Allow me to set the stage – if you have employees, you probably have an internet connection. Add the two together and you have security risk. Why? Because we’re all human and humans make mistakes – it’s how we learn, through life experience.
Enter the constantly shifting hacker mentality – like seasonal winds, this mindset constantly evolves. To keep up with this evolution, you must adapt and become an expert sailor in the black (hat) sea or be sunk. Regardless, you will encounter battles; whether you win or lose is the issue to be concerned with. Remember, we have to win every time while they just have to win once.
What do these two items have in common as they relate to the security professional? They are both dangerous and we are caught in the middle.
Now, let’s add even more complexity – executive demand. The security role is held to a higher standard in most organizations and rightfully so. It’s no secret the security industry is a high stakes game which carries heavy workload and the associated stress.
So how do we make ourselves more relevant, ensuring we are in sync with Executive management, rowing in the same direction?
The answer lies in the quest to understand the specific industry you work in and the business drivers your senior management team finds most important. There is no magic recipe and no simple answer; quality results surface through cooperation, often after trial and error over time.
Businesses are different and there’s no standard template that fits everyone – or is there? While I don’t claim there’s a silver bullet, I will offer you four key elements to consider.
Let’s presume your CEO truly cares about security and doesn’t want to be center stage in a media circus answering questions about a security breach. How do you help prevent that now that you have the attention and support of the C-Suite?
Let’s examine four steps that may assist you.
First, work to build a good rapport with your executive team. Schedule meetings to get face time with them to discuss your concerns. I recommend you not only be present during these meetings, but truly listen to their concerns and hear what they are asking for. Take copious notes, reflect on what you’ve heard and try to rise above your specific role and visualize their position.
Work to analyze security risk versus operational profitability from their perspective and demonstrate your understanding. This can be quite challenging for most tactical security professionals, but it is very important in order to offer real value and ultimately help Connect Security to the Business.
As part of the rapport building process, after you’ve selected a reputable security framework (NIST is recommended: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf), assessed and documented your holistic security posture and devised a plan, get 3rd party validation of your security roadmap prior to execution.
Go with a “brand name” in the industry – someone who is very well known in the security space and reputable. Even though this won’t be cheap, it’s worth the incremental spend and will build confidence with your executive staff by illustrating you know what you’re doing. Even if the 3rd party review acts as a re-sequencing agent, it’s good insurance to help you prioritize appropriately.
Next, demonstrate you heard them by providing security metrics that offer value. Please note this is an iterative process that requires creative thinking and validation. This approach aims to decentralize security through automation. If you’re like many companies, you run with a lean security team (or perhaps you spell team with only an “I” in a worst case scenario) and therefore don’t have the resources to handle all things security.
No problem – work to create & automate the publishing of specific metrics which capture much needed and actionable change by business unit. This puts the onus on each business unit leader to drive better security posture throughout the company and the competition within and between groups can often foster faster improvement.
Publish these monthly metrics to the VPs responsible for these groups and to the CEO – preferably in a self-service format. Many CEOs that are security focused are going to hold those VPs accountable, and you now have a secret recipe to drive faster adoption of security initiatives.
I would also recommend leveraging significant incentives – quite simply, if people literally profit from better security behavior, they will pay closer attention to their actions.
Lastly, for your holistic security program to be effective, it’s important to drive adoption and utilization of security controls across the enterprise. Since we discussed earlier that humanity is the weakest link, it’s important to educate your staff. Consider any tactic that would be effective and well received.
This could be phishing contests, QR Code testing, lunch and learn sessions, guest speakers, comedic videos or formal training such as SANS Securing the Human (http://www.securingthehuman.org/enduser) curriculum. It’s crucial to remain vigilant, providing a steady drip of security awareness training.
After all, the latest trends illustrate that malware occurrence continues to increase in 2014 (Q1 Global Security Report for 2014 released by AppRiver), and it’s no surprise that black hats are targeting end users and their endpoints, especially with the corresponding increase in mobile devices.
Consider leveraging ‘Attack Driven Defense’ tactics and start thinking like your adversaries. With that frame of reference, how would you target your end user community?
Security professionals need every advantage possible to remain effective and proactive. I encourage you to entertain new ideas and creativity in your quest to remain secure and to avoid breach. If you’re successful, you, your company and your CEO win!