Today, I am going to talk about a term that is used widely in Cybersecurity, but it is not technojargon. Rather, it is a word that is used in everyday language, and this is “Trust”. In the world of Cyber, we hear about the Zero Trust Framework, the Circles of Trust, Implicit Trust, blah, blah, blah. But now the question is: “How much trust do we place in the people and machines that we encounter on a daily basis?”
This is a tough question to answer, as it is up to each individual to decide. But when it comes to the protection of digital and physical assets, a study from Kroll, entitled the “2023 State of Cyber Defense”, found some interesting trends:
* Only 37% of CISOs have faith that the company they work for has implemented all reasonable means of Cyber defense.
* More mistakes are being made when installing security tools, such as Network Security Devices.
* Most striking, CISOs have more trust in the regular employees than in their own IT Security team.
The report can be downloaded at this link:
http://cyberresources.solutions/blogs/Kroll_Report.pdf
Obviously, the first thing that comes to mind is that a CISO (or even a vCISO) should, for the most part, have complete (or at least mostly complete) trust in their IT Security team. After all, who can they count on to put out the fires when the going gets tough? This kind of Trust can also be referred to as “Misguided Trust”. A formal definition of it is as follows:
“It is loyalty placed in other persons or organizations where that loyalty is not acknowledged, is not respected, is betrayed, or is taken advantage of.”
(SOURCE: https://en.wikipedia.org/wiki/Misplaced_loyalty)
So what can be done to help improve this issue of misguided trust between CISOs and their IT Security teams? Here are some tips that can be easily followed:
1) Don’t assume!!!
It is human nature that managers will always have a layer of assumption ingrained into their thinking. This can be a good thing and a bad thing, but unfortunately it errs much more towards the latter. When it comes to the CISO, they assume that everybody in the company will understand what they are talking about, all the way down to the administrative assistant. The CISO thinks that through just one round of training, all employees will be well versed in how to combat a Phishing threat. But this is not true. Some employees may learn quickly, but the truth of the matter is that most employees will not pick it up the first time. It is quite likely that they will need repeated training, over and over again, at regular intervals. So as a CISO, you should never assume that employees know what you know!!!
The rule of thumb here is to walk a mile in each employee’s shoes. In other words, look at the job titles of the people you will be training, and customize the training around those titles and the department they work in.
2) Set up metrics and KPIs:
Nobody likes to be gauged this way, but the harsh reality is that this is the only way to hold people accountable. This is obviously the case with people in sales. But what about an IT Security team? These can be a bit harder to figure out, but some of the best ones are how quickly the team can at least detect and respond to a threat variant. I don’t think it is a fair metric to judge how long it takes to put something out, because each threat vector can have varying levels of impact. But the bottom line here is that accountability will lead to a greater level of trust that is not misguided!!!
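To make the detection and response KPIs described above concrete, here is an added example (written for this post, not code from the blog or from the Kroll report) that computes median time-to-detect and time-to-contain per threat category from a handful of constructed incident records, and flags the incidents that blew past a per-category detection target. Splitting by category is the point: it lets the team be held to a realistic target for each threat vector rather than one blended number. The incident rows, category names and target values are all made up for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample incident log (not real data): each row is
# (threat_category, first_malicious_activity, detected_at, contained_at)
INCIDENTS = [
    ("phishing",   "2023-03-01T09:00", "2023-03-01T09:40", "2023-03-01T11:10"),
    ("phishing",   "2023-03-04T14:05", "2023-03-04T14:20", "2023-03-04T15:00"),
    ("malware",    "2023-03-07T02:00", "2023-03-07T08:30", "2023-03-08T10:00"),
    ("malware",    "2023-03-12T22:15", "2023-03-13T00:15", "2023-03-13T06:15"),
    ("ransomware", "2023-03-20T01:00", "2023-03-20T03:00", "2023-03-25T03:00"),
]

# Hypothetical per-category detection targets in minutes; a real team would
# set these from its own risk appetite, not from this example.
DETECT_TARGETS_MIN = {"phishing": 30, "malware": 240, "ransomware": 60}

_FMT = "%Y-%m-%dT%H:%M"


def _minutes_between(start: str, end: str) -> float:
    """Elapsed minutes from start to end, both in the _FMT timestamp format."""
    delta = datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)
    return delta.total_seconds() / 60


def detection_response_kpis(incidents):
    """Per-category incident count and median time-to-detect / time-to-contain.

    Time-to-detect runs from first malicious activity to detection;
    time-to-contain runs from detection to containment. Records whose
    timestamps are out of order are rejected rather than silently skewing
    the medians.
    """
    by_cat = {}
    for cat, started, detected, contained in incidents:
        ttd = _minutes_between(started, detected)
        ttc = _minutes_between(detected, contained)
        if ttd < 0 or ttc < 0:
            raise ValueError(f"timestamps out of order for {cat} incident at {started}")
        bucket = by_cat.setdefault(cat, {"ttd": [], "ttc": []})
        bucket["ttd"].append(ttd)
        bucket["ttc"].append(ttc)
    return {
        cat: {
            "count": len(v["ttd"]),
            "median_ttd_min": median(v["ttd"]),
            "median_ttc_min": median(v["ttc"]),
        }
        for cat, v in by_cat.items()
    }


def detection_target_misses(incidents, targets):
    """Incidents whose time-to-detect exceeded the target for their category.

    Returns a list of (category, first_malicious_activity, ttd_minutes).
    """
    misses = []
    for cat, started, detected, _contained in incidents:
        ttd = _minutes_between(started, detected)
        if cat in targets and ttd > targets[cat]:
            misses.append((cat, started, ttd))
    return misses


if __name__ == "__main__":
    for cat, kpi in detection_response_kpis(INCIDENTS).items():
        print(f"{cat:11s} n={kpi['count']} "
              f"median TTD={kpi['median_ttd_min']:.0f} min "
              f"median TTC={kpi['median_ttc_min']:.0f} min")
    for cat, started, ttd in detection_target_misses(INCIDENTS, DETECT_TARGETS_MIN):
        print(f"missed detection target: {cat} started {started}, TTD {ttd:.0f} min")
```

Medians are used rather than means so that one long-running ransomware case does not drag the whole team's number, which is exactly the unfairness the passage warns about when a single figure is used across very different threat vectors.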
3) Don’t take things for granted:
Whenever there is a tech issue with a server or a workstation, the natural feeling is that employees will take it for granted that the IT Department will fix it within minutes. But this is not true. The same holds for the IT Security team. When a security breach happens, people think that it will be put out in a few minutes. But the truth of the matter is that this is not the case. It can take days, or even weeks. The full time to recovery can take even months, depending upon the severity of the breach.
This is where employees should not take these teams for granted, and the reverse is also true. The CISO should not assume that the existing processes in place will fix the problem. While this should be the case, they won’t unless they are tested and retested on a regular basis, and updated with the needed software and firmware patches.
4) Involve everybody:
When developing the Cyber goals and objectives, the CISO must craft their plans so that all key stakeholders, and even all employees, are involved to some degree or another. The CISO must be transparent and honest in everything that they do, so that for the most part, everybody will be on the same page. But probably the most important thing to remember here is to maintain an open line of communications!!! People want to be heard and respected, and so does the CISO. The only way to have this is to keep that direct line open 24 X 7 X 365.
My Thoughts On This:
As mentioned earlier in this blog, the Zero Trust Framework is a methodology where absolutely nobody can be trusted. I should know, as I have already written numerous published books and eBooks on this topic. But in the end, there will always have to be some level of faith and trust. The question is how to go about building it up properly, so that it does not become “Misguided”.