<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>David Sherry, Author at Security Current</title>
	<atom:link href="/author/david-sherry/feed/" rel="self" type="application/rss+xml" />
	<link>/author/david-sherry/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 03 Jan 2018 01:26:30 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>David Sherry, Author at Security Current</title>
	<link>/author/david-sherry/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Why I look Forward to October</title>
		<link>/why-i-look-forward-to-october/</link>
					<comments>/why-i-look-forward-to-october/#respond</comments>
		
		<dc:creator><![CDATA[David Sherry]]></dc:creator>
		<pubDate>Wed, 09 Sep 2015 20:35:17 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16508</guid>

					<description><![CDATA[<p>Life on a college campus changes in the Fall. In a way, just like the seasons, life in higher ed is very cyclical, and the beginning of the semester is&#8230;</p>
<p>The post <a href="/why-i-look-forward-to-october/">Why I look Forward to October</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Life on a college campus changes in the Fall.</p>
<p>In a way, just like the seasons, life in higher ed is very cyclical, and the beginning of the semester is one of excitement.  It also ends a busy season for the IT group, which is commonly known to all others as “summer break.”</p>
<p>Much of the major work for IT and the security team must be done while the students are not on campus, so summer and January are critical times. I know that this may be counter-intuitive to those who think we have the summers off, but when you look at it pragmatically, it makes perfect sense. We cannot get in the way of the teaching and learning!</p>
<p>I especially look forward to October. Each year as October approaches it brings a distinct feel to my role as a security officer on a college campus.  We all enjoy it when the colors begin to appear on the trees, the days slowly begin to get cooler, and the sounds of the Fall sports are heard all over campus.  However, I look forward to October for a specific reason: our annual campaign in support of National Cyber Security Awareness Month.</p>
<p>We take National Cyber Security Awareness Month (“NCSAM”) seriously here.  We’ve been making this an awareness priority for 11 years, and are listed as an NCSAM Champion with Stay Safe Online. Our campus expects to be hearing a security message each year, and we try not to disappoint.</p>
<p>There are those who believe that awareness efforts are a waste of time and resources, as the return is not worth the effort.  In many ways this could be true. However, when done right, a small amount of security funding can make a proportionally larger impact on your user base. It makes sense to raise awareness using methods that resonate, and NCSAM helps us in this regard.</p>
<p>October is a chance to get our message out with a theme that is catchy and memorable, and focuses on either a new security initiative or an area that is in need of improvement.  Through brown bag discussions, security message quizzes, ads in the daily campus paper, and weekly and monthly prizes as incentives, we have a chance to raise broad awareness across campus for 31 consecutive days. Of special note are our movie nights (free popcorn!) with security-focused content, and Q&amp;A afterwards with prestigious panels of experts.</p>
<p>All of these efforts give the campus an opportunity to see the security group, to meet us, to dialogue with us, and to get to know us personally.  They learn that we are on their side, and that we understand their issues as students, faculty or staff. Afterwards, they can follow us on Twitter to get breaking security and privacy news that is important to them, in a way that they are comfortable with.</p>
<p>Does this have an impact on our baseline security posture and performance? It is hard to say.  However, we do know that we have touch-points with thousands of the people we support and protect.  It is an easy assumption that awareness is certainly increased, that members of the campus have more security information that they can use, and that risk to our university is reduced.</p>
<p>That’s why I look forward to October.</p>
]]></content:encoded>
					
					<wfw:commentRss>/why-i-look-forward-to-october/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Silver Lining of an Intense Security Week</title>
		<link>/the-silver-lining-of-an-intense-security-week/</link>
					<comments>/the-silver-lining-of-an-intense-security-week/#respond</comments>
		
		<dc:creator><![CDATA[David Sherry]]></dc:creator>
		<pubDate>Wed, 01 Oct 2014 16:11:15 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16702</guid>

					<description><![CDATA[<p>As security practitioners, we know that nary a day goes by when our schedule for the day (or week) goes as planned.  There is always an alert to address, an&#8230;</p>
<p>The post <a href="/the-silver-lining-of-an-intense-security-week/">The Silver Lining of an Intense Security Week</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>As security practitioners, we know that nary a day goes by when our schedule for the day (or week) goes as planned.  There is always an alert to address, an attack to thwart, an email that takes priority or a senior leader that needs data right away.  We’ve all experienced this, and we are only successful when we can adapt on the fly and maintain our deadlines, all the time while fighting fires.</p>
<p>Recently I had a week that was quite out of the ordinary in terms of impact.  It truly was a perfect storm of events that demanded attention, time, resources and leadership.</p>
<p>While in the midst of the storm it was difficult to see above the waves, as every ounce of effort was necessary to ensure that all tasks were being accomplished and that risk was being mitigated.</p>
<p>However, in very quick hindsight, there was certainly a silver lining.  The week allowed security to be in front of the entire organization, through separate constituencies, and for different reasons.  A rare opportunity to have the breadth of the security function be on display simultaneously.</p>
<p>Let me briefly give you a box score of the week that was.  Our organization was scheduled for our yearly PCI-DSS on-site assessment.  This absorbed approximately twenty-two hours of calendar time scheduled from Wednesday through Friday.  At the beginning of the week, however, we began to see a concentrated phishing attack on our campus that eventually saw us addressing over 40 compromised accounts throughout our campus populations.  It was certainly an inopportune time for the scammers to choose my school as their target. Finally, we were all alerted to the Shellshock vulnerability on Thursday morning.  Given the week I was in, Shellshock was surely an appropriate choice of name.</p>
<p>A perfect storm to say the least.  Needless to say, we weathered the week, with great success in all areas.  However, as I reflected on the week while documenting our results and actions, it occurred to me that security needed to be in the forefront with three different populations simultaneously, for differing purposes and for different drivers.  It was an opportunity to provide (and demonstrate) value to the entire campus.</p>
<p>Firstly, the scheduled PCI assessment.  This is the key area where the security officer is dealing with a topic important to the Trustees, and the financial administration of the university. It is an opportunity to utilize your MBA skills, speak the language of the business, and demonstrate the value that security provides to the financial needs of the organization.  It is an opportunity to get in front of leadership without a “bad” thing happening. How often does that occur?</p>
<p>Secondly, responding to Shellshock (or any vulnerability). This is your interaction time with the highly technical areas of your organizations.  During a time of emerging threats, the security team is looked to for guidance and leadership.  We were out in front of the Shellshock conversation early, set the expectations of the day, planned our actions, provided support and information, and followed up with scans indicating success.</p>
<p>The conversations were deep, and sometimes contentious or anxious, but the results were achieved quickly and the threat mitigated.  When your technology team knows that they can look to security for leadership and guidance, future events will continue to go smoothly.</p>
<p>Finally, addressing widespread phishing attacks allows the security team to interact with all members of the community, including the faculty and students if at a university.  While oftentimes the security awareness messages may not be read and taken to heart as much as we would like them to be, during times when the community’s mailboxes are being hit with phishing, and many are falling for it, people are ready to listen.</p>
<p>Answering their (numerous) questions directly and with expertise provides them a window into the security role, and the value that security plays in the organization.  We also took the “opportunity” to understand exactly why our community falls for certain phishing attacks, and begin to tailor future awareness messages and methods appropriately.</p>
<p>So, an intense week?  Absolutely.  Were there issues that needed to be addressed that were not planned for?  Yes, and I’m sure that this happens to each of you, probably more often than we care to admit.  However, each opportunity such as this pushes us to higher levels of performance and expectation, and further deepens our impact on the success of the organization.  While it’s hard to see while in the midst of the work, you’ll see the silver lining upon reflection.</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-silver-lining-of-an-intense-security-week/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Thanks for the CISO Recognition (I think)</title>
		<link>/thanks-for-the-ciso-recognition-i-think/</link>
					<comments>/thanks-for-the-ciso-recognition-i-think/#respond</comments>
		
		<dc:creator><![CDATA[David Sherry]]></dc:creator>
		<pubDate>Mon, 28 Jul 2014 17:35:58 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16716</guid>

					<description><![CDATA[<p>Most of you reading this are security practitioners, and I can safely assume that each of you has discussed this topic at conferences and airports for years:  Is our role&#8230;</p>
<p>The post <a href="/thanks-for-the-ciso-recognition-i-think/">Thanks for the CISO Recognition (I think)</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Most of you reading this are security practitioners, and I can safely assume that each of you has discussed this topic at conferences and airports for years:  Is our role a thankless one, and one doomed for failure?</p>
<p>A recent article in the <a href="https://www.nytimes.com/2014/07/21/business/a-tough-corporate-job-asks-one-question-can-you-hack-it.html?_r=0">New York Times</a> on July 20, 2014<sup><span style="font-size: small;">1</span></sup> provided an objective look at the role of the CISO, and provided a peek into our world for the general public.  I had many friends forward it to me with comments as diverse as “is that what your job is like?” to “I didn’t know you made that much money!”  Let’s forget about the salary talk for this venue, and ask ourselves: how accurately did the article portray the role of the CISO in 2014?</p>
<p>It begins with “pity the poor information security officer,” moves towards how critical the role is to the enterprise at this time, and then ends with an anecdote of losing your job (after a third breach, mind you).  What a roller coaster ride! That, in essence, describes what the day-to-day role of the CISO is like, with all of its daily unknowns, and the highs and lows of providing security for an enterprise.</p>
<p>The article also talks of the need to be skilled in crisis management and communications.  That certainly is true, as we all will experience this at some point.</p>
<p>But think of how these skills impact us in our normal operating mission! Highly tuned communications are key to engaging the community at all levels, and the ability to manage and lead during any period of stress is something that gets noticed.</p>
<p>Both of these can make the CISO stand out in a crowd.  You may recall that in years past the security team was one to be avoided, but now the skills are necessary and marketable, and the CISO is one to be turned to when leadership, decisiveness and action is required.</p>
<p>The article has the elements of doom and gloom as it recounts breaches that led to the release of the CISO.  With words like pity, thankless, sacrificed and angst, and some of the CISOs answering a study that it was “the worst job they ever had,” I fear that the article will be an alarm for talented people that aspire to the CISO role as a career.</p>
<p>I’d answer to the contrary.  Like any role that has enterprise responsibility, there is stress and the need to perform at a high level.  While this may be a daily occurrence, it is an opportunity to provide value to the entire organization.  So while I’m thankful for the recognition that the article has brought, I don’t find the role of CISO one to pity.  I find it fulfilling, and one that I counsel young professionals to aspire to.  I hope that you do as well.</p>
<p><sup><span style="font-size: small;">1</span></sup> A Tough Corporate Job Asks One Question: Can You Hack It? New York Times, July 20, 2014. http://www.nytimes.com/2014/07/21/business/a-tough-corporate-job-asks-one-question-can-you-hack-it.html?_r=0</p>
]]></content:encoded>
					
					<wfw:commentRss>/thanks-for-the-ciso-recognition-i-think/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CISOs as Rock Stars. Really?</title>
		<link>/cisos-as-rock-stars-really/</link>
					<comments>/cisos-as-rock-stars-really/#respond</comments>
		
		<dc:creator><![CDATA[David Sherry]]></dc:creator>
		<pubDate>Tue, 17 Jun 2014 17:58:16 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16726</guid>

					<description><![CDATA[<p>Life as a Chief Information Security Officer can oftentimes be hard on the ego.  It is surely one career in which it is easy to fall in to an identity&#8230;</p>
<p>The post <a href="/cisos-as-rock-stars-really/">CISOs as Rock Stars. Really?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Life as a Chief Information Security Officer can oftentimes be hard on the ego.  It is surely one career in which it is easy to fall into an identity crisis (which is a different “identity management” than we are used to dealing with).</p>
<p>How many times have we heard that the position of a CISO is a thankless one? How often do we as CISOs go virtually unnoticed when all is well, only to find out that we are the main culprit (dare I say “target”?) when there is an incident?  A wise security sage once told me it was like being an umpire: you never get noticed until there is a bad call.</p>
<p>We can change that, and we have opportunities provided to us regularly.</p>
<p>We are all familiar with the greatest hits of 2014: the Heartbleed panic, XP’s end of life, and yet another IE issue. We could add a few more, but that would be for another article.</p>
<p>However, if you are like me, information security garnered a great deal of attention when these security concerns made it into the mainstream media.  As a result, for a few days after each event, my phone rang numerous times from members of my community that I rarely get an opportunity to engage with, my daily email stream became a deluge, and requests for my guidance and opinions saw a dramatic increase.</p>
<p>For about 72 hours after each of these events, the CISO became the rock star.  Yes, a rock star.  Everyone wanted my opinion on how such events impacted our organization.  Several of them wanted to know what they should do personally.  Another subset actually took the opportunity to dig deeper into other areas of security.  Now, truthfully, how often do you get to have meaningful conversations with the people you secure about overall information security?</p>
<p>So what does this mean to us as security practitioners?  It means that those we serve look to us for guidance.  They want to know that we are there to help them, and they understand that we are the go-to people when their lives are impacted through technology.  We are the ones they rely upon to cut through the noise, hype and jargon.  More and more of our communities are realizing that technology is no longer just a tool for their use, but it has become something they must pay attention to relative to security and privacy. We are the ones with the answers for them.</p>
<p>So when the next unexpected security event hits us, and our schedule and routine gets completely pushed aside for us to address yet another issue, prepare for the calls and requests that you will receive from a curious or panicked community.  Encourage these calls.  Tell them that you are there to help, and are happy to provide the insight and sense of calm that they need.  For a few days, be thankful that you are the rock star that they are looking for, and that you can fulfill this role.</p>
<p>You are a rock star.  Really!</p>
<p><em>David Sherry is the Chief Information Security Officer at Brown University in Providence, RI.  He has institutional responsibilities for all areas of information security and privacy, and plays a key role in the records management program, regulatory compliance, and copyright law.  Prior to moving to higher education he spent several years in financial services, with responsibilities for enterprise security governance and regulatory compliance, access controls and operations, identity management, and the security awareness program.  A graduate of Providence College and Northeastern University, with certifications of CISSP and CISM, he is a frequent conference speaker on emerging security topics and best practices, as well as a guest-lecturer throughout the academic year at several New England institutions.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>/cisos-as-rock-stars-really/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
