C-Suite Network™


The Importance of a High Performance Cybersecurity Team

In this six-part series I am going to address five pillars for creating a high performance security team. We are starting at a high level in this article, and then each week I will go into more detail on another pillar.

Because cybersecurity professionals face a lot of adversity and burnout, it is incredibly important for their leadership to understand what it takes to create a high performance security team.

If you are the type of leader who is striving to make big things happen for your organization, protect your organization’s data, and possibly create a competitive advantage through security, a high performance security team is the answer. If you are reading this and you don’t have a security team at all, then forming one or bringing in security consultants is the place to start. As you build that team you can incorporate the lessons from this series in order to build a high performance team from the ground up.

High performance teams in general get more done with less effort and with better results. They have less drama and more creative ideas. A high performance security team is one of the cornerstones of your competitive advantage because when you have rock star security talent that isn’t going to leave, you have something your competition probably does not, which puts you in a leading position.

You are probably intimately familiar with teams that are not high performing from your own experiences throughout your career, and so am I; that is why I wrote The Corporate Detox. So let’s dive right into the signs of a high performance team, so you can start focusing on what you want vs. focusing on what you don’t want.

The signs you have a high performance team:

  • Team members genuinely like spending time together and trust each other
  • Everyone is working towards a shared goal and vision
  • Projects are completed on time and on (or under) budget
  • Assigned roles are based on individuals’ strengths and interests
  • Team members communicate with each other and with you (their leader)
  • Everyone talks about what is working and what isn’t working
  • During brainstorming sessions no idea is ridiculed
  • Everyone is encouraged to participate in discussions
  • Feedback is provided in real time and in a constructive way
  • There is no finger pointing or blame when things don’t go as planned
  • Roles and accountability are openly discussed
  • No one is “just hanging in there” and counting down the days until Friday

If your security team is missing some of these signs, it’s okay, you can turn it around, and I’m going to provide you a roadmap to do this. In this series, each article will discuss one of the five pillars of not just high-performance teams, but EPICC high performance teams:

EPICC Teams are Engaged, Productive, Have Integrity, Collaborate and Communicate.

Now between reading this and next week’s article, I encourage you to conduct a review of your current security team. How many of the signs that I described in the above checklist can you say your team embodies? How many need a little work? How many are non-existent? Don’t pad your answers; be honest because this will help you focus on what you want. When you see areas that you are not happy with you will better know what changes you need to make.

Sometimes it’s easier to identify what you don’t want in order to more clearly identify and define what you do want. In looking ahead to next week’s article in which we will discuss the first pillar, Engagement, start to think about the times you have been most engaged and the times you have been least engaged at work.

In the meantime you can always reach out to me at sharon@c-suiteresults.com to discuss this topic, security teams, or security strategy. If you enjoy podcasts you can listen to C-Suite Results Radio to tap into the wisdom of other successful business people who know the path you’re traveling.



Cybersecurity Resources That Your Organization Must Have

This article is part of a series where we are discussing your role as an organizational leader in the cyberwar that has been all over the news on a regular basis lately. I started with a frank discussion on whose side you might actually be on when you don’t protect your organization’s network. In the second article we discussed creating a culture of security, and the third article was all about strategy. This is the fourth and final article in this series, and we are discussing resources for your security team and organization.

In order for your security team to be on the front line of this cyberwar, defending your network and your data, they need to have the best resources available in order to defend against the many threat actors attacking organizations like yours every day.

One of the biggest challenges in this war we defend against in cyberspace is that it is always changing. The adversaries continue to get better and change their strategies, and if we don’t arm our people with knowledge and skills we will continue to be on the losing side. Depending on your industry that could result in a loss of data, intellectual property, or national security secrets, and could literally be a question of life or death for those in the healthcare industry.

New technologies emerge at lightning speed, which provides hackers new ways to launch their cyber attacks that we need to keep up with. Every time a new application is deployed, a new line of code is written, or a new Internet of Things (IoT) device is connected to the network, we invite the bad guy in. Not because we are asking to be attacked, but because they know how to use our technologies against us for their gain.

Let’s look at the three categories of resources and the key factors they address to win this never ending cyberfight waged against us on a daily basis.

People

Have you created your cyber team with the best offensive and defensive players? Like sports and traditional war, you have to have the best players or soldiers to win in a cyberwar. Not only does that mean that you have the right people in the right roles; it also means you have trained them and continue to train them. This applies to your internal employees and any third parties that work on-site or off-site to help secure your organization’s cyberspace and data.

Security personnel are in a constant state of adversity, trying to keep up with new technologies and threat actors. They almost never hear “job well done.” Often your security team is only recognized when something goes wrong, but not for the success of stopping a breach, which is their job every day. Other employees are recognized for doing their job well, but the security team is often overlooked since their success is typically invisible.

People want to be recognized for what they do, and often the security professional goes without such recognition for most of their career. If you want to help your team avoid burnout and apathy, recognition is going to be one of the key ways you can do that.

Time

Time is most definitely a resource, and if you have ever said “I don’t have time for that” you know what I’m talking about. I’ve seen it myself, too many times: good people leave because they are overwhelmed and exhausted.

This is a team of highly specialized people where you can’t afford high turnover. Not only because turnover is expensive in and of itself, but because these individuals have such specific knowledge that when they leave, the time it takes a new employee to catch up is dangerous. In the time spent ramping up, they can easily miss what their predecessor would have seen. You can’t avoid all turnover; it will happen. But you can reduce the amount of turnover by understanding how much your team can actually do and providing additional resources like contractors, third parties, and tools where needed.

Whether you hire more staff or outsource, you must remember that time is a resource that cannot be changed and security is a role that cannot be given to just anyone or ignored due to budget constraints.

Tools

Every good mechanic needs a set of tools, and the same is true for your security team. The problem often becomes which tools to use within your security team, since there are so many and the tools can be very noisy. Noisy meaning all the alerts they can generate if not configured (or tuned) properly.

The best way to ensure you are getting the right tools for your team is to include your frontline defenders in the vetting process for new tools. Who knows better what you need, the person doing the work day in and day out or their manager or the executive team? You want what’s best for your security team so ensure the users are part of the decision making process.

It is often good to include a vendor-neutral security consultant who can ask questions of the vendor that you and your team may not have thought about and do it with complete objectivity.

  • What is the tool truly capable of?
  • Does your team already have a tool that can do something similar they are not fully utilizing?
  • Does the new tool integrate with the current infrastructure?
  • What alerts will it generate?
  • How hard is it to configure?
  • And often missed but extremely important, will you need a support contract or consulting contract from the vendor just to make it work?

With the right team doing the amount of work that makes sense with the right tools, you are setting your organization up for success in the fight against cyber attacks. If you have not given this issue much thought or deep thought before, that’s okay; you’re not alone in that. It’s time to get started, and the sooner the better, because as we continue to see there are more breaches, attacks, and threat actors in cyberspace than ever before. As we continue to put more in the cloud, connect more devices, and have a larger remote workforce, this becomes more and more part of your everyday operational concern, just like keeping the lights on and the water running.

If you want to discuss any of these resource concerns with a vendor-neutral consultant, email sharon@c-suiteresults.com to start discussing the resource questions you have now. Sharon provides virtual Chief Information Security Officer (vCISO) and advisory services, consults with clients on security strategies, writes policies, and helps organizations of all sizes become and remain secure and compliant.


Cybersecurity Strategy – Do You Have One?

Do you have a security strategy? I don’t mean locks and guards; I am asking if you have a cyber security strategy. There has been no shortage of frameworks for cybersecurity best practice and more regulations than most organizations know what to do with. But even with all of that, until recently there have been minimal requirements to have a security program and even less enforcement on the issue.

That is, until now. The New York Department of Financial Services (DFS) has established its Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). The new DFS regulation holds an institution’s senior leadership accountable by requiring an annual compliance certificate signed by a senior officer or board member. This is the first state legislation of its kind, and I am sure, with all the breaches we continue to see, that it will not be the last, whether or not you live in New York.

One of the big differentiators in 23 NYCRR 500 is the requirement for covered entities to develop a cybersecurity program. Other regulations require risk assessments and information security policies, but I am not familiar with any that specifically require a cybersecurity program.

You can think of your cybersecurity program as your security strategy, which is important for the same reasons a business plan, a map, or an architectural blueprint is important. Without any of these you don’t know where you are going or how you are going to get there.

I’m here to let you in on a little secret. It’s not that a security strategy is difficult to create; it’s just that you, the organizational executive, have never had to create one before. Everyone you talk to about cyber keeps throwing around acronyms and technical terms that you don’t understand, and that has kept you largely at arm’s length from this topic. Because I don’t think you should be responsible for becoming a security expert, I want to break down the mystery of a security strategy so that you can see it is doable and necessary.

Policies and Procedures

It all starts with policies and procedures. You already have these for so many areas of your business; it’s a matter of adding those applicable to security, then training your employees and continuing to make them aware. ComputerWeekly reported that a recent survey conducted at the Black Hat Security Conference in Las Vegas revealed that 84% of respondents whose company has suffered a cyber attack attribute it, at least in part, to human error. Policies and procedures could have helped stop a large number of those. Sometimes people just don’t know what to do, and with a lack of guidance they will do what they think is best.

Risk Assessment

You have to know what your risks are to know what to protect and how to protect it, and you do this through a risk assessment. This is required in every best practice framework and regulation I have ever seen.

A risk assessment asks a lot of questions to identify risks, severity, and likelihood. Questions like: What sensitive data do we have? How is the data transmitted and stored? What systems are used to host the data? How are those systems accessible inside and outside your network? Do those systems have all critical security patches applied? Who are the third parties that access your data? How well are your employees and vendors trained? Who are your adversaries?

Most of this can be assessed through interviews with the people who interact with the data or manage your systems and through automated tools like vulnerability scanners. There is also a professional service called penetration testing where ethical hackers mimic what malicious hackers would do so that you truly understand your security posture and risks from the outside and inside of your network.

Risk Management

Prioritize, prioritize, prioritize: this will become your new mantra. Once you have completed your risk assessment you will be left with a list of low, medium, high, and critical items to remediate and manage. That can be overwhelming, and you can’t fix it all at once, so don’t try; the answer is the same whether you are trying to remediate your vulnerabilities or eat an elephant – one bite at a time. It’s a matter of understanding which risks are the highest and the easiest to fix first, and which are less important or more long term to solve for. This is where your security team and security executive are there to help. If you don’t have this team or person in place to run security, then you bring in a third party to help with remediation and retesting.

Food for thought – The same ComputerWorld article said “Nearly 55% of more than 130 attendees of the 2017 Black Hat security conference in Las Vegas admitted their organizations had been hit by cyber attacks.” The reason I say that is that it is very common to hear “it won’t happen to me.” Risk management is how you help ensure that it won’t happen to you.

Continuous Monitoring

Continuous monitoring, regular control testing, and at least annual risk assessments are how you keep this going. It is not a one and done project. This becomes an operational part of your business, just like keeping the lights on. Whether it’s your internal team or third party consultants that help you achieve this, it must become part of your daily culture of security.

This includes implementing and maintaining technologies that can prevent a cybersecurity event, along with the processes and technologies for detecting cybersecurity events, responding to events and mitigating risks, and recovering from events.

If you are still wondering “how will I accomplish all this?”, don’t worry; I understand that is a real question and concern. In my next article in this series I will discuss resources with you and how you will do this. I want to make this as simple as possible because your organization, people, and customers need to be protected from malicious individuals and from costly errors. Please note I said simple, not easy; with the right people, creating the strategy is simple, but it will take time and resources along with a culture of security to make it happen.

***

If you don’t want to wait for the next article, email sharon@c-suiteresults.com to start discussing the resource or strategy questions you have now. Sharon provides virtual Chief Information Security Officer (vCISO) services, consults with clients on security strategies, writes policies, and helps organizations of all sizes become and remain secure and compliant.


Are You Missing the Third Kind of Search Marketing?

Most marketing teams know about Search Engine Optimization (SEO) and Pay-Per-Click (PPC). You have teams devoted to getting searchers to your site from Google and other search engines. But what happens after they get there? Do you focus just as strongly on getting them to convert? Do you focus on the third kind of search marketing–site search?

Site search–that box in the upper corner of your website–finds pages on your own site. It’s a critical way to convert those searchers who find your site into customers. Here’s why–the folks who search on your site are your most qualified visitors. Think about it. If you land on a website and don’t find what you are looking for, you probably bounce back to Google and search again. But what if you really want to buy from that company? What if you really think that company has what you are looking for? You stick around and perform a site search.

That’s why reports show that site searchers have conversion rates anywhere between 43% and 600% more than other site visitors. So, the question becomes, “What would they find with your site search?” Would they find their answer? If you’ve been ignoring site search, probably not.

If you’re spending precious resources on attracting searchers to your site because you know your customers use search, why would you ignore site search once they get to your site? But most companies do.

Get ahead of your competition by focusing on the third kind of search marketing, site search. Instead of just attracting searchers to your site, you will turn searchers into customers.



Culture of Security

After a decade as an information security (a.k.a. cybersecurity) consultant, I had seen too many people who were just hanging in there or counting down the days till Friday. I started to take a great interest in company culture and employee engagement and I wanted to figure out how to solve this problem, especially as it related to the security professional.

Company culture and employee engagement can make or break an organization: are employees happy to come to work and engaged, or are they looking for their next opportunity? In the same way, the culture of security, or lack thereof, can make or break an organization in terms of whether it stays in business or loses everything to a hacker, security breach, or internal error.

One unpatched desktop or one phishing email is all it takes for the hacker to get started in successfully breaching an organization. How easy or difficult this is has to do with the culture of security. The intent of this article is not a scare tactic; it is purely a reminder, or maybe a new way to think about, the importance of having a culture of security.

There is an old Chinese proverb that I believe really says a lot about culture (of any kind), “the fish rots from the head.” If the top leaders in an organization are not serious about security or do not understand its importance, how can anyone else in the organization take it seriously?

Here are three questions you can start with to determine whether you have a culture of security. If you can answer yes, you have started the process towards creating a culture of security; if you say no, well, then you know where to start if you want to create this culture.

  1. Have you set and regularly communicate clear expectations that security is a priority and non-negotiable?
  2. Do you expect your executives to stop projects, even the important ones, if security is not implemented?
  3. Do your employees at all levels know what to do in different scenarios, such as how to recognize a possible breach, attack, or error and how to report it?

I have seen projects implemented without security because the project was a high priority initiative from the C-Suite or the board. I’ve seen the business side win over the security side again and again where the security side had to compromise because the business was not going to budge. The fact that I’m even putting these two groups on sides shows that in many organizations there is no culture of security, because if there were, they would be working together to ensure that the business had what it needed while at the same time doing it in a way that is secure.

Part of a culture of security is having the best team possible, showing the organization that this is important by bringing in the best and not understaffing the department. It is also having a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) that reports to the CEO and not to the Chief Information Officer (CIO). Too many organizations still have the CISO reporting to the CIO, and if the CISO does not have the same importance as the CIO, what message is that sending? Plus, if the CIO does not like what the CISO is saying because it could negatively impact a project, how easy is it to stop the security concern from going further up the chain of command?

The culture also includes a way to report security incidents or suspicions without repercussion. If someone thinks there is an insider threat, they need to have a way to communicate that for follow-up. If someone clicked on the wrong link and thinks they are the victim of a phishing attack, they need to be able to report that without fear of reprisal.

Does the CISO have the team he or she needs to offensively and defensively protect the network? How about the team outside of security: are the developers trained in secure coding, and do project managers have enough information to know when to get help from security and who to talk to? Are there enough resources for the security team to do their job properly? This is an ever changing landscape, and the hackers have unlimited resources while organizations do not. However, there has to be some budget for the security team to stay sharp and up on the latest trends.

Hiring great security people is a challenge because there are more security positions than qualified people right now, and it is a field filled with adversity. Security professionals only get recognized when there is a problem, and that recognition is not positive. When the security team does its job well, which means there has been no security violation or breach, no one notices; it seems like “business as usual” to everyone else. As a result, security professionals often don’t get any praise or recognition for what they are doing well and only get the spotlight when something has gone wrong.

That is not a great frame of mind for most people to work in, and after a while, after putting out fires, racing against the clock, and doing everything to protect the network, there is still no recognition. Security professionals are getting burned out, and they are ready to move on when they do not feel that there is a strong culture of security. That, combined with the current gap between qualified professionals and the number of positions available, makes it even harder for organizations to maintain security.

Culture, any type of culture, starts at the top. If you are responsible at any level for the success of your organization and have not given the culture of security much thought before, that’s OK; it’s not too late. And if you need help, want to discuss your specific situation, or are looking for additional resources, email sharon@c-suiteresults.com.



Whose Side Are You On? The Cyberwar Question

In every war there are two sides, whether we are talking about military action, a football game, or the fight against cybercrime. What all these scenarios have in common is that there are some people on defense and those who are on the offensive side of the line. You are either the predator or the prey.

Since I am not writing for the Army generals or the New England Patriots, let’s talk about cyber attacks and which side you are on.

You are probably thinking I’m on the good side, the side that is defensively protecting my network, the side that is always under attack even though I never did anything to provoke it. And I’m here to say that might only be partially true.

If you are not fully committed to doing everything possible to stop the cyber attackers, you might actually be unwittingly helping them more than you realize.

If you are not keeping your network secure, you are inviting hackers to use your network as a playground. A place where they can find vulnerabilities and practice exploiting them. A place where they can see what works and what doesn’t, what goes undetected and what gets noticed. If you are not creating secure websites and applications, you are giving the hackers more to learn from so they can then use it against other organizations.

Once they are inside your network, you are also giving them a place from which they can launch their next attack. If the breach goes undetected in your network, as they most often do, they can launch an attack on someone else and make it appear to investigators that you are the perpetrator, not them. And if you are connected to another organization’s network, you might have just opened the doors for the attacker to gain access to them, as we saw happen with the Target breach.

The attackers are fully vested in finding new ways to attack and get what they want, and if you are not equally vested in a security program, you are letting them win without putting up much of a fight. Just as you wouldn’t expect the US military to show up without a battle plan, or your favorite football team to show up without a game plan, it makes as little sense for a company or organization to show up without a security plan solidly in place.

If you are the CEO of an organization, you are responsible for what happens under your care. That means you are responsible for security and any breach that might occur. I’m not saying you personally have to be the one to figure out how to protect your network and the data that has been entrusted to you. You don’t personally have to monitor the network and know exactly what is happening at all times. What I am saying is that you are responsible for ensuring you have the right people to do this, that they have the resources they need and the best strategy, and that a culture of security is in place.

Stay tuned for the next three articles in this series that will discuss culture of security, ensuring you have a security strategy, and having the right security resources.

As a 12-year veteran of the information security and compliance space, I invite you to send me an email at sharon@c-suiteresults.com or reach out via LinkedIn https://www.linkedin.com/in/smithsharonj/ to ask any questions you might have on this topic or other security topics that might (or should!) be keeping you up at night.


The Social Devolution of Business

Since the mainstream takeover of the social networks in 2008, every small business owner has been nudged, persuaded and cajoled into adopting a presence on all major platforms, and for many the results are perhaps not what you may expect.

We all hear and read of the massive success achieved by the small independent business that blew up from its inspiring Instagram account, or the personality-led business that became an overnight success with its viral YouTube channel. These meteoric results create the impression that you must heavily invest in your presence on social media to have any success in a modern business landscape. The reality is, many small businesses are performing mass self-sabotage with their current efforts, and their involvement in social media marketing is causing their business to go backwards.

Before I get into the dangers I want to make a very clear and simple point. I am a HUGE supporter of how digital marketing and social networking can have a MASSIVE positive impact. It is just that the practices I see adopted by the masses are, quite frankly, embarrassing.

The primary problem is that the “dark-arts” and “ninja tactics” orchestrated by some of the world’s most creative marketers have delivered results beyond expectation and suggested to the masses that these tools provide the answer, missing ingredients or short cut to success. So much so that they now have forgotten many of the core principles of building a business.

In all of my experience to date, the one thing that has been the single driver of every single successful venture, project or campaign has been the following of my personal mantra for success.

“Do the basics, to a high standard, consistently.”

What is happening in thousands of businesses right now is that the core principles of sales are being forgotten in favor of rolling the dice with the next magic campaign, social post or viral video attempt looking for short-term success.

In the real world there are no short cuts, and a sustainable customer base is developed over time and built on trust.

Business developers know that questions lead to conversations, conversations create relationships, relationships create opportunities and opportunities result in sales.

Slowing the process down often speeds the outcome up. I often draw comparison here as looking for a partner for life as opposed to sex on the first date.

Back to the self-sabotaging behaviours that are costing businesses a fortune.

1. Pissing in the Wind

I do not understand why thousands of independent business owners rush to build their social platforms, invite a handful of friends to like or follow their page and then never plan anything else to build their audience. Worse than this they spend fortunes on creating graphics and then invest bucket loads of time into collating and creating content to post regularly and nobody is listening! They are just pouring productive time and effort down the drain and could have gained more success by opening their front door and shouting their offers into the street!

2. SPAM

We are all in the “people” business, and to gain true influence it is important that both visibility and credibility are established before any opportunity to do business ever exists. Yet daily, the prior trend of spamming people’s email inbox has been replaced with sending 500 word messages with links to videos or squeeze pages via Facebook Messenger, direct messages, or as an auto-response to a new follower. Please, please, pretty please, can people put a stop to this blindly unsophisticated intrusion of privacy, and if you have something that may benefit me – please get to know me a little first.

3. IDGAF

I am pretty certain that most people do not want to read some of the mindless drivel that people are sharing on their social streams. Ask yourself before you hit the “post” button: will this represent me and my brand well? Can people engage with it? Does it serve others? Everybody now has the ability to be a full media production unit – great that you can be the journalist, but please do not forget that you need to hold the role of editor too! In this age of information we are awash with content to consume – if you want yours to stand out then please make it good enough.

4. Egocentric Results

Yes, you are the most important person in your life – I get it! Unless you are Kim Kardashian, Donald Trump or Selena Gomez then the likelihood of people being that concerned about what is happening in your world is slim to none. Make your contact about your audience, understand them and provide them with things that serve their life, make their day easier, and things they love to talk about.

5. Aimless Distraction

Whether it is the thumb on your iPhone, the index finger on your mouse wheel or two fingers on the trackpad, the action of mindlessly scrolling through the sea of nonsense on your social walls is causing a tragedy in lost productivity. For many a home-based worker, high pay-off activities such as prospecting, serving customers and planning marketing campaigns have been replaced with the vacant distraction of the soap opera of social media.

This article is delivered with the purpose of holding up a huge STOP sign and helping you to re-evaluate your activity and ask yourself whether it is really working and genuinely driving results, or whether it is simply draining your limited resources and standing in the way of building a solid business foundation.

Perhaps the shift could move back to understanding the biggest value in these tools is how they can increase productivity, reduce geographic constraints and accelerate the building of new relationships.

Build your audience, serve your audience, engage with your audience and be prepared to bring the conversation “offline” and work the old fashioned way if you would like to see some true returns.

And if you can’t wrap your head around it to make it pay for you, stop it and get back to delivering the basics, to a high standard consistently.


Right of Boom – Planning for Post Breach

At this year’s (2017) International Information System Security Certification Consortium (ISC2) Security Congress, we heard a keynote from Juliette Kayyem. She is the former Assistant Secretary for Intergovernmental Affairs at the Department of Homeland Security under the Obama administration. She talked not only about the importance of being prepared in order to stop attacks, but also about being prepared for what she called “Right of Boom.”

Right of Boom is what you do after an event (attack or mistake) has occurred, whether it be a bombing like the Boston Marathon, a mass casualty event caused by system malfunction like the BP oil spill, or a cyber incident. The event is the Boom and what comes next is Right of Boom (picture a timeline).

This article is focused on Right of Boom planning for cyber security. Whether you are an executive responsible for security and/or IT or an executive outside of this area (CEO, COO, CFO, CMO, etc.), this matters to you because at the end of the day it could mean the survival of your business.

You can plan all day long to stop a cyber attack or incident through vulnerability and risk management, good secure coding practices, and security awareness training, but you can’t stop it all. There will always be an attacker one step ahead at some point in your journey, whether because they just have more resources and time than you do, or one of your employees simply makes a really big mistake.

Since you can’t stop it all, you must plan for Right of Boom, what you do after the attack, which will be the difference between staying in business and maintaining a good business reputation, or going out of business. Even if you don’t go out of business, the way you handle Right of Boom could be the difference between a few million dollars spent in recovery and notifications and a few billion dollars spent.

Planning for Right of Boom means that you don’t just focus on a defensive approach to stopping attacks, misuse, and errors, all of which can have a catastrophic effect. You also ensure that there is proactive planning, testing, and more planning on what you do after something goes wrong. It’s not a matter of if something goes wrong; it is a matter of when.

Too many organizations are notified of a breach by a third party, and often months after the breach happened. That means months have gone by with an attacker in your network doing what they want, collecting the data, and using it for their own benefit. It’s never good news when you are told by a third party that you have been hacked and that you have been leaking company and customer data for months. And with the average cost per stolen record of $141 based on the 2017 IBM Cost of Data Breach Study, imagine how much that can cost your organization, not to mention the loss of customers and reputational trust.

The cost of that cleanup is much less for an organization that can detect a breach in near real time, especially if they know what to do upon identification of the incident, i.e. if they have a Right of Boom plan. It means less data loss (if any) and more time to properly clean up the incident, as in getting the servers working again with the vulnerability fixed and the bad guy out of the network with minimal disruption to the business.

The only way that proper Right of Boom planning and response is possible is if your organization takes it seriously. Do you have a security team that is empowered to create Right of Boom response scenarios and test them? Do you have a security team that has the resources to identify a suspicious event, whether it be malicious or accidental? Do you provide training for your IT and user community to understand their role in Right of Boom? Do you have third parties on retainer or whom you can call that are specifically trained to help you contain and investigate an incident?

These are just a few critical questions to ask your security team. If you have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) they should be part of the C-Suite discussion on Right of Boom. They should have the resources they need and be tasked with and empowered to help ensure a Boom does not put your organization at great risk… or even worse, out of business.

If you do not have a CISO or CSO it’s time to either hire one or find a virtual resource that can help you on an as-needed basis with strategy planning around topics like Right of Boom. If you have questions about this or about finding a resource email sharon@c-suiteresults.com to discuss your specific situation and needs because security is what I do and I want to see your organization prepared.


The Escape Artist – How to Stop the Data Thief

When you watch Ocean’s Eleven you know that breaking in is only half the battle; you also have to get out unnoticed or undetected. The same thing that is true for bank robbers and cat burglars also holds true for hackers.

If you are a business owner or executive responsible for keeping your customers or your corporate data secure and you think it’s all about stopping the bad guys (and gals) from accessing your data, you are missing what might be the biggest point of failure: their escape.

Over the years we have seen that many breaches are not noticed or identified for months and sometimes even years, which means not only did the bad guy get away with it, he (or she) was then able to unload their loot or start using the data without worry that they would be noticed. That’s good news for them, but not so good for you.

In order to fully discuss the escape portion of the breach, the part that most people forget to talk about or protect against, let’s look at the three main players or threat actors in this scenario. Going forward I will use the common term “hacker” to mean any of these threat actors.

  1. The external hacker with no authorized access to your network: These are the people who sit behind their computers anywhere in the world and try to find networks that are open or system vulnerabilities just waiting to be exploited. Open networks are typically those that do not have good firewall rules, have publicly facing systems that should not be publicly accessible, or have exploitable web application vulnerabilities. It only takes one bad line of code, one misconfigured firewall rule, or one forgotten system on the perimeter to leave your organization exposed. Once you are exposed and they are in your network, that is where their fun begins.
  2. The third party vendor or partner who has direct access to your network (usually via VPN): These are the organizations outside of yours that you do business with and that need access to your network. They might provide you data or receive data from you, they might monitor a system that you manage, or they might do any number of legitimate activities. However, if you don’t know how secure their networks are, which you never truly will, or you don’t know who they employ, you have opened up your network to their network and their people. If they are hacked and that hacker finds the access to your network – boom, they are in.
  3. The trusted employee: Your employees are not going to harm you, right? Most of them will not, and even the ones that do are often not trying to harm you. But even those employees who mean no harm cause errors or misuse their credentials, which lead to breaches and data loss.

Once the data has been gathered by the hacker they need to get it out of your network and into their control: the escape. Allowing the escape is where many organizations fail, by making this too easy or allowing the hacker to get out undetected. You must know all your outbound connections, they must all have a legitimate business need, they must be reviewed on a regular frequency to ensure they are still needed, and they must be monitored.

You may think this sounds like a lot of work, but if set up properly with the right tools and processes it does not have to be cumbersome going forward. If not built right the first time, it can take some time to put in place, but honestly the pain of discipline in this scenario is going to be much better than the pain of regret later.

If you are reading this and thinking, “I have no idea if data can get out of my network unnoticed,” start asking the people who work for you and manage your infrastructure these questions. For each one, here is the question you can ask, the answer you want to hear, and the next step if the answer is not what you are looking for. The Next Steps are high level and might require outside assistance or third party tools and vendors.

Question: Do we have all our outbound firewall rules documented with business justifications?
Answer you want: Yes.
Next Step: Implement a plan to have the network team spend the next few months documenting all firewall rules. This will mean working with business owners to understand what traffic is necessary and where it has to go.

Question: How often do we review the rules to ensure they are still needed?
Answer you want: At least every six months.
Next Step: Implement a plan, either manual or with automated tools, to start reviewing rule sets at least every six months to ensure they are still needed, still use secure protocols, and are going to the correct destination outside your network.

Question: What are we doing to monitor outbound traffic?
Answer you want: Someone should be able to give you specifics and have incident response plans that explain what they do if they see malicious or anomalous traffic.
Next Step: Document an incident response plan, determine what third party resources might be needed in the event of an incident, and put processes in place to monitor traffic for anomalies or suspicious behavior.

Question: How would we know if sensitive data left the network?
Answer you want: A specific answer, which should be easy to give if it’s being done.
Next Step: Research data loss prevention solutions or other network detection tools.

Question: Do we allow encrypted data out of the network?
Answer you want: No – we only send encrypted data to organizations that we have vetted, and only to specific IP addresses they have given us.

This last question is important because malicious users and hackers will actually steal your data and encrypt it with their own encryption keys, so that it is undetectable by Data Loss Prevention (DLP) software and so that no one can steal it from them. Yes, they are often more aware of security than you are.
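The rule review these questions call for can be scripted. The following is an added example, not the author's tooling: it checks a constructed outbound rule set for missing business justifications, rules not reviewed within six months, insecure protocols, and encrypted egress to destinations that are not on a vetted allowlist. The rule records, partner names, review dates and IP addresses are all constructed.

```python
# Added example, not the author's tooling: review an outbound firewall rule set
# against the checklist above. Rule records, dates, partners and IPs are constructed.
from datetime import date

REVIEW_INTERVAL_DAYS = 180                        # "at least every six months"
INSECURE_PROTOCOLS = {"ftp", "telnet", "http"}     # cleartext protocols to retire
ENCRYPTED_PROTOCOLS = {"https", "ssh", "sftp"}     # egress that DLP cannot inspect

# Constructed: vetted partners and the specific IP addresses they gave us.
VETTED_DESTINATIONS = {
    "payroll-provider": {"203.0.113.10", "203.0.113.11"},
}

# Constructed rule set; a real review would load this from the firewall's export.
SAMPLE_RULES = [
    {"id": "out-1", "dst": "203.0.113.10", "proto": "https", "partner": "payroll-provider",
     "justification": "Payroll file upload", "last_reviewed": date(2017, 9, 1)},
    {"id": "out-2", "dst": "198.51.100.7", "proto": "ftp", "partner": None,
     "justification": "", "last_reviewed": date(2016, 1, 15)},
    {"id": "out-3", "dst": "192.0.2.44", "proto": "ssh", "partner": None,
     "justification": "Legacy backup job", "last_reviewed": date(2017, 10, 1)},
]
SAMPLE_TODAY = date(2017, 11, 1)   # constructed date of the review


def review_rule(rule, today):
    """Return the list of findings for one outbound rule (empty list = rule passes)."""
    findings = []
    if not rule["justification"].strip():
        findings.append("no business justification")
    if (today - rule["last_reviewed"]).days > REVIEW_INTERVAL_DAYS:
        findings.append("not reviewed in the last six months")
    if rule["proto"] in INSECURE_PROTOCOLS:
        findings.append("insecure protocol " + rule["proto"])
    if rule["proto"] in ENCRYPTED_PROTOCOLS:
        # Encrypted egress is allowed only to the exact IPs a vetted partner supplied.
        allowed = VETTED_DESTINATIONS.get(rule["partner"], set())
        if rule["dst"] not in allowed:
            findings.append("encrypted egress to an unvetted destination")
    return findings


def review_rules(rules, today):
    """Map each rule id to its findings so the review can be tracked rule by rule."""
    return {rule["id"]: review_rule(rule, today) for rule in rules}


if __name__ == "__main__":
    for rule_id, findings in review_rules(SAMPLE_RULES, SAMPLE_TODAY).items():
        print(rule_id, "OK" if not findings else "; ".join(findings))
```

Each finding maps back to one of the questions above, so the output doubles as the evidence to bring to the conversation with the network team.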

If no one can answer these questions or you are not happy with the answers, take a deep breath and start a new conversation. No finger pointing and no yelling, but an open and honest conversation with your staff about why this is important and how things are going to have to change in order to keep the data secure.

Lastly remember that tools do not solve all problems and only work when implemented correctly. There is no silver bullet no matter what a vendor tells you. Ensure you have the right people asking the right questions of the vendors if you are bringing in a tool or managed service offering to monitor your network.

This is of course just the start of the conversation and the beginning of what needs to be done. If this is overwhelming and you don’t know where to start or what to do next, I can answer your questions. Email sharon@c-suiteresults.com to discuss your questions or concerns on this topic. I am a 12-year security veteran, have seen hundreds of different networks and situations, and am happy to discuss your situation with you.


Belle’s World – Security

Has your personal information ever been hacked?

There are towns across the world where people still leave their keys in their car and keep their houses unlocked. However, for many of us in urban or suburban areas that would be unheard of. If we were to do that, the likelihood of having our car or items from our house stolen would increase, or it has already happened. Until people felt the effects of these robberies they continued to leave things unlocked and didn’t prepare with cameras and security systems, which became the norm after these types of attacks happened. It wasn’t until individuals experienced it that they felt they should do something about it.

In today’s world we have another growing issue that is similar to the past but different in how it’s done – cyber security. Many of us have received phishing emails, and the stats say that almost 30% of them get opened [1]. These phishing emails can come in both personal and professional emails. Therefore, as a company the risk is increased because the data is expansive and includes more than just an individual’s information. Why does it take an attack for a leader to realize they need to spend the money to prevent these attacks beforehand rather than after? Mostly, it is about the human element of feeling too powerful and big for anything to happen to their company. Secondly, they do not truly understand the power of cyber security to actually keep their companies safe.

One of the stories I heard recently was how the Boomer generation is still all about interacting with humans and the millennials are about interacting with technology. There is a little truth in this statement, but it is after all a generalization. As I work with folks who have experience and have been very successful, it is hard for them to wrap their heads around how far technology has come and the fact that people could be stealing data. They get the concept but not the enormity of the issue. Unless they get hacked personally they really don’t understand the need for their companies. Large companies are still getting hacked, and many times it’s because the leadership has decided that it won’t happen to them and the financials at the moment are more important than a potential risk. However, the potential risk is much larger than what they can truly understand. The younger folks, on the other hand, are unable to influence their leaders to make the change and connect with them from the human element, and therein sometimes lies the issue.

Even when it comes to cybersecurity, it is all about people. The hackers are people who are preying on companies and individuals. They send phishing emails or hack into systems through individuals: individuals who are part of companies that house lots of personally identifiable information for employees and customers. Each of our devices is becoming smarter and connecting to the others in many ways that we may not even comprehend. These devices are going from our homes to work to public areas. In our home, each person’s different device is being connected and will be able to “talk” even more. There are so many channels from which a hacker can now infiltrate and do what they need to do. It is a real problem, and the leaders who think it won’t happen to them need to spend some time truly understanding what cybersecurity is all about and get the right products and safeguards in place for the benefit of their own careers and their companies.

There are too many leaders sitting on their previous knowledge and not moving with the times. In our lifetimes, technology is changing at an exponential pace. If we want to be successful for 50, 60, 70 years (due to us living longer) we will have multiple lifetimes and will have to continue to learn and grow at each step. It’s not easy when you have been the best at what you do for years and now the world is changing around you. It takes time, motivation and the right guidance to change your mindset to be able to handle the new things happening in the world.

How are you protecting your personal and company security information?

Welcome to Belle’s world. Everything in this world is based on a bell curve. Our media concentrates on giving advice to make everyone be a part of the masses.

This is a weekly series of Urvi’s insights on her perception of the world. They say perception is reality and she lives in her own fantasy world. This allows her to delve into the human element of our lives, helping individuals decipher their own souls, to understand, who they are and what they want, in the journey of life.

Belle’s world explores the extremes and goes beyond the surface. Ready to read about some of the “elephants in the room?”

Contact Urvi to discover the self-awareness that will unleash the innovation mindset within you and help you become both emotionally and financially wealthy. https://www.radicalroamer.com/ belle-s-world #thehumanelement