Importance Of Awareness, Automation And Relationship For Security Assurance

Jon Rogers, Ciso, Continental Resources

content-image

Jon Rogers, Ciso, Continental Resources

Recently we were interviewing for an entry level Information security analyst position and a candidate asked me, “With the really long time you’ve been in security, what changes have you seen over the last 22 years?” After getting past the feeling of being old, I told her that back in the daysecurity was all about blocking and preventing. It made relationships difficult and prohibited the business from performing to its maximum. As a security community we realized that stopping the business was not ideal for the success of the company or our careers, so we began loosening controls and improving monitoring. This moved the focus of the five elements of the NIST framework from Prevent to Detect. We still tried to prevent where we could but attackers were too far ahead of securityprograms so weagain moved the focus from Detect to Quickly Detect to limit the amount of time an adversary was in the environment. The concern is that controls will continue to loosen to allow the business to prevail but staying on this path could lead to a security program that is meaningless or non-existent. In the end, teams may revert back to the days of blocking everything to stop the bleeding and reassess their effectiveness, which nobody wants.

When it comes to relationships, partnering with the business and internal IT teams is key to a security program’s success, but partnerships are a two-way street

This brings us to today and the importance of awareness, automation and relationships, which will help prevent the scenario of returning to full prevention by balancing between enabling and securing the business. For awareness, we all know end-users are our first line of defense and they need to be properly trained to help defend the company against attacks. Even with training, there needs to be buy-in from the top to help push the importance of the training so everyone is engaged and has ownership in the protection of the company’s data, and their own in some cases. If you don’t have an effective security awareness program in place it needs to be a priority above all other security initiatives. Automation is an area that can help over-whelmed security teams and allow for more time with focusing on actual risk and building relationships. From thereyou’ll have a great foundation to a simple security program that will fit into any framework.

When it comes to relationships, partnering with the business and internal IT teamsis key to a security program’s success, but partnerships are a two-way street. If you’re not reaching out to your security team to involve them in business meetings, you’re doing them and your company a disservice. It can be difficult to reach out knowing the security personnel can be creepy people working in dark offices, but today’s information security staff is being trained to communicate with the business and they’re learning how to build relationships because we know we can’t do it alone and need your help. Ask your security team about the threats they see and the challenges they have. Also ask them if there is any way a process can be done differently using the survivorship bias philosophy, which is simply changing your focus from looking at what you know to looking at what you don’t know. You’ll be surprised how excited they will get from being asked such simple questions. If you want to take it further, act on their advice and ask how you can help them be successful. Let’s be the leaders we are and make a difference every day.

Read Also

Increasing The Capabilities Of Package Delivery By Using Oracle Autonomous Database

Increasing The Capabilities Of Package Delivery By Using Oracle Autonomous Database
Arief Rahardjo, Vice President Of Technology, Pt. Tiki Jalur Nugraha Ekakurir
At The Edge Of Cloud: What Does The Future Look Like For Drilling Automation?

At The Edge Of Cloud: What Does The Future Look Like For Drilling Automation?
Robello Samuel, Chief Technical Advisor And Halliburton Fellow (Well Engg.), Halliburton
Drones And Data: Designing A Framework To Maximize Innovation

Drones And Data: Designing A Framework To Maximize Innovation
Jason Diamond, North American Community Of Practice Lead For Uavs, Arcadis
How Agile Adapted in a COVID-19 World

How Agile Adapted in a COVID-19 World
Beth Schmidt, Director, IT Delivery and Agile Operations, Markel
Digital Procurement Transformation in Supply Chain Management

Digital Procurement Transformation in Supply Chain Management
Paul Blake, Associate Director, GEP Worldwide
Technological Innovations in the Supply Chain. Supply Chain Analytics

Technological Innovations in the Supply Chain. Supply Chain Analytics
Michael L Schoenfeld, Senior Vice President, Head of Contract Logistics- USA, DB Schenker