Cybersecurity Awareness Month: Do Your Part to #BeCyberSmart
October is upon us and you’re probably well aware that it’s been christened Cybersecurity Awareness Month. While this might seem like a cheesy corporate effort to get people to change their passwords, this month can potentially serve as a great opportunity. Cybersecurity Awareness Month is the perfect excuse to revisit your key priorities, increase awareness (and a little know-how), and hopefully create some cybersecurity stewards in your organization.
This year’s Cybersecurity Awareness Month theme is “Do Your Part. #BeCyberSmart.” It is a fitting theme given some surprising findings a recent study uncovered. Earlier this year, TalentLMS reported that a shocking 61% of workers failed a simple cybersecurity quiz (even after having received training). The survey asked some 1,200 employees about their cybersecurity practices and knowledge, and tested them on their ability to recognize cyber threats.
Helping the workforce bone up on their security know-how is a no-brainer, and a great catalyst for considering your larger security operations as a whole. Because the more security savvy your employees are, and the more security-focused your organization is as a whole, the more risk you can drive down across the board.
4 weeks to Do Your Part
Security transformations (just like other operations overhauls and systems modernizations) don’t happen overnight. But using this month as a starting point for these conversations now will help you grease the wheels for a smooth and successful transition to a proactive risk posture.
To make this an achievable goal, we’ve broken down some suggested areas of focus for each week of October.
Week 1: Hold yourself (and your vendors) accountable
Modern IT environments have become increasingly complex and layered, and while there’s thankfully a shift toward simplification, security leaders and teams are tasked with securing more and more. So, where to begin?
Start the month off by taking stock of your security landscape.
- Create an inventory of your tools, programs, and processes that you and your teams use on a regular basis.
- List third-party service providers, partners, etc. that have physical or virtual access to your environment.
- Suss out areas of potential exposure or weakness. This step involves asking the hard-hitting questions of yourself (and your vendors) that can unearth dangers lurking in your ecosystem. Need some help with this interrogation process? Check out these probing questions outlined in How Not To Let Your Supply Chain Leave You Vulnerable.
Week 2: Rally your teams around risk
Too often, Security teams become jaded trying to prioritize thousands (or in some cases, millions) of vulnerabilities with little to no actionable intel, and IT teams are left frustrated and skeptical working an endless spreadsheet of vulns to close. This dynamic can result in friction between the two teams, operational inefficiencies, and a drain on resources.
To alleviate these symptoms and to more effectively lower cybersecurity risk, industry analysts recommend a risk-based vulnerability management (RBVM) approach. Gartner recently identified RBVM as a top security project for 2021. Equipping remediation teams to leverage automated, data-driven prioritization powered by machine learning saves time, money and energy. Security and IT are empowered with clear and actionable marching orders. Leading RBVM solutions also provide a self-service environment, which allows users easy, intuitive access to the data they need, when they need it, removing bottlenecks and democratizing security.
Rallying teams around risk creates a unified and empowering environment, one where remediation teams can more effectively and efficiently secure their organization.
Week 3: Get the board on board
Not only do the boots on the ground need to be aligned to “do their part,” but leadership and stakeholders do as well. Persuading the board to understand the importance of a risk-based approach is an all-too-common challenge and is sometimes where transformative security initiatives can fizzle out. Not everyone can speak security, much less understand basic IT lingo, and board members are notorious for getting distracted by shiny objects.
But this is where real success is won. When your board’s on board, it’s easier to secure support and funding for future endeavors, and to build trust and credibility throughout the enterprise. So it’s imperative that risk be communicated in a way they can understand. Avoid data-heavy spreadsheets and arbitrary KPIs like number of vulns closed; instead, deliver details about the organization’s risk posture like likelihood of a breach, what the impact of a breach would look like, and the plan to reduce that likelihood.
Leadership and board members can do their part in the fight against cybercrime, but not without meaningful reports they can understand. Explore Part 1 and Part 2 of a blog series on making risk matter to the board for more details.
Week 4: Amp up cybersecurity training
Last but not least! The dismal cybersecurity hygiene performance mentioned earlier must not be accepted as status quo. While humans will always pose a great threat to the integrity of an organization’s cybersecurity, there’s ample room for improvement. For employees to step up to the virtual plate and do their part, they need some training first. And required cybersecurity training doesn’t have to be painful or infrequent.
Companies are getting creative by gamifying vulnerability management, and rewarding top performers with pizza parties or some other highly coveted prize (think: tacos, cool sneaks, the latest in techwear, or a rare FunkoPop! figurine). Introducing live discussions and hands-on training sessions has also increased awareness and engagement.
Inviting employees to be active participants in security will help evangelize risk-based efforts and create a security-focused culture.
Security is a communal effort
October doesn’t have to be just one step closer to waving goodbye to 2021. Jump into this Cybersecurity Awareness Month with the intent to ramp up your security efforts and charge others to do the same. When everyone in the enterprise is committed to reducing risk, Security no longer falls solely on the shoulders of the IT department; it’s a company- and relationship-wide effort where everyone pulls their weight.
As our world becomes more connected and the threats become more sophisticated, it’s inevitable that every person, team, and organization is tasked with helping to mitigate cyber threats. At the same time, organizations must work to lock down their environments to eliminate attack opportunities and drive down their risk profiles. A steady state of risk management is the end goal, and the good news is, it’s achievable too.
To learn more about achieving a proactive security posture, explore Kenna Katalyst, an on-demand educational series designed to help kickstart your risk-based vulnerability management program.