Hosted by Exabeam Chief Security Strategist Steve Moore, a former IT security leader himself, The New CISO podcast invites chief information security officers to give us their take on cybersecurity trends, what it takes to lead security teams and what it takes to be a CISO today.
If we truly believe that employees are our first line of defense against attacks, like phishing, credential theft, and business email compromise, we need their active participation. But when it comes to driving the right behavior, negative reinforcement only goes so far.
How do we get our coworkers to buy into the idea that security truly starts with them, keep them on high alert to identify risky situations, and empower them to make wise security decisions without fear and without slowing down the business?
In this episode, Steve speaks to David Tyburski, the CISO at Wynn Resorts, about the effectiveness of merely training staff in security best practices versus actually educating them as a means of engendering an understanding of “the why” and not just the “what”.
A security team of one
David, who was charged with building the security team at the Wynn nine years ago, talks about the challenges of creating a team from scratch. In the beginning, it was just him … there are some things he would go back and tell his younger self to do.
“If I was going to tell myself, I’d say spend more time on the use case so we know how to use it instead of just getting it done. Understand not just the reason you want it but how you’re really going to use it, what you expect from it, what are you going to put into it, and what do you expect to get out of it.”
Security training vs. education: is it a cop-out?
At The New CISO podcast, we try to keep things as informal as possible and encourage guests to speak their mind, something David had no problem doing. On the topic of security training versus education, and when asked whether he thinks the current way we train non-security staff might be a cop-out, he didn’t hesitate.
More often than not, businesses are made up of everyone except security professionals. Most people you’ll come across aren’t experts in how to spot a phishing attempt or best practices for preventing insider threats.
“What bothers me is that we’re attempting to teach non-security professionals to be security professionals. They have backgrounds that are varied from us. They don’t spend their time looking at security incidents or reading up on security articles, but they’re extraordinarily talented people in other ways.”
The way we’re going about training – again, versus education – itself seems to have become almost a means of simply ticking a box and passing it off.
“I even heard of an organization where if you become susceptible to a phish three times, you basically lost your job. That’s got to be the wrong way to handle it. We have to educate people, but it’s our responsibility to put in better processes, better tools, better functionality to protect them as opposed to saying, ‘You’ve got to learn how to be a security professional. You’ve got to learn how to do all the things that I can do and do your day job.’”
Ultimately, according to David, if your objective is to reduce malware in your environment, then training people the way we seem to want to is a negative reinforcement model that simply gets to the point, if you take it to its extreme, that everybody says, “Well, I’m just not going to open anything.”
You can reduce the number of security incidents, but the question is not necessarily whether you reduce them. The real question is, what business did you sacrifice because of that reduction of incidents?
Rounding off the conversation, and by no means a punt of the Wynn – although we’re dubious as to whether this isn’t a biased answer – David didn’t hesitate when asked where you can find the best sushi in a town known for its food.
Mizumi at the Wynn … of course.
Have a topic or guest you’d like to see featured on The New CISO? Email us at email@example.com