Building executive sponsorship for a robust and effective information security program requires a combination of talent and effort. As managers we execute a plan, as leaders we manage scarcity, and as executives we manage ambiguity. Enlist everyone by including everyone.
Table top exercises are a powerful security awareness tool that security professionals can wield in their pursuit of risk mitigation for the organizations in which they serve.
TSA table top exercises are a tailored live session designed to help board directors and executive leadership teams come up to speed on some of the things they can be expected to discuss and understand about incident response scenarios.
An executive table top exercise:
Helps elevate specific cybersecurity risks to execs
Represents a modest investment of time and cost
Generates momentum for remediation of gaps and technical debt
Counts as a BCP/DR activity for compliance and audit
Demonstrates the importance of depth of bench and “named delegates”
For more information about what works, check out the recording of "Delivering Effective Table Top Exercises" webinar from TSA's Mike Wilkes, Director of Cybersecurity Operations.
You can also simply contact us to set up a discussion for which type of executive education and training is right for your organization.
Critical Infrastructure Course
The Security Agency has created an executive-level course for owners and operators of critical infrastructure entitled "Cybersecurity Risk in Critical Infrastructure for Board Directors" that aims to bridge the information technology (IT) and operations technology (OT) domains from a governance perspective. This course is intended to help move a board director or senior executive from "cyber curious" towards "cyber aware" as it is foolish to think that executives can or need to become cybersecurity experts in order to provide proper governance of cybersecurity programs within their organizations. But modern governance of risk most definitely now includes management of cybersecurity threats and how to prioritize effective programs of mitigation.
The board of directors essentially needs to know enough about cybersecurity in the IT and OT domains in order to provide "effective challenge" when CISOs, FSOs (Facility Security Officers) and other information security professionals seek budget to implement controls and tools to address attacks from organized crime, nation states and (for better or for worse) bored teenagers.
The course topics include:
Systemic and Cognitive Risk
Governance of IT and OT Systems
Best Practices for Mitigation of Risk
Sustainable Resilience
Third-party Risk
Sign up here if you're interested in learning more about our 2 hour course "Cybersecurity Risk in Critical Infrastructure for Board Directors" which includes maritime OT examples of risks and threat mitigations.
Cybersecurity Awareness Training
At the end of the day it is the “wetware” (that gray matter between our ears) and not hardware or the software that is responsible for someone clicking on a link or responding to the urgent plea of an executive (impersonated or deep-faked) that results in malware being installed or credentials being compromised. We must acknowledge that humans are fallible and that poor judgment will sometimes occur. That said, money spent on cybersecurity awareness training is money well spent. In order to build up the “skepticism muscle” we must exercise it and train it. So the best way to decrease the risk to your organization of human error is to approach the concept of security awareness training with a carrot and not a stick (though there do seem to still be a few companies out there trying to fire their way to a more secure posture).
Our approach is to treat cybersecurity in a holistic manner, for it is not just when we’re sitting behind the keyboard of our company laptop or workstation that we need to exercise caution and care. We also need to practice cybersecurity awareness when we are on vacation, when we are visiting family for Thanksgiving and even when we step out to grab a coffee at the local cafe and check our messages.
In addition to executive table top exercises, TSA can deliver:
Cybersecurity Awareness Training - we can create custom training that is tailored to your industry and to the specifics of your company. Good cybersecurity training is engaging, relevant and fun if it is to be retained. If you have an existing service provider we can help to evaluate whether they are providing good value for the cost and take the decision to stick with them or migrate to another solution. If you need to procure a security awareness training capability there are several great options available. We can save you the time of performing lengthy PoC installations and instead perform a “paper-based” evaluation based on your needs.
We have worked with all of the major providers in this space and know their strengths and their weaknesses. We can help make sure you align your requirements around content, integration with your email service provider, ability to customize the tool and reporting capabilities. It is also important to avoid a “one-to-many” training technique. A role-based training program acknowledges that the finance team is not working with the same kind of sensitive information as the legal team. The job roles for HR and data engineering are also not identical and so the data handling training to keep these users from accidentally sharing files with unintended third parties or installing web browser extensions to help them do their jobs is also different. Each job function has a different scope of risk that can appear and expose the company to a data breach or disruption of business operations.
Depending on your budget and internal talent that can be allocated to creating content for your training, you might want to purchase a subscription with LinkedIn Learning or other providers. We are vendor-agnostic so you can trust that our advice will reflect our honest opinion about what is the right solution for your situation. We can also point you to high-quality content that has been open-sourced and can be imported into your LMS (Learning Management System) in SCORM format. Whether you have an in-house LMS or a SaaS-hosted LMS there are options for building a robust and effective training program. You might also want to consider bringing over other required annual training for anti-money laundering, sexual harassment training and other industry-specific or jurisdictional-based content. Delivering it on your LMS can actually save your business money by consolidating it and making compliance reporting easier.
Phishing / Smishing Testing - sending phishing tests (and SMS-based tests) to your employees, contractors and consultants on a regular basis (we recommend at least quarterly if not monthly) is a great way to inoculate them to the real phishing attacks that might make it through your email defenses. Generally, a user clicks on a phishing email for one of four reasons:
fatigue
curiosity
vanity
greed
Creating tests that simulate the kinds of real phishing attempts seen “in the wild” involves a combination of “click tests” and “credential harvesting” tests. The CTA (Call To Action) employed by the test should also be varied in order to gauge which user groups are most susceptible to each flavor of phishing.
A great KPI to track is not just the number of users who click on one of your tests, but with the introduction of a phishing reporting button you can also track the number of users who report those suspicious emails. In time, seeing more users report than fail the test is a great indicator that their skepticism muscle is being exercised. This is also especially effective at mitigating real risk when automation is implemented as part of the phishing reporting button that can pull similar unread emails from your colleague's inboxes when the reported email is not one of your tests. The potential outbreak of malware or compromise of multiple company user accounts is vastly reduced when the collective awareness and resilience of the team is encouraged and rewarded.
Just as security awareness training should not be “one-to-many” we also advocate selecting tools and preparing phishing and smishing tests that deliver different test scenarios to different user groups and departments. A member of the legal team is much more likely to click on an email purporting to be from a local or state court with a notice to appear in a litigation than someone from the customer support team. Similarly, because customer support teams are generally predisposed to solving problems and helping users with technical glitches is the reason that threat actors successfully target these users with simple but effective social engineering attacks.
If you are unhappy with your current phishing testing solution let’s talk about why and discuss alternatives. If you need TSA to run these tests for you as a managed service we are ready and able. We will help you consider the perennial “build or buy” question and document the criteria that were evaluated. Why? So that it can be reviewed again in the future so you don’t have an Alexander Hamilton “in the room where it happened” effect. Nobody will be confused or be able to second-guess the vendor selection decision when it is clearly documented. If and when the relevant parameters and goals of the phishing testing program change then it becomes easier to decide to remain on the same platform/solution, migrate to a COTS (Commercial Off The Shelf) product or migrate to an open-source solution. Each has its place depending on the maturity of the organization, skills and interests of your infosec team and susceptibility of your users to failure behaviors.
