A cyber professional needs their staff, non-IT workers, and the board to take certain actions to achieve the goals of their security program. Should a CISO use the hacking mindset on their own people?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Yael Nagler (@MavenYael), consultant.
Got feedback? Join the conversation on LinkedIn.
Thanks to this week’s podcast sponsor, Anomali
On this episode of Defense in Depth, you’ll learn:
- Employee hacking is an effort to get employees to do what you need them to do in order to pull off your security program
- There’s a grand debate as to whether you should be hacking employees (use the tools you’ve got) or working with them (don’t trick).
- Many listeners likened this motivation technique to be no different than sales persuasion methods. But these methods are focused on getting individuals to take a single action, to purchase. This is not the case for a CISO who must change a wide ranging set of behaviors that are often not connected to individual desires.
- To complicate matters even more, a CISO must sell a process and culture change, NOT a product. It’s not easy to change human behavior.
- Manipulation is a tainted word. You need to respect differences and find a common ground to motivate employees to show concern to want to stay with a security program.
- One way to get people to care about security is to internally explain what do big security news items have to do with your business and how a similar breach could or couldn’t happen to your business.
- While you’re trying to win someone over, it’s not a selfish interest. It’s of interest to the individual and the company. It’s just the individual has to understand why they’re changing behavior and see value in making that change.
Creative Commons photo credit to Flickr user Josh McGinn.