The Cybersecurity Playbook

How Every Leader and Employee Can Contribute to a Culture of Security

Wiley

15 min read
7 take-aways
Audio & text

What's inside?

An indispensable guide to baking cybersecurity best practices into the corporate culture and everyday habits.

Editorial Rating

8

Qualities

  • Applicable
  • For Beginners
  • Engaging

Recommendation

Having lived through disastrous hacks and breaches at McAfee, one of the world’s foremost security software firms, author Allison Cerra proves an effective evangelizer for the everyday importance of corporate cybersecurity. Cerra offers detailed advice for each key player in the constant battle against hackers and cybercriminals, none more important than employees themselves. Her practical checklists for lead security officers, boards, the C-suite and HR and marketing professionals make this brief, accessible and engaging guide useful to building cybersecurity into the corporate culture.

Take-Aways

  • Much of corporate cybersecurity depends on the good habits of employees.
  • The C-suite and the board must address cybersecurity in every board meeting.
  • Product designers must build security into network-connected products and devices from the ground up.
  • Human resources plays an important role in building cybersecurity awareness, capabilities and resilience.
  • Develop and practice executing a detailed communications and response plan to any major security breach.
  • With risk management at its core, cybersecurity falls squarely within the CFO’s interests and responsibilities.
  • Chief Information Security Officers bear much of the burden.

Summary

Much of corporate cybersecurity depends on the good habits of employees.

One in five security breaches involves a mistake by a negligent employee. Mundane but important practices by employees in the firm represent one of the most vital defenses to cybercrime. These include creating strong passwords, changing them often, and not reusing them. Employees should familiarize themselves with common hacker tactics, including phishing emails. They should check with IT security before using cloud services and tools, use encrypted thumb drives, report suspicious emails and activity, never leave laptops and other devices with sensitive information unattended, and simply realize that hacker prevention doesn’t just fall to the cybersecurity team – everyone must contribute.

“Cyber threats are now so pervasive that they lurk around every connected device, every bit of data we take for granted.”

In most organizations, phishing emails succeed in fooling about 4% of employees and/or executives. Phishing emails – often in the guise of a message from a leader or colleague – invite the recipient to click on a link or download a file. When they do, they may compromise their credentials, introduce a virus or give a hacker entry to the firm’s networks. Employees need awareness training to spot phishing attempts and should report them to IT immediately.

Convincing employees to do these things proves exceptionally challenging in most organizations. Unfortunately, those responsible for cybersecurity often operate in the shadows, and when they do appear, their rules and restrictions just as often meet with derision as acceptance.

“Cybersecurity is a team sport with everyone needing to play her or his position for every minute of the game.”

Only by weaving safe practices and habits into the culture of the organization can Chief Information Security Officers (CISOs) and their teams hope to prepare the firm for attacks and minimize the damage. No organization can ever hope to prevent cyberattacks, but they can respond to them quickly and effectively.

The C-suite and the board must address cybersecurity in every board meeting.

Cybersecurity preparedness requires the combined efforts of all parts of the organization, led by a CISO who has the ear of the board and senior executives. Everyone in the organization should take responsibility for securing data, whether data are behind a firewall, in the cloud or on an employee’s personal smartphone.

Lest any executive or board member believe that cybersecurity belongs in the back office, consider that firms lose more than $600 billion each year to cybercrime, the third largest economic scourge globally, encompassing more than half a million attacks daily. Indeed, a full 25% of firms experience at least one breach every 24 months. Increasingly, governments punish these breaches by fining the firms. In the EU, for example, the average fine under Europe’s General Data Protection Regulation (GDPR) was almost $4 million in 2018.

Perhaps most worrisome of all, the talent market for cybersecurity professionals currently falls about two million short, even while cybercriminals gain sophistication in tactics and tools. New techniques and combinations of tactics appear almost daily – everything from ransomware, in which hackers hold data they’ve stolen hostage until you pay (using untraceable cryptocurrency), to denial of service, where cybercriminals overwhelm websites with queries until they shut down.

Despite portrayal in the media as lone wolves, hackers organize online in communities on the Dark Web. Here they share information and strategies, and buy and sell stolen passwords. CEOs and board members must realize that for CISOs, this means fighting a continuously escalating battle with measures and countermeasures – a never-ending chess match. And though more than 3,500 cybersecurity software vendors compete, no single tool solves the problem. Unfortunately, technologies have a short useful life because hackers constantly probe them for vulnerabilities. In short, the game is one in which CISOs have to win every time; criminals only once.

“Bad actors want you to deprioritize cybersecurity as a nonstrategic investment. Don’t give them that power.”

To counter these odds and protect the firm’s most important and strategic assets, the CEO and board should put the topic of cybersecurity on the agenda in every board meeting. In these meetings, the CISO should present and update the board from a strategic risk management perspective, explaining how the firm is protecting its most important assets. For example, the CISO might summarize insights from the latest Red Team/Blue Team games. These exercises pit contracted external hackers – the Red Team – against the internal cybersecurity Blue Team to expose vulnerabilities and scenario plan against various types of attacks.

“Not only is your company destined to play defense against cybercriminals, but it must do so with near-perfect precision.”

With regular updates from the CISO, the board and CEO should earmark security budgets favoring the protection of the firm’s most important, strategic and vulnerable assets.

Product designers must build security into network-connected products and devices from the ground up.

Recent hacker attacks have attracted wide media attention. In October 2016, a denial of service attack on Domain Name System provider Dyn brought down access to some of the Web’s most popular sites, including Twitter, Netflix and others. Hackers now launch these attacks using armies of bots and by gaining access through the dozens of connected in-home devices the average American family uses, like baby monitors and DVRs. As inconvenient as the Dyn attack proved to millions of Americans, the specter of future attacks leaching into corporate networks looms larger. In future, a similar attack on fleets of self-driving cars could do unimaginable damage.

“Every adoption of a technology, be it mobility, cloud or the Internet of Things (IoT) subjects a company to greater risk.”

The lesson from Dyn and similar real or potential attacks pertains to the types of network-connected products and devices in the market. Developers have an obligation to make security a foremost consideration in product design, from the minimum viable product (MVP) stage forward. This means building security features as requirements, not as afterthoughts later on, and assigning accountability for continuous security monitoring and upkeep to product managers and others throughout the product life cycle. Anyone who sees or suspects a security flaw in a product should have the authority to stop its production or sale until resolved; indeed, they should receive reward and recognition for doing so.

Human resources plays an important role in building cybersecurity awareness, capabilities and resilience.

Most firms can’t find the IT security talent they need because a vast talent shortage pervades the United States and most of the world. HR professionals can ameliorate this problem by sourcing candidates in atypical places and with less obvious credentials. Foremost among these candidates: women.

The first computer programmers were women, a tradition that continued from the 1940s through the 1960s. Higher pay, bias in university admissions, and portrayals in movies and the popular media may have combined to make IT and programming less attractive to women. Women, minorities, and people with less obvious credentials but strong aptitude need more encouragement and opportunity to enter the field.

“As long as there is no shortage of bad actors, there will be no surplus of cybersecurity professionals.”

HR should also lead the charge to train employees in the basics of good cybersecurity practice; adjust reward and recognition programs to incentivize good security behaviors (including whistleblowing); continuously review personnel and their need for various access to sensitive data and repositories; add questions to job interviews to ensure consideration of candidates’ experience and attitudes toward security; and make sure that every executive has at least one cybersecurity-related metric in their performance plan.

Develop and practice executing a detailed communications and response plan to any major security breach.

Hacker stealth proves one of the most frightening aspects of cybersecurity. On average, a breach occurs six months before a firm knows it happened, and then it takes months more to contain it. Once learning of a breach, the average firm takes another month to report it to customers. Instead, report it immediately, get in front of the story to reduce the damage and to serve your customers ethically. When you announce it, make it about the victims – your customers – not the firm.

Prepare ahead of a breach. With your CISO, scenario plan for various types of breaches and role-play your response. Devise a full communications plan: who will you notify and when; how will your message change depending on your firm’s level of negligence; how will you handle emerging information, and how will you compensate victimized customers? Know exactly who will do what, in order, minute-by-minute after you discover the breach. Prepare your messages ahead of time – emails, executive statements, press releases – on what your firm plans to do. Include a sincere, empathetic apology. Have responses ready for tough questions.

With risk management at its core, cybersecurity falls squarely within the CFO’s interests and responsibilities.

Unfortunately, the CISO’s relationship with the CFO proves fraught in many cases because the CFO wants ROI and a CISO can never deliver it. CISOs must reframe their conversations with CFOs from a focus on ROI to one of risk management. For example, if the CFO asks why the firm should purchase new security software or a new platform, connect your request to protecting a strategic, important and vulnerable asset – one that is otherwise at risk. Where possible, estimate the financial damage that a breach might inflict. You can’t make guarantees, but you can estimate risk reduction and potential avoidance of losses. The language you use with the CFO will also prove resonant with the CEO and board.

For their part, CFOs should hold CISOs accountable for how they’ve used resources in the past. For example, have they deployed past security technologies or have some stayed on the shelf? Have they maintained the effectiveness of past products, for example with the latest patches and upgrades? When was the last time they conducted penetration testing and what were the results? Have employees received the latest training? And so on.

“CFOs carry the flag for their organizations in ensuring the procurement process sufficiently vets third parties’ cybersecurity posture.”

CFOs should also ensure that the entire corporate supply chain conforms to IT security standards, including outsource partners, suppliers and any new products or platforms under consideration. Almost three-quarters of firms outsource all or parts of their IT, including elements of cybersecurity, and about 60% of firms have suffered breaches caused by vendors and partners. Though outsourcing some components of cybersecurity itself might make sense (for example, penetration testing), CFOs and CISOs should ensure that the core of the responsibility remains inside the firm: an internal team can reach a higher level of readiness than outside partners.

Chief Information Security Officers bear much of the burden.

CISOs must break down resistance to sound security protocols and gain the respect of senior executives and the board. CISOs can do so by striking a balance between policing employees who naturally want to use convenient, performance-enhancing tools and services, and allowing a free-for-all that puts the firm at grave risk.

For the board and executives, CISOs must translate threats into strategy and risk terms – how potential attacks put revenue and the firm’s most important strategic objectives at risk. A CISO-guided tour of the Dark Web might show leaders that anyone can easily buy passwords into the firm’s cloud services, for example, just as reliance on these services is growing. CISOs can also share the results of phishing tests, which, for example, chart the percentage of employees and executives who take the phish bait. CISOs should brook no compromise concerning basic security best practices among employees and partners, like password management, and commonsense measures, such as comprehensive, encrypted data backups.

“AI, like any technology, is a weapon in both your company’s cybersecurity arsenal and your enemies’ arsenals.”

Of course, CISOs must work in lockstep with CIOs, whatever the reporting relationship. This includes agreeing on metrics and Key Performance Indicators (KPIs), penetration testing schedules and planned purchases. CIOs and CISOs often clash when the latter object to technologies proposed by the former. Avoid this by using services such as Cloud Access Security Brokers (CASBs), which help manage cloud security. CISOs should also deceive hackers using decoys to draw them away from prized data and toward attractive bait, and use AI to discover attacks. AI promises to automate threat detection, allowing firms to better utilize scarce cybersecurity talent. On the other hand, it produces more false positives, which require resources to investigate. And like any other tool available to CISOs, hackers have AI too, and have already used techniques like “Adversarial Machine Learning (AML)” to scramble firms’ machine learning models and/or produce mass false positives.

In short, just as safety has come to dominate airline industry culture, organizations must develop a “sixth sense” for detecting threats and breaches, an outcome possible only when cybersecurity infuses the culture.

About the Author

Allison Cerra leads McAfee’s marketing and communications teams as SVP and chief marketing officer. In this role, she has seen firsthand the reputational and financial risks wrought by lax cybersecurity measures.
