Cybersecurity remains a top priority for companies in all industries. The reason is clear. Criminals and other parties have access to inexpensive tools and training to attack companies and governments. The New York Times reported on the rise of ransomware earlier in 2015. This type of malicious software encrypts a user’s data and demands a payment to release it (or the data will be destroyed).
Many companies are deploying greater resources to turn the tide of hackers: Google has a team of 10 full time hackers working to eliminate flaws. Given these threats, executives and technology leaders are asking for best practices and technologies. Developing security awareness in staff, growing security professionals and equipping CIOs to monitor security remain vital components to a successful security management strategy.
The next wave of security testing: send phishing emails to employees
The capabilities and knowledge of your organization’s customers and nontechnical staff has one been one of the greatest cybersecurity threats. The ability to persuade people and defeat security measures is known under the broad heading of social engineering. Social engineering tactics – specifically phishing emails – were at the core of the 2011 RSA SecurID breach which shook confidence in security across the world. As that incident shows, even highly respected firms and security technologies are vulnerable to social engineering threats. Leading companies use several approaches to mitigate the risk.
“At Cisco, we have comprehensive training program that addresses information security,” commented Patrick Harbauer, technical Lead for the Neohapsis PCI DSS services practiceat Cisco Systems. “Annual training and computer based testing is a key part of our practice to equip our staff with the skills to detect and avoid phishing and similar information security threats,” Harbauer says.
“Recently, our organization began testing the effectiveness of our training by sending out phishing emails to see if staff fell for them. I actually received one of these test emails – supposedly concerning Amazon Prime – and it was difficult to detect!” Testing the effectiveness of security training is becoming more important because the old guidance to detect phishing emails – e.g. lack of company logos or poor grammar – is less effective. “Many phishing emails today use code, images and other material lifted directly from a company’s website so they appear to be legitimate,” says Harbauer.
“At Lockheed Martin, our security approach includes monitoring for high risk behavior flags. These flags are then investigated by a specialized team. For example, if an employee suddenly starts logging into the company network at 3am where they previously never did so, that would raise a flag,” comments Angela Heise, vice president, commercial markets at Lockheed Martin. “Of course, that person could have decided to check email after taking care of a young child in the night, so judgement is required to evaluate these flags,” she says.
Winning the war for cybersecurity talent strategy
Talented information security professionals remain the linchpin of a successful cybersecurity program. Several employment surveys have found that security skills continue to be in high demand, and some high profile security jobs can command salaries over $200,000 per year. Thirty five percent of organizations surveyed are unable to fill open security jobs according to ISACA’s State of Cybersecurity: Implications for 2015 survey.
“There’s a huge war for cyber security talent,” commented Angela Heise, vice president, commercial markets at Lockheed Martin. Best known for its military hardware and spacecraft, Lockheed Martin has developed a strong reputation for managing security threats and meeting the high security requirements of the military. Based on that reputation, the company now provides security services and support to many companies in the Fortune 500 including energy firms, financial companies and utilities.
A major part of Lockheed’s security success comes down to the organization’s talent strategy. “When I bring a new security analyst into Lockheed, they have the opportunity to rotate through several groups: Lockheed’s internal security unit, the group serving government clients and work with our commercial clients,” Heise shared. “We empower our security staff by giving them a say in the tools they use and help them develop their careers,” she continued. Diversity and cross-generational cooperation is another opportunity. “I see a lot of organizations that tend to prefer hiring highly experienced security professionals. I prefer a diverse approach that includes bringing new graduates into the organization who can learn from and share with our experienced professionals,” Heise says.
The CIO’s view on cybersecurity: best practices for IT leaders
When a security incident occurs, the CIO and/or CISO is expected to lead a solution. While the need for emergency response to security incidents is ever present, leading organizations have adopted a proactive strategy. Threat detection and managing third parties are key practices for CIOs and IT managers to use.
“The best CIOs and executives we work with use several monitoring strategies to address cyber security risk,” shared Carolyn Holcomb, Partner and Leader of the Risk Assurance Data Protection and Privacy Practice at PricewaterhouseCoopers (PwC). “In managing vendors and third parties, the best approach is to request a SOC2 report where an independent party conducts a thorough assessment of security, privacy or other points,” says Holcomb. SOC2 is an internal controls report defined by the American Institute of CPAs that address security, availability, processing integrity, confidentiality and privacy matters.
“If a SOC2 approach is not feasible, there are two other alternatives: using a right to audit clause in the contract and questionnaires,” Holcomb says. The right to audit clause enables an organization’s auditors and/or security professionals to review the vendor. The least expensive and least robust option is to send a questionnaire to the vendor to ask about their security practices and technology. The questionnaire approach tends to provide the least detailed information compared to the other approaches.
As business leaders, CIOs have limited time to manage security and lead other efforts. Given this reality of limited resources for security, Holcomb recommends increased security and attention on very important assets. “Customer data, merger and acquisition information, intellectual property and pre-release financial data are frequently targeted by hackers. It makes sense to apply additional controls and protection to this information,” she says.
People and management remain at the center of IT security strategy
According to IT research company Gartner, worldwide spending on IT security services will surpass $70 billion dollars in 2015. That large portion of spending has attracted the interest of many service providers ranging from new companies such as IBM to start-up companies. Given the high trust required to take on a security consulting or advisory service, CIOs have a wide choice of options in services. As Lockheed Martin and Cisco show, developing security skills throughout the organization is essential to effective security.