Instilling a culture of cybersecurity will also entail proper training for all employees, not just IT
and security staff. It’s important to note that DoD’s requirements are applicable to contractors.
This raises another concern for IT executives working for a commercial company: Does your
organization hold the independent contractors providing services to your company to the same
standards as your own employees? Are they forced to comply and meet the same cyber
requirements and security awareness standards?
Improving Employee Security Awareness: An Example
Let’s revisit the problem of phishing. Several cost-effective tools exist today that allow you to
routinely phish everyone within your organization. Conducting phishing campaigns against your
own employees – and contractors – will allow you to consistently reinforce the importance of
security by educating the right people at the right time and by applying targeted training that
changes employee behavior.
As phishing attacks become increasingly sophisticated and highly targeted, an anti-phishing
program is a good first step – but that is all it is. It should be coupled with training on how to
prevent phishing attacks and the mandatory reporting of suspected phishing emails to your
security team. To be effective, anti-phishing learning objectives must be part of your overall
security awareness training program.
You can then benchmark your phishing results, identify and track your repeat offenders for
additional training, and demonstrate the impact of your awareness training with detailed metrics
on risk exposure. Reporting capabilities from these tools will allow you to identify susceptible
users by tracking individual behavior, system information, and other related data, and then
determine future assessment and targeted training needs.
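The benchmarking described above, as an added example that is not from the article or any particular tool: it takes simulated-phish results (constructed sample records with an assumed `action` field; real tools export their own schemas) and computes per-campaign click and report rates, repeat clickers for targeted training, and per-department exposure.

```python
from collections import defaultdict

# Constructed sample data (not from the article): one record per simulated phish sent.
# action: "none", "clicked", "reported", or "clicked_then_reported" (assumed schema).
CAMPAIGN_RESULTS = [
    {"campaign": "2017-Q1", "user": "alice", "dept": "finance", "action": "clicked"},
    {"campaign": "2017-Q1", "user": "bob", "dept": "it", "action": "reported"},
    {"campaign": "2017-Q1", "user": "carol", "dept": "hr", "action": "none"},
    {"campaign": "2017-Q1", "user": "dave", "dept": "finance", "action": "clicked_then_reported"},
    {"campaign": "2017-Q2", "user": "alice", "dept": "finance", "action": "clicked"},
    {"campaign": "2017-Q2", "user": "bob", "dept": "it", "action": "reported"},
    {"campaign": "2017-Q2", "user": "carol", "dept": "hr", "action": "reported"},
    {"campaign": "2017-Q2", "user": "dave", "dept": "finance", "action": "none"},
    {"campaign": "2017-Q2", "user": "erin", "dept": "sales", "action": "clicked"},
]

def campaign_metrics(results):
    """Per-campaign click rate and report rate, as fractions of recipients."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in results:
        sent[r["campaign"]] += 1
        if r["action"].startswith("clicked"):
            clicked[r["campaign"]] += 1
        if r["action"].endswith("reported"):   # counts clicked_then_reported too
            reported[r["campaign"]] += 1
    return {c: {"sent": sent[c],
                "click_rate": round(clicked[c] / sent[c], 3),
                "report_rate": round(reported[c] / sent[c], 3)} for c in sent}

def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns: targeted-training candidates."""
    clicks = defaultdict(set)
    for r in results:
        if r["action"].startswith("clicked"):
            clicks[r["user"]].add(r["campaign"])
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_clicks)

def department_exposure(results, campaign):
    """Click rate per department for one campaign, to direct follow-up training."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for r in results:
        if r["campaign"] != campaign:
            continue
        sent[r["dept"]] += 1
        if r["action"].startswith("clicked"):
            clicked[r["dept"]] += 1
    return {d: round(clicked[d] / sent[d], 3) for d in sent}

if __name__ == "__main__":
    print(campaign_metrics(CAMPAIGN_RESULTS))
    print(repeat_clickers(CAMPAIGN_RESULTS))
    print(department_exposure(CAMPAIGN_RESULTS, "2017-Q2"))
```

Comparing click_rate and report_rate across campaigns is the trend worth tracking: a falling click rate with a rising report rate is the behavior change the training is meant to produce.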
Solving the Cybersecurity Skills Gap: Some Proposals
In addition to adopting DoD’s approach to cyberspace workforce management, here are a few
proposals for addressing the cybersecurity talent shortage and ensuring you have the qualified
and experienced resources necessary to effectively manage your security infrastructure and
program. They include organic efforts like:
• Improved education and training, e.g., the implementation and funding of a corporate
continuous education program;
• Innovative hiring, e.g., encouraging individuals in other departments to pursue
cybersecurity careers even if their primary tech specialty lies somewhere else; and,
• Investment in existing IT teams to help solve the skills gap.
Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide