CHAPTER 10
A Culture of Security for All

A part of governance, risk, and compliance campaigns is “setting a tone from the top.” Executive management should point out different types of cybersecurity threats and how they can be recognized. It should then be clear on what part IT plays in preventing the cyberattacks, and what part everyone else plays. Right now, I don’t know where this line is drawn. In the arena of cybersecurity, what should I worry about versus what is IT tasked with preventing?

Respondent, McAfee Online Ethnographic Study

The headline for the short article was barely noticeable, buried at the bottom of the page, along with a feature on the upcoming high school football game. Those who looked closer may have dismissed it outright as hysterical doomsday prophecy: “Is World Series Quake Coming?” Four days later, the magnitude 6.9 Loma Prieta earthquake struck, killing 63 people in its wake, causing billions of dollars in damage and disrupting Game 3 of the World Series at Candlestick Park.[1]

Earthquakes are terrifying specters of nature. Every day, several hundred occur worldwide, though most of us don’t even notice them. They’re relatively small in nature—magnitude 2 or less. Major earthquakes, greater than a magnitude 7, happen more than once a month. Great earthquakes of at least a magnitude 8 hit about once a year. Unlike their smaller siblings, we notice these major and great quakes. Even if we’re lucky enough to be spared Mother Nature’s wrath, the media ensures we recognize her devastation by filling our screens with the images of fallen buildings and victims in her path of destruction.

What makes earthquakes terrifying is their certainty. There’s no getting around an earthquake happening. Earth is active. Its plates are shifting. There’s no escaping this phenomenon.

And yet, for all their certainty, earthquakes are completely unpredictable. There’s no way to forecast an earthquake. That single point of distinction separates earthquakes from other natural disasters, like hurricanes, tornadoes, and floods, where scientific models can help people avoid a deadly strike.

Not so with earthquakes. They hit without warning. The United States Geological Survey (USGS) makes the point unequivocally clear on its website: “Neither the USGS nor any other scientists have ever predicted a major earthquake. We do not know how, and we do not expect to know how any time in the foreseeable future.”[2]

So when Jim Berkland, a county geologist, provided that unbelievably accurate (or extremely lucky) prediction of the mag-6.9 quake that rocked Loma Prieta back in 1989, those who missed the obscure headline days before were certainly taking notice of it after the dust settled.

Berkland used scientific indicators, like the presence of high tides and the position of the moon, to inform his predictions, of which Loma Prieta was one of 300 he had made in the past 15 years. In addition, one more data point Berkland included in his black box to calculate the probability of the quake was the number of missing animals reported in local pet classifieds leading up to the event. His theory in including this unconventional metric? Pets run away when sensing an impending earthquake.[3]

This hypothesis isn’t new. For centuries, prognosticators have suggested that animals have a veritable sixth sense, capable of feeling vibrations or detecting electrical changes in the air or gas imperceptible to humans.

Science hasn’t been able to prove any such sixth sense exists—so far. Studies abound looking for the linkage between strange animal observations and a subsequent quake. Indeed, there are scores of anecdotal data points recording animals retreating, acting frantically, or otherwise exhibiting unusual behavior, though the body of “proof” lacks the rigor of controlled scientific experimentation needed to clearly link cause and effect.

But within this research, there does appear to be evidence that animals can, in fact, sense earthquakes before they occur. That’s not to say they can predict a quake, but they do seem to detect foreshocks, mild tremors that precede violent shaking, that are indiscernible by humans.

While the jury may still be out on whether unusual animal behavior can help humans forecast an earthquake, there is at least some evidence to show that animals are more in tune with subtle abnormalities in their environment—even if only by being on heightened alert just before disaster strikes—than humans are. Those few moments, however fleeting, can mean the difference between an animal’s life or death.

I believe the same is true for organizations that summon the power of the crowd—the proverbial herd instinct—to acquire and develop a sixth sense for cyber threats that is generally lacking in their counterparts. It happens when every employee hones her capabilities for practicing sound cybersecurity defense. More importantly, it occurs when the role of cybersecurity becomes so inextricably intertwined in the day-to-day job of every employee that the collective sixth sense of the organization amplifies the detection of threats before irreparable damage can ensue.

Let’s put a culture of security in place across your entire organization.

There’s something every employee can do and every functional leader can adopt to embed cybersecurity in the daily fabric of the workplace, to bring the might of the 12th Man to the cybersecurity field and the sixth sense of the collective herd to the first-order fight of the digital sphere.

To that end, this chapter sums up key questions and actions for every employee, manager, executive, and board member.

You’ve now been enlisted.

W.I.S.D.O.M. for the CEO/Board Member

  • Allocate at least 90 minutes to an upcoming board agenda to have your CISO give a meaningful view into your current cybersecurity posture.
  • Immediately reallocate budget to assets that are both highly strategic and highly vulnerable.
  • Spend at least 30 minutes in each board meeting discussing the topic of cybersecurity.
  • Have your CISO report on the status of red-teaming exercises (also known as penetration testing). Insist on these exercises as a discipline.
  • Consider appointing a board member with cybersecurity expertise.

W.I.S.D.O.M. for the Employee

  • Do not fall for social engineering campaigns. Be on the lookout for telltale signs of a malicious email, such as a sender’s email address that doesn’t match who the message claims to be from. Don’t click on a link from an unknown source.
  • Be proactive and report any suspicious emails to your cybersecurity team immediately.
  • Ensure security patches on laptops, mobile devices, and other personal technologies remain current. Don’t delay a security update when it is pushed by your security organization.
  • Practice strong cybersecurity hygiene—use strong passwords, don’t reuse passwords, and avoid unencrypted USB devices.

W.I.S.D.O.M. for the Product Developer

  • Ask customers about their cybersecurity requirements as part of the discovery phase.
  • Make security part of any minimum viable product requirements.
  • Define your data requirements clearly and consciously in the design of any new product or service.
  • Build security ownership into each phase of the product lifecycle.
  • Stop the line should security be lacking or missing at any point of the product launch process. Reward and publicly recognize other employees across the company for doing the same.

W.I.S.D.O.M. for the HR Professional

  • Expand the aperture for cybersecurity talent—men and women, minorities and non-minorities, arts and sciences (STEAM). Review current cybersecurity job postings to look for diverse skills. Look for interview questions that contain unconscious bias, including popular varieties like, “Tell me about a time when . . .” or “Tell me about the latest hot innovation in cybersecurity.” Place at least one diverse leader on each interview panel.
  • Search your company values and see where you can add the word securely (or its derivative) to change their scope without altering their purpose.
  • Reward and recognize behaviors that bolster your company’s cybersecurity defense.
  • Work with your CISO to identify and control access privileges for your organization’s most valuable assets. Find a confidential, nonthreatening way for conscientious employees to blow a whistle or raise a flag when they see something resembling a malicious insider threat. When they do, reward them appropriately.
  • Ensure every member of the executive team has at least one cybersecurity key performance indicator (KPI).

W.I.S.D.O.M. for the Marketer/Communicator

  • Build a multifaceted communications plan with explicit executive buy-in. The plan should include answers to the following questions:
    • Even if the law didn’t require it, would you notify?
    • What if your company wasn’t responsible for the attack? How would that change the tone of your message? (Consider breach-by-association and data weaponization use cases as examples.)
    • When would you notify?
    • Whom would you notify?
    • What would you say if you didn’t have all information right away?
    • What would you be willing to offer customers as compensation or as a show of victim-centered empathy (such as free identity protection or offering to cover customer losses from a credit card breach, for example)?
  • Create the communications templates for each scenario identified in your plan. Leave placeholders to answer the following questions in your templates:
    • Who was impacted?
    • What data and/or systems were lost, stolen, and/or otherwise compromised?
    • Over what period did the breach occur?
    • What precautionary action do stakeholders need to take?
    • What actions is your company taking to correct the problem and mitigate the risk of it happening again?
  • Design the tick-tock schedule for every attack scenario.
  • Be sure your plan includes employees, whether employee records are breached or not.
  • Practice a communications drill of your plan at least once a year.

W.I.S.D.O.M. for the Finance Professional

  • Help CISOs and their teams speak the language of the business—risk management—by asking questions like:
    • What asset(s) are at risk?
    • What is the strategic value of the asset(s)?
    • What is the current level of vulnerability for the asset(s)?
    • What are the consequences (financial damages, intellectual property exposure, reputational risk) in the event of a breach?
  • To ensure cybersecurity is not an afterthought, CFOs should ask the following for business cases submitted by other leaders:
    • How does the new [market, internal technology, customer product, etc.] change the attack surface for the company?
    • How does it alter the risk profile of the company’s most strategic assets?
    • [Assuming risk is increased] What additional investment is required (one-time and recurring) to bring the risk profile to its acceptable baseline? Is this investment included in the ROI analysis?
  • Mitigate risk as efficiently as possible by asking CISOs questions like:
    • How much investment in cybersecurity has been made in products still sitting on the shelf (shelfware)?
    • What is the plan for deploying those products?
    • When was the last audit performed to ensure security products are configured properly? What were the results?
    • When was the last penetration testing performed? What were the results? (Penetration testing was covered in Chapter 2 and refers to testing the effectiveness of an organization’s cybersecurity posture, typically by paying third parties to attempt to breach the company’s defenses.)
    • When was the last cybersecurity training conducted for all employees? What were the results?
  • Mitigate third-party risk by vetting vendors with an assessment of their security posture, including:
    • Looking at how the third party assesses and updates access rights and privileges.
      • Do you review user access rights at regular intervals to ensure that each user’s access is limited to the least privilege required for their job role?
      • Is timely deprovisioning, revocation, or modification of user access to the organization’s systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties?
    • Understanding their business continuity process and how often they test it.
      • Do you have Business Continuity and Disaster Recovery Plans for planned and unplanned outages and do you test the plans at least annually? If yes, please describe the types of tests performed.
      • Do you record backups with regularity so that any corruption of data can be recovered with the backup, resulting in only an acceptable amount of data loss? Is restoration from those backups tested regularly?
    • Searching their change control guidelines for new users and/or new software for their systems.
      • Have all default usernames and passwords been changed on all of your systems?
      • Do you have controls in place to monitor and restrict the installation of unauthorized software onto your systems (e.g., uploaded malware, disable autorun, excessive admin privileges)?
    • Clarifying how any data passed between your company and theirs will be used, protected, and disposed of at the appropriate time (upon contract termination and/or in accordance with compliance standards).
      • Do you have procedures in place to ensure that production data shall not be replicated or used in non-production environments?
      • Is data destroyed securely from storage when the drives or data are no longer needed? Do you destroy non-functional hard disk drives before disposal or warranty return?
      • Do you ensure destruction of all confidential data within 30 days of termination of contract?
    • Knowing how they encrypt data at various states (at rest, in use, and in motion).
      • Is data encrypted when it moves between nodes, modules, instances, or virtual servers? If not, is there an option to add this capability? Describe the encryption used.
      • Is data encrypted when it is at rest (e.g., stored in a database, stored on a backup tape, etc.)? If not, is there an option to add this capability? Describe the encryption used.
    • Assessing how they train their employees on cybersecurity awareness and hygiene protocol.
      • Does your organization have a security awareness and training program?
      • Does the organization ensure that personnel are annually trained in the organization’s security policies and required to know changes or updates to these policies?
      • Does the organization ensure that all personnel with access to confidential data have information security training for their respective roles?
      • Does the organization ensure that all personnel with access to personally identifiable information (PII) complete a privacy training class and are knowledgeable of any specific privacy requirements for the data being handled?
  • For your most strategic suppliers, consider hiring a third party to audit their security practices once a year.
  • If there is the slightest concern that one of your third parties looking to promote a relationship with your company does not hold itself to the cybersecurity standards you require, don’t allow them to promote it.

W.I.S.D.O.M. for the Cybersecurity Professional

  • Sound cybersecurity hygiene is nonnegotiable. Keep patches updated—on both physical and virtual infrastructure. Review your internal communications plan for notifying administrators of a vulnerability, including a periodic review of distribution lists to confirm accuracy. Deploy the security products you have already bought but never installed (shelfware). Ensure proper configurations of security defenses. Back up your data (and test the backup system). Conduct regular penetration testing and provide regular readouts on progress to executives and board members.
  • CISOs and CIOs must align on metrics and goals. Establish roles and responsibilities for proper cybersecurity hygiene, including patching, backups, multifactor authentication and the like, at the beginning of each planning cycle.
  • Identify and allocate what portion of the budget will serve IT versus cybersecurity. Agree to key performance indicators (KPIs) and service level agreements (SLAs) to prioritize efforts and resolve disputes when they arise.
  • Invest in technologies that drive your business value up and your adversaries’ value down.
    • Cloud access security broker (CASB) technologies help secure sanctioned and unsanctioned cloud services.
    • Deception technologies distract and confuse adversaries.
  • Use artificial intelligence (AI) capabilities to identify the most advanced threats and address the talent shortage, but know its limitations. AI creates more false positives. Traditional threat intelligence has more false negatives. Both together yield high efficacy with lower false positives.
  • Carry the culture flag for cybersecurity at your company.
    • Spread it vertically by speaking the language of the boardroom and its executives (risk management). Partner with the finance organization to translate cyber-speak into metrics and outcomes most understood and valued by the board.
    • Spread it horizontally through culture awareness campaigns. Hire a communications expert to work with HR and Marketing to develop effective campaigns that make cybersecurity part of everyone’s day job. Deliver actionable scorecards to functional peers that measure employee understanding of cybersecurity principles and adherence to company policies.
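The point made above about artificial intelligence (more false positives) versus traditional threat intelligence (more false negatives) is easy to check with numbers. The following is an added example, not code from the book or from McAfee: it scores a small, hand-labelled set of constructed outbound-connection events with an anomaly-score rule, a blocklist rule, and a combined rule that accepts any blocklist hit but demands a stricter score when the model is the only evidence. The anomaly scores, the hypothetical blocklist, and the RFC 5737 TEST-NET addresses are all assumptions made up for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    """One outbound-connection event (constructed sample data)."""
    host: str
    dest_ip: str
    anomaly_score: float   # 0..1 from a hypothetical ML detector
    malicious: bool        # ground-truth label, set by hand for this example


# Hypothetical threat-intel blocklist; addresses are RFC 5737 TEST-NET placeholders.
TI_BLOCKLIST = {"203.0.113.7", "198.51.100.23"}

# Constructed labelled events: two known-bad destinations (one with a low model
# score), two novel malicious destinations the blocklist does not know about,
# three benign-but-anomalous hosts (think a software-update burst), and two
# ordinary benign hosts.
EVENTS: List[Event] = [
    Event("ws-01", "203.0.113.7",   0.90, True),
    Event("ws-02", "192.0.2.44",    0.88, True),
    Event("ws-03", "192.0.2.45",    0.80, True),
    Event("ws-04", "198.51.100.23", 0.30, True),
    Event("ws-05", "192.0.2.10",    0.83, False),
    Event("ws-06", "192.0.2.11",    0.79, False),
    Event("ws-07", "192.0.2.12",    0.77, False),
    Event("ws-08", "192.0.2.13",    0.10, False),
    Event("ws-09", "192.0.2.14",    0.05, False),
]

Detector = Callable[[Event], bool]


def ai_detector(e: Event, threshold: float = 0.75) -> bool:
    """Anomaly-only rule: alert whenever the model score crosses the threshold."""
    return e.anomaly_score >= threshold


def ti_detector(e: Event) -> bool:
    """Intel-only rule: alert only when the destination is on the blocklist."""
    return e.dest_ip in TI_BLOCKLIST


def combined_detector(e: Event, strict: float = 0.85) -> bool:
    """Alert on any blocklist hit; without that corroboration, demand a stricter score."""
    return ti_detector(e) or ai_detector(e, threshold=strict)


def evaluate(detector: Detector, events: List[Event] = EVENTS) -> Dict[str, float]:
    """Count true/false positives and false negatives; return precision and recall."""
    tp = sum(1 for e in events if detector(e) and e.malicious)
    fp = sum(1 for e in events if detector(e) and not e.malicious)
    fn = sum(1 for e in events if not detector(e) and e.malicious)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


if __name__ == "__main__":
    for name, det in [("AI only", ai_detector),
                      ("TI only", ti_detector),
                      ("combined", combined_detector)]:
        print(f"{name:9s} {evaluate(det)}")
```

On this constructed sample the anomaly-only rule raises three false positives, the blocklist-only rule misses both novel destinations, and the combined rule keeps the blocklist’s zero false positives while recovering the higher-scoring novel destination. The one malicious event it still misses (ws-03, scored 0.80) is the trade-off the stricter standalone threshold buys: tune that threshold against your own labelled alerts rather than copying the value used here.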

Notes

  1. D. Frances, “Ready for the Big One,” Sonoma Index Tribune, January 30, 2014, https://www.sonomanews.com/csp/mediapool/sites/SIT/News/story.csp?cid=3387701&sid=744&fid=181&sba=AAS.
  2. https://www.usgs.gov/faqs/can-you-predict-earthquakes?qt-news_science_products=0#qt-news_science_products, accessed March 20, 2019.
  3. “Quake Predictor Suspended from Job,” San Marino Tribune (and San Marino News), Thursday, November 23, 1989, page 10.