A recent report by Gartner highlights the importance of taking a human-centric approach to cybersecurity. According to the report, by 2027, at least 50% of Chief Information Security Officers (CISOs) globally will formally adopt this approach. This is because employees pose the greatest risk to enterprise security, as more than 90% of them admit to undertaking actions that increase their company’s cyber risk.
For a long time, security leaders have struggled to find the right balance between technology and the human element in an effective cybersecurity strategy. By looking beyond awareness and focusing on building a culture of security, organizations can address this imbalance.
The first step towards implementing human-factor security is to cultivate a culture of security from the top down. This involves training and educating employees at all levels about security policies and controls. By ensuring that every team member is aware of the threats they may come across and providing regular training and testing, organizations can build employee confidence in their cybersecurity skills and reduce human risk.
It is also important to go beyond security awareness and build learning processes that work. Merely reviewing a list of security procedures every few months is not enough. Organizations should engage employees in active learning processes that help them internalize and apply cybersecurity best practices in their day-to-day work. Training should be frequent, delivered at unannounced times, and tailored to the specific cyber risks employees are likely to encounter. The goal is to create a culture where every employee forms a human firewall inside the organization, identifying threats and preventing attacks.
Furthermore, organizations should implement tailored training for every role in the organization. Different employees have different security aptitudes, skills, and educational needs. Non-technical employees on a marketing team, for example, will not require the same level of security training as developers or engineers. By providing role-specific training, employees can develop the cybersecurity skills they need to protect themselves and the organization.
Secure code and application security training should also not be overlooked. Developers and engineers must understand cybercriminals’ intents, identify vulnerabilities in their code, and create software and applications that are resistant to potential cyber threats.
Lastly, organizations should create an executive workshop program and continue to provide training and education throughout the organization. C-suite executives set the tone for the entire organization, so it is crucial that they are well-versed in cybersecurity best practices. Executive workshops can help establish a security culture that starts from the top and permeates every level. Regular education programs and effective communication help reinforce good practices and reduce human risk.
In conclusion, Gartner’s report emphasizes the need for a human-centric approach to cybersecurity. By focusing on human-factor security and building a culture of security, organizations can reduce their vulnerability to cyber threats. This requires combining technology with cultural change, transforming mindsets and skill sets to create a lasting impact. By adopting these strategies, organizations can better protect themselves and their employees from ever-evolving cybersecurity risks.
