Author: Rick McElroy, Security Strategist, Carbon Black
In my previous blogs, I introduced 10 questions CEOs should be asking their teams and discussed issues pertaining to team structures and risk management. This week, we dive into the next question:
“Do we have a training and awareness program in place?”
When I work with CEOs, I like to use a safety program within an organization as a parallel to a cybersecurity program. While a safety program is not required in every industry, it is still a good idea for every company to have one.
I once had a manager who formerly managed a safety program for a small trucking firm. The company had under-invested in accident prevention, in training and awareness, and in managing driver sleep time between shifts. The risk of this under-investment was raised numerous times without appropriate action being taken. An incident finally occurred involving a gas truck, an overpass, and a Volvo heading home. The results of this accident were devastating, and the firm went out of business as a result of the litigation.
A cyber incident can have very kinetic results, including loss of life, loss of customers, a damaged reputation, stolen data, lost business up-time, or a class action lawsuit. The threat of a cyberattack is very real. Ensuring your employees are aware of that threat and understand their role in securing your organization is a great way to decrease your risk of an incident.
Safety is a program that requires management and training. Companies with a culture of safety make it visible to the entire organization. We don’t often do the same with cybersecurity.
To create a culture of safety in an organization, time and resources are spent to ensure people are properly equipped, are trained in procedures, understand how to prevent incidents, and know what to do in the event of an incident.
In the Marine Corps, safety is drilled over and over, but they also have videos and training. They show you the accidents, talk about what went right and what went wrong, and you drill the scenarios. When I was stationed on an aircraft carrier as a Marine, we watched a video of the U.S.S. Forrestal blazing away as a jet-fuel fire began lighting off live ammunition. That video led to endless firefighting simulation drills. Yes, even as a Marine, I threw on firefighting gear and grabbed hoses. It was part of our culture on board and part of our daily lives. Incidentally, we later had two fires: an F-18 that caught the wrong wire and an on-board fire. Neither resulted in anything more than a bit more training, and there was no loss of life. Training and constant awareness work.
These are all qualities that a cybersecurity program should share. Safety is everyone's responsibility. So is cybersecurity. As the CEO, you don't need to know all of the ins and outs of the program, but knowing that everyone in the organization has gone through the appropriate training is a good start. Your team should also have specific training for you, the executive team, and the board. They should be constantly educating the entire organization to help ensure your cybersecurity plan is actually being carried out.
People are the key to any successful organization. People are also the key to a successful cybersecurity program. Ensuring they are aware and trained goes a long way toward keeping you out of the headlines and ahead of your competition.