
Just back from my hols and it’s heartening to see that, whilst I’ve been away, so many great movers and shakers in the IT security world have signed up to get involved in Security Serious Week in October. So many of the CISO community have already committed their time for free to offer seminars and webinars on a host of great subjects, including people from Unilever, BT, Canon, Lloyds Bank, HSBC, GSK, Publicis Groupe, Markit, Willis and The Economist, to name but a few! Our loyal analysts, including Ovum, Quocirca and IDC, are on board, and yesterday I was delighted that the Department for Culture, Media and Sport agreed to get stuck in with events during the week and to rally other Government departments to do so too – way to go!

The week should be incredibly insightful for any organisation wishing to become more security savvy. So if you’re an IT security specialist or IT security organisation that wishes to impart your pearls of wisdom to other businesses to make them more Security Serious, then why not organise a webinar or seminar? We’ll promote it for you on www.itsecurityguru.org and www.securityserious.com.

We’ve also got loads of companies participating in the press photocall at 12 noon on 26th October outside the Tower of London (find out more at www.securityserious.com), where everyone will have a banner with their logo on it to show the world they’re “Taking Security Seriously”. By participating in the day, not only will you be counted as a company that’s Security Serious, but it’ll be a great networking event, as we’re all going to meet in the pub after the photocall – CISOs, analysts, press, vendors and other IT security professionals. Hopefully, by getting together, new contacts will be made and we can work together to make UK Plc a safer place to do trade online! If you want to brainstorm how you can get involved then email me at Yvonne@eskenzipr.com!


Here’s an event that you’re going to want to be involved in because it’s for every company who takes Security Seriously!

The campaign is called SECURITY SERIOUS and we’ve dedicated an entire week to it, from 26–30 October. The campaign will push the message to the business community that we’re taking Security Seriously – and so should you!

We’re hoping to get 50+ best-of-breed companies who are good at IT security to help other companies become more security savvy through a range of exciting events! We’ll kick off the week with a photocall outside the Tower of London at 12 noon on 26th October. Everyone will be there with their company logo and a huge banner stating that we’re all pulling together to show that “UK PLC is serious about IT security”. We’ve arranged for the press to take pictures at the photocall and then we intend to create a social-media frenzy around the whole week!

During the week we have lots of free lectures and events that companies are offering on a first-come, first-served basis. These will be on a range of cyber-security topics – it could be “Getting the board’s attention”, “How to stop breaches”, “Finding the right tools to secure an SME”, etc.

We’ve already got some amazing large companies behind the week doing some really exciting events, BUT we want to build huge momentum behind it and need your help with the following:

  1. Let us know if you want to be involved in the photocall opportunity – if so we’ll get a huge placard with your logo on it.
  2. Can you support this event by offering something positive to other businesses during the week – it could be a webinar, free software, a seminar in London, an internal seminar for your staff, something inspirational and creative! We’ll promote it through Eventbrite and BrightTALK and on the website, with your logo as a supporter of Security Serious.
  3. Who could you invite to get involved apart from your own company?
  4. Add the event and logo to your email signature.
  5. Blog about it.

YOUR INVOLVEMENT AROUND THIS EVENT WILL NOT COST YOU A PENNY – it’s all about the community collaborating as an industry to get best-of-breed security professionals from great organisations working to help others become more security savvy. That way we can improve the security posture of UK PLC!

So please let us know how you’d like to get involved asap so we can build your event and idea into the website and campaign.

For more details email Yvonne@eskenzipr.com


It’s a funny one, this subject of IT security – it always comes back to the users. Without us there wouldn’t be any security issues! And without us we wouldn’t need security experts to keep us in check! We need them and they need us – right?

Every year we organise the IT Security Analyst & CISO Forum, which is a wonderful opportunity to get raw and heartfelt insight into how the CISOs are feeling – what they are seeing, what’s troubling them and what they’re doing to find sensible solutions to the problems they’re facing. I felt hugely buoyant after this year’s gathering of CISOs; they really seem on top of what’s going on! They were openly collaborating and helping one another – they understand they’ve got huge security issues, but there’s nothing out there that they can’t cope with. Calm is afoot.

What hit me the most was the realisation that users are useless when it comes to security – we the users just don’t care; if it’s in our way we’ll get around it. So there was a consensus in the room that “we need to move away from a NO to a KNOW mentality”, because saying no just ain’t working! You can’t block users from doing their jobs; instead, find the tools to make sure you are on top of what they’re doing with the information.

Oh dear, but then that’s not all that easy, is it? Because the next two biggest bug-bears that the CISOs discussed were Shadow IT and privileged user management – those are top of mind at the moment.

Shadow IT was a real first for me – the term, I mean (sorry, I’m a bit behind with the lingo these days). They were all harping on about this being a really big problem – and that’s us people yet again, in PR and marketing, sales and management. We keep downloading these wonderful sharing apps that make everything so simple for our wee non-IT brains: you just download the app and, hey presto, we can all share spreadsheets and contacts etc. amongst our colleagues quickly and efficiently. Quickly and efficiently was never really in the security programmer’s DNA, which is why we always come to an impasse with the security folks. The likes of Google sharing apps, Dropbox, Box etc. are causing a real pain in the backside for security – sensitive data is being shared outside the organisation willy-nilly. But the good news is that these bright young CISOs are onto us – they know what we’re up to and are now learning how to discover, monitor and remediate us where necessary. At least with the coolest tools out there they can keep the auditors happy and show they’re doing their best to meet the demands of the compliance chaps!

So we can keep working away with our apps, because the IT security folks realise that fighting them is a road to nowhere – so instead of saying NO they’re moving to a culture of KNOW instead.

The other problem they really started to sit up and talk passionately about was the thorny problem of managing privileged users. Hmmm, it’s the human factor yet again! The typical scenario went as follows: one person is given access to the sensitive stuff; they then share it with a colleague when they go on holiday; a consultant comes on board and is given access too; the original person is promoted into another department or leaves, and hands over access to a new person, but still retains access to the original information even though they no longer need it – and so on. One CISO from a major bank who shared his angst found his sentiments were mirrored by most of the other CISOs around the table: “Companies grow very quickly and you get lots of changes, so we try to conduct regular privileged access account reviews, but I have to admit it’s one of the biggest problems we have not yet solved.”

It’s the thorny old problem – if you don’t drill into your staff that data is a major asset of the company and needs to be respected and dealt with responsibly, then it won’t be respected.

Back to good old user security awareness and best practices then! Train your staff and they’ll be your biggest allies – get their trust, get them to take on a bit of the responsibility for security, and you’ll go a long way to solving the problem. That’s the conclusion I came to after listening to these savvy and very switched-on CISOs. The reason they were so chilled was that they’ve learnt that security is a really big problem and that it’s us users who are their biggest problem – but these guys have a strong handle on what’s going on and are getting to grips with user awareness and responsibility! They all admitted that it helps that over the last year the boards are giving them more air time – at least 15 minutes every 6 months! It means that, more than ever, they have the ear of the board, who are giving them the responsibility, time and money to focus on putting security where it needs to go. For more on what the CISOs talked about at the Eskenzi IT Security Analyst & CISO Forum, read Ron Condon’s blog at http://www.itsecurityguru.org


So what bugs really bite at CISOs?

  1. Malware bugs
  2. Those Hacker buggers
  3. Their staff
  4. Or lack of staff
  5. State on state bugs

Actually, what really gets their goat is No. 2, the staff who continually mess everything up for them, and then No. 3, the lack of trained, skilled staff who know how to stop the stupid people screwing up their systems.

How do I know this? Because once a year Eskenzi PR organises the IT Security Analyst & CISO Forum, where we get a room full of very outspoken CISOs who really don’t hold back when it comes to sharing their thoughts, bug-bears and irritations with their peers. A few select vendors are invited to hear from the community who buy their wares, and we also fly in a dozen of the world’s top analysts, who learn from these heated and honest exchanges.

Looking in from where I sit, I’d have thought they would be most worried about all the external threats tirelessly trying to get into their networks from every angle. However, these breaches and bugs are not what get these guys riled up; that’s par for the course – something they expect and can almost prepare for. What they all share is a real frustration that they can find the technology to prevent the breaches and bugs, but their users turn it all on its head with their stupidity – and it’s a problem that doesn’t seem to want to go away.

One comment I especially liked was “you can’t take the IdioT out of the user” – it’s what they do with the data that’s the biggest problem! Another observation came from an impressive female CISO who said that 100% of computer crime involves people. Obvious, but she’s right, and it makes you think!

Okay – here’s the lesson: we must learn to respect the data we use on a daily basis. That means wherever it is and whenever we’re using it, we need to consider whether it is valuable and, if it falls into the wrong hands, what harm it could do to ourselves, the customer and of course the company.

However, one eminent venture capitalist who attended our event cited a recent Economist article stating that stock prices are often unaffected by breaches, which leaves me really confused – what’s it all about if you can suffer a major breach and it doesn’t really affect the company? Why bother? Maybe that’s why CISOs are so relaxed about external threats!

But it does cost money to sort out the mess that users make when they infect a system by opening an infected email or uploading infected data from a contaminated USB.

Apart from being hugely frustrated by their internal staff, a frustration definitely shared by all concerned, it seems that the second really big pain point is the lack of skilled people in IT security. There just isn’t the quality or quantity and, when you do find someone, they just don’t know how to communicate to get their message across. There was a common thread in the discussion: when they did find the right people with the right skills, those people then couldn’t fit in with the culture of the company. The big question is how do you turn geeks into people people in order to get the funds for IT security from the board? One very smart CISO (although, saying that, all the CISOs who attend our event are the smart ones who make a real effort in collaborating and pushing the boundaries) gets a digital agency to help with his messaging and visuals, so that when he has that very small window of opportunity to talk to the board, they quickly get it!

They all believe that, in order to get things done in IT security, you’ve got to become a good communicator – which means investing in training to communicate well so you can be compelling and convincing. You need to talk to the board in the language they understand, and the same goes for the users themselves.

Another smart suggestion for getting skilled people to push the IT security message came from a CISO who had employed the CEO’s PA to come and work for him, as she knew exactly the culture of the company and how to get around everyone to get them to listen. She knew politically who to push and who to ask to get things done. So employing internally and drawing talent from other parts of the company was definitely a method that had worked for this particular CISO.

Everyone thought that a framework of the right questions that the board should ask the CISOs was a good way to go, and badly needed.

I suppose the conclusion to the day was that, no matter what happens out there, the CISO’s biggest concern is to keep their own house in order; and that means training their staff to respect the data they deal with, and getting the right employees who know how to communicate to help them do this.

Yvonne Eskenzi Yvonne@eskenzipr.com