What your workforce wishes the cyber team knew
12.80% of employees are very familiar with their company’s cybersecurity team
40.80% of employees want cybersecurity advice with real-life examples
82.10% say all employees share cybersecurity responsibility
Congrats…! Nothing happened!
Being a CISO or a member of a cybersecurity team can be a thankless job. Crucial work is being done daily, often in the hope that…nothing happens!
Whilst proving the value of the cybersecurity team to the board is one thing – how does the workforce think they’re doing? Are those nudges and emails landing? What do they want to see more of? What can’t they stand?
We surveyed over 1000 workers to understand more.
What’s working?
The good news is workers have a strong understanding of how important the cybersecurity team is. 86% see the team as a ‘necessary function’, 88% read cybersecurity emails within a day, and most importantly, 97% at least moderately trust their cybersecurity team’s ability to prevent or minimize damage from cyberattacks.
What isn’t?
While it’s great to know general opinions are, for the most part, positive, they aren’t unanimous. Around a quarter of workers find the cybersecurity team to be secretive and out of sight (26%), and workers have on at least one occasion found the team to be slowing progress (26%), a hindrance to personal objectives at work (24%), and intrusive (25%).
Access the full study insights to discover the future of cybersecurity training tailored to today’s digital workforce.
Out of sight, out of mind
STAT: Just 12.8% of employees are very familiar with their company’s cybersecurity team
For security teams, it’s easy to feel like unsung heroes holding the fort. But our survey reveals they’re often viewed as unseen. This opens gaps through which important information can fall. Our survey found that over 78% of respondents work remotely at least part of the time. However, around a third of these remote workers reported having little to no familiarity with the cybersecurity professionals protecting their systems.
Only 12.1% find their cybersecurity team visible and easy to contact. Proactively sharing knowledge requires consistent visibility. Otherwise, they may as well remain locked in the server room shouting warnings no one can hear.
“With dispersed teams, old security protocols can feel restrictive rather than protective for many employees today,” says Dr Jason Nurse, CybSafe. “We need human-centric awareness built on mutual understanding for safety that feels like support.”
On a scale of 1-5 (1 = not familiar at all, 5 = very familiar), how familiar are you with the role and responsibilities of your company’s cybersecurity team?
How can your experience with your organisation’s cybersecurity team be improved? (Select 3)
Simple, not simplistic
STAT: 40.8% of employees want cybersecurity advice with real-life examples
Today’s workforce is pragmatic, but overwhelmed. They need cybersecurity guidance that translates security into their tangible work contexts. While making cybersecurity training ‘fun’ may have an initial novelty factor, what your team really want is the answer to two questions:
- What do I need to know?
- What does this look like in my daily work?
They don’t need overly technical details or gamified training modules. Instead, they want clear, concise and relevant insights alongside the necessary time to internalize them, or at the point of need.
Our research revealed well over 1⁄3 of employees desire security training focused on real scenarios versus abstract attacks. In other words, what signs can I look out for in my daily work? What types of attacks are most likely and require more attention? Where should I report incidents to get issues resolved swiftly?
The cybersecurity profession tends toward technical terminology unfamiliar to most. But common language connects better across varied backgrounds. Over 1⁄4 (29.1%) of employees want cybersecurity teams to use less technical jargon. Speaking plainly – without talking down – makes communications seamless rather than strained.
Ira Winkler, CISO and Vice President, CYE and author of Security Awareness for Dummies:
“The research suggests cybersecurity teams are becoming enablers rather than obstacles of daily business processes. That 38% of respondents felt that the security team hampered their work suggests that users still perceive cybersecurity as a nuisance.”
“This does make it a pleasant surprise that users who reported were overwhelmingly satisfied with the response from the cybersecurity team. The implication is that cybersecurity teams are becoming more customer service focused and understanding of the needs of users.”
“While cybersecurity friction does have a bad connotation, the reality is that it can be useful and necessary. While you don’t necessarily want to make business processes difficult, you do want to make sure that it is not easy to do the wrong things. At the same time, users and the company as a whole should understand that cybersecurity embedded in business practices enables organizations to do things they otherwise would not be able to do. For example, cloud-based applications would not be possible unless data could be secured across the internet and users could authenticate themselves properly.”
Unified, not universal
STAT: 82.1% say all employees share cybersecurity responsibility
There’s no one-size-fits-all formula for cyber safety amidst hybrid work’s complications. But collectively acknowledging distributed security duties helps. Over 80% see protection as a shared stewardship rather than the security team’s solo burden.
That said, collective responsibility also requires the tools to support the workforce. 37.7% cited a lack of cybersecurity education and training as a top pain point for them. One-off compliance training isn’t cutting it.
“With hybrid workforces accessing systems from everywhere, threats can slip through via clever phishing links or shadow apps outside the firewall,” explains Dr Jason Nurse, CybSafe.
“The research makes clear that most workers feel a sense of personal responsibility for protecting their organisation’s data. It’s up to the cybersecurity team to build on this goodwill, creating an environment where mistakes aren’t punished but expected, and one little click doesn’t destroy a network due to a culture encouraging fear of reprisal.”
“People want to be, and are, part of the solution. Ultimately, however, it is the security team’s responsibility to develop that solution through support, guidance, secure systems, and easy-to-use security processes and systems.”
Who do you believe bears MORE responsibility for protecting your company from cyberattacks?
Biographies
Dr Jason Nurse
Director of Science and Research, CybSafe
Dr Jason Nurse is the Director of Science and Research at CybSafe, and he is also an Associate Professor in Cyber Security at the University of Kent.
At CybSafe, Dr Nurse leads a team of behavioral scientists and researchers responsible for ensuring that the company’s product is grounded in scientific evidence and empowers users to make smarter security decisions and build better habits.
Jason has spoken at venues across the world, and has contributed to (or featured in) mainstream media such as the Wall Street Journal, The BBC, Newsweek and Wired. Prior to CybSafe, Dr Nurse engaged in research into human cyber risk, security behaviors, and cyber psychology at the Universities of Oxford and Warwick, with his PhD specifically focused on organizational cyber security.
Ira Winkler
CISO and Vice President, CYE and author of Security Awareness for Dummies
Ira Winkler, CISSP is the Field CISO for CYE Security, former Chief Security Architect at Walmart, and author of You Can Stop Stupid, Security Awareness for Dummies, and Advanced Persistent Security.
He is considered one of the world’s most influential security professionals, and has been named a “Modern Day James Bond” by the media. He did this by performing espionage simulations, where he physically and technically “broke into” some of the largest companies in the world, investigating crimes against them, and telling them how to cost-effectively protect their information and computer infrastructure. He continues to perform these espionage simulations, as well as assisting organizations in developing cost-effective security programs.
Ira also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. CSO Magazine named Ira a CSO Compass Award winner as The Awareness Crusader. He was named 2021 Top Cybersecurity Leader by Security Magazine, and most recently 2022 Cybersecurity Champion of the Year by the Cybersecurity Association of Maryland.