This is the second in a series of conversations between Nick Wilding and leading cyber resilience commentators and practitioners from around the world and also Nick's second discussion with Karoliina Ainge, head of Estonian cyber security policy.
In 2015 AXELOS launched its RESILIA Cyber Resilience Best Practice portfolio to help organizations address ‘the human factor’ in cyber resilience and to improve the understanding, awareness and behaviours of their people, from the most senior to the most junior members of staff. Nick spoke to Karoliina about RESILIA and how she thinks it enables the improvement of cyber resilience in people.
Nick Wilding: What are your impressions of the approach AXELOS is taking with RESILIA™?
Karoliina Ainge: I see it as a sensible approach; its focus on proven best practice, its coherence and the way it complements existing security standards and cyber frameworks will help its uptake. The people-centric focus is commendable. In fact, the way you engage with people is as important as the message and organizations need to adopt more effective ways of doing this.
Nick Wilding: In creating and developing RESILIA we have sought advice from experts, getting their insight on what is happening both in the boardroom and on the operational frontline. For example, we appreciate that business leaders respond well to storytelling and compelling narrative to connect to an issue and build understanding. That’s why we’ve published a cyber thriller – Whaling for Beginners – about a targeted cyber-attack on a CEO. The response to the story from senior executives has been very positive as they increasingly understand the impacts that a cyber-attack can have on their personal and professional reputations.
RESILIA is designed to address the critical ‘human factor’ in cyber resilience: it’s our own behaviours that can all too quickly open the door to cyber attackers. Do you think the human factor is treated seriously enough by nations or organizations?
Karoliina Ainge: It’s very human that people look to find the easiest way out of a problem. If they’ve got the money they can buy a new piece of kit and, sadly, we see organizations doing this without thinking about the human factor. We need to keep addressing the point that technology is no use if you don’t train your people to use it responsibly. Organizations are increasingly acknowledging this, but a lot more work needs to be done to bring about universal acceptance that the human factor is vitally important.
Nick Wilding: At a recent conference I heard a group of CISOs admit that the highest risk they face is their people and that it’s perhaps their most difficult challenge. This was refreshing to hear, but many organizations still believe their annual information security awareness training programme – typically one computer-based training exercise – is sufficient for providing their people with what they need to know. I would suggest this approach does little to influence, drive or measure new cyber resilient behaviours.
Nick Wilding: What do you think about the potential impact of companies’ suppliers and third party partners on cyber security?
Karoliina Ainge: It’s about managing inter-business relationships. When agreeing contracts, cyber needs to be part of it, just as product quality or delivery timescales are. This way, businesses can start off with a better understanding of what is expected on either side.
Nick Wilding: Cyber resilience is increasingly on the board agenda but what can we do to make a fundamental difference to effective corporate action in the boardroom?
Karoliina Ainge: It’s about setting values and the right tone. It’s a priority that needs to be handled with care. It needs drive to get companies there and tone from the top plays a very important role in building the right resilient culture within your organization.
Nick Wilding: We find that there is still much to be done to ensure that there is ownership, responsibility and insight in the boardroom. Any cyber resilience strategy must be linked to the business strategy and focus on the information and systems that fundamentally drive business success. You cannot protect everything so concentrate on where it matters most.
Our recent research with people in UK companies responsible for information security awareness learning has revealed that only about 30% think the awareness learning they provide is very effective and relevant – how big a problem do you think that is for companies?
Karoliina Ainge: I sympathize with companies who are unsure how to talk to their staff about cyber. In my previous roles I’ve felt the same uncertainty and, in the end, I made it up as I went along as I had nothing to refer to for advice and guidance. Often companies have had to make it up on the go when it comes to addressing these issues and talking about the best ways to behave and learn. Clearly, many do need help in knowing how to best achieve positive, sustained and measurable changes in their people’s behaviours.
In this way I think it’s commendable that RESILIA is offering a new approach by doing this in a much more engaging and coherent way.
Nick Wilding: We find that many organizations see information security awareness learning as a compliance requirement. They might be able to tick the boxes but does it help build learning and change behaviours? We believe organizations need to adopt a new approach – one that exploits the latest learning techniques, including games and simulations, to provide regular, immersive and short learning modules which allow their people to choose their preferred learning style.
Read the first part of Nick's conversation with Karoliina.