ESG's Jon Oltsik and Christina Richmond discuss recent ESG research on cybersecurity awareness training.
Christina: Hi there, folks. I'm Christina Richmond. I'm ESG's principal analyst covering cybersecurity services. And I am joined today by Jon Oltsik, who is a senior principal analyst and ESG fellow. Welcome.
Jon: Thank you, Christina. Nice to be here.
Christina: I'm so glad you joined me for this. We're going to talk about security awareness training today.
Jon: Good topic.
Christina: Something I think you know a lot about?
Christina: So, you know, in my recent study on security services, 45% of the respondents said that they are definitely engaging in cybersecurity awareness training. In the ISSA Life and Times study that you did, you also had some data on that. Isn't that right?
Jon: Yeah, we found that 48% of organizations had had a security incident within the last two years and we asked them, "Well, what was the cause of this?" And the top reason, 34% said it was a lack of employee training on cybersecurity. So they're being trained or they're not being trained. It's really somewhat unclear.
Christina: You know, it's interesting, also, we had a digital worker study that came out, gosh, a couple of weeks ago. And they said that one in five respondents said that they had a cyberattack, but slightly more than a third received training. So there's an obvious correlation between the attack and lack of training.
Jon: Yes. Employees are often the root cause, you know, with phishing attacks and business email compromise. It's fairly easy to social engineer someone who may even have the training but is just not looking for the attacker or not aware of what the attacker does.
Christina: Right. But then why do we find that cybersecurity awareness training is not always as effective as it could be? So for example, in my services study, it was the second to the bottom in effectiveness in a list of like 15 services. So is it just that it's a tick-the-box exercise?
Jon: Exactly. At least that's my perspective. That's it. It's required for governance purposes, it's required for compliance, or maybe a third party has asked you to train your people. So if you think of it as a checkbox exercise, you're not going to take it seriously.
It's not in your culture that cybersecurity is important. It's just something you push your employees to do, and it's ineffective.
Christina: Right. And then I also think that employees are...they're already busy enough. They have enough responsibilities, they don't want to be the cyber expert. So how do we get around that? Is there a way that executive teams can make it more of an important task?
Jon: Yeah. When I started my career, lo these many years ago, I worked at a company named EMC and there was a sales culture. And I remember the CEO, Dick Egan, walking around saying, "Everyone's in sales." Well, it's the same thing. Everyone's in cybersecurity.
And so it has to start from the CEO down and it has to be in the culture. The CEO has to act as a cheerleader and encourage people to do this. And there has to be some accountability for when it doesn't work as well as it could.
Christina: Right. So my question is, if we do the training, and we have our executive teams putting the wood behind that arrow, is it going to make a big difference? And the reason I ask that is because in the most recent digital worker study, 81% said they felt ready to deal with security situations when they've had the training.
And I wonder if that's overconfidence.
Jon: There's probably some of that, but if you have to do this anyway, you may as well do it right. Especially in this environment of so many cyberattacks, sophisticated cyberattacks, social engineering attacks. And what we should do is test our people. So they may be confident. But let's send them that synthetic phishing attack and see if they open up an email attachment or click on a link.
And then if they do, we can reinforce the training.
Christina: And don't you think it should be iterative, it should be continuous? I mean, if it's just a tick-the-box compliance exercise, it's not going to be as effective. If you have a plan, and you know where you're going with it, and you've got the board and the executive team buy-in, and you do it on a continuous basis, maybe that can raise the bar to that 81% saying, "You know, we've got this, we're not going to get attacked."
Jon: Yeah, I mean, there's plenty of research, historical research, on the retention rate of training. And it's always that there's a pretty good level of retention and then a steep drop-off. So it has to be iterative. We have to make people feel part of the process, part of the solution. And if you do so, then they'll be more appreciative of the training instead of resentful of the training.
Christina: Right, you bring up a good point, really bringing everyone into the security conundrum, if you will, and making sure that they understand the importance of it, right?
Jon: It is. Like, you wouldn't open the door to a stranger and let them into your office. It's the same thing. It's just the digital equivalent. And therefore, we just have to teach people, maybe put it in the language that they understand. But we have to do that. And you're absolutely right, we have to reinforce that all the time.
Christina: So I think what we've come up with here is that there's a lot of data that may seem counterintuitive, but really, it's a necessary thing. It's a nice-to-have, but it's also a must-have. But it has to be done right, it has to be done in an iterative fashion, it has to have executive buy-in, and it needs to include employees in what matters and why it's important.
Jon: Yeah, it's a long time ago that we realized that compliance doesn't equal security, right?
Christina: Right. Right.
Jon: And we have to do the same thing with training.
Christina: Yeah, agreed. Well, thanks so much for joining us. If you'd like to learn more about security awareness training, please read the brief that Jon Oltsik and I have written and we'd love to hear from you.