To protect against cybercrime, every organization needs to build a culture of information security. To do that, infosec leaders need to become “sneaker CISOs.” There are three elements to security: Technology, people and processes. Sneaker CISOs are more focused on people and process than on technology.
Too many security professionals today are so deep into the technology that they don’t pay enough attention to the people and processes. I used to be one of them. But technology can’t secure technology. That’s a lesson I learned the hard way when I started working with public utilities.
Prior to that, I’d been working for government agencies where all we had to focus on was operations. The utility industry was for profit, and so it also had a business side, where systems were being digitized. At the time I started, the operational side was all analog.
When the operational side started to be digitized, they committed the cardinal sin of connecting their operational technology to their business networks to make their regulatory reporting more efficient. Someone was able to make their way into the operational technology, which is typically not very sophisticated, and began to encrypt the systems that were running it and shut down a gas pipeline. It was quite terrifying.
If they had consulted a security engineer like me, we would have put some safeguards in place before connecting the systems. There’s little technological difference between the Windows 10 used in enterprise and the Windows 10 that the U.S. Air Force uses. The only difference is people and process. That’s when I realized that, in the digital world, everybody in the organization has a role in security.
As a security leader, you need to partner with the people closest to the box, educate them, and empower them to protect the box. That is why the first step in building a culture of information security is always to put your sneakers on, walk around, and get to know the people. Here’s who to meet, what to talk about, and how to build those partnerships.
As a security professional, it's very rewarding to fix a vulnerability or thwart an attack. It’s a big part of why we get into the profession in the first place. But we have to realize that we can’t secure anything within the organization on our own.
Real security comes through a groundswell of collaborative effort. It’s more rewarding when the lights come on and people start to understand that they have an active role in the security effort. Attending the annual security training, updating your passwords and not clicking on suspicious emails is just the beginning.
Those are broad-based technical vulnerabilities. But everybody has a role that’s dependent on their role within the company. If you’re in AP, for example, you need to be up on the latest business email compromise scams, and have processes in place to spot and defeat them. If you’re working with external vendors, you need to be aware of your organization’s requirements for how they handle your information.
Our job is to break down the us/them barrier, and build those partnerships, because security is a "we" thing. Early in my career, I unwittingly created resistance to security by focusing on rules and technology. Once I changed my approach, most of the barriers I had been encountering disappeared.
Bugs and vulnerabilities can be fixed, but information security never ends. People, processes, and technology are always changing. We get updates to technology on a monthly basis. Processes are always being evaluated for efficiency and maturity. If you educate and empower the people, the processes can change. The technology can change, but the mindset stays. And that's how you build a culture of cybersecurity.
About the author: Tony Carothers is the Security Systems Engineer at Corpay, a FLEETCOR company. He has over thirty years of experience in information security, working in both the public and private sectors.
Antivirus software is not enough. Apex Technology Services used its decades of IT and cybersecurity
experience to create budget-friendly network security packages every company needs.
Please take a moment to fill out your information so we can contact you directly regarding your request.
iGaming is one of the fastest growing industries on the internet. For those who may not be aware, iGaming refers to online casinos, online slots, poke…
It is easy to get lost in all the new phone releases when multiple happen yearly. Consequently, most new functions go unnoticed because people do not …
Embarking on the journey to bring a new product into the marketplace is an exhilarating adventure that blends the thrill of innovation with the meticu…
MySQL on AWS is the deployment of the MySQL database system on Amazon Web Services (AWS) cloud platform. MySQL is one of the most popular open-source …
Responsive images are a fundamental component in responsive web design. They adapt to the size of the user's screen, delivering the best user experien…