Despite most employees undergoing cybersecurity training, staff remain a persistent security vulnerability at many organisations. According to Proofpoint’s 2024 Voice of the CISO report, 74% of CISOs consider human error their organisation’s biggest cyber vulnerability. This is not necessarily the fault of leaders or individual employees but rather an indication of just how complex the cybersecurity landscape has become, and the monumental challenge CISOs face in keeping up with new threats targeting their people.
Matt Cooke, cybersecurity strategist at Proofpoint, explains the plight of the modern CISO and how organisations can turn employees into cybersecurity assets.
What persistent concerns are CISOs facing regarding staff interactions?
One thing that was consistent throughout the report was that the vast majority of CISOs are concerned about the risk that people pose to the organisation. It tells us that most CISOs are pretty comfortable with the things they can control – for example, the security basics such as patching and configuring systems.
The thing they can’t control is human behaviour and how we interact with some of the risks that we face on a daily basis. Those risks can be unknown. We don’t necessarily know what they are, and that’s part of the problem. We can’t then predict or control that behaviour.
Is that behaviour due to a lack of awareness or is it human error and complacency?
It’s hard to call it error because a mistake is something you know you shouldn’t have done. And I don’t think we always know that. Leaders are doing a really good job of trying to keep as many threats away from people as possible, but some threats will arrive in their inbox. People don’t necessarily know what the risks are of clicking on that link and putting in a username and password. What happens if a cybercriminal takes over an account? Do people know it could lead to a ransomware incident across the entire organisation?
One of the challenges organisations face is just helping people understand what the risks are. How do they educate them? How can they change the culture so that people feel more empowered?
AI is adding to risk complexity. What pressures are you seeing here for CISOs and security teams?
There’s a lot of thought going into this for CISOs and their teams at the moment. AI is fantastic, but it can present risks. If we start giving these new tools sensitive organisational information, we’re giving data away to companies that will then use that data to learn from and maybe even regurgitate that data in responses back to other people. From a data loss perspective, that’s a real challenge.
We’ve seen a lot of organisations now using data loss programmes within their business because organisations realise now that AI is one way that data is going to leak from their organisations. So they need to raise awareness and put some boundaries around that.
How has the relationship between CISOs, the rest of the C-suite and the board changed over the last few years?
It’s certainly got a lot better. The report this year highlights that 84% of CISOs say that they feel like they see eye to eye with the board now, and that’s up significantly over the last few years.
We saw a lot of CISOs being introduced into the board around the pandemic because organisations became remote and more digital. That presented lots of challenges – they needed someone to own those challenges and CISOs had to step up. In many cases, they’ve maintained that position and that relationship by now talking the language of the board. So instead of talking about protecting remote workers and phishing attacks, they’re talking about things the board wants to understand. What’s the impact on the operation of the business? What’s the potential financial impact of a cyber incident?
We see some really good examples where the CISO works with individual leaders to help them understand the risks for their area of the business. For example, speaking to the CMO about reputational risk. And then they actually play out those scenarios to understand the implications. This can make a huge difference because now you’ve ultimately got the buy-in and greater understanding across the whole of the board.
What about employees at a more junior level? How can cybersecurity training be made more impactful for them?
With security awareness programmes, one thing that comes out in the report is the focus on changing the culture. We know that a yearly one-size-fits-all security awareness training doesn’t work. What you really need to do is start changing the security culture of an organisation. And to do that, you do need senior support. The leaders need to lead by example. They need to help drive that change.
One of the core components of a cybersecurity training programme is ensuring education is hyper-relevant to individuals. To do that, individuals need to engage with the right type of content for them. It’s tailored to their demographic. It works in the format that they want to consume it. It might be a poster on the wall. It might be a short video that they can see on their phone on the way to work on the train. It might be that threat intelligence has identified they’re being targeted at the moment, and that individual is automatically enrolled in some of that training to heighten awareness. There’s a lot to change in culture, and it doesn’t happen overnight, but we see some really good examples led by the overall board, rather than just the CISO.
How does technology consolidation help support security?
CISOs are really challenged by consolidation because they’ve all grown up with different technology that solves individual problems. But we’re at the point now where CISOs are saying: ‘I’ve got all these different products trying to solve all these different departments’ problems and reduce risk for the business, but I’ve got all these people having to manage that’. That’s complexity. And we know now complexity is the enemy of security. We need these tools to talk to each other. We need them to be sharing intelligence.
Platform consolidation is a big focus area. It helps CISOs reduce the number of tools they have to manage, reduce vendor relationships and refocus skills. Instead of having one person per tool, you can focus on other initiatives within the security team.