People, processes, and technology are the three parts of every security program. Sometimes, people make the mistake of believing that technology is the biggest or most important part. It isn’t. It might be the easiest part, since you can make quick changes to technology and buy new things to instantly improve it. But the biggest changes come from people. Changing processes is difficult because it involves convincing people to make changes, but if those people have the information they need, changing processes becomes much more achievable. These three components—people, processes, and technology—need to do three different things: prevent, detect, and respond. They have to do those three things in concert, not haphazardly.
In Happy Gilmore, Adam Sandler plays a failed hockey player who turns into a golf pro when he realizes that he can drive a golf ball huge distances. But that’s all he can do. Every other part of his game needs work.
This is where we are at with Cybersecurity. We are attempting to hit a hole in one every time with technology. In fact, most new security technologies are attempting to keep people out of the equation. The motivation for this is easy to see. The most recent Verizon Data Breach Report says that 95% of data breaches are caused by human error.
Let’s be realistic for a minute. Cutting people out of the loop won’t work. And there isn’t a technology that can eliminate human error. So it’s hopeless.
Or is it? I would argue that we haven’t really tried to change this. Cybersecurity awareness and training accounts for only 1.4% of cybersecurity budgets. Usually, this is made up mostly of annual training that most employees think of the same way they think of other required employee training, a waste of time.
Technology has improved by leaps and bounds over the last decade. So what would improving cybersecurity preparedness look like? Some thoughts:
- Create a cybersecurity newsletter to share real stories about how cybercriminals have affected the business.
- Develop a multi-year training plan for employees that build employee knowledge over time.
- Shift cybersecurity training from annual to monthly in mini-lessons to keep engagement high.
- Measure cybersecurity behaviors for employees regularly and let this guide how you develop your training plan.
- Conduct breach drills for everyone in the company regularly just like fire drills to help make employees more aware of what your procedures are.
- Create an awards program for employees (not just in IT) that recognizes employees for their contributions in protecting cybersecurity.
- Create an incentives program for employees to participate in your program.
Just before the moment in the picture above, another pro in the golf tour gives Happy some advice.  He says, “Why don’t you send him [Cybersecurity] home? His bags are packed. He has his plane ticket. Bring him to the airport. Send him home.“
