Brian Linder is an Emerging Threats Expert and Evangelist in Check Point’s Office of the CTO, specializing in the modern secured workforce. Brian has appeared multiple times on CNBC, Fox, ABC, NBC, CBS, and NPR radio, hosts Check Point’s CoffeeTalk Podcast and Weaponizers Underground, and has teamed on keynote CyberTalks at Check Point’s CPX360 events. For 20+ years, Brian has advised C-level executives at firms large and small in the financial, legal, and telecommunications sectors on next-generation cyber security solutions and strategies for cloud, mobile, and network. Brian holds a B.S. in computer science from Drexel University and an M.S. in Information Science from the Pennsylvania State University.
In this thought leadership interview, Brian Linder offers insights into how to best leverage Cyber Security Awareness Month for the benefit of your employees, your security operations, and your organization’s overall advancement.
Why do we need Cyber Security Awareness Month and how would you recommend that organizations conceptualize Cyber Security Awareness Month? What should organizations keep in mind as they plan and execute programs?
There are several dimensions to explore here. The first consists of employees and the human element. To expand on that further, we are all aware that, as humans, we are the weakest link. Everyone reading this is on the cyber security frontlines, interacting with their devices that host an unwieldy variety of apps and that leverage the cloud 24/7. Humans and the vulnerability that they can potentially introduce represents one key area of focus.
The next dimension of this to consider is the one that encompasses the board, the C-suite and the CISO role. Allow me to illuminate that a bit more: according to the Wall Street Journal, boards now seek to recruit new board members with risk awareness expertise. I think that this is an amazing initiative, and that this makes a lot of sense. We need to look at both extremes of the continuum; not just the employees and ‘regular Joe’ types who use connected devices all day, but at the board level, from which the funding flows. We also need stockholder awareness, and investment at a level that most levels of management, even within the cyber security organization, just can’t achieve. This should be the second key area of focus.
What are the major hurdles that leaders face in the process of creating more risk-aware workplaces? And how does Cyber Security Awareness Month provide an opportunity to champion these challenges?
The way I would describe the current state of security for many organizations is that of a perfect storm. This perfect storm began at the start of the pandemic and has continued with unstoppable ferocity. Let me unpack that a bit…
First and foremost, we have a highly distributed workforce. We’re working in an increasingly hybrid way. We’re in an office and then we’re not in an office. We’re in coffee shops. Well-intended users are trying to do the right thing, but we all are subject to the weaknesses of human nature vis-à-vis social engineering attacks. We can’t get around it.
Second, we are all using every device, in every cloud, in every app. The idea of a data center is really a yesterday concept. Our computing is so distributed. We enjoy the convenience of it, but as a result, we are now dependent on many different apps and therefore we become even more of a vector for attack than ever before.
Now, on top of all that is a cyber security skills shortage, to which there is no end in sight. As I like to say, even if we all had unlimited funding to go hire the best people, there just aren’t enough best people. Not to mention there’s also a recession, where the money just isn’t there to fund increased hiring and other new cyber initiatives.
In addition, when it comes to threat detection, there’s an over-dependence on human response time. ‘If I have a security operation center with top global cyber talent, I am still mostly dependent on detection, so I’m going to detect and respond,’ CISOs commonly think to themselves. Well, those days are behind us. We can no longer afford to assess and respond to cyber threats that way. We need to use more automated methods and impose greater reliance on prevention. As humans, we just don’t have the speed to keep up with the scale. We’re overwhelmed by all of the alerts, and everything that we need to pay attention to.
To recap, it’s kind of a perfect storm in the sense that many organizations are facing a series of major challenges that could turn into full-blown crises. They’re contending with an ever-expanding threat surface, dwindling financial resources, limited availability of talent, outdated models and processes, and other resource limitations.
What kinds of factors should leaders take into consideration to make employee security awareness programming easy, effective and successful?
There’s a major obstacle that everyone in cyber security faces: in cyber security, we’re of the mentality that our users can’t be trusted, and we carry around a big stick, so to speak, and we’re ready to whack ‘em with the stick when they make a mistake. In other words, we approach employee education and awareness with a punitive or punishment mentality.
I propose that we take the opposite approach. I propose a change in the paradigm that emphasizes positive reinforcement. Now you’re probably thinking, ‘how can positive reinforcement have any context or relevance?’ If you’re familiar with what we call bug bounty hunting, which is where someone responsibly reports a source code bug to a vendor, and the vendor offers a financial reward, that’s positive reinforcement.
What I’m saying is ‘why not experiment with programs where we train our users, where they’re reporting issues, where they’re tracking phishing threats, and where it becomes fun for them?’ Maybe a given organization even offers financial incentives. “Hey, every time you accurately report a phishing attempt, $25 bucks.” Or “every time you do this particular task successfully, you’re entered into a competition.”
Now, some would say, “Wow, that’s going to cost the company too much money – we’re in a recession.” My response is that we need to look at this from the perspective of risk mitigation. If you’re willing to pay for cyber insurance, why not pay employees to help them become part of a ‘citizens crime watch’ for cyber security? It’s a little bit of a controversial thing, but is worth exploring further.
Otherwise, our industry tends to focus on what users shouldn’t do. “Don’t do this, don’t do that, be sure to…” Rather, we would do well to engage our human users a bit more by reinforcing positive actions and rewarding people. We need to invite employees to step into the security mindset by making it something fun; something worth talking about around the watercooler.
Can you imagine one of your employees standing around the watercooler saying “Hey, I found three phishing attacks last week. My account got $75 bucks, or 100 points, and I’m winning, and I’m the quarterly leader…” and then, the education propagates.
Cyber Security Awareness Month is flying by fast but there’s still time to kick initiatives into high-gear. Do you have any immediate, actionable recommendations for the final stretch of this month so that organizations can move forward successfully and easily into the next year?
Leverage this moment. Leverage this Cyber Security Awareness Month. Although every month should, in the eyes of some at least, be Cyber Security Awareness Month, use this month to remind people of the basics. Now, you’ve probably told your people the basics within your existing training programs. Perhaps you have firms that are on a retainer, providing your employees with ongoing training. Regardless, use this month as an opportunity to elevate the discussion; to talk about the potential damage that cyber attacks can cause, and to address that reality.
Have the messages come from leadership. Make sure that it’s not just your head of IT speaking about Cyber Security Awareness Month. Ensure that people higher-up within the organization share thoughts and perspectives.
Consider providing real-world examples of the type of damage that can occur on account of a cyber attack. Talk about some of the costs associated with cyber attacks, and discuss how a multi-million dollar ransomware attack on your organization could potentially have a trickle-down effect on employees. For instance, it could cause job losses, affect raises…etc.
Use the moment to educate further. There’s no cap to the quantity of education that we can provide or that users can consume. Unfortunately, we are human, we’re very busy, and our attention is scattered across a large volume and breadth of different projects. But take the moment, in these next two weeks, to capture a little of your employees’ attention and to show them what else they can do to help out.
One reason as to why companies aren’t adequately secure has to do with the talent shortage. What is being done to advance the cyber security talent pipeline and how can organizations upskill existing talent?
We have a major shortage in the industry when it comes to good cyber security talent. Most of the best are already employed. We need to not only look at how to train younger people and those who are new to the workforce, but also explore how to bring in people who are making changes in their careers, and even train people for the C-suite cyber security roles, such as that of a CISO.
Where I work, here at Check Point, I’m proud to say that there is a lot going on in this area. We’ve partnered with Cybrary, which is a great initiative that enables employees to invest in their own skillsets. And Check Point itself offers many no-cost online training courses through our Mind initiative.
At the other end of the scale, we also offer the CISO Academy, which is a great initiative that requires an investment of both time and money, but can prepare the top experts for the C-suite. Someone who aspires to become a CISO can engage with these educational programs. There are a lot of resources out there and cyber security professionals have an ecosystem of support.
We need to encourage those who have the educational foundations and personal interest to acquire additional cyber security expertise. Cyber security offers huge career opportunities. You’ll be employable for the rest of your career if you’ve acquired some of these skillsets.
Are you optimistic or pessimistic about the future of cyber security?
Let me turn that around into another question. Are you optimistic or pessimistic about automotive safety? I think that we are all mostly optimistic about it. Our cars are safer and drive more safely than ever before. We have more controls in place that allow us to avoid accidents than ever before.
Now, is everybody a safe driver? No. That is to say, the opportunity exists to be a safe driver.
The same goes for cyber security. We’ve reached a point where the controls and the tools available not only allow us to be more educated, but to have safer networks, and safer applications.
But without the right security measures and tools in place, you’re likely behind the curve and opening your organization up to undue risk. For example, if you’re still depending on detection and response, you’re still operating at the speed of a human, versus operating at the speed of prevention, which is completed in large part by artificial intelligence and other modern technologies.
I am optimistic about the future. I am optimistic that, increasingly, organizations will see how to leverage the tools that are available and that they will discover how to enhance their savvy. However, as with automotive safety, cyber security does require humans to adopt new mindsets, habits and tools.
So, we need to continue to educate, which is why Cyber Security Awareness Month and similar initiatives are so great – they give us a moment to educate around the ideas, tools and technologies that can lower our risk of impactful, negative cyber events. We just need to actually adopt the tools and tech, rather than staying with the status quo and assuming that we’re safe enough as we are. Let’s question our assumptions and take our security to the next level.