One of the major challenges CISOs, like myself, face today is finding the balance between keeping a business running efficiently and the security controls we implement. It is an ongoing challenge that takes time to figure out. But, as we all know, time is not something that is readily available to CISOs.
To help, Nabil Hannan, NetSPI Managing Director and a former colleague of mine, invited me to share insights on his Agent of Influence podcast. From the conversation, here are my top tips for achieving balance and, in turn, eliminating friction between business and cyber security.
Create realistic security awareness campaigns – and learn from them
Phishing engagements are a great opportunity to keep people on their toes while garnering awareness around email security. One particular engagement I coordinated was so effective, it fooled our security team. Our phishing emails were deployed at the same time as our real security awareness training and tricked people into clicking on a “malicious” link to confirm they had completed the company-wide training. Over 70 percent of people in the company fell for it.
We learned a few lessons from this engagement.
First, security practitioners are not immune to phishing attacks. There is a misconception that security teams are immune to being hacked or compromised. It is important to find curious and creative methods of security awareness training to challenge not only your general employees, but also your security teams.
Second, someone had said to me, “I will never trust an email from you again.” And I thought about that for a long time – and still do to this day. How do we as security practitioners create effective training campaigns without losing some level of trust? Well, it’s not necessarily a bad thing for people to be skeptical. People can be easily tricked when their guard is down. When we receive an email from an outside source nowadays, we are much more cautious about opening attachments or clicking on links. But if an email appears to come from our friendly HR team, a manager, or the CEO, we are much more comfortable clicking on a link or opening an attachment.
Third, cybercriminals are getting more creative, and so should our security awareness engagements. Now more than ever, we need to imitate real-world attacks using the latest attack tactics, techniques, and procedures (TTPs). Had this been a real attack by somebody with access to our email system, they would have known that the real security training email had gone out that day, and they could easily have distributed an identical email and captured many usernames and passwords. Our engagement was not far from how an advanced persistent threat (APT) would work.
Finally, as with many things in life, security is circumstantial. From a business perspective, it is important to understand your user base and change your security approach accordingly. Every company’s user base is different. Your security offerings, penetration testing, and training all depend on the type of users you have. Account for organizational cultural norms when making security decisions.
Prioritize risk – while also moving the business forward
In my first three months as a CISO, there were outstanding tasks and projects to complete. To prioritize my focus, I took a step back and looked at what the risks to the business were. By prioritizing my tasks based on the biggest business risks, securing the business came naturally.
Every CISO should ask themselves, “How can I help make the business move faster, while staying secure?” This is an interesting question because security is almost the inverse of being able to go fast. However, we have made great strides over the past 10 to 15 years, and we can now have a level of transparency while maintaining an adequate level of security. This allows for a frictionless experience where things happen fast in an organization, such as in DevOps.
During my conversation with Nabil, he explained this well. He said, “Recently, I read something that really resonated with me. It took me back to the early days where we would say, ‘security is just a subset of quality.’ If you think about it that way, if we are doing quality correctly, security goes along hand in hand. Similarly, I think if you’re doing DevOps correctly, you shouldn’t need DevSecOps. If you’re doing DevOps correctly, security should be part of that process already. Security really needs to be frictionless and needs to focus on how to be secure while still enabling the business and enabling people to move ahead.”
Understand the business – and how it makes money
When I first became a CISO, the most valuable advice I received was, “you need to understand how the business makes money, that’s the most important job of a CISO.” If you can understand how the business makes money, then you’re able to protect the business’s critical assets and transactions.
And that’s exactly what I did when I came to MicroStrategy. I followed the guidance of my mentors. CISOs, especially first-time CISOs, should have mentors to help them understand their role formally, hear real-world experiences, and learn what others have gained from being in a similar position. One book I recommend to any CISO is CISO Leadership: Essential Principles for Success from ISC². It digests the thought process behind the CISO role. The first half of the book explains the role of the CISO, and the second provides real scenarios and examples of how CISOs dealt with different technology and security challenges.
The CISO role is really a business position, a leadership position. It is not about the tooling or the firewalls – your job is to reduce company risk. Different organizations have different appetites for risk. Once you understand that, everything else will fall into place.
Click here to listen to my full interview with Nabil. Or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.