CISO Voices: The CISO as a Storyteller—Part 4
Recently, Jenny Radcliffe interviewed Daniela Almeida for the “Human Factor Security” podcast. Daniela has a background in communications and cultural studies, so she knows all about people. She puts these skills to good use as the chief information security officer (CISO) for Dutch fintech company, Tinka. After all, the human factor is vital to an effective security posture.
Below is a summary of Daniela’s thoughts on people-centric cybersecurity, the legacy of the pandemic and the language of the CISO.
Translating cyber risk to business risk
It can be challenging to translate cyber risk into a language the wider business community can understand. If an organization wants to grow, move in another direction or make any significant decision, it’s up to us to show them the risks involved and all possible consequences. That way, the board can make an informed decision.
But to work effectively with the board, we must speak the same language. It’s no use leading with fear. If every presentation is essentially “We’re all going to die,” people will stop listening. Instead, we should tie risk to relatable consequences.
If a business is selling its products online, cover the threats that could jeopardize that online presence. Focus on the kinds of risks the business already faces or is likely to face and build a threat profile. Most important, try to get in the same boat. Agree on priorities together to avoid tunnel vision from either side.
On the lasting impact of the pandemic
The pandemic likely made people more savvy about cybersecurity because it moved the risks of the work environment into their homes. Fraud and scams, like those linked to COVID-19, feel like more of an intrusion when they happen in your safe place. It heightens the need to protect yourself.
But there is uncertainty as people return to the office. People may ask, “Do I still need to take the same precautions?” Add to that the increased levels of creativity and sophistication shown by cyber criminals on the back of the pandemic, and it makes for a very interesting time. (Check out the 2022 Human Factor report from Proofpoint for more statistics on this kind of behavior.)
In recent years, we’ve seen an increase in spear-phishing attacks. Threat actors are using social media and other sources to increase their conversion rates. I’m curious about where this goes next, as cyber criminals continually find new and innovative ways to target people.
It’s all about people
Organizations are made up of people. Regardless of what configurations or security mechanisms you may have in place, there is a person behind them.
This human layer is often seen as the weakest link, but I think it can be the strongest. If you know what mistakes pose a risk, you can counteract them. And if you can get people to understand how threat actors will attack, then you can create a barrier by teaching users how to be cyber-savvy in response.
But to do this, we have to invest in awareness. Not just general awareness but a security awareness training program that is specific to certain threats, entry methods, job roles and more.
We must also keep in mind that the illusion of knowledge is more dangerous than ignorance. When building effective defenses, those of us on IT and cybersecurity teams must be careful not to get overconfident in our understanding of the latest threats and the risks they pose.
Want to hear more from CISOs?
Head to “CISO Voices” to hear from Daniela in her own words and access other episodes. Jenny’s “Human Factor Security” podcasts also feature further insights from cybersecurity experts. And keep an eye out for the next installment of this podcast series, when Bridget Kenyon of Thales joins Jenny to discuss all things cybersecurity—from the high drama to the day-to-day.
Proofpoint CISO Hub
Visit our CISO Hub to get regular updates on cybersecurity research, insights and resources specifically for the global CISO community.