Phil Zongo and Darren Argyle

On 13 May, the Financial Times reported the discovery of a major security flaw in the popular messaging app, WhatsApp. The pervasive vulnerability, which affected both Apple and Android devices, allowed malicious actors to inject commercial spyware by ringing up unsuspecting targets using WhatsApp’s VOIP-based call function.

The world is now accustomed to daily data breach news. What makes this threat particularly disturbing, however, is its novelty and deftness. This flaw allowed hackers to break into phones by simply calling a target. The victims didn’t even need to pick up, and the missed calls simply vanished from the logs. Device hacks that don’t require victim participation, such as tapping a weaponized hyperlink, are difficult to fend off and dramatically alter the game.

According to the report, the commercial spyware in question was developed by Israeli cybersecurity firm NSO Group. While NSO has denied the allegations, the incident has nonetheless brought to light the complex, secretive and dangerous world of the cyber arms market, in which companies like NSO operate. Within this industry, governments and other sophisticated groups buy advanced surveillance tools, zero-day vulnerabilities, exploit kits and several other malicious programs from defense contractors or niche malware developers.

These advanced digital munitions are used to debilitate adversary nations’ critical infrastructure, influence elections, jam airwaves to silence opposition, and spy on journalists, dissenters, suspected terrorists and a wide array of other targets. According to research, the global cyber weapons market stood at US$406.77 billion in 2016 and is poised to reach a staggering US$524.27 billion by 2022.

When we dig deeper into factors that have spurred the exponential rise in the cyber weapons market, three insightful answers emerge. At the root of this predicament is the rapid shift in defense policies. As geo-political tensions rise, more and more nations are rushing to acquire offensive cyber capabilities. This props up the commercial cyber weapons industry, as governments find it easier and more economical to buy or rent digital arms than to develop their own. As a 2013 article highlighted, “A government or other entity could launch sophisticated attacks against just about any adversary anywhere in the world for a grand total of $6 million. Ease of use is a premium. It’s cyber warfare in a box.”

Back in 2017, US defense chiefs, via a joint statement to the US Senate Armed Services Committee, bemoaned the growing threat from adversary nations exploiting cyber space to steal military secrets, sensitive research and other high-value information. “Many countries view cyber capabilities as a useful foreign policy tool that also is integral to their domestic policy, and will continue to develop these capabilities,” they emphasized.

Secondly, and perhaps the most vexing, is the absence of collective will to curtail the development and acquisition of cyber weapons. As one of the co-authors of this blog post wrote in his book, The Five Anchors of Cyber Resilience, international cooperation between law enforcement agents is non-existent or weak at best. As both geo-political and geo-economic tensions crank up, according to the World Economic Forum Global Risks, the prospects of achieving a binding global cybercriminal justice system invariably pale.

Granted, there have been sporadic efforts to address this void. In 2018, Antonio Guterres, the United Nations chief, issued a withering assessment, saying, “Episodes of cyber warfare between states already exist. What is worse is that there is no regulatory scheme for that type of warfare; it is not clear how the Geneva Convention or international humanitarian law applies to it.”

History is also a guide. At the 2015 G20 summit in Belek, Antalya Province, Turkey, G20 leaders agreed on language pledging not to conduct cyber-enabled economic espionage. But because the G20 communiqué was non-binding, it represented only form, not substance. It did very little to de-escalate rising cyber tensions or alter deep-seated nationalistic motivations. Messy situations demand strong leadership, but as powerful nations have significant stakes in the game, we are likely to see more of the same.

Third, while commercial cyber arms creators may not harbor intentions to sell their wares to repressive regimes or criminal mobs, it’s inevitable that these tools will eventually fall into the wrong hands. The NSO Group, for instance, claimed that its program is licensed to authorized government agencies “for the sole purpose of fighting crime and terror.” But once a vendor sells powerful cyber weapons, it has little to no control over how and when that software is used. The 2016 incident in which a ghostly group of hackers infiltrated the Equation Group, a complex hacking enterprise believed to be operated by the NSA, provides a chilling example. The cyber weapons were later repurposed to debilitate several institutions, such as NHS hospitals in the UK, resulting in billions in damages. Further compounding an already grave situation, insurers are now refusing to pay cyber claims when attacks are deemed “acts of war.”

What’s at stake here is innovation, peace and human development. Hacker incursions into critical infrastructure such as WhatsApp, which connects more than a billion people across more than 180 countries, can negatively alter consumer trust – derailing innovation and human development. As Tim Cook, the CEO of Apple, accentuated in a recent Time article, “Technology has the potential to keep changing the world for the better, but it will never achieve that potential without the full faith and confidence of the people who use it.”

About the authors

Phil Zongo is a director and co-founder of Cyberresilience.com.au, an enterprise that develops the next generation of cyber leaders. He is the Amazon best-selling author of “The Five Anchors of Cyber Resilience,” a practical cyber strategy book for senior business leaders. Zongo has won multiple industry awards, including the respected 2017 ISACA International’s Michael Cangemi Best Book/Article Award, for major contributions in the field of IS audit, control and security.

Darren Argyle is a non-executive director and co-founder of Cyberresilience.com.au, an enterprise that develops the next generation of cyber leaders. He is a former Group Chief Information Security Officer (CISO) at Qantas Airlines. Argyle was named in the top 100 Chief Information Security Officers globally in 2017 and in the top 100 Global IT Security Influencers in 2018 by the SC Magazine. He was recently appointed Ambassador for the Global Cyber Alliance in recognition of his collaborative work advising small businesses on critical measures they can apply to defend against cyberattacks. He has nearly 20 years of experience in international cyber risk and security, with broad expertise in providing hands-on leadership, strategic C-level and board direction, and cybersecurity program execution.

Three strikes and you're out is one of the more well-known sayings in baseball, but it only takes one devastating cyberattack to inflict huge damage on Major League Baseball or any of its 30 teams.

At Wednesday's session, "It's Only Baseball: Technology and our National Pastime - A Security Perspective," at ISACA’s 2019 North America CACS conference in Anaheim, California, USA, Neil Boland, the CISO of Major League Baseball, and Albert Castro, director of information technology with the Los Angeles Angels, provided perspective on the scope of the security challenge for an organization with such high visibility as MLB.

“Baseball has a lot going on,” Boland said. “We have a lot of fans, a lot of games, a lot of activities throughout the course of the year, and a lot of exposures around the globe in many, many countries. The sport continues to grow, and the consumption of the sport continues to grow.”

The session traced the rise of prominence of security in baseball from when security was an afterthought to today’s state, in which the bottom line is: “This is critical. Don’t mess it up.”

MLB works with numerous partners, which is often where the most challenging security considerations come into play. Boland said MLB is taking steps to strengthen partner onboarding and provide further guidance on mitigating risks.

"There's just a vast amount of partners we work with to pull this off - 162 games a year, not even counting spring training and the postseason for a club, and [multiply] that by 30 teams," Boland said. "There's a lot of data, a lot of tools and a lot of systems, and some of them are really important, like industrial control systems to keep people safe."

Recognizing the scope of the challenge, in 2017, Boland helped to implement a program to better protect the league and its clubs from cyberattacks, standardizing the security stack and integrations. A vastly increased use of mobile platforms, IoT and cloud services means the traditional perimeter is gone, putting the onus on MLB to provide simple and reliable tools that prevent attacks.

"We wanted to raise the bar a lot higher," Boland said. "We wanted to be faster than the next guy running from the bear."

Boland encouraged session attendees to move quickly to upgrade their organizations’ security posture rather than delay in search of the ideal solution.

"Any layer that you can add that just makes life harder for your adversary is a good thing, even if it's not perfect," Boland said.

Unlike the sport’s signature rivals such as the Red Sox and Yankees or Cubs and Cardinals, Boland emphasized that everyone needs to be on the same team when it comes to cybersecurity, and said it is important to share information on cyber threats.

"I ring the bell, and I think that's really important to do, because we're all in this together," Boland said.

Beyond the security realm, Castro highlighted the way that teams leverage technology in areas such as ticketing, sponsorship activation, fan engagement and scouting and developing players.

“The access to information has just grown exponentially and with that has come the ability to do all kinds of really sophisticated analysis that just makes technology critical to running a baseball team,” Castro said.

K. Harisaiprasad

Employees and guests can use IoT-based access control for convenient entry. Through their mobile devices, they can connect securely to a facility’s access control system using a digital ID.

IoT is an integrated network of devices connected through the internet, capable of communicating with each other without human intervention. Every device in the network is assigned a unique IP address for communication. The devices are fitted with specific sensors that trigger an action when an event occurs.

In IoT access control systems, each lock, access controller, card reader and other associated device is given a unique IP address, which the devices use to communicate among themselves. These devices connect over wireless networks to their mobile or software application. An alert is generated if any malicious activity is detected in the system; the alert may appear in the mobile application or in the software application. Authorized mobile devices gain access to the electronic access control system through their unique IP addresses.

Here is a closer look at the features and challenges of IoT-based access control:

Features

  • Indoor wayfinding. Users can benefit from indoor wayfinding and their accessibility options can be seen on their mobile devices.
  • Secure access control. Access credentials are easy to manage and update. Doors can be opened from a distance.
  • Instant confirmation. Users can get instant confirmation of access requests.
  • Convenient interaction. Users can interact easily with one another and receive location details.
  • No physical ID. A physical ID is not required; therefore, the risk of it being stolen or lost is eliminated.

Challenges

Theresa Payton

Editor’s note: Theresa Payton, former White House CIO and a prominent cybersecurity expert, will deliver the opening keynote address at the Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City. Payton recently visited with ISACA Now to reflect upon her time in the White House and provide analysis on how the technology and cybersecurity landscapes have evolved in her time since leaving the role. The following is a transcript of the interview, edited for length and clarity.

ISACA Now: Are there aspects of working as White House CIO that you miss? What might those be?
Working at the White House was truly like no other experience I’ve had – it was thrilling and ever-changing. The nature of the work is one thing, but when you add to it the fast pace with the rapid advances in technology during my tenure, it made supporting the mission of the White House exciting and challenging, to say the least! I enjoyed that pace and that mission, and do still miss it. I also miss the talented staff that I worked with, many of whom still serve today.

ISACA Now: How different would that White House CIO role be if you started today as opposed to in 2006, from a technology standpoint?
I was CIO at the White House from 2006-08, right at the beginning of the social media revolution, Internet of Things devices, and the first iPhone released in 2007. It was a fabulous time for integrating digital transformations while still maintaining high levels of operational stability, resilience, and security. We were laying the groundwork for today's cybersecurity.

Moreover, while cyber criminals have been active since technology has existed, it’s the pervasiveness and creativeness of cyber criminals that differs today. Anyone with a laptop and $20 can buy a ransomware kit on the dark web, so the access to malicious tools and the ability to learn how to use them has never been this easy to do. The attacks for 2019 and beyond will be both nation-state sponsored as well as attacks sponsored by criminal groups and hacktivist groups. The past attacks of 2016-2018 provide a barrage of alarming wake-up calls. The slowdown and widespread unavailability of the internet in the US and parts of the EU on 21 October, 2016 due to the DDoS attack against cloud services host provider, Dyn, reminded us of the fragility of the internet infrastructure we rely upon.

The disturbing trend of an increasing number of nation-states with more advanced cybersecurity capabilities continues to threaten destabilization across the globe from a national security and economic security perspective. However, there is also an increased ability for a relatively unsophisticated threat actor to be successful within the cyber domain. The reason for this is twofold. First, the increasing availability of automated hacking tools in the public domain provides the ability for individuals or groups of individuals with a basic set of skills, or just financial means to buy their way in, to achieve success. Second, the increasing availability of elastic computing infrastructure provides attackers with the ability to design and deploy relatively sophisticated attack infrastructures with ease.

ISACA Now: What are the most important components of successful incident response?
The most important thing when considering incident response to a cyber incident is the upfront planning before something bad happens. Without proper preparation, your company could be utterly non-functioning for days or weeks. Ensuring that you have the correct backups in place to restore your systems and making sure that all employees know the proper protocols and chains of command makes an already stressful situation much better. Storing logs for the correct amount of time and capturing the right elements of information is crucial to determining who has attacked you, how they got in, if they are still there, and how catastrophic the incident will be to your company's operations and reputation. Digital forensics also is essential because you can review the logs and facts as to what happened to prevent another attack.

The reality is that business execs can’t outspend the issue – it’s an IF not a WHEN – and they must be prepared. Cybersecurity no longer is something that can exist in a vacuum. It must be elevated to the board level and given a seat at the table. Companies can face extreme backlash and brand reputation issues if they mishandle a cyber breach. Conversely, companies that handle a breach well can not only rebound, but grow.

ISACA Now: Privacy is another of your major areas of interest. Do you sense that GDPR and other similar regulations that are being enacted will have the intended impact of more responsible data privacy and data governance?
A big fear I have is that regulation is often onerous and expensive to implement, the money spent on regulation prevents start-ups from entering the space, and it’s money diverted away from R&D. To date, the US Congress has kept legislation “technology-neutral.” If legislation were to pass and be signed by the President, technology companies would owe consumers certain legal duties for the first time. That’s an incredible first step. What I'd like to continue to see is a culture change in big tech that consistently prioritizes consumers. That will require a close partnership between big tech, public officials and users of technology.

ISACA Now: What do you consider to be the most pressing challenges for cybersecurity professionals as we move forward?
Cybersecurity approaches and plans are evolving, and so are the tactics of cybercriminals. Cybersecurity professionals need to know as much as they possibly can about cybersecurity, and I highly recommend that they stay a constant student of their profession. We are seeing more and more cyber professionals have responsibility for the business side of security, not just the technical side of the matter. I’d encourage all cyber professionals to know the strategic business priorities of their organization and how security relates to those priorities. Several years ago, cybersecurity was seen as only a technical issue – and while that’s still true – cybersecurity is more than anything a brand issue. Cyber professionals must acknowledge the significant implications an adverse event can have on a company’s reputation and do everything in their power to balance implementing technologies and to create interoperability while also fending off cybercriminals.

We must design security for the human. They can’t enact these processes and procedures that are so complex that regular, non-tech employees find ways around them. You have to figure out where your company stands on the secure-ease of use continuum, and go from there. For example, many of us have installed child-proof or safety items in our houses for toddlers or pets, yet we still tell them, “Don’t touch this.” But, just in case they do, we have designed safety features into your house with them in mind. We must build the same security safety nets into our work and daily lives. Design them for your employees and for yourself. Just know they will use free WiFi, they will recycle passwords, they will respond to emails that are tricking them into giving up information – they will break all the security rules because they are not security employees.

Rasool Kareem Irfan

Cyber risk is business risk. Businesses are digitizing, and governments are putting in place policies to promote digitalization and smart-city projects. While this helps citizens and organizations adopt technological advances, the continuous increase in cyberattacks, in both frequency and sophistication, poses significant challenges for organizations that must defend their data and systems from threat actors.

Most organizations have outsourced their IT security management tasks to managed security service providers (MSSPs), and very few still retain an internal security operations center (SOC). These organizations generally started their journey with security device monitoring and management services (such as managed firewall services) and slowly added security event monitoring using SIEM solution components. The growing threat landscape and the difficulty of hiring cybersecurity professionals with the needed expertise make it harder for organizations to understand the tools, techniques and tactics used by adversaries.

Need for cyberthreat information sharing
The need for cyber threat intelligence has become better understood by governments and organizations lately. NIST encourages greater sharing of cyber threat information among organizations.

In today’s large security product and service industry, offerings such as firewalls, endpoint protection and managed security services (MSSPs) are enhanced by threat intelligence capabilities. The threat intelligence cycle has key steps, as depicted in the figure below.

According to Gartner, “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”

Cyber threat intelligence feeds for security operations
Often, organizations need to detect threats quickly and do not want to waste time investigating false alarms, so that they can remediate vulnerabilities and mitigate the attack vector sooner. The typical questions a security operations center asks are:

  • Has our sensitive information been leaked?
  • What threat actors could be targeting my organization’s capabilities in the coming months?
  • Who are my top adversaries? Are they credible?
  • Can I be advised of their activity within a short period of time of it occurring? Which underground sites do they frequent? Who is known to be associated with these adversaries?
  • Is a connection to this Internet Protocol (IP) address bad? Who owns the IP? To which internet service provider (ISP) is this IP address connected? What other IP addresses are registered by this company?
  • Is this URL dangerous? Who registered the domain? Have they registered others? If yes, which ones? Which types of threats were served from this website? Is other malicious activity linked to this URL?
  • Which vulnerabilities in my environment are actively being exploited “in the wild”? Who are the threat actors selling or using these vulnerabilities? Which malware and other threats are leveraging these vulnerabilities? What types of organizations are being attacked via these threats?
  • Is this “Zero Day” attack rumor true?
  • What do the bad guys know about my organization and its staff? Are they selling access to my systems or my intellectual property?

If cyber threat intelligence feeds can provide answers to the above questions, it allows security teams to more efficiently address threats.

Use cases of security telemetry enrichment with cyber threat intelligence in today’s security operations centers
Taking a use-case-centric view is still the ideal and pragmatic way to start a journey for the SOC with cyber threat intelligence and improve the overall security program. A few use cases/examples include:

  • SIEM tool integration for maintaining threat watch lists against the logs already flowing into existing SIEMs. Threat intelligence data is overlaid on existing logs to detect threats by matching indicators of compromise (IOCs), such as IP addresses, file hashes and domain names (examples: IBM XForce Threat Intelligence, EclecticIQ’s Fusion Center, Anomali).
  • Threat intelligence has been a boon for IDP (intrusion detection and protection) in recent years, and many clients report improved detection and blocking capabilities for a range of threats simply by enabling the intelligence subscription for their IDP systems (examples: Trend Micro’s Reputation Digital Vaccine for its TippingPoint IDP, Palo Alto Network’s MindMeld).
  • Phishing is a pernicious and prevalent threat that remains an effective way to gain access to organizations’ resources. Threat intelligence can help identify elements of phishing campaigns to speed up detection/response actions and help with proactive measures, such as prevention/prediction (examples: Proofpoint, ThreatConnect).
  • Vulnerability management prioritization has moved away from thinking about vulnerability severity. Instead, the No. 1 priority is on “which of your vulnerabilities are being exploited in the wild.” Threat intelligence gives organizations the ability to determine which vulnerabilities present the biggest risks (examples: Kenna Security, Recorded Future).
  • Surface, deep and dark web monitoring. Customers can use threat intelligence services to get prior warning of threats and better understand how the threats work and where they’re being seen. This also helps them perform brand monitoring (examples: ZeroFOX, Kela Targeted Threat Intelligence, SpyCloud).
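The SIEM watch-list use case above, as an added example that is not part of the original article or any vendor product: a constructed watch list of IOCs (an IP address, a domain, a SHA-256 hash) is matched against constructed key=value log lines, and each hit is returned with the intelligence context a SOC analyst would want in the alert. It goes slightly beyond the text by matching subdomains of a listed domain on a label boundary, which is how most watch-list rules treat domain indicators.

```python
"""Enrich log lines with a threat-intelligence watch list (added example).

The watch list, its context strings and the log lines are all constructed
placeholders (TEST-NET ranges, .example domains); they are not real indicators.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed watch list keyed by IOC type; values carry analyst context.
WATCH_LIST = {
    "ip": {"203.0.113.45": "constructed: suspected C2 address"},
    "domain": {"bad-updates.example": "constructed: phishing landing domain"},
    "sha256": {"a" * 64: "constructed: dropper hash"},
}

# Constructed log lines from a proxy, a firewall and an EDR agent.
SAMPLE_LOGS = [
    "2019-06-01T10:00:01Z proxy user=alice dst=bad-updates.example "
    "url=http://bad-updates.example/setup.exe action=allow",
    "2019-06-01T10:00:02Z fw src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow",
    "2019-06-01T10:00:03Z edr host=ws-07 file=setup.exe sha256=" + "a" * 64,
    "2019-06-01T10:00:04Z fw src=10.0.0.13 dst=198.51.100.7 dport=443 action=allow",
    "2019-06-01T10:00:05Z proxy user=bob dst=intranet.corp.example "
    "url=http://intranet.corp.example/ action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Match:
    line: str        # the raw log line that triggered the hit
    ioc_type: str    # "ip", "domain" or "sha256"
    indicator: str   # the watch-list entry that matched
    context: str     # analyst context attached to the indicator


def parse_kv(line):
    """Turn 'k=v k2=v2 ...' into a dict (first occurrence wins on duplicates)."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def domain_of(value):
    """Reduce a bare host or a URL to a lower-case host name."""
    host = value.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def domain_hits(host, watch_domains):
    """Return the listed domain that host equals or is a subdomain of.

    Matching is on label boundaries, so cdn.bad-updates.example hits
    bad-updates.example but notbad-updates.example does not.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watch_domains:
            return candidate
    return None


def enrich(lines, watch_list):
    """Match every field of every line against the watch list; one hit per indicator per line."""
    matches = []
    for line in lines:
        seen = set()
        for key, value in parse_kv(line).items():
            hit = None
            if key == "sha256" and value.lower() in watch_list["sha256"]:
                hit = ("sha256", value.lower())
            elif is_ip(value) and value in watch_list["ip"]:
                hit = ("ip", value)
            elif key in ("dst", "url") and not is_ip(value):
                listed = domain_hits(domain_of(value), watch_list["domain"])
                if listed:
                    hit = ("domain", listed)
            if hit and hit not in seen:
                seen.add(hit)
                matches.append(Match(line, hit[0], hit[1], watch_list[hit[0]][hit[1]]))
    return matches


if __name__ == "__main__":
    for m in enrich(SAMPLE_LOGS, WATCH_LIST):
        print(f"[{m.ioc_type}] {m.indicator} ({m.context})\n    {m.line}")
```

In production the watch list would be refreshed from the feed on a schedule and the hits written back to the SIEM as enriched alerts rather than printed.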

There are many cyber threat intelligence service providers in the market, and the number appears to be growing. Not all services that are marketed as threat intelligence actually provide that type of content, so it is important to understand what problem customers are trying to solve. While both commercial premium services and open-source feeds exist in the market today, security operations teams need to validate the solutions that help them acquire, aggregate and act upon the threat intelligence they need.

About the author: Rasool Kareem Irfan is a trusted cybersecurity advisor with wide experience across various industry verticals, including the healthcare, life science, banking, financial, insurance and telecom sectors. He holds global security certifications (such as CISM, CEH and ISO27001 Lead Auditor) and multi-vendor technology certifications (such as Palo Alto, Symantec, Cisco, Check Point and Proofpoint). He is a prominent blogger (www.rasoolirfan.com) in areas including cybersecurity, blockchain, IoT, artificial intelligence, robotic process automation, the Open Compute Project and cloud, and works closely with reputed national and international forums and institutions.

Cybersecurity may soon become an issue of higher concern than physical safety. We already share too much personal information online without paying attention. When it comes to businesses, the risks of data leakage and inefficient software are even more serious. Forbes has recently published 60 predictions regarding cybersecurity in 2019, and one of the first facts mentioned is quite obvious: data should be protected by technology, not just legal regulations. It is the right time to implement web security software for your business.

Top five must-have security tools

Computer Antivirus
Sensitive data on your PC often becomes an object of interest for competitors and hackers. The first thing you need to do is to install a good computer antivirus program to prevent data theft and deal with malware.

Computer antivirus programs can delete, isolate or clean a file, depending on the situation. In all cases, these programs aim to prevent the infection from spreading. However, they cannot provide 100 percent protection. A lot depends on whether regular updates are applied, on the new viruses that constantly appear and evolve, on whether users behave sensibly online, etc. PCMag has come up with a rating of the best antivirus software, which can help identify an optimal solution for your business site.

SaaS Security
SaaS is a model of using business applications in the form of web services. These software solutions run on a provider’s server, and users access them via a web browser, renting them for a monthly fee.

A provider takes care of the proper software functioning, ensures technical support, installs the updates, improves protections, etc. Thus, users don’t have to think about technical support and can focus on their business goals. Other SaaS advantages include:

  • low operating cost
  • short implementation time
  • low barrier to entry (you can test it for free)
  • full support from the provider
  • full mobility, limited only by internet access
  • uniting geographically distant workers
  • low requirements on computer specifications
  • cross-platform solution

Some would argue that SaaS has serious disadvantages, like insecure commercial data transfer via third-party platforms, low speed, and difficulties with access in case of connection interruptions. However, the reputation of SaaS providers improves together with the development of encryption technologies and broadband web connection, helping business owners to address these challenges.

Content Management Systems
WordPress is currently the most popular CMS in the world, used by more than half of all website owners. Those who are familiar with its functionality may wonder how an ordinary CMS can help to make a website more secure. The advantages may not be as obvious as in the case of antivirus.

However, if you use WordPress, you don’t have to share files via emails that are easier to hack. Thus, it helps to prevent data leakage before a serious launch. You can create many accounts with different rights and permissions. One or multiple people can be in charge, while the access to some sections by other content managers will be restricted. Moreover, there are numerous extensions and plugins designed specifically for security upgrades. You just need to conduct research and start using tools that will make your business website a safer place for users.

CMS may not be the key software that serves security purposes, but the right choice of software will help to avoid some security issues in the future (particularly by easy integration of additional solutions).

Monitoring Tools
The more profitable your website is, the higher the cost of mistakes. Critical event monitoring helps you control your income and stay aware of the most important changes. Good monitoring tools help secure business sites by enabling you to do the following:

  1. Be the first to find out about the current indexation status of important pages. Set up email notifications to learn instantly about changes in server response code, indexation status in robots.txt files, meta tags, etc.
  2. Generate content ideas by learning what your competitors do. Just follow new URLs and changes on old pages of the chosen website. Use this information to evaluate SEO strategies and extend to your content plan.
  3. Estimate the activity of people involved in website development. Control your employees and contractors with the help of a detailed report.
  4. Don’t let anyone hack your website. Detect suspicious redirects, adding/deleting of pages, and similar activity during the early stages.
  5. Compare changes on particular pages to changes in ranking positions. It will help to detect the effect of changes and to build a successful strategy for website development in the future.

Monitoring tools are numerous, each offering a specific approach and solution for your business. Sitechecker.pro is one of the best. It offers convenient navigation, step-by-step guidelines, unique monitoring strategy, and an all-in-one platform that allows for performing audits of the website and of separate pages as well.

eCommerce Software
If you plan to sell something, you will need to deal with a lot of personal data: names, addresses, emails, phone numbers, credit card numbers, etc. This is a huge responsibility. Keeping this information secure in the digital environment is crucial for customers and for your business. A single mistake can infringe on your customers’ privacy and ruin your reputation.

eCommerce platforms help to simplify the process of securing your website, also by easy integration with the other software, plugins and other features. You will be able to view the history of changes and orders, and view or download reports without needing to share data with other programs. Only the authorized users will be able to access this information.

eCommerce software helps to integrate other software solutions and apps. If you choose a proper solution, you can handle all tasks at once:

  • Process and manage orders at every stage, from initial selection through order changes and payment processing to delivery and feedback.
  • Manage the inventory to organize a convenient and attractive catalog, to replenish items that are in high demand, etc.
  • Improve ranking positions thanks to built-in SEO tools that help to take your web resource to higher positions in the organic search without additional expenses.
  • Computerize the calculations, including shipping costs and taxes that vary depending on the clients’ location.

Bottom line
According to TechRadar, the average cost of a cyberattack exceeds US$1.6 million. Over the next five years, cyberattacks are expected to cost businesses over US$5.2 trillion. Sometimes an attack leads to a data leak that delays the start of a project. Sometimes it ruins a business completely, regardless of its type and specialization. The question is not whether to use the above tools. It is which one to start using to keep your business successful.

Larry Alton

With each highly publicized data breach or cyberattack, it becomes increasingly evident that businesses can’t sit back and hope their security strategy is strong enough to withstand an assault. Something needs to be done sooner rather than later – and you need the support of your employees.

Why employees are hesitant
You can design a thorough, comprehensive cybersecurity strategy that protects your business from all major threats and weaknesses, but all of your efforts are futile without the support and cooperation of your employees. They’re the engines that make the entire operation run. Without them, you’ll find it impossible to execute to the degree that’s necessary to be successful.

Unfortunately, employees aren’t always immediately willing to buy into a new security strategy. Their hesitancy is usually rooted in three underlying factors:

  • Lack of awareness. Sometimes employees simply don’t understand the need for greater security. As such, they view any new rules or changes as unnecessary and a waste of resources.
  • Inconvenience. Even when employees do understand the need for advanced cybersecurity, they can be hesitant to adopt new solutions that are inconvenient on the user side of things.
  • Resistance to change. One of the major underlying factors is a resistance to change. People generally prefer to maintain the status quo and will do whatever they can to avoid significant change.

In order to get employees to buy into a new security strategy, you’ll have to identify which of these factors are in play and overcome them through careful execution.

How to get employees on board
Getting employees on board with your new security strategy isn’t a challenge to take lightly. However, here are some simple steps you can take:

1. Help employees understand why.
Employees don’t always have the same level of understanding about security issues that you possess. It’s not something they have to worry about on a daily basis, so it doesn’t seem like a pressing issue. It’s your job to make them understand why it’s important.

Two-factor authentication (2FA) is a great example. Initially, employees won’t like the idea of having to perform two steps in order to log in – understandably so. But you can help them understand why it’s necessary.

InMyArea.com explains it like this: “2FA is your last line of defense and a very good one at that. Should a hacker compromise your unique password, they still would not gain access unless they had your cellphone and could receive the 2FA unique code.”

Sometimes an explanation is all that’s needed. Take the time to explain why you’re implementing changes and what value it yields the business and its employees.

2. Cast a vision.
In conjunction with explaining why new security measures are needed, you also need to lay out a vision that helps them connect the dots.

“Clearly state what is changing and why. Show employees where you are today and where you intend to be tomorrow,” entrepreneur Lindsay Broder writes. “Make sure you show them why this matters to the organization, how it will positively impact their careers and how you plan to measure success.”

3. Implement the right training.
The best type of training happens when employees are able to participate, as opposed to being subjected to classroom learning and lectures that are difficult to grasp.

The training portion of your implementation is arguably the most important piece. Take it seriously and develop exercises and practices that teach them how to handle specific situations that they’ll encounter on a regular basis.

4. Follow up.
After implementing your new security strategy, there has to be some follow-up. In other words, you need to gather feedback, analyze data, and address how change is happening on both a micro and macro level. Anything that isn’t adding up will need to be changed, optimized, or refreshed.

Get the ball rolling
Don’t underestimate the importance of having support from the bottom-up. You can’t implement a successful cybersecurity strategy without getting your employees to fully buy in. By focusing on their hesitancies and resistance, you can improve adoption and enjoy a smoother roll-out.

What will you do?

Editor’s note: For more insights on this topic, see research from ISACA and CMMI Institute on building cybersecurity culture.

Panashe Garande

I recently took to LinkedIn to air my views on one of the most talked-about topics in the world of tech: the cybersecurity skills gap. The skill gap is often discussed in urgent terms and, given my job as a cybersecurity recruiter, I see how it plays out in practice. But information security is a broad discipline, and I think we need to be more specific when we talk about a “skills gap.” I believe the genuine talent shortage is in hands-on areas, like application security and DevSecOps.

Last year, Forbes released an article stating that the cybersecurity skills gap is an “industry crisis.” It noted that, as attacks get worse and more commonplace, companies need cybersecurity professionals more and more. But because of a perfect storm of scarce skills and high demand, security jobs come with a high salary, meaning that businesses not only struggle to find the right people, they have to pay top dollar to get them.

All of that means that cyber-criminals are having a field day, as the article illustrates. Attackers take advantage of ill-prepared companies, knowing that they are likely to be successful. It’s clear that the industry does need to improve, for the sake of customers and businesses alike.

And to do that, we need good people, with the right skills. The industry has known for a while that those people are not easy to come by – there are simply not enough of them. There are a lot of reasons for that shortage, and it’s worth bearing in mind that it’s not the easiest industry to work in; the stress of the work means that mental health issues are rife.

Specific security
But I think that it’s not enough to say that we need to “fix the skills gap.” We need to delve deeper into where that gap actually is, how it comes about, and what we can do to fix it.

In my view, the really hard-to-find people are professionals with hands-on experience, who can competently throw themselves into application security and DevSecOps teams. As I wrote in my original LinkedIn post, these are areas where you may actually have to get your hands dirty, not just consult on what should be done.

From my experience in the cybersecurity recruitment industry, I think this gap exists because the most common route into technical AppSec is through a programming background. The job requires people with the right technical skills as well as a security-focused mindset, creating a hard-to-find niche. With hands-on roles, you need to be technically proficient as well as be able to understand and integrate security into the work. That’s not an easy thing to find.

Solutions?
A few industry insiders got in touch to give me their views on this problem. For Allan Degnan, DevSecOps/Security lead at Dixons Carphone, it remains about the people. By giving security staff opportunities to progress while remaining in a technical role, those talented people will be able to achieve the personal success that they want, while remaining in the technical positions that they enjoy and have trained for, rather than having to become managers.

Mario Platt, director of cyber security at Broadlight, told me that it’s about getting non-technical people comfortable with “actually touching tech” – and to do that, they need to be given the space to fail, he said.

What we don’t need are more consultants. Security consultants, of course, are valuable contributors to the cybersecurity world. But for now, we need to roll up our sleeves, and dig into addressing the skills gap in targeted fashion.

Ed Moyle

My first job in security – and in fact my first job out of school – was for a biometrics company. There were a lot of upsides to that job: the work was fun, the engineers talented (most of us fresh from school), and we had a cool project to work on. There were some downsides, too, though. For example, it left me with a skepticism of practical biometric applications – at least when it came to actually using them myself.

Don’t get me wrong, I was still an avid follower and fan of biometrics technology for years; I piloted it, deployed it, advocated it, etc. But for years – even decades – after that first job, I absolutely refused to use it. That may sound surprising from someone directly responsible for building and deploying the technology, but I think when you hear the reasons, you’ll understand why.

Specifically, the company I worked for was a startup. As anybody who’s worked for a startup can attest, budgets can be thin – and, as a result, when it came time to create marketing materials, we used an unmodified image capture of my right index finger as part of the marketing push. You know how you’ve seen biometrics companies sometimes use a fingerprint as part of their logo or on marketing glossies? Well, the image our company used just happened to be my fingerprint. To this day, if you know where to look, you can still find it; I won’t tell you how, but trust me when I tell you it’s still out there. My fingerprint was on the website, on marketing glossies, was shown on live TV, and was on business cards.

One thing that publicly advertising a high-res image of your fingerprint will do to you is make you nervous about how it might be misused. For example, I knew exactly how someone could inject that image into our system (or systems like it) and trick the system into logging you in as me. Having done exactly that routinely (for testing and QA purposes), I knew it was possible – even likely.

Adding to the skepticism was the fact that the engineering team I worked with came up with a few additional techniques to spoof the system. For example, the readers we used employed a smooth, glass platen (almost never done nowadays for authentication systems). It would sometimes – about a quarter of the time – retain a film of oil on the platen exactly conforming to the fingerprint ridges of the last scan. Properly shaded and with some dust or ground pencil lead, you could use this oil to trick the camera into thinking it was a legitimate capture. “Liveness detection” was an option of course, but frankly it was so “persnickety” (would increase the false reject rate so much) that nobody used it in practice.

The changing of the threat model
The reason I’m telling you all this is that something happened subsequently that I think is illustrative of an important point – that a change in the threat model can make all the difference in the safety (or not) of using a given technology for a particular purpose.

I say this because it happened to me with biometrics; I’ve gone from “avid skeptic” to “avid user.” I use it to log into my laptop, my phone, various different apps on my phone (password managers and the like), and sometimes even for physical entry to secure facilities. In short, the barrier went away.

What changed? That fingerprint image is, after all, still out there. Sure, the technology has changed a bit – most readers are capacitance now rather than optical, and extraction methods (such as how the fingerprint is processed and compared) are better and faster. But the essence of the process is still very much the same: a fingerprint is rendered down to minutiae and stored, subsequent minutiae extractions are compared, and a decision (is it the same or a different fingerprint?) is rendered. What’s different now is the threat model.

The threat model has shifted for a few reasons. In the context of a mobile phone, the fingerprint is taking the place of a PIN or password to gain access to the device itself – the same is true of my laptop. Meaning, someone would need to have the actual device itself – in addition to the fingerprint – in order to actually misuse or try to spoof the biometric. It’s not a remote login scenario like replacing my network/domain password or using it for login to a website or remote resource. Am I nervous about someone downloading and using my fingerprint for login to my phone? Not so long as they need to actually steal my phone or laptop to do it. It seems to me that anybody going to the trouble to steal my equipment could just as easily log in other ways and save themselves the hassle.

For actual physical entry to a secure facility, the threat model doesn’t concern me, either. There are a number of other supporting controls beyond just the use of a single biometric (such as hand geometry or fingerprint). They are probably also looking at my ID, there’s a PIN or password that I need to know, a badge to wear, and people that will throw me out if I look suspicious. It’s one link in a chain of which several elements would all have to fail in order for something bad to happen.

The point I’m trying to make is that the threat model determines the suitability of the control and can mean the difference between a technology being safe or not, a control being sufficient or not, and an application deployment being viable or not. In other words, basing what we deploy – and how we mitigate risks – on the specific threat scenarios that may be reasonably encountered in the field is critical. This is why systematic and workmanlike threat modeling (using whatever flavor of model you prefer) is so important and, in my opinion, why more people should do it. In fact, if I had taken the time to threat model the whole “fingerprint image as marketing” proposition, I probably would have (wisely) pushed back. Threat models can change (to become either more risky or more safe) depending on how and where a given technology will be used or how and where a given control will operate. Understanding what those factors are – and when they change – will absolutely provide value.

It’s important to think about leadership in the cybersecurity realm through the lens of the “lines of defense” model. If you are a leader who is executing in the first line of defense (1LOD), then your job is the proper and timely execution of control activities (processes and technologies) to ensure that your organization is properly protected. If, however, your job is in the second line of defense (2LOD), then you need to make sure that you have thoroughly communicated the risk associated with various actions (and lack of action) to decision-makers so that they can make an informed decision.

This clarity is often muddled as most cybersecurity organizations find themselves operating in what is often called the 1.5 line of defense. They operate some controls: data loss prevention (DLP), endpoint detection, protection, and response (EDPR), intrusion detection, and incident management. However, they also are frequently responsible for reviewing configurations and patching, as well as involved with features and capabilities of applications, infrastructure, and third-party organizations, and advising on the good, the bad, and the ugly therein.

Being an effective cybersecurity leader while working in the 1.5 line of defense is about maximizing two distinct, yet opposing, principles. First, you have to manage cybersecurity operations as if you can 100 percent, absolutely defend the organization from every bad thing that can befall it. Staff in these organizations need to know that they have the ability to prevent attacks from happening and can catch the perpetrators in their tracks. They need to know that you are going to invest in them, their training, and their capabilities to ensure they can protect the organization.

At the same time, you have to know that, on a long enough timeline, everyone fails. There will be mistakes made by people in the organization or by business partners. You won’t be able to get funding for all the resources and technologies you need to mount the best defense. You may be attacked by someone who has the capability to overwhelm your defenses, despite all efforts to the contrary. Lastly, the threat and vulnerability landscape changes so often that there can be hidden holes in your defenses that might not come to light until after it is too late.

Being an effective cybersecurity leader means helping your staff avoid the burnout, guilt, and depression that come from not getting the headcount needed, the funding for the new project, or worse yet, experiencing a data breach when the inevitable comes to pass. To lead effectively, you as a leader need to employ the principle of ensuring that informed decisions happen and that residual risk is accounted for and governed. The business doesn’t have to invest in every security solution available (in fact, doing so may impede its ability to operate effectively), so long as you have appropriately informed stakeholders of the bad outcomes that could follow from not choosing the more secure option, and have had them accept the risk associated with those outcomes.

Risk acceptance is the cybersecurity leader’s “get out of jail free” card – not in an “I told you so” way, but in a cooperative manner that helps the business view you as a partner, not an impediment, and the cybersecurity staff feel as though their concerns have been addressed.

About the author: Jack Freund, Ph.D., CISA, CISM, CRISC, is Director, Cyber Risk Management for TIAA, member of the CRISC Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.
