Jon Allen

How CISOs Can Reframe The Conversation Around Security: 4 Steps

Security professionals often complain that people are the weak link in the data security system. But in reality, they could be your biggest asset and ally.

When I joined Baylor University in 1995, the job I have now did not exist. In 2003, I took on the role as coordinator of IT security at the university, but it wasn’t until a few years later that the Chief Information Security Officer (CISO) role formalized into what it is today – a high visibility position that touches every aspect of the organization.

Today, 44 percent of organizations employ a CISO and full-fledged information security team, which has increasingly become a necessity in protecting against data breaches. Cyberattacks are more persistent and sophisticated, and as a result, CISOs are rethinking the most fundamental aspects of IT strategy and infrastructure. This new security paradigm is no longer just about using technology to protect against the next data breach; it lives at the intersection of technology and people.

Corporate data has shifted from behind corporate firewalls and servers; data now lives on the edge of the network on user devices, where it is more vulnerable to threats. With this shift come new CISO challenges. To be effective, IT and security teams need visibility into where information is stored, what type of information is on devices, and the ability to apply appropriate data controls. In today’s BYOD world, what matters is how and where employees are taking the data. And it is not about implementing more and more security protocol; it is about educating employees on the responsible choices they can make to avoid data loss and mitigate risk. We’re all in this together.

With a centralized security approach where operations are unified rather than siloed, teams can integrate security into every aspect of their organization and be proactive and strategic together. As technology changes, it is vital to get the entire organization on board. Here are four steps to help you focus on the people in your security strategy:

1. Drive home the personal benefits of security
Employees often have trouble understanding the importance of a security policy; they do not want to be inconvenienced unless they see a true benefit. To ensure the value of security resonates within the workforce, make it personal by informing people how a data breach would impact them personally. For example, students at Baylor might be more concerned about data protection and security policies if they knew the schoolwork in their laptop – including book-length theses – was protected from theft, hard drive crashes or attacks on the network.

2. Teach users the value of security
It is easy to tell employees to sign a security policy, back up their data, and be wary of potential scams or breaches but simply telling them what to do doesn’t teach anything about the benefits or risks. When people understand the “why behind the what” and the value of a security strategy, they’ll be more invested in it. Sharing examples of how security threats have impacted organizations is a great way to demonstrate the potential consequences of their behavior. If someone opens a phishing email with a hyperlink infected with malware, that attack could threaten an organization’s entire network.

3. Create security policies that are easy to enforce
Having structure and processes around security is key to gaining buy-in. It is not enough to deploy the latest and greatest advanced threat detection and anti-malware software. You must also introduce basic steps that will hedge against human error. Data loss by malware, hardware failure or accident is one of the most common and preventable threats. By continuously backing up your organization’s data, data availability can be integrated into your organization’s infrastructure and processes. Another example of baking security into the organization is Baylor’s approach to software acquisition. Faculty and staff must submit forms for software approval through the information security team. This allows risk analysis to take place before software is purchased for the campus environment. Failure to follow the process results in delays or cancellation by the purchasing team.

4. Leverage relationships with key stakeholders
CISOs are responsible for advising and consulting key stakeholders within their organizations to help them understand their respective roles and responsibilities within security. As part of this give and take, the CISO needs to quantify the risk and explain how it applies to their respective domain. As with general employees, department managers will take more ownership when they understand how security maps to compliance requirements.

CISOs should also show employees how security extends beyond endpoints, networks and datacenters. Any technology that is connected via an IP address today can expose an entire network. At Baylor we recently built a new stadium with the audio system, elevators and fire alarms all connected and dependent on the network. With all of those connected devices, significant planning helped to ensure that proper security measures were in place to protect the school.

The conversation around information security has been reframed. It is no longer strictly about the technical aspects; now, it is about engagement and relationship building. CISOs must learn a new set of skills to incorporate everyone in the security strategy – not just their security team. Security professionals often complain that people are the weak link in the data security system, but, in reality, they could be your biggest asset and ally.  

Jon Allen is the assistant vice president and Chief Information Security Officer at Baylor University where he has built the information security group from a one-person shop to an integrated organization. Jon has more than ten years of experience in information and network ...

Sagiss, LLC
User Rank: Strategist
12/9/2015 | 3:24:12 PM
Great Read
There's so much talk about employee education but not a lot of action. Thanks Jon for listing out the steps that can be taken in order to move this conversation from fantasy to reality. With insider threats becoming a bigger and bigger issue among companies, a step by step guide like this could prove very handy for a lot of CISOs. Cheers.
User Rank: Apprentice
12/8/2015 | 1:24:33 PM
Operations are unified and data-centric rather than siloed
I agree that "With a centralized security approach where operations are unified rather than siloed, teams can integrate security into every aspect of their organization and be proactive and strategic together."

I think that we are wasting a lot of money on firewalls and network perimeter security, things that make us feel safe but don't address real problems. Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber-attacks. According to the survey, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security. Ponemon concluded that "This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification."

I found good guidance in a recent report from Gartner. The report analyzed solutions for Data Protection and Data Access Governance and the title of the report is "Market Guide for Data-Centric Audit and Protection." The report concluded that "Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act."

The attackers are increasingly focused on stealing our sensitive data and will always look for the next path to attack the data. So we urgently need to secure the sensitive data itself with modern data security approaches.

I read an interesting report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users". The name of the study is "Tokenization Gets Traction".

Ulf Mattsson, CTO Protegrity