9 Innovative Ways to Boost Security Hygiene for Cyber Awareness Month
If we really want to move the dial on security habits, it's time to think beyond phishing tests. Our panel of CISOs and other security heavy-hitters offer expert tips that go beyond the obvious.
October 21, 2023
![Illustration of human head with mind flows streaking out of the brain.](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blte4f8159b1a073dd5/654e39fbb4e480040b167638/mind_brain-Jan_Mika_via_Alamy.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: Jan Mika via Alamy Stock Photo
October is Cybersecurity Awareness Month, a time where many companies take the opportunity to remind their employees about the dangers of password reuse, reinforce the importance of not clicking on untrusted links, and provide their yearly cybersecurity user training.
These are familiar approaches that don't change very much year-to-year — even though the cyberthreat landscape does. To mark the 20th year of Cybersecurity Awareness Month, we decided to talk to a range of CISOs and other well-known cybersecurity leaders about how to evolve user awareness efforts, asking them just one question:
What is your No. 1 piece of advice for security teams looking to boost employee, supplier, and partner security literacy in new and innovative ways?
Read on for innovative responses from our expert panel:
Window Snyder, Founder and CEO, Thistle Technologies
Kurt John, CISO, Expedia Group
Bruce Schneier, Security Technologist & Author
Phil Venables, CISO, Google Cloud
Dave Lewis, Advisory CISO, Cisco
Fred Kwong, CISO, DeVry
Rob Duhart, Deputy CISO, Walmart
Pat Opet, CISO, JPMorgan Chase
Tennisha Martin, Founder and Executive Director, BlackGirlsHack
Window Snyder advocates equipping users with more secure-by-design platforms rather than expecting them to discern when it's safe to click or not.
For an organization's application developers, it starts with a development platform that minimizes the risk of buggy code. "The most impactful thing you can do to improve security with the least amount of effort is to move to a memory-safe language," Snyder says. "So when they're choosing what platform, what language that they [developers] are going to use to create new capabilities and new features, moving to a memory-safe language is going to quickly and dramatically reduce the risk" of software vulnerabilities, she says.
![Window Snyder](https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt9ffe1a25658242e4/653675455cf932399dd2befc/WindowSnyder.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: Window Snyder
Snyder, who for over 20 years has helped major vendors (Mozilla, Apple, Microsoft, and Intel, to name a few) build security into their products, contends that it's unreasonable to place on the shoulders of end users the responsibility for what to click and what not to click. "The problem is not that they clicked on something, it's that they have accounts with more capabilities than are needed to do their user tasks. They shouldn't be able to corrupt the entire device by clicking on a link in a Web browser."
Overprivileged user accounts aside, the good news is that there are examples of popular software — such as Mac iOS and Chromium — with built-in guardrails that can prevent users from inadvertently installing malicious code, according to Snyder, founder of connected device security firm Thistle Technologies.
Still, the tech industry has a long way to go to retrofit the security gap in many of today's systems, according to Snyder.
Expedia Group CISO Kurt John recommends deputizing volunteer employees as security champions who promote cybersecure behaviors within the organization. That grass-roots advocacy approach, he says, naturally fosters a culture of security within the organization.
![Kurt John](https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt356e8af11df14f99/6532db335531e712d651c581/KurtJohnExpedia_(1).jpg?width=350&auto=webp&quality=80&disable=upscale)
Kurt John, CISO, Expedia Group. Source: Kurt John
John, who is also a member of the Dark Reading CISO Advisory Board, advocates rotation programs to help foster collaboration among different groups in the company. This gives business users a chance to temporarily step into the security team's shoes and vice versa. "Rotation programs [give] employees the opportunity to work within the security team, and security team members to work within parts of the business," he explains. "This would be four to eight weeks, and [does] a great job at cross-pollinating business concepts within the security team, and security context within the business."
In that same vein, mentoring and reverse-mentoring — if done right — can help users understand both sides of the security equation. "The planned and careful pairing of security and non-security employees and leaders [can] help foster richer collaboration and deeper appreciation for each other's spaces across the enterprise," John says.
Bruce Schneier doesn't mince words about his assessment of the conventional security guidance regularly doled out to users.
"'Don't click on URLs' is terrible advice. What else are you supposed to do with URLs?" the renowned technologist and author says. "Or, even worse, 'don't stick strange USB sticks into your computer.' Why the hell not? That's what USB sticks are for."
![Bruce Schneier](https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt41ad326c681d22da/6532d9530ef0e007801fbc81/VBabutsPhoto_Bruce-Schneier_02.jpg?width=350&auto=webp&quality=80&disable=upscale)
Bruce Schneier, security technologist, author. Source: Bruce Schneier
Instead, he says, organizations should offer simple, straightforward, and actionable security guidance to their employees if they want them to make any meaningful changes in their online behaviors. Take the popular public health mantras of "wash your hands," "wear a condom," and "wear a face mask," he offers. "In all instances, the advice is a simple behavioral change. You can explain the reasoning in a sentence. And the action obviously connects to the problem and makes obvious sense," he says.
The core problem, of course, is that much of today's established technology and software infrastructure wasn't built with security in mind. "The problem is that we are trying to change user behavior to cover up for lousy design," he says. "What kind of engineer built a system ... putting a USB stick into your computer? Microsoft, that's who. They were so enamored with AutoRun that they ignored the security problems," he says, adding that there are plenty of other such examples of security holes built into vendor products.
For Phil Venables, CISO of Google Cloud, the biggest security challenges still concern passwords. Attackers are still taking advantage of the fact that users are still using weak passwords or reusing passwords.
"It's been 20 years since the first Cybersecurity Awareness Month, and while we've made a lot of really great strides in security over that time, we're still making up for issues that surround passwords," says Venables.
![Phil Venables](https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt6e998d1dede2b502/6532dcc675c74cc1d15840f6/Phil_VenablesGoogleCloud.jpg?width=350&auto=webp&quality=80&disable=upscale)
Phil Venables, CISO, Google Cloud. Source: Phil Venables
Instead of complicating authentication and identity management even further by adding more layers of protection, Venables recommends "completely eliminating passwords and replacing them with passkeys, which are both easier to use and phishing resistant." The technology exists — users can use their fingerprint sensor or Face ID on their mobile devices to log in to their accounts, for example, and skip passwords altogether.
While passkey support is still evolving and it will take some time (and more technology) before enterprises can fully embrace passkeys, security teams can work with end users to turn on passkeys on user accounts where available. Google, for instance, is currently working with partners such as Home Depot, Uber, and eBay to expand the use of passkeys beyond Google. Until then, users can get used to passkeys on their personal accounts with Google, Microsoft, Apple, Amazon, and others.
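To show why Venables can call passkeys "phishing resistant", here is an added example (not code from the article or from any vendor): a simplified relying-party verification in Go modelled on WebAuthn, in which the authenticator signs over the origin the browser actually saw, so an assertion produced on a lookalike domain fails at the genuine site. The rpId "example.com", the lookalike "examp1e.com", the challenge values and all function names are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData: the clientDataJSON fields the signature covers (server challenge, origin the browser saw).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives (simplified WebAuthn); AuthData starts with SHA-256(rpId).
type assertion struct{ AuthData, ClientDataJSON, Sig []byte }

// signingInput is the ES256 message: SHA-256(authData || SHA-256(clientDataJSON)).
func signingInput(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// sign plays the authenticator: the origin is baked into the signed bytes, so an assertion made on a lookalike site cannot be replayed against the real one.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signingInput(rpHash[:], cd))
	return assertion{AuthData: rpHash[:], ClientDataJSON: cd, Sig: sig}
}

// verify is the relying-party side: fresh challenge, expected origin, rpId hash, then the signature against the public key stored at registration.
func verify(pub *ecdsa.PublicKey, a assertion, rpID, wantOrigin, wantChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != wantChallenge {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != wantOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was made for another site", cd.Origin, wantOrigin)
	}
	if rp := sha256.Sum256([]byte(rpID)); len(a.AuthData) < 32 || string(a.AuthData[:32]) != string(rp[:]) {
		return fmt.Errorf("rpId hash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signingInput(a.AuthData, a.ClientDataJSON), a.Sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}
func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	phish := sign(priv, "example.com", "https://examp1e.com", "nonce-1") // constructed lookalike origin
	fmt.Println(verify(&priv.PublicKey, phish, "example.com", "https://example.com", "nonce-1"))
}
```

In a real deployment the browser additionally refuses to use a credential whose rpId does not match the page's domain, so the lookalike site never even obtains the assertion; the server-side check above is the second layer.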
Dave Lewis, an advisory CISO at Cisco, suggests viewing security through both the enterprise and personal lenses, and taking appropriate action to address gaps in those perspectives.
From the enterprise perspective, Lewis recommends reviewing the security debt load of the organization as a whole as it relates to technology. Security debt refers to vulnerabilities in the organization's technology stack that accumulate over time and make it harder to defend data and systems from attack. One example of security debt is running legacy software that no longer receives security updates, or not updating software components for fear of breaking functionality.
![Dave Lewis](https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/bltec11c5738e7a28d2/6532de128081b707688bdca6/dave-lewis_Cisco.jpg?width=400&auto=webp&quality=80&disable=upscale)
Dave Lewis, advisory CISO, Cisco. Source: Dave Lewis
However, individual systems should face the same scrutiny, he adds. "This is something that I typically focus on for the enterprise, but it is absolutely salient to the discussion for the end user," Lewis says. He notes that attackers can and do take advantage of an endpoint's security debt to gain initial access into an environment, execute malicious code such as ransomware, and more.
To audit security debt, security teams can ask end users questions such as whether the system the end user is using has been patched to the current version, whether the Web browser is the latest version, what version of the operating system is running on a mobile device, and if there is any software being used that is no longer supported. Armed with the answers, the security team can work with the users to reduce their individual debt.
"We don't want to make the criminal's job easy for them," Lewis says.
While employee security awareness commonly centers on basics like learning to recognize phishing attempts and instilling password hygiene, Fred Kwong, CISO at DeVry and also a member of the Dark Reading CISO Advisory Board, says it's important to get creative about how that training is rolled out. Once-a-year online classes aren't going to cut it.
![Fred Kwong](https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt03c9dd40bf8f93dd/6532e35f39fda368378a975f/FredKwongDeVryjpg.jpg?width=350&auto=webp&quality=80&disable=upscale)
Fred Kwong, CISO, DeVry. Source: DeVry
"Increasing security literacy in organizations requires a shift in culture and thinking," he says. "As security leaders, we must continue to innovate in the ways that we deliver the message around cybersecurity. While phishing campaigns and awareness training are techniques that can help enforce a security-first message, they are not the only means at our disposal."
Getting creative and providing different ways to educate employees on cybersecurity basics can mean gamification, for instance.
"Create an escape room scenario," he says. "For example, you can create a puzzle around password cracking. You can find a hint you need by picking out and using a suspicious link or content. By transforming cybersecurity awareness training with gamification, we can turn essential lessons into engaging challenges that not only educate but also help employees retain knowledge."
Walmart is literally the globe's "Fortune 1" company, with millions of employees worldwide and plenty to lose in a cyberattack should one of those workers inadvertently open the doors to the digital marauders.
One would imagine that cybersecurity awareness represents a large challenge, simply by dint of scale. Rob Duhart, deputy CISO at the retail giant, says reducing security friction with technology approaches is one part of the strategy to get all of those humans moving in the right cyber-direction. But the other — and arguably more important — piece is fostering a culture of security.
![Rob Duhart](https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt56879e390e2c44bd/6532eb0af11cf1712a44aa9f/Rob-DuhartWalmart.jpg?width=400&auto=webp&quality=80&disable=upscale)
Rob Duhart, Deputy CISO, Walmart. Source: LinkedIn
For instance, the company is working to implement an advanced identity access management model on the technical side, he notes. But the team is also focused on "actively instilling a security mindset ahead of any technical rollout or changes."
That effort encompasses discussions of security with everyone in the workforce, even in-store employees, and why the technology should be embraced companywide.
"We invest in security awareness, training, and communication for associates at all levels, which enables them to act as our first layer of defense while also improving efficiency, encouraging innovation, and helping to reduce frustration and resistance," he says. "Focusing on mindset first emphasizes collaboration, enables the business to innovate with speed, and fosters a security-first culture to drive design that is inherently secure."
While educating employees, customers, and partners on cyber best practices through trainings and year-round events is important, Pat Opet, CISO at JPMorgan Chase, says that his company is also making use of cyber and fraud threat intelligence to boost accountability.
![Pat Opet](https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt1fdb5307b6bb0d0d/6532eb5e2231226babc787f3/PatOpetJPMorganChase.jpg?width=350&auto=webp&quality=80&disable=upscale)
Pat Opet, CISO, JPMorgan Chase. Source: JPMorgan Chase
For instance, the finance behemoth recently expanded its intelligence collection and analysis to identify risk within its supply chain.
"We look for nontraditional ways to educate our business and suppliers," he explains. "We process high volumes of data — from open source, Internet, Dark Web, and active scanning — to produce novel intelligence, all of which are used to protect our business and our clients."
The security team uses the platform to identify weaknesses in the perimeter defenses of suppliers, including pre-compromise targeting and early-stage compromises (e.g., malware beaconing, command and control channel establishment, and anomalous network activity). Then, the company notifies relevant partners, shares findings and the full context of the weakness, and helps suppliers address the issue.
"This type of action-oriented process holds suppliers to a higher level of accountability, which in turn benefits the entire ecosystem," Opet says. "This has become more critical as the cyber landscape continues to evolve and systems are more connected than ever."
Employees are the first line of defense in every organization, so education of the next generation remains key to boosting the organization's security capabilities.
"Nurturing, developing, and attracting talent is not just a strategy — it's the lifeline that sustains enterprise security, ensuring the protection of tomorrow," says Tennisha Martin, founder of BlackGirlsHack.
![Tennisha Martin](https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt45186b3e7e923523/6532f8b65760f52eea7a21d4/TennishaMartinBlackGirlsHack.jpeg?width=350&auto=webp&quality=80&disable=upscale)
Tennisha Martin, Founder, BlackGirlsHack. Source: Tennisha Martin
When employees are provided with more opportunities — whether the training is focused on helping employees to learn new security skills or clarifying how their actions impact the organization's security posture — organizations benefit. Security teams should invest in more relevant and interesting educational programs as well as increase the frequency.
"It is essential for leaders to provide on-the-job training and learning opportunities to meet the growing demand to fulfill critical security roles," Martin says.