BreachExchange mailing list archives

How CISOs Can Reframe The Conversation Around Security: 4 Steps


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Dec 2015 19:16:43 -0700

http://www.darkreading.com/vulnerabilities---threats/how-cisos-can-reframe-the-conversation-around-security-4-steps-/a/d-id/1323464

When I joined Baylor University in 1995, the job I have now did not exist.
In 2003, I took on the role as coordinator of IT security at the
university, but it wasn’t until a few years later that the Chief
Information Security Officer (CISO) role formalized into what it is today –
a high visibility position that touches every aspect of the organization.

Today, 44 percent of organizations employ a CISO and full-fledged
information security team, which has increasingly become a necessity in
protecting against data breaches. Cyberattacks are more persistent and
sophisticated, and as a result, CISOs are rethinking the most fundamental
aspects of IT strategy and infrastructure. This new security paradigm is no
longer just about using technology to protect against the next data breach;
it lives at the intersection of technology and people.

Corporate data has shifted from behind corporate firewalls and servers;
data now lives on the edge of the network on user devices, where it is more
vulnerable to threats. With this shift come new CISO challenges. To be
effective, IT and security teams need visibility into where information is
stored, what type of information is on devices, and the ability to
apply appropriate data controls. In today’s BYOD world, what matters is how
and where employees are taking the data. And it is not about implementing
more and more security protocol, it is about educating employees on the
responsible choices they can make to avoid data loss and mitigate risk.
We’re all in this together.

With a centralized security approach where operations are unified rather
than siloed, teams can integrate security into every aspect of their
organization and be proactive and strategic together. As technology
changes, it is vital to get the entire organization on board. Here are four
steps to help you focus on the people in your security strategy:

1. Drive home the personal benefits of security
Employees often have trouble understanding the importance of a security
policy; they do not want to be inconvenienced unless they see a true
benefit. To ensure the value of security resonates within the workforce,
make it personal by informing people how a data breach would impact them
personally. For example, students at Baylor might be more concerned about
data protection and security policies if they knew the schoolwork in their
laptop — including book-length theses — was protected from theft, hard drive
crashes or attacks on the network.

2. Teach users the value of security
It is easy to tell employees to sign a security policy, back up their data,
and be wary of potential scams or breaches but simply telling them what to
do doesn’t teach anything about the benefits or risks. When people
understand the “why behind the what” and the value of a security strategy,
they’ll be more invested in it. Sharing examples of how security threats
have impacted organizations is a great way to demonstrate the potential
consequences of their behavior. If someone opens a phishing email with a
hyperlink infected with malware, that attack could threaten an
organization’s entire network.

3. Create security policies that are easy to enforce
Having structure and processes around security is key to gaining buy-in.
It is not enough to deploy the latest and greatest advanced threat
detection and anti-malware software. You must also introduce basic steps
that will hedge against human error. Data loss by malware, hardware failure
or accident is one of the most common and preventable threats. By
continuously backing up your organization’s data, data availability can be
integrated into your organization’s infrastructure and processes. Another
example of baking security into the organization is Baylor’s approach to
software acquisition. Faculty and staff must submit forms for software
approval through the information security team. This allows risk analysis
to take place before software is purchased for the campus environment.
Failure to follow the process results in delays or cancellation by the
purchasing team.

4. Leverage relationships with key stakeholders
CISOs are responsible for advising and consulting key stakeholders within
their organizations to help them understand their respective roles and
responsibilities within security. As part of this give and take, the CISO
needs to quantify the risk and explain how it applies to their respective
domain. As with general employees, department managers will take more
ownership when they understand how security maps to compliance
requirements.

CISOs should also show employees how security extends beyond endpoints,
networks and datacenters. Any technology that is connected via an IP
address today can expose an entire network. At Baylor we recently built a
new stadium with the audio system, elevators and fire alarms all connected
and dependent on the network. With all of those connected devices,
significant planning helped to ensure that proper security measures were in
place to protect the school.

The conversation around information security has been reframed. It is no
longer strictly about the technical aspects; now, it is about engagement
and relationship building. CISOs must learn a new set of skills to
incorporate everyone in the security strategy – not just their security
team. Security professionals often complain that people are the weak link
in the data security system, but, in reality, they could be your biggest
asset and ally.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
