Here at Nubank, we take Information Security as a top priority. This is why our Information Security Business Unit has over 120 professionals organized into defensive and offensive squads. They share the same common goal: protect more than 70 million customers across Latin America.
The human factor in information security has become the main vector cybercriminals use to break into organizations and cause data breaches, so in this article I will delve into the Security Awareness profession — one of the careers within Nubank’s Infosec team — and why it is such an essential role in any organization. Keep reading!
Big picture of Cyber Security
Recent research from Cyber Security Ventures found that 90% of cyberattacks originate from email, which means that the most effective and popular attacker strategy is to trick people through phishing.
Even with the best and most advanced technical protections in place, social engineering is a kind of scam that can usually bypass them. The other way we have to protect ourselves is by ensuring awareness. This remains true when we look at the PPT (People, Process, Technology) framework, which has been in use since the 1960s and was popularized by Bruce Schneier.
Amateurs hack systems, Professionals hack people. (Bruce Schneier)
Security Culture and Strategy
So, if information security is about People, Process and Technology, it is no different here. We have an area inside the Security Enablement team responsible for building the strategy for how we train people and spread the security culture.
Yes! This is about culture. We normally do not talk about information security at school or in college; we normally do not talk about it at all. But every day we see scams, or scammed people asking for help because they lost a password or an access, or because they suffered a data breach. Sometimes a training session, a phishing test run for awareness purposes, or simply a communication piece or video is enough to empower people and make them aware of security.
What does an Information Security Awareness Engineer do at Nubank?
Scope of Work
Security Awareness Professionals are responsible for training, testing and communicating with employees, third parties and clients about cyber security through internal and external channels and by organizing events (like Infosec Week). They are also responsible for creating and maintaining the awareness strategy in line with frameworks, policies and regulations.
Being a Security Awareness Professional means knowing about Security, Education and Marketing. It is a multidisciplinary profession. After all, it is very common to see professionals working on many things at the same time, for example leading GRC programs, building systems and also taking care of Security Awareness.
Security Awareness is not only a task, it is a profession! Security Awareness is not only a topic, it is a company priority. Building a cybersecurity culture is a bit like creating a human firewall, and we are all responsible for building this strong wall. The Security Awareness professional only shows the way, teaches and facilitates the process, but everybody builds it together.
What our Information Security Awareness Engineers say:
“Being a Security Awareness Engineer is understanding that people can follow a behavior that poses risk to them and the company they work for without realizing that it is wrong. It is up to the Awareness Engineer to show (sometimes more than once) the correct path and create, that way, a safer and more efficient culture, adding to all aspects of that person’s life.” (Robert Gomes)
“Awareness is about people, and when we talk about them we talk about diversity. It is a constant challenge to understand and study the human being, how to convey messages assertively and teach, shaping a culture of safety in each individual.” (Beatriz Zardo)
“Working with information security awareness is a daily challenge: impacting a person’s life not only on the professional side, but also caring about spilling over to the personal side. When we reach this level, where the person brings the teachings passed on during work to their home, into their daily lives, that’s when we reach the main point: making the individual aware of the consequences of their unsafe actions on the internet. After all, this is what determines awareness: when we are aware of something, we know exactly what the consequences of our actions will be.” (Felipe Rodrigues)