Roger Halbheer, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics

Microsoft Security: 6 tips for enabling people-centric cybersecurity with security training
http://approjects.co.za/?big=en-us/security/blog/2020/09/24/microsoft-security-6-tips-centric-cybersecurity-security-training/
Thu, 24 Sep 2020 16:00:56 +0000

Get actionable insights for empowering frontline workers as part of a robust cybersecurity solution.

The post Microsoft Security: 6 tips for enabling people-centric cybersecurity with security training appeared first on Microsoft Security Blog.

Everyone knows about phishing scams, and most of us think we’re too smart to take the bait. Our confidence often reaches superhero levels when we’re logged onto a company network. As Chief Security Advisor for Microsoft, and previously at telco Swisscom, it’s my business to understand how well employees adapt security training into their daily routines. Years of experience have taught me there are commonalities in human behavior that cut across all levels of an organization. Above all, people want to trust the company they work for and the communications they receive. It’s our task to help them understand that yes, their employer is looking out for them, but they also need to be vigilant to protect themselves and their company’s private data.

Tip #1: Make it fun. That means creating training modules that people will actually want to watch. Think of your favorite TV shows. There’s a reason you want to binge every episode. You care about the characters, or you’re at least interested in how their dilemmas work out. A good example is the Fox TV show 24; every episode was one hour in an unfolding storyline with high stakes. Your training program doesn’t need life-or-death consequences, but it should give people a reason to watch beyond just checking a box for compliance.

Tip #2: Make it easy. Your end user is your customer, so you need their buy-in. When investigating new security solutions, I ask: “Could you explain how this works to my mother in thirty minutes or less?” If not, it’s probably not a user-friendly solution. Asking people to create a password with 20 characters consisting of random symbols, cases, and numbers (that they shouldn’t write down) is not easy. For a better option, try passwordless authentication options for Azure Active Directory. If your organization has Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities, you can employ Attack Simulator in the Security & Compliance Center to run realistic scenarios. These simulated attacks can help you easily identify vulnerable users before a real attacker comes knocking.

Tip #3: Focus on your highest risk. Nearly one in three security breaches starts with a phishing attack, costing the affected organization an average of USD 1.4 million. Even after security training, employees still click on phishing links at an average rate of 20 to 30 percent. With the rise in people working from home, new forms, such as consent phishing, have cropped up to take advantage of new vulnerabilities. Direct your resources to where the people in your organization can see the risk is real, and you’ll generate positive engagement.

Tip #4: Be transparent about breaches. No organization can claim 100 percent invulnerability. Let people know they are the first line of defense. Communicating with staff when a successful attack occurs will help them remain alert. It’s okay to provide examples as long as you don’t reveal so much information that it’s obvious who clicked on that fake Zoom invitation. Be careful not to treat employees like children. They need to own their own actions, but shaming won’t make your organization safer.

Tip #5: Avoid a compliance-only mindset. Yes, that once-a-year cybersecurity training your people dutifully click through meets the organizational requirement. But gaining employee buy-in means doing more than just checking the box. Schedule a refresher course after a breach, even if the victim happens to be another company. Creating a security program that’s fun and engaging will probably cost more, but ask yourself how high the costs of downtime and lost productivity from a major breach would run. Better to invest those funds in protection upfront.

Tip #6: Communicate and educate continuously. Make security news part of your normal staff communications. Talk to your people about the headline-making hacks that target large corporations and government agencies, as well as the smaller identity theft and payment-app scams we all contend with. Talk about supply chain security and the dangers of using unauthorized devices and shadow IT. Cybersecurity threats can feel overwhelming and scary. Communication helps demystify those threats and makes employees feel empowered to protect themselves and their organizations.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Perspectives of a former CISO: Disrupted security in digitalization
http://approjects.co.za/?big=en-us/security/blog/2018/07/02/perspectives-of-a-former-ciso-disrupted-security-in-digitalization/
Mon, 02 Jul 2018 16:00:27 +0000

My passion is the connection of security to the business objectives, and it has been a part of my work with many CISOs across industries as well as my experience as a CISO. This blog series is a compilation of my learnings as a CISO, as well as learnings from peers and customers who are actively […]

The post Perspectives of a former CISO: Disrupted security in digitalization appeared first on Microsoft Security Blog.

My passion is the connection of security to the business objectives, and it has been a part of my work with many CISOs across industries as well as my experience as a CISO. This blog series is a compilation of my learnings as a CISO, as well as learnings from peers and customers who are actively working to figure out how to best align security organizations with their business. This first blog will cover why it is so critical for a security organization to shake off a pure compliance mindset and instead focus closely on aligning with the business of the organization through a clear risk-based approach.

It is not news that the world has changed in the last two decades through digital transformation, and the requirements for security have changed with it. Initially, security was mainly focused on protecting the network and building virtual walls around the digital assets of a company. The fast evolution of mobile technology, globalization, and digitalization has disrupted standard assumptions for business; businesses are transforming to adapt, and security needs to be in lockstep or, better yet, lead this journey. The world is not what it used to be; it looks more like the graphic below:

Security must be closely aligned to the business it serves and protect it against attacks by the criminal groups working on the Internet. Crime went digital: from vandalism to classical crime to nation states. The business, on the other hand, gets disrupted and must change at a speed never seen before. This is where security needs to be.

Security must enable the business transformation and ensure acceptable business risks. This is a non-negotiable truth as security’s sole purpose of existence is to protect the organization that employs it. This is more difficult than it sounds because security started as a purely technical discipline with a common belief that success was achieved in compliance with standards. Many organizations are on the journey of shifting this mindset to a risk-based approach and a deep alignment with their business counterparts. This is a major shift for the security organization as it requires major cultural changes, different priorities, changing of processes and habits, as well as technology changes. I have seen a lot of security people “hiding” behind their policies instead of helping the business to be successful. This is not solving any problems in today’s world.

Regardless of your industry, compliance does not bring security – good security brings compliance. Success in security is all about running a reasonable risk management and risk mitigation program, which is leveraged and often even driven by the business leaders, and which clears the way for the business to be successful in a frequently hostile environment.

Chief Security Officers must re-think what they do, re-think the way they look at the world, and constantly try to disrupt themselves. I recognize that this is something people in security are typically not good at, as most of us have been taught risk avoidance throughout our careers (sound familiar?).

Disruptive changes require going against this nature and taking risks where the outcome is uncertain. While this is uncomfortable, it is critically important for our future success.

Looking at it from a more outward view, the CSO has different constituencies to satisfy:

  • Top-Management: The top management wants to understand their key cyber risks, what they need to do about them, and whether they are investing the right amount in the right places. “Key risk” means a risk comparable to the other business risks they must deal with. CSOs need to keep this in mind: the CEO has a lot of business risks on his/her table, and the cyber risks have to be aligned with them. Typically, as a rule of thumb, we might speak of 5 to 8 risks where the CSO needs to see action and support by the CEO and the board.
  • Employees: Looking at the employees, security needs to enable them to run their business successfully and with acceptable risks. It is not about security or productivity; we talk about security AND productivity.
  • Customers/partners: Obviously, customers and partners have a certain expectation about what the supplier does with their data and how it is protected. This is not “only” compliance with data protection regulations, but about gaining trust.
  • Regulator: Regulators are heavily challenged by today’s situation. Rules which were valid a few years ago do not apply anymore. New definitions of sovereignty need to be developed. Modern technologies suddenly change the rules of the game as it was known. Most regulators need help, and they want to listen to the industry if the discussion happens with mutual respect.
  • Security Community: The security community is often ignored by companies, which can lead to rather dramatic security challenges. Think about what happens if somebody finds a vulnerability in an infrastructure and wants to responsibly disclose this vulnerability to the security organization. How do they find the right people and process? How are they dealt with?

Security needs to be re-thought, and certain base assumptions need to be disrupted. Progressing digitalization, as well as emerging technologies, will challenge these thoughts again, and security functions will be constantly forced to look for new and creative ways to support the business. Our stakeholders are moving fast, and so must we. We need to move toward a DevOps-style approach and align closely with the fast-moving criminal landscape, the fast-moving technology, and the fast-moving business.

For more information
