We believed that cybersecurity in the workplace wouldn’t exist without IT. Well, that statement has evolved into something more inclusive. In reality, there is no cybersecurity without IT, business, AND employees working together with shared objectives and influential culture.
Every organization should approach cybersecurity by integrating the IT department, business units, and employees. We’ve said it before, and we’ll repeat it, within the modern IT organization everyone needs to be a cybersecurity professional, from technology consultants to administrative staff.
So, although there is an “I” in “IT,” there is still no “I” in “team.” And cybersecurity is undoubtedly a team sport. Most importantly, as teams learn to accept the shared responsibility of creating and maintaining a “secure environment” for business operations and communication activities, they can better prepare to tackle the challenges of increased attacks on systems and people. In our journey to explore the many opportunities and challenges consultants face while navigating cybersecurity in the workplace, let’s take a look at what we have learned so far and what we expect to learn soon:
Business Email Compromise and Social Engineering
When we asked a group of CIOs in the Southern California region what their biggest concern was for the immediate future, their answer was clear: cybersecurity and social engineering.
IT professionals recognize business email compromise (BEC) as one of the most effective methods for attackers to access networks, databases, files, or, worse, identities. Specific to BEC, the human component (employees) is the most vulnerable. Thus, CIOs must develop a plan to align their people, processes, and tools.
Malicious parties are well aware of corporate safety measures, so they continue to hone their skills, working harder to deceive employees who aren’t staying one step ahead of the threat. Of course, as the title of this article implies, preparing to successfully negate a cyber threat (in the form of BEC) isn’t the sole responsibility of the consultant or employee. All personnel must engage with the threat, ready to learn and adapt. After all, in the digital era, we are all on the front lines of cybersecurity. Since every consultant and employee faces a cyber threat at some point in their career, here are the common forms of social engineering that must be recognized:
- Baiting
- Phishing
- Pretexting
- Tailgating
- Scareware
- Social Media Engineering
Identifying and minimizing the threat of social engineering begins with awareness, and awareness is dependent on a company culture that rewards testing, education, and growth. Of course, this is highly dependent on a workforce of employees and consultants who are open to security-skills development and motivated by the new and continuous challenge.
On the other side of the equation, modern IT organizations look to leaders with an aptitude for developing their workforce using continuous learning programs (webinars, meetings, clinics, team events, content strategies) as well as transparent feedback loops (penetration testing). With a focus on transparency, this cross-enterprise collaboration drives the success of security objectives. It prepares internal teams to respond strategically to a threat, firmly planting the CIO in the captain’s chair.
A Process for Cybersecurity in the Workplace
Analyzing informal feedback provided by a current CIO of a Fortune 500 company in the Orange County, CA region, and taking a page from the FBI’s playbook, here are essential factors to consider when creating a “before the storm” checklist:
- Identify your most valuable assets — data and systems — and answer the questions: Where are these assets? How are they acquired? Stored? Who has access? How do they gain access?
- Make the response plan second nature for IT. Rehearse. Rehearse. Rehearse!
- Strategize and facilitate a monitoring program using education, testing, and feedback — empower vs. intimidate.
- Measure progress across teams and end-users, making adjustments to align with the internal culture.
- Make insights from testing results available to management for more effective talent development and team building.
According to the FBI’s latest cybercrime report, 2017 was a milestone year for the FBI’s Internet Crime Complaint Center (IC3): on October 12, 2017, at 4:10 pm, the IC3 received its 4-millionth consumer internet crime complaint. An alarming yet not surprising statistic. In response, the FBI’s dedicated cybersecurity team developed a response plan that applies to organizations of all sizes.
Even more appealing to technology workers, this top-level plan provides an order of operations that applies to most situations involving social engineering, from phishing to scareware. According to FBI feedback, when a company identifies a cyberthreat or experiences an attack, it should do the following:
- Assess: ID computer, port, sender, destination
- Isolate: compromised devices, network
- Collect: content, images, logos, keywords, verbiage
- Notify: internal management, law enforcement, end-users
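To make the four steps concrete from the defender’s side, here is an added example (not from the article, the FBI, or any vendor) that builds a triage record for one suspected BEC message: it assesses sender, destination and originating host from the headers, decides what to isolate, collects the wording for the case file, and lists who to notify in the order above. The raw message, the `example-corp.com` “trusted” domain, the addresses, IPs and the lure keyword list are all constructed for illustration; the lookalike check and the Reply-To mismatch check are ordinary mail-hygiene heuristics, not anything the article prescribes.

```python
"""Triage record for a suspected BEC message, walking the four steps the
article lists: assess, isolate, collect, notify. Added example; the message,
domains, addresses and keyword list are constructed for illustration."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: lookalike sender domain (digit 1 for letter l), a
# Reply-To on a third-party domain, and urgent wire-transfer wording.
SAMPLE_RAW = """\
Received: from mail.example-corp.com (mail.example-corp.com [198.51.100.7])
\tby mx.example-corp.com with ESMTP id k12; Tue, 4 Jun 2019 09:14:02 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example-corp.com with ESMTP; Tue, 4 Jun 2019 09:14:01 +0000
From: "Pat Lee (CFO)" <pat.lee@examp1e-corp.com>
Reply-To: pat.lee.cfo@mail-relay.example.net
To: accounts.payable@example-corp.com
Subject: URGENT wire transfer before noon
Message-ID: <constructed-001@examp1e-corp.com>

Please process the attached invoice by wire today. Keep this confidential
until the acquisition is announced. Thanks, Pat
"""

TRUSTED_DOMAINS = {"example-corp.com"}  # domains the company owns (assumed)
LURE_KEYWORDS = ("urgent", "wire", "transfer", "confidential", "invoice")
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def lookalike_of(domain):
    """Trusted domain this one imitates via digit-for-letter swaps, else None."""
    normalised = domain.translate(HOMOGLYPHS)
    return normalised if domain not in TRUSTED_DOMAINS and normalised in TRUSTED_DOMAINS else None

def assess(msg):
    """Assess: identify sender, destination and the originating host."""
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    recipients = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    received = msg.get_all("Received") or []
    # Each hop prepends a Received header, so the last one is the earliest hop
    # visible to us; its bracketed address is the best origin estimate.
    origin = BRACKETED_IP.search(received[-1]) if received else None
    return {
        "sender": sender,
        "sender_domain": sender.rpartition("@")[2].lower(),
        "reply_to": reply_to,
        "reply_to_domain": reply_to.rpartition("@")[2].lower() if reply_to else None,
        "recipients": recipients,
        "origin_ip": origin.group(1) if origin else None,
    }

def collect(msg):
    """Collect: preserve content and wording for the case file."""
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    return {
        "message_id": msg.get("Message-ID"),
        "subject": msg.get("Subject"),
        "keyword_hits": sorted(k for k in LURE_KEYWORDS if k in text),
        "body_excerpt": body.strip()[:120],
    }

def findings(assessment, evidence):
    """Independent reasons the message looks like BEC."""
    reasons = []
    target = lookalike_of(assessment["sender_domain"])
    if target:
        reasons.append(f"sender domain {assessment['sender_domain']} imitates {target}")
    if assessment["reply_to_domain"] and assessment["reply_to_domain"] != assessment["sender_domain"]:
        reasons.append("Reply-To domain differs from From domain")
    if len(evidence["keyword_hits"]) >= 2:
        reasons.append("lure wording: " + ", ".join(evidence["keyword_hits"]))
    return reasons

def isolate(assessment):
    """Isolate: what to contain while the case is worked."""
    return {
        "block_origin_ip": assessment["origin_ip"],
        "quarantine_mailboxes": assessment["recipients"],
    }

def notify(assessment, suspected):
    """Notify: internal management first, then law enforcement, then end-users."""
    parties = ["internal management"]
    if suspected:
        parties.append("law enforcement (IC3 complaint)")
    parties.extend(f"end-user {r}" for r in assessment["recipients"])
    return parties

def triage(raw):
    """Run all four steps; evidence is collected before isolation is decided."""
    msg = message_from_string(raw)
    assessment, evidence = assess(msg), collect(msg)
    reasons = findings(assessment, evidence)
    suspected = len(reasons) >= 2
    return {
        "verdict": "suspected_bec" if suspected else "review",
        "reasons": reasons,
        "assess": assessment,
        "isolate": isolate(assessment) if suspected else None,
        "collect": evidence,
        "notify": notify(assessment, suspected),
    }
```

Calling `triage(SAMPLE_RAW)` returns a single record that an analyst can attach to the case: the sample trips all three checks, so the verdict is `suspected_bec`, the isolate section names the originating IP and the recipient mailbox, and law enforcement is added to the notification list. A benign internal message with no Reply-To and no lure wording comes back as `review` with nothing to isolate, which is the point of requiring at least two independent findings before containment.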
The Talent Perspective on Cybersecurity in the Workplace
The path forward is clear for IT professionals: social engineering remains a credible daily threat. An essential detail for talent managers to consider: a person’s aptitude for understanding the importance of cybersecurity as it pertains to their role and the organization is an invaluable asset to the team.
In the IT industry, where the need for security professionals exacerbates an already significant talent shortage, successful compliance from cross-enterprise teams influences growth opportunities for individual talent. In other words, learning from a robust and well-equipped team of infosec specialists (and becoming one yourself) can open doors and present paths for growth.
Reports estimate 350,000 cybersecurity positions open in the U.S. this year — in addition to the 780,000 already filled (statistics provided by National Initiative for Cybersecurity Education (NICE)). So, it’s clear that every IT consultant has an opportunity for growth concerning cybersecurity. To begin identifying these opportunities, here are a few actions to consider:
- Partner with your client’s infosec team.
- Complete certifications that complement your current IT skill set, e.g., GIAC, GSEC, CEH, CISM, CompTIA Security+, or CISSP.
- Set aside 30 minutes per day to learn how your current specialization can benefit from cybersecurity best practices, apply them to your projects, and read through articles and news regularly.
- Practice early adoption of platforms and tools within your scope of work, seeking out new technology and understanding how it can add value to your work.
- Update your resume and portfolio every six months, adding certifications and descriptions of projects that show your new skill set and active learning.
Becoming well-versed in cybersecurity practices provides immense opportunity for IT consultants who wish to choose the projects they work on and the companies they work with. A higher number of technologies are being made accessible to companies for monitoring and risk mitigation. As a result, technology teams must adapt, and talent development or establishing a successful talent pipeline is a priority for these companies.
In one example shared by Caroline Baldwin of Infosecurity Magazine, Telstra (Australia’s largest communication provider) opened two new security centers to support a network of 500 security experts. Shortly after launch, plans for centers in Asia and Europe were already underway due to the centers’ success, bolstering support from partners and customers for Telstra’s rapid innovation to be the most secure company in the market. Of course, this ultimately drives the need for skilled talent — and plenty of it!
Other global companies are now adopting this model.
As CyberSeek found, the greatest abundance of opportunity is in the “operate and maintain” category of security jobs. This relates to roles in support and administration of IT systems, positions that closely correlate to many other responsibilities IT professionals own. In an eye-opening statement that adds perspective to the immediate need for new talent channels, Matthew Sigelman, CEO at Burning Glass Technologies, stated,
In every state, the employed cybersecurity workforce would have to grow by over 50 percent to align with the market average supply and demand ratio.
Whether you view the glass as half empty — or half full — there’s work to be done for technology professionals across the enterprise; any chance of protecting not only companies but people as well from the growing threat of cyber attacks requires immediate attention to talent.
The more we talk about the threat to people, the more attention society as a whole gives to the subject. The reality is that business leaders, IT, and employees need to work together, sharing the responsibility of developing and strengthening people, processes, and tools to create a secure environment where everyone can thrive. Because after all, security has become a team sport.
Emerging Culture Around Cyber
Cybersecurity is a part of a company’s workplace culture. Leaders who understand the importance of having everyone on board — business, IT, and employees — are leading this internal transformation. Their job titles may vary, but their mindset is shared. And that mindset embraces a responsibility towards creating the most secure environment humanly possible for the company. In essence, this shared ownership acknowledges and accepts the boots-on-the-ground mentality in the daily battle against cyberthreats. So, the question is: how are companies building this culture?
Today, employees and consultants are obligated to perform their role in alignment with the best security practices. How we talk — and think — about this obligation determines if the culture permeates throughout the organization. Successful IT leaders use motivation rather than intimidation.
Let’s face the facts; if you want someone to do a job well, they must want the same. And what better way to motivate a person than providing a mission-driven reason to do their job well.
“The conversation about cybersecurity doesn’t stop once a company receives broad-level buy-in,” says Spencer Summons, Head of Information Risk & Security at Tullow Oil.
“The culture shift begins when people place equal concern on threats to systems as they do people. Cyber will be top-of-mind when everyone is talking about it, an important aspect of any culture. It’s about introducing emotion into prevention. It has to be real for them, so we’ve been showing hacker demos and showing them what might happen if someone hacks into their machines,” Summons shares.
“Pride is conducive to building a culture around cybersecurity,” says Peter Gibbons, Chief Security Officer at Network Rail.
And as it turns out, pride can be cultivated through an alternative narrative, one that emphasizes the vulnerability of the end-user — people. As Gibbons reveals, accomplishing this requires workers to frame cybersecurity as a business problem rather than a technical concern. After all, employees and consultants often choose to work for a company based on its mission. If that mission aligns with a vibrant culture and buy-in across the enterprise, everyone wins.
Adopting this emerging “cybersecurity in the workplace culture” is open to every company, every team, and every employee. And the price of admission? A mindset shift and continuous training regime. Make it more about humans and less about failure. And most importantly, believe in the ability never to let the “user” down while they consume a product or service. There’s pride to be felt in responsibility.