Every society has a set of rules and norms where every single member of such society is expected to follow. I remember as a kid in Chicago when every morning I was told to do the Pledge of Allegiance right before my first class. Later on, I was indoctrinated into the Christian belief of Catholicism by going to classes on Sundays and receive the different ceremonies that Catholics believe in. Later on, on the weekends to have faith that the Cubs would one day win the World Series which they did. It paid off.
Cybersecurity should be no different.
I read a lot of status reports and the state of cyber resilience and how this information needs to be shared and how the C-Suites (top management) have to understand the business impact of not following proper cybersecurity risks assessments. In my experience, we are preaching to the wrong audience when it comes to providing proper cybersecurity advice.
In essence, cybersecurity is closer to regular folks than anyone cares to think. In my post “What is Cybersecurity?” I analyze its etymology and definition which is “to secure and protect what is being steered and governed”. It literally means “to secure the information and to protect the assets that create such information.”
Information has always been and will always be an intangible asset. We knew this way before computers and electronic boards. We know when something is a secret for which we have two choices to do with this information: we either keep it safe or make it public.
How we protect this information will determine how long can it be kept a secret. Our challenge as humans is to choose where to put this information besides our brain. Remembering all the details of something that we don’t often use or do isn’t an easy task, therefore if you are like me, we write it down.
The beginnings of my indoctrination
In my case, I have two version of my life: before the smartphone and after the smartphone. Before the advent of the smartphone, I wrote down my appointments, tasks and every life detail in a little notebook, which I carried with me all the time. Then came the BlackBerry and I transferred all this information to the device. That way, if I forget something I could refer back to it with a simple search and also because the BlackBerry taught me to secure my information with a password. I felt it was secured. Anyone could open my little notebook and see my notes, but not my BlackBerry.
Now, and after several BlackBerrys, Palm Pilots, iPhones, and Androids later I still do this. I have everything on my device synced to the cloud and my laptop. Because now is not only about forgetting, but also about making sure that I don’t lose this information. If I lose my smartphone, I still have access to my data, thanks to the cloud and again, everything is protected by not only a password but also with a Two-factor authentication.
I was indoctrinated from the very beginning to secure my digital information, thanks to BlackBerry and now I never walk around with an unprotected device.
Years ago I helped to indoctrinate my parents, relatives and my wife with how to secure a device and never walk around with it unprotected because they know that if they do, anyone can see their secrets.
This is how you begin advising others on how to “to secure the information and to protect the assets that create such information.”
How to indoctrinate your company
There are two ways to see this when it comes to training people in your company. First, is your company highly regulated by the government? If your answer is Yes, then you have an edge here. Let me explain.
An example of a highly regulated industry is the Health sector. This sector has several industries, which one of them happens to be the Pharmaceutical industry, where I use to work at. I use to manage a division in IT for a Fortune 500 company regulated by the federal government, specifically, the FDA, DEA, and Health Department and their counterparts from Europe, Middle East, and Asia.
Yes, that’s a lot of regulators! And each one with their own regulations.
The way we leveraged to indoctrinate all (100%) of computer users in the company was by implementing an Identity Management program. Part of the program was to train all computer users on how to protect their identities while using a computer.
We did this by creating a Standard Operating Procedure (SOP) which required every person with a computer access ID to be trained by the IT Department on how to protect their virtual Identity while working and while online. If they didn’t take this training, then they couldn’t access a computer and therefore, no job. This included top management as well, no excuses and no negotiations out of this one.
It seems harsh, but it worked. This training was part of their curriculum training to perform on the job and the HR department made sure that this was included in their employee’s record. Like any other SOP, every time there was a revision, all 100% of employees were required to be retrained.
All of this was possible because there was a structure in place and a willingness to do what was right. From the very beginning, every single employee saw how serious we were with the Identity Management program and everyone from top management down to every single computer user, made sure that everyone was in compliance with the program. This is proof of how indoctrinated we were as a company culture.
A second way to indoctrinate in your company is when you are not a highly regulated company, and usually, the lack of visibility and monitoring from the regulatory agencies creates a certain lack of accountability on cybersecurity training on the personnel working in the company.
In this case, you need to have the initiative and willingness to speak up to your supervisor(s) and top management by creating a similar program and start negotiating what can or can’t be done. Trust me, anything you can teach the employees is better than no awareness of how to protect the information and assets in the company.
Read “How To Excel in Cybersecurity”, where I explain how I did a similar proposal, without even been a full-time employee for one of the largest newspaper conglomerate corporation.
Every report says to teach computer users on being accountable, and for cybersecurity specialists to be resilient, but no one says “how” to do this and is not just the purpose of the program but the “how” that will determine if a program will succeed or not.
What about your company? Do they at least offer any training on how to protect your identity?
by Edgar Vera, MS Cybersecurity