Few cyber professionals would disagree that every person within an organization (employees and the extended workforce) plays an important role in protecting companies from cyber-attacks, insider threat incidents, or inadvertent data loss. A loss event can start with anyone in a company at any level.
- Do they know the importance of their role?
- Do they know what they need to know?
- Do they know what they need to do?
- Is it embedded into their routine and departmental work culture?
- Do they know where they need to go to get help?
Many information security programs have a very limited focus and budget
on workforce awareness. Why is there such a disconnect?
- Many programs have a majority focus on technology (many info security teams sit within or grew out of IT, it is what they know)
- Information security had traditionally been an IT responsibility. There were/and sometimes still are very few incentives for executive leaders outside of IT to take broader accountability
- Some executive leaders understand the need and the risk to the company but don’t know how they could/should help.
- The workforce awareness domain has often been minimized to phishing employees and generic SaaS-enabled training.
Information Security workforce awareness programs need to be organizational culture initiatives that are run more like an ongoing internal marketing campaign than an IT tool and training platform roll-out.
Here are some goals for 2023 that you could use to enable a more intentional focus on what matters most in cyber: humans.
- Reinforce the fundamentals: Ensure the workforce understands the basics around protecting themselves and the organization (your cyber training platform can help here).
- Be different! Reach people through unconventional and innovative ways: It is challenging to permeate the constant whirlwind of white noise in many organizations. There are so many initiatives, communications, and updates that often get lost in the swirl. Develop some key tactics and vehicles to rise to the top. Not every successful example of doing this will work at every company. It can be culture dependent.
- Ensure clear and communicated expectations: Ensure your workforce-facing security policies are clear, actionable, communicated, and understood across the organization.
- Drive enhanced risk-based focus on key personas: Understand and prioritize elevated focus on individuals (personas) in high-risk roles or that might be targeted.
- Make it easier for people to help and leverage what you need them to: Make it easier for everyone to know their role around using internal tools and processes to protect the organization and themselves. This often involves investing in more usable tools and simplifying and improving processes. These projects need to be prioritized as they are often precursors necessary before anything can be asked of the workforce.
- Activate influencers: Enable a network of vested champions/advocates across the organization that can be influencers within the functions they serve.
Regardless of where you are in your journey, it is likely that the humans that make up your broad workforce (whether in a 10-person or 100,000-person company) are more capable, willing, and ready to help you achieve your critical mission within your cyber program. You just need to unlock their potential and activate and inspire them to help!