Jonathan Fischbein is the Chief Information Security Officer for cyber security vendor Check Point Software. He has more than 25 years’ experience in high-tech security markets, shaping security strategies, and in developing ad-hoc solutions to help large corporations mitigate security threats.
In this interview, Check Point’s Global CISO, Jonathan Fischbein, discusses cyber security awareness, how to build high-performing initiatives, best practices for securing executive identities, driving high-quality security outcomes, Check Point’s approach, and more. This interview is brimming with practical insights for all security professionals.
In your experience as Check Point’s CISO, what works and what doesn’t when it comes to cyber security education for employees?
The first question to ask yourself when it comes to setting up security awareness initiatives is, “What are you trying to accomplish?” And then, “What is the success rate of these types of security awareness activities?” “Is it effective, is it not effective?” These are things that you need to take into account.
Subsequently, you need to measure security awareness engagement on a continual basis. For example, if you run a security awareness campaign, how many people actually participated in the exercise? Are participation rates in accordance with the targets that you assigned? And if you’re not close to the target, what are you going to do about it? It’s a continuous thing.
Now, in terms of what works for us, a leading cyber security team, I can share a few examples: Employee education starts on the first day of every employee’s employment. Employees who do not pass mandatory training will not gain access to the network and to resources. Although this is onboarding training, it’s also part of the larger security awareness program.
We continue by educating around phishing campaigns, as some phishing campaigns are targeted towards specific departments. And then we have incidental communications – after industry security breaches, we communicate simply and encourage employees to report any security incidents that may arise.
In every employee’s Outlook setup, there’s a “report security incident” button. By clicking on it, a dedicated email is dispatched to the Security Operations Center – the SOC. This group will investigate and they will, within the same day, take remediation actions, if needed. This is very important. The SOC will even communicate back to the employee and say “thank you, we are taking action…etc.”
Examples of effective security awareness can also involve gamification, short videos + quizzes, hackathons, and sophisticated email campaigns that include user debrief, in case employees fail the test.
What factors should an organization take into consideration when deciding on the right cyber security awareness programming for its employees?
There are multiple factors to take into consideration, but I want to start with risk. CISOs and security professionals need to ask themselves, “What is the risk if my employees are not sufficiently aware or security-responsible?” Following the cyber pandemic, an event observed in recent months, we can conclude that every organization requires a high or a moderate cyber security awareness program.
For instance, lacking a mature awareness program will impact the obtention of security certifications, such as ISO27k or similar. If my corporate clients demand a high level of security, they will ask me a lot of questions on the audits, and if I cannot show a mature security awareness program, I will fail those audits.
Another factor that organizations should consider: Investing in security tools that help employees make a measurable decision when a security challenge is presented. This is what I call User-Check, effective usually on DLP scenarios, and things that are related to engaging with employees so that they know what they are doing.
Another aspect of security awareness is making sure that every single employee knows that there is a security team available to assist and to offer guidance on security matters. We invest a lot in internal communication just to increase the security effectiveness posture. If I am a regular employee, and I do not know that there is a security team or a button or someone to approach about a possible issue…then that’s a problem.
The challenge, unfortunately, is just one click away. After one click on a malicious link, a regular employee who’s unaware of the security team might say ‘I am just going to continue working, despite what I clicked on,’ but then it’s game-over for the company. Informing employees that there is a security team within the organization, taking care of the staff – it’s part of security awareness and something that organizations should be sure to communicate.
How can security leaders do a better job of fostering cyber security collaboration across an organization?
It’s important to understand that we cannot win the fight alone. So, for every industry, we need to collaborate. What we are doing internally is good, but there is also an external component. A financial organization, for example, might be fighting off the same types of attacks as other financial organizations, making threat intelligence sharing a critical component of maintaining a strong security posture.
We have plenty of groups, with whom we share information on a daily basis, multiple times. We share threat indicators. We share information about security awareness programs – things that we do. Things that have worked well. While 10 years ago, security was often secretive and hush, hush, we’ve now acknowledged that we cannot fight alone.
So definitely by focusing on collaboration internally, and in a similar vein, by focusing on collaboration externally as well.
Here we are shifting topics a little bit – Identities are a top attack vector. Where should organizations start when it comes to identity theft awareness?
This is my favorite topic. Organizations need to not only invest in security awareness. They need to invest in technologies to ensure that the identity is aligned with corporate policies and best practices.
- Multi-factor authentication is basic, but we still see cases where organizations aren’t aware enough – so this is an area in which organizations should focus. For all SaaS interactions, we implement multi-factor authentication.
- At Check Point, we believe that SMS is less secure than push notifications via mobile phone. We have moved from SMS, because we have seen SMS phishing (smishing) attempts in the last two years, to push notifications. This is another aspect of securing identity.
- Further, and this is more within the security teams, organizations need to focus on visibility and tools that will tell you that there is a risk. There is a tool called SIEM. If it knows that a marketing manager is currently operating from the West Coast, but then sees that the marketing manager is trying to gain access to systems from Bucharest, Romania, the SOC systems will give an alert. When the marketing manager logs in the next time, she will get a red flag, alerting her to the fact that something suspicious is going on, and she will be blocked. Not all organizations have implemented such security techniques, but this is something that is available through Check Point tools, and together with SOC & XDR solutions to make sure that the identity is being preserved at all times.
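The alert described in the last point above, a user whose second login is geographically impossible given the time since the first, is easy to show on constructed data. The following is an added example and not Check Point or SIEM vendor code; the event layout, the coordinates (taken as if a geo-IP enrichment step had already run) and the 1000 km/h plausibility threshold are all assumptions made for illustration.

```python
"""Added example: impossible-travel check over constructed login events.

Not Check Point code. The event format, coordinates and speed threshold are
assumptions chosen to illustrate the SIEM alert described in the interview.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample "login success" events, in the shape a SIEM might hold
# after normalising identity-provider logs and adding geo-IP coordinates.
LOGIN_EVENTS = [
    {"user": "marketing.manager", "ts": "2024-03-04T09:00:00Z",
     "city": "San Francisco", "lat": 37.77, "lon": -122.42},
    {"user": "marketing.manager", "ts": "2024-03-04T10:30:00Z",
     "city": "Bucharest", "lat": 44.43, "lon": 26.10},
    {"user": "finance.analyst", "ts": "2024-03-04T08:15:00Z",
     "city": "Seattle", "lat": 47.61, "lon": -122.33},
    {"user": "finance.analyst", "ts": "2024-03-04T13:45:00Z",
     "city": "Portland", "lat": 45.52, "lon": -122.68},
]

# Assumption: no legitimate user moves faster than a commercial airliner.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class TravelAlert:
    user: str
    from_city: str
    to_city: str
    distance_km: float
    hours: float
    speed_kmh: float


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive login pair that implies travel faster
    than max_kmh. Events are grouped per user and ordered by time first, so
    the order of the input list does not matter."""
    alerts = []
    last_seen = {}
    for e in sorted(events, key=lambda ev: (ev["user"], parse_ts(ev["ts"]))):
        prev = last_seen.get(e["user"])
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (parse_ts(e["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            # Two logins in the same second from different places count as
            # infinitely fast rather than raising a division error.
            speed = float("inf") if hours == 0 else dist / hours
            if dist > 0 and speed > max_kmh:
                alerts.append(TravelAlert(e["user"], prev["city"], e["city"],
                                          round(dist, 1), round(hours, 2),
                                          round(speed, 1)))
        last_seen[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(LOGIN_EVENTS):
        print(alert)
```

Run as written, the marketing manager's San Francisco to Bucharest pair (roughly 10,300 km in 90 minutes) is the only alert; the analyst's Seattle to Portland pair over five and a half hours is well under the threshold. In production the same check would be fed by the SIEM's login stream and the alert would drive the step-up or block the interview describes, rather than a print.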
What kinds of identity theft scams should executives watch out for and how can organizations do a better job of keeping executive identities secure?
Firstly, since the start of COVID-19, we have seen a huge increase in the number of whaling attacks, and the impersonation of executives. Attacks are varied, but usually leverage personal information about executives that’s found through the company website and through LinkedIn.
Attackers often effectively impersonate executives, writing emails with messages such as “Hi, I’m the CEO of the company, so please let me know that you received this email, as I need to share some insights with you.” Or they will say that they need to share information that’s relevant to an individual’s specific job function.
Secondly, regarding hacker impersonation attempts, we need to spread awareness to employees. For instance, finance teams need to be aware of the fact that, if they don’t usually transfer money to the CEO or COO when they are in the airport, if they get an email with a sense of urgency, this is the first type of red flag. The second type of red flag arises when an employee is asked to transfer money – an easy flag to spot.
How can employees recognize these types of threats? When hitting ‘reply’ to an impersonation email, employees should look for the name and the email address of the CEO in the ‘to’ section of the email. And they will see that the email is actually destined to go to someone other than the CEO; someone with a different email address. ‘Sense of Urgency’ emails are for sure a red flag. So be careful with emails expressing the need to take an immediate action.
Here is where security tools within the main security of the organization can help. Tools such as Check Point’s Harmony Email and Office client, together with more sophisticated SOC tools, mean that we can detect these kinds of attempts on the fly and stop them. Organizations need to increase security awareness and to also apply security best practices and the right mitigations.
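The red flags listed in this answer (a reply that would go to an address other than the executive's, a sense of urgency, and a request to move money) are the same checks an email security tool applies automatically. The following is an added example and not Harmony or Check Point code; the corporate domain, the executive directory, the keyword lists and the two sample messages are constructed assumptions.

```python
"""Added example: surfacing the impersonation red flags from the interview
over constructed messages, using only the standard library.

Not Check Point or Harmony code. The corporate domain, executive directory,
keyword lists and both sample messages are assumptions made for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumption

# Hypothetical executive directory: the display names an attacker would copy
# from the company website or LinkedIn, mapped to the real mailbox.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
URGENCY_TERMS = ("urgent", "immediately", "right away", "asap", "before end of day")
PAYMENT_TERMS = ("wire", "transfer", "payment", "invoice", "gift card")

# Constructed sample: the "CEO at the airport" scenario from the interview.
IMPERSONATION_MSG = """\
From: "Jane Doe, CEO" <jane.doe@example-mail.net>
Reply-To: jane.doe.ceo@freemail.example
To: finance@example.com
Subject: URGENT - wire transfer before my flight

I'm at the airport and need you to transfer 48,000 EUR to a supplier immediately.
Reply to confirm you received this.
"""

# Constructed sample: a routine internal message from the real mailbox.
LEGIT_MSG = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review notes

Attached are the notes from yesterday's meeting. No action needed this week.
"""


def reply_target(msg):
    """The address a reply would go to: Reply-To if present, else From.
    This is what an employee sees after hitting 'reply'."""
    _, addr = parseaddr(str(msg.get("Reply-To") or msg.get("From") or ""))
    return addr.lower()


def impersonation_flags(raw):
    """Return a list of human-readable red flags for one raw RFC 5322 message.
    An empty list means none of the checks fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    flags = []

    # 1. Display name claims to be an executive, but the address is not theirs.
    normalised_name = name.lower().replace(",", " ")
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name in normalised_name and from_addr != exec_addr:
            flags.append(f"display name '{name}' does not match directory address {exec_addr}")

    # 2. A reply would go somewhere other than the sender shown.
    target = reply_target(msg)
    if target != from_addr:
        flags.append(f"reply goes to {target}, not {from_addr}")

    # 3. The sender is outside the corporate domain.
    if not from_addr.endswith("@" + CORPORATE_DOMAIN):
        flags.append("sender is outside the corporate domain")

    # 4/5. Sense of urgency and a request to move money, in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    if any(term in text for term in URGENCY_TERMS):
        flags.append("sense of urgency")
    if any(term in text for term in PAYMENT_TERMS):
        flags.append("requests a payment or transfer")
    return flags


if __name__ == "__main__":
    for label, raw in (("impersonation", IMPERSONATION_MSG), ("legit", LEGIT_MSG)):
        print(label, impersonation_flags(raw))
```

The constructed impersonation message trips all five checks, while the routine message from the real mailbox trips none. A real gateway would add sender-authentication results (SPF, DKIM, DMARC) and a lookalike-domain comparison on top of these header and content checks; the point here is that the reply-address check the interview recommends to employees is also a mechanical one a tool can run on every inbound message.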
On behalf of Cyber Security Awareness Month and CyberTalk.org, is there anything else that we haven’t asked but that we should have?
Yes…On an internal organizational level, we must share why we have selected and implemented certain security solutions, describing why we use them and which threats they assist us in managing. In organizations where there is a high level of technical knowledge and understanding, end-users sometimes have questions about their daily work environment, especially when security tools might cause decreases in network bandwidth or similar. Usually, internal security teams do not share much with end-users about why certain solutions were selected. However, sharing information can lead end-users to be more responsible, and decrease Shadow IT initiatives where employees try to work around or bypass the daily security tools. This is also part of security awareness.
Lastly, my team at Check Point consists of 14-15 people, full-time, and we have another 10 security champions from parallel teams. With a team of 25 people, I can tell you that it’s more than challenging to keep one of the leading cyber security teams in the world secure, with more than 6,000 people around the world. We cannot win this fight alone. By continuously investing in security awareness, this is how we multiply our numbers.
The problem is that even if 99% of the organization behaves well security-wise, the bad guys need only one person to be tricked. That is why security is so important.