FEATURE: CYBERSKILLS
despite not being sophisticated, many
organisations are likely to fall victim to them.
For any organisation, it is important to have
someone at a senior level with the right level
of contextual awareness – a combination
of technical and business acumen – to
ensure that information risk is appropriately
considered and decisions are made in a
responsible and informed fashion. When an
attack happens, they can then ensure that
the response minimises the impact to the
business. The ideal candidate for this role is
someone who is on the board and can act as
the champion for information/cybersecurity.
This can be the CISO or CSO, or a non-exec
member who is an expert in this field.

Training the rest of the business

Beyond the board, there are other
cybersecurity skills that organisations may
require. The first challenge is identifying them.
One issue with gap identification is the lack
of awareness that there is a gap – i.e. getting
the rest of the business on board when it
comes to security. It is a situation where the
lack of awareness makes it hard to convince
people that there is a need for better
expertise. This is known as the ‘bootstrap
problem’. The way out is a good awareness
campaign, starting with the decision makers
(to ensure that the wider staff will be
motivated to take the training seriously).
On the subject of awareness, as with
anything, you’re only as strong as your
weakest link. An organisation can put in
place the best security policies, for example,
but if staff don’t adhere to them, it will
remain exposed. In order to overcome this,
you must educate the wider company in
an effective and straightforward manner.
In-house security teams have infinitely
more knowledge than the rest of the business
and can be leveraged for this task. When
designing your own training, it’s important
not to overwhelm colleagues. Instead, show
practical examples of the threats a person
will face in their specific role and what they
can do about them, such as top tips to spot a
phishing attack. Make it completely relevant
and completely actionable; this isn’t a
theoretical subject! For their part, security
teams also have a lot to learn about the
wider business, so it’s important to establish
two-way communications with colleagues in
other departments.

Bridget Kenyon, Global CISO, Thales

Marketing also needs to be taken into
consideration here, namely how the
56 INTELLIGENTCIO www.intelligentcio.com