Well, it has been a while since I post here or write anything for any publication for that matter. I have been wanting to get back to it and thought hat my notes on this session that I attended would be a great start. I already have other content that I have written and will be posting more consistently and frequently. Writing is something that I have always enjoyed because I learn and hopefully give back to our community in the process. Here we go...
The Executive Leadership Roundtable
Last Friday 9/4/15 I had the privilege to participate in the second annual Tech Coast Conference as a speaker in the Executive Leadership Roundtable presenting and leading a discussion with CIOs, CISOs and other leaders around Information Security alongside my peer Kirk Hale, Director of Information Technology and CISO at Brooks Rehabilitation.
In this format both Kirk and I presented a topic which was immediately followed by a discussion on it where we challenged the audience with a question so that we could hear what ideas came out that could be useful to everyone (whole session went almost two hours with a very engaged audience). Here are my key take away:
World Class Security in a Budget – Kirk Hale
- World Class (Best In Class in Regency Center’s world, the organization I work for) is defined by your organization who you want to be. However, you should also keep an eye on what your industry and local community peers are doing as it can provide great insight.
- Define your risk organization’s level\appetite.
- Understand industry risks, compliance requirements and trends.
- Document Risk and Risk Management Program.
- Pick a framework that aligns with your goals. In REG’s case we are heading towards National Institute of Standards and Technology Special Publication 800-53 (NIST SP800-53). This was popular in the room as many of the attendees seems to either already adhere to this framework or in the process of doing so.
- Have a strategy, Build a Program and define roles.
- Leverage existing staff. Sometimes you can offload some of the tasks to several areas of your IT Organization. I don’t necessarily agree with this because of several reasons including separation of duties, and accountability among others. However, every organization is different and not many can have the luxury of an internal security organization.
- Perform regular assessments (annually at the very least). This depends on your requirements.
- Hire the right staff – Choose Threat Intelligence over Technical Skills. People that can make sense of the information at hand and can speak to it in business terms. Look for passionate, engaged individuals; security is not always very exciting so passion is key.
- Use best in class tools but choose carefully as it is easy to over buy. Some of the technologies that are becoming essential to have now:
- Phishing Protection
- Advance Malware Protection (beyond Antivirus)
- Sandboxing \ URL Wrapping
- Activity Monitoring (Events Monitoring) – Do not over monitor though. Your monitoring strategy should align with the risk and security programs and if you monitor what you don’t need you bring yourself a problem because you must comply with it.
- Use of 3rd party partners.
- Some do little on this area but they do use them for Vulnerability Assessments, health check, compliance audits, risk assessments and education and configuration services.
- At Regency we rely heavily on a few different partners who can monitor and remediate issues 24x7x365 and are a great addition to our staff. I wrote about this in 2011 in an article titled DevelopingStrong Network Security with a Services-Integrator Approach.
- Have an incident response plan. Things will happen and the plan should include:
- Well defined roles.
- Communication of the plan.
- Testing the plan.
- Go for the low hanging fruit:
- Access and privilege management
- Strong password
- Hardened hosts
- Holy Grail - User Awareness
- Group ideas and approach:
- Data Classification. Know what you need to protect and where it is, then build walls around it.
- A large number of companies in the room referred to Security Awareness as an invaluable tool.
- Periodic vulnerability and risk assessment.
- Any effort must have leadership support and it should be driven by the company’s top executives.
The Human Firewall – Carlos Rodriguez
The idea around my presentation is that we should strive to help our people become our first line of defense because the bad guys aren’t coming after our servers and routers and firewalls anymore. They are coming after The Center of any organization, our people. We can achieve this by making the educational efforts personal so that we can influence behavior whether our people are inside or outside the company. You can find a copy of my presentation here.
I used the following two examples through the presentation:
- On the Phising attacks:
- A retailer wanted to gain insight about sales in a particular area where a REIT owns a shopping center with similar tenants.
- They want to know their sales, demographic, etc. Any info they do not possess about that market.
- Someone at the retailer, say in the IT Department, creates a fake Facebook account that impersonates someone that works at the REIT and request to become the VP of Finance’s friend.
- She finds out that this VP loves and coach soccer.
- Creates an email about a new soccer tournament in town that he should look at for his team. The VP / Coach loves the tourney, clicks the link and she drops malware. Phases I, II & III of the Kill Chain achieved (Recon, Weaponization, Delivery).
- I am attending an IT Leadership Academy course and the first session session in Chicago was hosted at very large and well-recognized organization’s Global Technology Center. One of the things that caught my attention while I was there was this very well known character that represents \ identifies this company who was all over the place running their Information Security Awareness Training with messages from “wear your badge” to “shredder your paper” and everything in between. I can visualize him doing videos, etc in this campaign. This approach sticks because it makes it personal (many people are likely aware of this guy and my cereal is very personal) and it also shows how to leverage the company culture and resources to deliver the message.
- Everyone agreed that this is where’s at; that building a culture where people behaves the same way inside the company’s building / network and outside of it is critical to build that culture. There were a lot of great ideas coming from the group and here are some.
- One of the companies has a successful campaign based on humor. They love their CISO’s emails and the messages sticks.
- Another company has SAM (the Security Awareness Man) and they are also trying to build a rewards program similar to those healthy life challenges \ programs that many companies run. This is a healthcare organization and again, this method works for them because is their culture and who they are. I thought that was a great idea.
- Some companies have programs where they reward people with recognition, again, make it personal. They announce when people shows great behavior around security and the reward may also include either an incentive (gift card, money, PTO, etc) or something as simple as lunch / dinner with a top executive (or both). I thought that was a good idea too.
- A few companies did launch an internal phishing campaign that had a high “clicking” ratio. One company also dropped a few USB sticks with malware and about half got plugged into the network (they labeled something like payroll or compensation). They did let at least executives know they were doing it; in some cases they told the whole company and still got undesirable results.
- Before launching a program build a team \ focus group that includes internal people from different areas, IT, HR and 3rd party experts in this area that can help you with both the creation and delivery of the program.
How are you building your company's Information Security Program?