While cyber security awareness training is gaining traction within organizations as a critical part of an overall security strategy, there's much to be understood by leadership and implementing a program effectively.
Dr. Alexander Stein shared his insights with our community from his extensive work as a psychoanalyst whose expertise in human decision-making and behavior has been sought after by executives, founders, and directors on topics of leadership, culture, governance, ethics, risk, and more.
Changing perspective
"Cybersecurity is a human issue that involves technology, not a technology problem that can be solved technocratically."
To begin, Dr. Stein recommends shifting our perspective to view the individuals within an organization as a collection of people in a human ecosystem rather than a problem of predators and victims. It's known that cybersecurity and the threats to an organization go beyond malicious threat actors to include negligent insiders, a lack of safeguards, and/or the improper implementations of security protocols.
With all these disparate elements at play, how does one go about building a resilient culture of security within a business?
When assessing a company's security awareness mindset, Dr. Stein distinguishes between three different categories of cyber security awareness. These are:
- Content
- Environment
- Self
Content Awareness includes the policies, procedures, and cyber security training employees receive. It involves the information one needs to know specific to the business or industry.
Awareness of Environment focuses on those things that are particular to the enterprise in which an individual works, or the area of the enterprise that they're in. For example, people working in a call center will not have the same security environment as those who are in executive management.
Self Awareness is the "most complicated and nebulous and least understood of the three, but the most critical", according to Dr. Stein. This requires individuals throughout the organization to understand themselves and recognize their own personal, individual triggers, strengths, and vulnerabilities.
The challenge lies in that traditional cyber security awareness training focuses on the first two categories of awareness - content, and environment - while lacking the most crucial aspect of self-awareness. Both content awareness and awareness of the work environment are important, but lacking the third piece of the puzzle leaves the traditional model "woefully inadequate".
Dr. Stein states, "Deep sophisticated awareness enhancement, not just training, means you have to understand what happens to people when certain things happen. Social engineering, phishing, scamming - typical techniques that occur by and large involve stressor events which [aim] to deprive or degrade an individual's high level executive functioning so as not to think but act now.
If people have no idea what happens to them in moments of duress or understand what their relationship to pressure or authority is, they're just going to respond on a primitive level. So there's going to be a significant gap between the design of the program - which may look great and have buy-in from everyone in the C-Suite and the Board - and how it actually plays out because the people are not conforming to the design."
Dr. Stein works to bridge that gap between program design and individual responses to help organizations understand what's happening at the human level of awareness (of self) to support those who need to be able to or expected to perform differently to change their behavior.
Talking with the Leadership about Cyber security awareness
The awareness of self is no easy feat to help a single individual, much less an entire organization. How does one go about speaking to leadership who themselves may not have the understanding needed to value such a holistic security awareness program?
Indeed, to be successful starting such a conversation requires a particular orientation of mindset from leadership that these types of programs are valuable and should not be dismissed. However, more often than not, Dr. Stein is called post-incident to bring his proverbial mop and pail as opposed to his whiteboard.
While crises do have the benefit of shining the light on the importance of security as a whole, Dr. Stein notes that there is a tendency in incident response to fixate on 'righting' the crisis as opposed to analyzing and addressing the root cause. Failure to do so leads to cyclical reoccurrences. "Invariably, something needs to trigger the thinking, not just the forward-thinking, that [security awareness] is really important and let's do something about it and let's address it in a non-conventional way...[however,] not every leader is oriented to think that way; nor the board willing to take that on." On top of the leadership's perception, there is also the consideration of an organization's stance on progressivism vs conservatism and an industry's risk appetites and tolerance - which includes steps taken to mitigate those risks.
Dr. Stein notes there is a whole range of issues at play in organizational decision-making. Borrowing from well-known security professional Bruce Schneier he shared "Security is made of two things - a feeling and a reality. You can feel secure, but not be it or be secure and not feel it."
Security Awareness Managers - What to do?
Given the many moving parts that work to properly secure an organization, professionals who don the hat that is the Security Awareness Manager should remember that "great leadership doesn't entail doing everything yourself, it involves understanding how to build a great team. So if there are things that you're not so good at that are actually important to fulfill the capabilities of the functions that are in your brief of work, get those people around you and consult with them."
Dr. Stein also notes that another aspect that is starting to gain traction but is still evolving is the importance of elevating the information security function to the executive level. According to him, not having the CISO as part of the C-Suite already flags an internal vulnerability.
"Cybersecurity is a harmonization and collaboration between and among many different functions and stakeholders in an organization."
Building a Robust security program
In an ideal scenario where Dr. Stein is called in with his whiteboard to strategize solutions for the business and proactively mitigate potential risks, he first likes to do a diagnosis of the current status of the company. He looks at the current state of the company; its history and where they've come from; and why they are where they are now. He also assesses from the stakeholders what they think is working well; what are they challenged by and what is their understanding of why that is; and what they think needs to be done to address the issue.
Doing a deep dive discussion on these topics provides better insights that lay the groundwork for building a more robust security solution. "You cannot build a sustainable solution for things, which includes not just solving problems but mitigating potential problems unless you really understand what the problem is and what the problem sets are."
Tying the human aspect into this assessment depends on where the focus areas are. In the example of helping design a security awareness program, he noted many organizations have a binary approach. In the instance of a phishing simulation, many times the reports merely demonstrate employees got it 'right' or 'wrong'. While this is a starting point for gathering intel to better understand the state of employee ability, it's missing the crucial aspect of 'why'. "The fact that somebody got something 'right' or something 'wrong' tells you something but not enough to really be able to make a robust determination around what else needs to be done or not done to fortify them."
When asked how to scale such an individualized assessment for large organizations he recommended the utilization of such tools that involve the 'why' questions which can allow you to capture narrative responses. Including questions such as "what were you thinking about?" "what was going on at the time?" "were you distracted?", etc will provide qualitative data to enrich your data sets to better guide the direction needed for the company overall.
"It is critical to understand awareness is not a behavior. There is psychologically a difference between understanding something and doing something different. Lots of people know what's right and wrong, what they should and shouldn't do, but they do those things anyway...part of the [security awareness training] process is building a bridge that connects the cognitive component with the behavioral component.
The idea that many organizations have is that all you have to do is enhance awareness and the behavior will change, is a cardinal misnomer that handicaps the project before it leaves the door."
While Dr. Stein's consulting service (Dolus Advisors) is always available as a resource for companies, the main resource he encourages business leaders to utilize is thinking for themselves about what it is they think they need and not just going out into the marketplace to buy the most flashy tech or consulting services. While each has its place, every organization is unique in its needs, features, risks, culture, and challenges. "You can't just buy a generic product and think it's going to solve all your problems."
Connect with Dr. Stein on LinkedIn and while you're there check out our Security Awareness Manager community.
Resources from Dr. Alexander Stein:
Featured Podcasts with Dr. Stein
Wizer Panel: To Phish or Not to Phish
Looking for awareness training that is short, relevant and engaging? Check out Wizer’s free security awareness video library.
