- DSNews - https://dsnews.com -

How to Win at Cybersecurity: Become a ‘Sneaker’ CISO

This piece originally appeared in the September 2022 edition of DS News magazine, online now [1].

To protect against cybercrime, every organization needs to build a culture of information security. Security rests on three elements: technology, people, and processes. To build that culture effectively, leaders in this space need to become “Sneaker CISOs.”

Sneaker CISOs (Chief Information Security Officers) are more focused on people and process than they are on technology. Too many security professionals today are so deep into the technology that they don’t pay enough attention to the people and processes. I was one of them. But technology can’t secure technology. That’s a lesson I learned the hard way when I started working with public utilities.

Prior to that, I’d been working for government agencies, where all we had to focus on was the operations side. The utility industry was for-profit, and so it also had a business side, where systems were being digitized. At the time I started, the operational side was all analog.

When the operational side started to become digitized, they committed the cardinal sin of connecting their operational technology to their business networks to make their regulatory reporting more efficient. Someone was able to make their way into the operational technology, which is typically not very sophisticated, and began to encrypt the systems that were running it, and shut down a gas pipeline.

If they had consulted a security engineer, safeguards could have been put in place before connecting the systems. There’s little technological difference between the Windows 10 used in enterprise systems and the Windows 10 that the U.S. Air Force uses. The only difference is “people” and “process.” That’s when I realized that, in the digital world, everybody in the organization has a role in security.

As a security leader, you need to partner with those closest to the box, educate them, and empower them to protect the box. That is why the first step in building a culture of information security is always to put your sneakers on, walk around, and get to know the people.

Here’s who to meet, what to talk about, and how to build those partnerships:

There are always business risks outside of information systems that have to be weighed and balanced when deciding just how to allocate budget and resources. Our job is to educate, inform, and remediate if the organization wants us to. Stay in your lane, and you’ll stay sane.

As a security professional, it's very rewarding to fix a vulnerability, or thwart an attack. It’s a big part of why we get into the profession in the first place. But, we must realize that we cannot secure anything within the organization on our own.

True security efforts come through a groundswell of collaborative efforts. It’s more rewarding when the lights come on and people begin to understand that they play an active role in these efforts. Attending annual security training, updating your passwords, and not clicking on suspicious emails are just the beginning.

Those address broad-based technical vulnerabilities. But everybody’s security responsibilities also depend on their role within the company. If you’re in accounts payable (AP), for example, you need to be up on the latest business email compromise scams and have methods in place to spot and defeat them. If you’re working with external vendors, you need to be aware of your organization’s requirements for how they handle your information.

Our job is to break down the us/them barrier and build those partnerships, because security is a "we" thing. Early in my career, I unwittingly created resistance to security by focusing on rules and technology. Once I changed my approach, most of the barriers I had been encountering disappeared.

Bugs and vulnerabilities can be fixed, but infosec never ends. People, processes, and technology are always changing, and technology in particular is updated on a regular basis.

Processes are always being evaluated for efficiency and maturity. If you educate and empower the people, the processes can change. The technology can change, but the mindset stays. And that's how you build a culture of cybersecurity.