November 24, 2017

More Training Won’t Reduce Your Cyber Risk

By Dr. Michael Sulmeyer and Mari Dugas

How many times have you had to watch your company’s latest cybersecurity training video? An entire industry now exists to train us humans to be smarter in how we operate computers, and yet the number of cybersecurity incidents continues to rise. Are the hackers always one step ahead? Are we impossible to train? Or are we being taught the wrong lessons?

The human is indeed the weakest link in cybersecurity. But all too often organizations’ approach to mitigating that risk — other than taking the wise step of ensuring that they have state-of-the-art technological protection in place — is more training. It won’t suffice.

The U.S. armed forces and security agencies are a case in point. Should the military train its soldiers, sailors, generals, and admirals so they are less of a weak link for cybersecurity, as Admiral Sandy Winnefeld, the former vice chairman of the U.S. Joint Chiefs of Staff, advises? Sure. Should the National Security Agency (NSA) do the same for its employees to keep secrets secret, as the New York Times indicates has been a challenge? Obviously.

Read the full commentary in the Harvard Business Review.
