
Operations

11/1/2019
10:00 AM
Lena Smart
Commentary

Raising Security Awareness: Why Tools Can't Replace People

Training your people and building relationships outside of the security organization is the most significant investment a CISO can make.

I've worked in information security for over two decades, and I can tell you firsthand that instilling a culture that puts security first in all organizations, not just the ones that traditionally have a role in security, is a challenge. There are, however, a number of leadership techniques that will raise security awareness in any organization of any size. Here are four tried and true strategies.

Strategy 1: Team Building
Your immediate priority is getting to know your current security team and scaling it quickly but pragmatically. One of the biggest dangers in any new job is to move too quickly and "make a big entrance." Not me. By looking at the superb internal talent, my team has been able to swiftly and strategically build out our security organization while doubling down on the best practices that were already working.

Part of my philosophy is that it's imperative to show value in a security team quickly. We are not a revenue-generating team in the usual sense, but we do provide a valuable service to our customers, both internal and external. At the end of the day, the most important asset in any company is the employee base. It's critical that everyone in your company understands their role in security. Employees are the strongest link, and also the weakest. Clear, concise communication is vital to making your security program successful.

Strategy 2: Extend a Security Mindset
Whether you are a developer, an HR expert or a lawyer, it's important that each employee understands their role in the security world. Conversely, trying to force change by lecturing and shaming people on their security or lack thereof will rarely elicit the results you want. Instead, make security a shared focus by inviting all departments into the security organization.

At MongoDB, I am building a security champion program. We have volunteers from many teams, globally, who are willing to become the "security champion" for their group. This includes the opportunity to meet directly with security leadership on best practices and to incorporate those security practices within their particular business unit. These volunteers already have an interest in security and their outside perspective helps diversify the security organization. They can act as a conduit between internal teams to help break down silos while shifting security to a shared goal.

Strategy 3: Learn — Continuously!
It's important to maintain a sense of curiosity as a security leader. Everyone on your security team should attend at least one training class a year, either internal or external. My team currently attends seminars throughout the year taught by third-party experts on topics such as cloud security, authentication, and container security. Our less-experienced security personnel have the opportunity to learn a new skill and grow in their role. To help with this, we offer an outstanding program called New Hire Technical Training. This is a week-long intensive training class attended by all engineering staff, including a pre-program containing approximately 100 hours of homework.

I am also working with our team behind MongoDB University, a free online training platform on MongoDB best practices, to enhance the existing security content for the class as well. To get an entire organization prioritizing security it is critical to provide a number of low-friction channels to educate and train your employees.

It's also important to recognize that many people from nontraditional backgrounds have the critical thinking skills to be successful security practitioners. It's our job, as CISOs, to identify those with a natural aptitude for security work and give them the opportunity to expand on that skillset with formal training and internal, peer-to-peer training. Stepping outside of your infosec bubble to listen to and understand underrepresented perspectives will help raise the bar for security in your organization.

Strategy 4: Measure Success
To give our customers peace of mind that our technology is built securely from the ground up, we communicate this through third-party validation. We've prioritized documenting our internal processes and preparing for audits to attain certifications such as SOC 2, ISO 27001, PCI DSS, and more. Following months of hard work, I found we already had great processes in place for many security and compliance issues that we could clearly demonstrate and communicate to partners and other third parties.

For example, the NIST CSF is helpful with measurements around people, processes and technology. So, if I were to plan a phishing exercise rollout in January, and 30% of people "click the link," then I know I have awareness training shortfalls. That would give me solid data to launch security awareness training classes focused on phishing. Two months is a decent reset before trying a new phishing exercise to see if that click rate is down significantly. I know this isn't an exact science, and it is very dependent on the phishing topic, but you get my point.
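The "is the click rate down significantly" question above can be answered with more than a glance at two percentages. The following is an added example, not code from the article or from MongoDB, that compares two simulated-phishing campaigns with a two-proportion z-test; the campaign numbers are constructed for illustration, and the 30% figure is the one the article uses. It also flags campaigns too small for the test to be trustworthy, which is one way the "not an exact science" caveat shows up in practice.

```python
from math import erf, sqrt

# Constructed sample results for two simulated-phishing campaigns run two
# months apart. These numbers are made up for illustration, not real data.
CAMPAIGNS = {
    "january": {"sent": 500, "clicked": 150},  # 30% clicked the link
    "march":   {"sent": 500, "clicked": 90},   # 18% clicked after training
}


def click_rate(sent: int, clicked: int) -> float:
    """Fraction of recipients who clicked the simulated phishing link."""
    if sent <= 0 or clicked < 0 or clicked > sent:
        raise ValueError("clicked must be between 0 and sent, and sent > 0")
    return clicked / sent


def pooled_rate(sent_a: int, clicked_a: int, sent_b: int, clicked_b: int) -> float:
    """Click rate if both campaigns are treated as one population (H0)."""
    return (clicked_a + clicked_b) / (sent_a + sent_b)


def two_proportion_z(sent_a: int, clicked_a: int, sent_b: int, clicked_b: int) -> float:
    """z statistic for H0: both campaigns have the same click probability.

    Positive z means campaign A had the higher click rate.
    """
    p_a = click_rate(sent_a, clicked_a)
    p_b = click_rate(sent_b, clicked_b)
    pooled = pooled_rate(sent_a, clicked_a, sent_b, clicked_b)
    se = sqrt(pooled * (1 - pooled) * (1 / sent_a + 1 / sent_b))
    if se == 0.0:  # everyone, or no one, clicked in both campaigns
        return 0.0
    return (p_a - p_b) / se


def upper_tail_p(z: float) -> float:
    """P(Z >= z) for a standard normal: the chance of seeing a drop at least
    this large if training changed nothing (one-sided p-value)."""
    return 0.5 * (1 - erf(z / sqrt(2)))


def compare_campaigns(before: dict, after: dict, alpha: float = 0.05) -> dict:
    """Compare an earlier campaign with a later one.

    'significant' is True only when the click rate fell and the one-sided
    p-value is below alpha. 'small_sample' warns that a group has fewer than
    10 expected clicks or non-clicks, where the normal approximation is weak.
    Note: the test cannot correct for a different lure or topic between the
    two campaigns; compare like with like.
    """
    args = (before["sent"], before["clicked"], after["sent"], after["clicked"])
    z = two_proportion_z(*args)
    p = upper_tail_p(z)
    pooled = pooled_rate(*args)
    small = any(n * pooled < 10 or n * (1 - pooled) < 10
                for n in (before["sent"], after["sent"]))
    return {
        "before_rate": click_rate(before["sent"], before["clicked"]),
        "after_rate": click_rate(after["sent"], after["clicked"]),
        "z": z,
        "p_value": p,
        "significant": z > 0 and p < alpha,
        "small_sample": small,
    }


if __name__ == "__main__":
    result = compare_campaigns(CAMPAIGNS["january"], CAMPAIGNS["march"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed numbers the drop from 30% to 18% across 500 recipients each gives z of about 4.4 and a p-value well under 0.05, so the reduction is not plausibly luck. Rerunning with, say, 145 clicks instead of 90 in March yields a p-value above 0.3: the rate moved, but not enough to call the training a success on that evidence alone.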

Bottom line: Investing in training your people and continuously building relationships outside of the security world provides a greater impact than any other investment a security organization can make.


Lena joined MongoDB with more than 20 years of cybersecurity experience. Before joining MongoDB, she was the global chief information security officer for the international fintech company Tradeweb, where she was responsible for all aspects of cybersecurity. She also served ...
