CISOs are worried and unhappy and it’s the human factor in their organisations that’s to blame. That’s pretty clear from a recent cross-sector survey of information security professionals by the Ponemon Institute.
With over two-thirds thinking that their company would fall victim to a data breach or cyber-attack this year, not surprisingly many believed that their professional lives were about to get even more stressful.
And what was top of their threat list? Not technology. Not hackers. Not malware.
For many CISOs, the ‘human factor’ is the overriding problem, with lack of competent staff or inadequate in-house expertise identified as the weak points in the corporate armour.
If, as the Ponemon Institute report suggests, CISOs believe they don’t have the skills in their teams to drive awareness, then maybe it’s time to look outside for external support, or to skill up existing members of their teams. This isn’t about reaching for tried and tested solutions, but about adopting new approaches that recognise an evolving infosec landscape blighted by increasingly high-profile data breaches.
According to the survey, changes to staffing and leadership are seen as potential answers to the problem, but that’s perhaps a sign of a growing appreciation among CISOs that preventing data breaches may not be a problem that can be solved by technology alone. Instead, modifying behaviour for the better, rather than parachuting in new software, is a longer-term, more sustainable solution.
To date, the emphasis in many organisations has been on security awareness training – but, as has been proven numerous times, awareness in itself does not lead directly to a change in behaviour – and without that, the risk from the human factor remains.
But if good habits are instilled through more effective, motivation-based training, or through the design of policy and processes, they can be maintained and carried forward without ever-greater expenditure on technology.
That should sit well with those in the survey, more than half of whom believe that infosec budgets aren’t about to rise any time soon. If new funds are required, then this might be the time to reconsider their source. Perhaps budgets could be reshaped to incorporate funding from other areas such as learning and development.
Of course, training and awareness are only one way to influence behaviour. Better policy and process design, as well as incorporating behavioural insights, should also be part of any infosec programme. All these are key components of SABC™.
A different approach is needed
Re-thinking the human factor in any organisation is likely to require a change in corporate culture, and that needs to be led from the top. This requires organisations first to admit that this offers a real opportunity for improvement. But it also means CISOs must better understand the root causes of why their activities to date have failed to bring about the change in behaviour and culture that they hoped for or expected. If we keep doing things the same way, then we should not expect different results.
Perhaps we are seeing a move in the right direction, with many (50%) in the survey reporting greater involvement in information security by their board. CISOs are going to need that support and understanding if they are to give rethinking the human factor greater priority.
As Dr Larry Ponemon, whose firm conducted the survey, commented: “It’s not an easy time to be a CISO”. But how much better it could be if they began seeing people as an infosec asset … not a threat.