As security practitioners, we know that nary a day goes by when our schedule for the day (or week) goes as planned. There is always an alert to address, an attack to thwart, an email that takes priority or a senior leader that needs data right away. We’ve all experienced this, and we are only successful when we can adapt on the fly and maintain our deadlines, all while fighting fires.
Recently I had a week that was quite out of the ordinary in terms of impact. It truly was a perfect storm of events that demanded attention, time, resources and leadership.
While in the midst of the storm it was difficult to see above the waves, as every ounce of effort was necessary to ensure that all tasks were being accomplished and that risk was being mitigated.
However, in very quick hindsight, there was certainly a silver lining. The week allowed security to be in front of the entire organization, through separate constituencies, and for different reasons. It was a rare opportunity to have the breadth of the security function on display simultaneously.
Let me briefly give you a box score of the week that was. Our organization was scheduled for our yearly PCI-DSS on-site assessment. This absorbed approximately twenty-two hours of calendar time scheduled from Wednesday through Friday. At the beginning of the week, however, we began to see a concentrated phishing attack on our campus that eventually saw us addressing over 40 compromised accounts throughout our campus populations. It was certainly an inopportune time for the scammers to choose my school for their target. Finally, we were all alerted to the Shellshock vulnerability on Thursday morning. Given the week I was in, Shellshock was surely an appropriate choice of name.
A perfect storm to say the least. Needless to say, we weathered the week, with great success in all areas. However, as I reflected on the week while documenting our results and actions, it occurred to me that security needed to be in the forefront with three different populations simultaneously, for differing purposes and for different drivers. It was an opportunity to provide (and demonstrate) value to the entire campus.
Firstly, the scheduled PCI assessment. This is the key area where the security officer is dealing with a topic important to the Trustees, and the financial administration of the university. It is an opportunity to utilize your MBA skills, speak the language of the business, and demonstrate the value that security provides to the financial needs of the organization. It is an opportunity to get in front of leadership without a “bad” thing happening. How often does that occur?
Secondly, responding to Shellshock (or any vulnerability). This is your interaction time with the highly technical areas of your organization. During a time of emerging threats, the security team is looked to for guidance and leadership. We were out in front of the Shellshock conversation early, set the expectations of the day, planned our actions, provided support and information, and followed up with scans indicating success.
The conversations were deep, and sometimes contentious or anxious, but the results were achieved quickly and the threat mitigated. When your technology team knows that they can look to security for leadership and guidance, future events will continue to go smoothly.
Finally, addressing widespread phishing attacks allows the security team to interact with all members of the community, including the faculty and students if at a university. While oftentimes the security awareness messages may not be read and taken to heart as much as we would like them to be, during times that the community’s mailboxes are being hit with phishing, and many are falling for them, people are ready to listen.
Answering their (numerous) questions directly and with expertise provides them a window into the security role, and the value that security plays in the organization. We also took the “opportunity” to understand exactly why our community falls for certain phishing attacks, and begin to tailor future awareness messages and methods appropriately.
So, an intense week? Absolutely. Did issues need to be addressed that were not planned for? Yes, and I’m sure that this happens to each of you, probably more often than we care to admit. However, each opportunity such as this pushes us to higher levels of performance and expectation, and further deepens our impact on the success of the organization. While it’s hard to see while in the midst of the work, you’ll see the silver lining upon reflection.