Automation, digitalization and digital transformation are impossible without working on information security. The further you advance along the path of technological development, the more vulnerable you become. Moreover, as Positive Technologies statistics show, one of the most vulnerable points is people. That is why in almost 50% of cases an attack on a company comes through social engineering.
As a result, people are the target in 43% of successful attacks.
This is confirmed by research: people are increasingly falling for social engineering techniques.
The fault here lies not only in inattention, but also in the growing ingenuity of attackers. For example, one of our partners used the delivery services of a large company. At one point, while waiting for a parcel, he received an email: “Ivan Ivanovich, your parcel has arrived! Follow the link and select a convenient time for delivery.” In other words, the attackers had obtained a database of personal data and sent targeted mailings. Could you avoid falling for such a trick?
As a result, effective cybersecurity is impossible without developing competencies among all employees.
At the same time, specialists from Positive Technologies have developed an excellent and detailed competency matrix for an information security director (CISO), which you can find here. Positive Technologies is one of the leaders in the Russian information security market and develops courses for information security directors.
So what competencies are needed, from whom and at what level are they needed?
Rating scale
Let's first look at the competency scale used in our proposed matrix. Each competency has four levels:
0 points – no competence;
1 point – competence is demonstrated at a basic level. The employee knows and uses basic tools, but this is not his strong point;
2 points – competence is demonstrated at a sufficient level. The employee shows expert knowledge and mastery of the tool, can solve complex problems, participate in projects, and adapt the tool to the organization’s tasks. However, he cannot act as an expert of the competence center or explain the subject to others simply, without complex terminology;
3 points – competence is demonstrated at an excellent level and is the employee’s strength. The employee can be an expert in a competence center and solve atypical problems using the tool/competency. In addition, the employee is able to convey knowledge and skills to others in simple and accessible language, with analysis based on practical examples.
Competency Matrix
We recommend basing the CISO competency matrix on the developments of Positive Technologies in the field of technological expertise, supplemented with knowledge of systems approach tools. As a result, we get the following matrix:
1. Information security competencies
knowledge of the organization's basic processes and the specifics of their information security support – 2-3 points;
understanding of the impact of IT on the organization’s activities and key processes, including which IT systems are involved in them – 2-3;
knowledge of modern digital and telecommunication technologies, the possibilities of their use for information security, the potential risks, and approaches to neutralizing these risks;
knowledge of approaches to organizing and ensuring information security – 2-3;
knowledge of regulations in the field of information security and information protection – 2-3.
2. Systems approach tools
lean manufacturing – 1-2;
project and product management – 2;
theory of constraints – 1-2;
communication management – 2-3;
implementation of changes, motivation management and PR – 2-3;
regular management practices – 1-2;
reading and describing business processes – 1-2;
working with strategy and organizational structures – 1-2.
For other employees, the competency model and matrix will be different.
1. Personal security competencies
Basic tools and methods of attacks on individuals, knowledge of social engineering methods and how to counter them
Rules of “digital hygiene” in social networks and when working with email, methods for protecting personal data, and rules for creating passwords
Rules for using search engines and analyzing web portals and sites, knowledge of methods for disguising malicious attachments
2. Information security competencies in the organization
Basic tools and methods of attacks on organizations
Detecting deepfakes (voice spoofing) and untrustworthy emails
Rules for handling proprietary information and trade secrets securely
Knowledge of unacceptable scenarios in which an employee may find himself, and the criteria for them
Recognizing signs that indicate an intrusion by an attacker
Knowledge of the contact details of those responsible for information security in the organization and of the organization’s information security rules
Knowledge of government regulations
3. Information security competencies in digital projects
Knowledge of typical vulnerabilities of digital technologies and the ability to formulate information security requirements for digital solutions
Knowledge of typical risks of various classes of IT systems
Knowledge of typical platform and operating system vulnerabilities
Identifying unacceptable events and scenarios that a new IT solution or technology may introduce
Employee categories
We recommend that all employees be grouped into the following categories:
owner, CEO, CEO-1 (the CEO's direct reports);
middle management (heads of departments) who are not involved in digital projects or unacceptable scenarios;
middle management, which oversees and implements digital projects;
middle management, which is at risk (involved in unacceptable scenarios, including HR and marketing);
informal opinion leaders;
specialists involved in digital projects and unacceptable scenarios;
ordinary employees.
Based on this approach, we have prepared a competency matrix, which is attached below.
Road map
We have considered building information security from the point of view of competencies.
Now let's look at the roadmap. Of course, everyone would like a universal algorithm. Unfortunately, there cannot be one: everyone has different business processes, industry specifics, organizational structures, and levels of automation and digitalization. But let’s give a conditional and generalized roadmap.
Stage 1. Preparation
At this stage, our goal is to close the most obvious gaps and prepare for a full-scale restructuring.
What needs to be done:
identify events whose occurrence as a result of cyberattacks is unacceptable;
identify the scenarios and criteria that may lead to unacceptable events;
describe the necessary processes “as is”;
conduct a complete inventory of the IT landscape;
check how well the organization and its systems are actually protected against unacceptable events;
conduct a retrospective investigation of past breaches;
select domestic protection systems and plan implementation projects (technical part);
strengthen monitoring aimed at detecting cyber threats;
prepare a training program and instructions for employees that answer the “why?” question for regular staff and technical personnel;
conduct mass training of personnel in the basics of information security, countering social engineering, and the rules for creating passwords.
Necessary systems approach tools for solving these tasks:
theory of constraints
project management
modeling and description of business processes
communication
implementation of changes
digital technologies and IT systems
Implementation period: 6-12 months.
Stage 2. Transformation
Goals of this stage:
carry out transformation and build effective information security;
lengthen attack chains to allow more time to react and take action;
make unacceptable events impossible.
To do this you need to:
implement protective IT solutions and rebuild the IT landscape (perimeter protection, sandboxes, etc.);
change business processes and build the necessary policies;
develop the necessary information security competencies in specialists from the “risk zone” who participate in digital projects;
conduct systematic PR about the successes achieved;
conduct mid-term studies and cyber drills to identify hidden unacceptable scenarios and additional areas for employee training;
determine the necessary competencies and content for your own competence center;
build systematic work on vulnerability management and the analysis of new and current software;
build secure development processes (DevSecOps) for IT companies;
build work with IT solution providers, including specifying information security requirements and analyzing solutions for vulnerabilities.
Key systems approach tools for solving these tasks:
project management;
modeling and description of business processes;
communication;
implementation of changes;
digital technologies and IT systems.
Duration: 6-12 months.
Stage 3. Consolidation of changes and transfer of information security to a permanent function
The goal of this stage is to make information security a stable function rather than a one-time project, so that it does not roll back in six months or a year.
Key tasks of this stage:
create your own competence center from a knowledge base and trained specialists;
consolidate practices with new standards, reminders, instructions, rules, and described business processes;
regularly conduct cyber exercises to identify new criteria and scenarios of unacceptable events;
financially and publicly reward employees who participated in the previous stages;
change the KPIs of employees from risk areas and of those responsible for digital development;
carry out optimization and automation of information security.
Necessary systems approach tools for solving these tasks:
Lean
regular management practices
communication
digital technologies and IT systems, automation.
Duration: 1-2 years.
The most common mistakes that can derail the construction of information security or stretch out the time frame:
setting a task without providing the resources and authority to complete it;
focusing on doing things well now and assuming everything will then work by itself, that is, ignoring process management and a systems approach;
focusing on process without results;
pushing goal setting and the identification of unacceptable events down to performers who lack the appropriate competencies and who rely on their own metrics that they understand: a CIO or a cybersecurity director simply will not be able to identify business risks.