CISOs often dream about adding hands to the infosec team to ease their burden. However, a risk management consultant says they fail to take advantage of a resource under their nose – the organization’s employees, who are the most likely to kick off a security crisis.
“The very last line of defence is the individual sitting at a desk,” Ken Muir of Vaughan, Ont.-based Uzado told the annual SecTor security conference in Toronto on Wednesday.
IT forgets “they have an army of people behind the scenes that can help them as well. But they don’t use the employees in the organization to help out because for them it doesn’t seem like they’re part of their plan.
“The security department is like a brotherhood – they sit behind closed doors and they make all these plans but don’t tell anybody.
“You should be training people all the time: What does a potential compromise look like? What does a bad email look like? … Without explaining what those things are they can never be part of your force.”
Muir’s main argument at his session was that organizations need to get back to basics if they want to better secure their environments. And one of those basics is security awareness. The others include patching and performing regular off-site backups.
The gold standard of security planning revolves around following internationally recognized frameworks such as those published by NIST and ISO 27001. But these are hard to implement for all but large organizations, Muir argued. SMBs should just pick the controls that matter most to them, “and get really good at them.” Having metrics to measure progress is vital, he added.
“Why are we still getting hacked today?” he asked. “People are spending billions of dollars every year on technology, there’s lots of companies that have the money and the ability to maintain these environments and they’re still getting hacked? … I get it if you’re an SMB and don’t have the resources, but why are major corporations still getting hacked?”
“There’s no discipline around security today,” he complained. As evidence, he pointed to the lack of regular and solid patch management that let the WannaCry ransomware spread in May 2017 through a Windows SMB vulnerability Microsoft had already patched two months earlier.
“Don’t worry about what the hackers are doing. Don’t worry about their levels of sophistication, because it will always be way beyond the level of understanding of most people. You’ve just got to be good at what you do.”
It’s a matter of where the infosec team puts its scarce resources, he said.
One audience member complained vendors are only willing to sell expensive solutions that won’t integrate with other equipment he has, so network visibility is hindered.
“That lack of visibility is a big problem for organizations,” Muir replied.
In an interview Muir said that infosec leaders suffer from a lack of resources and skilled people because what they’re being asked to do is too much. “So let’s resize that and look at what they can accomplish. And if they can do more, that’s great.
“At these conferences people talk about artificial intelligence and quantum computing, and it’s very interesting. But for a small to medium-sized business, this is Star Trek stuff. They’re not going to get there until that technology becomes more affordable. So what can we do in the meantime, that’s where we need to be focusing.”