Cyber Risk and the Board: Support Fuels Cyber Awareness Training 

Cyber risk was a key consideration when a major global telecommunications provider first developed plans for a cloud-native 5G network offering, so the company built security into the project’s architecture from the start. But the high- profile business venture, which required ongoing collaboration with external partners using virtual private networks, created an additional layer of risk. 

“We knew the bad actors would be watching, and we would be a big target for them,” said the company’s senior engineer of information security. Indeed, as the security team anticipated, there was a subsequent spike in social engineering attacks targeting employees and senior leaders.

Thus far, though, the company has stayed out of the cyber breach headlines, thanks in large part to commitments from the company’s CEO and board of directors to support cybersecurity awareness training. “When we have a situation like this, we make sure the CEO and board understands the architecture landscape and the risks we have to manage so that they are 100% on board,” said the security engineer, who leads awareness and training for 30,000 employees across the telecom company’s multiple lines of business.

Despite Its Limited Expertise, the Board’s Security Training Support Made a Difference

The company’s board has limited cybersecurity expertise. The CISO’s monthly updates, occasional walkthroughs of infosec workforce competencies, and proactive explanations of how the telecom protects itself against breaches publicized at other companies serve both to educate board members and foster trust in the security team’s assessment of needed investments. So, when the CISO suggested increasing cybersecurity awareness training to bolster defenses against phishing attacks, the board approved. “They are strongly supportive, from the chairman to our CEO, who is one of our biggest ambassadors for security awareness training,” says the security engineer, who works hand-in-hand with the CISO providing information to senior leaders. “He’s the first one to jump in when talking about the importance of security awareness training and carry that message forward.”

That enthusiasm for cybersecurity awareness training aligns with results of a Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook, a report which found that as the volume of phishing and other email-borne attacks have increased in recent years, so too has C-suite support of cybersecurity awareness training. In-depth interviews with 78 business and security leaders in 13 countries about perceptions of cyber risk at the C-suite and board level indicated that corporate leaders increasingly recognize the need to create a cyber-aware culture to strengthen their security postures. The survey also underscored the importance of board-level commitment to sustaining that focus.

Speaking the Board’s Language: Data and Risk

Strong C-suite and board support for cyber awareness training specifically — and cybersecurity priorities generally — rarely emerges in a vacuum. CISOs and their teams build these relationships over time, putting in work to educate, inform, and persuade at regular board and executive meetings, within cyber and business risk subcommittees, and though informal interactions with decision makers.

At the telecom company, regular cybersecurity updates are embedded into management and board meetings to keep everyone current on threats, trends, and overall cybersecurity performance. The CISO and his team focus their communication on the two things the board cares about: risk and metrics. “Those are the things they can relate to, and that’s how you get their endorsement,” says the security engineer. “It instills belief in the team they’ve got and the information we provide, so there’s a willingness to invest.”

Targeting Cyber Awareness Weak Spots

Each month, the company’s CISO delivers updates to the board on the performance of phishing awareness programs and training campaigns as well as details on any recent attacks, policy violations, or human errors. Once a quarter, in meetings that include the heads of all business units, the CISO reports specific results, including phishing click rates at the enterprise and business-unit level. The best-performing business units may have a better click rate of around 1% or 2%, while 15% or more of employees in another unit are clicking on malicious links.

Because of these regular updates, there’s little resistance to putting remediation plans into action. Any business unit above the company’s target click rate threshold is enrolled in a 12-week cybersecurity awareness training program to provide additional support to increase awareness on topics like ransomware, phishing, and impersonation fraud, followed up by surprise testing using de-weaponized attacks. If user risk scoring identifies frequent offenders, those employees must participate in more intensive on-on-one coaching.

Employees at the telecom company embrace training and assimilate what they’ve learned into their digital behaviors in greater numbers than companies where the security engineer worked previously. “The user acceptance level is maximum, primarily because of the cybersecurity culture that has been created through the efforts of our senior leaders,” he says. “They will bring up these issues during their standup meetings. They understand that security is everyone’s responsibility, and that’s the message from the top.”

"They understand that security is everyone’s responsibility, and that’s the message from the top.”

Communicating the Value of Cyber Awareness

Still, changing human behavior isn’t easy. Cyber awareness training and remediation efforts take time to yield results compared to, say, the implementation of an email gateway or data encryption program. “There are a couple of instances where it took us longer to deliver [the improvements] we promised because it’s a behavioral change rather than an operational or procedural change,” says the security engineer. “Those conversations [with the board and senior leaders] are never easy.”

Cybersecurity awareness training is always a moving target. There’s turnover and new hiring to consider. The company has grown by 6,000 employees since the security engineer took over awareness training program two years ago. 

The ROI of behavioral change — essentially avoiding a negative outcome — can be hard to nail down, as well. Real-time demonstrations of what would happen in the event of an attack or of workforce competency in detecting malicious links help to showcase the value of the cyber awareness training investments. 

The CISO also harnesses board interest in the latest publicized security breaches, dedicating time to discuss incidents in the news and the factors that contributed to them to illustrate the value of the security function’s efforts. “It’s a great opportunity to secure their buy-in and say, this is what we need to do to stay on top of things and not be in the news for the wrong reason,” the security engineer says.

The board has approved the security team’s awareness training budgets each year, in line with both hiring growth and expanding threat vectors. “Bad actors have gone far beyond traditional email attacks to smishing and vishing, which helps us get funding for new services,” he says. “But it all goes back to having senior leadership that advocates for security. If you have that, you’re in a fairly good spot.”

The Bottom Line

The experience of this global telecom company is a testament to the impact that an engaged and active board and support from the C-suite can have on a company’s cybersecurity awareness and overall security posture. Frequent and targeted communication on the evolving threat landscape, with a focus on the human vulnerabilities that bad actors seek out, helps sustain support and funding for cybersecurity awareness training programs.

Read more in Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook.