Earlier in June, I attended the Gartner Security Summit in National Harbor, Maryland, where I had a chance to speak with many great CISOs and security experts. Together, we shared and learned a lot. The conference focused on seven key principles that are integral to building trust and resilience:
- Business Outcomes
- Facilitator
- Detect & Respond
- People-Centric
- Data Flows
- Risk-based
Each principle plays a role in creating a trusted and resilient environment. For now, let's focus on people-centric. Why? Because people are critical to our resiliency and to our ability to adapt, defend and restore when we are attacked. The best security strategy cannot work without people. On the flip side, people are also a key source of data breaches, particularly through social engineering and email phishing, and they make mistakes such as forgetting to update their applications.

At the Gartner Summit, a People-Centric Security (PCS) session challenged this conventional view of people by emphasizing individual accountability and trust and de-emphasizing restrictive, preventative security controls. My initial reaction was that you need both. Why? Not all people operate with cyber security in mind. Controls can help prevent them from doing something that causes harm, and with social engineering behind most attacks, some level of control is needed. As the population becomes savvier about cybersecurity, this may change. In the meantime, user and entity behavior monitoring remains a key security capability, because it provides a great source of intelligence.

On another note, it is well known that there is a shortage of cybersecurity professionals, despite the fact that cybersecurity jobs grew 91 percent from 2010 to 2014. This lack of security professionals hinders improvements in security posture. The challenges of hiring are 1) the time it takes and 2) the cost of bringing on someone new. In fact, it might take an organization up to nine months to hire someone, and it might end up paying 20 percent more. Organizations should not focus only on security expertise. They should seek versatile, technically savvy professionals whom they can train and who are open to continuous learning.

A new, emerging role in some organizations is the Digital Risk Officer (DRO). This reflects the fact that risk-based thinking is a core principle of a trusted and resilient environment. Every day, organizations must weigh the level of risk they will accept, which means they need to understand the potential impact as well as the steps needed to reduce or curb that impact. Larger enterprises and those with a robust digital business model need a DRO, who can help oversee security risk across the entire organization: not just IT risk, but operational and physical risk as well.

In my discussions with some CISOs, it struck me that real-life, people-related security issues kept coming up:
- A CISO from a manufacturer told me that his organization just completed a penetration test. The test found that 25 percent of the organization fell for a phishing email. Even the CEO didn't spot the scam. Given this result, the CISO was making plans to help make the company more cyber-aware and cautious.
- A CISO from an energy company shared his security concerns. His charter spanned from Information Technology (IT) to Operational Technology (OT). The gap in security expertise between the IT and OT professionals was wide, so he moved some of the IT security expertise over to OT.
- Another discussion centered on leadership and organizational cultures that do not admit to potential risk. It is critical for everyone (not just IT) to be cyber-aware and to recognize that risks exist. Check out the video on 10 Quick Tips to Improving Your Board's Cyber Security Literacy.
It would be great to hear more people's stories about cyber security. Do you have one? Please share in the comments below.