How Lockheed Martin, Cisco and PWC manage cybersecurity

Forget systems … it’s your own people who are your greatest security threats. Luckily, and with training, they can also be your first line of defense.

Cybersecurity remains a top priority for companies in all industries. The reason is clear. Criminals and other parties have access to inexpensive tools and training to attack companies and governments. The New York Times reported on the rise of ransomware earlier in 2015. This type of malicious software encrypts a user’s data and demands a payment to release it (or the data will be destroyed).

Many companies are deploying greater resources to turn the tide of hackers: Google has a team of 10 full time hackers working to eliminate flaws. Given these threats, executives and technology leaders are asking for best practices and technologies. Developing security awareness in staff, growing security professionals and equipping CIOs to monitor security remain vital components to a successful security management strategy.

The next wave of security testing: send phishing emails to employees

The capabilities and knowledge of your organization’s customers and nontechnical staff has one been one of the greatest cybersecurity threats. The ability to persuade people and defeat security measures is known under the broad heading of social engineering. Social engineering tactics – specifically phishing emails – were at the core of the 2011 RSA SecurID breach which shook confidence in security across the world. As that incident shows, even highly respected firms and security technologies are vulnerable to social engineering threats. Leading companies use several approaches to mitigate the risk.

“At Cisco, we have comprehensive training program that addresses information security,” commented Patrick Harbauer, technical Lead for the Neohapsis PCI DSS services practiceat Cisco Systems. “Annual training and computer based testing is a key part of our practice to equip our staff with the skills to detect and avoid phishing and similar information security threats,” Harbauer says.

[Related: Microsoft CEO takes a collaborative approach to cybersecurity]

“Recently, our organization began testing the effectiveness of our training by sending out phishing emails to see if staff fell for them. I actually received one of these test emails – supposedly concerning Amazon Prime – and it was difficult to detect!” Testing the effectiveness of security training is becoming more important because the old guidance to detect phishing emails – e.g. lack of company logos or poor grammar – is less effective. “Many phishing emails today use code, images and other material lifted directly from a company’s website so they appear to be legitimate,” says Harbauer.

“At Lockheed Martin, our security approach includes monitoring for high risk behavior flags. These flags are then investigated by a specialized team. For example, if an employee suddenly starts logging into the company network at 3am where they previously never did so, that would raise a flag,” comments Angela Heise, vice president, commercial markets at Lockheed Martin. “Of course, that person could have decided to check email after taking care of a young child in the night, so judgement is required to evaluate these flags,” she says.

Winning the war for cybersecurity talent strategy

Talented information security professionals remain the linchpin of a successful cybersecurity program. Several employment surveys have found that security skills continue to be in high demand, and some high profile security jobs can command salaries over $200,000 per year. Thirty five percent of organizations surveyed are unable to fill open security jobs according to ISACA’s State of Cybersecurity: Implications for 2015 survey.

“There’s a huge war for cyber security talent,” commented Angela Heise, vice president, commercial markets at Lockheed Martin. Best known for its military hardware and spacecraft, Lockheed Martin has developed a strong reputation for managing security threats and meeting the high security requirements of the military. Based on that reputation, the company now provides security services and support to many companies in the Fortune 500 including energy firms, financial companies and utilities.

A major part of Lockheed’s security success comes down to the organization’s talent strategy. “When I bring a new security analyst into Lockheed, they have the opportunity to rotate through several groups: Lockheed’s internal security unit, the group serving government clients and work with our commercial clients,” Heise shared. “We empower our security staff by giving them a say in the tools they use and help them develop their careers,” she continued. Diversity and cross-generational cooperation is another opportunity. “I see a lot of organizations that tend to prefer hiring highly experienced security professionals. I prefer a diverse approach that includes bringing new graduates into the organization who can learn from and share with our experienced professionals,” Heise says.

The CIO’s view on cybersecurity: best practices for IT leaders

When a security incident occurs, the CIO and/or CISO is expected to lead a solution. While the need for emergency response to security incidents is ever present, leading organizations have adopted a proactive strategy. Threat detection and managing third parties are key practices for CIOs and IT managers to use.

“The best CIOs and executives we work with use several monitoring strategies to address cyber security risk,” shared Carolyn Holcomb, Partner and Leader of the Risk Assurance Data Protection and Privacy Practice at PricewaterhouseCoopers (PwC). “In managing vendors and third parties, the best approach is to request a SOC2 report where an independent party conducts a thorough assessment of security, privacy or other points,” says Holcomb. SOC2 is an internal controls report defined by the American Institute of CPAs that address security, availability, processing integrity, confidentiality and privacy matters.

“If a SOC2 approach is not feasible, there are two other alternatives: using a right to audit clause in the contract and questionnaires,” Holcomb says. The right to audit clause enables an organization’s auditors and/or security professionals to review the vendor. The least expensive and least robust option is to send a questionnaire to the vendor to ask about their security practices and technology. The questionnaire approach tends to provide the least detailed information compared to the other approaches.

[Related: CISOs learn 5 tough lessons about conveying security risks]

As business leaders, CIOs have limited time to manage security and lead other efforts. Given this reality of limited resources for security, Holcomb recommends increased security and attention on very important assets. “Customer data, merger and acquisition information, intellectual property and pre-release financial data are frequently targeted by hackers. It makes sense to apply additional controls and protection to this information,” she says.

People and management remain at the center of IT security strategy

According to IT research company Gartner, worldwide spending on IT security services will surpass $70 billion dollars in 2015. That large portion of spending has attracted the interest of many service providers ranging from new companies such as IBM to start-up companies. Given the high trust required to take on a security consulting or advisory service, CIOs have a wide choice of options in services. As Lockheed Martin and Cisco show, developing security skills throughout the organization is essential to effective security.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityciscoPwClockheed martin

More about AssuranceCiscoGartnerGoogleISACALeaderLockheed MartinMicrosoftNeohapsisPricewaterhouseCoopersRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bruce Harpham

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place