Go Easy on Your CISO – They’re Under a Lot of Pressure

 

Threats are everywhere. And it’s no secret cyber criminals are getting more organized and working more patiently to accomplish their objective: stealing your data, access to which is provided via an infinite number of channels. There are currently an estimated five billion devices connected to the internet today and Gartner estimates that number to grow to 25 billion + by 2020. That’s almost 4 devices for every man, woman and child on the planet. Look around your desk. How many connected devices do you count? 5? 6? More? Further, just how many of these devices are being brought into and connected to the enterprise at work, exposing not just you, but your company to further risk? A recent article I read described the exponential increase of connected devices – including devices such as smart ice cubes that pulse to the beat of your music and monitor how much you’re drinking and smart diapers that can tell you when the baby needs to be changed! Every one of those devices pose a risk at home and work. This risk increases the strain on security resources that now have to be responsible for plugging up every hole, even ones they don’t know about.

The odds are against your success

Security professionals in today’s landscape have to be right 100% of the time to stop criminals, whereas the criminals only need to be right once. Those are pretty scary odds considering all the different devices they need to take into account. You would get better odds if you were to wager that I’d end up being the President of the Moon. I kind of like the sound of that.
I’ve been in the security space for nearly my entire career. Back in the old days, security was nothing more than installing a small firewall in a locked room that also housed the cleaning supplies because someone said a firewall was the right thing to do. Back then, the only time sensitive part of the job was ensuring the antivirus software on everyone’s system was up to date. Synching your phone was simply putting your Palm Pilot or Windows CE on its cradle to sync your contacts and calendar and working from home meant printing out your spreadsheets to take with you. As a CISO now, the number and magnitude of security risks that have to be factored into the day-to- day monitoring and overall corporate strategy are mind blowing. BYOD, IoT, VPN, ISO, PCI are all acronyms CISO’s lose sleep over. As a profession, we not only need to worry about the outside attackers intentionally threatening everything in our organizations, but we also have to make sure our legitimate inside users are informed  enough  so they’re not going to accidently open our systems to a vulnerability or circumvent security controls because “It gets in the way of doing real work”. We have all received those tempting emails offering an all-expenses paid trip to Tahiti or texts saying that we are entitled to a ten million dollar Nigerian inheritance; all we have to do is send them our SSN and corporate password to collect our riches. How do you ensure your users are armed with enough information so they know not to click or respond to obvious phishing scams as well as the more sophisticated ones designed to look perfectly legit?
Couple all that with the 100 different security tools we need to deploy from 50 different security vendors all with their own proprietary implementation and it’s a mystery to me why anyone would want to willingly work in the cybersecurity space. Don’t even get me started on physical security and regulatory compliance. Good luck getting any sleep at night! (Have I mentioned I’m thinking about switching careers to become a fisherman?)

You’re only as strong as your weakest link

You can spend millions of dollars on the fanciest security hardware with cool flashing lights and engage every vendor for their “Next Gen Security Whatever” solution, but all that aside, one gigantic vulnerability still exists in every organization. PEOPLE. Users are the single largest vulnerability when it comes to cybersecurity. In fact, studies show that 95% of successful security attacks are the result of human error – that is a scary number. Users can be manipulated into giving up sensitive information. Users can forget proper protocols and passwords, they can even forget that they’re not supposed to click that link!
A proper security awareness program with frequent reinforcement messages that advocate vigilance will help arm your users with the knowledge needed to protect your organization. Most regulatory compliance and security frameworks incorporate and in fact require a security awareness program for users. There is no use locking all the doors and windows when the users are going to continuously open them again. Informing your users why and how they should keep windows and doors locked empowers them with the information they need to turn them from our biggest vulnerability to our greatest asset. Security is no longer an IT problem, it is a business problem and security professionals at all levels need to work together to minimize the risk of the “people factor” and maximize the success of their security posture. As such, consider the following points to assist in the success of your security program.

1. Executive Support – A security awareness initiative without executive support will not get much traction with the rest of the organization. If the executives don’t see the value, other key departments you need to work with won’t either. Getting this level of support can be difficult, even though there is a correlation between compliance and awareness efforts and reducing corporate risk.
2. Peer and Interdepartmental Support – Everyone is busy, but just as important as getting executive support is getting departmental support. If people don’t see the direct value of your program, it’s not likely to succeed. Tailor your message to the specific department. Partner with them. Make key departments such as legal, HR and finance understand they have a vested interest. As security practitioners, we know we have to work up, down and sideways to get the support needed for our initiatives to be successfully implemented.
3. Walk before you run – When it comes to security awareness, there isn’t a one size fits all solution. Depending on your industry and company culture, you will need to evaluate your audience and their level of expertise and cater your program to allow your audience to extract the most value out of your message.
4. Have a Plan – I cannot stress this enough. After getting everyone to support your program, you need a way to execute and measure the success of the initiative. Compliance programs, such as PCI have their suggested methods, but these should be used as a baseline or framework to build on and customize for your organization. Create a 90 day plan and identify key performance indicators to keep your program successful and progressing.
5. Reinforce, Reinforce, Reinforce – It doesn’t have to be weekly stern emails telling people not to click on links in emails sent from Romania or not write their corporate passwords on a sticky-note and place it under their keyboard. Be creative and be consistent. Make people want to join and engage in the program. Create a cybersecurity week and celebrate a theme. Have others share experiences. Give out prizes for participation. Create posters. Get everyone engaged. Employees feel engaged in the program if they can relate personal experiences to the message.

We all wear multiple hats when it comes to cyber protection and security awareness. We must protect ourselves against both internal and external threats, inform our legitimate users about what not to do, sniff out those looking to harm the rest of us. It’s an ongoing effort that requires teamwork. Make sure your team is educated, motivated and armed with the knowledge and tools necessary to do their part and they will.

Steve Tcherchian, CISSP
CISO
XYPRO Technology