How missed education opportunities have created workplaces where people don’t know what the plan is in a crisis
By Chris Green, Head of Communications, EMEA, (ISC)2
Problems can disrupt even the most well-prepared organizations. There are a multitude of events that can impact the cybersecurity posture of an organization and prevent it from operating normally, in turn requiring a sudden change of plans or the activation of a documented and tested action plan.
Disaster recovery (DR) plans and business continuity (BC) strategies are a case in point. These action plans commonly account for a variety of challenges such as a fire, a flood, a power failure, bad weather, strike action or a transport failure: all things that can impact the existing workplace or prevent normal access to IT facilities and normal use of cybersecurity measures.
When it comes to cybersecurity, documented plans and strategies are critical. They are the playbook when something goes wrong, and they serve as the baseline for activities that should be carried out to prevent crises in the first place. As we have learned in the last few months, many companies did not have a documented plan in place for dealing with the impact of a pandemic. But even for those who did, did everyone on the team know what the plan was when disaster struck? Did education, communication and training go far enough to ensure everyone knew what to do and what was expected of them?
At (ISC)2, our annual Cybersecurity Workforce Study provides a wealth of valuable, actionable data every year. But it also shines a spotlight on some of the underlying problems that hold back cybersecurity success, in particular the lack of awareness within organizations about plans, strategies and standards.
For example, we asked respondents to the most recent survey which standards their organization used to determine the framework for protecting its information infrastructure. We found that 37% use ISO 27000, while 35% also pointed to NIST SP800-53 (with many organizations using more than one framework for a best-of-breed approach). However, we also discovered that 12% of respondents globally – more than one in 10 – did not know at all what their organization’s preferred framework standards were. Broken down by region, we found that it was as high as 14% among respondents from EMEA, while North America and APAC were on a par with the global average. The smallest organizations – those with up to 19 users – were the highest, with almost one in five (19%) not knowing, compared with 9% of 250-499 user organizations. The largest companies mirrored the global average.
It’s a similar story when we look at published cybersecurity strategies, policies and plans. The good news is that two-thirds of organizations globally have one, or at least the respondents are aware that their organization has one. Almost a quarter categorically indicated that their organization did not have a published information security strategy or policy document. This is greatly concerning in its own right, but at least there is clarity about the deficiency. The greater concern is the 11% where respondents simply didn’t know one way or the other.
Plans and strategies only work if all the affected people know what the plan or the strategic approach is in the first place. If people don’t know what the approach is, or where to find the information, they simply won’t follow it when the need arises. Of course, this situation is even more challenging if there genuinely is no plan to follow, or if business leaders simply assume that because a plan exists, everyone knows to action it when necessary. Education and drills serve as a valuable means to verify awareness, as well as testing the viability of the documented approach.
The lack of awareness highlights the need for consistent training. Not just in testing and practicing strategic responses, but in ensuring awareness. As cybersecurity professionals, a key part of what we can bring to our organizations is leading the education and communications push. Not only ensuring people understand what cybersecurity is and why we do what we do to keep users, systems and data safe, but in communicating, training and ensuring people know a strategic plan exists, where it is, what to do, as well as why we do it.
If you don’t know, you can’t alert others or call for help when something goes wrong, because you don’t know the processes, the lines of communication, the legal requirements or other policies that need to be followed. Another case in point: 14% of respondents don’t know if their country or region requires public disclosure of a cybersecurity breach. That is 14% in dire need of training and education on what to do and why to do it.
Organizations and cybersecurity professionals need to devote resources to training the rest of the business and raising awareness of policies, processes and action plans. The COVID-19 experience has provided stark evidence of the importance of this. As the data shows, the lack of awareness around standards, plans, strategies and legal requirements is big enough that it could undermine any organization – including yours!