Building a Resilient Cybersecurity Culture
Naveed Islam, Chief Information Security Officer at UK-based payments company Dojo, argues that people are the first line of cybersecurity defense
In the last couple of years, we have seen a rapid increase in cyber-attacks that target people over technology. But are people really the weakest link in the cybersecurity chain?
In this episode of the Business of InfoSec Podcast, Naveed Islam, Chief Information Security Officer for UK card payments company Dojo, argues that developing a collective understanding of and responsibility for cybersecurity is essential if staff are to become the first line of defense against cyber-attacks.
“There is [an] adage which I strongly disagree with – ‘The people are the weakest link.’ I don't believe people are the weakest links,” Islam says. “I do truly believe people are the first line of defense if given the right capabilities.”
He continues: “At the end of every single device, whether it's a laptop, keyboard, iPad, whatever, a person is operating it. So, from a cybercriminal perspective, it becomes the most obvious route into an organization.”
Engaging Staff in Cybersecurity Training
Most staff understand the basics of the cyber threat, Islam believes. But it’s crucial for cybersecurity leaders to help staff understand the nature of the threat to their business.
And while e-learning has its place in cybersecurity education, it’s important to engage staff in various ways and to make cybersecurity training fun and engaging.
“We are about to roll out a lot of immersive events, things like cyber puzzles, escape room-type concepts, which require in-person engagement,” Islam says. “[We’re] taking the model of not always trying to do something digital – people get fed up after a while of just staring at a screen. So, this is a bit of fun with education fitted in.”
Islam also believes that elements of cybersecurity training should be focused on specific teams and business functions, and these messages should be tailored to the target audience.
“There are different ways of engaging. [For example], there's very focused awareness that we're trying to do with the engineering community around cyber threats in development. To think about threats slightly differently. Whenever you develop something, for example, always think of how someone could exploit it.”
He continues: “There are different levels in any organization. There is no one-size-fits-all. It just depends on the messaging you're trying to land and which community you're trying to land it with.”
Developing Multiple Cybersecurity Touchpoints
All too often cybersecurity is seen as a function designed to say ‘no’. To win buy-in from staff, Islam believes that CISOs should focus on raising awareness about how cyber threats affect the organization and developing a sense of shared responsibility.
“As soon as people are told to do something, if it becomes a mandatory thing, you get less acceptance for it,” Islam says. “You need people to adopt it. People need to come to you as opposed to you pulling them in and [saying]: ‘You will do this because I'm cybersecurity’.”
Instead, a combination of approaches is needed to place cybersecurity in its proper business context. By increasing the number of touchpoints that each staff member has with cybersecurity, CISOs can more effectively ground cyber awareness in the day-to-day work of their staff.
“It's then [about] building a program, giving bite-size chunks often and in an innovative and fun way. I think that's what I've learned most – it needs to be fun. Otherwise, it's just seen as security telling me to do some more stuff,” Islam says.
Ultimately, Islam believes that cybersecurity must become an integral part of the overall culture of the business if awareness programs are to be a success.
“The starting point is always to understand the culture of the business,” Islam concludes. “Because if you launch a people-focused program that is completely opposite to what the [business] culture is, it won't go anywhere.”