Wood says that it is pivotal to establishing a security culture to get training right, while independent pen tester and social engineering expert Richard De Vere calls for a more direct approach. “Get the board involved and shout until you are blue in the face because it's what they are paying you for.”
Sjouwerman agrees: “This needs to be driven by the CEO and COO down.”
Some take bolder steps; one company sent simulated email attacks to board members before presenting to them on the same topic. Several of the board clicked on the links, and the bold CISO got his approval to send these links to end users - and provide follow-up training as required.
Others, however, are not so forthcoming, and it goes back to the importance of CEO-CISO communication.
Red-teaming, gamification and more
Getting board support is crucial for funding, resources and the right culture. But what form should training take? Should it be online or in-person, and how do you shape the program in the first place?
Wood says proactive companies should first do red teaming exercises to work out their potential areas of compromise, so they can shape the program and address the specific risks to the business.
He tells CSO Online the story of one UK-based life sciences company, whose head of information sector hired First Base to build a ‘storyboard’ of an attack. Wood’s pen testers researched the company, found that one likely threat actor would be organized crime, and worked out how those attackers would try to get information. From phishing emails and malware to on-site attacks via USB dongles, Wood says there were numerous weak points in the organization.
“What came out at the end wasn’t just a set of recommendations of how to fix this, but we also made sure to film it so they had visual evidence of us wandering around where we shouldn’t have been. They took this and made a training awareness program out of it, and they delivered it to the staff across the world as a story.”
That sort of imaginative approach to the problem is what’s needed, rather than a classroom-based one.
De Vere urges: “Training shouldn't be patchy. Pick a good platform and provider and stick to it. Staff have a hard enough task as it is learning all the ways in which they pose a risk to security without misinformation or gaping holes in knowledge. If you don't have a social engineering training platform yet, get one.
“Staff should be considered 'responsible' for a breach in security but in return you have to bend over backwards to provide everything they need for support. If they fail, pat them on the back and sign them up for more training.”