The Golden City is known for its progressive approach and innovative technology. Michael Makstman, CISO for the City & County of San Francisco, decided to challenge the old paradigm of cybersecurity awareness training and promote an employee-centric cybersecurity culture.
On December 5th, Makstman joined CybeReady’s Head of Product for a live discussion and shared how San Francisco’s positive training approach, combined with advanced automation, motivates over 30,000 employees to take an active role in mitigating cyberattacks.
Watch the Live Talk here.
The Security Awareness Challenge
We opened the Live Talk by asking what the primary challenges facing CISOs today are. Makstman named three:
- Security teams are understaffed and carry ongoing operational tasks, all of which are urgent and essential for keeping the organization safe
- Employees are focused on their own professional development and KPIs, and see cybersecurity training as “one more thing”
- Workforce dynamics such as employee turnover and remote work introduce additional risk and uncertainty through new, untrained employees
According to Makstman, the role of a CISO is no longer limited to the technology aspects of an IT environment. As part of a larger ecosystem, CISOs must be part of the business and understand both employees and the people the organization serves in order to make better-informed decisions. That includes looking at business service aspects, understanding employees, and weighing the potential ramifications throughout the decision-making process.
When it comes to security awareness training, the CISO’s challenge is amplified. Cybercrime is escalating, and so are the attacks employees face. Organizations must embrace change to address these evolving challenges and create a new, culture-based approach to training.
“Engaging with employees may be one of the most important efforts when addressing cybersecurity concerns,” said Makstman. “There’s never been a more important time to educate and train your staff to be cyber aware.”
Because training different employees on different attack vectors at different locations is complex, Makstman’s approach is to find a way to reduce the administrative burden while still providing personalized training.
“We need to focus on alleviating the administrative effort and have smart automation that will personalize training,” he said. “The CISO’s plate is full. Trying to do more of the same is a recipe for disaster, because you will run out of resources.”
Building Cybersecurity Culture
We asked Makstman what CISOs should do to start building a cybersecurity culture. He suggested the following:
- Define your KPIs – set measurable goals you can work towards, and choose a solution that lets you track progress over time
- Set employees up for success – a positive training approach with immediate feedback is key to success. In addition, training sessions should be short and embedded in employees’ workday to generate quick, rewarding engagements
- Communicate continuously – conducting the training in ongoing cycles creates multiple opportunities for engagement and, at the same time, yields multiple data points for adapting the training to each employee’s performance.
When it comes to feedback, Makstman believes there’s no room for judgment or penalty: “Don’t reprimand employees for making mistakes during their training; understand that this is a process in which they are supported, as employees must trust the CISO to be on their side.”
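To make the three suggestions above concrete (measurable KPIs tracked over cycles, data points that adapt the next cycle to each employee, and feedback that supports rather than penalizes), here is an added worked example. It is not code from CybeReady or the City & County of San Francisco; the simulation results, the employee roster, the lesson level names and the cadences are all constructed assumptions for illustration. The script computes organization-level click and report rates per cycle, then derives a per-employee plan for the next cycle that only changes lesson level and cadence, never recording a penalty.

```python
"""Added example (not CybeReady's or CCSF's code): awareness-program KPIs per
training cycle plus a supportive, per-employee plan for the next cycle."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CycleResult:
    """One employee's outcome in one phishing-simulation cycle."""
    cycle: int
    employee: str
    delivered: bool   # False if on leave or not yet onboarded that cycle
    clicked: bool     # opened the simulated lure
    reported: bool    # used the report-phish button


# Constructed sample data, not real results from any organization.
ROSTER = ["alice", "bob", "carol", "dave", "erin"]  # erin: new hire, no history yet
SAMPLE_RESULTS = [
    CycleResult(1, "alice", True, True, False),
    CycleResult(1, "bob", True, False, True),
    CycleResult(1, "carol", True, False, False),
    CycleResult(1, "dave", True, True, False),
    CycleResult(2, "alice", True, False, True),
    CycleResult(2, "bob", True, False, True),
    CycleResult(2, "carol", True, False, False),
    CycleResult(2, "dave", True, True, False),
    CycleResult(3, "alice", True, False, True),
    CycleResult(3, "bob", True, False, True),
    CycleResult(3, "carol", False, False, False),  # not delivered this cycle
    CycleResult(3, "dave", True, False, False),
]


def cycle_kpis(results):
    """Organization-level KPIs per cycle: click rate and report rate over the
    lures actually delivered. These are the measurable goals to track over time."""
    counts = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    for r in results:
        if not r.delivered:
            continue
        c = counts[r.cycle]
        c["delivered"] += 1
        c["clicked"] += int(r.clicked)
        c["reported"] += int(r.reported)
    return {
        cycle: {
            "click_rate": round(c["clicked"] / c["delivered"], 3),
            "report_rate": round(c["reported"] / c["delivered"], 3),
        }
        for cycle, c in sorted(counts.items())
    }


def next_cycle_plan(results, roster, window=3):
    """Per-employee adaptation from the last `window` delivered cycles.
    Only the lesson level and cadence change; nothing punitive is recorded.
    Level names and cadences are illustrative assumptions."""
    history = defaultdict(list)
    for r in sorted(results, key=lambda r: r.cycle):
        if r.delivered:
            history[r.employee].append(r)
    plan = {}
    for emp in roster:
        recent = history[emp][-window:]
        n = len(recent)
        clicks = sum(r.clicked for r in recent)
        reports = sum(r.reported for r in recent)
        if n == 0:
            level, cadence = "onboarding", 7     # new or untrained: start right away
        elif clicks >= 2 or (clicks >= 1 and reports == 0):
            level, cadence = "foundation", 7     # short, frequent micro-lessons
        elif reports == n:
            level, cadence = "advanced", 30      # consistent reporters: lighter cadence
        else:
            level, cadence = "standard", 14
        plan[emp] = {"level": level, "cadence_days": cadence,
                     "recent_clicks": clicks, "recent_reports": reports}
    return plan


if __name__ == "__main__":
    for cycle, k in cycle_kpis(SAMPLE_RESULTS).items():
        print(f"cycle {cycle}: click_rate={k['click_rate']} report_rate={k['report_rate']}")
    for emp, p in next_cycle_plan(SAMPLE_RESULTS, ROSTER).items():
        print(f"{emp}: {p['level']} lesson every {p['cadence_days']} days")
```

The report rate is tracked alongside the click rate because a rising report rate is the clearest signal that employees are taking the active role the talk describes; the per-employee plan uses a short window so that one early mistake stops influencing the cadence once a few good cycles follow it.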
Personalized Training at Scale
Makstman believes the only way to bridge the gap between the evolving threat landscape, which requires more intensive training, and the IT resource shortage is automation.
The City & County of San Francisco has been using CybeReady’s fully automated security awareness training solution for the past three years, allowing more effective training of the city’s workforce of 30,000 employees without adding administrative burden to the City’s IT teams.
“We are delivering personalized training at scale,” Makstman said. “Because employees don’t have the patience for another impersonal message, it’s really about delivering the right message at the right time to the right person.”
CybeReady’s Head of Product, Michal Gil added: “CISOs today have a lot on their plate. Training employees can be a tedious task if the wrong path is taken, which often results in training taking a backseat to other activities. Having a highly automated security awareness platform that communicates continuously and ensures progress is the preferred direction for CISOs today.”
Michal Gil shared the following resources to help cybersecurity leaders build an effective cybersecurity awareness program:
- The CISO Toolkit – short decks with easy tips to help employees stay cyber-safe.
- The Phishing Simulations Playbook – ten best practices for building an effective phishing simulations and learning program
Ready to deploy a resource-free security awareness training program that generates behavior and culture change? Request a demo with one of our experts and find out more.