From the CSO: Embrace the Human Nature of Security
The Chief Security Officer for a large credit card processing company kicked off his presentation with a simple question: given that infosec teams know all the things they’re supposed to be doing, why are they still struggling?
He indicated that much of the problem is rooted in a focus on compliance rather than security. Most organizations that experience a PCI breach, he said, are fully compliant with PCI DSS. A tunnel-vision approach to what he called “paper compliance” is likely to leave organizations lacking in effective, organization-wide cyber security initiatives (a caution we’ve shared ourselves in the past).
The CSO feels that, in general, infosec teams have not spent enough time on people and culture, and he thinks that’s holding organizations back. He believes a triad of technology, processes, and people — in which all get substantial attention — is the best way to move the dial on cyber security. He also offered these pieces of advice:
- Focus on risk reduction rather than risk prevention. There is no way to eliminate risk, but you can manage it. People and technology can both help on that front; it shouldn’t be regarded as an “either-or” proposition.
- Infosec professionals need to care about the factors that make people feel secure. If two sides keep speaking a different language, it will be hard to make progress.
- Understand and account for human drivers. As he said, “People don’t write down passwords to make you angry. They do it to make life easier.”
- Recognize that your end users — and your executives — are getting security messages from sources other than you. Make every attempt to find out what those sources are — particularly in the case of your CEO.
From the CISO: Work to Change the Culture
The CISO of a large credit card company spoke of the importance of a company-wide approach to cyber security. “Security is all about strong teamwork. You need to engage the entire company to change the culture,” he said. (He recommended viewing a 1977 film called Powers of Ten™, which offers an interesting and scientific take on perspective.)
He advised the infosec professionals in attendance to make the effort to quantify end-user risk reduction, and he emphasized the need to help executives understand risk reduction methods overall. “You need to lead toward sustainable cultural change,” he said. “Show where improvements are coming from and think about how you want to frame your conversations with key decision makers.”
He also recommended that organizations “federate” security. Working together toward common goals and implementing a risk-based decision-making model are two ways to improve an overall security posture, he said.