Aiden was proud to host the first in a series of discussions with technology leaders on the much-needed IT-Security Paradigm Shift — the trends in technology and leadership strategy that are helping organizations reduce cyber-risk and improve response times to cyberattacks.
We’ve compiled the 5 top takeaways for leading conversations from the board of directors down to the engineers in order to bridge the gap between IT and security.
#1 Avoid “cyberspeak” for maximum impact and awareness across an organization
Technology leaders need to speak in a way that resonates with business leaders and not just “techies” in order to get on the same page. One way to do this is to avoid acronyms.
“It’s become part of our role to evangelize and to communicate what [cybersecurity] means in business terms. There are many aspects to this conversation and it’s important to be able to speak in plain language,” said Casey Santos.
Speaking in terms that upper management and non-technical members of your organization can understand is key to winning support for better IT and security integration. These soft skills also serve a dual purpose: getting buy-in for better investment in cybersecurity from decision-makers, and growing your IT career—no matter your current role.
“Removing jargon from our vocabulary when we talk to executives and boards is where it really starts. As you move up in the ranks as a technologist, we need to do this or we can’t move forward … Aiden is focusing on bringing this into plain language so everyone can understand.” – Joshua Aaron
#2 Nudge management and purse stakeholders to take cyber seriously with real-world examples
“Most board members don’t understand how APIs work, what CI/CD is, and assume an acceptable level of cyber-risk is 0% — even though they’ll write off 10% of transactions to fraud.” – Anthony Johnson
It can be hard to quantify all of the risks an organization takes on due to weak cybersecurity. While widespread cyber attacks are getting more attention in the news, many board members lack the necessary cybersecurity awareness to accurately gauge what’s truly at stake in their organizations.
One strategy is to make the consequences of poor cybersecurity more relatable, by illustrating how cybercrime affects our friends, families, and larger communities. For example, almost everyone knows someone whose identity was stolen or experienced credit card fraud.
“Not only educating them on what happens at a company but what can happen personally, gives you empathy. When it touches something personal, in addition to a company dimension.” – Casey Santos
Amplify those risks to core business KPIs, like customer engagement (Businesswire found 81% of consumers would stop interacting with a brand that had been breached) and you’ll get closer to bringing the point home. Gina Osborne recommends inviting a local member of the FBI to talk to your board members and other upper management about the consequences of poor cybersecurity, and why robust security starts from the top-down.
“Tabletop exercises are impactful, but it has to be personal. At my last firm, I had a security professional use a pineapple device to siphon PII (Personally Identifiable Information – like a social security number or telephone number) from local devices of people in the room … stakeholders were talking about it for months.” — Joshua Aaron
#3 “We’re not going back to the way things were” – making Automation and AI cybersecurity standards
“Thousands of endpoints need to be considered. Some were more prepared than others when dealing with this. When we go back to hybrid, we’re not going back to the way things were.” – Anthony Johnson
It’s no secret that the COVID-19 pandemic accelerated digital transformation efforts much sooner than expected. This left some companies less prepared for the challenges of managing a remote workforce, and their attack surface grew exponentially, almost overnight.
“Attackers are using automation too … if we don’t automate, we’ll be left behind.” — Casey Santos
Panelists recognized that as distributed environments and hybrid working are here to stay, tools to automate and automatically adapt cybersecurity processes are essential to reduce cyber risk now. Threat actors routinely optimize attack strategies with artificial intelligence and automation, and it’s time for organizations to fight fire with fire.
Anthony Johnson also pointed out the risks that remote data access and security response introduce into your IT security plans: “remote working is increasing human error because of the likelihood for distraction [when working from home] versus SOC environments for incident response. Automation is imperative to maintain security now, and likely well into the future.”
#4 Leverage high-visibility cybersecurity news to focus on fundamentals
“SolarWinds woke people up to the vulnerabilities we are facing. It doesn’t change my lens on how important security & tech are to solving this problem, but it makes more and more companies aware and increases their desire to invest more.” – Casey Santos.
Panelists like Casey didn’t see major structural investment into IT security in light of the SolarWinds hack. Moreover, Anthony highlighted that most large businesses appear to have made up for any loss of reputation or business continuity in responding to the breach.
What is more tangible is the pressure third-party vendors have to maintain robust cybersecurity, especially in the IT space. “Supply chain is critically important, but there are fundamental basics, understanding suppliers, vendors, patching — this is what sets the successful organizations apart,” said Anthony Johnson.
Moving forward, Retired Cyber FBI Assistant Special Agent in Charge Gina Osborne encouraged more firms to use HR as an on-ramp to better cybersecurity: train new hires to recognize insider threats and become familiar with access control (e.g. when people move between jobs within an organization, do they retain access to data they no longer need?).
#5 Diversifying the IT talent pool will reap significant rewards — but there’s still a long way to go
“Promote these opportunities to get people engaged. It’s up to all of us to find these junior people and assure them that coding is not a scary thing. There are two companies: those stuck with legacy tech and those moving toward the future.” — Anthony Johnson
A lack of diversity in thought and representation across STEM will hold organizations back from rising to the growing cybersecurity needs of today. Anthony pointed to the relatively small number of women and minority CISOs as a sign that there still need to be genuine, systematic efforts to mentor and train the next generation of cybersecurity professionals.
Casey Santos also pointed to a growing number of public-private collaborations between research universities and private companies like Apple and Microsoft that are working to tip the scales in favor of increased representation of BIPOC and other marginalized communities in cybersecurity circles.