Making the case for security

Our manager makes his debut before top management, and he has just a few minutes to get them to see what needs to be done to better secure the enterprise.

Having been at my new company for several months now, this week I was invited to inform executive management about the state of our security. I had half an hour to formally introduce myself and talk about my philosophy, my initial findings and the priorities I think we need to have.

Thirty minutes isn't much time, of course, and I figured that I should be prepared to talk for just 15 minutes, so that I could give the team time to ask questions. I had to make that quarter of an hour really count.

Before me were the CEO, the CIO, the CFO, the CTO and the vice presidents of sales, marketing, support and operations. I told them that I had been working in security long enough to know what sorts of things work. There's the rule of least privilege, which enforces access controls based on granting only those privileges that any individual needs. There's security awareness and the idea that changing employees' behavior is one of the most crucial ingredients of strong security. There's the acknowledgment that we're only as strong as our weakest link. There's the all-important realization that security is a process, not a point solution.

Real-world examples helped get my points across. The weak link, for example: I noted that even a large company like Target, with a multimillion-dollar budget, huge security staff and PCI and other industry certifications, could still be breached because its HVAC vendor allowed a PC to be compromised. Employee behavior: I cited many recent breaches that had been caused by one person doing something he shouldn't have done. Security as a process: I said that we needed technology to help secure the company, but no single device or piece of software can guarantee a secure infrastructure. Security is a product of people, policy, process and technology that, when combined, increase our security posture, and thus decrease risk.

I was only five minutes in and didn't mind too much the two minutes I lost when the CEO told a war story.

Next, I needed to give the executives my assessment of our security stance. The assessment, I explained, was based on things like my observations during the new-hire process, a review of existing documentation, security assessments, interviews, business process reviews, and the monitoring of our network.

I spent some time focusing on what we can learn by monitoring the network. We recently conducted a proof of concept of a Palo Alto Networks firewall, which came with all of the cool bells and whistles that can make transparent how our network is being used from a security and risk perspective. I told the group some of what we've learned: We have traffic going to and coming from more than 60 different countries. We're using more than 30 different cloud file storage solutions. Employees are using peer-to-peer software and remote-control software such as LogmeIn, both of which violate our corporate remote-access policy. They're also using our network to access pornography sites, which is a legal, human resources and security risk. The firewall told us we're under attack and pinpointed the type of attack being used. It singled out several internal resources that were potentially compromised and communicating with malicious Internet command-and-control sites.

Everyone was certainly paying attention. An awkward silence fell over them, followed by expressions of disbelief that our employees could be engaged in such risky behavior. But the data could not be ignored, and the value of the tool that had made the behavior visible for the first time was clear to all.

This was my chance to jump into my top findings and recommendations. I strongly advocated tightening up the corporate network by segmenting into security zones, restricting the use of and access to risky applications, and obtaining visibility into threats to our company. That last point was a thinly veiled plea for the funds to purchase a tool that would give us the kind of monitoring we had seen with our Palo Alto proof of concept.

I also recommended arming our PCs with a more advanced endpoint detection capability, tighter group policy and full disk encryption. Finally, I reinforced my belief that technology isn't the whole story by arguing that changing behavior is essential if we are to avoid falling victim to the types of security breaches we have seen in the news within the past several years. In other words, we need to implement an enterprise-grade security awareness and training program.

So I have made my arguments and presented my concerns. I hope it gets us on the road to better security.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Click here for more security articles.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityfirewallsecurity awarenessRule of Least Privilege

More about ClickPalo Alto Networks

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Mathias Thurman

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place