Cybersecurity is Everyone’s Job

The most effective factor in combatting cybercrime is an informed and alert employee. And that includes every employee in the company.

I learned that by talking to CISOs while conducting a research study to determine the tools and processes they use to thwart ransomware and other cyber-attacks.

On behalf of a tech company, Futurum Research conducted this study to understand:

  • How CISOs from large organizations (more than 1,000 employees) are approaching the issue of protecting their companies’ data from cyber criminals and enabling sufficient recovery after an attack
  • How the ransomware threat has changed security and data protection practices
  • What tools and processes CISOs are using now, which areas need improvement, and what they feel they are not getting from their current products
  • How budgets and security teams are growing to meet the increase in cyber threats

We surveyed 163 security executives and conducted a dozen in-depth interviews with CISOs. We promised the interview subjects anonymity to ensure they could speak freely.

The CISOs we talked to emphasized they need help – both externally and internally – to secure their organizations. That includes getting IT teams to work closely with security teams, and outsourcing processes to large providers with expertise that could not be found in-house. But it also means getting every employee in their company involved and educated on all potential threats.

“The easiest way for a hacker to get in is to exploit a human vulnerability,” said a senior information security executive at a pet supplies company. “Most attacks come through phishing. It’s the human factor that we have to worry about. Someone has to click on the phishing link [for an attack to be successful]. If you can prevent that, then most likely you’re going to prevent someone from getting inside and causing havoc in your network.”

A bank Information Security Officer said he holds security awareness training sessions with all non-security staff.

“As I train staff, I tell them ‘You are the first line of defense,’” he said. “We train users to report suspicious events. If something weird is going on, we ask them to report it. So, it’s a combination of detection, monitor controls and ongoing user awareness.”

An oil company CIO with CISO responsibilities said he makes security training an ongoing process throughout the company. He circulates weekly security videos created by an outside firm to the entire organization. He also distributes quizzes every week, and gives an award to the employee who gets the highest score.

“Employees have become a lot more aware of how to spot an issue, which is important because most attacks start with some kind of access to an account,” he said. “We brought the same rigors we have for physical security to the cybersecurity side. The KPI on the physical side is Lost Time to Injury (LTI). I created a zero Cyber Incident as a KPI. And we track how many months we have zero cyber-incident. And lots of people are now spotting these kinds of issues and sending emails [to the security team].”

A former CISO for a Fortune 500 company and current cybersecurity consultant said cybersecurity awareness should be mandatory for all employees.

“You’ve got to hold them accountable upfront where they understand that there are certain policies that they have to follow,” he said. “Otherwise, we cannot protect the company. That’s a real conversation that continues to happen.”

Budget, Staffing Can Limit Security Efforts

Our survey identified the two main obstacles to managing cyber recovery as financial: the high cost of solutions (37%) and limited budget (36%). The former CISO-turned-consultant said another limiting factor for security professionals is that there are too few of them.

“There may be an expectation that every company has a good security incident response team and plan, and that’s the fallacy,” he said. “I know CISOs who are the only security practitioner in the company.”

We found in interviews that it is common for large organizations to outsource security expertise, particularly through Security Operations Centers, including monitoring for Security Information and Event Management (SIEM) systems, and through Managed Detection and Response (MDR) services. Several executives said they also use services for scanning and monitoring data and other functions instead of trying to find in-house expertise.

Interviews revealed that CISOs also see the public clouds as offering complementary services to a wide range of on-premises tools. When asked which vendors’ products/services they use to address cybersecurity needs, the three major hyperscalers ranked in the top five. Microsoft Azure (39%) and AWS (30%) were the top two, followed by IBM, Cisco, and Google. Others mentioned by at least 10% of respondents were VMware, Dell, Palo Alto Networks, and CrowdStrike.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.

Author Information

Dave focuses on the rapidly evolving integrated infrastructure and cloud storage markets.
