Every Employee Must Now Be Part of the Cybersecurity Team

As Western governments prepare for Russian cyberattacks, some U.S. states are leading the way to greater cyber-resilience.

With cyberattacks coming from every direction—nation-states, hacktivists, criminal gangs—organizations need to use every tool in their arsenal to protect themselves following the Russian invasion of Ukraine. That includes their people.

Organizations can have millions of dollars’ worth of tools in their toolbox, and it can still take only one person clicking on a link or running an unpatched device to bring them all down.

And so in Arizona we made a big shift.

Know your IT risk posture

The old adage still holds true: An ounce of prevention is worth a pound of cure. When I helped define cybersecurity strategy for the state of Arizona, one of the first policy changes the state made was to cyber-train every single state employee, every year, with basic foundational information and awareness.

They learned the basics of good cyber hygiene. They were trained to think before they clicked on an unknown link. They learned ways to avoid becoming the next victim of a phishing attack.

With this kind of preparation, we increased the size of our security team to all 36,000 state employees. They were all part of the cyber team. They were all responsible for defending against cyberattacks.

Expanding the idea of security

In Arizona, security pervaded the entire state government culture. We no longer wanted the security team to be this secretive group working behind closed doors. We wanted state employees to understand that we were their partners.

If they ever had a question, we wanted to be the first group that employees would think to contact. Even if they were not sure about reporting an incident, we would look at anything suspicious and make sure workers were not putting the entire network at risk.

Arizona isn’t the only state doing this. I’m seeing other states that are also beginning to engage in comprehensive cyber training of their entire workforce.

Organizations are only as strong as their weakest link. Whether someone is developing an application, processing payroll, or writing a contract, they need to be thinking about why they could be the target of an attack. They need to know how bad actors could try to use them.

Educating employees makes organizations safer

In Arizona, cyber training became as routine as taking anti-harassment training. And we monitored to see if people completed the training. And if they didn’t, they could be disconnected from the network. That’s how important it was.

And that went all the way up to the director level. Even if someone was very busy and important, cybersecurity was also very important. If people didn’t do the training, their access and privileges could be revoked.

Rather than just an annual training event, we also looked at different ways of sharing the same messages. For example, we provided short video clips that could be played during a team event.

Ultimately, we learned that cyber training must be more than a point-in-time solution. It must be designed to keep security top of mind for everyone, all the time.

Jennifer Pittman-Leeper
Jennifer Pittman-Leeper is a customer engagement manager at Tanium. She was previously the enterprise security program administrator in charge of leading cybersecurity strategy for the state of Arizona.