InfraGard Presentation – Cybersecurity – It starts with Who!
Recently I was honored to speak at the Chicago InfraGard Chapter Meeting. I discussed my 30-year career in Information Technology and specifically some of the more spectacular failures I’ve experienced. I know it seems a bit odd to confess where and why things have gone wrong, but don’t those events stick with you like a paper cut? All too often, I looked like Peter Falk in the TV show Columbo – scratching my head and not having a clear understanding of what had happened.
Technology and Process: Not the Answer
I relied on Technology-Process-People to organize security, but I learned that bolt-on technology and restrictive processes fail at cybersecurity. We need to focus on people for a secure organization, and Identity Governance drives it. Let me illustrate the need for Identity Governance by walking through incidents I’ve been involved in, the IT risks that drove these issues, and how they can be addressed.
Traditional Audit Mentalities Fail
Early in my career, I set some expectations and standards I adhered to:
- Use the rules: start with compliance-defined processes
- Self-assess: review whether you met the requirements
- Audit: the auditor grades your work
- Fines and penalties: a missed checkbox costs money, so fix the mistakes
- Standard Operating Procedure: going through the motions
- Got HACKED again!
Results of Security Failures
On the surface, the types of failures I experienced in my attempt to “just make us secure” weren’t all the same:
- Personal Injury: chemical tank sensor misreadings, SCADA machine takeovers
- Financial Fraud: stolen hard drives, credit card rebates, business email compromise
- System Outage: pick your favorite authorized and approved change
- Reputational Damage: Look folks, we made the Wall Street Journal (again)
- Corrupted Data and Systems, Compromised Data Integrity: ransomware and malware incidents
- Intellectual Property Theft: How do we have people working for us and our competition?
Human Nature: The Real IT Risk
These core risks were human, not technology, risks. Consider the connection between the problems and the quotes from senior leadership (some of which might include sarcasm):
- Fragmented Approach to IT Security – “Let me tell you how IT really runs here” or “That’s less than 1% of our business”
- Lack of Inclusion of IT Risk – “The Security Team just doesn’t understand”
- IT Primarily Considers Availability or Convenience – “As long as it’s up and running”
- Poorly Executed IT Projects – “It failed because of scope creep”
- Lack of Incident Response – “We can figure it out as we go”
- Lack of Business Continuity Planning – “Just give me my team”
- Lack of Control of Data and Applications – “Our company believes in transparency”
Focusing on People: Driving Security with Identity
The risks I identified led me to some inevitable conclusions:
- People are our best asset – education is more than training
- Security is people, not technology
- Human nature is the cause of and the solution to most security problems! (An almost-quote of Homer Simpson)
- People are why reputation risks matter – Start damage control by knowing your audience. Consider and consult many points of view.
- People take time to trust you: if you lose that trust, it is hard to rebuild. You must be consistent and honest.
- Start by securing your people and compliance will follow
- Develop a better approach to developers, the cloud, and software-as-a-service
- Don’t block activity without understanding its purpose; gain visibility first
- Set the wake-up alarm to Identity, Security, and Privacy.
- Wake the organization up to the impact of Information Technology on business.