Eight ways microlearning makes security training more effective
Find out how microlearning can increase cyber resilience in your organisation and improve employee engagement with cybersecurity training.
Read MoreAt #BHMEA22, a panel of CISOs discussed issues around data protection, privacy, and disinformation campaigns – with a focus on the risk of insider threats. Jaya Baloo (CISO at Avast) asked each of them to share the most important lessons CISOs should consider if they want to do a better job of information protection and incident response.
Here’s what they said.
“I think transparency, compliance, ethical rules, and risks should be well documented and well known,” Aggio said. And the critical points he suggested all CISOs should keep in mind are:
“Because privacy is a major nightmare,” he added. And after an attack, the integrity and reputation of your brand might be among your most valuable assets, and there’s real potential for a data breach to cause real destruction to that reputation.
You need to ensure that “rules are clear, expectations are clear, policy is clear as well.”
And finally, build a really robust awareness campaign across your organisation: “Make sure that you have training and awareness that is embedded in the day-to-day work — not a one-off checklist.”
“One, it’s very important to be proactive and not reactive as regards to keeping up with privacy regulations. All these regulations have due dates, so you need to give yourself enough time to make sure that your program evolves to make sure it is compliant with any changes to privacy regulations.”
“Two, utilise third party law firms as much as possible, so they can clearly explain to you what needs to be done and whether you're impacted by any regulatory changes.”
“And lastly, cyber incident response when there is a data breach. Every regulator has different notification time periods when there is a breach. So you need to be well aware of that in the regions you’re operating in, and make sure that you’re updating your incident response plan to highlight any nuances between each region.”
“For me it always comes back to why are you there – what’s the business about? It sounds very trite, but that’s the reality – you’re only there for one reason so you’ve got to figure out for each of those senior stakeholders what they actually care about. They’ll then become your champions for you, and actually they’ll start to take risks with you.”
“If you look at the rest of your management team, they’re already mutually supporting each other – the COO, the CMO, the CEO – and so how do you emulate that behaviour?” For Staniforth, this is a key aspect of your role as a CISO; and as a result of the rapid transition to digital over the last few years, it’s more important than ever. Because CISOs are more important than ever; and increasingly, the work of the CISO has a direct impact on business operations and success.
Alongside that growing importance of the CISO role, the role itself is also shifting, and becoming more intertwined with broader business operations. Staniforth added, “Always be prepared to do something you don’t think is a traditional CISO role. I’ve run procurement teams, finance teams, facilities – all as the CISO. Because you’re there to be part of that team.”
And finally: practise your incident response plan. “I’ve been involved in three or four major breaches. It never goes right. And it’s about understanding who your key partners are; and understanding why you’ve made decisions (even if they’re bad ones) during that investigation.”
“Every CISO should also focus on building a good team, training them well, and empowering them to work. Because there’s only so much a CISO can do alone.”
It was a brief but critical final point: your team really matters. And that means the broader team across your organisation, too – part of your job as CISO is to empower other departments to engage in security practices, and to embed security champions in different departments.
Baloo summed the discussion up like this:
“Keep it transparent, make sure you keep it well documented, align with the rest of the company; practise practise practise; and finally train up your team so that you have excellence in the people that are actually supporting you during such work.”
Want more straight-to-the-point advice to support you in your role as a CISO? Join us at Black Hat MEA 2024. We can’t wait to see you there.
Join the newsletter to receive the latest updates in your inbox.
Find out how microlearning can increase cyber resilience in your organisation and improve employee engagement with cybersecurity training.
Read MoreFind out how microlearning can increase cyber resilience in your organisation and improve employee engagement with cybersecurity training.
Read MoreWhat is cyber poverty, and why do cyber inequities affect all organisations and industries? Learn how cybersecurity practitioners can work together to close the cyber poverty gap.
Read More