Security Awareness Training Dies. My 2020 Prediction
It’s December, and it’s nearly Christmas! It’s the time of year when many pundits, journalists and vendors make wild predictions about what the world of cybersecurity will look like in the new year. In much the same way that the shops are filled with Christmas music over the tannoys, you can pretty much bet your bottom dollar that a cursory Google search will elicit numerous predictions on what is going to happen in 2020. My prize for 2020 predictions has got to go to Forbes. Not because I think they have credible predictions but because they have gone all out…141 Cybersecurity predictions for 2020. Before you get too excited, note that the article mentions Artificial Intelligence (AI) 47 times and automation 15 times – read into that what you like. That said, it’s highly likely AI will be the buzzword of 2020 and, despite many companies not actually incorporating AI in their products, we are likely to see every salesperson and their llama trying to convince us that the “AI” in their product will protect us from 99% of the cyber threats we may face! Anyway, I’m not going to jump on the AI prediction bandwagon. My prediction is slightly more nuanced. My prediction is that 2020 will be the year security awareness training dies…and not before time…here’s why…
Security Awareness Training is dying? Surely not??
Security awareness training has been dying for some time. It has had a lingering illness that has persisted for years. Like a chronic condition, new medicines have been introduced to try and manage the situation. PowerPoint slides were replaced with slick Computer-Based Training (CBT) packages. CBT was augmented with phishing exercises – but to no avail. Our users are still as susceptible as ever. Users still click on ever more sophisticated emails, still transfer money after a voice phishing attack. Users still email data to themselves when they’re about to change roles, still think that the intellectual property (owned by the company) is theirs to take with them so as to benefit their new employer. Why? Because security awareness training is dying…it’s on its last legs.
Is there a cure? Can we resuscitate?
Sadly, there is no cure. Well, not one that has been discovered and shared. Perhaps the cure has been discovered and is being hidden from us by the “Big Awareness” industry – I think not. But if there is no cure, is there any chance we can resuscitate our awareness programmes? What about updating those PowerPoint slides with articles on the most recent data breaches – yes, that will revive those ageing slides for another year. In all honesty though, why flog the proverbial dead horse?
The reality is, most awareness programmes are either compliance exercises, primarily aimed at “ticking a box”, or redundant. I say redundant because, in a lot of cases, when it comes to data leakage or phishing-related ransomware infections, awareness is not going to protect an organisation. It’s not going to prevent the malware running rampant through your infrastructure after a successful phishing attack. Awareness programmes rarely achieve 100% levels of awareness and, if we’re being honest with ourselves, it only takes that one person to click on that one link to cause untold havoc!
Soooo, should we stop doing security awareness training?
The fact is, we can do all the awareness training, all the CBT, all the phishing exercises, and it’s going to have very little impact. Security awareness training, as it is currently implemented, is as dead as a dead parrot.
We need to think differently.
I am not saying organisations should stop talking to employees about cybersecurity. What I am saying is that information security professionals need to change the narrative. Security awareness sessions should be taken as an opportunity to sell the benefits of cybersecurity. For example, the obligatory staff induction, instead of setting out a list of rules (that will most likely be ignored or forgotten), could be about setting out the services the Information Security team provide to the organisation. In short, security awareness should be about promoting the value the information security team provide to the organisation!
How can we do this? Well, it’s not really that difficult. Rather than the futile exercise of trying to educate users not to click on suspicious email links, promote the function of the Security Operations Centre (SOC). Promote how the SOC guys and girls work round-the-clock to prevent hackers from successfully disrupting the organisation. Rather than telling people not to email personal data or intellectual property without permission, show how many incidents the Data Leakage Prevention (DLP) tools have prevented in the last 6 months – and how that number is going down. Rather than positioning the Information Security Team as the Data Police, why not show how many successful procurement projects have been supported by the Third Party Risk Team? There are countless other examples.
Security Awareness is Dead…Long Live Security Awareness
Security awareness will die in 2020…maybe. Like most predictions and forecasts, mine is highly likely not to come to fruition. Some may even see the idea as too radical! If the current security awareness ethos did die in 2020, we should not lament its timely shuffle off this mortal coil. Instead, we should take the opportunity to engage with the business in a much more positive and productive way, showing them how the information security team are a force for good!
About The Author
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.