Endpoint
3/29/2017 10:30 AM
Rocco Grillo
Commentary

To Gain Influence, CISOs Must Get Security's Human Element Right

Focusing on certain elements of security in isolation can cause a false sense of security.

It can be tempting for CISOs to look to the latest technology as a cure-all for securing their organizations. Inevitably, they're also occupied with security governance and compliance requirements. However, concentrating on these aspects in isolation can lead to a false sense of security.

CISOs should be careful not to overlook basic fundamentals around how their employees behave and interact with the organization's data and technology. Excessive sharing of, and access to, information introduces significant risk. The more sensitive data an employee can reach, the more a criminal gains by compromising that employee's credentials. CISOs need to cast a wider net around who they're protecting and tailor their security plans to the way the business operates. Although it's not a quick fix, focusing on employees can have a significant impact on a CISO's success and help limited budgets go further.

Here are four recommendations for CISOs looking to increase their influence and direct security efforts where they have the greatest effect.

1. Protect employees who have the keys to the kingdom.
Cybercriminals' primary targets are the decision-makers with the combination of access and authority. It's essential for CISOs to have a detailed understanding of how their executives operate at an individual level in order to protect them.

These targets are likely to use multiple devices, including PCs, laptops, smartphones, and tablets. They tend to travel, often globally, communicating not only from their cellphones but also over a VPN or connected to hotel Wi-Fi. They may be doing business in countries such as China, Russia, and others where they are at risk of falling victim to economic or political espionage. It can be a good idea to work with an outside provider to conduct security assessments on executives to test their susceptibility to social engineering emails and assess their security while on the go.

2. Be aware that others besides the senior leadership team have the keys to the kingdom.
Criminals seeking employee credentials are deploying increasingly cunning spearphishing and social engineering tactics and widening the net of targets that they view as "high value." Many CISOs mistakenly focus solely on the high-profile C-suite, board members, and those with domain access. Although these are crucial targets to protect, there are others in the organization that criminals are likely to target: the head of communications who might have access to sensitive earnings data before it's public, the executive assistant who holds all of the CEO's passwords, or the employee in HR or accounts payable who might be going through a tough time at home.

The executive leadership bubble is much wider than the leaders themselves, and others are often given more access than they need. Just as CISOs need to know what their critical assets are, they need to understand who in the "inner circle" could grant criminals access to them.

3. Deepen your search for critical data that those with authority can access.
When identifying a company's critical assets, security teams should probe senior leadership and innovators within the business. The C-suite, general counsel, chief marketing officer, and product development leaders might be creating, storing, and sharing sensitive intelligence to which only they are privy. Be sure to look beyond data that's regulated. If you're a brick-and-mortar retailer with substantial online sales, you may be focused on protecting credit card information, but if credentials are compromised, criminals can cause havoc — for example, by attacking your ecommerce site, manufacturing plants, or supply chain. Although regulated data may not be compromised, this could bring a company to a halt.

Once the critical assets are identified, there needs to be alignment with the board, which has the fiduciary responsibility to ensure that the company is safeguarding its most critical assets, whether through adequate funding, head count, expertise, or other means. Many organizations' security programs suffer because employees are given excessive access to data that they don't need; at all levels, access rights should be granted relating to job function and should be refreshed with any changes in responsibilities.
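The "inner circle" question in recommendation 2 and the role-based, refreshed-on-change access rule in recommendation 3 are both checks that can be run over an entitlement export rather than answered by interview alone. The script below is an added illustration, not code from the article or from Stroz Friedberg, and every name in it (the users, roles, resources and grant dates) is constructed sample data for a hypothetical organization. It models shared credentials as a `creds:<user>` entitlement (the executive assistant who holds the CEO's passwords), follows those edges transitively to find every principal who can effectively reach a critical asset, and then flags grants that are outside the holder's role baseline or that predate the holder's current role and so should be recertified.

```python
"""Access-review model: who can effectively reach critical assets, and which
grants fall outside a role baseline or predate a role change.

Added example with constructed data; the organization, names, roles,
resources and dates are hypothetical.
"""
from collections import defaultdict, deque
from datetime import date

# Per-role baseline: the resources a job function legitimately needs.
ROLE_BASELINE = {
    "ceo": {"board-portal", "earnings-drafts"},
    "exec-assistant": {"ceo-calendar"},
    "comms-head": {"earnings-drafts", "press-drive"},
    "ap-clerk": {"ap-system"},
}

# Users with their current role and the date that role was assigned.
USERS = {
    "alice": {"role": "ceo", "role_changed": "2016-01-10"},
    "bob": {"role": "exec-assistant", "role_changed": "2017-02-01"},
    "carol": {"role": "comms-head", "role_changed": "2015-06-01"},
    "dan": {"role": "ap-clerk", "role_changed": "2017-03-15"},
}

# Grants as (principal, resource, granted_on). A "creds:<user>" resource means
# the principal holds <user>'s credentials and can act as that user.
GRANTS = [
    ("alice", "board-portal", "2016-01-10"),
    ("alice", "earnings-drafts", "2015-03-01"),  # held since an earlier role
    ("bob", "ceo-calendar", "2017-02-01"),
    ("bob", "creds:alice", "2016-05-01"),        # assistant keeps the CEO's passwords
    ("carol", "earnings-drafts", "2015-06-01"),
    ("carol", "press-drive", "2015-06-01"),
    ("dan", "ap-system", "2017-03-15"),
    ("dan", "press-drive", "2014-09-01"),        # leftover from a previous job
]

CRITICAL_ASSETS = {"board-portal", "earnings-drafts", "ap-system"}


def build_graph(grants):
    """Adjacency list: principal -> set of resources and creds:* entries it holds."""
    graph = defaultdict(set)
    for principal, resource, _ in grants:
        graph[principal].add(resource)
    return graph


def effective_access(principal, graph):
    """Resources reachable from principal, following creds: edges transitively
    (breadth-first, with a visited set so credential cycles terminate)."""
    seen = {principal}
    queue = deque([principal])
    resources = set()
    while queue:
        current = queue.popleft()
        for item in graph.get(current, ()):
            if item.startswith("creds:"):
                target = item[len("creds:"):]
                if target not in seen:
                    seen.add(target)
                    queue.append(target)
            else:
                resources.add(item)
    return resources


def inner_circle(asset, users, graph):
    """Every principal whose effective access (direct or via held credentials)
    includes the asset: the people who could hand an attacker that asset."""
    return {u for u in users if asset in effective_access(u, graph)}


def review_grants(users, grants, baseline):
    """Flag grants outside the holder's role baseline, and in-baseline grants
    issued before the holder's current role began (they need recertification)."""
    findings = []
    for principal, resource, granted_on in grants:
        user = users.get(principal)
        if user is None:
            findings.append((principal, resource, "unknown principal"))
            continue
        allowed = baseline.get(user["role"], set())
        if resource not in allowed:
            findings.append((principal, resource, "outside role baseline"))
        elif date.fromisoformat(granted_on) < date.fromisoformat(user["role_changed"]):
            findings.append((principal, resource, "predates current role; recertify"))
    return sorted(findings)


if __name__ == "__main__":
    graph = build_graph(GRANTS)
    for asset in sorted(CRITICAL_ASSETS):
        print(f"{asset}: reachable by {sorted(inner_circle(asset, USERS, graph))}")
    for finding in review_grants(USERS, GRANTS, ROLE_BASELINE):
        print("REVIEW", *finding)
```

Run against the sample data, the reachability pass shows that the executive assistant can reach the board portal and the earnings drafts even though neither appears in his own entitlements, and the review pass surfaces the stored CEO credentials, the accounts-payable clerk's leftover press-drive access, and a CEO grant that predates her current role. In practice the `GRANTS` list would come from an IAM or directory export and the `creds:` edges from a password-vault or shared-mailbox inventory; the point is that both questions the article raises are answerable from data the organization already holds.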

4. Leverage other stakeholders in your organization to be your advocates.
As technology increasingly touches every part of an organization, the "CISO of the future" needs a seat at the table when business decisions are being made. Cybersecurity now has more visibility at the board level. However, this isn't the case across all organizations, as leadership teams often mistakenly view cybersecurity in silos, as an IT issue, or as something they can take off their balance sheet with insurance. Whether or not CISOs carry authority at the highest levels, with limited budget and ever-expanding responsibilities, they must leverage others to become advocates for good security practices across departments. CISOs can then more effectively advise on how changes in the business affect cybersecurity, and encourage the entire organization to commit to a continuous process of improvement.

There is much that CISOs can do with others in the organization below board level: implementing training and awareness programs with HR; coordinating with the legal, PR, and other departments on their roles in incident response plans; aligning with risk officers to balance remediating and insuring against cyberrisk; and so on. CISOs must not allow themselves to be pigeonholed as purely technical practitioners.

A CISO's role will always require deep technical fundamentals. CISOs are also responsible for keeping the company compliant with multiple frameworks and regulations. However, if CISOs don't know how their employees are using and abusing data, information, and technology, they won't be effective at protecting critical assets and high-value employees. Even with the best intentions and the largest budget, a CISO on the periphery of the organization won't be as effective as one who builds relationships and focuses on the business priorities and activities of their employees.

Rocco Grillo is Stroz Friedberg's Cyber Resilience Leader and a member of the firm's executive management team. His cyber resilience team, which includes the company's incident responders and security scientists who deliver the firm's proactive and reactive cybersecurity ...
Comments

Joe Stanganelli, 3/29/2017 8:50:12 PM
#1 extended
To take tip #1 a step further, another effective method is to offer employees training on security in general -- i.e., for their personal lives, impacting such things as their banking, their personal social media accounts, etc. Give them, as a benefit, training on how they can secure their personal lives.

Then, it's easy from there to demonstrate how that can and should be used professionally, at work. And if they're already doing it in their personal lives, they'll be that much more likely to do it in their professional lives.