Yes. One of the main objectives in our security programme is building human firewalls. We have an elaborate awareness campaign that focuses on ingraining a “security mentality” amongst our staff. Frequent phishing and other social engineering assessments demonstrate the real dangers of, and susceptibility to, cyber threats, and help staff to be more vigilant and get into the habit of reporting things that are out of the ordinary.
My view is that security must be an enabler, not just a bunch of controls (read: stumbling blocks). The user experience in utilising systems is key, especially when considering the radical changes brought about by digital transformation. We have moved visible security controls from the forefront to the background, thus creating a smoother user experience while retaining a lot of controls and monitoring in the background. Creating awareness around the controls and changes to the IT and business environment is critical, as this demonstrates the value of digital transformation and the security layer implemented along with it.
We have embedded security in all IT operational activities and programmes. The security team is involved with operations and projects from the early onset. Creating awareness amongst staff and management forms a key element of the SecureByDesign principle. Our awareness programme deals with this issue head on, and staff, management and the Board are trained on the importance thereof. The success of the awareness campaigns is evident in that staff approach the security team before they embark on new projects.
A security programme must cover all aspects of an organisation, not just IT. It must include the people and process elements as well. The programme must be risk based and must focus on organisational weaknesses. Understanding the security landscape and potential threats relevant to the organisation is fundamental. Engaging with top management and understanding / analysing security risk from their perspective gives significantly more depth to your programme. Having top management embedded in your programme ensures buy-in and support, which is critical for the success of your programme.
Yes, to a degree. In-house security teams are limited to exposure to threats that impact only their own environment. Outsourced security teams have exposure to threats permutated from other environments, and thus are in a position to provide a richer security service. However, I would not outsource the entire security function. I would still keep an in-house seasoned security professional, who has the organisation’s best interests at heart, who oversees the outsourced security functions.
Very important. Technology and threats change constantly. Not understanding emerging threats and their potential impact on your organisation can in essence put you at greater risk. Your security programme should be dynamic enough to allow for rapid changes, and also directional changes, in order to deal with emerging threats.
In My View…
I have a strong IT technical background and worked my way up from a junior technician, to a network admin, to IT Manager over the course of 18 years. When our organisation experienced a breach in 2014, I had to face the harsh realities of a breach and had to learn a lot of things in a short space of time. Becoming the Information Security Officer of the same organisation made me proud, as it was a testament to my achievements in the security space post the breach (developing and implementing a holistic security programme and ISMS for the organisation), and, by doing so, gaining the trust of business management and the board.
Building a holistic security architecture that covers cloud, endpoint, application and data security through innovative thinking, in an effort to improve overall security posture, maximise current investment and reduce overall security expenditure.
Implementing an outsourced SOC. Through constantly challenging SOC operations and deliverables we have a significantly better and stronger SOC service than when the project started.
In principle, I personally do not condone these kinds of groups, and neither will I participate; however, I do believe that they are important to society in bringing “bad” things to the fore and exercising pressure on relevant parties to address societal issues.
People are very easily perceived with “trust”. In my view, security activities tend to focus on outward and inward activities, and often not on internal activities. Furthermore, human behaviour is difficult to monitor using technology, thus you have to rely on other people to recognise abnormal behaviour and then report it. This is a challenge, as not many people seem to want to be “whistleblowers” due to distrust in confidentiality matters, i.e. keeping their identity a secret.
Don’t miss Henry’s case study presentation at CISO Africa 2020:
Case Study: How to Overcome a Data Breach