
Operations | Commentary
11/1/2019 10:00 AM
Lena Smart

Raising Security Awareness: Why Tools Can't Replace People

Training your people and building relationships outside of the security organization is the most significant investment a CISO can make.

I've worked in information security for over two decades, and I can tell you firsthand that instilling a culture that puts security first in all organizations, not just the ones that traditionally have a role in security, is a challenge. There are, however, a number of leadership techniques that will raise security awareness in any organization of any size. Here are four tried and true strategies.

Strategy 1: Team Building
Your immediate priority is getting to know your current security team and scaling it quickly but pragmatically. One of the biggest dangers in any new job is to move too quickly and "make a big entrance." Not me. By looking at the superb internal talent, my team has been able to swiftly and strategically build out our security organization while doubling down on the best practices that were already working.

Part of my philosophy is that it's imperative to show value in a security team quickly. We are not a revenue-generating team in the usual sense, but we do provide a valuable service to our customers, both internal and external. At the end of the day, the most important asset in any company is the employee base. It's critical that everyone in your company understands their role in security. Employees are the strongest link, and also the weakest. Clear, concise communication is vital to making your security program successful.

Strategy 2: Extend a Security Mindset
Whether you are a developer, an HR expert or a lawyer, it's important that each employee understands their role in the security world. Conversely, trying to force change by lecturing and shaming people on their security or lack thereof will rarely elicit the results you want. Instead, make security a shared focus by inviting all departments into the security organization.

At MongoDB, I am building a security champion program. We have volunteers from many teams, globally, who are willing to become the "security champion" for their group. This includes the opportunity to meet directly with security leadership on best practices and to incorporate those security practices within their particular business unit. These volunteers already have an interest in security and their outside perspective helps diversify the security organization. They can act as a conduit between internal teams to help break down silos while shifting security to a shared goal.

Strategy 3: Learn — Continuously!
It's important to maintain a sense of curiosity as a security leader. Everyone on your security team should attend at least one training class a year, either internal or external. My team currently attends seminars throughout the year taught by third-party experts on topics such as cloud security, authentication, and container security. Our less-experienced security personnel have the opportunity to learn a new skill and grow in their role. To help with this, we offer an outstanding program called New Hire Technical Training. This is a week-long intensive training class attended by all engineering staff, including a pre-program containing approximately 100 hours of homework.

I am also working with our team behind MongoDB University, a free online training platform on MongoDB best practices, to enhance the existing security content for the class as well. To get an entire organization prioritizing security it is critical to provide a number of low-friction channels to educate and train your employees.

It's also important to recognize that many people from nontraditional backgrounds have the critical thinking skills to be successful security practitioners. It's our job, as CISOs, to identify those with a natural aptitude for security work and give them the opportunity to expand on that skillset with formal and internal, peer to peer training. Stepping outside of your infosec bubble to listen to and understand underrepresented perspectives will help raise the bar for security in your organization.

Strategy 4: Measure Success
To give our customers peace of mind that our technology is built securely from the ground up, we communicate through third-party validation. We've prioritized documenting our internal processes and work for audits to attain certifications such as SOC 2, ISO 27001, PCI DSS, and more. After months of hard work, I found we already had great processes in place for many security and compliance issues, processes that we could clearly demonstrate and communicate to partners and other third parties.

For example, the NIST CSF is helpful for measurements around people, processes, and technology. So, if I were to plan a phishing exercise rollout in January and 30% of people "click the link," then I know I have security awareness training shortfalls. That would give me solid data to launch security awareness training focused on phishing. Two months is a decent reset before running a new phishing exercise to see whether that click rate is down significantly. I know this isn't an exact science, and it is very dependent on the phishing topic, but you get my point.
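As an added example (not part of the original commentary), the Python below turns the January-versus-follow-up exercise described above into a check on whether a drop in click rate is larger than sampling noise, using a standard two-proportion z-test. The campaign records are constructed, not real data, and the test is a generic choice, not a method the author specifies.

```python
import math

# Constructed sample results for two phishing exercises (not real data):
# each record is (campaign, topic, emails_sent, links_clicked).
CAMPAIGNS = [
    ("2020-01", "parcel-delivery", 300, 90),  # 30% click rate, before training
    ("2020-03", "parcel-delivery", 300, 60),  # 20% click rate, after training
]

def click_rate(clicked, sent):
    """Fraction of recipients who clicked the simulated phishing link."""
    return clicked / sent if sent else 0.0

def two_proportion_z(clicked_a, sent_a, clicked_b, sent_b):
    """Two-sided two-proportion z-test; H0 is that both campaigns share one click rate.
    Returns (z, p_value) using the pooled standard error under H0."""
    p_a = click_rate(clicked_a, sent_a)
    p_b = click_rate(clicked_b, sent_b)
    pooled = (clicked_a + clicked_b) / (sent_a + sent_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / sent_a + 1 / sent_b))
    if se == 0:  # nobody (or everybody) clicked in both campaigns: no evidence either way
        return 0.0, 1.0
    z = (p_a - p_b) / se
    p_value = 1 - math.erf(abs(z) / math.sqrt(2))  # equals 2 * (1 - Phi(|z|))
    return z, p_value

def significant_drop(before, after, alpha=0.05):
    """True when the later campaign's click rate is lower AND the difference is
    unlikely to be sampling noise at level alpha. before/after are (sent, clicked)."""
    (sent_before, clicked_before), (sent_after, clicked_after) = before, after
    z, p = two_proportion_z(clicked_before, sent_before, clicked_after, sent_after)
    return z > 0 and p < alpha  # z > 0 means the earlier rate was the higher one

if __name__ == "__main__":
    for camp, topic, sent, clicked in CAMPAIGNS:
        print(f"{camp} [{topic}]: {click_rate(clicked, sent):.1%} clicked")
    _, _, sent_jan, clicked_jan = CAMPAIGNS[0]
    _, _, sent_mar, clicked_mar = CAMPAIGNS[1]
    z, p = two_proportion_z(clicked_jan, sent_jan, clicked_mar, sent_mar)
    print(f"z = {z:.2f}, p = {p:.4f}, significant drop: "
          f"{significant_drop((sent_jan, clicked_jan), (sent_mar, clicked_mar))}")
    # The same 30% -> 20% drop measured on only 20 recipients each is indistinguishable
    # from noise, which is why small pilot groups make weak evidence of training impact.
    print("same drop, 20 recipients each:", significant_drop((20, 6), (20, 4)))
```

With 300 recipients per exercise the 30% to 20% drop is significant (p below 0.01); with 20 recipients per exercise the identical drop is not, which is the "not an exact science" caveat made measurable.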

Bottom line: Investing in training your people and continuously building relationships outside of the security world provides a greater impact than any other investment a security organization can make.


Lena joined MongoDB with more than 20 years of cybersecurity experience. Before joining MongoDB, she was the global chief information security officer for the international fintech company Tradeweb, where she was responsible for all aspects of cybersecurity. She also served ...
Comments

François Amigorena, User Rank: Author, 11/4/2019 | 6:11:50 AM
Education, process and technology working together help protect an organization.
Education, process, and technology working together help protect an organization. Any of these in isolation is not a silver bullet. We know that better education must be part of the solution. But after more than a decade of trying to educate users, IT security professionals still aren't getting their message through. The challenge is that users are indeed human. They are flawed, they are careless, and often exploited. Users (computing) are in fact defined as "those that generally use a system or a software product without the technical expertise required to fully understand it."

We must accept that employees aren't going to change their habits in a hurry, no matter how much we try to scare them into doing so. We live in a world where convenience and simplicity are so important, and the advice the industry has been giving doesn't always support the way workers want to get on with their job. 

The notion that IT security is a combination of people, process and technology is nothing new. Despite arguments to rebalance this 'golden triangle' the pragmatic view still points to the validity of this statement. 