Did you know you need just three resources to build a highly effective security program? It’s true. Your success will be highly contingent upon how you leverage people, process and technology.
Perhaps it is the rule of three that makes this all gel, but if you take proper care of these three elements, everything else should fall into place. What’s more, I’m a proponent of leveraging the resources in the order presented: people are your greatest asset, but they need process to accomplish their goals, with underlying technology to support them. When all three work in harmony, great things can be accomplished.
Over the course of my career as an IT and InfoSec leader, I’ve learned a few things about how to strengthen the pillars of people, process and technology, and I now pass along my tips to you.
PEOPLE
Many companies often claim, “Our people are our greatest assets.” I couldn’t agree more. That’s why we need to nurture and encourage people every step of the way, and that includes personal development.
For people in management and other leadership roles, strong and effective leadership traits are a must. As a former psychotherapist, I learned that good leaders take a strength-based perspective: they identify each team member’s strengths and apply them where the program gains the most. In doing so, employees’ self-confidence tends to grow, their weaknesses matter less, and as a result, business gains can be maximized. However, leaders need to avoid “me-dership” (i.e., focusing on self instead of team) and instead should focus on servant leadership and becoming mentally strong leaders.
In managing our teams, we need to keep in mind that InfoSec folks need to focus on innovation and not just “keeping the lights on.” There will always be another audit, another firewall rule change, another incident investigation, etc. It’s important to give people a chance to take the time needed to focus on collaborative skills and to develop soft skills and not just more technical skills.
I’ll talk in a moment about outsourcing some common activities to a managed security service provider (MSSP). Doing this frees up your own technical people from doing mundane tasks and allows them to move into more challenging, more fulfilling roles. This is one of the best strategies you can employ to retain your prized security staff. If they are challenged and they like their work, they are less likely to leave for a different opportunity elsewhere.
In addition to providing personal development opportunities to InfoSec employees, every CISO is accountable for providing the entire workforce with cybersecurity job skills and awareness training. Too many companies subject their employees to mandatory online training that looks great for checkbox compliance but doesn’t move the needle when it comes to strengthening the organization’s human firewall. Most workforce members and InfoSec pros alike understand that generic education content can apply to everyone, but this isn’t a “one and done” tactic. As effective CISOs know, you need much more to succeed. Training workforce members in how to be more secure in their specific job function is where you want to be for maximum impact and retention.
A better way to approach the workforce is to serve them TEA—Training, Education and Awareness. Think of training as specific, spot learning, such as teaching someone what phishing messages look like. Education is a broader program that gets people to see the big picture; for example, the ramifications of phishing messages and how they can lead to a company data breach. Awareness is what you do to help promote a security culture; i.e., the things they do and practice every day to keep the business safe. A good security education program will encompass all facets of TEA.
An important aspect of awareness training is to emphasize that employees should feel comfortable reporting anything suspicious that is happening or has happened. If someone clicked a suspicious link, they should feel a responsibility to come forward and report it so that security analysts can look into the situation. When everyone has that “see something, say something” mentality, the whole organization can be more secure.
Jim Routh, Chief Security Officer at Aetna and Chairman of the Board of the National Health ISAC, summed it up perfectly when asked about how many of his company’s employees are part of his security team. His answer: all of them. Yes, every employee in the company should feel and demonstrate ownership of information security.
PROCESS
In a short article like this, it’s not possible to be comprehensive about the process aspect of information security, so I’ll keep to a few nuggets that I have found to be very effective in my situation.
A prime area where it’s possible to begin mitigating risk is with contractual statements you put in vendor agreements. Third party risk is of high concern to enterprises today, largely because it’s often a lapse in control. However, smart statements in the contract can bring control back to your enterprise. Three of my favorite stipulations to put into contracts pertain to a renewal clause, audits, and penetration testing.
When we establish a contract, we put in a renewal clause that says that any price increase will be limited to 5% of the Consumer Price Index. Then we know that a vendor isn’t low-balling the contract in the first year, only to hammer us with a huge increase in ensuing years. I would hate to base my valuation of a cybersecurity solution on a low initial price, only to have the cost increase significantly once the solution is entrenched in our environment.
On the security side of contractual statements with companies that will host or process our data, I ask for the right to do a penetration test of the vendor’s platform, and I ask that they send complete audit reports pertaining to their environment. If the vendor balks at the pen test, I offer to do it for them, which usually changes the conversation to one where they welcome the scrutiny of their systems. It’s to the benefit of both parties – us and them – to know if vulnerabilities exist so they can be addressed.
As for audit reports, we want to see full reports, not summary statements that don’t give us enough insight into their key risks and issues they are dealing with. The way I see it, a third party’s risks are my risks and I need to know about them.
I think the Office for Civil Rights (OCR) phase 2 audits for HIPAA have proven that not only is risk analysis important, but risk management and subsequent risk remediation are paramount. OCR really dinged many covered entities for documentation shortcomings after the risk analysis. Doing a risk analysis and comprehensively developing a risk register can be done without much complexity by referencing NIST SP 800-30, which covers risk assessments and how to conduct them. My company developed an Excel spreadsheet with a macro that quantitatively ranks our risk register. Once that is completed and OCR comes knocking, we have a quantitative score for each risk we carry, and we also track the remediation of these items.
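The article’s spreadsheet macro is not published, so the following is an added example, not the author’s code, of what a quantitative risk register ranking looks like in Python. It assumes a five-level qualitative scale (very low to very high) mapped to the values 1 through 5, scores each entry as likelihood times impact, ranks the register, and, to address the documentation point OCR dinged entities on, flags open risks with no recorded remediation, overdue remediation, and closed risks with no residual rating. The register entries themselves are constructed sample data.

```python
"""Quantitatively rank a risk register and flag documentation gaps.

Added example: the SAMPLE_REGISTER entries and the 1-5 scoring scale are
constructed assumptions for illustration, not the article's own
spreadsheet or its macro.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed five-level qualitative scale mapped to semi-quantitative values.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str          # one of LEVELS
    impact: str              # one of LEVELS
    remediation: str = ""    # documented plan or completed action
    status: str = "open"     # open | in progress | closed
    due: Optional[str] = None                  # ISO date remediation is due
    residual_likelihood: Optional[str] = None  # rating after remediation
    residual_impact: Optional[str] = None


def score(likelihood: str, impact: str) -> int:
    """Semi-quantitative risk value: likelihood x impact on the 1-5 scale."""
    return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]


def inherent_score(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual_score(risk: Risk) -> int:
    """Risk remaining after remediation; falls back to the inherent score
    when no residual rating has been recorded yet."""
    if risk.residual_likelihood and risk.residual_impact:
        return score(risk.residual_likelihood, risk.residual_impact)
    return inherent_score(risk)


def rank_register(register: List[Risk]) -> List[Risk]:
    """Highest inherent risk first; ties broken by risk id for stable output."""
    return sorted(register, key=lambda r: (-inherent_score(r), r.risk_id))


def documentation_gaps(register: List[Risk], today: str) -> List[Tuple[str, str]]:
    """Items an auditor would ding: open risks with no documented remediation,
    overdue remediation, or closed risks with no residual risk rating."""
    now = date.fromisoformat(today)
    gaps = []
    for r in register:
        if r.status != "closed" and not r.remediation.strip():
            gaps.append((r.risk_id, "no documented remediation"))
        elif r.status != "closed" and r.due and date.fromisoformat(r.due) < now:
            gaps.append((r.risk_id, "remediation overdue"))
        elif r.status == "closed" and not (r.residual_likelihood and r.residual_impact):
            gaps.append((r.risk_id, "closed without residual risk rating"))
    return gaps


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Risk("R-001", "Laptops holding PHI are not encrypted", "high", "very high",
         remediation="Deploy full-disk encryption", status="in progress",
         due="2024-06-30"),
    Risk("R-002", "Vendor SFTP accounts lack MFA", "moderate", "high"),
    Risk("R-003", "Stale administrator accounts", "high", "moderate",
         remediation="Quarterly access review", status="closed",
         residual_likelihood="low", residual_impact="moderate"),
    Risk("R-004", "Phishing of payroll staff", "very high", "moderate",
         remediation="Phishing simulation plus targeted training",
         status="in progress", due="2024-01-31"),
]


if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.risk_id} inherent={inherent_score(r):2d} "
              f"residual={residual_score(r):2d} {r.status}: {r.description}")
    for risk_id, reason in documentation_gaps(SAMPLE_REGISTER, "2024-05-01"):
        print(f"GAP {risk_id}: {reason}")
```

The ranking drives prioritization, while the gap report is what you would want to have empty before an auditor asks for evidence that each identified risk has a documented remediation and a recorded outcome.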
TECHNOLOGY
In my opinion, technology is probably the least important component of a security program, but many people jump there first because it is what we are most comfortable with—especially if we have come from a technical background. A lot of security people, especially on the engineering side, love the promise of tools. You definitely have to have technology as part of your security program, but I think it should be one of the less emphasized resources.
That said, I do think there are some important technologies that should be a part of a good security program. For example, a strong secure email gateway is necessary to stop a variety of threats that arrive via email messages. We have also committed to implementing DMARC (Domain-based Message Authentication, Reporting and Conformance), the global standard for email authentication, to help reduce unwanted and malicious email, both inbound and outbound. It’s simply a defense-in-depth strategy for securing email.
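A DMARC deployment is only as strong as the policy record the domain publishes, so as an added example (not from the article or any vendor) here is a small Python checker that parses a DMARC TXT record and reports the settings that leave a domain in monitoring mode rather than enforcement: p=none, a pct below 100, no rua address to receive aggregate reports, or a subdomain policy weaker than the organizational one. The sample records are constructed; a real check would read the TXT record at _dmarc.<your-domain> and pass its text to assess_dmarc.

```python
"""Check a DMARC TXT record for weak settings.

Added example. The records below are constructed for illustration; in
practice the record is published as a TXT record at _dmarc.<domain>.
"""

# Enforcement strength of the three DMARC policy values (RFC 7489).
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of finding codes; an empty list means fully enforcing."""
    tags = parse_dmarc(record)
    findings = []

    # The version tag must be first, or receivers ignore the record entirely.
    first = record.strip().split(";")[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        findings.append("invalid-version")
        return findings

    policy = tags.get("p", "").lower()
    if policy not in POLICY_STRENGTH:
        findings.append("missing-or-unknown-policy")
        return findings
    if policy == "none":
        findings.append("monitor-only-policy")  # spoofed mail is still delivered

    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("partial-enforcement")  # policy applied to a sample only

    if "rua" not in tags:
        findings.append("no-aggregate-reports")  # no visibility into abuse

    subdomain_policy = tags.get("sp", policy).lower()
    if POLICY_STRENGTH.get(subdomain_policy, -1) < POLICY_STRENGTH[policy]:
        findings.append("subdomain-policy-weaker")  # subdomains can be spoofed

    return findings


# Constructed sample records: a typical first-day record and a hardened one.
WEAK_RECORD = "v=DMARC1; p=none"
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
    "rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com"
)


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(f"{label}: {assess_dmarc(rec) or ['ok']}")
```

Moving from p=none to p=reject is normally done in stages while the aggregate (rua) reports are reviewed, which is why a missing rua tag is flagged even on a record that already enforces: without the reports you cannot see which legitimate senders are failing alignment.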
We utilize phishing simulation technology to test our employees’ awareness of phishing threats. We follow up with more training for people who fail the tests. We track percentages and get quarterly metrics to gauge the success of this program and to ensure we are reducing our susceptibility to threats that hit our human firewall.
My company leverages managed security services providers (MSSPs) for many of our mundane activities, like patching on the desktop, and monitoring DLP and SIEM. We also have a contract for forensic services in the event of a security breach. Using MSSPs provides us several benefits. One, it frees up our own security professionals to do higher level work, which in turn helps keep them engaged and satisfied with their jobs. So, this helps with reducing employee turnover. Another benefit of using MSSPs is that it’s a fixed-cost expense that we can budget for each year. We find that a service provider can generally provide many services less expensively and at a higher maturity than we could do them ourselves, making it an easy cost justification.
One technology we’ve found very beneficial for protecting our endpoints is user behavior analytics (UBA). We are exploring using an MSSP to help us fully mature and get more value from the UBA product in a short time period, rather than taking years to get where we want to be.
Some enterprises are hesitant to take a chance on technology from startup companies. I advocate finding a team of eager developers with a new product and helping them build a product tailored to your own needs. Add the contract clause about capping the renewal cost, and you end up with your own managed services, highly customized for your business, at better than market rates.
CONCLUSION
It’s impossible to write a fully comprehensive article on everything to consider for People, Process and Technology. I hope I’ve given you insight to some of the aspects of “PPT” that have proven effective for my own organization’s information security program.