Tactics and Metrics CISOs Can Use To Drive and Measure Cyber Security-Aware Behaviors Throughout Their Organization
An organization-wide cyber-aware culture is necessary for CISOs to succeed in protecting an organization. In this post, we outline some of the top metrics and tactics that help CISOs and security leaders encourage healthy cyber practices and gain confidence in their cybersecurity program.
1. Training
Talking openly about risk helps create a cybersecurity-aware culture. CISOs should define the organization's cybersecurity processes so that they can be documented and shared. When sharing them, explain the reasoning behind each policy so people understand why the practice matters: these practices protect the business financially, operationally, and reputationally. By continuously communicating how a breach can occur and why the controls exist, CISOs build awareness across the organization. The hoped-for result is that people ask good questions and apply their training in their day-to-day behavior.
Metric for Training:
Percent of Users Who Completed Training Assignments On Time measures the share of users who complete assigned training before its due date. Users who do not complete their security awareness training may not know the current best practices or what they should be doing to protect the organization from cyber threats, so a low completion rate can indicate an undertrained employee base. Track it per team as well as organization-wide, since a single late department can hide behind a healthy overall number.
2. Phishing Simulations:
CISOs can promote cybersecurity awareness with simulated phishing emails. Practice emails familiarize employees with what to do when they face an actual phishing attempt and reinforce the habit of staying vigilant. Periodic training supplies the information and phishing simulations supply the real-world experience; together they encourage a security-first mindset. Over time, employees become more skilled at detecting phishing emails, and this can be measured by tracking their success rate across campaigns. If certain employees are consistently unsuccessful, note it, give them additional training, and reevaluate whether the access their accounts hold matches the risk they represent.
Metrics for Phishing Simulations:
Phishing Simulation Click Rate measures the percentage of recipients who clicked the link in a simulated phishing email. Users who click may not have been trained on how to spot a malicious email, which puts company assets at risk. Count unique users rather than raw clicks, and exclude clicks generated by email security gateways that pre-fetch links, or the rate will be inflated.
Phishing Simulation Reporting Rate measures the percentage of recipients who reported a simulated phishing email through the organization's reporting channel. Users who consistently report simulated phishing are most likely up to date on their awareness training and capable of identifying real threats. Of the three phishing metrics this is the one you want to rise, and it is the better long-term indicator: a user who reports a phish gives the security team a chance to act on it.
Phishing Simulation Data Surrender Rate measures the percentage of recipients who entered data (typically credentials) into the landing page behind a simulated phishing link. This is the most severe outcome a simulation can record: in a real attack those credentials would now be in the attacker's hands, so any user who surrenders data needs immediate follow-up, and the rate should always be reported alongside the click rate rather than folded into it.
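Here is a worked example, added for this post and not part of the original text or of any vendor's product, of how the three phishing metrics above are computed from a campaign export. The event records, campaign names and user names are constructed; a real phishing platform export carries the same kinds of events (delivered, clicked, submitted, reported) under its own field names. The example counts unique users per campaign, so a user who clicks twice is counted once, and it flags repeat clickers across campaigns, which is the signal the tactic section suggests acting on.

```python
from collections import defaultdict

# Constructed sample export. Each record is (campaign_id, user, event);
# event is one of "delivered", "clicked", "submitted" (data surrendered), "reported".
# A user may have several events in one campaign (e.g. dave clicks, then reports).
EVENTS = [
    ("2024-Q1", "alice", "delivered"), ("2024-Q1", "alice", "reported"),
    ("2024-Q1", "bob", "delivered"), ("2024-Q1", "bob", "clicked"), ("2024-Q1", "bob", "submitted"),
    ("2024-Q1", "carol", "delivered"), ("2024-Q1", "carol", "clicked"),
    ("2024-Q1", "dave", "delivered"),
    ("2024-Q2", "alice", "delivered"), ("2024-Q2", "alice", "reported"),
    ("2024-Q2", "bob", "delivered"), ("2024-Q2", "bob", "clicked"),
    ("2024-Q2", "carol", "delivered"), ("2024-Q2", "carol", "reported"),
    ("2024-Q2", "dave", "delivered"), ("2024-Q2", "dave", "clicked"), ("2024-Q2", "dave", "reported"),
]


def campaign_metrics(events):
    """Per-campaign click, report and data-surrender rates as percentages of unique recipients.

    Denominator is the set of users the email was delivered to; numerators are
    sets of users, so repeated clicks by one user do not inflate the rate.
    """
    per_campaign = defaultdict(lambda: defaultdict(set))
    for campaign, user, event in events:
        per_campaign[campaign][event].add(user)

    results = {}
    for campaign, by_event in per_campaign.items():
        delivered = by_event["delivered"]
        total = len(delivered)

        def pct(users):
            # Only count users who actually received the email.
            return round(100.0 * len(users & delivered) / total, 1) if total else 0.0

        results[campaign] = {
            "click_rate": pct(by_event["clicked"]),
            "report_rate": pct(by_event["reported"]),
            "surrender_rate": pct(by_event["submitted"]),
        }
    return results


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    campaigns_clicked = defaultdict(set)
    for campaign, user, event in events:
        if event == "clicked":
            campaigns_clicked[user].add(campaign)
    return sorted(u for u, c in campaigns_clicked.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    for campaign, m in sorted(campaign_metrics(EVENTS).items()):
        print(campaign, m)
    print("repeat clickers:", repeat_clickers(EVENTS))
```

Note that dave in the second campaign counts toward both the click rate and the reporting rate; that is deliberate, because "clicked but then reported" is a much better outcome than "clicked and said nothing" and both facts should remain visible.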
3. Multi-Factor Authentication (MFA) and Strong Password Requirements:
To drive behaviors like enrolling in MFA and choosing strong passwords, use reminders first, then accountability, and, if the situation requires it, revoking access. Reminders work well with most employees, especially in an organization that is already cybersecurity aware. If reminders do not work, CISOs can hold people accountable, for example with a dedicated group chat message naming those who have yet to fulfil their cyber responsibilities. Revoking access to a system is harsh and a last resort, but it is good for a CISO to have in their arsenal. Wherever the identity provider supports it, enforce MFA through policy rather than relying on voluntary enrollment, so that the metrics below measure exceptions to the rule rather than the rule itself.
Metrics for Multi-Factor Authentication (MFA) and Strong Password Requirements:
Percent of Users Without MFA Enabled measures the percentage of all user accounts that do not have MFA. A high percentage puts the organization at high risk: those accounts are far more vulnerable to takeover by malicious actors, which can lead to data breaches and total business disruption.
Percent of Privileged Users Without MFA Enabled measures the same thing restricted to privileged accounts (administrators, service owners, anyone with elevated rights). The risk from an unprotected privileged account is much greater than from a standard one, so this number should be driven to zero before the organization-wide number is considered.
Percent of Non-Privileged Users with MFA Bypass measures the percentage of non-privileged accounts that carry an MFA bypass status. Accounts with bypass are allowed to ignore the organization's MFA policy, which makes them as exposed as accounts with no MFA at all. A high percentage could indicate misconfigured access policies or exceptions granted for convenience and never revoked; review each bypass for a documented justification and an expiry date.
Percent of Users with Weak Passwords measures the percentage of all user accounts whose passwords are weak (short, guessable, or found in breach lists). A high percentage could indicate a poor password policy and leaves those accounts at high risk of compromise, giving malicious actors an opportunity to establish a foothold in the network that can lead to data breaches and potentially total business disruption.
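As an added example, not from the original post or from any product, the following computes the four MFA and password metrics above from a constructed identity-provider export. The user records, the breached-password set and the field names are all assumptions; a real export would come from the IdP's user API plus a password audit tool. The weak-password check compares SHA-1 hashes against a breached-hash set rather than handling plaintext, which is the form the Have I Been Pwned "Pwned Passwords" list uses. It also adds one derived metric the post does not list, effective MFA coverage, which treats a bypass as equivalent to having no MFA, and a short list of the privileged accounts to fix first.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the format used by HIBP Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breached-hash set. In practice this is the offline Pwned Passwords
# file, or the output of a password audit tool that has already done the matching.
BREACHED_SHA1 = {sha1_hex(p) for p in ("Password123", "Summer2024!", "Welcome1")}

# Constructed user export. Field names are assumptions; map your IdP's fields onto them.
USERS = [
    {"user": "alice", "privileged": True,  "mfa_enabled": True,  "mfa_bypass": False, "pw_sha1": sha1_hex("c0rrect-h0rse-battery")},
    {"user": "bob",   "privileged": True,  "mfa_enabled": False, "mfa_bypass": False, "pw_sha1": sha1_hex("Password123")},
    {"user": "carol", "privileged": False, "mfa_enabled": True,  "mfa_bypass": True,  "pw_sha1": sha1_hex("x9!Lq2#vT7pW")},
    {"user": "dave",  "privileged": False, "mfa_enabled": False, "mfa_bypass": False, "pw_sha1": sha1_hex("Summer2024!")},
    {"user": "erin",  "privileged": False, "mfa_enabled": True,  "mfa_bypass": False, "pw_sha1": sha1_hex("Welcome1")},
]


def pct(numerator: int, denominator: int) -> float:
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def has_effective_mfa(u: dict) -> bool:
    # A bypass means the MFA policy is not applied, so the account is not really covered.
    return u["mfa_enabled"] and not u["mfa_bypass"]


def mfa_password_metrics(users, breached):
    """The four metrics from the post plus effective MFA coverage, as percentages."""
    privileged = [u for u in users if u["privileged"]]
    non_privileged = [u for u in users if not u["privileged"]]
    return {
        "pct_users_without_mfa": pct(sum(not u["mfa_enabled"] for u in users), len(users)),
        "pct_privileged_without_mfa": pct(sum(not u["mfa_enabled"] for u in privileged), len(privileged)),
        "pct_nonprivileged_with_bypass": pct(sum(u["mfa_bypass"] for u in non_privileged), len(non_privileged)),
        "pct_users_weak_password": pct(sum(u["pw_sha1"] in breached for u in users), len(users)),
        # Derived metric, not in the post: counts bypass as "no MFA".
        "pct_users_without_effective_mfa": pct(sum(not has_effective_mfa(u) for u in users), len(users)),
    }


def privileged_accounts_to_fix_first(users, breached):
    """Privileged accounts lacking effective MFA or using a breached password."""
    return sorted(
        u["user"] for u in users
        if u["privileged"] and (not has_effective_mfa(u) or u["pw_sha1"] in breached)
    )


if __name__ == "__main__":
    for name, value in mfa_password_metrics(USERS, BREACHED_SHA1).items():
        print(f"{name}: {value}%")
    print("fix first:", privileged_accounts_to_fix_first(USERS, BREACHED_SHA1))
```

Run this against a fresh export on a schedule and keep the history: the trend of each percentage over time is what tells a CISO whether reminders, accountability and policy enforcement are actually working.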
Automate The Process
Metrics are very useful but can be time-consuming to collect manually, and even more so if they are to be collected regularly. This is where the right technology can speed up the process, which is why we incorporate all of the Training and Awareness metrics above, and more, in our Cybersecurity Management platform.