Six Reasons Why Information Security Executives are Really Superheroes
On Wednesday, February 6th, they came in large numbers, including Forescout’s Julie Cullivan, Chief Technology and People Officer, to the I.S.E. (Information Security Executive) Southeast Event in Atlanta, hosted by T.E.N. Inc. There were no capes, no masks, no futuristic cars and definitely no spandex. Yet, the battle scars were real and the war stories sincere.
So, why the reference to superheroes?
Because our hard-working security leaders have special powers and abilities to keep all the networks safe. Here are the six reasons why I believe our information security executives are really superheroes:
- They fight against invisible devices – One executive highlighted the risk of having even one unknown device on the network that could serve as a “jump off point” into the whole network. It’s a known fact that ransomware targets these unknown devices. Many of these devices enter the network when business units experiment with new and innovative technologies. What does a security team do to minimize unknown devices? Often, they must categorize use cases in order to justify putting the devices on the network. The key is to always make the information security team a partner in these discussions, ensuring their input as early in the concept or procurement phase as possible. That way the security team is seen as a hero rather than the bad guy who takes away privileges.
- They battle with vendors and demand secure protocols and devices – Third-party risk management is consistently top-of-mind for security executives. What if you decided to add smart TVs or other audio-visual equipment to an office? Seems like a simple task, but to a security team it is complicated. These devices could communicate with each other across the network through raw Oracle SQL statements. Or they could be configured using the “plug-and-play” method of using default passwords. A confident executive pushes back on the third-party vendor to ensure the communication protocols used are secure. They insist that encryption, multi-factor authentication and strong passwords – basic best practices – are implemented along with the new devices. A security team follows a strict code of conduct.
- They fight manual processes – Many executives commented on the fact that they are exploring the use of AI. “There are incredible advantages to be had in crowdsourcing knowledge [and] leveraging AI on the operational side,” Julie Cullivan explained. Many executives agreed that the days of tracking devices with spreadsheets and relying on CMDBs that were long outdated should be in the past but are still today’s reality. As one CISO expressed it, “don’t let perfect get in the way of very good”. Though they concurred there is no perfect solution because cyber threats change every day, you have to start somewhere. Security teams begin with governance. Without governance, it’s hard to establish a structure wherein you can achieve total device visibility. The continual fight against manual processes ensures quick reflexes and reaction time.
- They get creative to educate users – Security awareness, though a household term, is still largely ineffective in many companies. It was refreshing to hear from a CISO who created a security-themed video production with employee actors. The production was filmed at HQ and was then presented at an annual company function. The production was such a success that the employees asked them back to the next quarterly event. Creative ways to educate employees on cyber hygiene encourage everyone to fight against threats. Security executives become the best advocates of these programs.
- They make friends inside and outside the organization – Great CISOs don’t try to go it alone. They break down silos and encourage collaboration at the C-level with executives such as the Chief Legal Officer and Chief Compliance Officer. They also empathize with their constituents. In the world of medical technology, a device offline could result in a loss of life. Healthcare CISOs must delicately weigh the need to secure these devices with the mandate of availability. To do this, they work hand-in-hand with device owners and sometimes legal teams to ensure the highest patient care is maintained. Many CISOs today are tasked with not only data security but human security. Being the visionaries that they are, they not only conduct risk assessments and table-top exercises as a security team, but they go so far as to partner with local law enforcement and other authorities to avert and ultimately prepare for crises. They are keenly aware of the disparity in budgets that exists for security technology. For example, small hospitals might be less prepared for a cyber-attack if their budget for technology is minimal. So, utilizing forums such as the I.S.E. event, they are eager to share their knowledge and gain insights from others.
- They party like rock stars – The day ended with a formal gala, awards ceremony and dessert and champagne reception. Rivaling the Grammy Awards in its elegance and choreography, the hard-working executives nominated and celebrated each other’s achievements in the areas of leadership and projects that reduced risk and improved information security significantly for their companies. The camaraderie and deep respect exhibited signaled a close-knit community united in the war against cyber-crime.
Congratulations again to all the nominees and winners of the I.S.E. Southeast awards. As a leader in device visibility and control, Forescout supports your mission to make the online world a more secure place. Learn more about the business value of visibility and control in this IDC white paper.