Endpoint | Commentary

3/29/2017 10:30 AM
Rocco Grillo
To Gain Influence, CISOs Must Get Security's Human Element Right

Focusing on certain elements of security in isolation can cause a false sense of security.

It can be tempting for CISOs to look to the latest technology as a cure-all for securing their organizations. Inevitably, they're also occupied with security governance and compliance requirements. However, concentrating on these aspects in isolation can lead to a false sense of security.

CISOs should be careful not to overlook basic fundamentals around how their employees behave and interact with the organization's data and technology. Excessive sharing of, and access to, information introduces significant risk. The more sensitive data an employee can reach, the more a criminal gains from compromising that one employee's credentials, because every grant the account holds becomes the attacker's. CISOs need to cast a wider net around who they're protecting and tailor their security plans to the way the business operates. Although it's not a quick fix, focusing on employees can have a significant impact on a CISO's success and help limited budgets go further.

Here are four recommendations for CISOs looking to increase their influence and direct security efforts where they have the greatest effect.

1. Protect employees who have the keys to the kingdom.
Cybercriminals' primary targets are the decision-makers with the combination of access and authority. It's essential for CISOs to have a detailed understanding of how their executives operate at an individual level in order to protect them.

These targets are likely to use multiple devices, including PCs, laptops, smartphones, and tablets. They tend to travel, often globally, communicating not only from their cellphones but also over a VPN or connected to hotel Wi-Fi. They may be doing business in countries such as China, Russia, and others where they are at risk of falling victim to economic or political espionage. It can be a good idea to work with an outside provider to conduct security assessments on executives to test their susceptibility to social engineering emails and assess their security while on the go.

2. Be aware that others besides the senior leadership team have the keys to the kingdom.
Criminals seeking employee credentials are deploying increasingly cunning spearphishing and social engineering tactics and widening the net of targets that they view as "high value." Many CISOs mistakenly focus solely on the high-profile C-suite, board members, and those with domain access. Although these are crucial targets to protect, there are others in the organization that criminals are likely to target: the head of communications who might have access to sensitive earnings data before it's public, the executive assistant who holds all of the CEO's passwords, or the employee in HR or accounts payable who might be going through a tough time at home and is therefore more susceptible to pressure or a well-timed lure.

The executive leadership bubble is much wider than the leaders themselves, and others are often given more access than they need. Just as CISOs need to know what their critical assets are, they need to understand who in the "inner circle" could grant criminals access to them.

3. Deepen your search for critical data that those with authority can access.
When identifying a company's critical assets, security teams should probe senior leadership and innovators within the business. The C-suite, general counsel, chief marketing officer, and product development leaders might be creating, storing, and sharing sensitive intelligence to which only they are privy. Be sure to look beyond data that's regulated. If you're a brick-and-mortar retailer with substantial online sales, you may be focused on protecting credit card information, but if credentials are compromised, criminals can cause havoc — for example, by attacking your ecommerce site, manufacturing plants, or supply chain. Although regulated data may not be compromised, this could bring a company to a halt.

Once the critical assets are identified, there needs to be alignment with the board, which has the fiduciary responsibility to ensure that the company is safeguarding its most critical assets, whether through adequate funding, head count, expertise, or other means. Many organizations' security programs suffer because employees are given excessive access to data that they don't need. At all levels, access rights should be granted according to job function, and they should be reviewed and re-granted whenever responsibilities change, so that entitlements from a previous role do not accumulate silently.
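As an added illustration of the two points above (knowing who in the "inner circle" holds a sensitive entitlement, and granting access by job function and refreshing it when responsibilities change), the following Python is example code written for this page; it is not from the article or from Stroz Friedberg. The role matrix, user records, and entitlement names are all constructed for the example; a real review would pull the matrix from the HR/IAM system of record and the grants from a directory export.

```python
"""Access recertification check: compare what people hold against what their job needs.

Example code added for this page (hypothetical names and data throughout).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed role-to-entitlement matrix: what each job function should hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "accounts-payable": {"erp.ap.read", "erp.ap.approve"},
    "hr-generalist": {"hris.employee.read"},
    "exec-assistant": {"calendar.exec.write", "mail.exec.delegate"},
    "comms-lead": {"earnings.draft.read", "press.publish"},
}


@dataclass
class User:
    name: str
    role: str                     # current job function
    previous_role: Optional[str]  # set when responsibilities changed
    entitlements: Set[str]        # what the directory/IAM export says they hold


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str  # "stale": carried over from a previous role; "excess": never justified


def review_user(user: User,
                matrix: Dict[str, Set[str]] = ROLE_ENTITLEMENTS) -> List[Finding]:
    """Flag every entitlement the user's current job function does not justify.

    A role missing from the matrix justifies nothing, so all of that user's
    grants are reported rather than silently accepted.
    """
    allowed = matrix.get(user.role, set())
    prior = matrix.get(user.previous_role, set()) if user.previous_role else set()
    findings: List[Finding] = []
    for ent in sorted(user.entitlements - allowed):
        reason = "stale" if ent in prior else "excess"
        findings.append(Finding(user.name, ent, reason))
    return findings


def review_all(users: List[User]) -> List[Finding]:
    """Run the job-function check over a whole export."""
    out: List[Finding] = []
    for u in users:
        out.extend(review_user(u))
    return out


def holders_of(users: List[User], entitlement: str) -> List[str]:
    """Everyone who currently holds a given entitlement: the inner circle for that asset."""
    return sorted(u.name for u in users if entitlement in u.entitlements)


# Constructed IAM export for the example.
SAMPLE_USERS: List[User] = [
    User("dana", "accounts-payable", None, {"erp.ap.read", "erp.ap.approve"}),
    # lee moved from AP to HR; the approve right was never removed.
    User("lee", "hr-generalist", "accounts-payable",
         {"hris.employee.read", "erp.ap.approve"}),
    # sam was given pre-release earnings access "to be helpful" to the CEO.
    User("sam", "exec-assistant", None,
         {"calendar.exec.write", "mail.exec.delegate", "earnings.draft.read"}),
    User("pat", "comms-lead", None, {"earnings.draft.read"}),
]


def sample_findings() -> List[Finding]:
    return review_all(SAMPLE_USERS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.user}: {f.entitlement} ({f.reason})")
    print("holders of earnings.draft.read:",
          holders_of(SAMPLE_USERS, "earnings.draft.read"))
```

On the sample data the check reports lee's leftover `erp.ap.approve` as stale and sam's `earnings.draft.read` as excess, and shows that pre-release earnings data is reachable through two accounts, not one. The "stale" versus "excess" split matters in practice: stale grants point at a broken joiner/mover/leaver process, while excess grants point at ad hoc approvals outside the role model.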

4. Leverage other stakeholders in your organization to be your advocates.
As technology increasingly touches every part of an organization, the "CISO of the future" needs a seat at the table when business decisions are being made. Cybersecurity now has more visibility at the board level. However, this isn't the case across all organizations, as leadership teams often mistakenly view cybersecurity in silos, as an IT issue, or as something they can take off their balance sheet with insurance. Whether or not CISOs carry authority at the highest levels, with limited budgets and ever-expanding responsibilities, they must enlist others as advocates for good security practices across departments. CISOs can then more effectively advise on how changes in the business affect cybersecurity, and encourage the entire organization to commit to a continuous process of improvement.

There is much that CISOs can do with others in the organization below board level: implementing training and awareness programs with HR; coordinating with the legal, PR, and other departments on their roles in incident response plans; aligning with risk officers to balance remediating and insuring against cyberrisk; and so on. CISOs must not allow themselves to be pigeonholed as purely technical practitioners.

A CISO's role will always require deep technical fundamentals. CISOs are also responsible for keeping the company compliant with multiple frameworks and regulations. However, if CISOs don't know how their employees are using and abusing data, information, and technology, they won't be effective at protecting critical assets and high-value employees. Even with the best intentions and largest budget, a CISO on the periphery of the organization won't be as effective as one who builds relationships and focuses on the business priorities and activities of their employees. 

Rocco Grillo is Stroz Friedberg's Cyber Resilience Leader and a member of the firm's executive management team. His cyber resilience team, which includes the company's incident responders and security scientists who deliver the firm's proactive and reactive cybersecurity ...

Comments
bufflowbill, User Rank: Apprentice
5/3/2017 | 5:31:35 PM
Re: #1 extended
I think they should also consider the health of their cybersecurity staff. Find out how they are doing. Are they satisfied with their roles, career, pay, etc.? Not to be held hostage, of course, but it does matter. When the people you want to protect aren't happy, you are in a bad place. They will leave, leaving a vacuum, and they also have important information they are leaving with. Don't forget that side of the human interaction.
Joe Stanganelli, User Rank: Ninja
3/29/2017 | 8:50:12 PM
#1 extended
To take tip #1 a step further, another effective method is to offer employees training on security in general -- i.e., for their personal lives, impacting such things as their banking, their personal social media accounts, etc. Give them, as a benefit, training on how they can secure their personal lives.

Then, it's easy from there to demonstrate how that can and should be used professionally, at work. And if they're already doing it in their personal lives, they'll be that much more likely to do it in their professional lives.