LOUISVILLE, Ky. --- Far too many IT security pros are failing to capture the attention of upper management and to empower employees to foster a security-minded culture, according to noted security expert Jayson E. Street.
Street, a security researcher and CIO of Strategem 1 Solutions, told attendees at the DerbyCon security conference that they need to change their perception of upper management. Every year security pros ask for more money for their program, but it's very unlikely that they are clearly demonstrating the outcome of previous investments, Street said.
"Saying they just don’t get it is a crutch we use," Street said. "I don't care how awesome you are at breaking something or figuring out how something is broken; if you can't communicate effectively to upper management, it doesn't matter."
Getting into the mindset that metrics are a powerful tool for demonstrating the effectiveness of ongoing security initiatives is a good way to begin improving communication and boosting the security program, Street said. Start tracking blocked spam, filtered virus attachments, firewall blocks and data from other security devices.
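As an added example (not from the article or from Street's talk), the script below sketches what "tracking" those numbers can look like in practice: it parses log lines from a mail filter and a firewall, buckets blocked events by ISO week, and reports the change from one reporting period to the next. The log format and the sample lines are constructed for illustration and are not any vendor's real format; the names `SAMPLE_LOGS`, `aggregate` and `period_report` are assumptions of this example.

```python
"""Turn raw security-device log lines into period-over-period metrics.

Added example; not the article's or the speaker's code. The key=value log
format and the sample lines below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines from a mail filter and a firewall, two weeks apart.
# The last line is deliberately unparseable so the report shows that count too.
SAMPLE_LOGS = """
2013-09-23T08:01:10 mailfilter action=block reason=spam src=198.51.100.7
2013-09-23T08:02:44 mailfilter action=block reason=virus_attachment src=203.0.113.9
2013-09-23T09:15:00 firewall action=deny proto=tcp dst_port=445 src=192.0.2.55
2013-09-24T11:20:31 firewall action=deny proto=tcp dst_port=3389 src=192.0.2.56
2013-09-24T11:20:32 firewall action=allow proto=tcp dst_port=443 src=192.0.2.56
2013-09-30T08:01:10 mailfilter action=block reason=spam src=198.51.100.8
2013-09-30T08:05:12 mailfilter action=block reason=spam src=198.51.100.9
2013-09-30T08:06:00 mailfilter action=block reason=virus_attachment src=203.0.113.10
2013-10-01T09:15:00 firewall action=deny proto=tcp dst_port=445 src=192.0.2.57
2013-10-01T09:16:00 firewall action=deny proto=tcp dst_port=445 src=192.0.2.58
2013-10-01T09:17:00 firewall action=deny proto=tcp dst_port=22 src=192.0.2.59
this line is garbage and should be counted as unparsed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one '<timestamp> <device> k=v k=v ...' line; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None  # first token is not a timestamp: treat the line as unparsed
    event = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    event["ts"] = ts
    event["device"] = m.group("device")
    return event


def classify(event):
    """Map a parsed event to one of the metrics worth reporting, or None."""
    if event["device"] == "mailfilter" and event.get("action") == "block":
        if event.get("reason") == "spam":
            return "spam_blocked"
        if event.get("reason") == "virus_attachment":
            return "virus_attachments_filtered"
    if event["device"] == "firewall" and event.get("action") == "deny":
        return "firewall_denies"
    return None  # allowed traffic and anything else is not a blocked-event metric


def aggregate(text):
    """Count blocked events per metric per ISO week; also count unparsed lines."""
    per_week = defaultdict(Counter)
    unparsed = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            unparsed += 1  # surfacing this keeps the metrics honest
            continue
        metric = classify(event)
        if metric is None:
            continue
        year, week, _ = event["ts"].isocalendar()
        per_week[f"{year}-W{week:02d}"][metric] += 1
    return dict(per_week), unparsed


def period_report(per_week, current, previous):
    """Compare two periods. A rising count is not automatically bad: it can mean
    the control is working or that attack volume rose; either way it is
    something leadership can see and ask about."""
    cur = per_week.get(current, Counter())
    prev = per_week.get(previous, Counter())
    rows = []
    for metric in sorted(set(cur) | set(prev)):
        c, p = cur[metric], prev[metric]
        change = None if p == 0 else round((c - p) * 100.0 / p, 1)  # None: no baseline
        rows.append({"metric": metric, "previous": p, "current": c, "change_pct": change})
    return rows


if __name__ == "__main__":
    weeks, bad = aggregate(SAMPLE_LOGS)
    for row in period_report(weeks, "2013-W40", "2013-W39"):
        pct = "n/a" if row["change_pct"] is None else f"{row['change_pct']:+.1f}%"
        print(f"{row['metric']:<28} {row['previous']:>4} -> {row['current']:>4}  ({pct})")
    print(f"unparsed lines: {bad}")
```

The report is deliberately a plain table of counts with a percentage change, which is the form that survives a two-minute slot in a management meeting; the unparsed-line count is kept in the output so a gap in collection shows up as a number rather than silently deflating the metrics.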
"You should love and embrace metrics because that helps your network get better," Street said. "You'll start understanding what is going on in your network and find out how well your network is running."
The success of enterprise risk management programs hinges on buy-in from upper management, security experts say. A study conducted earlier this year by Carnegie Mellon University showed that high-profile data breaches have done little to get senior-level executives to understand the security and privacy risks within the enterprise. The study found that 70% of executives and their corporate boards of directors rarely or never review security policies. It noted gaps in the way corporate CEOs and other senior executives take responsibility for the organization's security and privacy practices.
Street, who said he also works at a major U.S. bank, makes it a priority to provide two security-related stories for senior executives to read every two weeks, when upper management meets. The stories help start a conversation and can help management better understand the threat landscape and how much risk is acceptable.
"We can't lose hope, be disgruntled and say no one is listening to us," Street said. "You've got to have a conversation. You can't just lose hope with them."
Street said his job is not to enact change, but rather to observe and report. Security pros must be effective at explaining where the risks are and how the company is going to offset some risk with security technology and policies while accepting the rest, he said.
"If the CEO is running toward the edge of a cliff, I'm not going to stop him," Street said. "I’m going to tell him here's a parachute for $500 and here's an umbrella for $5. You've got to give them choices."
Street also urged attendees to adopt a positive attitude and become approachable to end users. "The first step is to learn how to communicate effectively among ourselves," Street said. Join local security groups, speak at conferences and learn to interact with colleagues on research projects and ongoing security issues. The more speaking engagements and opportunities a person has, the better they get at engaging people, he said.
Effective security awareness training
Security awareness training can be effective, Street said, if it is approached correctly. A more effective program educates employees about how to be better computer users at home, not just at the office. A program that teaches employees how to protect their personal data, and their children from online predators, could foster a security mindset that carries over to the office.
"Users are getting compromised at home. Their children are talking to people online who they really don't know," Street said. "They can't protect their own stuff; how the heck do you expect them to protect your data?"