Saturday, September 16, 2023

How To Fix Misplaced Trust In Cyber: 4 Golden Tips

Today, I am going to talk about a term that is used widely in Cybersecurity, but it is not technical jargon.  Rather, it is a word that is used in everyday language, and this is “Trust”.  In the world of Cyber, we hear about the Zero Trust Framework, the Circles of Trust, Implicit Trust, blah, blah, blah.  But now the question becomes: “How much trust do we place in the people and machines that we encounter on a daily basis?”

This question is a tough one to answer, as it is up to each individual to decide.  But, when it comes to the protection of digital and physical assets, a study from Kroll, entitled the “2023 State of Cyber Defense”, found some interesting trends:

* Only 37% of CISOs have faith that the company they work for has implemented all reasonable means of Cyber defense.

* More mistakes are being made when installing security tools, such as Network Security Devices.

* Most striking, CISOs have more trust in regular employees than in their own IT Security team.

The report can be downloaded at this link:

http://cyberresources.solutions/blogs/Kroll_Report.pdf

Obviously, the first thing that comes to mind is that a CISO (or even a vCISO) should, for the most part, have complete (or at least nearly complete) trust in their IT Security team.  After all, who can they count on to put out the fires when the going gets tough?  When that trust is not honored, it becomes what can be referred to as “Misguided Trust”.  A formal definition of it is as follows:

“It is loyalty placed in other persons or organizations where that loyalty is not acknowledged, is not respected, is betrayed, or is taken advantage of.”

(SOURCE:  https://en.wikipedia.org/wiki/Misplaced_loyalty)

So what can be done to help improve this issue of misguided trust between the CISOs and their IT Security teams?  Here are some tips that can be easily followed:

1) Don’t assume!!!

It is human nature that managers will always have a layer of assumption ingrained into their thinking.  This can be a good thing and a bad thing.  But unfortunately, it errs much more towards the latter.  When it comes to the CISO, however, they assume that everybody in the company will understand what they are talking about, all the way down to the administrative assistant.  The CISO thinks that through just one round of training, all employees will be well versed in how to combat a Phishing threat.  But this is not true.  Some employees may learn quickly, but the truth of the matter is that most employees will not pick it up the first time.  It is quite likely that they will need repeated training, over and over again, at regular intervals.  So as a CISO, you should never assume that employees know what you know!!!  The rule of thumb here is to walk a mile in each of the employees’ shoes.  In other words, look at the job titles of the people you will be training, and try to customize the training around that and the department that they work in.

2) Set up metrics and KPIs:

Nobody likes to be gauged by these, but the harsh reality is that this is the only way to hold people accountable.  This is obviously the case with people in sales.  But what about for an IT Security team?  These can be a bit harder to figure out, but some of the best ones are how quickly they can at least detect and respond to a threat variant.  I don’t think it is a fair metric to judge how long it takes to put something out, because each threat vector can have a varying level of impact.  But the bottom line here is that accountability will lead to a greater level of trust that is not misguided!!!
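As an added illustration (not from the original post), here is one way to compute the two KPIs the text favors, time to detect and time to respond, over constructed incident records, while leaving time to full recovery unscored as the text argues.  The incident records, the per-severity targets and the function names are hypothetical.

```python
from datetime import datetime
from statistics import median

# Constructed incident records (hypothetical sample data, not taken from the Kroll report).
# Each record has the timestamps the two KPIs need: when the activity started, when the
# team detected it, and when the team first responded. Time to full recovery is kept
# but deliberately not scored, since each threat vector carries a different impact.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "occurred": "2023-09-01T08:00",
     "detected": "2023-09-01T08:30", "responded": "2023-09-01T08:45",
     "recovered": "2023-09-03T17:00"},
    {"id": "INC-2", "severity": "high", "occurred": "2023-09-05T13:00",
     "detected": "2023-09-05T13:10", "responded": "2023-09-05T13:40",
     "recovered": "2023-09-05T18:00"},
    {"id": "INC-3", "severity": "medium", "occurred": "2023-09-08T09:00",
     "detected": "2023-09-08T15:00", "responded": "2023-09-08T16:00",
     "recovered": "2023-09-15T12:00"},
    {"id": "INC-4", "severity": "medium", "occurred": "2023-09-12T10:00",
     "detected": "2023-09-12T11:00", "responded": "2023-09-12T20:00",
     "recovered": "2023-09-13T09:00"},
]

# Hypothetical per-severity targets in minutes: (max time to detect, max time to respond).
TARGETS = {"high": (15, 30), "medium": (240, 480)}

def minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def kpis_by_severity(incidents):
    """Median time-to-detect and time-to-respond (minutes) per severity; medians keep one outlier from dominating."""
    buckets = {}
    for inc in incidents:
        b = buckets.setdefault(inc["severity"], {"ttd": [], "ttr": []})
        b["ttd"].append(minutes_between(inc["occurred"], inc["detected"]))
        b["ttr"].append(minutes_between(inc["detected"], inc["responded"]))
    return {sev: {"median_ttd": median(b["ttd"]), "median_ttr": median(b["ttr"]),
                  "count": len(b["ttd"])} for sev, b in buckets.items()}

def over_target(incidents, targets):
    """IDs of incidents whose detect or respond time exceeded the target for their severity."""
    late = []
    for inc in incidents:
        max_ttd, max_ttr = targets[inc["severity"]]
        if (minutes_between(inc["occurred"], inc["detected"]) > max_ttd
                or minutes_between(inc["detected"], inc["responded"]) > max_ttr):
            late.append(inc["id"])
    return late
```

Reviewing the per-severity medians alongside the list of incidents that missed their targets gives the CISO a conversation starter with the team, rather than a single number to argue over.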

3) Don’t take things for granted:

Whenever there is a tech issue with a server or a workstation, the natural feeling is that employees will take it for granted that the IT Department will fix it within minutes.  But this is not true.  The same is true of the IT Security team.  When a security breach happens, people think that it will be put out in a few minutes.  But the truth of the matter is that this is not the case.  It can take days, or even weeks.  The full time to recovery can take even months, depending upon the severity of it.  This is where employees should not take these teams for granted, and the reverse is also true: the CISO should not assume that the existing processes in place will fix the problem.  While this should be the case, they won’t unless they are tested and retested on a regular basis, and updated with the needed software and firmware patches.

4) Involve everybody:

When developing the Cyber goals and objectives, the CISO must craft their plans so that all key stakeholders, and even all employees, are involved to some degree or another.  The CISO must be transparent and honest in everything that they do, so that for the most part, everybody will be on the same page.  But probably the most important thing to remember here is to maintain an open line of communication!!!  People want to be heard and respected, and so does the CISO.  The only way to have this is to keep that direct line open 24 x 7 x 365.

My Thoughts On This:

As mentioned earlier in this blog, the Zero Trust Framework is a methodology where absolutely nobody can be trusted.  I should know, as I have already written numerous published books and eBooks on this topic.  But in the end, there will always have to be some level of faith and trust.  The question is how to go about building it up properly, so that it does not become “Misguided”.
