Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Jon Allen
Jon Allen

How CISOs Can Reframe The Conversation Around Security: 4 Steps

Security professionals often complain that people are the weak link in the data security system. But in reality, they could be your biggest asset and ally.

When I joined Baylor University in 1995, the job I have now did not exist. In 2003, I took on the role as coordinator of IT security at the university, but it wasn’t until a few years later that the Chief Information Security Officer (CISO) role formalized into what it is today – a high visibility position that touches every aspect of the organization.

Today, 44 percent of organizations employ a CISO and full-fledged information security team, which has increasingly become a necessity in protecting against data breaches. Cyberattacks are more persistent and sophisticated, and as a result, CISOs are rethinking the most fundamental aspects of IT strategy and infrastructure. This new security paradigm is no longer just about using technology to protect against the next data breach; it lives at the intersection of technology and people.

Corporate data has shifted from behind corporate firewalls and servers; data now lives on the edge of the network on user devices, where it is more vulnerable to threats. With this shift comes new CISO challenges and. To be effective, IT and security teams need visibility into where information is stored, what type of information is on devices, and the ability to apply appropriate data controls. In today’s BYOD world, what matters is how and where employees are taking the data. And it is not about implementing more and more security protocol, it is about educating employees on the responsible choices they can make to avoid data loss and mitigate risk. We’re all in this together.

With a centralized security approach where operations are unified rather than siloed, teams can integrate security into every aspect of their organization and be proactive and strategic together. As technology changes, it is vital to get the entire organization on board. Here are four steps to help you focus on the people in your security strategy:

1. Drive home the personal benefits of security
Employees often have trouble understanding the importance of a security policy; they do not want to be inconvenienced unless they see a true benefit. To ensure the value of security resonates within the workforce, make it personal by informing people how a data breach would impact them personally. For example, students at Baylor might be more concerned about data protection and security policies if they knew  the schoolwork in their laptop— including book-length theses — was protected from theft, hard drive crashes or attacks on the network. 

2. Teach users the value of security
It is easy to tell employees to sign a security policy, back up their data, and be wary of potential scams or breaches but simply telling them what to do doesn’t teach anything about the benefits or risks. When people understand the “why behind the what” and the value of a security strategy, they’ll be more invested in it. Sharing examples of how security threats have impacted organizations is a great way to demonstrate the potential consequences of their behavior. If someone opens a phishing email with a hyperlink infected with malware, that attack could threaten an organization’s entire network.

3. Create security policies that are easy to enforce
Having structure and processes around security is key to gaining buy-in. . It is not enought to deploy the latest and greatest advanced threat detection and anti-malware software. You must also introduce basic steps that will hedge against human error. Data loss by malware, hardware failure or accident is the one of the most common and preventable threats. By continuously backing up your organization’s data, data availability can be integrated into your organization’s infrastructure and processes. Another example of baking security into the organization is Baylor’s approach to software acquisition. Faculty and staff must submit forms for software approval through the information security team. This allows risk analysis to take place before software is purchased for the campus environment. Failure to follow the process results in delays or cancellation by the purchasing team.

4. Leverage relationships with key stakeholders
CISOs are responsible for advising and consulting key stakeholders within their organizations to help them understand their respective roles and responsibilities within security. As part of this give and take,  the CISO needs to quantify the risk and explain how it applies to their respective domain. As with general employees, department managers will take more ownership when they see understand how security maps to compliance requirements.

CISOs should also show employees how security extends beyond endpoints, networks and datacenters. Any technology that is connected via an IP address today can expose an entire network. At Baylor we recently built a new stadium with the audio system, elevators and fire alarms all connected and dependent on the network. With all of those connected devices, significant planning helped to ensure that proper security measures were in place to protect the school.

The conversation around information security has been reframed. It is no longer strictly about the technical aspects; now, it is about engagement and relationship building. CISOs must learn a new set of skills to incorporate everyone in the security strategy – not just their security team. Security professionals often complain that people are the weak link in the data security system, but, in reality, they could be your biggest asset and ally.  

Jon Allen is the assistant vice president and Chief Information Security Officer at Baylor University where he has built the information security group from a one-person shop to an integrated organization. Jon has more than ten years of experience in information and network ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Sagiss, LLC
Sagiss, LLC,
User Rank: Strategist
12/9/2015 | 3:24:12 PM
Great Read
There's so much talk about employee education but not a lot of action. Thanks Jon for listing out the steps that can be taken in order to move this conversation from fantasy to reality. With insider threats becoming a bigger and bigger issue among companies, a step by step guide like this could prove very handy for a lot of CISOs. Cheers.
User Rank: Apprentice
12/8/2015 | 1:24:33 PM
Operations are unified and data-centric rather than siloed
I agree that "With a centralized security approach where operations are unified rather than siloed, teams can integrate security into every aspect of their organization and be proactive and strategic together."

I think that we are wasting lot of money on firewalls and network perimeter security, things that make us feel safe but don't address real problems. Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber-attacks. According to the survey database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security. Ponemon concluded that "This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification."

I found good guidance in a recent report from Gartner. The report analyzed solutions for Data Protection and Data Access Governance and the title of the report is "Market Guide for Data-Centric Audit and Protection." The report
concluded that "Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act."

The attackers are increasingly focused on stealing our sensitive data and will always look for the next path to attack the data. So we urgently need to secure the sensitive data itself with modern data security approaches.

I read an interesting report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure than tokenization non-users". The name of the study is "Tokenization Gets Traction".

Ulf Mattsson, CTO Protegrity
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.