Eddie Borrero shares an unexpected story about earthquakes, a seismic event known all too well in the San Francisco Bay Area. A few years ago, at a prior company, Eddie attended a training on earthquake safety. Just three hours after the training ended, an actual earthquake hit, and he watched employees completely neglect to do the very things they had just been trained to do. Instead of seeking safety, they ran to the windows asking, “Is this an earthquake?”
Eddie Borrero, currently CISO of Blue Shield of California, recalled this event in a Fireside Chat discussion of workforce risk with Masha Sedova, Co-Founder of Elevate Security. Traditionally, workforce or insider risk has fallen under the security training bucket, but much like earthquake training, it does not translate into real-world practice. Instead, it checks off a box: a formality that does not protect your organization when it comes to ransomware or account takeover. Eddie argues that a checkbox security strategy is risky, and that security education needs to be retained, continuous, and impactful.
Eddie and Masha dove into the concept of a workforce security kill chain, how implementing this strategy will change the game, and gave insights into approaches that are working to reduce risk. A high-level theme that emerged: tracking metrics is important!
What can you do to help prepare and protect your business against workforce risk when a real threat arises? Here are a few tips shared in the Fireside Chat:
- Invest in simulated phishing; this is a must!
- Set up a security advocacy program that continuously educates employees on the impact of a breach. (Making it role specific gives a granular training approach so that the employees retain what they ‘need to know’.)
- Provide visibility into individuals’ risk profiles, so employees are empowered to make proactive, safe security decisions.
Attackers get in through a kill chain: numerous things need to go wrong for them to succeed. What do we need to prevent from an employee perspective? Using the example of ransomware, the attacker needs an entry point (unsafe browsing or a phishing link), then a foothold on the device (malware deployed on the machine, which some people make easier by hitting snooze on patches), and so on. It’s key to measure all the ways your organization is strong and weak, so you can make it stronger at every step of the way, which makes that ransomware attack more difficult.
For example, are your employees clicking on bad links? Visiting bad websites? Track the outliers! Are they logging into a system for the first time? This tells you where to focus your training and advocacy programs. Without this visibility, it’s impossible to know that the right training and support are going to the right people. A one-size-fits-all approach doesn’t work in our regular lives, so why should we think it will work for security? The short answer is: it doesn’t.
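One way to turn the measurement idea above into something concrete, as an added example that is not part of the fireside chat and not Elevate Security's product: score each employee on the kill-chain signals the discussion names (bad-link clicks, unsafe websites, snoozed patches, first-time logins), flag statistical outliers for targeted training, and tally which step is weakest organization-wide. The signal names, weights and sample events are all constructed assumptions for illustration.

```python
"""Per-employee workforce-risk scoring from constructed security telemetry.

Added example, not code from the original post or from Elevate Security.
Signal names and weights are assumptions chosen to match the kill-chain
steps discussed: entry point (phishing, unsafe browsing), device foothold
(snoozed patches), and account takeover (first-time logins).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Weight per signal, grouped by kill-chain stage. Weights are assumptions.
SIGNAL_WEIGHTS = {
    "phishing_click": 3.0,   # clicked a simulated-phishing link (entry point)
    "unsafe_site": 2.0,      # web proxy blocked a malicious site (entry point)
    "patch_snooze": 2.0,     # deferred an OS/browser patch (device foothold)
    "first_login": 1.0,      # first login to a system (possible takeover signal)
}

# Constructed sample telemetry as (user, signal) pairs. Not real data.
SAMPLE_EVENTS = [
    ("alice", "phishing_click"), ("alice", "patch_snooze"), ("alice", "patch_snooze"),
    ("alice", "unsafe_site"), ("alice", "phishing_click"),
    ("bob", "first_login"),
    ("carol", "patch_snooze"),
    ("dave", "unsafe_site"), ("dave", "first_login"),
    ("erin", "first_login"),
]


def score_users(events):
    """Return {user: weighted risk score}; every event adds its signal's weight."""
    scores = defaultdict(float)
    for user, signal in events:
        if signal not in SIGNAL_WEIGHTS:
            raise ValueError(f"unknown signal: {signal}")
        scores[user] += SIGNAL_WEIGHTS[signal]
    return dict(scores)


def flag_outliers(scores, z_threshold=1.5):
    """Users whose score is more than z_threshold population std devs above the mean.

    These are the people to prioritise for role-specific training rather than
    sending everyone the same one-size-fits-all module.
    """
    values = list(scores.values())
    if len(values) < 2:
        return []
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return sorted(u for u, s in scores.items() if (s - mu) / sigma > z_threshold)


def stage_weakness(events):
    """Org-wide event count per signal, highest first: the weakest kill-chain step."""
    counts = defaultdict(int)
    for _, signal in events:
        counts[signal] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    scores = score_users(SAMPLE_EVENTS)
    print("scores:", scores)
    print("outliers needing targeted support:", flag_outliers(scores))
    print("weakest stages:", stage_weakness(SAMPLE_EVENTS))
```

On the constructed sample, one user accumulates a score far above the rest and is flagged, while the stage tally shows snoozed patches and first-time logins as the most frequent signals; in practice the weights would be tuned to your own incident history, and the per-stage view is what answers "where are we strong and where are we weak" across the chain.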
This is just a small sample of the insight provided by two security pioneers. Check out the recorded session for answers to questions like: How do you deal with repeat offenders? Who is most attacked? Where do I need to allocate resources? How can I be proactive about security threats? What metrics should CISOs be keeping an eye on in their organization? How does “Get me a cup of coffee” vs. “Will you get me a cup of coffee?” fit into your security strategy? What should you present to your Board? How do you build the relationship between the CISO and the Board? Don’t push this aside the way some organizations do with security training. And ask yourself: if an earthquake happened, would your employees run to the window?