CISOs on the Human Factor: How Well are we Preparing
Anti-Phishing, DMARC, Business Email Compromise (BEC), CISO Trainings
Andy Rose • March 15, 2023
CISOs have faced a broad and varied set of challenges in recent years. Remote environments, increasingly sophisticated threats and expanding supply chains are just some of the many concerns keeping them up at night.
Nonetheless, one issue comes up consistently, whether in extensive surveys or in one-on-one conversations with CISOs: the human factor.
Proofpoint's 2022 Board Perspective Report found that over two-thirds of board members consider human error to be their biggest cyber vulnerability. They have good reason to, as 82% of reported cyber attacks involve a human element.
However, the pandemic, for all the cybersecurity challenges it caused, may have had a net positive impact on human factor risk. After several years of remote or hybrid working, most CISOs believe that employees now better understand the role they play in protecting their organisations against cyber threats.
While any positive news after such a difficult period should be celebrated, conversations with CISOs suggest there is still a long way to go before our people are fully equipped to play their role as a reliable line of cyber defence.
Hybrid working and human defence
In a recent episode of the CISO Voices podcast, Kate Mullin from the Cancer Treatment Centers of America discussed the impact of hybrid working on people-centric security.
While Kate agrees that cybersecurity awareness may have improved as a result of more widespread remote working, she adds that the infrastructure of employees' home setups brings security concerns of its own.
“The risks have shifted. Even where people have spent a lot of money on smart homes, it’s not enough. Because while you may have secured your devices, unless you’re on a VPN when you connect to me, I’m sorry, but you are using an unsecured network.”
Remote setups are just one of many recent developments adding to the workload of CISOs across industries. Kate goes on to say:
“The human side is our greatest weakness. Whether it be because of the great resignation, high turnover, or early retirements, human error is an enormous risk.”
In her episode of Proofpoint's CISO Voices podcast series, Daniela Almeida, CISO at the Dutch fintech Tinka, agrees that the people perimeter can be a weak spot for organisations. However, she believes that, with time and effort, it can become a strength:
“I tend to see the users as the strongest link instead of the weakest because mistakes can be counteracted. If they understand the risks and see how the attackers want to get to them, you can train them to be an effective defence.”
Fixing the people problem
While people can undoubtedly be a robust line of defence against highly targeted attacks, building this barrier requires investment of both time and money, not just in sophisticated tools and controls but in company-wide security awareness.
During his featured discussion on Proofpoint’s CISO Voices podcast series, leading fintech CISO Todd Wade touched upon this approach. Todd believes that creating a security culture that permeates every level of an organisation requires a personal touch:
“If you can teach people how to improve the cyber posture for their families and themselves, it connects with them better, and those same habits carry over into the workplace…
You have to speak in their language. The entire company is in charge of security, not just the security team, and you have to build a collaborative relationship.”
Finally, as everyone in the industry is well aware, cybersecurity faces another people-shaped problem: the skills gap. Proofpoint's VP and Global Resident CISO Lucia Milică Stacy believes that organisations need to put just as much effort into closing it if we are serious about building security-conscious organisations fit for the future:
“We are still seeing quite a substantial skill shortage in the industry. Organisations need to rethink recruitment and inclusion programmes, and job descriptions for how and where jobs are advertised, so we can be sure that we're looking for talent in the right places.”
Want to hear more?
To hear from Kate, Daniela, Todd, Lucia, and more CISOs in their own words, listen to our six-episode CISO Voices podcast series. Or, for more cybersecurity research, insights, and resources, head over to Proofpoint’s dedicated CISO Hub.