In the final installment of this S.O.S. blog series, we will cover the organization-level efforts you can take to help combat Shiny Object Syndrome within your company’s cyber security program.
As we mentioned in the first part of the series, one of the main causes of S.O.S. is the increased awareness of and focus on cyber security by boards of directors and C-suites, and how this newfound awareness leads to “trendy” cyber security solutions being pushed down to the security team without proper consideration of how they will impact the existing program.
This mentality often puts the security team in a bind, as they likely already have a plan for the continued improvement of their program (as outlined in the second part of this series) that includes evolving internal policies and processes along with introducing new tools to address specific needs. Unfortunately, security leadership usually doesn’t do enough to educate company executives on that strategic plan and how it will not only continue to provide good security for the company’s assets but also enable the business to constantly innovate and consequently meet customer demands. If security teams took the time to educate, they could prevent business leaders from feeling the urge to jump on every new shiny object/tool that comes on the market. This shortcoming is further aggravated by the tendency of security professionals to lack fluency in executive language. The result is the famous line from Cool Hand Luke – “What we’ve got here is failure to communicate.”
Speaking Their Language
This pitfall can be addressed by the security team if they regularly engage with company executives and inform them of the strategy they are pursuing to protect the company’s important digital assets. The first step in doing so is to understand how business leaders value security and then create measurements that line up with these criteria. For instance, your team may currently communicate the number of incidents your program blocked and present the raw numbers of malware events, NIDS events, etc. This kind of communication usually degenerates into a recitation of statistics that are largely meaningless to the board/C-suite.
Instead, you should focus more on presenting the trends in the types of attacks you are stopping and where they are coming from, delivered from a risk-mitigation perspective. In another example, you may show a decrease in the number of application-based attacks and then tie that result to improvements made by your development team in producing better code, which in turn makes your applications less vulnerable. In addition, you can analyze malware trends and align them directly with employee training on phishing and other social engineering attacks.
Ultimately, you’ll want to turn your presentation into one that depicts security investments as something similar to insurance. Board members and C-suite executives can easily relate to the concept of risk and how insurance serves as an important mitigation tool. Use publicly available information on the costs of data breaches and show how the investment they are making, or that you are asking for, will save the company real dollars, as well as the soft costs that usually accompany a breach, like reputation and lost business. These areas will resonate much better with your executives and enable them to appreciate the true value of security to the company. The rapport you gain will in turn make it easier for you to win approval whenever you request increases in the departmental budget.
Educate & Empower
The second effort you can undertake to combat S.O.S. is to integrate security into the DNA of your organization. Empowering employees with a deeper understanding and appreciation of security can pay large dividends. The more people understand why cyber security is important and the more they are encouraged to identify and report potential security issues, the better off your organization will be.
One of the best and most cost-effective cyber security tools is security awareness training. Threat actors are enhancing their skill sets to create and deliver social engineering attacks that even some security professionals could fall victim to. These types of attacks, whether phishing or other web-based methods, have become more sophisticated, targeted and difficult to identify. This is why a robust and continuous awareness training program for all employees is essential.
It’s also important to focus some of your efforts on your development team. Train them to write secure code and understand why security should be tightly integrated into their development lifecycle. Doing this will reduce the vulnerability of your applications, making them less attractive targets and providing a more robust cyber security program.
In many organizations, employees don’t feel any compulsion to report potential security issues because their organization lacks an easy mechanism to do so and/or does not treat reports seriously. If this is happening in your organization, you should implement a simple solution. For example, you can have employees email potential phishing attempts to phishing@ABCcompany.com, and then have your security team review them and provide prompt responses. A great way to encourage participation is by rewarding users who identify issues that end up benefiting the company.
When people understand the importance of security to the company, and are well trained and empowered to report security issues, they will generally respond well – resulting in significant improvement of your overall cyber security program.
Combating shiny object syndrome is not always easy, but it can be accomplished at the organizational level by focusing on two key areas: communicating with company executives and training employees. With these two implemented and a renewed approach to security measures, your organization can defeat this illness and begin focusing on your true security goals.