Having a human conversation about security
Last week, security expert Chris Roberts and members of our Slack community got together for our inaugural Cybersecurity Office Hours. A rousing discussion took place on topics ranging from the cyber threats emanating from Russia to how to get CEOs and the rest of the workforce to follow simple security measures, as well as the importance of storytelling in framing tech initiatives.
If you happened to miss it (we will be holding Office Hours on alternating Thursday afternoons), here’s a brief recap.
Business risk and the C-suite
When it comes to security vulnerabilities, employees are the biggest failure point. The C-suite is no exception; in fact, it is often a far greater threat. Tom Cottingham, CEO/Partner at Flyover Future, told the group, “The first rule in our security policy is that I don’t have access to anything.” His comment spurred a lively conversation around permissions, access, and vulnerabilities. The general agreement was that security professionals haven’t done a great job of focusing internal conversations on business risk.
“We haven’t done the best job of walking into that C-suite and saying, Hey, let’s have a conversation around business risk. We haven’t talked with the C-suite about business risk in a human way, about how we identify and mitigate risk. We go in there and we speak in acronyms. We speak in all these languages that the C-suite has no clue about. They just nod and smile until you go away. We have to learn how to talk to people in their language,” Chris said. “The challenge is figuring out how to explain to company executives the need for security measures before something bad happens.”
Of course, C-suite buy-in is just one of the issues IT faces. Other issues such as information silos and the lack of meaningful security training for employees hamper progress as well.
Many organizations don’t have an asset tracking system or, if they do, they have four or five different ones in the network – one for the helpdesk, one for HR, etc. Each silo has a separate reason for doing what they’re doing and they’re pretty attached to it. Those departments don’t talk to one another and they aren’t always connected.
“From a security standpoint, when we ask people what they care about and where their critical assets are, they can’t answer. So it’s not an easy conversation to have. I always wonder, why are the silos not talking to each other? I want to ask, ‘Why hasn’t one of you picked up some coffee and a bag of Dunkin Donuts and just walked into the other person’s meeting to have a conversation? You’re all getting paid by the same people,’” Chris added.
Security awareness training
Security awareness training is crucial, but many companies don’t do a great job of it. That lack of awareness only comes to the surface when someone clicks on a phishing email that results in a ransomware attack, or when some form of shadow IT affects the network. These are challenges that are not easy to overcome; they require everyone knuckling down to try to figure it out.
“Companies pay $50 for a device that provides an endpoint solution. Your people are your endpoints. Why not spend half of that on training the humans themselves?” Chris asked. “Your people are your most valuable and most vulnerable assets.”
One way to educate users about security is to incentivize them to report suspicious activity to the security team. The incentive could be something as simple as a gift card.
“A stack of $5 gift cards is a lot cheaper than having to pay someone like me to come in and dig you out of a mess,” Chris said. The frequency of the reward is more important than the amount.
Tom said, “Ultimately, people pay attention to what leadership pays attention to, and that starts with the CEO. If a CEO puts out a memo, says ‘Hey – the security guys just came in, I have new rules and protocols to follow and I’m going to be doing these things.’ Then my people know it’s important to me.”
Carlota Sage (vCISO) agreed. “You have to get people invested in your success and they need to feel like you’re invested in theirs. They’re not going to feel that if you’re constantly telling them when they screw up and not when they’ve done something right,” she said.
She cited a company she works with that uses their internal Slack group to celebrate employees. “Whenever somebody successfully catches a phishing attempt, IT takes a screenshot and posts it where everyone can see what it looks like. They are publicly thanking them for submitting it but they’re also educating everyone else at the same time. It’s extremely effective.”
Flyover Future hosts Cybersecurity Office Hours (moderated by Chris Roberts) every two weeks. Get practical answers to your questions from some of the brightest minds in cybersecurity. Join our Flyover IT Strategy Slack Group any time as well as the next Office Hours conversation on February 17th at 1pm ET.