“You have four weeks to create strong cybersecurity habits in a business with 500+ employees. What would you do, and why?”
Granted - such a request “may indicate a big problem in [the board’s] understanding of security,” as Fred Scholl (Monarch Information Networks) points out below, because in this scenario, “[t]he CISO has failed to proactively educate leadership.”
We posed the question to our circle of InfoSec Luminary Lineup contributors anyway. Nothing focuses the mind like a deadline.
Jordan McQuown, CIO at LogicForce Consulting, writes in response: “[U]ser awareness, reinforcement and training are key to improving security habits.” So how do we get there, fast? Jordan reminds us that “[t]ypical attackers are looking for easy targets” - and provides ample advice on how to frustrate their plans.
Richard Caplan (LeClairRyan) points out that in such a concerted effort it is important “to clarify the rules and responsibilities.” And like Jordan McQuown, Joseph Raczynski (Thomson Reuters Legal) urges CISOs to create teachable moments: “Companies need to phish their own employees.”
Steve Durbin, Managing Director of the UK-based Information Security Forum (ISF), includes a warning in his contribution. Given the time restraints in this scenario, he writes, “[l]ooking for a silver bullet will be a waste of time.”
Steve advises stepping back and understanding the bigger picture first, then “let[ting] risk drive the solution.” His “Ten tips on how to make cybersecurity a habit on a deadline” round out this InfoSec Luminary Lineup.
Tip #4 on his instructive list below is our favorite. Why?