Three ways a CSO can stop being the bad guy

Are you the Dr. No of your company, always with security-related reasons for stopping or slowing down projects?

When you meet with management, is it to ask for more money for security or else horrible things will happen? If so, do you say it like, "one meeeeellion dollars" while petting a white cat? You do know that one million dollars will hardly make a dent in the problem. Better make it, "one beeeeellion dollars."

(Yes, I know it was Dr. Evil who made "one meeeellion dollars" a catchphrase, but it was Dr. No who said it first.)

And when you're not going around telling people to stop doing what they want, or asking for money, are you delivering bad news about breaches?

"I was the least invited person to meetings," recalls Adam Bly, who, before founding his own security company, San Francisco-based Bluebox Security, used to manage security, risk and compliance at companies like TiVo and Walt Disney.

"I would 'no' to a lot of things because there was risk and I didn't have a solution," he said.

But some security executives are redefining their roles to become people who say "yes," and restructuring their departments around becoming enablers of business.

Here are some of the ways they're doing it.

Eliminate spam and phishing emails

Hartford, Conn.-based insurance giant Aetna recently switched to DMARC email authentication.

"It authenticates all our emails to the Internet service providers," said Aetna CISO Jim Routh. "That's 65 million spam and phishing emails that they're not receiving."

Consumers benefit from reduced risk and Aetna benefits from having lower costs due to not having to deal with phishing-related issues, he said. And it's even helping bring in new business.

"The security department led the initiative with marketing," Routh said. "Traditionally, they don't get along. But at Aetna, we do. Now it's a feature in sales calls with employers who are choosing Aetna to provide benefits to their employees."

In fact, Aetna was the only health care company to receive a perfect 100 percent score last year in a survey by Agari, an email security company. The other 13 health care companies all scored "vulnerable" or below, with an average security score of 17 percent. According to Agari, an email that says it's from a typical health insurance company is four times more likely to be a fake than one that claims to be from a social media company.
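The benefit Routh describes only materializes when the published DMARC policy actually tells receiving ISPs to reject or quarantine spoofed mail; a `p=none` record just reports it. The following check is an added example, not code from the article or from Aetna, and the DNS TXT records it classifies are constructed samples for an assumed `example.com`:

```python
# Added example: classify a DMARC TXT record as invalid, monitor-only or
# enforcing. In practice the record is fetched from DNS at _dmarc.<domain>;
# here the records are constructed samples (not any real domain's records).

SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "not-dmarc": "v=spf1 include:_spf.example.com -all",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs, keys lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Report whether a record is a valid DMARC policy and whether it enforces.

    Enforcing means p=quarantine or p=reject applied to 100% of failing mail;
    a lower pct leaves the remainder delivered as if p=none.
    """
    tags = parse_dmarc(record)
    # RFC 7489 requires v=DMARC1 as the first tag and a p= policy tag.
    if not record.strip().lower().startswith("v=dmarc1"):
        return {"valid": False, "enforcing": False, "reason": "not a DMARC record"}
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"valid": False, "enforcing": False, "reason": "missing or bad p= tag"}
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0  # treat garbage pct as unenforced
    return {
        "valid": True,
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy).lower(),  # sp defaults to p
        "pct": pct,
        "reporting": "rua" in tags,  # aggregate reports needed to see spoofing
        "enforcing": policy in {"quarantine", "reject"} and pct == 100,
    }


def summarize(records: dict = SAMPLE_RECORDS) -> dict:
    """Assess every sample record and return the results keyed by name."""
    return {name: assess_dmarc(rec) for name, rec in records.items()}


if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name:13s} {result}")
```

A monitor-only or partial record is the usual first deployment step; moving to `p=reject` at `pct=100` is what stops the spoofed mail from reaching recipients.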

Adopt cloud gateways

CSOs are typically well-aware of the problems with cloud applications.

"They expose organizations to security risks such as sensitive data leakage, unauthorized privilege escalation, denial of service, and so forth," said Nir Valtman, CISO at Duluth, Georgia-based NCR Corp.

So what does everyone at a typical company do? They sneak around. They sign up for cloud applications without telling anyone, and next thing you know, the whole company is running in the cloud, security be damned.

According to research by CipherCloud, one of the leading cloud gateway providers, 86 percent of cloud applications used by companies were unsanctioned "shadow IT," with the average global enterprise using more than 1,100 cloud applications.

Valtman recommends that security departments look at cloud gateway technologies to secure cloud applications.

"These gateways provide aggregated discovery, control, auditing and analysis tools to ensure that cloud application usage is secure," he said.

Cloud gateway vendors can help fully secure such popular cloud apps as Salesforce, Office 365, Google Apps, and online storage providers while still preserving functionality.

And they can provide limited security, such as access control, to any other commercial or home-grown cloud app.

"Transparent to the user, you can automatically verify devices, IP addresses, locations, OS and more. This prevents phishing, malware, social engineering and other attacks," said Yair Grindlinger, CEO & co-founder at Redwood City, Calif.-based cloud security firm FireLayers, Inc.

By having a solution to offer, CSOs can actually get ahead of cloud adoption, instead of playing catch-up.

But cloud gateways aren't just for cloud users. Companies selling services in the cloud can also partner with cloud gateway vendors to provide their clients even more security -- while not compromising on functionality.

That would make security a selling point and a revenue generator, not just an expense item.

Listen to rank-and-file employees

When Adam Meyer was CISO at the Washington Metropolitan Area Transit Authority he would hold open forums during lunchtime, with coffee and snacks, where anyone from the company could come and ask questions.

He originally expected people to ask work-related questions, he said, "and it turned out to be 99 percent personal questions and 1 percent corporate."

People would come up to him and ask about their teenagers' computer use, about whether to trust their mobile banking apps, and other personal questions that had nothing to do with the company.

But that actually worked, he added.

"By making it personal, now those users became more cybersecurity aware in their jobs," he said.

And they began to see where the security department was coming from.

"It wasn't some big policy coming down, it was a personal conversation between them and me and they knew I was just looking to do the right thing," he said.

In addition, users were more inclined to share problems they were having, allowing the security department to get out ahead of potential issues.

For example, one person complained that file sharing was too burdensome, inspiring the company to decommission its own storage solution and switch to cloud-based storage, after working with the cloud provider to implement specific rules for credit card information.

"It allowed us to reduce malware threats, like ransomware," said Meyer. "We got better availability, better data loss prevention, and a happier workforce -- and we ended up chopping storage costs in half."

Users are just trying to do their jobs to the best of their ability, he said.

"The question is, how can we enable users to be more diligent in security, but also enable them to do their job quicker," he said. "Business isn't in business to lose money -- all those users are there to perform a function. If you remove the barriers for the end user, you're now touching a lot of the organization."

Meyer urged every CSO and CISO to begin building working relationships with other business leaders in their company, and to stay positive.

"If a business unit wants to deploy something in six months, you make sure you do everything you can to meet their six-month target," he said. "They can't wait two years -- they're throwing money away, in their eyes. Don't stop $50 million of potential revenues for $2 million in risk. That makes no sense. Assume the risk and move forward."


Stories by Maria Korolov
