October marks the 20th anniversary of Cybersecurity Awareness Month – an annual campaign led by the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the National Cybersecurity Alliance to raise awareness of ways in which we can better protect our data. Some of the most visible cyberattacks in recent months have reminded us that we all play a role in security and that people remain our weakest link. Threat actors continue to take advantage of human nature by using phishing emails, persuasive text messages and convincing phone calls to gain access to high-value systems and sensitive data and reap financial rewards. Given the headlines, it makes sense this month to take a closer look at the people problem and what organizations can do to strengthen defenses.
The people problem is two-fold: a lack of security awareness among users and a lack of cybersecurity talent. Let’s start with the first challenge: what organizations can do to raise security awareness among users.
- Support for security awareness programs: According to the SANS 2023 Security Awareness Report: Managing Human Risk (PDF), maturity levels for security awareness programs are improving compared to last year. However, organizations are struggling with the fundamentals of program development, including lack of budget, limits on training time for employees, and lack of staffing and time for program management. It comes as no surprise that the most effective programs are backed by strong leadership support, have dedicated full-time employees, and promote a strong security culture in which incident reporting is encouraged and made easy, which in turn helps mitigate risk.
- User training: Also not surprising, the SANS report finds that phishing/smishing/vishing tops the list of human risks, followed by passwords/authentication, detection/reporting, and IT admin misconfiguration. Training should focus on these four areas and go beyond annual computer-based training to include continuous training so that key concepts are reinforced year-round. Involving security teams in the development of human-focused security training helps ensure content remains highly relevant to the organization. Partnering with other departments such as communications and human resources and bringing on third-party training consultants will also help drive program effectiveness while optimizing resources.
Looking at the second component of the people problem – a lack of cybersecurity talent – a combination of training and technology can help close the gap currently estimated at 663,600 in the U.S. alone. For example:
- Training for cybersecurity professionals: Cybersecurity itself is a continuous learning experience, something that is often overlooked. New research by Enterprise Strategy Group (ESG) finds that 40% of cybersecurity professionals believe their organization should increase its commitment to cybersecurity training to help address the skills shortage by enabling the organization to get more out of existing resources. Partnering with security technology vendors that offer product training and make it available in multiple formats and form factors, including instructor-led/in-person, instructor-led/virtual, and self-service, provides the flexibility to select what works best for your business model and your security teams.
- Security automation: An important benefit of security automation is that the highly skilled human resources you have can work smarter, not harder. In research we commissioned recently, security leaders say the number one way to address a top challenge – high turnover rates – is with smarter tools that simplify work. Additionally, over 60% expect automation to positively affect employee satisfaction and retention. A balanced approach to automation, in which repetitive, low-risk, time-consuming tasks are automated so that analysts are freed up to take the lead on irregular, high-impact, time-sensitive work, can improve retention and utilization while driving better security outcomes. A data-driven approach to automation ensures that actions remain relevant, for greater focus, accuracy and confidence in the outcomes. Additionally, security automation platforms that support low-code/no-code interfaces can make automation accessible to a range of users with varying skill sets.
- Additional new technologies: Approaches and technologies like AI are already helping to drive efficiencies. Specifically, natural language processing is being used to identify and extract threat data, such as indicators of compromise, malware and adversaries, from unstructured text in data feed sources and intelligence reports, so that analysts spend less time on manual tasks and more time proactively addressing risks. Machine learning (ML) techniques are being applied to make sense of all this data in order to get the right data to the right systems and teams at the right time, accelerating detection, investigation and response. And a closed-loop model with feedback ensures that AI-capable security operations platforms can continue to learn and improve over time.
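To make the extraction step above concrete, here is an added example (not code from the original post or from any vendor platform) of the kind of indicator extraction that precedes the ML stage: it refangs the defanging conventions analysts use in reports (`hxxp`, `[.]`), pulls hashes, IPs, URLs, emails and domains out of a constructed report snippet, and validates and de-duplicates them. The sample text and the regular expressions are assumptions for illustration, not from any real feed.

```python
import re
from collections import defaultdict

# Constructed sample report text (documentation IP ranges and example.* names, not real IoCs).
SAMPLE_REPORT = """
Analysts observed the loader beaconing to hxxp://update-check[.]example[.]net/ping
and to 203[.]0[.]113[.]45 over TCP/443. The dropper sha256 is
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Phishing mail came from billing@invoice-portal[.]example.com; a second
sample contacted 198.51.100.7. Version 10.0.2 of the agent is unaffected.
"""

# Simple pattern table; real extractors add more types (CVE ids, registry keys, mutexes).
PATTERNS = {
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def refang(text):
    """Undo common defanging so indicators match the form the adversary actually used."""
    return (text.replace("hxxps://", "https://").replace("hxxp://", "http://")
                .replace("[.]", ".").replace("(.)", ".").replace("[at]", "@"))


def valid_ipv4(addr):
    """Reject regex matches such as 999.1.1.1 that are not real dotted quads."""
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def extract_iocs(text):
    """Return {indicator_type: sorted unique values} found in free text."""
    text = refang(text)
    found = defaultdict(set)
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            # Normalise hashes to lower case so the same file is counted once.
            found[kind].add(match.lower() if kind in ("sha256", "md5") else match)
    found["ipv4"] = {ip for ip in found["ipv4"] if valid_ipv4(ip)}
    return {kind: sorted(found[kind]) for kind in PATTERNS}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind:7s} {values}")
```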
Threat actors continue to use variations of the same threat vectors year after year to execute successful attacks. Fortunately, we have it in our power to disrupt the cycle. Addressing the people problem with effective approaches and tools for users and security practitioners to strengthen defenses will enable us to work smarter, and force attackers into a position where they must work harder.