Endpoint | Commentary
3/29/2017 10:30 AM
Rocco Grillo
To Gain Influence, CISOs Must Get Security's Human Element Right

Focusing on certain elements of security in isolation can cause a false sense of security.

It can be tempting for CISOs to look to the latest technology as a cure-all for securing their organizations. Inevitably, they're also occupied with security governance and compliance requirements. However, concentrating on these aspects in isolation can lead to a false sense of security.

CISOs should be careful not to overlook basic fundamentals around how their employees behave and interact with the organization's data and technology. Excessive sharing of, and access to, information introduces significant risks. The more access to sensitive data an employee has, the easier it is for cybercriminals to reach a company's critical assets once they successfully compromise that employee's credentials. CISOs need to cast a wider net around who they're protecting and tailor their security plans to the way the business operates. Although it's not a quick fix, focusing on employees can have a significant impact on a CISO's success and help limited budgets go further.

Here are four recommendations for CISOs looking to increase their influence and direct security efforts where they have the greatest effect.

1. Protect employees who have the keys to the kingdom.
Cybercriminals' primary targets are the decision-makers with the combination of access and authority. It's essential for CISOs to have a detailed understanding of how their executives operate at an individual level in order to protect them.

These targets are likely to use multiple devices, including PCs, laptops, smartphones, and tablets. They tend to travel, often globally, communicating not only from their cellphones but also over a VPN or connected to hotel Wi-Fi. They may be doing business in countries such as China, Russia, and others where they are at risk of falling victim to economic or political espionage. It can be a good idea to work with an outside provider to conduct security assessments on executives to test their susceptibility to social engineering emails and assess their security while on the go.

2. Be aware that others besides the senior leadership team have the keys to the kingdom.
Criminals seeking employee credentials are deploying increasingly cunning spearphishing and social engineering tactics and widening the net of targets that they view as "high value." Many CISOs mistakenly focus solely on the high-profile C-suite, board members, and those with domain access. Although these are crucial targets to protect, there are others in the organization whom criminals are likely to target: for example, the head of communications who might have access to sensitive earnings data before it's public, the executive assistant who holds all of the CEO's passwords, or the employee in HR or accounts payable who might be going through a tough time at home.

The executive leadership bubble is much wider than the leaders themselves, and others are often given more access than they need. Just as CISOs need to know what their critical assets are, they need to understand who in the "inner circle" could grant criminals access to them.

3. Deepen your search for critical data that those with authority can access.
When identifying a company's critical assets, security teams should probe senior leadership and innovators within the business. The C-suite, general counsel, chief marketing officer, and product development leaders might be creating, storing, and sharing sensitive intelligence to which only they are privy. Be sure to look beyond data that's regulated. If you're a brick-and-mortar retailer with substantial online sales, you may be focused on protecting credit card information, but if credentials are compromised, criminals can cause havoc — for example, by attacking your ecommerce site, manufacturing plants, or supply chain. Although regulated data may not be compromised, this could bring a company to a halt.

Once the critical assets are identified, there needs to be alignment with the board, which has the fiduciary responsibility to ensure that the company is safeguarding its most critical assets, whether through adequate funding, head count, expertise, or other means. Many organizations' security programs suffer because employees are given excessive access to data that they don't need; at all levels, access rights should be granted according to job function and should be reviewed and refreshed with any change in responsibilities.

4. Leverage other stakeholders in your organization to be your advocates.
As technology increasingly touches every part of an organization, the "CISO of the future" needs a seat at the table when business decisions are being made. Cybersecurity now has more visibility at the board level. However, this isn't the case across all organizations, as leadership teams often mistakenly view cybersecurity in silos, as an IT issue, or as something they can take off their balance sheet with insurance. Whether or not CISOs carry authority at the highest levels, with limited budget and ever-expanding responsibilities, they must leverage others to become advocates for good security practices across departments. CISOs can then more effectively advise on how changes in the business affect cybersecurity, and encourage the entire organization to commit to a continuous process of improvement.

There is much that CISOs can do with others in the organization below board level: implementing training and awareness programs with HR; coordinating with the legal, PR, and other departments on their roles in incident response plans; aligning with risk officers to balance remediating and insuring against cyberrisk; and so on. CISOs must not allow themselves to be pigeonholed as purely technical practitioners.

A CISO's role will always require deep technical fundamentals. CISOs are also responsible for keeping the company compliant with multiple frameworks and regulations. However, if CISOs don't know how their employees are using and abusing data, information, and technology, they won't be effective at protecting critical assets and high-value employees. Even with the best intentions and largest budget, a CISO on the periphery of the organization won't be as effective as one who builds relationships and focuses on the business priorities and activities of their employees. 

Rocco Grillo is Stroz Friedberg's Cyber Resilience Leader and a member of the firm's executive management team. His cyber resilience team, which includes the company's incident responders and security scientists who deliver the firm's proactive and reactive cybersecurity ...
Comments
bufflowbill, User Rank: Apprentice, 5/3/2017 | 5:31:35 PM
Re: #1 extended
I think they should also consider the health of their cybersecurity staff. Find out how they are doing. Are they satisfied with their roles, career, pay, etc.? Not to be held hostage, of course, but it does matter. When the people you want to protect aren't happy, you are in a bad place. They will leave, leaving a vacuum, and they also have important information they are leaving with. Don't forget that side of the human interaction.
Joe Stanganelli, User Rank: Ninja, 3/29/2017 | 8:50:12 PM
#1 extended
To take tip #1 a step further, another effective method is to offer employees training on security in general -- i.e., for their personal lives, impacting such things as their banking, their personal social media accounts, etc. Give them, as a benefit, training on how they can secure their personal lives.

Then, it's easy from there to demonstrate how that can and should be used professionally, at work. And if they're already doing it in their personal lives, they'll be that much more likely to do it in their professional lives.