How do you feel about the phrase “easy cybersecurity?” If you’re like most security professionals, the phrase probably makes you feel nervous. You might feel that “easy” means sloppy and inconsistent. There’s a different way to look at it. When you adopt easy cybersecurity for end-users, you end up protecting the organization more effectively.
Why Easy Cybersecurity Matters to Your Success
When you spend years of effort earning cybersecurity certifications, you have expert knowledge. That means you can speak intelligently and analyze security problems in great depth. For your day-to-day work, that level of expertise is an asset. However, your knowledge can only go so far. What about the other people in your organization? Most of them have no particular security expertise. For most business end-users and managers, cybersecurity measures are a chore that keeps them away from their core job responsibilities.
If only you embrace easy cybersecurity practices, you’re going to face a punishing task. Getting people to learn complicated cybersecurity terminology and tools is simply unlikely to work. Fortunately, there’s a better way.
Your Step-by-Step Plan for Easy Cybersecurity for Managers
Take this plan as a starting point to help your managers succeed with security. In this case, we made one assumption: that you’re already perceived as a trustworthy cybersecurity expert within your company. If you’re not seen in that light right now, you need to reach out to managers and find out how you can better support them.
1. Define Your Goals for Cybersecurity Managers
Stephen Covey wrote in “The 7 Habits of Highly Effective People”: Start with the end in mind. That’s a good principle to start with as we build out this process.
Write out the goal you want to achieve with promoting easy cybersecurity for managers. Here are a few suggestions to help get you started:
- Managers complete 95% of their quarterly cybersecurity tasks on time.
- Managers know how to answer most employee questions about cybersecurity.
- Managers earn an 80% or higher grade on a “cybersecurity for business” test.
- Managers know how to apply the principle of least privilege in reviewing access requests.
2. Assess Their Current Cybersecurity Practices
Before you demand change, find out what your business managers are doing right now. You can find the answers using a formal survey or a few conversations. Use these questions to assess their knowledge and practices.
- Have you encountered a phishing email?
- Do you or your employees have any inactive user accounts? To get up to speed on the risks of inactive user accounts, read our post: Stopping Inactive User Account Risk Fast.
- Have you reused passwords across more than one system?
- What do you see as your role in the company’s cybersecurity program?
3. Implement Cybersecurity Automation and Elimination Improvements
This is the critical step in delivering easy cybersecurity! By analyzing your goals (step 1) and current practices (step 2), you can identify specific practices that need to be improved. For example, you may find out that 30 percent of your managers have no idea how to handle inactive user accounts. To address that problem, use a combination of elimination and automation strategies.
Elimination: How can you streamline current practices to make them easier? For example, make the “monthly security check” for managers into five steps instead of 10.
Automation: How can you use a security software solution to make life easier for managers? Using a single sign-on solution is one option. When employees have a single sign-on experience, there’s less administrative overload to manage access for users and fewer ways for employees to make mistakes.
4. Offer Business-friendly Cybersecurity Training
Your next step is to create easy-to-understand cybersecurity training. Your objective is to make the training easy to remember and act upon. Remember, your audience is managers who aren’t focused on security. To make your cybersecurity training program, following these best practices:
Duration: Start by limiting yourself to a relatively short session (i.e., 60-90 minutes).
Cite business examples: Security concerns may come across as theoretical until you cite examples. For example, cite the EY Global Information Security Survey 2018-19 for data to discuss in your training.
Offer one exercise: Give your managers some time to do an exercise to apply what they’re learning about security. For example, give managers copies of phishing emails and ask them to flag which emails are suspicious and why.
Limit the use of cybersecurity jargon: Before you deliver the training, ask a non-IT security professional to review your materials. Ask him or her to flag confusing terms so you can adjust.
Provide a point of contact: Make it clear that you’re there to support managers. Provide a single email address (e.g., SecurityHelp@YourCompany.com) or phone number so that managers can get the help they need.
5. Use Continuous Improvement to Make Easy Cybersecurity Develop
In the first months of adopting an easy cybersecurity philosophy, you’ll need to pick and choose your battles. You might choose an initial focus on access governance issues such as inactive user accounts. After managers become skilled with that issue, don’t stop there. You’ll need to move on to other areas of security, such as password management. Over time, you’ll build greater security skills across the organization.
What’s Next After You Make Cybersecurity Easy for Managers?
After you win the support of your company’s managers by making cybersecurity easy, there are other challenges to address. Look into making IT security easy for everyone in the company to do. Using a specialized IT security chatbot is one way to make this happen. With Apollo, users can submit IT security requests such as password changes 24/7 and get a response in seconds.
