#CISO, if you call your servers, laptops, workstations, firewalls, routers, mobile phones and faxes "the stuff", stop reading now.
But you don’t. You keep an asset list, with a specific risk for each asset, a mitigation plan and monitoring.
You need to do the same with your employees: they are not one piece, and you never call HR asking for 20 pieces of employees. On one side you have your paranoid IT guy who reads his email from the terminal, and on the other you have Double-Click Dave, who double-clicks any link.
And when you run a yearly cyber-security course, or even when you send all of them the same phishing email, you just aggregate them into one group.
You need to build your asset list, KYE (Know Your Employee): see what they like and what they don’t like, what their understanding is of the risks they face in day-to-day life, what tools they use, and how they bypass your restrictions.
Then you need to assess their awareness level, and test it.
Third, you need a mitigation plan: what is your paranoid IT guy missing because of his over-paranoia? Why does Double-Click Dave double-click every email twice? How can you personally teach each of them about social engineering risks?
And finally, you need to monitor it: you need to see whether those classes actually changed day-to-day behaviour, and you need constant cycles of testing and training.
As the CISO, you can’t look at your employees as pieces of equipment; each one brings a personalized set of risks, and each needs a personalized solution.