There are important security lessons for CEOs in the embarrassing revelation that a teenager hacked into the personal email accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson. This isn't the first, nor will it be the last, time that people hack into accounts using a variety of techniques; it illustrates the lengths to which amateurs and bad actors will go.

In this case, Brennan’s and Johnson’s personal email accounts were breached through simple tricks. The teen fooled a service provider into releasing personal information about the victims. Using that information, he then asked the email provider to reset the passwords, giving him unrestricted access to their email accounts. No technical vulnerability was exploited; the weak point was an account-recovery process that trusted information an attacker could talk a third party into handing over.

While not an attack on a corporate or government system, it certainly is embarrassing, and it reinforces the need for a holistic approach to security. Cybersecurity tools alone cannot stop the kind of breaches carried out on Brennan and Johnson. CEOs must understand that a common sense approach, one that includes cyber security tools but is not limited to them, is required to mitigate security risks and protect your company.

To assist a CEO in developing a security context (framework) and measurement system, it's recommended to use the standard business approach of people, process and systems, in whatever form makes sense to you, and then organize and manage performance against that security context. A visual dashboard and ongoing reporting can continuously inform you of what is in place and what is missing. The following is an example of a holistic security context:
*This sample security context is based on industry standard security concepts. Your security context may be different, but this chart addresses the main areas related to security. Also, at the risk of oversimplification, embedded within this security context are more than 100 detailed control processes drawn from industry standard security frameworks such as the NIST SP 800 series and the ISO/IEC 27000 series.

CEOs should ask their security team how the current security program addresses the security context illustrated above. At a minimum, you should ask the following questions of your security team:
- Have you assessed your security risks?
  - What security risks are most important to your firm?
  - Does your approach to security follow the priorities established in the risk assessment?
  - If not, why?
- How have you organized security in your business?
  - Do you have a Chief Security Officer (CSO) or Chief Information Security Officer (CISO)?
  - If so, who do they report to?
  - Is there a risk that the CSO or CISO role will be compromised because of where it reports in the organization?
- How do you onboard new staff?
  - Do new employees have levels of clearance commensurate with the work they will be performing?
  - Do you require employees to comply with your security policies and procedures?
  - If so, how?
- How do you provide security training?
  - Is the training provided one time or on an ongoing basis?
  - Are employees regularly made aware of new security risks and threats?
- Do you have written security policies and procedures?
  - Do you follow them?
  - Are the policies and procedures shelfware, or are they used and updated frequently?
  - How do you communicate security policies and procedures to the business?
  - Do you audit security?
  - Do you have processes to manage the application of your security policies and procedures with third parties?
  - Is security incorporated into your business continuity planning?
  - When you acquire products and services, do you formally consider the security ramifications?
  - What process is followed when a security incident occurs?
- How have you addressed critical security and cyber security controls?
  - Have you received a description of the security tools being employed, in terms that you can understand?
  - Do your systems provide authorized individuals the access they require, and no more than necessary?
  - How is that done, in layman’s terms?
  - Are there risks with the way you grant access to your systems?
- Who is in charge of physical security?
  - If not the CSO or CISO, how are physical security matters coordinated with the CSO/CISO?
  - How do you do surveillance?
These questions are but a partial list that every CEO should ask their security team. Engage with those responsible for security in your business, educate yourself on basic security principles, and ask your team to explain your security context in terms you can understand. You’ll feel more confident your business is protected, you will be better informed, and your business will be better off.
About the Author: Mr. Dennis Conley is a managing partner with Transition Partners, a management consultancy headquartered in Reston, Virginia. He is a senior business and information technology executive and transformation leader with over 20 years of broad corporate and consulting experience. His extensive background and experience covers such areas as mergers and acquisitions, outsourcing, business development, technology management, organization development, security, business and strategic planning, and leadership training.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock