The Security Culture Playbook. Perry Carpenter

Читать онлайн книгу.

The Security Culture Playbook - Perry Carpenter


Скачать книгу
be interesting, but they aren't particularly useful. Useful conversations are those that provide context about how cybersecurity concepts and decisions might impact the business, either positively or negatively.

      Here's a way of framing conversations we've found works for making virtually any topic understandable and relatable at an executive level. Think of it as a simple filter or formula you can use to improve your executive communication:

StartLayout 1st Row italic i n f o r m a t i o n right-arrow italic s t o r y slash italic n a r r a t i v e right-arrow italic t r a n s p a r e n c y italic a n d italic m e t r i c s right-arrow italic i n s i g h t 2nd Row italic a n d italic d i r e c t i o n EndLayout

      If you aren't clearly telling your own story and articulating what your data and details imply, then your audience is left to interpret things for themselves. They form an alternate story in their minds, and that's not usually to your benefit.

       If you aren't clearly telling your own story and articulating what your data and details imply, then your audience is left to interpret things for themselves. They form an alternate story in their minds, and that's not usually to your benefit.

      They make assumptions, and those assumptions might not align with reality. That's why it's so important to have a clear understanding of the information you need to share and the story that it tells. After you understand your information and broader narrative, you can work on underpinning that story with relevant metrics and anecdotes. And then you can point back to your metrics, anecdotes, and story to bring your audience to the ultimate conclusions. This is your chance to celebrate your successes, set future expectations, gain feedback, solicit support, and more.

       Telling the Human Side of the Story

      Much of the cybersecurity narrative revolves around technology. We talk about firewalls being bypassed, data being leaked, or servers being hacked; we show images of cybercriminals in dark rooms surrounded by screens filled with indecipherable computer code. When that's the picture of cybersecurity that our people get, it is very easy for them to feel overwhelmed. Making human-layer vulnerabilities and defenses a frequent and explicit part of your organization's cybersecurity conversations paves the way for more human-centric policies, processes, and technologies.

      By consistently referring to the importance of the human layer, you can reinforce the need to engage people. It gives everyone the message that your people share a proactive role helping protect the organization. It opens up more meaningful conversations and helps pave the way to gain buy-in for initiatives that will help foster a stronger security culture.

       What's the Cost of Not Getting This Right?

      Organizations can't afford to neglect the importance of the human side of cybersecurity. As we mentioned in Chapter 1, organizations have been investing more and more each year trying to combat cybercrime and data breaches, and yet the breaches keep on coming. In fact, as we showed in Figure 1.1, the rise in breaches is outpacing the global spend on cybersecurity “solutions.” Why is that spend not paying off? The reason becomes clear when you look at where the security spend is going.

Schematic illustration of cybersecurity spending has effectively ignored the main cause of data breaches

      Does the Breach Problem Mean Security Awareness Has Failed?

      At this point, you might be thinking something like, “But I bet most of those organizations that were breached weren't totally ignoring the human side of things. Surely they were doing some form of awareness training. So what gives? Doesn't that mean that focusing on humans hasn't been effective?”

      That's a great question.

      The entirety of this book is about taking real control of your human-layer defenses. This will require you to expand your thinking about what security awareness training should look like.

      We'll begin that journey in Chapter 3, “The Foundations of Transformation”!

      Let's think about this for a minute. Less than 3 percent of security spending is focused on the human layer, but more than 85 percent of breaches are traced back to humans. That stark contrast between the problem area and where organizations are focusing is shocking.

       Less than 3 percent of security spending is focused on the human layer, but more than 85 percent of breaches are traced back to humans.

      For decades, security leaders have known that humans are the most enticing and vulnerable attack surface; nonetheless, we, as an industry, have tried everything but doing the actual work needed to improve our situation.

      And here we are.

       Cybercriminals Are Doubling Down on Their Attacks Against Your Employees

      Over the past few years, we've seen a meteoric rise in attacks seeking to bypass technology by targeting humans. And it's working. Ransomware continues to make headlines due to large-scale attacks like those that targeted Colonial Pipeline (Fung, 2021), JBS Foods (Reuters, 2021), and Kaseya


Скачать книгу