With people arguably the weakest point in an organization’s cyber defences, security awareness training is a hot topic for CISOs.
But what’s the most effective security awareness strategy: The carrot or the stick?
At TMX Group, which runs the Toronto Stock Exchange and the TSX Venture Exchange, the answer is a subtle carrot.
“My overall goal is to make security personal,” CISO Bobby Singh told the RiskSec Toronto conference this week. “The intention is to get users to understand how to protect corporate data as they protect their financial data in their personal life.”
While the organization looks for security champions outside the IT department, runs phishing simulations four times a year – with one-on-one meetings for repeat offenders who keep clicking on bad links in the tests – and holds occasional ‘lunch and learn’ sessions, the focus of awareness training has shifted.
“Instead of talking to users about protecting corporate data we’re talking about how to protect their financial data – what multifactor authentication looks like, how it should be done, how do you know what your kids are talking about on SnapChat … and we’re hoping that while doing the personal stuff the transition of behavior will come into the corporate side.”