An effective cybersecurity strategy requires a multi-layered approach. Employee security awareness is not a “silver bullet,” but it plays a significant role in mitigating security risk regardless of your operating environment — at the office, hybrid or work from home,” says Jack Koziol, President & Founder, Infosec, in an exclusive interview with ITSecurityWire.
ITSW Bureau: Cybersecurity has traditionally been the domain of obscure tools that many don’t understand. How then can organizations ensure that the security imperative is percolated to all corners of the organization?
Jack Koziol: One of the best ways to ensure that the entire organization understands the importance and role of security is to approach cybersecurity education from an employee wellness perspective instead of a compliance requirement. The same employee behaviors and habits that protect company information also keep employees and their families safe at home. By focusing on how secure habits benefit employees first, organizations can maximize training engagement and retention, and ultimately, create lasting behavioral change and a more secure environment.
Also Read: Top Strategies on How to Budget as a CISO
ITSW Bureau: Adopting inclusive security strategies is the most powerful way to ensure the least risk. How do you see the impact of this method? In your experience and according to your latest research, have you measured its efficacy? Where does it stand?
Jack Koziol: To create an effective security culture, organizations must go above and beyond to show employees how secure habits and behaviors personally benefit themselves alongside the organization. Leveraging inclusive security practices — especially in terms of employee security education — is imperative because employees must see themselves represented within the training program itself.
ITSW Bureau: Do you believe that a robust culture of security awareness ensures a better-secured infrastructure? Do you have any data to explain this?
Jack Koziol: Data surrounding the impact of an effective security culture is limited at this point in time, but we look forward to correlating security culture to business risk in the coming months and years. In the interim, we can learn from similar examples set by the Occupational Safety and Health Administration (OSHA). Chances are, you’ve heard the OSHA-originated terms “bend with your knees” and “team lift” a few times before. Some studies have found that OSHA-sponsored injury prevention programs can reduce incidents by 9% to 60%. If we can generate the same results from security culture as we’ve seen with safety culture, investments into employee security awareness will pay dividends.
ITSW Bureau: The remote working culture that enterprises have been forced to adopt during the pandemic has pushed up security risks manifold. Do you think awareness is enough to fight this risk? What would you advise enterprises to do in the current circumstances to keep them secure?
Jack Koziol: An effective security strategy requires a multi-layered approach. Employee security awareness is not a “silver bullet,” but it plays a significant role in mitigating security risk regardless of your operating environment — at the office, hybrid or work from home. Your security awareness and training program should start with a focus on first securing your employees and their families. It’s this type of accountability and personal engagement that will drive the lasting security behavior change you need to actually change your organization’s culture.
Also Read: The Evolving Role of the CISO: From Critic to Enabler
ITSW Bureau: While it is possible to quantify the damage done by cyber-attacks, it has not been possible to measure the level of security cover. That would really help in strategizing the most effective plan ever. How do organizations do that?
Jack Koziol: Although there is no one-size-fits-all approach to measuring and establishing the “correct” level of security coverage, one effective method is to test for vulnerabilities. Penetration testing allows organizations to evaluate their security and IT infrastructure, while simulated phishing tests, cybersecurity assessments and culture surveys measure how prepared your employees are for the cyber threats they face and how likely they are to adopt behaviors that keep your organization secure. By first identifying vulnerabilities, organizations can build a plan to address their most significant weaknesses.
Jack Koziol is president and founder of Infosec, a leading security awareness and anti-phishing training provider. With years of private vulnerability and exploitation development experience, he has trained members of the U.S. intelligence community, military and federal law agencies. His extensive experience also includes delivering security awareness and training for Fortune 500 companies including Microsoft, HP, and Citibank. Jack is the lead author of The Shellcoder’s Handbook: Discovering and Exploiting Security Holes. He also wrote Intrusion Detection with Snort, a best-selling security resource with top reviews from Linux Journal, Slashdot and Information Security Magazine. Jack has appeared in USA Today, CNN, MSNBC, First Business and other media outlets for his expert opinions on information security.