Justify your investment in the people and awareness side of security


Investment into changing security culture and behavior via security awareness and training (SA&T), if done correctly, has the ability to transform your security team’s function and reach. We need to invest in these people-related initiatives to harden the ever-important human firewall. But there’s also more to this story: Changing the culture around security has the power to uplift the security conversation, in turn giving you much-needed visibility and support as a security function. None of these are particularly tangible things to measure.

People-Related Security Investment Is Still Seen As Fluffy And Soft

Historically, investments into SA&T have been halfhearted and usually low on the laundry list of security initiatives to receive funding. Plus, it’s debatable how well they work: Our data suggests that only 26% of workers know what to do in the event of a breach. It also shows that 7% openly acknowledge that they ignore or go around security policy. This means either that we are not investing enough in training employees or that whatever we are investing in is not working.

Time and time again, I hear something along the lines of “Why should I invest in awareness?” or “Prove to me that it works.” These are fair questions, but they are also a sad reflection that, within security, people-related initiatives are still seen to have fewer tangible benefits than technical initiatives. They are perceived as “soft” and “fluffy” areas of security. Our new research on the business case for security awareness and training shows that this perception could not be further from reality.

Key Tips For Measuring The Benefits Of Awareness

SA&T works, and we need to demonstrate its effectiveness. We need to define what “works” means — that is, are SA&T initiatives successful in changing desired behaviors? In our report, we show security teams and leaders how they should measure the success of their SA&T programs. We share how they can employ techniques such as surveys to understand employee triggers and behaviors. You can read the full report, but I wanted to share some tips from the report to help you understand how to justify your existing SA&T programs:

If done correctly, your SA&T solutions will have significant reach. Work with all your constituents to identify whether that reach is effective. Check with them to determine if it is creating the behavior and culture change that you need it to.

By Jinan Budge, Principal Analyst

Register for Forrester’s complimentary webinar on how to future-proof your business with Zero Trust.

This post originally appeared here.

(I’d like to note my thanks to my research associate, Seles Sebastin, for coauthoring this blog with me.)

*Net Promoter and NPS are registered service marks, and Net Promoter Score is a service mark, of Bain & Company, Inc., Satmetrix Systems, Inc., and Fred Reichheld.
