A Fresh Perspective on Human Risk Factors

Town Hall Insights
New York CISO Community
OCTOBER 2023

Oz Alashe, CEO & Founder, CybSafe (MODERATOR)
Ian Rathie, Managing Director, CISO, Fitch Group (GOVERNING BODY HOST)
Stacey Romanello, RISO, Royal Bank of Canada (DISCUSSION LEADER)
Bob Brown, CISO, Federal Home Loan Bank of New York (DISCUSSION LEADER)
Carlos Lyons, VP, Global Chief Information Security and Compliance Officer, CGS (DISCUSSION LEADER)
Mikhail Falkovich, CISO, Con Edison (DISCUSSION LEADER)

Is your organization one of the many that are moving too slowly in addressing the human risk elements of security? At the heart of the problem is a misunderstanding of the human factor when it comes to cybersecurity. Many executives believe the only contributing factors are employees’ knowledge and understanding of security risks. Research now suggests there are even more factors for CISOs to investigate and navigate.

CISOs in the New York Community gathered recently to discuss and share which human risk factors they might be missing, how to strengthen their knowledge of those factors, and how to equip their security teams to act on it.

Oz Alashe, CEO and Founder of CybSafe, set up the discussion, with Governing Body members Ian Rathie, Managing Director, CISO at Fitch Group; Stacey Romanello, RISO at Royal Bank of Canada; Bob Brown, CISO at Federal Home Loan Bank of New York; Carlos Lyons, VP, Global Chief Information Security and Compliance Officer at CGS; and Mikhail Falkovich, CISO at Con Edison, leading the small group breakout discussions.

Human Risk Factors

CybSafe CEO and founder Oz Alashe opened the discussion by sharing research on human risk factors and why organizations may be overlooking some of the risks employees pose. He explained that companies primarily focus on employees' knowledge and understanding of security, but not necessarily on their behaviors.

Alashe noted that "less than 15 percent of users who complete security awareness training actually change their behavior." So, while companies can test employees' knowledge, test results do not necessarily correlate with changed behavior. He said other factors to consider include employees' confidence in their understanding of cybersecurity, their digital hygiene, and their access to data and technology.

Alashe also pointed out that security leaders can be challenged by deciding what to measure. With 74% of security breaches involving a human element, security teams need visibility into these risk factors. He shared an open-source database of security behaviors that can help CISOs identify what they should be monitoring.

Key Takeaways from the Discussion on Cyber Awareness & Behavior

1. Most organizations are focused on security basics: employee knowledge and understanding.

While there are multiple human risk factors to consider, including employees’ attitude and confidence, CISOs are primarily focused on the knowledge and understanding of their employees. One CISO agreed that a lot of security awareness is about “improving what employees know.” Another shared that “information security is kind of foreign to people,” and leaders need to make connections to different roles and responsibilities internally to help create relevance. Others in the discussion asked their peers how to know if employees are guessing in their training answers and how to account for employee attitude.

Other human risk factors include what data and technology different employees have access to, and many CISOs are looking at that information in their risk assessments. Some executives are also considering “digital hygiene,” or what employees do on personal devices that could impact their work. One CISO mentioned that instead of focusing on “just suboptimal behavior,” executives should observe all employee behaviors. Another security leader added that it’s “easier to deal with behavior than a breach.”

2. CISOs are making cybersecurity awareness more engaging.

Security leaders are actively trying to make security training and awareness more memorable and engaging, including running cybersecurity escape rooms and capture-the-flag competitions. CISOs agreed that security training can become boring for employees and needs to be refreshed or offered in a different way. Many security leaders said they are trying novel techniques, such as gamified training, live-action training, and competitions. One CISO pointed out that if they don't get people to engage, there is a lot of "waste" in training efforts and resources.

They reported higher participation in these novel formats, but also said they still run standard phishing campaigns on a regular basis. The "who clicked and who reported it" style of campaign provides valuable data to their teams. Another CISO shared that their team publishes a personal security guide annually, offering security tips for employees' families, which drives a lot of engagement and raises security awareness in a different way.

3. Measuring human risk factors is a challenge.

Measurement is the most difficult part, but CISOs are using data in a more sophisticated way to evaluate risks and tailor their training to specific departments. One CISO said they are identifying which types of employees are most heavily targeted by attackers and adjusting their responses and training accordingly. Another security leader noted that they are using data to make their training more effective and to "move from training them to helping them." One CISO noted that it is hard to measure "conduct," and another said they feel audits are necessary. Another executive shared that even with all of the education and training, their team has to prepare for a breach and build security controls that account for "bad behavior."

To continue the discussion on cybersecurity, security awareness, and human risk factors, join New York CISOs at their upcoming Executive Summit, or check out our calendar for opportunities in your region. You may also apply to join a CISO community near you to continuously stay up-to-date with your CISO peers.