Elevating Alert Readiness: A People-First Approach for CISOs

Originally published by Devoteam.

The Gartner Security & Risk Management Summit 2024 hammered home the need for a proactive and resilient approach to cybersecurity. Sure, there were plenty of shiny new technologies and strategies on display, but the biggest takeaway for me was the resounding emphasis on a people-centric approach to security and cyber resilience. This resonated with me, because it aligns perfectly with the core principles of the Alert Readiness Framework (ARF).

Simon Sinek famously said, “People don’t buy what you do; they buy why you do it.” And that’s not just true for customers, it’s true for our employees too. If we truly want to engage our workforce in cybersecurity, we need to ditch the tedious checklists and compliance lectures and tap into the deeper “why” behind security awareness.

The Alert Readiness Framework : A people-first approach for CISOs

CISOs face numerous challenges: increasing risk appetites, the growth of shadow IT, the complexity of emerging technologies like generative AI, and pressure on security teams. Gartner’s research painted a rather grim picture:

• 58% of boards plan to increase their risk appetite in the coming year,
• 75% of employees will operate outside the traditional IT perimeter by 2027, and
• 62% of cybersecurity professionals are already burnt out.

These figures are a wake-up call. We need a new approach to cybersecurity, and that’s where the ARF comes in. You might be wondering, “What exactly is ARF?” It is a people-centric framework that empowers everyone in the organization to play a part in cyber defence. It’s about building a security-conscious culture and providing clear guidelines so everyone knows what to do when a security alert pops up.

ARF helps CISOs tackle these challenges head-on by enabling:

• Building a Security-Conscious Culture: ARF empowers everyone to play a part in cyber resilience: A People-First Approach. By fostering a culture of shared responsibility and providing clear guidelines, ARF turns cybersecurity from a techie chore into a team effort. It increases overall resilience through collective awareness.
• Informed Risk Decisions: Boards might feel adventurous with risk, but CISOs need to back up their security investments with solid data. ARF provides a clear framework for assessing risk, prioritising threats, and proving that security controls work. This allows for proactive risk management based on insights.
• Navigating Emerging Technologies: New technologies like generative AI, IoT, and cloud computing are exciting, but bring new security challenges. ARF helps CISOs get a handle on these risks by providing a flexible framework that can adapt to the ever-changing threat landscape. Crucially, ARF encourages the development of contextual response plans that specifically address the unique security challenges posed by these technologies. By incorporating these considerations into your response plans, you can leverage ARF to proactively mitigate risks and build resilience in the face of technological advancements.
• Achieving Sustainable Security: Let’s be honest, trying to prevent every single attack is exhausting. ARF promotes a more sustainable approach by sharing the load, streamlining processes, and empowering everyone to make informed security decisions, leading to a more proactive and less reactive security posture.

The Alert Readiness Framework for cyber resilience

The concept of cyber resilience is gaining traction as organisations recognise the need to not merely defend against attacks, but to adapt and thrive in the face of evolving cyber threats. The Alert Readiness Framework plays a crucial role in building this resilience by promoting a proactive and holistic approach to cybersecurity. By fostering a culture of shared responsibility, ARF empowers every individual within an organisation to become an active participant in cyber defence. This collective awareness creates a more robust security posture, allowing for quicker detection and response to potential threats.

Moreover, echoing Gartner’s emphasis on “praiseworthy failures,” ARF encourages continuous learning from both successes and setbacks, recognising that valuable insights can be gained from all outcomes. This learning culture enables organisations to adapt to new challenges and strengthen their overall resilience. By integrating ARF principles, organisations can move beyond reactive security measures and cultivate a security-conscious culture that proactively anticipates and mitigates cyber risks.

The human-machine partnership within the Alert Readiness Framework

ARF understands that effective cybersecurity isn’t just about fancy technology; it’s about humans and machines working together. The framework leverages both to get the best possible security outcomes:

• Human Intuition and Expertise: ARF incorporates human observations and insights into the alert system, adding a layer of nuance and context that machines alone can’t provide.
• Empowering Human Decision-Making: ARF provides clear guidelines and response plans so that everyone knows what to do when a security alert pops up. This empowers people to take action and builds a proactive security culture.
• Optimising Technology: ARF helps CISOs choose the right tools for the job and avoids unnecessary complexity. It’s about using technology strategically to support human decision-making.

How the Alert Readiness Framework fosters a culture of learning

Gartner made a great point about “praiseworthy failures.” In the past, cybersecurity has often been about avoiding mistakes at all costs. But this can stifle innovation and make us less adaptable to new threats.

By embracing the idea of praiseworthy failures, we can create a culture of learning and continuous improvement strengthening cyber resilience. This means understanding that not all failures are bad. Some are blameworthy, like when someone ignores basic security protocols. But others, especially those that come from trying new things or navigating uncharted territory, can be valuable learning experiences.

ARF helps us distinguish between these types of failures. By setting clear roles, responsibilities, and response plans, ARF helps pinpoint the root cause of incidents and figure out whether they’re learning opportunities or situations that need fixing.

To build a culture of learning, CISOs should:

• Encourage Experimentation: Give security teams the freedom to try new approaches and technologies without fear of reprisal.
• Destigmatise Failure: Make it clear that everyone makes mistakes, and that learning from them is how we grow.
• Celebrate Learning: Recognize and reward people who identify vulnerabilities, experiment with new solutions, and share their learnings.

By embracing praiseworthy failures, CISOs can create a more dynamic and adaptable security environment.

Actionable advice for CISOs

• Start with Why: Explain why security matters. Connect it to the organisation’s mission and goals.
• Adopt a People-First Approach: Focus on building a security-conscious culture and empowering individuals.
• Think Big, Start Small: Begin with a small scope and gradually expand ARF implementation.
• Build a Cross-Functional Team: Involve people from different departments to align the framework with business objectives.
• Prioritize Communication: Ensure everyone knows how to share information about security alerts and response plans.
• Embrace Continuous Improvement: Regularly review and refine your ARF implementation based on feedback and new threats.

The Gartner Summit drove home the importance of a people-centric approach to cybersecurity. ARF provides the framework and the “why” to make this happen. By empowering employees, optimizing technology, and fostering a culture of shared responsibility, ARF enables CISOs to build resilient and secure organizations.