If you had a choice between doctors to perform surgery on you, which would you pick: a doctor who has sat through training on how to perform an appendectomy; or assurance that your doctor will successfully perform your appendectomy?
The answer seems obvious, but on the topic of dealing effectively with human vulnerabilities in cybersecurity, most of us seem satisfied with “awareness training.” It’s a check-the-box response to regulatory compliance or client demands. Sign everyone up for an on-line phishing exercise and you’re done. Yet the consequences of ineffective training can be dire. You will most certainly lose productivity, you’ll probably lose money, and you may lose the company.
This is not to say that awareness is unimportant. But raising awareness is just the first step in effective cybersecurity defense. Employees—and management—must come to understand why and how security incidents occur and learn how to recognize and guard against them. In other words, you must develop assurance that everyone in your organization is equipped to protect the company and its assets.

How to gain assurance against human security vulnerabilities