The biggest thing keeping chief information security officers (CISOs) up at night isn’t hackers, malware or even new regulations; it’s their own teams. As Ponemon found earlier this year, a lack of competent staff was CISOs’ top-ranked security threat, and 65 percent of CISOs predicted that “inadequate in-house expertise” would be the leading cause of a future data breach.
Instilling good security habits and raising employees’ cybersecurity knowledge is vital for any organization that wants to keep its name out of the data breach headlines. Here are four tips every organization can use to get its new hires up to speed on cybersecurity.
1. Start During the Onboarding Process.
A new hire’s first few days and weeks are demanding. With job duties to learn, administrative tasks to complete, co-workers to meet and a dozen other pressing demands competing for attention, it is tempting to put security on the back burner. Don’t. Onboarding is where expectations get set: if security is treated as an afterthought during those first weeks, don’t be surprised when your employees treat it the same way.
Onboarding is also a good opportunity to teach a baseline of cybersecurity skills and to explain how those skills relate to your organization. For example, the National Initiative for Cybersecurity Education’s NICE Framework organizes a cybersecurity workforce across three levels: high-level categories, specialty areas within those categories and more specific work roles. Regulations and standards that apply to your organization, such as PCI DSS or HIPAA, add their own training requirements on top of that. Telling new hires clearly where they fit into the framework your organization uses sets initial work expectations and gives you a consistent way to identify the knowledge gaps to address as they settle into their roles.
2. Be Flexible in Your Training.
Balancing a new environment, a new workload and continuing education presents challenges that differ from person to person, especially for new hires coming straight from a university setting or moving into an unfamiliar job role. Some employees learn best through short bursts of intense, face-to-face instruction with subject matter experts. Others prefer to build their knowledge gradually with a few hours of self-paced training each week. When addressing new hires’ skill gaps and creating a training plan, don’t lock them into a single training modality. Offer a choice of online, in-person and self-paced options that can be tailored to how, when and where each person learns best.
3. Continuously Patch Your Employees.
Just as you patch software to remove vulnerabilities, employees must be “patched” to keep the human element of your organization up to date and protected. That means regularly scheduled training on current threats, plus opportunities for employees to advance their skills through professional certifications. The threat landscape keeps changing, so employees’ skills must keep pace to defend against new risks rather than stagnate. Beyond making your organization safer, a clear career path and the training to progress along it tend to improve employee satisfaction, productivity and efficiency.
4. Think Beyond Technical Roles.
As organizations move toward a more interconnected and holistic approach to cybersecurity, employee training needs to match that shift. For some employees, cybersecurity carries purely negative associations, particularly for those who have been reprimanded or sent to remedial training after falling for a phishing email, triggering a ransomware infection or causing some other incident. Flipping that perspective so employees feel empowered and rewarded can turn the front line of your organization, an often-reported weakness, into one of its strengths.
Basic controls like multi-factor authentication and the updated NIST password guidance in SP 800-63B (which drops complexity rules and forced periodic rotation in favor of length and screening against lists of known-breached passwords) may be old hat to cybersecurity professionals, but the vast majority of employees have yet to adopt them. For example, earlier this year a Google engineer said fewer than 10 percent of active Google accounts had enabled multi-factor authentication, a simple and proven way to improve account security. When getting new hires up to speed on cybersecurity, don’t limit your approach to technical roles. Think about how to improve cybersecurity training and awareness throughout the entire organization.
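To make the “new and improved” NIST guidance concrete, here is an added example (not code from the original article) of a verifier-side check that follows the memorized-secret rules in SP 800-63B section 5.1.1.2: a minimum of 8 characters, at least 64 allowed, Unicode accepted and NFKC-normalized, no composition rules, no expiry, and rejection of anything on a blocklist of breached, common, repetitive, sequential or context-specific values. The blocklist below is a constructed stand-in for a real breached-password corpus, and the function names are this example’s own.

```python
import unicodedata

# Constructed, illustrative blocklist. A real deployment would load an offline
# breached-password corpus and a dictionary here instead of a handful of words.
BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "123456", "qwerty",
    "letmein", "welcome", "iloveyou", "admin",
}

# The fixed reason strings the checker can return.
TOO_SHORT = "shorter than 8 characters"
TOO_LONG = "longer than 64 characters"          # 64 is the smallest cap 800-63B permits
BLOCKLISTED = "in breached/common password blocklist"
PATTERN = "repetitive or sequential characters"


def normalize(secret: str) -> str:
    """NFKC-normalize (as 800-63B recommends) so visually identical Unicode
    forms compare equal, then casefold so blocklist matching ignores case."""
    return unicodedata.normalize("NFKC", secret).casefold()


def is_repetitive_or_sequential(s: str) -> bool:
    """True for strings like 'aaaaaaaa', 'abcdefgh' or '87654321'."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_memorized_secret(secret: str, context_words=()) -> list[str]:
    """Return the list of reasons the secret is rejected; an empty list means
    it is accepted. Deliberately enforces NO composition rules (mixed case,
    digits, symbols) and NO expiry: 800-63B says not to, so they are absent
    on purpose. Spaces and any printable Unicode are allowed.

    context_words: values specific to this user or service (username, company
    name) that the secret must not contain."""
    reasons = []
    if len(secret) < 8:
        reasons.append(TOO_SHORT)
    if len(secret) > 64:
        reasons.append(TOO_LONG)

    candidate = normalize(secret)
    if candidate in BLOCKLIST:
        reasons.append(BLOCKLISTED)
    if is_repetitive_or_sequential(candidate):
        reasons.append(PATTERN)
    for word in context_words:
        if normalize(word) in candidate:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    # "P@ssw0rd" satisfies every legacy complexity rule and is still rejected,
    # because it is on every breached-password list; a long passphrase with no
    # symbols at all is accepted.
    for pw in ("P@ssw0rd", "abcdefgh", "correct horse battery staple", "jsmith2024!!"):
        print(repr(pw), "->", check_memorized_secret(pw, context_words=["jsmith"]) or "accepted")
```

The design point for an awareness program is visible in the output: the checker says nothing about uppercase letters or symbols, and it never asks the user to rotate a password on a schedule. What it does instead is refuse the values attackers actually try first, which is the behaviour employees should be taught to expect from a modern password policy.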