Are Training and Certificates Improving Security?

Speaking at Infosecurity Europe, Munawar Valji, CISO of Trainline, Dr Emma Philpott, CEO at the IASME Consortium, and Helen Rabe, CISO at the BBC, were asked if there is an over-reliance on security certifications. The panel agreed there are benefits, but processes designed to satisfy auditors or insurers can result in a less innovative and diverse workforce and can lead organizations to do the bare minimum required to achieve certification rather than to improve security.

“It can be time consuming and cumbersome to maintain,” says Rabe. “You have to figure out if controls are no longer relevant. It is not necessarily about certificates but obtaining the right outcomes,” Valji explained. 

In a separate panel, Charlie Sinclair, cyber security senior awareness and engagement manager at Unilever, and Tim Ward, CEO and co-founder at ThinkCyber, explained Nudge Theory, which uses easy, attractive, social and timely techniques to incentivize employees, rather than punishing them for mistakes, so that they avoid risky behavior and improve overall security.

According to Ward, as many as 80% of security issues can come from just 10% of users. Sinclair pointed out that those users are usually “disconnected” from security issues, and they make mistakes and don’t tell anyone. “You need to focus on the psychology and how it works. You have to accept that humans bring risk and understand how to tackle that risk,” he said.

Willy Leichter, VP of Marketing, Cyware had this to say:

“Compliance requirements have been a major factor in making many organizations take security more seriously, but the typical check-box training program is out of date and inadequate. Rather than relying on online courses, real-world tests like mock phishing emails are more effective and impactful for users. But security teams can’t rely on training to keep them out of trouble – we have to assume there will always be susceptible users and design security that is resilient to insider mistakes.”

This kind of reminds me of the early 2000s, when everyone had an MCSE, but few people actually knew anything related to said MCSE. But employers would hire them anyway simply because they had the certification. Given how high the stakes are when it comes to cybersecurity, we can’t afford to go back to those days because too much is on the line.
