Top 5 behavioral security challenges CISOs face and how to deal with them

By Yariv Hazony

March 28, 2022

A CISO’s job is highly demanding. They’re directly responsible for their organization’s cyber security and, among other challenges, have to prevent employees from unknowingly aiding hackers to penetrate the organization.

In our daily conversations with CISOs, we’ve noticed that when it comes to behavioral cyber security, the same five challenges keep coming up. In this post, we address these challenges and suggest the best ways of tackling them.

Challenge No.1: Our employees make cyber behavior mistakes unintentionally. We want them to be more involved in preventing this.

How to make them more engaged:

Solution No.1: Peer-to-Peer learning.

Creating an environment in which employees discuss, interact with, and learn from each other will inspire them to follow good examples and adopt positive cyber security habits.

This can be done in the form of chatbots, peer groups on platforms such as Slack, private social media groups, internal wikis, etc. The idea is to generate a healthy and fruitful discussion. In order to kickstart the conversation, assign a few trusted team members who can share their own thoughts and act as role models (role models have an extra benefit: people mimic the individuals around them, whether consciously or subconsciously).

Solution No.2: Empower with resources and track comprehension.

Make sure to provide your employees with relevant cyber behavior security resources they can access at their own time and pace, without any pressure. Combine this theoretical knowledge with practical employee activity tracking.

Offer support and education based on employee roles and responsibilities. Deliver relevant content with data-driven personalization that, over time, zeroes in on which lessons each employee needs.

Measure and understand people’s knowledge, understanding, and confidence.

Solution No.3: Simplicity is key.

Traditional security awareness solutions may be too complex, long, boring, or simply not relevant enough. Instead of overwhelming your employees, offer them quick, applicable tips. Break content into frequent and engaging bites and weave them into their daily routines exactly when and where they need it most. This will allow them to retain information longer and more effectively.

Solution No.4: Listen to your employees and adjust in accordance with their needs.

Lead with their priorities instead of yours. Develop a training program that is relevant to them, interactive, updated, clear, and stimulating. Engage them through well-established techniques such as personalized interactions, gamification, informative and engaging videos, and contextual intervention.

Do this consistently and don’t shift to cruise control. Make sure to communicate and ask for feedback.

Challenge No.2: Changing behaviors requires knowledge and soft skills beyond us. We’re tech guys.

How to shift mindsets:

Solution No.1: Behavioral psychology is your best friend.

Use insights and best practices from psychology, such as positive reinforcement, to design your approach and successfully drive change in employees’ cyber behavior. This will help employees clearly understand the consequences of poor cyber decisions as well as the benefits of proper cyber behavior.

Solution No.2: Contextual training.

Identify unique teachable moments for every employee and deliver short, easily digested lessons for each of these moments. For instance, train your employees based on their real-life actions. If an employee tends to forget their password (i.e. they submit too many “forgot my password” requests), offer them safe password training (e.g. explaining the use of a password manager, and the like). If they often visit unsafe websites, offer them training on safe browsing.

Solution No.3: Scientific evaluation.

Understand what works in changing cyber behavior and why. The factors that affect people’s behavior can be categorized into three groups:

  1. social

  2. environmental

  3. personal

Consider what category each problematic behavior falls under. Identifying that will help you analyze, understand, and, as a result, figure out what will likely make an impact on the employees’ behavior.

Solution No.4: Facilitate positive business-to-consumer (B2C) employee experiences.

This can be done through the use of apps for mobile learning, gamification, content onboarding, as well as the user-friendly and consistent design of security tools and training modules.

This will make it easy and convenient for them to acquire knowledge and develop proper cyber decision-making skills to transform their behavior.

Challenge No.3: We don’t know how to measure and quantify behavioral security risk. 

How to take control of your data:

Step No.1: Look at your existing data silos.

You can extract information about actual cyber behavior events within your organization’s existing data silos. This can be secure email gateways, endpoint protection suites, phishing simulators, and others. Mapping out this data will give you a detailed overview of your organization’s cyber behavior risks – including the who, the what, and the where.

Step No.2: Cluster and benchmark the data.

The information from these events can be clustered by group, department, and location. As such, it can also be correlated and consolidated with your organizational risk matrix, and predictive algorithms can be applied to measure and anticipate individual and group risk scores.

Step No.3: Create an action plan.

Once you have all this consolidated information, you can generate clear action plans for risk mitigation. 

This leads us to our next challenge:

Challenge No.4: How exactly do we develop an action plan?

An organization’s action plan should contain comprehensively organized, personalized, and engaging feedback and training. This includes listing targeted risky cyber behaviors and corrective real-time tips to help employees better understand both risky and favorable behaviors. It should also include security controls based on individual and group risk.

Solution No.1: Ditch the “one-size-fits-all” approach.

An approach that treats everyone the same in terms of risk has no place in an efficient action plan for a cyber behavior crisis. Instead, individual controls should be introduced, set on the basis of an employee’s past cyber actions, level of access, and how frequently they are targeted by social engineering. 

Solution No.2: Benchmark the data to comprehend your priorities (understand who to deal with first).

Not all of your employees pose the same cyber security behavior risk. Keep track of their individual actions and aggregate this data to understand which employees’ behavior is the riskiest. These are the employees you need to prioritize in terms of security awareness training. 
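The clustering and benchmarking described in Challenge No.3 (Steps 1 to 3) and the prioritization described here, as an added illustration that is not part of the original post or of any Dcoya product. It assumes events from the existing tools (secure email gateway, endpoint protection, phishing simulator) have already been exported as records tagged with employee, department and site; the event weights and sample records are constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (not real data): one record per cyber-behavior
# event surfaced by an existing security tool, tagged with employee metadata.
EVENTS = [
    {"user": "alice", "dept": "finance", "site": "nyc", "source": "phish_sim", "event": "clicked_link"},
    {"user": "alice", "dept": "finance", "site": "nyc", "source": "email_gw", "event": "opened_quarantined"},
    {"user": "bob",   "dept": "finance", "site": "nyc", "source": "phish_sim", "event": "reported"},
    {"user": "carol", "dept": "eng",     "site": "tlv", "source": "endpoint",  "event": "blocked_download"},
    {"user": "carol", "dept": "eng",     "site": "tlv", "source": "phish_sim", "event": "entered_creds"},
    {"user": "dave",  "dept": "eng",     "site": "tlv", "source": "phish_sim", "event": "reported"},
]

# Assumed weights: how much each observed behavior adds to an employee's risk.
# Reporting a simulated phish is a favorable behavior and lowers the score.
WEIGHTS = {
    "entered_creds": 5, "clicked_link": 3, "opened_quarantined": 2,
    "blocked_download": 2, "reported": -1,
}

def score_users(events):
    """Per-employee risk score: weighted sum of their events, floored at zero."""
    scores = defaultdict(int)
    for e in events:
        scores[e["user"]] += WEIGHTS.get(e["event"], 0)
    return {u: max(s, 0) for u, s in scores.items()}

def group_benchmark(events, key):
    """Cluster employees by an attribute ('dept', 'site') and return the
    average employee score per cluster, i.e. the benchmark for that group."""
    user_scores = score_users(events)
    members = defaultdict(set)
    for e in events:
        members[e[key]].add(e["user"])
    return {g: mean(user_scores[u] for u in us) for g, us in members.items()}

def prioritize(events, key="dept"):
    """Rank employees by risk, pairing each with their cluster's benchmark so
    the riskiest individuals (and how far they sit above their peers) come first."""
    user_scores = score_users(events)
    bench = group_benchmark(events, key)
    attr = {e["user"]: e[key] for e in events}
    ranked = sorted(user_scores, key=lambda u: user_scores[u], reverse=True)
    return [(u, user_scores[u], attr[u], bench[attr[u]]) for u in ranked]

if __name__ == "__main__":
    for user, score, dept, dept_avg in prioritize(EVENTS):
        print(f"{user:6} score={score} {dept} (dept avg {dept_avg})")
```

The ranked list is the input to the action plan: the top entries get contextual training and tighter controls first, while the group benchmarks show which departments or sites need a broader intervention.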

Solution No.3: Leverage technology.

Technology has provided assistance in the form of web-based platforms such as Dcoya with an API gateway that natively and seamlessly integrates with your existing security stack and workflows. Integrate such a solution to get access to predefined and configurable mail, web, and malware training and controls, as well as other benefits that allow you to develop a foolproof action plan.

Challenge No.5: Chronic shortage of resources at my disposal.

How to overcome the resource obstacle:

Solution No.1: Drive behavioral changes at scale. 

The best way to achieve this is by using a centralized and automatic human layer security platform that is based on AI/ML. This will allow you to reduce the number of people required for selecting and assigning courses, creating and curating content, following up with employees, and dealing with all other chores.

Solution No.2: Automation.

Introduce real-time employee training assisted by automated routine Q&A prompts. This allows you to gather detailed, real-time insights into employees’ cyber behavior skills and measure the effectiveness of training modules, while also removing the need for stressful testing after the training is complete.

Solution No.3: Content intelligence and knowledge base API. 

Leverage this to evaluate individual cyber behavior performance and engage employees with learning content and knowledge they can access whenever they want or need to. Such technology can segment your employees according to specific parameters, allowing you to design materials suitable for different groups and provide holistic and automated training. With it, you can also keep track of employee cyber behavior scores and course completion. Consequently, you will also improve personalized prediction scores.

Challenge… accepted!

Behavioral security challenges are all just part of the daily job of a CISO. But what separates a good CISO from the others is the way in which they manage to overcome these challenges as they’re thrown in their direction.

Many of the challenges can be resolved thanks to modern technology and behavioral science. When properly applied, they allow you to address challenges at an individual and subconscious level, measure potential cyber behavioral threats within your organization, and develop the best plan of defense with capable employees at your organization’s front line.

The more prepared you and your employees are, the better you can protect your organization against external threats trying to creep in. Here’s to never worrying about cyber behavioral challenges again!

Dcoya packs its personal cybersecurity programs into a single platform that is fully automated, centrally managed, and operational out-of-the-box.
