If you aren’t communicating with your business counterparts by now, your security initiatives aren’t going to matter, and some organizations use punitive measures for employees who don’t learn from phishing awareness training. Those were among the takeaways from day one of the CISO Exchange West.
Speaking on “Effective Orchestration of Security to Minimize Breach Impact” Chris Wolski, CISO of office furniture maker Herman Miller, said people remain a big risk for organizations even with all the training they conduct on phishing.
“We actually took away people’s access to the internet and also their email account for a week,” because IT would get flagged that an adversary was inside their environment, he said. “It started as a joke, and then the boss said ‘Yeah, do it.’”
Another aspect of an effective security program is having password policies. But sometimes, “if you ask 10 people what it is you’ll get 15 answers” on what those policies are, he said. Policies on passwords, email, data retention and data classification are all necessary for orchestrating an effective security program, Wolski said.
“Implementing mismatched security products and making them work with your other systems is a challenge, especially when you have limited budgets,” he noted, “until something happens. That’s when the blank check shows up.”
Wolski also talked about the importance of making everything seamless to your information security professionals so that your least common denominator — such as a help desk technician — can understand the information and act on it.
“I have a 24 x 7 help desk but not a 24 x 7 SOC. That is orchestration,” Wolski said. “It’s not just about technological capabilities and automation but having processes in place that make it work.”
For Wolski, the key is having a SIEM to bring information and events together and allowing his help desk to respond more quickly.
In response to a question from the audience about how much pressure you should put on the vendors you work with, Wolski replied, “If you still want us as a customer in two-three years, fix it. Get it into your change process and add it as a feature.” He said he’s been successful using that approach to get vendors to make “quite a few changes.”
He also noted that sometimes it’s good to go with a young, proven security product, where a vendor is more eager to work with you.
How To Gain Executive-Level Support
Vaughn Hazen opened his keynote on “Thwarting the Threats – Insights into Hardening Humans and Machines” with a lesson he learned at a chemical company he worked at years ago. The company was often the target of nation state actors, and even though his security team had developed a program to successfully prevent network intrusions, no one in the company got excited about that. The reason, said Hazen, now director of IT security and CISO at mining company Freeport-McMoRan, was “we didn’t have that executive sponsorship you need for your program. If you don’t have that, it doesn’t matter what you do. The way to get that is to communicate.”
One of the comments he heard from the CIO at the time was “our security is too restrictive and too old fashioned,” Hazen recalled. So one of the first things he did coming on board at Freeport-McMoRan was to ask, “What does this organization see as a risk?” He said he makes sure to have regular interactions with all senior leadership. This has “reduced friction in the organization, which is one of the things that is absolutely key if you want support from your leadership,” he said.
The company’s users were required to use multi-factor authentication for remote access, which was laborious, so Hazen said his security team took the devices they managed and put non-exportable certificates on them as the second factor of authentication, so that all users had to do was log on to their machines.
“I’ve never had people come up and say, ‘thank you’ before,” he said. That earned Freeport-McMoRan’s security professionals a lot of credibility and support, he added.
The Phishing Attack Conundrum Continues
Many of the attendees said they also attended the RSA Conference, where Hazen noted there were over 700 vendors. There is a tendency among CISOs to keep buying security tools, “and that’s not going to be sustainable in the long run and you will lose executive support if you’re not careful,” he said.
Hazen also stressed that while he appreciates the partners Freeport-McMoRan works with, “they’re not creating silver bullets and they’re disincentivized to solve problems for us. Even if they could or had that interest — they really can’t do it. We have to do it ourselves.”
He said he once heard someone say, ‘cyber security isn’t sexy.’ “I turned to him and said, ‘It’s been a long time since I worried about being sexy. I’m more focused on being relevant and impactful.’”
An organization’s success in cyber security is going to rely on a set of principles that aren’t new, he said; it’s the oft-heard “people, processes and technology.”
Hazen said they do not have a security awareness program but a behavior modification program, and it is important to recognize the difference.
“Most people do phishing on internal folks to reduce their susceptibility, but another desired outcome is to have them report when they see something suspicious,” he explained.
To drive the desired outcome “you have to have some kind of influence on those people when they click through [an email] and shouldn’t, or when they report this.”
He asked the audience, “Who has an easy button for reporting phishing?” Very few raised their hand. That’s important, Hazen stressed, because phishing is getting more and more targeted and even if one person clicks a suspicious link, IT will never know if it isn’t reported.
His organization has employed tactics like cracking user passwords and doing broad-based dictionary attacks. Initially, the security team was cracking almost 40% of passwords within 48 hours, “which is pretty extreme,” he acknowledged. “Over time we’ve driven that down to about 2%.”
To do that requires behavior modification, but first you have to know what behaviors you have, Hazen said, then build in consequences.
One thing his security group found to be “so incredibly powerful” when it came to a password improvement program, was to take all the data they collected and bring it to vice presidents in different business units to show them how their group performed.
“And they got competitive with each other,” he recalled. “Then they were driving [password modification] down, not us. We had a tool that showed them this is how long it will take to break a password with brute force or a dictionary attack.”
Hazen said they also worked with HR teams to show how certain employees were a risk to the organization by not completing security awareness training, which drove the punitive measures like losing internet access.
Finding Talent, The Right Tools
Another pain point for attendees is finding security professionals. “It’s incumbent on us to get creative,” Hazen said. Among the ways to do that are to build internship programs with local colleges and universities, which he said they have done with great success.
Another technique is to consider people “who are adjacent to security,” such as networking people who are adept at working with firewalls or people in data retention or governance roles. He advised the audience to “look at folks maybe not coming from a direct security role but who could be helpful in driving your security program with the skills they have.” Additionally, “I’ve seen some of the best security analysts coming from philosophy degrees.”
Hazen also had advice for the audience when it comes to selecting a tool. Look at the efficacy of it: how well does it do what it says it will do? “I’ve seen broad statements … which can be a huge problem,” he said. His team also focuses on the tool’s performance and what it will use in storage bandwidth and CPUs.
“Another aspect is the management of the solution — how intuitive is it?” he said. “How complex is it? How easy is it for me to get the reports I want, is there a big delay? Is it capable of providing my needs? What’s the breadth of the functions — is it a platform or point solution? Those are important things to ask when evaluating technology.”
Because it is hard to find qualified security professionals, the more tools you have the more difficult it will be to manage them when you don’t have enough people, Hazen said. “And since you can’t find people we have to simplify the tech landscape.”