“Just stick to the checklist” – Cyber Resilience Debate Series - Day 3
18 Oct 2017
It’s day three of the Cyber Debate series. Today’s topic is about how quickly new threats arise and how little time we have to react to them. Not only do you have to keep up with the latest threats, but vitally, you need to keep your staff regularly trained and updated to help embed long-term behaviours. With that in mind, here’s today’s statement:
It has been argued that a checklist of safeguards is no longer sufficient for informing and maintaining Cyber resilience. What would be your advice for continually updating and training staff about Cyber resilience?
Let us know your thoughts!
1) Classify and group your workforce: it's unlikely that one size fits all, even in smaller organizations. Classify your workforce and group them into communities. This could be by function (finance, HR, legal, IT), or geography (APAC, EMEA, USA), or org structure (customer facing, back of house). The challenge is grouping staff by "their needs" without creating an overly complicated classification scheme.
2) Build and run targeted programs for each community: the Patterson Conner Commitment curve (Google this one) is one of the most powerful tools for designing and building effective programs. Learn this and use it. If your staff are unaware, start with awareness programs; if they're aware but not educated, build education programs...
In my experience the root cause of many failed programs, especially ITIL programs, is not following the Patterson Conner Commitment curve. You hear things like "I trained everyone in ITIL Foundation and it still failed..." Take a look at the curve: that doesn't get you to commitment! Ultimately, programs that track progress against the commitment curve and apply different approaches to ensure staff move up the curve are more likely to succeed.
3) Keep your programs fresh and relevant: you would think this is obvious, but how many boring and irrelevant InfoSec sessions have you endured over the years?
TIP: Ask yourself if you're communicating to your staff 7 times in 4 different ways. If you're communicating "1 time using 1 way" you're unlikely to succeed.
TIP: Avoid Fear, Uncertainty and Doubt. Mentally, people file ghost stories under fiction and are less likely to respond to the message.
TIP: Breach Exchange mailing lists provide daily bulletins on data breaches. These are free, timely and easy to add to your awareness programs. If you work in healthcare, for example, sharing the healthcare breaches you receive (as they are reported), with a covering note that explains what you’re doing to avoid this type of event, is simple and can be effective.
TIP: Question annual training. Why is annual the right frequency? Like most people, you probably went with annual as the default. Based on your community needs you may want lighter, more frequent communication. You may also want more detail, less frequently.
To answer the question posed: sure, checklists can be sufficient, for the right community with the appropriate level of commitment.
I must agree that a checklist of safeguards may be sufficient for a baseline, but such listings are hampered when integrating with a quickly evolving IT environment.
An efficient method for updating technical staff would be to establish a tracked online Cyber Round Table Web-ex (15 minutes, 30 minutes and 1 hour) that IT personnel must sign in to and attend at least 3-5 sessions a year, with at minimum one session from each time grouping.
This requirement would be in addition to the annual training requirements for IT personnel and staff, depending on their role.
The Cyber Roundtable would include, for example, 2 or more universities/companies that agree to host for that given year.
There will be a posting of the tentative topics quarterly by the hosting group.
Having such events will provide the opportunity for collaboration among like organizations and a better understanding that most industry-related issues are not confined to the four walls of their own organization.
That's great, Anthony Constantinou, appreciate your effort.