From Security Awareness to a Cybersecurity Culture – A Shift in Mindset

It’s an exciting month, and everyone’s feed is filled with the most recent hacks, tools, and cybersecurity news for Cybersecurity Awareness Month. It’s great to see cybersecurity gaining the focus it not only deserves but needs as our domain continues to mature and grow. But, unfortunately, reading the threads, I see a repetitive theme in every post.

Pulling Away from the Common Outcome

We Remain Fully Exposed to {Hacking Ingenuity}

The hackers, hostile nation-states, and even the “Script Kiddies” can keep plugging away until they find their next front-page handout of notoriety, cash, or whatever it is they seek. Everyone has a motive for their illicit activity, but each is focused on different outcomes.

And, well, the list goes on, as we all know.

What does this mean?

Phishing, Smishing, Vishing, Social Engineering, Viruses, UI redress, Cookie Theft, DDoS, DNS Spoofing, Lapsed Security Patching, Malware Injection, Password Cracking, and, well, all of the hacking will continue until morale improves, or worse.

It’s not that people aren’t intelligent. It’s not that we don’t have excellent people doing hard work to protect our organizations. It’s not that our technologies aren’t up-to-date and cutting-edge. It’s not that anyone wants to get hacked. It’s just that we are human. The most significant attack vector will remain in our humanity for the foreseeable future.

What can we do if being human is the most significant attack vector?

With a few decades of experience having worked across multiple domains of business, government, defense, healthcare, and other industries, I can say, from a 10,000-foot view, that we are not changing all that much when it comes to cybersecurity, or at least not as fast as the market is demanding of us. The cybersecurity market expects us to be completing an Olympic marathon while we currently stand on the starting line, comparing our shoe’s latest features and graphical dashboards.

We humans (or cybersecurity workers) still embrace our core humanity, which will not change, or at least, it shouldn’t. Humans want to help, share, and create a better tomorrow, so let’s not focus on changing the basis of our being. However…

What can we change to harden our cybersecurity posture in an evolving threat landscape, seemingly coming from every direction?

Well, one thing that keeps ringing this month is the idea of “Security Awareness” training, and yes, I wholeheartedly agree with this need. If users can’t decipher between a safe and unsafe email, website, USB stick, phone call, voicemail, or software update, that’s ground zero. Still, there is more performance and capability on the table, and it’s a more considerable leap of faith and a longer run to the end zone, but it will be necessary to succeed in cyber.

We need to shift from a Security Awareness expectation to a Cybersecurity Culture Mindset

Working in regulated environments (FDA, FISMA, DFARS, CMMC, DCWF 8570 & 8140), we have seen many check boxes filled out with the expectation that we accomplished something. Compliance is essential, and it certainly matters. Still, we need to think much further into the knowledge spectrum of our workforce if we are to see actual change in human/technology behavior.

- CISO: Hey, we need to get on top of this Security Awareness Training
- EMPLOYEE: On it, boss! I'll find a Security Awareness Training company right away
- CISO: Great, let me know when it's done
- EMPLOYEE: (two months later) Everyone has completed their Awareness Training

...Box Checked...

- DoD Training Manager: Hey, we need 20 folks certified for 8140 compliance
- EMPLOYEE: On it, boss! I'll find certification training right now
- DoD Training Manager: Great, let me know when it's done
- EMPLOYEE: (one month later) All 20 persons are certified now

...Box Checked...

HOWEVER

In the above examples, was anything proven, or did behavior or on-the-job performance change? 

We can find the most cutting-edge Security Awareness training vendor and buy the latest platform that shows program completion (check box) with a Certificate of Completion to every participant, and voila! We are done with our Security Awareness training for the year… Or are we?

Security is not a check-box. Never was, never will be.

If we look at Adult Learning best practices, one of the best in the business is Josh Bersin of Bersin by Deloitte. Here’s something interesting from a study a few years ago: 90% of new skills from training will be lost within a year if not continuously reinforced. So, 90% of our Awareness will be… GONE (How’s that Certificate of Completion working for ya now?). Reconcile this with a threat landscape changing daily and zero-day events rising. How can front-line workers keep up if security awareness is not a constant improvement program baked into a team’s C-Level strategy?

If Cybersecurity Awareness Month is to bring us anything, we ask it to bring this.

Let’s Move from a Cybersecurity Awareness Month to a Cybersecurity Culture Mindset

Cultural change is required if we are to enable our humanity (workforce) to harden cyber defenses and offenses in today’s world. What we know today may be irrelevant in a day or a few months, and that compliance checked box will slowly fade into its irrelevancy. Cultural change is akin to working in the “left of bang” environment we seek. Think “Risk Management Framework,” but for people. Security Awareness is not a one-time, annual, or semi-annual event, with a smile sheet and Certificate of Completion. It should be in the very fiber of an organization’s strategy to enable people and technology. We need a Cybersecurity Culture Mindset to succeed.

Wow. That sounds really hard! How do we move to a Cybersecurity Culture Mindset?

First, we must admit that check-box Security Awareness is just the first step in an ongoing process that must become part of the business’s executive and organizational strategy and culture. Cybersecurity must operate top down and bottom up with stellar leadership and cultural change to enable its full effectiveness. If we can’t do that, there is always a check-box completion and a 90% knowledge drop-off to feel good about as our adversaries train, coach, and develop their next attack based on a new social app IT didn’t know about. So feel free to continue onward. We need to get just as serious about Cybersecurity People as we are about Cybersecurity Tools. They work together, after all.

How does the cybersecurity workforce move to a risk-managed environment? First, we must look at other successful workforce models applied to domains such as sales and leadership and take note of their use of competency frameworks, training, coaching, and continuous improvement. Unfortunately, for some reason, cybersecurity competency development hasn’t been met with the same exuberance as the latest pharmaceutical sales team’s selling model. This impacts the organization’s ability to truly understand who knows what, at what level, and what critical vulnerabilities exist in the workforce’s Knowledge, Skills, and Abilities (KSAs) against a commonly agreed upon standard.

Let’s take a quick detour, then back to a Cybersecurity Culture Mindset

Take, for example, Richardson Sales Performance. This organization has been around for decades and does impressive, measured work to accelerate sales teams. It’s not accomplished by training non-stop or forcing a certification to equal compliance. Instead, they look at human capital across the employment lifecycle in a work domain, identifying places to train, coach, mentor, challenge, and rotate into and through new opportunities. They create career journeys that corporations can adopt to compress time to peak performance, coach to maximum performance, and retain the right talent. Finally, they design the KSAs that indicate performance and back them into a competency framework to assess and measure improvement. Baselining a person’s current KSAs is the only way to build that person’s overall competency. A competency model or framework allows leading organizations to assess their workforce against commonly agreed-on “what good looks like” behaviors and then develop across a full spectrum of activities.

Oh, a competency framework can be used to accelerate sales performance? What about a cybersecurity competency framework?

I’m glad you asked!

Yes, competencies matter in the cybersecurity workforce. So much so that the National Institute of Standards and Technology (NIST), operating under the Department of Commerce, has created the Workforce Framework for Cybersecurity (NICE Framework), or the NIST 800-181. It’s one of the best in the world and free! I have seen many competency models, and when I first heard of the NIST/NICE 800-181, I was apprehensive. How could a governmental agency develop and deliver a competency model with great design, agility, usability, and scalability? However, upon my first review, I was hooked.

To achieve a Cybersecurity Culture Mindset, government and industry MUST adopt a commonly agreed framework like NIST/NICE 800-181, and assess, then develop the workforce across this model, aligned to job role KSAs on career pathways. Sure, you can add your nuances (NICE for the Department of Defense (DoD) is different from NICE for the Office of Personnel Management); however, it’s still the common goal. As a result, we enable our cyber human capital to perform at the highest possible level.

What’s at stake?

In part a call to action and in part to share our excitement about the NIST/NICE 800-181: if we are going to solve the Cybersecurity “skills gap” or whatever you want to call it, we will need to put the same amount of work into our cybersecurity workforce as we do our Sales or Leadership teams. If sales can’t log in, they are ineffective. If Intellectual Property is leaked on the dark web, sales may not have anything to sell in short order. If IP, PI, PII, CUI, customer data, and other assets are lost in a hack, leadership and sales will have a far more significant problem than selling and leading.

Everyone is in cybersecurity, and it’s about time we look at locking cyber in as the competitive advantage it is in the 21st century, and this starts with a continuous development model, career tracking, and enabling the cyber workforce through assessment, training, coaching, mentoring, job rotation, and retention strategies.

References:

  1. NICE website: https://www.nist.gov/itl/applied-cybersecurity/nice
  2. NICE Framework: https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center

#327solutions is a leading training, coaching, and cyber talent consultancy, helping organizations move beyond the classroom and into continued human capital development.

You can find us at https://www.327solutions.com.