The skills required to be successful in IT security are changing. In a recent survey, 30.7% of IT leaders reported that a lack of skilled IT professionals is the greatest barrier to preventing data loss. Respondents also listed incident response management, expertise analyzing large datasets, communication with non-IT executives and departments, and security certifications as skills they expect to be more important in the next five years. But it’s not enough to invest in your skills; you also need visible projects to demonstrate your value within the organization. This article covers five such projects.
But before we dive into the list of projects, let’s first frame what’s important – for executives that means what delivers the most value to the business. Today, there is greater visibility for IT security with non-IT executives and the board of directors. The reason is simple: security breaches cost the company money and can result in the CEO losing his job. Executives and the board are understandably concerned about what appears to be an increasing number of high-profile breaches, which can ignite a wave of class action lawsuits from consumers and shareholders. These breaches also attract unwanted attention from government regulators.
According to IT leaders, IT security is now an executive-level and board-level concern at 61% of companies. As boards take a more hands-on approach in overseeing security, they are primarily interested in understanding the company’s security strategy, policy, and budget; security leadership; incident response plan; ongoing performance metrics; and employee education program. By leading projects that executives and the board are interested in, you’ll gain greater exposure for yourself. When you can execute well, it reflects positively on the entire IT security department from you all the way up to the CISO.
Once you execute a project well and deliver measurable results, you’ll be able to socialize the project internally. You can also identify opportunities to educate other IT professionals about how you approached the project at conferences and perhaps even in the news media.
Here are five IT projects to accelerate your career:
1. Use Real-Time Coaching to Improve Security Awareness
When CIA Director Michael Brennan’s email account was hacked, it wasn’t the result of a sophisticated cyber attack using multiple zero days. It was closer to “advanced, persistent asking nicely what his password is.” According to Verizon’s 2015 Data Breach Investigations Report, phishing accounts for 95% of attacks attributed to state-sponsored actors. The report also found that 23% of recipients open phishing emails and 11% click on attachments. Clearly, traditional security awareness training programs have not reached all employees.
While companies can do more to prevent phishing by inspecting email payloads, sinkholing DNS for new domains for 48 hours, and enforcing inbound filtering, making users more aware of cyber threats is still one of the most effective ways to prevent these incidents. In addition to traditional security awareness training, conducting simulated phishing attacks and coaching users who clicked on links in mock phishing emails has been shown to double end users’ retention of security-related concepts and reduce vulnerability to phishing.
- How To Successfully Phish Your Own Firm
- Top 9 Free Phishing Simulators
- 5 Reasons for Segmenting Your Phishing Simulation Campaigns
2. Proactively Enable (Not Block) Cloud Usage
IT security has a reputation within many organizations as the department of “no”. As users discover that there are thousands of free or low-cost apps that can help them do their jobs better, IT security teams have recognized that not all of these applications are fit for enterprise data. In response, they have attempted to block as many cloud services as possible. But with over 20,000 cloud services, they often end up blocking well-known apps, which forces users to find lesser-known and much riskier apps in the same category.
Mike Bartholomy, senior manager for information security at Western Union, has taken a different approach. Under his leadership, Western Union’s IT security team monitors cloud usage and uses a rating process similar to a credit score to assess the security controls of each cloud service. Simultaneously, the company is proactively enabling cloud services within cloud service categories that are growing in popularity – such as Box for file sharing and collaboration. By proactively enabling cloud services and securing their use, IT security has become an enabler of the tools that drive innovation and growth in the business.
- 17 Security Criteria to Look at When Evaluating a Cloud Service
- How to Implement a Cloud Governance Framework – Whiteboard Walkthrough
- Use velvet gloves, not boxing gloves, to beat shadow IT
3. Complete Your Incident Response Plan
By the time a data breach occurs, it’s too late to formulate an effective incident response. While 82.2% of companies have an incident response plan, fewer than half of these companies have a complete plan that covers security remediation, legal, public relations, and customer support. Companies are even less likely to have cyber insurance, which can recover a significant portion of the costs of a breach. For example, following a credit card breach in 2013, Target’s insurance covered $90 million of the $264 million cost of the breach.
In addition to implementing a plan to respond to a breach, IT security can also deploy a process to proactively detect breaches. In the case of Target, if the company had been able to effectively detect and stop the breach on the day it began, the impact of the breach would have been much smaller. In the end, it took Target almost two weeks to identify and stop the breach, allowing attackers time to pilfer 40 million customer card numbers. Incident detection software such as SIEM, IDS/IPS, and user and entity behavior analytics (UEBA) can help identify incidents in their earlier stages so IT security teams can respond.
- The First 48 Hours: How to Respond to a Data Breach
- 4 Best Incident Responses of All Time
- Data Breach Incident Response Checklist
4. Create a Cross-Functional Governance Committee
Today, 21% of companies have a cross-functional committee responsible for setting and enforcing governance policies. These committees generally include representatives from IT and IT security, but they also tend to include legal, compliance/risk, audit, and the line of business. It’s especially important to include the line of business since end users are the primary consumers of technology within the organization. When end users don’t feel their needs are being met, they often go around IT and find their own solutions, resulting in shadow IT.
As part of running a governance committee, you’ll likely find yourself doing something you may not have done very often before: presenting to your organization’s executives and board of directors. They are interested in the policies in place, as well as metrics that track adherence to these policies. It is important to track key metrics before, during, and after taking action to enforce new corporate policies in order to demonstrate the impact of your work organizing a governance committee and enforcing policies.
- 7 Common Cloud Security Questions Asked by the CEO and Board of Directors
- Essential PowerPoint Template: Cloud Usage and Security for Executives and the Board
- The CFO’s critical role in promoting cybersecurity
5. Drive a Data-Centric Security Initiative
In an earlier era, IT security was focused on securing the network perimeter. Now that an increasing volume of corporate data is stored in the cloud, security needs to adjust to a world that no longer has a defined perimeter. There are a number of technologies designed to protect data in this new world including cloud access security brokers (CASB) and information rights management (IRM). What they have in common is that they secure applications and data in the cloud and on unmanaged mobile devices, rather than focusing on the network edge.
In Gartner’s 2016 list of the Top 10 Technologies for Information Security, the analyst firm ranked CASB as the number one technology of the year. CASB takes many existing security capabilities – including encryption, data loss prevention, access control, threat detection – and applies them to corporate data in cloud services. Like endpoint security and network security before it, cloud security is poised to grow into a strategically important function for every organization as they experience greater cloud adoption.
- Streamline the Cloud: How Companies Use Cloud Access Security Brokers
- Companies Sniff Out Employees’ Cloud Habits
- Cloud security culture a building block for today’s businesses
Improving your skills and getting additional certifications are important steps in improving your value to your organization (and your career prospects). Once you have these in place, pursuing high-visibility projects – ones that get the attention not only of IT security peers but also non-IT executives – and executing on them well can help you accelerate your career within your company. They also provide ways to build your brand because you now have something meaningful to speak on to a group of attendees at a conference or even to a reporter.