Holding all employees accountable: Ensuring security across the enterprise

Holding all employees accountable: Ensuring security across the enterprise

430 readers like this
CIO Security Eye

DomainTools is in the business of helping companies assess and protect against cyber threats. As such, it would be more than a little embarrassing if the company itself fell victim to such a threat. The job of making sure that doesn’t happen falls largely on its CTO, Dr. Bruce Roberts. He heads up the IT group for the firm, wrote the company’s security policy document and is heavily involved in security training. But, as he’s quick to point out, ensuring security really involves everybody in the company, as it should in any enterprise.

CIO_Q and A

The Enterprisers Project (TEP): How do you get across the notion that security isn’t just an IT issue, that everyone is responsible in some way?

Roberts: I started pitching it to the company as, “We’re in the security space, we’re targeted. Do you want to be the employee whose laptop is compromised, leaving our CEO to have to go to a press conference about a breach of customer information?” I say this nicely, but people sit back and think, “Yeah, that’s probably not a good thing.” So that helps.

People want to do the right thing. They want to do their jobs well; they don’t want to be the person responsible for a breach. So you have to educate them and provide information in multiple forms. We do written documents, presentations, posters. We talk about breaches as case studies. I work closely with everybody here and the executive team to develop these policies and processes not in a vacuum but to get their support, so they can then bring the policies to their reports.

I also publicize specific phishing attacks. For example, there was a W2 scam going around, where people were sending emails to HR saying, “Please send us all the W2 forms.” We were targeted, but our HR manager, who’s been through the training I give, immediately brought it to my attention and knew exactly what it was. I made sure the rest of the company knew about it as well, so they understand the danger is real.

TEP: What kinds of things are in your policy manual that may be unusual?

Roberts: If you receive a USB stick at a conference as schwag, it doesn’t go on to our corporate computers. You bring it to me and I destroy it, because there are a lot of infection vectors that can come in through USB sticks. That’s probably the most unusual one.

TEP: What do you see as the largest threats looming on the security horizon that enterprises aren’t really talking about yet?

Roberts: One is adaptation. We see this on a regular basis. The bad guys change the way they do certain things when they know they can now be caught. We don’t talk a lot about how the other side has a lot of really smart humans and they’re going to evolve and change as [defense] systems change. Any product, any algorithm you build, any research method you use, has to understand that’s the case.

TEP: What do you do about that? How do you deal with it?

Roberts: You have to not rest on your laurels and think you’ve got a great system protecting you, and that you don’t have to continue to hunt for new techniques. As the individual responsible for internal security, I have to look for new anomalies or behaviors in my network and in my users’ computers that I haven’t seen before. You also have to to continue to pay attention to information out there about breaches that occur. You need to be able to understand this is a new novel technique that someone used to attack a company and make sure you understand how to protect against that.

The other thing that’s really a challenge is the sheer scope of vulnerabilities. It may get to a point where I can’t buy an unconnected fridge. That means, as an industrial user, maybe I’ve got fridges floating around in my enterprise that are connected to the network. Now I’ve got all sorts of little things in my enterprise to worry about. The Internet of Things is not just about the home – it’s about everywhere. So that’s going to bring additional vulnerabilities into enterprises that they may not think very carefully about. And sheer scope – there’s so many things out there with software in it that can be vulnerable and can be abused.

TEP: You ask employees to send you any phishing emails that you get, so you can examine them. Is there anything new or interesting you’ve been seeing lately?

Roberts: We see more targeted emails, more spear phishing than just phishing. It’s interesting the things that sometimes give it away, like using the wrong form of somebody’s name, maybe “Robert” when the employee always goes by “Bob.” We’ve had emails like that addressed to our VP of finance and our HR manager. But they’re trained to look for oddities and so immediately saw these as suspicious. Those are the things that suggest the training we do is valuable.

Paul Desmond has been working as an IT trade press reporter, writer and editor since 1988.  He has extensive experience covering a range of technologies, including networks, unified communications, security, storage, virtualization and application strategies.

7 New CIO Rules of Road

CIOs: We welcome you to join the conversation

Related Topics

Submitted By Carla Rudder
February 28, 2020

EQ is a must-have trait in IT today - but that doesn't mean all leaders have mastered this skill set. Take our poll to weigh in on the low-EQ traits that bug you the most.

Submitted By Carla Rudder
February 27, 2020

Are you leading or working in a DevOps team where some people work remote? Building a healthy culture presents some challenges - but experts say remote teams can become masters of collaboration and flexibility. 

Submitted By Bernd Greifeneder
February 27, 2020

Dynatrace CTO Bernd Greifender explains how an evolution of the "no operations" approach is making life easier for engineers and improving customer experience.


Email Capture

Keep up with the latest thoughts, strategies, and insights from CIOs & IT leaders.