On the subject of awareness, as with anything, you’re only as strong as your weakest link. An organisation can put in place the best security policies, for example, but if staff don’t adhere to them, it will remain exposed.

In order to overcome this, you must educate the wider company in an effective and straightforward manner. In-house security teams have infinitely more knowledge than the rest of the business and can be leveraged for this task. When designing your own training, it’s important not to overwhelm colleagues. Instead, show practical examples of the threats a person will face in their specific role and what they can do about it, such as top tips to spot a phishing attack. Make it completely relevant and completely actionable; this isn’t a theoretical subject! For their part, security teams also have a lot to learn about the wider business, so it’s important to establish two-way communications with colleagues in other departments.
Marketing also needs to be taken into consideration here, namely how the company views security in general. Is it seen as a hindrance – is security the ‘no’ department? This is where the delivery of key messages is important. For example, instead of just focusing on the work involved in protecting information, ask them to balance that effort against the cost, impact and disruption of dealing with a potential breach. Much like home or car insurance, investing in protecting something now can be worth it in the long term.
An encouraging career
As well as focusing internally, it’s important the industry looks to the external world. One thing a company can do is encourage as many staff
as possible to consider a career in cybersecurity; hiring from within and training someone up can be really cost-effective and encourages retention. A part of this encouragement includes considering what sort of image the industry is projecting. Bringing in people from diverse backgrounds not only helps to plug the skills gap, but brings fresh ideas and new perspectives to the industry, which can only be a good thing. But how can we expect to attract a more diverse pool of talent if the most common thing they associate with security is a scruffy young man in a hoodie? Hiring people that have skills in marketing or PR can help improve understanding in the company (and the wider community) of what sorts of people already have a career in information security, in turn attracting more diverse talent.

When looking at candidates, don’t always focus on finding that one perfect person who has everything the company needs. For companies with larger budgets, focus on hiring a couple of people who can cover off the skills and experience they need between them; consider flexible working and job sharing. Those with a smaller budget, especially, shouldn’t hold out for the ‘unicorn’ candidate who ticks every box. Unicorns are expensive (if they even exist…). Instead, think about what is vital to the business and work on developing the rest while they’re in the job. Once a person is hired, give them the time and autonomy to work and grow in confidence in the role to ensure they stick around.
Outside of the work the industry can do, the public sector should also help from an educational perspective by

Issue 23 | www.intelligentciso.com