During my 30+ years in the IT industry, most spent as a tech executive, I have watched with fascination and irritation the arms race between attackers and the defenders, people who protect systems and the information they store. In the early days, data centers were hidden in bunkers or behind fences to protect systems from physical attacks. Then we connected everything and built a new type of wall – firewalls. Despite all the time, energy, and resources poured into hardware and software solutions, people remain at the heart of information security. A quick internet search of “IT security” brings up numerous articles about software and hardware solutions. Few articles about the importance of a security minded culture rise to the top.
While a recent study found that only a quarter of security events come from within, organizations consider employees the greatest security risk. These findings may seem contradictory on the surface, but they are correct. Although 75% of security events come from external sources, many require internal resources – our employees – to be successful.The same study found that security breaches are nearly three times more likely to occur due to social engineered attacks on employees. Despite these findings, adding new technologies remains the number one preventive measure identified by organizations. User training and creating a security minded culture do not even make the list of top strategies.
I am fortunate to have recently joined an organization where efforts over the last few years are building a security minded culture. One of the first steps in changing the culture was acceptance by the organization that security is everyone’s responsibility. When employees saw that information security is important to executives, they took notice. These actions led to changes in habit sand mindsets and began to reshape the culture. One and done is not good enough though; repetition and intentional actions are needed for lasting change. Including information security into the organization’s strategies is also a key component of changing the culture. Marin County’s 5 Year Business Plan and IT’s Strategic Plan have strategies and specific action plans related to information security. This inclusion makes information security an organizational priority.
"While a recent study found that only a quarter of security events come from within, organizations consider employees the greatest security risk"
Our Chief Information Security Officer (CISO), Jason Balderama, understands the importance of arming our employees for cybersecurity battles. It is not unusual for security to come up in conversations. Our CISO is well known throughout the organization and is clearly seen as the authority in all things information security related. In addition to mandatory security awareness training, Jason and his team conduct monthly mock phishing exercises. They are really good at it. With that said, results are improving. Mock phishing exercises are an inexpensive solution that reaps significant rewards since email phishing scams are one of the top causes of security breaches. The security team sends monthly Mock Phishing Reports to department leadership. They review the results to identify “frequent clickers” and reach out to them or their managers to provide additional training. The security team also provides custom training, either upon request or based on their outreach.
The CISO’s security newsletters are often quoted and shared outside of our organization with family and friends. We celebrate Cyber Security Awareness month in October with brown bag security awareness sessions and other activities. Our next initiative is to roll out a security ambassador program where each department identifies someone to work closely with the information security team; further embedding information security into the fabric of the organization. This ongoing focus helps create a security minded culture where the organization’s executives and the Board, in our case the elected Board of Supervisors, understand and support the important role employees have in securing our information and systems. In this war in cyberspace, employees are the foot soldiers who will help us win it. Arm them accordingly.