No network to defend: A data-centric approach to infosec, Part 1 – People

Cybersecurity is a 24/7, multi-front commitment. It’s no longer enough to assume the presence of a traditional, well-defined network that’s defensible from attack during normal business hours, since today’s teams can operate anytime and anywhere, often from the devices of their choice. The entire notion of a network perimeter has accordingly fractured along several fault lines:

  • Mobile endpoints enable easy access to key company resources. In a 2016 Syntonic survey of C-level executives, 68 percent of respondents reported their employees spent four of more hours weekly using smartphones for business purposes.
  • Cloud computing has lessened companies’ direct control over compute, storage and networking resources. The 2018 Spiceworks State of IT report found cloud/hosted services accounted for 21 percent of the typical IT budget, nearly even with software.
  • Popular communication options, including instant messaging and video conferencing, are essential for modern collaboration, yet they also expand the attack surface. Phishing and surveillance frequently exploit widespread reliance on these tools.

Security strategy must address these challenges head-on. In this three-part series, we will look at the different bases organizations now have to cover in ensuring information security, starting with their personnel. Some degree of human error is unavoidable, but the associated risks can be mitigated by conducting useful trainings, getting buy-in from leadership and eliminating organizational silos.

Security awareness training: Everyone must be involved

For cyberattackers, enticing someone into clicking a suspicious link or entering his or her credentials into an unsecured form is much easier than bypassing advanced defenses. A 2018 Microsoft report even identified email phishing as the most common attack type. Since such threats can target anyone, security awareness training must span the entire company, from the board to the front desk.

Effective training should go beyond just viewing slides with harrowing statistics on them. It should include:

  • Simulations of phishing and other attacks, like social engineering.
  • Options for remedial courses for anyone struggling to avoid these risks.
  • Follow-up tests and peer-based collaboration to keep everyone current.

These features help reduce the dangers from attack vectors targeting people, in turn mitigating risk to the sensitive information they work with.

 

Executive buy-in: An uphill struggle worth winning

Despite the clear evidence of the costs of security breaches – the Ponemon Institute has estimated a $3.62 million price tag for the average incident – it’s not always easy to convince leadership to invest in cybersecurity training and technical solutions. Cost is not the only issue, either. Executives might regard the time needed to rethink security strategy as secondary to other priorities, especially in today’s complex threat landscape.

“Security awareness training must span the entire company.”

Overcoming this mentality often requires presenting cybersecurity as an essential business function, such as accounting or logistics, instead of as something walled-off from everything else. Technical security jargon and acronyms, while important in some contexts, should probably be shelved when making a direct case to the C-suite.

Clear metrics and visuals can also help, along with internal or external security audits. The 2018 Internal Audit and Capabilities and Needs Survey from Protiviti found cybersecurity had become one of the top eight audit priorities, along with cloud computing.

Silos: How removing them promotes stronger security

Cybersecurity affects everyone in the organization. However, attempts at getting all teams onboard with security education and updates can quickly stall because of organizational silos, which isolate decision-making, impede communication and result in inefficiently duplicated (or even conflicting) workflows.

An entire movement in the software world, called DevOps, emerged to confront these challenges and became one of the defining IT trends of the early 2010s. Similar cross-functional collaboration is necessary for comprehensive coverage against security threats. Sales, marketing, HR, legal: Every department needs to be on the same page when it comes to upholding best practices for data protection.

In the next part of this series, we will look at the role of governance processes in information security. Be sure to take a look at our Services page for additional background on how Inspirage can help you modernize your infrastructure and processes.

 

Norm Messenger | Key Contributor

Norm is the Chief Security Officer For Inspirage. He is also an experienced aerospace and defense professional with more than 30 years of experience in federal and commercial program management, integrated logistics support, IT systems development, financial management, and operations research. He has been a Solution Director for Oracle and Inspirage focusing on service lifecycle management and supply chain management solutions for large enterprise customers. Norm blogs on a variety of topics across these domains.