What If YOU Could Prevent The Biggest Hack Ever?

This post was published on the now-closed HuffPost Contributor platform.

Your friends claim it’s the “best show ever.” Rolling Stone lists it among the “100 Greatest TV Shows of All Time.” Yet here we are, coming off a weekend in which it was spoiled… by hackers. SHAME!

Yes, of course I’m talking about HBO’s Game of Thrones and the hack that threatens to expose secrets even Lord Varys’ “little birds” don’t know. If you’re a super fan, you’ve probably already written the script for a battle that brings these digital thieves to light.

The thing is, figuring out who’s behind the hack will take time. But if I were on the case, I’d start by looking INSIDE the company. Why? Because the data we have says roughly 60% of attacks involve insiders. Usually these are people with no malicious intent. They’re good employees or partners who want to protect valuable company information, yet they use weak passwords, give sensitive information to the wrong people, fail to dispose of data properly, or click malicious links. That’s why security is such a big business.

Gartner reports worldwide spending on information security is around $75 billion. That’s a big number, but the money is primarily going to security products and staffing. While those are critical investments, we need more funding toward the root of the problem: education. And we know that dollars spent on education pay off. In fact, a Ponemon Institute study found that average-sized organizations can expect 50x yearly ROI on cybersecurity training.

Cybersecurity spend is up, but awareness programs are taking a back seat

With those results, you would think business leaders focused on ROI would be all about training programs. But let me ask you this: How great is the security training program at your company? If you’re at Purdue University, or Kimberly-Clark, or AbbVie, I happen to know you’re answering with a resounding “Great!” The Chief Information Security Officers (CISOs) I’ve talked to at those organizations are passionate about education and make it a top priority. But if your company is like many others, your response is likely, “What training?” or “It’s dreadful.”

The truth is, most companies have little to no budget set aside to train their insiders on cybersecurity. Organizations are meeting minimal compliance regulations, but they’re not investing in proactive, effective training programs. Why?

The SANS Institute reports that over 50% of security awareness teams work with a budget of $5,000 or less. Part of the problem is executive support: more than one third of security teams say they don’t have the leadership backing they need to develop and manage effective programs. But I suspect the lack of support doesn’t mean a lack of interest from executives. More likely, it reflects an overabundance of priorities for the CISO. They not only have big technical and educational roles to fill, they also have a lot of groundwork to lay with their peers. Fast Company calls the CISO position the “hottest seat in corporate America today,” and it’s not a role for the faint of heart.

CISOs have a hot seat in more ways than one

CISOs must manage risk for the organization, build and oversee technology solutions, act as a strategic leader who provides constant guidance to the business, and be a skilled communicator who can partner with executive staff and business units across the company. Oh, and their security teams are constantly expected to do more with less, all while top talent is being recruited away in a highly competitive, understaffed job market. Did I mention that technology is evolving every second? New devices are coming online, threats are growing every minute, and attackers are becoming more sophisticated.


Suffice it to say there are reasons cybersecurity education has taken a back seat. But if more businesses invested in cybersecurity training, think of the headline-news breaches that wouldn’t have happened. Think of the brand values that wouldn’t have tanked. The jobs that wouldn’t have been lost. Your Game of Thrones secrets that wouldn’t have been spoiled…

But never let mega-breach headlines or political hacking stories frame digital security as a problem for everybody else. After all, it’s YOU who connects to the internet… or at least 3 BILLION of you do, according to the United Nations. So, let me ask you this:

If you could prevent a tragic cyberattack from happening, would you?

Of course you would. And you can. If we all started treating cybersecurity like the Surgeon General treats a disease outbreak, we would make a massive impact on the safety of our connected world.

The first thing we need to do is initiate a global education campaign on cyber hygiene—one that is government-funded and far bigger than what we have today. We need the full support of world leaders and private sector organizations to make it happen. My Huffington Post article, “Safe Cyber Is The New Safe Sex,” gives a passionate plea on this life-threatening issue.

The second thing we need to do is shift corporate thinking on security from product strategy to security training programs. While new technologies are always welcome and obviously very important, what we need is a more balanced investment within IT budgets for awareness training.

If you’re an influencer on this topic at your company and need a head start, check out the SANS Institute or the Ponemon Institute for top-notch training programs. And when you need a bit of inspiration, remember what Nelson Mandela said: “Education is the most powerful weapon which you can use to change the world.”
