Train, don’t shame

Welcome to the new 459 cyber warriors who joined us last week. 🥳

Weekly insights from the Black Hat MEA community. Read exclusive interviews with industry experts and key findings from the #BHMEA23 keynote stage.

Want to receive our weekly newsletters on LinkedIn? Subscribe here.

📣 This week we’re focused on…

The reality that organisations have to think about cybersecurity – not just once or twice, but every day.

We asked Abdullah ALSaadoun (Manager, GCC & LEVANT at NetWitness) what most people don’t understand about cybersecurity, and he said:

“There are no shortcuts to security and no silver bullets, cybersecurity is not a tool. Many organisations look for simple ‘deploy and forget’ solutions in the hope they would solve their security challenges with little to no overhead on security teams.”

But, AlSaadoun added, “threat actors are very agile, constantly evolving, adapting quickly to new trends, and are able to very quickly adopt new techniques and exploit within their toolsets. The question is not whether a breach will happen, but when it will, and once it does, are we able to detect and investigate it.”

A shift in mindset: Cybersecurity is not a tool 🛡️

What these words point to is the need for a collective mindset shift: people at every level of any organisation need to stop thinking of cybersecurity as a tool they can plug in and ignore, and instead embrace it as an approach to business. Security needs to be built into the fabric of operations – not just technologically, but also in the skills and thought processes of every team member.

Which is huge. It’s a cognitive leap as well as a learning leap.

We’re not the first to say it

We know – we’re far from the first people to point out that a mindset shift is needed.

The World Economic Forum has urged for a new focus on cybersecurity orchestration opportunities; for robotic press automation to strengthen manual processes; and for new models for managed service and delivery.

Forbes council member Kumar Ritesh wrote that organisations need to move away from an event-driven mindset, which largely just reacts to vulnerabilities and breaches as they’re detected, and instead cultivate an intelligence-driven mindset – in which a ‘proactive hunt for threats’ is the core purpose of cybersecurity infrastructure.

But as organisations grow their complex networks of IoTs and endpoints, there’s a need for everyone with a device in their hand or home to understand how they can contribute to an organisation’s overall security. And importantly, to feel empowered and motivated to embrace that role.

🚫 Train, don’t shame

Here’s the thing, though: if people don’t know, they don’t know. The way people feel about their cybersecurity knowledge is often akin to the way people feel about personal finance: there’s an expectation that they should know how it works and what to do. And they feel quietly ashamed that they don’t.

But no one’s ever taught them or pointed them towards the information they need in order to learn.

So instead of embracing the possibilities of learning new skills, they hide their shame – and in doing so, conceal the fact that they’re not exactly sure what they need to do to protect their organisation against breaches, or to minimise the impact of a breach when it happens. This means that shame itself becomes a cybersecurity vulnerability: it’s an emotional obstacle standing in the way of effective, efficient, collaborative security.

As ALSaadoun said,

“Cybersecurity is not a single department working in silo. Every department, employee, contractor, third party provider…has a role in the security of the organisation, hence the need for continuous awareness, training, assessment; and unified full visibility across all users and functions, whether on-prem or in the cloud.”

It’s the job of people who do know, then, to provide that training and knowledge. And to do it in a way that pushes shame out of the room so teams can feel inspired about stepping into the cybersecurity space.

Read our interview with Abdullah ALSaadoun: MENA cybersecurity and crucial client blindspots.

💬 Share on Twitter

Black Hat MEA is back again from 📅 14 - 16 November 2023. Interested to be a part of it? Register now.

Join the conversation online using #BHMEA23 and @Blackhatmea.