To Gain Influence, CISOs Must Get Security's Human Element Right

Focusing on certain elements of security in isolation can cause a false sense of security.

Rocco Grillo, Cyber Resilience Leader at Stroz Friedberg

March 29, 2017


It can be tempting for CISOs to look to the latest technology as a cure-all for securing their organizations. Inevitably, they're also occupied with security governance and compliance requirements. However, concentrating on these aspects in isolation can lead to a false sense of security.

CISOs should be careful not to overlook basic fundamentals around how their employees behave and interact with the organization's data and technology. Excessive sharing of, and access to, information introduces significant risk. The more access to sensitive data an employee has, the easier it is for cybercriminals to reach a company's critical assets once they have compromised that employee's credentials. CISOs need to cast a wider net around who they're protecting and tailor their security plans to the way the business operates. Although it's not a quick fix, focusing on employees can have a significant impact on a CISO's success and help limited budgets go further.

Here are four recommendations for CISOs looking to increase their influence and direct security efforts where they have the greatest effect.

1. Protect employees who have the keys to the kingdom.
Cybercriminals' primary targets are the decision-makers with the combination of access and authority. It's essential for CISOs to have a detailed understanding of how their executives operate at an individual level in order to protect them.

These targets are likely to use multiple devices, including PCs, laptops, smartphones, and tablets. They tend to travel, often globally, communicating not only from their cellphones but also over a VPN or connected to hotel Wi-Fi. They may be doing business in countries such as China, Russia, and others where they are at risk of falling victim to economic or political espionage. It can be a good idea to work with an outside provider to conduct security assessments on executives to test their susceptibility to social engineering emails and assess their security while on the go.

2. Be aware that others besides the senior leadership team have the keys to the kingdom.
Criminals seeking employee credentials are deploying increasingly cunning spearphishing and social engineering tactics and widening the net of targets that they view as "high value." Many CISOs mistakenly focus solely on the high-profile C-suite, board members, and those with domain access. Although these are crucial targets to protect, there are others in the organization that criminals are likely to target: for example, the head of communications, who might have access to sensitive earnings data before it's public; the executive assistant, who possesses all of the CEO's passwords; or the employee in HR or accounts payable who might be going through a tough time at home.

The executive leadership bubble is much wider than the leaders themselves, and others are often given more access than they need. Just as CISOs need to know what their critical assets are, they need to understand who in the "inner circle" could grant criminals access to them.

3. Deepen your search for critical data that those with authority can access.
When identifying a company's critical assets, security teams should probe senior leadership and innovators within the business. The C-suite, general counsel, chief marketing officer, and product development leaders might be creating, storing, and sharing sensitive intelligence to which only they are privy. Be sure to look beyond data that's regulated. If you're a brick-and-mortar retailer with substantial online sales, you may be focused on protecting credit card information, but if credentials are compromised, criminals can cause havoc — for example, by attacking your ecommerce site, manufacturing plants, or supply chain. Although regulated data may not be compromised, this could bring a company to a halt.

Once the critical assets are identified, there needs to be alignment with the board, which has the fiduciary responsibility to ensure that the company is safeguarding its most critical assets, whether through adequate funding, head count, expertise, or other means. Many organizations' security programs suffer because employees are given excessive access to data that they don't need; at all levels, access rights should be granted according to job function and should be refreshed with any change in responsibilities.
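The access principle in items 2 and 3 above (grant rights by job function, and re-review them whenever responsibilities change) is the kind of thing a security team can check mechanically. The following is an added illustration, not code from the article or from Stroz Friedberg: it compares each user's current entitlements against a hypothetical per-role baseline, flags anything beyond that baseline, and flags users whose access has not been recertified since their last role change. The roles, entitlement names, users and dates are all constructed sample data.

```python
"""Role-based access review: flag entitlements that exceed a job-function
baseline, and flag users whose access was not re-reviewed after a role change.
All users, roles and entitlement names below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical least-privilege baseline: what each job function needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "executive_assistant": {"calendar.read", "email.delegate"},
    "accounts_payable": {"erp.invoices.read", "erp.payments.submit"},
    "communications": {"intranet.publish", "press.drafts.read"},
}


@dataclass
class User:
    name: str
    role: str
    entitlements: Set[str]
    role_changed_on: Optional[date] = None   # last change in responsibilities
    last_reviewed_on: Optional[date] = None  # last access recertification


def excess_entitlements(user: User, baseline=ROLE_BASELINE) -> List[str]:
    """Entitlements the user holds beyond the baseline for their role."""
    allowed = baseline.get(user.role, set())
    return sorted(user.entitlements - allowed)


def review_user(user: User, baseline=ROLE_BASELINE) -> List[str]:
    """Return human-readable findings for one user (empty list = clean)."""
    if user.role not in baseline:
        # Nothing to compare against: the review cannot conclude anything
        # until someone defines what this job function actually needs.
        return [f"{user.name}: no entitlement baseline defined for role '{user.role}'"]
    findings = [f"{user.name}: holds '{e}' which is not in the '{user.role}' baseline"
                for e in excess_entitlements(user, baseline)]
    # Access rights must be refreshed when responsibilities change.
    if user.role_changed_on is not None and (
            user.last_reviewed_on is None or user.last_reviewed_on < user.role_changed_on):
        findings.append(f"{user.name}: role changed on {user.role_changed_on} "
                        f"but access was last reviewed {user.last_reviewed_on}")
    return findings


# Constructed sample population (hypothetical people and access).
USERS = [
    # An assistant who has accumulated finance rights well beyond the role.
    User("alice", "executive_assistant",
         {"calendar.read", "email.delegate", "erp.payments.submit", "finance.earnings.read"}),
    # Moved from communications into accounts payable; old right never removed,
    # and no recertification since the move.
    User("bob", "accounts_payable",
         {"erp.invoices.read", "erp.payments.submit", "intranet.publish"},
         role_changed_on=date(2017, 1, 15), last_reviewed_on=date(2016, 11, 1)),
    # Exactly matches the baseline.
    User("carol", "communications", {"intranet.publish", "press.drafts.read"}),
    # Role with no defined baseline, so nothing can be concluded yet.
    User("dave", "general_counsel", {"legal.matters.read"}),
]


def run_review(users=USERS, baseline=ROLE_BASELINE) -> Dict[str, List[str]]:
    """Review every user; returns name -> list of findings."""
    return {u.name: review_user(u, baseline) for u in users}


if __name__ == "__main__":
    for name, findings in run_review().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

In practice the baseline would come from HR's job catalogue and the entitlements from the identity provider or application exports; the value of the check is that it separates "access this person needs" from "access this person has accumulated," which is exactly the gap the article says criminals exploit.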

4. Leverage other stakeholders in your organization to be your advocates.
As technology increasingly touches every part of an organization, the "CISO of the future" needs a seat at the table when business decisions are being made. Cybersecurity now has more visibility at the board level. However, this isn't the case across all organizations, as leadership teams often mistakenly view cybersecurity in silos, as an IT issue, or as something they can take off their balance sheet with insurance. Whether or not CISOs carry authority at the highest levels, with limited budget and ever-expanding responsibilities they must leverage others to become advocates for good security practices across departments. CISOs can then more effectively advise on how changes in the business affect cybersecurity, and encourage the entire organization to commit to a continuous process of improvement.

There is much that CISOs can do with others in the organization below board level: implementing training and awareness programs with HR; coordinating with the legal, PR, and other departments on their roles in incident response plans; aligning with risk officers to balance remediating and insuring against cyberrisk; and so on. CISOs must not allow themselves to be pigeonholed as purely technical practitioners.

A CISO's role will always require deep technical fundamentals. CISOs are also responsible for keeping the company compliant with multiple frameworks and regulations. However, if CISOs don't know how their employees are using and abusing data, information, and technology, they won't be effective at protecting critical assets and high-value employees. Even with the best intentions and largest budget, a CISO on the periphery of the organization won't be as effective as one who builds relationships and focuses on the business priorities and activities of their employees. 

About the Author

Rocco Grillo

Cyber Resilience Leader at Stroz Friedberg

Rocco Grillo is Stroz Friedberg's Cyber Resilience Leader and a member of the firm's executive management team. His cyber resilience team, which includes the company's incident responders and security scientists who deliver the firm's proactive and reactive cybersecurity capabilities, has successfully triaged some of the largest data breaches recorded in the last decade. Previously in his career, Mr. Grillo led Protiviti's Global Incident Response and Forensics Investigations, helped develop RedSiren Technologies (a leading managed security service provider and full services security firm that evolved out of Carnegie Mellon), and held management positions with Lucent Technologies and Bell Atlantic. Mr. Grillo is a CISSP, CRMA, PCI-QSA, and a Certified Third Party Risk Assessor. He is an affiliate board advisor for FS-ISAC and NH-ISAC, a member of the Shared Assessments Program Steering Committee board, the CLM Cyber Liability Council, and has also served on the board of directors of the NY Metro ISSA Chapter, the IT Policy Compliance Group, and the (i-4) International Information Integrity Institute Research Steering Committee.
