By HP Security Strategist Stan Wisseman
In a previous post, I highlighted five primarily technology-based actions you can take to greatly enhance your security program. However, as we’ve heard many times, people are the weakest link in the security chain. “What we have here is failure to communicate.”
This line from “Cool Hand Luke” sums up the challenge we have in the information security field. We all need to think differently on how to have business success with the constant threat of attack (or as Luke would say, you’ve got to “get your mind right”). That includes users, partners, executive management and board members. Raising the collective security IQ of the workforce can be one of the most cost effective, proactive security controls you can implement.
The recent SANS Securing the Human: 2015 Security Awareness Report had three key findings:
- Support is essential: It is clear that security awareness programs will continue to fail until they get the same emphasis and support as technical controls. To address this, we have to better educate senior leadership that cyber security is far more than just bits and bytes; it also includes the human element.
- Soft skills are lacking: The majority of those in charge of security awareness programs have highly technical backgrounds and lack the necessary communication or human behavior skills. The importance of communication skills for information security professionals was also emphasized in the 2015 (ISC)2 Global Information Security Workforce Study results.
- Security awareness is still in its infancy: The majority of programs surveyed were immature. The report notes that if we are
To effectively change behavior regarding information security, employees and executives must feel a sense of urgency and understand not only that they are targets, but also that their actions play a key role in securing the organization. Effective organizations:
1. Have an engaged, security-aware workforce. General security awareness activities (newsletters, security awareness month, etc.) are important to remind the workforce of security best practices and of imminent threats. Testing users for their ability to avoid phishing scams will help reduce the threat of this common attack vector to the enterprise. Role-based security training programs are essential as well. For example, the 2015 HP Cyber Risk Report found that “…most vulnerabilities stem from a relatively small number of common, well-understood software programming errors.” Developers need training on software security best practices to effectively build more secure applications. Provide workforce incentives (e.g., spot bonuses, reward points) to put a spotlight on examples of the security-aware behaviors you want to see. Likewise, it’s necessary to penalize those who place your organization at risk;
2. Have clear policies and procedures that prioritize the protection of data and IT assets and which foster compliance with security standards. Policies and procedures are always important, but they are essential for information security. You need to create and publish your policies to gain consensus on how you will handle specific security issues. Policy rules need to be clear, simple, understandable, and achievable by the workforce;
3. Have the support of executive leadership. Translate information security issues into terms of risk – that’s the language they understand. Make it personal and show how they’ll be impacted. Stage realistic security incident exercises that bring in other stakeholders, such as outside counsel, communications, and solution providers, to participate. The annual renewal of cybersecurity insurance can also drive a useful discussion;
4. Have learned to work together and respond to security incidents, collaborating effectively. Practice makes perfect and you should exercise the Incident Response team on a regular basis to ensure that roles are understood and they aren’t learning on the job during an incident. The Incident Response plan needs to be accessible to all parties (e.g., on a mobile app). Don’t forget to communicate with employees, key business partners, and customers in a timely manner post-incident;
5. Obtain critical intelligence by sharing information externally with trusted partners and government agencies. Holistic threat intelligence is not a single-player sport – we need to collaborate just like our adversaries are doing. US government agencies like the FBI and DHS want to partner with private industry in dealing with cybersecurity threats (e.g., InfraGard and Information Sharing and Analysis Organizations (ISAOs)). While there are concerns with sharing incident and threat information with the government, as reflected in this ICIT brief, sharing IoC data with others may help them, and you, avoid an incident. You can also leverage commercial platforms to establish your own trusted communities to share threat intelligence data.
A cultural mind shift on cyber security is needed, similar to the one that had to take place for auto safety. It took decades to understand the risks, pass appropriate legislation, and then change human behaviors to reduce the risk factors and associated injuries. I still recall being a passenger in the ’60s without a seat belt in the back of my family’s station wagon – something I certainly wouldn’t allow today with my kids (wouldn’t own a station wagon, either!). Real change started when Ralph Nader, an early advocate for auto safety, wrote a book and spoke to Congress about auto safety in terms the general public and legislators could understand.
With regards to Detroit engineers, Nader said they had a “…general unwillingness to focus on road-safety improvements for fear of alienating the buyer or making cars too expensive.” Sound familiar? Once regulations were imposed, auto companies complied and there were massive advertising campaigns to convince the public to buckle up – efforts to enhance auto safety continue to this day.
Significant security incidents like the ones that have recently hit Sony Pictures and OPM can raise security awareness and spawn some remediation actions. However, reactions like the US Federal government’s 30-day sprint won’t change the underlying mindset or behavior of the workforce. A concerted effort over a longer period of time will be required.
HP Enterprise Security University has a wide range of eLearning and stand-up security courses available. HP recently released Security User Awareness training based on the SANS Critical Security Controls. HP also has an Executive Breach Response framework available to ensure that executive stakeholders can respond confidently to security incidents.
Learn more about HP Enterprise Security and http://ift.tt/1LwzAPC.