5 Tips to Reduce Insider Risks
The CISO's Guide to Regaining a Measure of Control
The situation: An ambitious Intel employee wanted to do his job of maintaining IT systems more effectively by following a new procedure that saved him 25 percent of his time. So, he took it upon himself to shoot a video and post it on YouTube. Unfortunately, in his attempt to share his accomplishment with his peers, he accidentally exposed proprietary equipment information, which made the chief information security officer very nervous.
"I will not say this could lead to a significant IT breach, but we knew this video would immediately get picked up by media, competitors and search engines," says Malcolm Harkins, CISO at Intel Corp, the chipmaker. "So, our initial reaction is almost like a virus."
Harkins knew there was no malicious intent. The employee either did not fully understand the social media policy or did not grasp its ramifications. In response to the incident, Harkins created a new awareness program for employees such as this one, who tried to do the right thing but made a mistake in the process. He had these employees put in extra work hours and engaged them to identify possible gaps in the social media policy, then coached them on IT security best practices.
This case clearly illustrates how information controls are slipping from the organization into the hands of the end-user. And Harkins, like many other CISOs, is trying to balance security and privacy against the loss of control brought on by new technologies such as social media, cloud computing and mobility.
"The action and manifestation of risk is not necessarily evident to today's users in the way it was in the past," Harkins says, "and that creates a big inherent challenge for a CISO."
'You Can't Stop the Future'
Intel's experience is typical of the new jitters CISOs face as they see their technical product data, sales data and customer information become accessible through employees' mobile devices, third-party vendors and social media networks. "In the past, we had our data and information nailed to our networks and organization, but now you can't stop the future - information is everywhere," says Theresa Masse, CISO for the State of Oregon.
"These are all new attack vectors and avenues to exploit the weakest link, the human in the process," says John South, CISO at Heartland Payment Systems, a payment card processor. "I cannot stop thinking about what the next attack will be. How will it be perpetrated? What technologies will be used? What confidential information will get exposed? And what will be the potential damage?"
South finds that younger workers in particular want to use personal devices for business, often without understanding the security implications of accessing corporate information from those devices.
"If a device falls into the wrong hands, the impact on a company's competitive positioning, brand and reputation could be severe," South says.
For Masse, the concern is that state agencies are embracing cloud capabilities without a complete understanding of information security in the context of enterprise risk, or of how their data needs to be protected.
"Business units take risks they don't understand," she says. For instance, most cloud service providers promise 24/7 availability, but their data centers can still go down. What happens in such situations? How is data security managed? What back-up procedures do these providers have? "You don't want to be the person impeding progress, but agencies need to know the legal and security implications of moving data outside our controls."
5 Tips for Retaining Control
In response to this growing loss of control, CISOs are implementing IT security policies and new awareness programs. "I am constantly turning the Rubik's cube of risk in my head and trying to balance these interesting changes in the risk dynamics, in a way that we are not shying away from the new technologies," Harkins says.
Among suggestions for retaining appropriate measures of control:
- Build on Business Acumen: To be effective as leaders, CISOs need to increase their business influence and impact. Blocking certain capabilities outright and saying "That's not allowed in our environment" will probably generate more risk, Harkins says, because employees will then bring their personal devices into the workplace anyway and introduce additional risk.
So CISOs need to constantly seek input from business leaders when devising policies around these channels, to ensure they understand what their safeguards mean for the business. For example, embracing consumerization increases the number and diversity of devices and operating systems in an organization. On one hand, Harkins says, that actually helps reduce risk, because the company no longer has a single point of failure or a single platform whose compromise affects everyone. Security leaders need to understand how to balance that risk against what is best for the business, and then craft policies that define how employees will be allowed to use their own devices on the corporate network.
- Be Prepared: Given the reality of today's workplace, CISOs need to invest the right time and resources in preparing for the worst, says South. At Heartland, he invests time to test and re-test his staff's incident response and security monitoring activities, to ensure that when an incident occurs, the plan is comprehensive enough to account for all current threats.
- Implement an Effective Social Media Policy: In the State of Oregon, Masse spends substantial time meeting business stakeholders and agency heads to ensure they adopt policies that address the emerging risks from these channels. For instance, the state agencies have set very clear guidelines for employee expectations and appropriate behavior when using social networks.
A sample from Oregon's employee expectation guidelines:
"Take care to ensure that personal use of social media when you are off duty does not negatively impact the workplace, your co-workers or the agency. As citizens who are public employees, we can express ourselves as individuals about matters of public concern, but we must not imply that our personal opinions reflect the views of state government or our agency. This applies to whether you use personal equipment or the state's information technology assets. When providing your personal opinion on matters that involve the agency, provide a disclaimer similar to the following: This is my personal opinion, and I am not representing the official position of my agency."
The state also takes disciplinary action, on a case-by-case basis, against employees who are negligent in following these policies.
- Implement Active Monitoring Activities: In light of the uncertainties surrounding emerging technologies, South exercises granular control over the types and behaviors of applications running on mobile and social computing platforms. He invests in Internet perimeter technologies and security policies that minimize enterprise risk by restricting application downloads on mobile devices and controlling access based on the classification and sensitivity of the information being shared. These security controls alone do not guarantee that an employee will not inappropriately share sensitive information, South says.
"It's how we personally engage and continually update our technologies and people in addressing new types of threats that will give CISOs greater visibility and control over what our employees can do on these channels."
- Emphasize Awareness and Training: At Intel, Harkins runs an aggressive training program on social media and IT security best practices for end-users, covering concepts such as how to perceive IT risk. Users don't necessarily see that posting personal information about themselves on a social media site can make them the target of a targeted attack, or that clicking on a link can expose them to malicious software that infects the company's systems and data. "They don't see these threats while doing social computing, and this is the biggest vulnerability," he says. In these training sessions, he discusses real-world scenarios and mistakes made by Intel employees to make them aware of their actions and the consequences.