Steve Durbin is Chief Executive of Information Security Forum. He is a frequent speaker on the Board’s role in cybersecurity and technology.
Cybersecurity is finally getting the importance and attention it deserves. CSOs and CISOs no longer have to convince their boards with proof-of-concept exploits. Cybersecurity incidents are all over the news, and business leaders have realized what is truly at stake. It is not just a matter of regulatory fines or temporary operational glitches—the resulting reputational and trust damage with customers can very well shut down a business entirely.
Still, the growing cybersecurity awareness has not necessarily made it easier for CISOs to secure the funds they need. The ongoing economic uncertainty and skills shortage mean that many security teams remain under-resourced and under-financed. In these circumstances, it is important that CISOs identify their top priorities and redirect their cybersecurity efforts and resources to what really matters.
AI takes the lead in the cyber space.
Artificial intelligence (AI) has always been a critical area in cybersecurity because of just how complicated and data-intensive modern digital environments are. Cloud security depends heavily on AI-powered real-time threat analysis and detection. Security teams and tools have enough data to derive intelligence and insights based on AI-enabled behavioral analytics and contextual awareness. For instance, to detect fraudulent access attempts, many companies rely on AI algorithms that analyze current user behavior against pre-established behavioral baselines for the particular user or user role.
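As an added illustration of the baseline comparison described above (example code written for this page, not from the author or the Information Security Forum): a minimal per-user behavioral baseline with a per-role fallback for users who have too little history yet, scored against a new login attempt. The login history, feature weights, alert threshold and minimum-history cutoff are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of past successful logins: (user, role, hour, country, device).
HISTORY = [
    ("alice", "finance", 9, "US", "lap-01"), ("alice", "finance", 10, "US", "lap-01"),
    ("alice", "finance", 14, "US", "lap-01"), ("alice", "finance", 8, "US", "phone-01"),
    ("alice", "finance", 17, "US", "lap-01"), ("alice", "finance", 11, "US", "lap-01"),
    ("bob", "finance", 9, "US", "lap-02"), ("bob", "finance", 13, "CA", "lap-02"),
    ("bob", "finance", 10, "US", "lap-02"), ("bob", "finance", 15, "US", "lap-02"),
    ("bob", "finance", 9, "CA", "lap-02"), ("bob", "finance", 16, "US", "lap-02"),
    ("carol", "finance", 9, "US", "lap-03"),   # new hire: only one login so far
]

WEIGHTS = {"country": 3, "device": 2, "hour": 1}   # assumed: how surprising each novelty is
ALERT_THRESHOLD = 3                                  # assumed: score at/above this is flagged
MIN_HISTORY = 5                                      # assumed: logins needed to trust a user baseline

def _new_profile():
    return {"n": 0, "country": Counter(), "device": Counter(), "hour": Counter()}

def build_baselines(history):
    """Count feature values per user and per role from past logins."""
    users, roles = defaultdict(_new_profile), defaultdict(_new_profile)
    for user, role, hour, country, device in history:
        for profile in (users[user], roles[role]):
            profile["n"] += 1
            profile["country"][country] += 1
            profile["device"][device] += 1
            profile["hour"][hour] += 1
    return users, roles

def score_login(users, roles, user, role, hour, country, device):
    """Return (score, basis, reasons); basis says which baseline was compared against."""
    profile, basis = users.get(user), "user"
    if profile is None or profile["n"] < MIN_HISTORY:
        profile, basis = roles[role], "role"   # fall back to the peer-group (role) baseline
    observed = {"country": country, "device": device, "hour": hour}
    score, reasons = 0, []
    for feature, value in observed.items():
        if profile[feature][value] == 0:       # never seen before for this user/role
            score += WEIGHTS[feature]
            reasons.append(f"unseen {feature}={value}")
    return score, basis, reasons

def is_suspicious(users, roles, *event):
    return score_login(users, roles, *event)[0] >= ALERT_THRESHOLD
```

Real deployments replace the "never seen" test with frequency-based scoring and decay old history, but the structure (per-user baseline, peer-group fallback, weighted deviations, a threshold) is the same.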
However, the power of AI cuts both ways.
The emergence of generative AI, especially, has both good and dire consequences in cybersecurity. On the one hand, it can be used to understand emerging threats and predict future threats based on existing threat intelligence. Security teams can use AI-generated modules and exercises to train employees and improve the company’s security posture.
On the other hand, cybercriminals are already actively using AI to generate hyper-realistic deepfakes and virtually undetectable phishing campaigns. The challenge here is to realize the full potential of AI and how it can be used and abused. This is crucial not just for businesses but also for regulatory bodies that often tend to lag behind bleeding-edge technologies.
Cloud security is a collective responsibility.
A common misunderstanding is that data stored in the cloud automatically becomes the cloud provider’s responsibility. In reality, the data a business generates or collects remains its responsibility regardless of where it resides.
CSPs (cloud service providers) have taken extensive measures to ensure data security and regulatory compliance for their customers. However, the onus of a potential breach will eventually fall on the business. Businesses have to hold themselves accountable for the security of their data and cloud environments, especially since their users and employees often have a key role in data leaks and breaches.
Considering how prevalent AI is, businesses cannot rely on basic phishing awareness to combat modern security threats. I suggest they focus on human-centered security and look at the element of human psychology in their cybersecurity efforts if they hope to stand any chance of cracking the security nut.
Cybersecurity training must evolve to engage employees.
People are at the heart of security. One way to adopt a human-centered approach to cybersecurity is to focus on meaningful and hands-on cybersecurity training programs. Typically, businesses view cybersecurity training as an annual or bi-annual task. That is not nearly enough, since people encounter these threats multiple times each day, and threats evolve at a pace much faster than that.
Instead of infrequent training, I recommend that security teams and their leaders focus on engaging employees on a regular basis to help them understand the threat landscape and their security posture. This could mean something as simple as reinforcing the security best practices for a particular scenario, such as data sharing, while an employee is taking a particular action. It can help employees understand their mistakes and take corrective measures right away.
In my experience, contextualizing security training and breaking it into micro-lessons can better engage employees and help them retain all the security-related information that would otherwise be forgotten.
CSOs must respond empathetically to human error, even if it can potentially compromise security. Turn it into a teaching moment instead. Additionally, companies can also engage their employees through appreciation and positive reinforcement. Recognize employees when they follow security best practices and evade security threats, and turn it into an opportunity to motivate and spread awareness across the entire enterprise.
Boost security through employee engagement and proactive technology.
AI is expected to have an even more significant impact on cybersecurity. As businesses become more aware and patch basic entry points, the threats are bound to become more sophisticated. The solution is to constantly strive to be a step ahead of the evolving threats. It’s important for CISOs to implement the latest security tools and technologies, including AI, and demonstrate a willingness to teach and learn with empathy and positivity.
The concept of ongoing, contextualized security training may sound complex, but it is the need of the hour. That is the best way CISOs can empower employees and protect their data and systems from cyberattacks.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders.