A recent Harvard Business Review article argued that the best Cybersecurity investment that organizations can make is better employee training to raise awareness of the threats and how best to guard against them. On the other hand, another review, this one from Accenture, found that ‘Training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets’.
So it’s clear that there is a major disconnect here. At the root of this appears to be a set of dynamics which perpetuates an established conventional wisdom that treats Cybersecurity as almost exclusively a technology problem, against which technology provides the best form of defence, to the neglect of the human aspects which are every bit as significant.
In the first instance, this is driven by a lack of sufficient understanding of Cybersecurity on the part of many senior business people. This is itself in part a result of the prevailing orthodoxy, in that if Cybersecurity is fundamentally a technology problem, then the tendency is very often for senior executives to regard it as outside their area of expertise, and delegate it to those with the required technical expertise. So despite the significance of the Cybersecurity risk for organizations, there is frequently a reluctance for management to engage with it in the way that they might engage with other risks of similar magnitude.
Moreover, delegating responsibility for Cybersecurity to the technologists further reinforces and perpetuates the perception of Cybersecurity as a technology issue, because this is where the interest, expertise and the mindset of the technologists will inevitably reside. And so, almost regardless of whether or not this is the best use of funds and resources, the tendency will be for such individuals to look to invest in ever more sophisticated technical defences against the perceived threats. Such an approach also helps them gain access to additional funds and resources, in turn raising their corporate profiles and importance.
This pattern is likely to extend also to any third-party support that organizations may choose to engage to help them address the Cybersecurity threat. If the threat is perceived as a technical one, then it is additional technical expertise which is most likely to be sought. Equally, third-party organizations are aware that it is technology-related Cybersecurity services which are most in demand, so this is where they focus their offerings.
Given all this, it’s clear that the conventional Cybersecurity wisdom has considerable resilience which will not easily be broken down. This said, there are signs of growing recognition of the critical importance of the human factor in Cybersecurity. Government agencies, academic bodies and consultancies are increasingly pointing to the need to raise employee awareness – at all levels of the organization, including in the boardroom and the executive suite – as a key element in any Cybersecurity defence strategy.
But there is still some way to go before organizations really embrace this, and go beyond lip service to adopt high quality awareness training that is genuinely engaging for staff. By way of illustration, the 2019 SANS Security Awareness Report (perhaps significantly entitled ‘The Rising Era of Awareness Training’) found that 80 per cent of those involved in Cybersecurity awareness training still come from a technical background, while only 10 per cent of their job titles contain the words ‘Awareness’ or ‘Training’, implying that this remains a part-time and secondary activity.