8 Steps to Better Security. Kim Crawley

or something more substantial. A simple cash reward of $100 is a huge motivator for people and will cause them to remember the security lesson that provided the money.

      I discuss how to build a security team in step 2. But yeah, dangle a monetary carrot in front of your workers! It won't hurt to give that a try. And as Romeo implies, $100 is much cheaper than a data breach!

      It may help to quiz your employees about security in the style of a game show. Maybe you can search Randall Munroe's archive of xkcd web comics and find the perfect comic strip to complement a security concept you're teaching.

      Be creative with how you present security knowledge and encourage good habits in a fun way. If you feel that your imagination is lacking, there's probably a creative thinker in your company who can help you with this.

      Train your workers regularly, and give them frequent reminders of how they can work and interact with your computer systems in a more secure way. Now you're well on your way to fostering a strong security culture. But before we move on to step 2, there's one more thing I'd like you to keep in mind.

      Security leaders believe strongly in the importance of security culture. I asked some of these leaders for their thoughts on how an organization can improve its security culture. Their ideas were varied, but they all included improving relationships. For example, Andrew Gish-Johnson at Carnegie Mellon University stressed visibility and a willingness to help. He said, “Figuring out how to do things right is tough. Finding people to help is tough. If the organization doesn't know who to talk to or finds you're not helpful, they're avoiding you as much as possible.” But if, as the CISO, you can make sure the rest of the company knows who you are and what your role is, you can help improve your security culture.

      Not all organizations have chief information security officers. For the most part, they're like chief technical officers, but they're focused on cybersecurity. The nature of this executive role bridges the gap between nontechnical business leaders (“the suits”) and the IT department (“the nerds”).

      Sometimes a company will outsource functions of the CISO role to a managed service provider or some other sort of third party. Either way, if your organization has a CISO, they're the top of the cybersecurity hierarchy. A CISO's job is to lead an organization's security team and to work with other executives to make sure the organization meets its cybersecurity goals. If a company gets hit by a major cyberattack that costs them millions of dollars, their CISO will be very stressed out.

      I asked some security leaders what makes an effective CISO. In a nutshell, CISOs need to be able to work well with people. It helps to understand cybersecurity and information technology in general. But people skills are paramount in the CISO role. You need to be able to explain to other executives, such as the chief financial officer, why money should be allocated for a security budget. You need to be able to explain why spending $500,000 on cybersecurity can save the company $5 million. Further, you must also be able to lead your security team, including the people in your IT department.

      I asked business cybersecurity leaders about the biggest mistakes organizations make when it comes to cybersecurity. Their answers included trying to solve a problem by buying off-the-shelf software, keeping investment in cybersecurity to a minimum, and believing that having employees who are compliant means that the company is secure. Mitch Parker, the CISO of Indiana University Health, put together his “top 11” mistakes:

       Assuming that IT costs are sunk costs and that IT is capable of handling all issues with minimal effort or intervention.

       Not doing or ignoring a risk assessment.

       Not addressing or developing a risk management plan.

       Not developing good internal processes to assess and address risks.

       Under-resourcing information security initiatives either through lack of funding, team members, or both.

       Assuming that cyber insurance is an appropriate risk transference mechanism. As of 2021, when this was written, the major cyber insurance carriers are becoming more stringent with who they insure. They are denying higher-risk customers policies due to ransomware payouts causing significant financial losses.

       Leadership allowing their teams to bypass security controls and identified risks to facilitate the business, even if there is a high probability of a breach.

       Assuming that security events will never happen to them for any number of imagined reasons.

       Cutting security and IT costs out of projects to increase profitability on return-on-investment calculations.

       Leadership not supporting security and information risk management as a required business function.

       Overreliance on tools or services to address security needs based on inflated expectations and little analysis.

      You will probably work with cybersecurity professionals at some point or another. I want to help you to foster a strong security culture by teaching you what I've learned about how we think. Understanding this will be a big help in security hardening your organization.

      When people start learning cybersecurity, they often believe that computer software, hardware, and networks can be made 100 percent secure. That's the first phase. “I must learn about everything that makes computers vulnerable, so those things can be completely remedied, and then there'll be no more security problems!” But as the first months and years of their studies progress, they learn that absolutely nothing can be made 100 percent secure.

      The first problem is the complexity of computer systems. I love video games, so I'll use them as an