As a Chief Information Security Officer, I’m focused on the security of Cisco’s entire enterprise, not just our IT systems and infrastructure or the data our customers entrust to us. Because Cisco is a leading security technology provider, my team and I are fortunate to have the best tools to help prevent, detect and remediate cyberattacks.
But even with all of the great technology available to us, I never forget that our number one asset for fighting cyber threats is our employees.
People are the most valuable and the most challenging part of the cybersecurity equation. A recent Ponemon Institute study found that 64 percent of the attacks covered in their survey could be traced back to the negligent behavior of a staff member or contingent worker. It’s not that employees have malicious intent; it’s that most are far too busy, unaware, or get tricked by adversaries trying to find a way in.
Having an informed workforce that knows how to keep the physical and extended virtual workplace as safe as possible, and is actively involved in doing so, can reduce the risk due to human error. To that end, I recommend setting a goal to move employees through three phases of security engagement:
- Training and Education. At Cisco, we’re constantly raising employee awareness and knowledge about cyber threats. Employees need to learn about cyber risks – how to spot and report them. For instance, we regularly use anti-phishing training and testing so that everyone can learn how to minimize risks from email and malware.
This year marks the 11th year of Cisco SecCon, our annual employee security education conference. The conference continually evolves to address the current threat landscape. This year, the conference focuses on building and securing internal enterprise application and cloud-delivered services for our customers, and hardware/software development best practices addressing the latest hacks/attacks and security innovations.
This month, we’re celebrating National Cybersecurity Awareness Month and the one-year anniversary of Keep Cisco Safe, a company-wide campaign to drive pervasive security into our culture and motivate the entire Cisco population into action. Using some out-of-the-box tools and techniques (like gamification, provocative messaging and a family of persistent digital monsters that pop up in unexpected places), we’re driving awareness of data security threats in memorable ways. Our dozens of Keep Cisco Safe Ambassadors, enlisted from across the company, help keep our global workforce on its security game. We’re committed to preserving a culture where experimentation and creativity are the norm, and it’s safe to make a mistake – as long as we learn from it and stay safe along the way.
- Accountability. Ultimately, all employees need to take ownership of security within the domain they can control. Practicing good cyber-hygiene and changing risky behaviors cannot be optional; it must be mandatory. At Cisco, we have employees annually review and sign a business code of conduct that includes cybersecurity and data protection practices. That way, they’re committing to a standard of accountability that defines their responsibilities to Cisco and to our customers. Employees understand this is serious business with direct implications tied to their job role.
It’s important that this approach to accountability is done in the right spirit – imposing rules always has a bit of a different feel than people internalizing the responsibility. We emphasize that these policies aren’t about restricting employees from being creative in their own work and meeting business goals; they’re about learning where pitfalls lie and where lines need to be drawn.
- Advocacy. At Cisco Security, Primes/Advocates are roles we’ve formalized in IT and development teams to be champions of security from within the function or team. We teach them leading security practices, cultivate the security community and celebrate their successes.
The ideal state is to get employees to the point of being proactive security advocates. There are no better role models among the employee population than peers who champion the cause. Not everyone will get to this level, but if you can, find the people who are naturally inspired about security and give them all of the support and tools they need to live out their passion for the good of the organization. Perhaps you have someone on your team who can devise customized practices that fit your group’s processes and style, or someone who will make time to help other team members with specific questions or needs around securing their practices. And, if it’s ever possible, temporarily rotate an IT Security team member into a functional business group; that individual will benefit from learning how the business works, and in turn, he or she will foster more security engagement with that functional group than any leadership information push could ever do.
With the right knowledge, understanding and encouragement, employees can and will be the best line of cyber defense you’ll ever have. During National Cybersecurity Awareness Month, make some time to pause and think about how you can teach, engage and inspire your team to be the cyber champions you need to keep your organization safe.