Seasoned security executives know that creating a culture of cybersecurity starts at the top. As CIO Alex Philips explains, Cybersecurity Awareness Month at NOV, Inc. is marked by a special emphasis on social engineering and personal cyber hygiene. He notes that, since we often bring portions of our home lives to work with us, it makes sense that good cyber sense be developed at home.
We asked Philips for his take on National Cybersecurity Awareness Month, key initiatives at NOV, and what can really get done in 30 days.
Editorial Team: Protecting organizations from cyber threats in a cost-effective way is a topic of conversation across many CIOs. With cybersecurity awareness month in mind, what is one critical activity CIOs can do today to continually enhance their cybersecurity practices?
Alex Philips: Given the recent cyber breaches in the news and their very real, material impact on company bottom lines, it is imperative that we all take a few minutes to ensure we are not susceptible to the same threats many of these companies fell victim to, which is social engineering.
We have all worked to lower the cost of repetitive tasks by automation, by pushing such work to our early-career employees, or by outsourcing these tasks. But have we inadvertently put our security at risk as a result?
My advice to all CIOs is to examine your processes for password and MFA resets and ensure you have separation of duties for these tasks. Make sure your front line does not have the power to reset both. For our financial systems, we closely guard against separation of duty violations that can lead to monetary theft. Have we created a similar risk for our identity systems?
Editorial Team: What recommendations do you have to enhance employee cybersecurity awareness and diligence?
Alex Philips: As much as we all hate it, repetition is key. Phishing training with follow-up guidance on the clues (we call them Phishbones) they should have seen in the training. This is important as it helps us recognize the tricks scammers attempt to use against us.
Editorial Team: How can you change an organization's internal culture to emphasize a higher importance of cybersecurity awareness and action?
Alex Philips: I believe it starts at the top with the CEO. They help set the tone of how important it is to them which will trickle down through our organization. We joke at NOV that you can never trust an email from Clay Williams, our CEO.
Editorial Team: Do you have a success story around a program or initiative that helped drive better cybersecurity awareness?
Alex Philips: We recorded a video of our team recreating an actual incident we went through and explained the “why” as we shared the details of how the bad guys attacked us. That really gave the team an understanding of what a real-life cyber incident looks like and how we protect against them.
Editorial Team: What can realistically be accomplished in 30 days at the organizational level to improve overall security posture?
Alex Philips: It is surprising how quickly you can gain the attention of your organization with a well-crafted CEO video on cybersecurity followed up with good phishing training. We have also found it very effective to have a Teams meeting where we focus on how our employees can improve cybersecurity in their personal lives. If they can improve at home, they will bring the same mindset and practices to work.
What to read next