Victoria Van-Roosmalen, Chief Information Security Officer at Coosto
As security budgets grow, organisations are investing heavily in more robust defence mechanisms. As breaches continue to grow in number and sophistication, it is imperative that companies keep up with technology and its implementation.
We interviewed Victoria Van-Roosmalen, Chief Information Security Officer at Coosto, and dug into the impact of human error. She also shared what leaders can do to improve employee cyber behaviour within an organisation. Ultimately, reducing human error makes for a more resilient organisation, and here is why.
Why security should be a business-wide issue
Victoria explained that security doesn’t exist on its own: unless you are a security company, your business doesn’t revolve around security. The aim is to keep your business sufficiently secure whilst supporting growth.
This requires a deep understanding of the business itself, the environment it sits in and its goals. Only then can you truly identify and manage the risks that prevent those goals from being achieved.
By treating security as an IT problem we fail to understand the risks that truly matter, which is a waste of time and energy.
Pay attention to human error
People are the biggest threat, as they have access to your corporate data and intellectual property, and to others’ personal data. It is important to understand that systems and technologies are just means to achieve a certain goal. They are tools; the threat lies not in the tools themselves but in how you use them.
Typical threats caused by human error
The most common is a breach of anything valuable, e.g. data, largely caused by a lack of awareness of the consequences of our actions or inaction. This ranges from clicking on malicious links or connecting to unknown devices to carelessly providing information to the wrong person. Someone may think they are being helpful by sending information to someone who isn’t authorised to receive it. Poor access management is also common, whereby people are given more access to systems and data than they need.
Another example is neglecting software updates. They can be annoying and time consuming, but it is important to install them.
How to avoid those scenarios
Awareness is KEY.
There is no one-size-fits-all solution. An awareness training programme needs to be tailored, one that people relate to and that gets them actively thinking, not a passive lecture in which people aren’t engaged.
Ideally you want to put together people who perform similar tasks and get them to evaluate situations, have open discussions about the threats, and learn how those threats affect their daily work. It is important to create a sense of community so as to avoid deferring responsibility to IT teams.
Build a sense of community to encourage the formation of a resilient organisation
Victoria explains that the secret to creating a resilient organisation is to cultivate a truly safe environment, and that isn’t about IT security. The aim should be to encourage people to work together and to feel safe to speak up if they suspect a problem they don’t know how to deal with. Leaders should facilitate an environment where people feel comfortable enough to do so without fear of criticism.
A CISO should lead by example by putting themselves out there, asking questions and encouraging learning from other people. This creates a solid foundation for when there is an incident: people won’t waste time dealing with typical human issues like critical battles, turf wars or employees feeling personally attacked. It is important to create an environment of collaboration and empowerment, promoting a sense of security so that any situation can be handled.
What are your thoughts on shifting the focus to reduce security threats? Our next summit will cover this topic in October with the CISOs from WHSmith, Cycloon and Dominos.