Three ways a CSO can stop being the bad guy

Some executives are learning to say yes, instead of no

doctor evil
Cliff (modified) (Creative Commons BY or BY-SA)

Are you the Dr. No of your company, always with security-related reasons for stopping or slowing down projects?

When you meet with management, is it to ask for more money for security or else horrible things will happen? If so, do you say it like, "one meeeeellion dollars" while petting a white cat? You do know that one million dollars will hardly make a dent in the problem. Better make it, "one beeeeellion dollars."

(Yes, I know it was Dr. Evil who made "one meeeellion dollars" a catchphrase, but it was Dr. No who said it first.)

And when you're not going around telling people to stop doing what they want, or asking for money, are you delivering bad news about breaches?

"I was the least invited person to meetings," recalls Adam Ely, who, before founding his own security company, San Francisco-based Bluebox Security, used to manage security, risk and compliance at companies like TiVo and Walt Disney.

"I would 'no' to a lot of things because there was risk and I didn't have a solution," he said.

But some security executives are redefining their roles to become people who say "yes," and restructuring their departments around becoming enablers of business.

Here are some of the ways they're doing it.

Eliminate spam and phishing emails

Hartford, Conn.-based insurance giant Aetna recently switched to the DMARC email authentication.

"It authenticates all our emails to the Internet service providers," said Aetna CISO Jim Routh. "That's 65 million spam and phishing emails that they're not receiving."

Consumers benefit from reduced risk and Aetna benefits from having lower costs due to not having to deal with phishing-related issues, he said. And it's even helping bring in new business.

"The security department led the initiative with marketing," Routh said. "Traditionally, they don't get along. But at Aetna, we do. Now it's a feature in sales calls with employers who are choosing Aetna to provide benefits to their employees."

In fact, Aetna was the only health care company to receive a perfect 100 percent score last year in a survey by Agari, an email security company. The other 13 health care companies all scored "vulnerable" or below, with an average security score of 17 percent. According to Agari, an email that says it's from a typical health insurance company is four times more likely to be a fake than one that claims to be from a social media company.

Adopt cloud gateways

CSOs are typically well-aware of the problems with cloud applications.

"They expose organizations to security risks such as sensitive data leakage, unauthorized privilege escalation, denial of service, and so forth," said Nir Valtman, CISO, Retail, at Duluth, Georgia-based NCR Corp.

So what does everyone at a typical company do? They sneak around. They sign up for cloud applications without telling anyone, and next thing you know, the whole company is running in the cloud, security be damned.

According to research by CipherCloud, one of the leading cloud gateway providers, 86 percent of cloud applications used by companies were unsanctioned "shadow IT," with the average global enterprise using more than 1,100 cloud applications.

Valtman recommends that security departments look at cloud gateway technologies to secure cloud applications.

"These gateways provide aggregated discovery, control, auditing and analysis tools to ensure that cloud application usage is secure," he said.

Cloud gateway vendors can help fully secure such popular cloud apps as Salesforce, Office 365, Google Apps, and online storage providers while still preserving functionality.

And they can provide limited security, such as access control, to any other commercial or home-grown cloud app.

"Transparent to the user, you can automatically verify devices, IP addresses, locations, OS and more. This prevents phishing, malware, social engineering and other attacks," said Yair Grindlinger, CEO & co-founder at Redwood City, Calif.-based cloud security firm FireLayers, Inc.

By having a solution to offer, CSOs can actually get ahead of cloud adoption, instead of playing catch-up.

But cloud gateways aren't just for cloud users. Companies selling services in the cloud can also partner with cloud gateway vendors to provide their clients even more security -- while not compromising on functionality.

That would make security a selling point and a revenue generator, not just an expense item.

Listen to rank-and-file employees

When Adam Meyer was CISO at the Washington Metropolitan Area Transit Authority he would hold open forums during lunchtime, with coffee and snacks, where anyone from the company could come and ask questions.

He originally expected people to work-related questions, he said, "and it turned out to be 99 percent personal questions and 1 percent corporate."

People would come up to him and ask about their teenagers' computer use, about whether to trust their mobile banking apps, and other personal questions that had nothing to do with the company.

But that actually worked, added Meyer, who is now chief security strategist at Sterling, Vir.-based SurfWatch Labs Inc.

"By making it personal, now those users became more cyberserurity aware in their jobs," he said.

And they began to see where the security department was coming from.

"It wasn't some big policy coming down, it was a personal conversation between them and me and they knew I was just looking to do the right thing," he said.

In addition, users were more inclined to share problems they were having, allowing the security department to get out ahead of potential issues.

For example, one person complained that filing sharing was too burdensome, inspiring the company to decomission their own storage solution and switch to cloud-based storage, after working with the cloud provider to implement specific rules for credit card information.

"It allowed us to reduce malware threats, like ransomware," said Meyer. "We got better availability, better data loss prevention, and a happier workforce -- and we ended up chopping storage costs in half."

Users are just trying to do their jobs to the best of their ability, he said.

"The question is, how can we enable users to be more diligent in security, but also enable them to do their job quicker," he said. "Business isn't in business to lose money -- all those users are there to perform a function. If you remove the barriers for the end user, you're now touching a lot of the organization."

Meyer urged very CSO and CISO to begin building working relationships with other business leaders in their company, and to stay positive.

"If a business unit wants to deploy something in six months, you make sure you do everything you can to meet their six month target," he said. "They can't wait two years -- they're throwing money away, in their eyes. Don't stop $50 million of potential revenues for $2 million in risk. That makes no sense. Assume the risk and move forward."

Copyright © 2015 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)