The CEO Cybersecurity Challenge

It is with thanks to Chad Loder that I write this blog. His post on LinkedIn made me laugh out loud and is what inspired me to propose the CEO Cybersecurity Challenge (#ceocybersecuritychallenge). The very simple post was:

From: Security Team
To: All Employees
Subject: Security Awareness Training

To opt out of this year’s security training, click here.

Security experts will instantly see the simple genius of this social engineering tactic. In just 10 words you get:

  1. Proof that the CEO doesn’t care [enough] about securityThe CEO is ultimately responsible and accountable for the culture of an organisation. If the security culture is piss-poor, it’s their fault and no one else’s;
  2. An understanding of which employees [likely] care little for securityif they go out of their way to AVOID taking security training, that’s bad;
  3. An indication that your security awareness training program needs some serious revampingIt is inappropriate to the industry sector/region? Is it too long or too short? Is it unbearably boring?;
  4. A definitive indication of the prevailing security cultureEvery organisation has a security culture, no matter how pitiful. Trying to get out of security awareness training is the symptom of the wrong culture;
  5. An indication of how vulnerable the organisation isSecurity is about people, process, and technology, in that order. If the people don’t care, no process(es) and certainly no technology(ies) is/are going to keep you out of trouble.

Think about it for a second; You’re an employee for a company where you; 1) had significant security and policy training as part of your on-boarding, 2) undergo mandatory and monitored security training every year, 3) receive several ad hoc emails throughout the year related to significant changes in the threat landscape, 4) have continual improvement in security as an individual KPI, and 5) KNOW the CEO takes a very active role in the promotion of a good security culture:

Would you DARE try to get out of it, or would you immediately assume it’s either a joke or some kind of a test?

Seems ridiculous when it put it this way, but I’m willing to go out on a limb and say that 75% of employees globally would click that link because none of the above in place.

So, to the challenge:

  • If you’re a CEO it’s simple, have your security team (or IT team if you don’t have a dedicate in-house security resource) send out an email with a link to opt-out of security awareness training and track the results;
  • If you’re anyone else, try to get the CEO to do 1. above. You could even sell it as a social engineering test as part of your risk management processes.

First, lay the ground rules. Something like this:

Step 1: If the opt-out response rate is less than 25%, congratulate your employees, if over 25% go to Step 2;
Step 2

The fixes could not be simpler, and unless you love throwing best of breed technology at your problems the fixes should also be cheap:

  1. CEO – Get off your arse and take security seriously, even if you’re only pretending. Send out a few emails stating the equivalent of 1) you DO care, 2) you ARE watching, and 3) there WILL be consequences for anyone not doing as they are told;
  2. C-Level – Put a Governance framework and security policies in place to baseline everyone’s subsequent behaviour;
  3. Departmental / LoB Heads – Be the security champion of your little empire, you’re the one that most people have more direct access to and are more prone to emulate;
  4. Managers – Make sure EVERY direct report has everything they need to actually do the things you’re holding them accountable for;
  5. Everyone else – You are just as guilty as everyone above you, you KNOW security is important and you should accept personal accountability for your continued ignorance.

This whole thing may sound flippant, but the concept is actually very powerful. In the same way that a risk assessment can be simplified into “What scares the sh*t out you?”, the challenge above gets you directly to the ROOT CAUSE of your security problems!

Your people.

[If you liked this article, please share! Want more like it, subscribe!]

If you think I'm wrong, please tell me why!

This site uses Akismet to reduce spam. Learn how your comment data is processed.