As we all know by now, the human factor is crucial to enterprise security. Cyber attacks routinely exploit vulnerable human behaviors to gain entry, since organizations must trust their own people—or at least some of them—with access to critical systems. Humans make decisions on risk tradeoffs, funding for security programs, adherence to policies, and hiring, factors which impact the organization’s security posture in many ways. From the newest intern to the chief executive, all members hold the power to harm, or to help, the security of sensitive data and essential systems. Acknowledging this is a necessary but insufficient step. The humans we rely on must know what to do about all of this. Given that cybersecurity is neither the expertise nor passion of most people, there must be an easy-to-understand and easy-to-do set of actions that everyone can perform to do their part. It turns out that for all of the resources available on security awareness and training, there is precious little available on security guidance for employees based on their business functions. That is, guidelines for people based on their job role: security guidelines for Finance and Administration professionals or security guidelines for Legal & Compliance workers. It was to address this need that the Workforce Management subgroup of the National Initiative for Cybersecurity Education (NICE) launched a project to draft guidelines for all members of an organization based on business function. NICE is a program of the National Institute of Standards and Technology (NIST), the lead federal agency for maintaining the Framework for Improving Critical Infrastructure Cybersecurity (commonly known as the Cybersecurity Framework, or CSF), among other standards. (Many readers may also be familiar with NIST for the Special Publication 800 series, which provides detailed technical standards for security.) The Workforce Management subgroup, part of the broader NICE Working Group, is a voluntary collaboration of professionals from government, industry and academia who meet to develop guidelines for improving enterprise security through their workforce. The draft guidebook, Cybersecurity is Everyone’s Job, is now available for public comment, the final phase of its nearly one-and-a-half-year development. The goal is to capture feedback from a diverse audience to ensure that the document meets its objective: to engage the entire workforce in improving enterprise cybersecurity by providing actionable guidance by business function in an easy-to-understand fashion. The public comment period is open until July 31, 2018, and feedback can be provided via an online survey (or email, if preferred). The document is available for review on its webpage. This provides an excellent opportunity for cybersecurity professionals—and professionals from all functions and sectors—to provide input to this important guidebook.
