BUILDING THE BRIDGE TO A CYBERCULTURE- Revisiting Cybersecurity Plan

If we learned anything from the Equifax hack that affected 143 million people, it’s that the CEO (along with the rest of the C-suite) needs to be concerned as much about cybersecurity as the chief information security officer (CISO). More organizations realize that they need to better integrate security practices into their business operations to help combat the increasingly complex threats attacking their networks — and their brand reputations. This shift has given rise to the concept of the cybersecurity culture, in which all users, from entry-level personnel to executive leadership, are responsible for helping maintain the integrity of data assets.

Revisiting Cybersecurity by Introducing Cyberculture

WHERE THREATS ORIGINATE

Wade Baker, an associate professor of integrated security and a cybersecurity researcher in Virginia Tech’s Online Master of Information Technology program, describes today’s breed of cybersecurity threats as falling into four categories:

Insiders, either employees of the company or employees of trusted partners and contractors;

Cybercriminals, the people who send out spam and phishing emails to gain entry to the corporate networks;

Cyberespionage, including nation against nation, nation against company and even company against company, with the intent of stealing intellectual property or other confidential information;

Activists, people who use the internet to launch a protest or deface websites of organizations they oppose.

That’s a wide swath. What makes fighting the bad guys a “whole company issue,” says Baker, is that everybody’s a target. “Take a phishing email, which is used in cybercriminal activity and cyberespionage campaigns. If the employee clicks on it, then their computer is infected, and it spreads from there to compromise other computers and servers throughout the network.”

DEVELOPING THE CYBERSECURITY CULTURE

Smart companies have learned that helping employees understand that they’re part of the security picture is much more effective than, for example, making them sit through an annual slideshow about security. That practice isn’t going to change behavior, he insists. Baker, who for many years led development of Verizon’s annual Data Breach Investigations Report, points to a specific data point that surfaced in that research.

“When you look at how data breaches are detected, what has found more breaches than intrusion detection systems were employees happening to notice things that were suspicious [and] then investigated.”

TIP: “If you can help employees feel like [they’re] part of the defense of the organization … you get more buy-in and more of a security culture.” As an example, Baker advises adding gaming elements in training to make it more engaging.

TIP: One example: to stop “tailgating” — the practice of one badged person allowing others to follow right behind when going through a locked door (a physical security breach) — “gamify it a little bit and say, ‘We’re going to be walking through the building and someone will try to tailgate you, and you’ll get $100 if you challenge them.’” That changes the conversation, he explains, from “I’m challenging you because I don’t trust you and don’t like you and I’m a jerk,” to, “Hey I’m just trying to win $100.” “Everybody has that shared understanding,” he says.

Retired US Navy Rear Admiral David Simpson, who will be instructing Virginia Tech students in a course on cybersecurity risk in the spring, advises “judicious deployment of ‘red teams.’”

TIP: These are third-party or in-house experts who play the role of white-hat hackers to uncover ways systems and services in the company can be compromised [by] extracting data, denying availability of critical services or “replacing truth with an agenda that would be harmful.” The reason Simpson likes the red team approach is that it helps “capture the attention of your various divisions in a language they understand: ‘You couldn’t get the car off the assembly line for three days because you lost control of your robotic arms? Hey, I understand that. No cars off the assembly line. Really bad.’”

WHAT TO DO ABOUT THE INTERNET OF THINGS

Not everyone who is pursuing a master’s degree in IT wants to commit to becoming a cybersecurity professional, says Kendall Giles, an assistant professor of practice in Virginia Tech’s MIT program. “Yet in today’s world, I think certainly every MIT student should come out of the program with a basic understanding of security.” To provide that foundation, Giles teaches a semester-long security fundamentals course titled Cybersecurity and the Internet of Things, which uses a case study approach to concentrate on the main principles. As he explains, IoT is the common lingo we use to describe taking internet-connected sensors and putting them on devices that can compute and gather data. Yes, he acknowledges, sensors allow companies to gather data more easily, but IT and business leaders also need to remember that each of those devices possibly has vulnerabilities. “[I]f it’s easier for you to gather data, it’s easier for the malicious hackers to gather that same data and use it,” Giles says.

Because IoT involves physical devices, the traditional cybersecurity principles that stress confidentiality, integrity and availability also need to encompass safety now. That changes how companies should approach security, Giles says.

TIP: For one, the chief cybersecurity officer needs to work with the chief security officer in charge of physical security to develop a coordinated plan of action in the event of an attack.

Second, given limited resources, organizations need to prioritize their critical assets and put in control mechanisms to protect those above all others. But the most effective way to address security concerns is to become educated, Giles says.

TIP: “Everything in our lives is online,” he stresses. “We can no longer afford not to understand the basic principles of security.”

TIP: When that’s the lesson, he adds, nobody needs to be a cyber expert to know they have a responsibility to help prevent such failures.

David Raymond, a faculty member for VT-MIT’s online graduate program as well as deputy director of the university’s IT Security Lab, urges his master’s students to understand that business and cybersecurity need to work together.

TIP: While the cybersecurity team is busy putting together a layered approach with multiple levels of defense and checks and balances, the business side needs to help them prioritize the risks so they know where the work needs to focus.

TIP: When a security event occurs, too often he sees organizations treat it as a natural disaster, something out of the company’s control. Better, he asserts, to “treat it as some level of failure. Somebody failed to do something that caused it to happen.”

In the case of Equifax, a web application vulnerability that wasn’t fixed in March, when the patch was available, led to the May break-in and theft. Former CEO Richard Smith told a Congressional committee that a single employee was to blame. That response drew bipartisan condemnation. As one representative asked during the hearing, according to The New York Times,

“How does this happen when so much is at stake? I don’t think we can pass a law that, excuse me for saying this, fixes stupid. I can’t fix stupid.” Raymond likens such mass cyber break-ins to a bridge falling into the water.

“That is going to cause investigations, lawsuits, and the company that built that bridge is going to be out of business.”

In civil engineering, he says, “there’s a compliance infrastructure and requirement that these things be engineered in a certain way. Security engineering just hasn’t gotten to that level of maturity.”

TIP: How can companies mature? One step Raymond recommends is adopting a “robust security framework” — a strong process for securing systems. An example is CIS Controls, produced by the Center for Internet Security, which is a prioritized set of actions for securing the organization’s infrastructure and its data.

TIP: “It starts with relatively simple things, like having a full inventory of the computing devices that should be connected to your network, and then periodically auditing your network to make sure there aren’t any unauthorized computing devices connected to it,” he says. The point is to pick something and then do it. “You shouldn’t be making it up as you go along,” he says.
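Raymond’s inventory-and-audit step in working form, as an added example that is not from the article, from Virginia Tech, or from the CIS Controls themselves: a Python script that reconciles an authorized-device inventory against what is actually seen on the local network segment, flagging devices that are present but not inventoried and devices that are inventoried but not present. The inventory, the hostnames, the IP and MAC addresses, and the `ip neigh` (Linux ARP/neighbor table) dump below are all constructed sample data so the script runs offline; in a real audit the inventory would come from an asset database and the observations from a live scan.

```python
"""Reconcile an authorized-device inventory against the devices actually
observed on the network (a CIS Control 1 style audit).  Added example; the
inventory and the neighbor-table dump are constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed inventory: what *should* be on the network, keyed by MAC.
AUTHORIZED_INVENTORY = {
    "aa:bb:cc:00:00:01": "fileserver-01",
    "aa:bb:cc:00:00:02": "workstation-hr-07",
    "aa:bb:cc:00:00:03": "printer-2f",
    "aa:bb:cc:00:00:04": "badge-reader-lobby",  # IoT device, inventoried too
}

# Constructed `ip neigh show` output.  It deliberately contains an unknown
# device, an upper-case MAC, and a FAILED entry that carries no MAC at all.
NEIGH_DUMP = """\
10.0.1.10 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.0.1.23 dev eth0 lladdr AA:BB:CC:00:00:02 STALE
10.0.1.44 dev eth0 lladdr aa:bb:cc:00:00:03 REACHABLE
10.0.1.99 dev eth0 lladdr de:ad:be:ef:13:37 REACHABLE
10.0.1.250 dev eth0  FAILED
"""

# One `ip neigh` line: <ip> dev <iface> lladdr <mac> <state>
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<iface>\S+)\s+lladdr\s+"
    r"(?P<mac>[0-9a-fA-F:]{17})\s+(?P<state>\S+)"
)


@dataclass(frozen=True)
class Observed:
    ip: str
    mac: str
    iface: str
    state: str


def parse_neigh(dump: str) -> list[Observed]:
    """Parse `ip neigh` lines into Observed records.

    Entries without a link-layer address (FAILED / INCOMPLETE) are skipped,
    and MACs are normalized to lower case so the comparison is exact."""
    seen: list[Observed] = []
    for line in dump.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        seen.append(Observed(m["ip"], m["mac"].lower(), m["iface"], m["state"]))
    return seen


def audit(inventory: dict[str, str], observed: list[Observed]) -> dict:
    """Return two lists: devices seen but not inventoried ('unauthorized')
    and inventoried devices that were not seen ('missing')."""
    inv = {mac.lower(): name for mac, name in inventory.items()}
    seen_macs = {o.mac for o in observed}
    unauthorized = [o for o in observed if o.mac not in inv]
    missing = sorted(name for mac, name in inv.items() if mac not in seen_macs)
    return {"unauthorized": unauthorized, "missing": missing}


if __name__ == "__main__":
    result = audit(AUTHORIZED_INVENTORY, parse_neigh(NEIGH_DUMP))
    for o in result["unauthorized"]:
        print(f"UNAUTHORIZED {o.ip} {o.mac} on {o.iface} ({o.state})")
    for name in result["missing"]:
        print(f"MISSING      {name} (inventoried but not seen)")
```

Two caveats a practitioner would apply before trusting the output. A neighbor table only lists hosts that recently exchanged traffic with the auditing machine on its own segment, so for real coverage the `observed` list should be fed from switch MAC-address tables, DHCP lease logs or 802.1X accounting across every VLAN. And a MAC address is trivially spoofed, so an “unauthorized” hit is a lead to investigate and a “missing” device is a prompt to check whether it was decommissioned without updating the inventory, not proof either way.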

FORMING BRIDGES

TIP: The most important driver for changing culture, however, is getting the two sides, business and information security, to work better together. Baker’s research has shown that while company boards understand and value cybersecurity, the CISO often cannot explain it to them.

“The board is craving this information. They need to know the organization is secure,” Baker says. “The CISO doesn’t really know how to explain it to them in a way they understand.” That, in turn, leads to a lack of trust, confidence and willingness to fund what needs to be done. As a result, he adds, cybersecurity initiatives don’t end up “in the right place.”

That’s why technical and business training courses with a major dose of cybersecurity instruction are so critical, Baker says. “It’s common that you have pure business with no technical and technical with no business. When you have people who live in both worlds, they’re valuable in an organization because they form a bridge.”

86 thoughts on “BUILDING THE BRIDGE TO A CYBERCULTURE- Revisiting Cybersecurity Plan”

  1. Great post; however, I was wondering if you could write
    a little more on this topic? I’d be very thankful if you could elaborate a little bit more.
    Appreciate it!

  2. Woah! I’m really enjoying the template/theme of this
    blog. It’s simple, yet effective. A lot of times
    it’s hard to get that “perfect balance” between user friendliness and appearance.
    I must say you’ve done a very good job with this. In addition, the blog loads super
    quick for me on Chrome. Excellent Blog!

  3. Thanks, actually I have multiple sites on the same server, so I switched off this site for quite some time; soon I will update it!

    1. It’s added by default. Download your website using plugins, reinstall this site and upload your comments again if you had any.

  4. I’m not sure why but this website is loading extremely slow for me.

    Is anyone else having this issue or is it an issue on my end?
    I’ll check back later and see if the problem still exists.

  5. Having read this I thought it was very enlightening.
    I appreciate you taking the time and energy to put this content together.

    I once again find myself spending a lot of time both reading and posting comments.
    But so what, it was still worth it!

  6. Appreciating the commitment you put into your website and detailed
    information you offer. It’s awesome to come across a blog every once in a
    while that isn’t the same unwanted rehashed material.
    Great read! I’ve bookmarked your site and I’m adding your RSS feeds to my Google account.

  7. Hi! I realize this is kind of off-topic but I had to ask.
    Does running a well-established blog like
    yours require a large amount of work? I am completely new to blogging but I do write in my journal every day.
    I’d like to start a blog so I will be able to share my experience and thoughts online.
    Please let me know if you have any ideas or tips
    for brand new aspiring bloggers. Appreciate it!

  8. Hi there! Someone in my Facebook group shared this site with us so I
    came to give it a look. I’m definitely loving the information. I’m book-marking and
    will be tweeting this to my followers! Excellent blog and terrific design and style.

  9. Simply want to say your article is amazing. The clearness in your post is simply cool and I could
    assume you are an expert on this subject. Well, with your permission allow me
    to grab your RSS feed to keep up to date with forthcoming
    posts. Thanks a million and please carry on the enjoyable work.

  10. I am really inspired with your writing talents and also with
    the format of your weblog. Is this a paid
    theme or did you customize it yourself? Anyway, keep
    up the excellent quality writing; it is uncommon to see a nice weblog like this one these days.

  11. Hello there, I am so excited I found your webpage. I really found you by accident,
    while I was browsing on Aol for something else.
    Anyhow, I am here now and would just like to say
    thanks for a fantastic post and an all-round thrilling blog (I also love the theme/design). I don’t have time to read it all at the
    minute but I have book-marked it and also included your RSS
    feeds, so when I have time I will be back to read more. Please do
    keep up the superb job.

  12. Great goods from you, man. I have understood your stuff previously
    and you’re just extremely magnificent. I really like what you’ve acquired here, certainly
    like what you’re stating and the way in which you say it.
    You make it enjoyable and you still manage to keep it wise.
    I can’t wait to read much more from you. This is really a wonderful site.

  13. After I initially left a comment I appear to have clicked
    on the -Notify me when new comments are added- checkbox and from
    now on every time a comment is added I get four emails
    with the same comment. Is there a way you can remove me from that service?
    Thank you!

  14. Hello there, I found your blog by way of Google while searching for a similar topic. Your website came up,
    and it appears to be great. I have bookmarked it in my Google bookmarks.

    Hello there, I was simply alerted to your blog through Google, and found that it’s really informative.

    I am going to be careful for brussels. I will be grateful if you proceed with this in future.
    Numerous other people will benefit from your writing.
    Cheers!

  15. It’s a shame you don’t have a donate button! I’d most certainly donate to this fantastic blog!
    I guess for now I’ll settle for bookmarking and adding your
    RSS feed to my Google account. I look forward to fresh updates
    and will share this website with my Facebook group. Talk soon!

  16. I know this is off topic but I’m looking into starting my own weblog and was curious what all is required to get set up?
    I’m assuming having a blog like yours would cost a pretty penny?
    I’m not very web savvy so I’m not 100% certain. Any suggestions or advice
    would be greatly appreciated. Cheers

    1. Starting a blog site is not difficult these days. Of course it costs; again, it depends on how much you can spend! Different solutions are there in the market depending on your expertise level.
      1. Try Godaddy if you have no experience at all (you can purchase the domain and space for your WordPress-based blog site in one go).
      2. Linode (a cheaper service, but you need some training using the stuff on their website).

      In addition to all this, you can find different services which are easy to use, but remember easiness is inversely proportional to cost.

  17. Wonderful blog! I found it while searching on Yahoo News.
    Do you have any suggestions on how to get listed in Yahoo News?
    I’ve been trying for a while but I never seem to get there!
    Appreciate it

  18. This design is spectacular! You definitely know how to keep a reader entertained.

    Between your wit and your videos, I was almost moved to start my own blog (well,
    almost…HaHa!) Excellent job. I really enjoyed what you had to say,
    and more than that, how you presented it. Too cool!
