Occam’s Razor states that the best solution to a problem is the simplest one. This week, CISOs on Twitter discussed the implications of simplicity for enterprise security. Unsophisticated attack methods remain pervasively successful in corporate environments. Alternatively, less can be more when implementing technologies and building a security strategy.
Despite momentum towards sophisticated advanced persistent threats driven by organized criminal hackers and state-sponsored groups, rudimentary attack methods such as phishing scams continue to keep security professionals up at night. Many of these methods target the first and often last line of defense: end users. LocalTapiola Group CISO Leo Niemelä put his finger on human error as an enduring security concern in 2015. Consequences of human error can range anywhere from a compromised credential to the failure to enforce multi-factor authentication for a service. As past incidents have proven, both can have catastrophic outcomes for a corporation.
— Leo Niemelä (@leoniemela) June 2, 2015
UK Air Traffic Services’ Andy Rose went further, declaring that infosecurity starts and ends with people. The sheer variety of ways in which the human element can come into play makes it crucial that enterprises consider users at all steps of their security strategy. This means putting user experience at the center of security decision-making, from reinforcing security culture to selecting intuitive technologies.
— Andy Rose (@AndyRoseCISO) May 30, 2015
There’s a tendency to limit discussion of the human element of security to the challenges regarding users. Security professionals are people too, however, and a solid security strategy will strive to make their lives as easy as possible. Specifically, Jeremy Richard of ACTICALL Group described the shortcomings of security technologies that impose overwhelming workloads on security teams. 71% of survey respondents believe that the failure to get the most out of security technologies puts their organizations at risk. There are two pertinent attributes to consider when evaluating a security technology. First, does this technology provide relevant, actionable insights? Security teams can be spread thin when dealing with “noisy” or excessive security alerts without direct paths to remediation. Second, how will this technology interact with others already in place in your environment? Technologies that either require rip-and-replace implementations or provide siloed insights are not only more time-consuming; they also fail to exploit the synergies of analyzing data across a variety of vectors, reducing the context and therefore the accuracy of findings.
Complex IT Security Products Putting Companies at Risk https://t.co/hFUFdYXgn0
— Jeremy Richard (@jeremy_richard) June 1, 2015
Twitter’s Michael Coates shared some relieving news for CISOs: boardrooms are cutting security teams some slack when it comes to liability for breaches. Instead, boards are directing blame straight to the top of the organization, naming the CEO the most responsible party. This outlook reflects the belief that security requires a company-wide effort, with buy-in from the top. While boards may be looking to CEOs, CEOs will in turn be looking to their CISOs, so we’re not really off the hook yet.
Who do boards hold responsible for data breaches? http://t.co/x5s7Sz767P
— Mɪᴄʜᴀᴇʟ Cᴏᴀᴛᴇs (@_mwc) June 2, 2015
Ultimately, the prioritization of information security comes from recognizing cyber risk as an element of enterprise risk management. EY’s Mark Brown shared an article on the importance of getting the CFO behind cybersecurity initiatives. With data breaches significantly hurting companies’ bottom lines, boards need to consider security costs as part and parcel of financial risk mitigation.
— Mark Brown (@markofsecurity) June 1, 2015