When National Cybersecurity Awareness Month was created 15 years ago, the idea was to help Americans develop safe online practices. Over the past 10 years, the month has had a theme of "shared responsibility," which is a notion that's become a rallying cry in large organizations.
But no matter how much one declares that cybersecurity is our "shared responsibility," there will always be those who pay closer attention than others. We have seen the consequences of this play out time and again in the form of "insider threats." Sure, some of these incidents are nefarious, but many simply result from a lack of awareness. Consider this report commissioned by Shred-it, which specializes in document shredding and hard drive destruction. The findings clearly illustrate that so-called "honest mistakes" represent one of the biggest cybersecurity threats organizations face.
Eliminating honest mistakes should be relatively easy, right? Wrong. It turns out that changing such behavior is a monumental challenge every CISO wrestles with. With that in mind, our CISO Speaks series seemed an ideal forum to look at this issue. In this latest edition, Gerald Beuchelt, CISO of billion-dollar software firm LogMeIn, shares how he and his peers are building a culture of security awareness and accountability. What follows is a lightly edited transcript of my email interview with Beuchelt:
Q: How has a lack of employee security awareness impacted LogMeIn?
A: Before we started a formal Security Awareness and Engagement program, security was not consistently addressed early on in sales and development processes. Security awareness isn’t just about teaching employees what to do with phishing emails—there’s so much more, including developing our products with security in mind. We have seen a really positive and upward shift in engagement with our product teams and have put a major focus on this.
Q: How have you achieved this engagement, and how has it translated to improved security awareness amongst your staff?
A: We have a dedicated Security Engagement team that is responsible company-wide for building a global program that evolves our security culture. From annual trainings people actually love and security news shared on a variety of our internal social channels to the use of digital displays and gamified experiences like security escape rooms, our approach has really changed how our employees view security. We’re not seen as the naysayers or bad guys—our employees reach out to engage and want to make sure they are doing the right thing.
We also have a global Security Champions program that is our link into the product teams. Multi-directional communication is extremely important in a security program. We work from the top-down, bottom-up, and side-to-side to get our messaging across. And yes, it’s true: Security is everyone’s responsibility.
Q: How receptive are your employees to messaging about security awareness? Do they follow guidelines, or do they engage in a lot of rogue activity?
A: It’s a journey to influence behavior change for thousands of employees, and we have started to embark. We have great support from our executive team and the board, which really helps drive adoption. At the end of the day, employees want to do the right thing—it’s just a matter of constant education and communication.
Q: What is your biggest challenge in terms of building employee security awareness?
A: People learn differently—some are more receptive to visual, listening or the ‘hands-on’ approach, and some people are attracted to different types of content—funny, serious, historical background or whatever it may be. And at the same time, providing consistent communication is the key to a strong awareness program. Part of our focus is to make sure we are delivering our security training and materials via a variety of channels. We’ve also included employees in video creations and contests. It gets them involved and excited about it.
Q: Are there certain data assets or applications that you focus on in terms of employee security awareness?
A: It really depends on the user group. Of course, we want to make sure our engineers are developing securely, and that anyone with access to confidential information knows how to properly handle that data. To be effective, we really try to have a holistic program that effectively covers all areas of security awareness.
Q: How do you monitor/measure the success of your efforts to raise employee security awareness?
A: Gone are the days when tracking how many employees took their annual 30-minute security training course was the single golden standard of success. To understand if we are driving a successful security culture shift, we also need to look at things like: How often are our employees engaging with us? Are they reaching out before they download software to ask about a security review? Are we expanding our reach globally and not focusing on a small group of employees? Do we patch quicker? It’s these types of questions that we use to monitor our program.
Q: How do you see employee security awareness impacting the business? Does it bring a measurable bottom line impact? Or is it more about avoiding the disasters associated with internal threats?
A: Security absolutely impacts the bottom line and enables the business. Companies are becoming increasingly concerned with being able to trust that the people they do business with aren’t careless with their confidential data. Having a security awareness program is the “new normal” and a lack of that program will ultimately have a trickle-down effect of more serious security issues.
We tie closely with our sales and care teams to stay in tune with what our customers are looking for and really hear the “voice of the customer.” Earning and maintaining customer trust is at the heart of modern software development and delivery.