In this installment of FinTech Conversations, Advisor360° Chief Information Security Officer (CISO) Alex Cunningham and Mukund Ravipaty, CISO of Commonwealth Financial Network, talk about the challenge of championing adherence to cybersecurity best practices and celebrating security successes in ways that keep employees engaged and alert.
Alex Cunningham: One of the challenges that those of us charged with leading and enforcing our organizations’ cybersecurity programs have is that we’re often repeating the same message—use strong passwords, use multi-factor authentication, don’t click on suspicious links, report suspicious emails, etc. At this point, most people “get it.” They know the language and they have some understanding that cybersecurity is a daily threat. In many respects, we’ve moved our focus from education to continually raising awareness about the need for vigilance and the value of being cyber-aware all the time.
But how do we do this? When it comes to cybersecurity, there is no end state—the threat of a data breach or attack is constant and we need to be creative to avoid our users switching off and ignoring our messages.
Mukund Ravipaty: I agree. We need to find new ways of keeping people engaged in being the first line of defense, our organizational “cyber-guardians,” so to speak, because otherwise we’ll lose them.
The traditional methods of driving this home—basically beating people down with a barrage of messages that convey they’re doing something wrong and are going to be punished—don’t work. We can’t alienate people; we need to draw them in.
We can do this by rewarding good behaviors, providing more context, and showing that we’re here as their partner. At the end of the day, everyone in the organization plays a role in the first line of defense against cyber threats. The information security folks lead these efforts, but we need to bring our staff along with us. We need to build up our cyber-guardians and find ways to remind them of the importance of their front line position.
Alex: Advisor360°, like many companies, uses phony phishing emails to educate our staff and offer incentives to report suspicious emails. In addition to cybersecurity updates and announcements, we’ve recently started a Lunch & Learn series for any employees interested in learning more about security measures. These are just a few examples of how we’re creating cybersecurity awareness in our company, but there are many methods to positively engage staff in protecting the house.
Mukund: Gone are the days where you put your people through cybersecurity defense training for two to three hours at a clip. That’s just painful to sit through, and I think we’ve learned that there are better ways to make a deeper impact.
Cybersecurity awareness messaging needs to be doled out in bite-sized chunks. The information needs to be served up in different ways so it can be digested more easily. We’re having success with integrating awareness touch points throughout the regular workday—using screen savers is one example of how we’re checking in on awareness. Gamification is another tactic that’s working for some organizations, and others are turning to cartoons and animation to keep employees engaged. The important thing to keep in mind is that individual behaviors don’t change overnight, so organizations need to be patient.
If we’re going to champion the idea that all employees are cyber-guardians, then we need to focus on positive reinforcement. Most people aren’t intentionally trying to bypass security controls; they just want to do their jobs. I’ve found that people respond better when they understand why they need to comply with certain security measures, and they also need to be rewarded for doing so. That’s how you start to get behaviors, and the culture, to shift.
We need to focus on weaving security into how our organizations do business. Organizational culture evolves all the time, so as CISOs, we need to figure out how to work security into it. It’s not a top-down mandate; a strong cybersecurity culture must emerge from within.
Mukund: In some circles, talking about data breaches is almost taboo, but for me, thinking about how we recover and respond in the event of a breach is a part of day-to-day life.
At the end of the day, we’re all human. We like our mundane practices and routines. Knowing this, we need to train everyone—end users and executives alike—because if you don’t train, people will not be prepared.
Alex: For starters, we need a “we’re all in this together” versus “oh no, I’m going to get fired” attitude. We’ve all clicked on that suspicious link at one point or another—we’re all human. People should feel comfortable raising their hands when they’ve made a mistake. If our staff feel like they are going to get in trouble, or it creates an organizational problem when someone makes a mistake, you’re going to have an ethos of fear.
At Advisor360°, we have “cheers for peers”—a shout out to people who go above and beyond, doing things that aren’t tied to their job description. We want to show that cybersecurity is a team sport and we all have a role to play. Public praise and affirmation can be powerful tools.
Mukund: There are a lot of dynamics to consider, but there should be an element of fun. Your organizational DNA matters—for a cybersecurity program to really be effective, you need to understand your end users, be flexible, and recognize how people work and want to be rewarded.
Organizations are getting creative about applauding these above-and-beyond moments; some use thank-you cards and financial rewards, and others give paid time off and send gift hampers to the house.
Alex: I have two. First, cybersecurity education isn’t just for October, it’s a year-round endeavor. CISOs must find the right rhythm and then bang the drum so it doesn’t become noise and people stay engaged with you.
Second, when in doubt, ask. I ask a million questions all the time. I’d rather have everyone asking than no one asking any questions.
Mukund: I’ll start out by saying that cybersecurity does not have to be overly complicated—use common sense. We have basic behaviors about how we stay safe. At home, we lock our doors at night. There are simple things that we do as part of human behavior that we can do to be secure.
Secondly, we are all imperfect. Things sometimes go wrong, and that’s okay; we just need to understand why the mistake happened and how to avoid it the next time.
And finally, connect with others. Have the courage to fail, courage to succeed, and courage to connect. Ask to connect to people, ask if you are doing the right thing, and ask about what you can do to stay safe.
Commonwealth Financial Network, Member FINRA/SIPC, a Registered Investment Adviser, provides a suite of business solutions that empowers more than 2,000 independent financial advisors nationwide. J.D. Power ranks Commonwealth “#1 in Independent Advisor Satisfaction Among Financial Investment Firms, Eight Times in a Row.”
Alex Cunningham is Senior Vice President, Chief Information Security Officer at Advisor360°. He leads the Information Security team in protecting the Advisor360° enterprise, keeping all company and client data safe and secure.