Vulnerabilities / Threats
12/8/2015
10:30 AM
Jon Allen
Commentary

How CISOs Can Reframe The Conversation Around Security: 4 Steps

Security professionals often complain that people are the weak link in the data security system. But in reality, they could be your biggest asset and ally.

When I joined Baylor University in 1995, the job I have now did not exist. In 2003, I took on the role as coordinator of IT security at the university, but it wasn’t until a few years later that the Chief Information Security Officer (CISO) role formalized into what it is today – a high visibility position that touches every aspect of the organization.

Today, 44 percent of organizations employ a CISO and full-fledged information security team, which has increasingly become a necessity in protecting against data breaches. Cyberattacks are more persistent and sophisticated, and as a result, CISOs are rethinking the most fundamental aspects of IT strategy and infrastructure. This new security paradigm is no longer just about using technology to protect against the next data breach; it lives at the intersection of technology and people.

Corporate data has shifted from behind corporate firewalls and servers; data now lives on the edge of the network on user devices, where it is more vulnerable to threats. With this shift come new CISO challenges. To be effective, IT and security teams need visibility into where information is stored and what type of information is on devices, and the ability to apply appropriate data controls. In today’s BYOD world, what matters is how and where employees are taking the data. It is not about implementing more and more security protocol; it is about educating employees on the responsible choices they can make to avoid data loss and mitigate risk. We’re all in this together.

With a centralized security approach where operations are unified rather than siloed, teams can integrate security into every aspect of their organization and be proactive and strategic together. As technology changes, it is vital to get the entire organization on board. Here are four steps to help you focus on the people in your security strategy:

1. Drive home the personal benefits of security
Employees often have trouble understanding the importance of a security policy; they do not want to be inconvenienced unless they see a true benefit. To ensure the value of security resonates within the workforce, make it personal by informing people how a data breach would impact them personally. For example, students at Baylor might be more concerned about data protection and security policies if they knew the schoolwork on their laptop, including book-length theses, was protected from theft, hard drive crashes or attacks on the network.

2. Teach users the value of security
It is easy to tell employees to sign a security policy, back up their data, and be wary of potential scams or breaches, but simply telling them what to do doesn’t teach anything about the benefits or risks. When people understand the “why behind the what” and the value of a security strategy, they’ll be more invested in it. Sharing examples of how security threats have impacted organizations is a great way to demonstrate the potential consequences of their behavior. If someone opens a phishing email and follows a hyperlink that delivers malware, that single action could threaten an organization’s entire network.

3. Create security policies that are easy to enforce
Having structure and processes around security is key to gaining buy-in. It is not enough to deploy the latest and greatest advanced threat detection and anti-malware software. You must also introduce basic steps that will hedge against human error. Data loss through malware, hardware failure or accident is one of the most common and most preventable threats. By continuously backing up your organization’s data, data availability can be integrated into your organization’s infrastructure and processes. Another example of baking security into the organization is Baylor’s approach to software acquisition. Faculty and staff must submit forms for software approval through the information security team. This allows risk analysis to take place before software is purchased for the campus environment. Failure to follow the process results in delays or cancellation by the purchasing team.

4. Leverage relationships with key stakeholders
CISOs are responsible for advising and consulting key stakeholders within their organizations to help them understand their respective roles and responsibilities within security. As part of this give and take, the CISO needs to quantify the risk and explain how it applies to each stakeholder's domain. As with general employees, department managers will take more ownership when they understand how security maps to compliance requirements.

CISOs should also show employees how security extends beyond endpoints, networks and datacenters. Any technology that is connected via an IP address today can expose an entire network. At Baylor we recently built a new stadium with the audio system, elevators and fire alarms all connected and dependent on the network. With all of those connected devices, significant planning helped to ensure that proper security measures were in place to protect the school.

The conversation around information security has been reframed. It is no longer strictly about the technical aspects; now, it is about engagement and relationship building. CISOs must learn a new set of skills to incorporate everyone in the security strategy – not just their security team. Security professionals often complain that people are the weak link in the data security system, but, in reality, they could be your biggest asset and ally.  

Jon Allen is the assistant vice president and Chief Information Security Officer at Baylor University where he has built the information security group from a one-person shop to an integrated organization. Jon has more than ten years of experience in information and network ...
Comments
Sagiss, LLC
User Rank: Strategist
12/9/2015 | 3:24:12 PM
Great Read
There's so much talk about employee education but not a lot of action. Thanks, Jon, for listing out the steps that can be taken in order to move this conversation from fantasy to reality. With insider threats becoming a bigger and bigger issue among companies, a step-by-step guide like this could prove very handy for a lot of CISOs. Cheers.
UlfM645
User Rank: Apprentice
12/8/2015 | 1:24:33 PM
Operations are unified and data-centric rather than siloed
I agree that "With a centralized security approach where operations are unified rather than siloed, teams can integrate security into every aspect of their organization and be proactive and strategic together."

I think that we are wasting a lot of money on firewalls and network perimeter security, things that make us feel safe but don't address real problems. Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber-attacks. According to the survey, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security. Ponemon concluded that "This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification."

I found good guidance in a recent report from Gartner. The report analyzed solutions for Data Protection and Data Access Governance and the title of the report is "Market Guide for Data-Centric Audit and Protection." The report concluded that "Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act."

The attackers are increasingly focused on stealing our sensitive data and will always look for the next path to attack the data. So we urgently need to secure the sensitive data itself with modern data security approaches.

I read an interesting report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users". The name of the study is "Tokenization Gets Traction".

Ulf Mattsson, CTO Protegrity