Most businesses struggle with cyber protection strategies that enlist stakeholders and key employees as critical components in their resiliency roadmap.  On the physical security side, security experts across the world have expertise to protect facilities and experience assuring vigilance within an organization.  They have learned to guide and advise personnel to assist in the process of reducing physical risks. Whereas on the cyber side, the widespread ever-changing entry ways and emerging opportunities for cyber exploitation requires a new kind of strategy.  

Our dependence of cybersecurity tools, reliance on traditional intelligence and law enforcement approaches will not lead organizations to the “network resilience” results they desire.  Ultimately, we have learned that employee participation in the security process is paramount in effective security management. Hence, the Department of Homeland Security’s (DHS) slogan “See Something, Say Something.”

The numerous frameworks and security mindset supporting risk management practices will not make employees competitive in efforts to keep hackers out.  Generalized security practices and IT compliance training will not assure critical asset, systems and networks function as they are intended to do.

The lessons learned from physical events have assisted in creating the assessment and continuity practices we employ today.  With a building, we can see if people are coming in or going out. Barriers can be erected that can physically stop a person for passing.  However, the ability of cyber exploits to ride legitimate functions of networks creates a different dynamic when attempting to identify intruders.   

Corporate officers, ranging from the members of Boards of Directors to the Chief Information Security Officer, are seeking cost effective methods to reduce cyber risks.  The employee is the answer and needs to move from employee to team member. This transformation is critical as more exploits are targeting the worker than ever before. It starts however with a strategic approach to training.  

Developing a culture of cybersecurity provide a cost-saving realized through cybersecurity capacity building that makes everyone a “partners.”  Engaging them requires training. A lack of awareness by employees, regarding their role in cybersecurity, will minimize their vigilance, and ultimately their assistance.  The employer essentially negates in-house assistance and the opportunity to create a force multiplier.

Employees should know that hackers can gain enough information to impersonate legitimate business associates and community partners.  With personal information, hackers can build communications appearing to come from legitimate sources. Thus, employees can be moved to take an action because of their confidence and faith that the impersonator is making a legitimate request, or order.   

The communications and coordination across technology, policy, operations, and strategic leadership areas have become key to assuring cyber resilience in these business areas.  The increased value of data, connectivity of systems and growth of social media exacerbates opportunity leading to a successful breach.

Although all employees are usually provided IT compliance training, their part in cyber risk reduction is lost on the general workforce.  Bringing them into the cybersecurity resilience strategy means creating an expectation of security among them. If employers fail to realize now that every employee is a “key employee” in the new digitized work environment, the organization will financially and reputationally pay a cost later.  Every employee requires the training and inclusion in the security process to effectively secure critical environments. There is a net return when you invest in employees. Their understanding of cyber threats, and the consequences that result from successful exploits, makes them powerful no matter their pay grade or position.    

The goal is to enhance protections against electronic systems disruption and unauthorized access to corporate and personnel data.  When a breach does occur “all-hands on deck” should tie to a metered strategy that is backed by employees who are conditioned to readjust services.  Their recognition and ability to provision service offerings on the fly will assist in maintaining regulatory compliance and providing information to responding cyber experts.  This makes it easier to bring affected systems back to near normal operations a lot sooner.

As a former DHS cybersecurity planner, I am afforded opportunities to simultaneously take a broad look at the security threats facing critical infrastructure, and how the risk is being managed.  My work with critical infrastructure organizations across all sectors still provides a “birds-eye” view of unfolding approaches to managing cyber threats. This is how I am sure resilience is only achieved when we go beyond IT compliance training.  Don’t find out the hard way that you can’t just depend on cybersecurity professionals to build a resilient network. We are only as strong as our weakest links, but stronger when we weave them together.