Want to get executive support on security? Hack their email inbox

Penetration testing has proven to be an extremely effective means of building executive support for cybersecurity initiatives because it most directly impacts their day-to-day working environment, a cybersecurity expert has advised.

Whether due to lack of education or simply too many conflicting priorities, busy executives can easily downplay their organisation's exposure to malware, unauthorised network access and other security risks, Major General Stephen Day, a former Department of Defence security executive and former head of the Australian Cyber Security Centre (ACSC), recently told CSO Australia.

Effectively managing security within an organisational context “is all about risk appetite and the allocation of resources,” he explained. “It's about culture; it's about protocols; in short, it's got a lot to do with people.” Since those people – executives in particular – were naturally more attuned to immediate threats, Day said, “the trick is to communicate in a way that resonates with them – and that means using the language of risk. Executives are balancing risk all the time.”

Although cybersecurity issues may often fade into the background behind more immediately pressing business issues, “we have found penetration testing to be very successful in getting executive attention,” he continued. “It's always important to personalise it: if you can, for example, get the CEO's inbox. That really brings it home – and allows a conversation.”

Such a conversation is likely to have some strong undertones, since business executives see the CISO's job as being to prevent such hacking in the first place. Yet continuing vulnerabilities around many commonly used information resources are symptomatic of a common one-off approach to security, in which funds are invested once and the business assumes that the risk has thereby been managed.

Many penetration-testing exercises are hobbled by this mentality, Day said, with penetration-testing firms identifying a way to get into the network and then blocking it. “This is largely the way penetration testing is used,” he explained. “The customer feels comfortable but it's a load of baloney because there are a variety of ways you know that you can get in.”

Technologists have long argued about the importance of network visibility, machine learning and other technologies in managing risk from threats such as ransomware, while others have noted that a strong customer-led business approach can reduce the overall damage caused in a breach. Yet with vulnerabilities identified and superficially patched while others remain undetected, Day said that CISOs' efforts must be focused not so much on preventing intrusion but on ensuring that there is adequate support for security as a continuous process, owned and driven by the business.

This approach ensures that whatever policies are put in place reflect the management of risk in a way that is comfortable and relevant for the executives. “The technical people shouldn't own that,” Day said. “It's the executive suite that has to come up with it. And often [the security policy] doesn't mean that they can't get in; it just means that if they get in, they don't get out with much.” Shifting from a block-at-all-costs mentality to a data-triage environment can take time – and flexible thinking, since data loss is one issue but many businesses also run operational systems whose compromise could shut down their operation.

Efforts to engage executives were also struggling in Australia because of a historical lack of sharing about best methods around security, Day added. “It has been difficult to get examples that had meaningful costs and consequences,” he explained. He acknowledged the appeal of looming mandatory breach-notification laws, but noted that many businesses are heading off potential issues by being more proactive about sharing details of cybersecurity compromises.

“You never have enough resources to deal with everything at once,” Day said. “But if businesses can adopt that proactive approach, I think there will be less pressure to institute something like mandatory breach laws.”

“Ultimately, the success statement around security needs to be driven from the executive; you just have to roll your sleeves up and start small.”

Stories by David Braue