sponsored

Designing a People-and Business-Centric Approach to Security

Michael Riggs, vice president of information security for Interbank1, LLC, describes how to align people-centric security with business needs, offers a variety of tips on training and data sprawl, and details the changing role of the security practitioner.

Is it important to include people-centered components in an IT security strategy?

It’s absolutely critical. Often when something bad happens, the entry point is the human, and it’s not necessarily a failure in technology or process. People-centric security means engaging your end users, your customers, and your business partners in practicing good security. It’s providing training and resources to your employees to help them identify and handle security threats and malicious insider behavior.

How does it work?

It’s what I like to call good cyber hygiene. Stop clicking on things you shouldn’t; stop casually surfing the Internet. It’s about expectations, and building into the culture of the organization what good IT security looks like.

Phishing our end users to see who clicks on suspicious emails can be a very powerful exercise, as long as it provides carrots and not just sticks. When those exercises become punitive, you make it less likely they will lead to better compliance. You also need a feedback loop after an incident so you can, for example, ensure the rest of your defense in depth works in case another user accidentally clicks on a phishing email.

How has the definition of insider threat evolved, and how are you addressing it?

Overall the problem remains about the same. Most insiders are not malicious. The vast majority of such threats result from unintentional risky behavior, such as a user uploading a document to Dropbox so they can work on it out of the office.

But accountability is critical. You need to hold the user responsible if something they did resulted in the compromise of 11 billion records. And, again, you need to learn from such incidents so you can prevent a recurrence.

In smaller organizations, preventive steps include not granting overly generous user access rights to your systems, and ensuring your data loss prevention (DLP) measures work correctly so you can remove at least some of the temptation.

How do you track the “sprawl” of data in the cloud and on user-owned devices?

A good, solid third-party vendor management program is key. What is the reputation of the vendor? What is their financial health, their track record in delivering against their service level agreements or contractual terms? What are their information security controls, and how are they audited? Where do they keep their data? Then marry that information to what your appetite for risk is if things go bad with them.

For devices owned by users or the enterprise, endpoint management is very important. Ask yourself if you understand what data resides on that device, and if the user loses control of that device, what are the risks? For corporate and personal data commingled on a personal device, consider solutions such as containerization of the data or the creation of different profiles for personal and corporate data.

How do you follow data as it flows through this new environment?

At the basic level, control the applications and how they access the data. As you mature as an organization, data classification becomes very important as well. Maybe there are some documents internally that should never be emailed. Maybe you build some controls around that, and classifications, via tagging, to ensure that data doesn’t leave in a way you don’t want it to.
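One way to turn classification tags into an enforceable egress control, as an added illustrative example rather than code from the interview or from Interbank1's own tooling: a small policy check that inspects the classification tag on each attachment and decides whether an outbound e-mail may leave. The tag name `classification`, the three levels, and the corporate domain `example.com` are assumptions for the example; the interesting cases are the documents that carry no tag or a malformed one, which the check treats conservatively rather than waving through.

```python
"""Classification-aware outbound e-mail check (added example, not from the page).

Assumptions: documents carry a metadata tag named "classification" with one of
the values public / internal / confidential, and the organisation's own mail
domain is example.com. Both are placeholders chosen for this illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Classification(Enum):
    PUBLIC = "public"              # may leave the organisation freely
    INTERNAL = "internal"          # may be e-mailed only to internal recipients
    CONFIDENTIAL = "confidential"  # must never be e-mailed at all


# Hypothetical corporate mail domains; any other domain counts as external.
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class Document:
    name: str
    tags: dict = field(default_factory=dict)  # metadata tags on the file


def classify(doc: Document) -> Classification:
    """Map a document's tag to a classification, failing closed on bad input.

    - no tag at all      -> INTERNAL (kept inside, but internal work continues)
    - unrecognised value -> CONFIDENTIAL (a malformed tag may mean tampering)
    """
    raw = doc.tags.get("classification")
    if raw is None:
        return Classification.INTERNAL
    try:
        return Classification(raw.strip().lower())
    except ValueError:
        return Classification.CONFIDENTIAL


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours (or is unparsable)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def evaluate_email(recipients, attachments):
    """Return (allowed, reasons); reasons is empty when the mail may go out."""
    reasons = []
    external = [r for r in recipients if is_external(r)]
    for doc in attachments:
        level = classify(doc)
        if level is Classification.CONFIDENTIAL:
            reasons.append(f"{doc.name}: confidential, may not be e-mailed")
        elif level is Classification.INTERNAL and external:
            reasons.append(
                f"{doc.name}: internal, external recipients {sorted(external)}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: one internal document going to a mixed recipient list.
    sample = [Document("q3-forecast.xlsx", {"classification": "internal"})]
    allowed, why = evaluate_email(["bob@example.com", "eve@mail.net"], sample)
    print("allowed" if allowed else "blocked", why)
```

The decision is returned rather than printed so the same function can sit behind a mail gateway hook or a DLP rule and feed the incident feedback loop the interview describes: every block carries a reason naming the document and the recipients that triggered it.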

How do you see your role changing?

The security practitioner has to become not the person who says “no” but the person who can help the business do business in a way they need to, securely. It’s our job to be the guardrail protecting users from risk, not the speed bump slowing their work.

We have to learn the business and understand its language. And we have to be thought leaders and drive a vision for security. We see so many security professionals coming in with the newest, shiniest technology, and implementing it in a silo without an overall security strategy. One example is meeting a regulatory requirement for a phishing policy with a process that covers email but ignores social engineering, such as phishing attacks over the phone or in person at the front desk. Without a more comprehensive strategy, you’re just checking boxes for your entire career without meeting the organization’s security needs.

Copyright © 2017 IDG Communications, Inc.