8 Steps to Better Security. Kim Crawley

Read the book 8 Steps to Better Security by Kim Crawley online, page 9

to the goth subculture I belong to. Humanity is comprised of perhaps millions of different cultures, depending on your definition of the word. And chances are you belong to multiple cultures. As for myself, some of the cultures I belong to in addition to goth culture are hacker culture, cybersecurity culture, autistic culture, Anglo-Canadian culture, and JRPG, anime, and manga fan cultures.

      If you work in business, you probably know what corporate culture is. It's how the people in your company behave, how the people in your company feel about it, and the attitudes and styles your company reinforces, whether that's done deliberately or accidentally. Corporate culture can affect employee morale, which can have a measurable effect on your bottom line.

      A strong security culture encourages the people in your company to behave in ways that facilitate your resilience to cyberattacks and help protect your precious data.

      I spoke to J. Wolfgang Goerlich, Duo Security advisory CISO of Cisco Systems. CISO stands for chief information security officer. CISOs bridge the gap between the suits and the nerds. Goerlich has years of experience in securing corporate business computer networks. Here's what he told me about security culture:

      Security culture comes from a partnership between security champions and security advocates. A security advocate is a member of the security team who focuses on getting practices into the hands of the workforce. It's more common for us to talk about security champions. A security champion is a member of the business itself, who collaborates with the security team on best practices. A culture of security has advocates working with champions to interpret and implement security controls. In a well-run security practice, controls will be usable and widely adopted, because of the partnership of advocates and champions.

      All security controls are useless if they are ignored. Good security is usable security. Good security is adopted security. The starting point, then, is empathy and kindness for the people we are charged with defending.

      I would stress the word everyone. I'm in a better position compared to my peers (CISOs of other companies, including those outside of the cybersecurity industry) as we are a security company. This means multiple things. It's easier to explain to my business managers, as they natively understand that “we are a security company” means our brand is based on the security of the company. And even people in departments that don't need to understand security management understand that branding is important.

      Security culture means that part of awareness training is decentralized. If someone is targeted by phishing, then they can speak to a colleague in the same room (now virtual) and ask them to take a look into it instead of going through an IT ticketing system.

      People aware of security can smell if they are being deceived by FUD, so the communication from the security team needs to be straightforward. (Both Merriam-Webster and Urban Dictionary define FUD as fear, uncertainty, and doubt.) Also, security-aware people can point out bad (security) control selection or implementation very quickly by replacing auditors or specialists.

      Of course, the security culture is not a replacement for security controls, but it helps in all kinds of controls, even unpleasant ones.

      As with all the work you must do to keep your company secure, establishing and maintaining a strong security culture isn't a project you set then forget, as some infomercial spokespeople love to say about their As Seen on TV products. It's a constant, everyday process. It's something you build and maintain over the years. And if you neglect it, it will die. I love cybersecurity expert Bruce Schneier's ideas, so I'll quote him again as I often do in my writing:

      Security is a process, not a product.

      As I've mentioned, a strong security culture doesn't stop at your IT department. Every single person in your organization, from the bottom of the corporate hierarchy to the top, must be part of it.

      Every single thing your company's employees do with your computers, networks, and buildings can affect your security posture in a positive or negative way.

      A strong security culture begins when everyone understands how they can affect your security and they are willing to be accountable for that. Next, you need to promote security awareness. As with everything security-related, security training isn't something you should do only once. People in your organization need frequent security training and reminders about proper security habits.

      One of the most important things you can do is to train your workers to resist social engineering attempts. Explain what phishing is and the various ways it can manifest through phone calls, text messages, emails, web pages, and social media posts. Teach them that cyberattackers could pretend to be a person or company they trust, and to engage in healthy skepticism. And you must support that skepticism by reminding them that they won't be reprimanded for questioning if your chief executive officer (CEO) or tech support workers are who they say they are when they phone, email, or text message them.

      Your email servers could have robust antivirus software that scans all email attachments that go through the system. Nonetheless, no antivirus software is perfect. Malicious email attachments are one of the most common ways that cyberattackers acquire unauthorized access to computer systems. So, part of your company's regular security training should be a reminder that employees should only open email attachments they expect to receive, from senders they're familiar with.

      Helen Patton teaches information security at Ohio State University. She shared some security awareness training tips with me:

      Awareness training should be broader than just the company's data, with the theory that they will be more likely to apply security skills to stuff they care about first (family, friends) and then bring those habits to work too.

      Awareness training should be about building advocates, not just partners. Reward them for good security behaviors—visibly, loudly. Don't punish for bad behaviors—naming and shaming just breeds anti-security workarounds.

      So, those are the ideas you must encourage your people to remember. But how can you motivate them to be engaged? Well, as much as my love of cybersecurity knowledge drives my career, money is one of my main motivations. I have no interest in becoming super wealthy, but I need money to pay my bills and buy food, video games, and Demonia boots. I'm not unusual, except perhaps in my taste for footwear. People do well in their jobs because they want and need money, a necessity in our market economy. Security Journey CEO Chris Romeo also sees money as a useful motivator to get your employees to do good things for cybersecurity:

      When someone goes through the mandatory security awareness program and completes