
The Importance of IT Leadership in 2021


“If IT leadership doesn’t care about security, people are going to focus their efforts where they think leadership wants more focus, time and efforts.” – Charles Platt, The Art of Email Security.

For any business to succeed in today’s realities, it must have a strong online presence, which could help its brand grow and attract new customers.

Pretty much everyone has online access. It’s a land of free entry that can take you from one place to another in a matter of seconds. But the exposure you have on the Internet is the other side of the coin. The threat can come at an unexpected time and from an unexpected direction. It’s the responsibility of IT leadership to identify real-time cyber threats, monitor firewalls, explore possible system vulnerabilities and database entry points, and so much more.

All that while keeping the security team in the clear about critical situations! It seems like a tough job that demands remarkable leadership qualities.

But is security taken as seriously in the business sector as it should be? Not necessarily.

IT Leadership Is Often Ignored

One does not climb too high without a safety harness, right? Unfortunately, the reality is different.

No doubt about it, you don’t ever break out from obscurity without rolling the dice. But doing that when you already have an empire behind your back is a different story.

Taking uncalculated risks while wishing to stay successful for as long as possible is what they call a pipe dream in today’s reality. Smaller companies are the so-called ‘lower-hanging fruit’, while massive corporations are attacked more often because of their stature.

Every company needs security-focused IT leadership, but not all of them have one, for many reasons.

40% of IT leaders say cybersecurity jobs are the most difficult to fill, making the global mission even tougher to achieve. Understaffed and often under-budgeted IT leaders face the broad task of protecting digital assets, fighting off the challenges brought in by a third party, and minimizing the potential harm from people who work for the company. 

Lots of ground to cover, so this is not a ‘one man army’ job.

What Makes a Great IT Leader?

The leader role is reflected in a person's authority and awareness about the unavoidable risks that await your company online. 

A leader helps improve the lives of other people or improve the system they live under. In the IT context, the leader’s goal is to enable business strategy, act as an enabler, use IT to innovate, transform the business, and focus on its capabilities.

It becomes clear that such a person is a crucial member of any team involved online, and having one can only help make your brand more reliable and trustworthy in the eyes of partners. And even while that is an undisputed fact, management often dismisses the importance of such people in their company.

As Will Rogers once said, “Being a hero is about the shortest-lived profession on Earth”. 

It applies to CISO positions, as the average tenure in the role is 17 months. Not exactly a dynasty-like career. The margin for error is very slim, and this is not a position where key staff can make any mistakes. IT leadership lives in a different world.

Leaders are responsible not only for their own safety, but for the safety of others too. They need to think not about one or two people, but about the dozens, even hundreds and thousands of people who work for them every day, all while keeping business interests first on the priority list.

That’s a lot of work, but here’s a little perspective on how the uphill battle can turn into a more even ground, if not a better strategic position.

Email’s Place In Modern IT Security

When most hackers are targeting your non-technical employees for easier entry with spear phishing emails, it only makes sense to decrease the risk of such an attack and understand why email is key for IT Security.

Yes, hackers compose scam messages that seem like legitimate emails to get the login credentials from your employees, and as practice shows, no training in the world can prepare employees for such attacks. Phishing relies on social engineering tricks, which makes it such an effective weapon - as people, we can’t be in the anti-phishing mode all the time. 

In the last year alone, spear-phishing emails were employed by 71% of groups that staged cyberattacks. Email is the easiest attack vector and will continue to get the better of companies and their employees. As such, email should be protected with utmost effort and dedication.

How can that be achieved? Dedicated tools help, and when it comes to email protection, you may look in StealthMail’s direction.

StealthMail uses a different message transfer model than regular email: messages are never exposed to the public Internet and stay encrypted at all times inside your own company. The keys that decrypt the messages are not stored on third-party servers, as in most solutions; instead, they stay with you at all times.

But what if you found out that StealthMail doesn’t hurt the existing IT infrastructure, being deployed on a cloud inside your own company? If you are interested in learning more about StealthMail, you’re always welcome to do so at StealthMail.com.

But security solutions alone do not work out all the problems. 

For technology to work, people have to use it correctly. The three main components of security are people, process, and technology. Let’s talk more about it.

People and Processes: Checklist for IT Leadership

“If you don’t have a corporate strategy, don’t have the understanding of the security, and if you treat it with negligence, and don’t address this within the management team, sooner or later, you will be breached.” - Johan Nordstrom, Art of Email Security.

IT leadership sets an example of how seriously security is taken inside the company.

When newcomers enter the working space, they have to be introduced to the policies and processes correctly, ideally by the top security person in the organization. Because you can’t make a first impression twice, you better show new people how seriously you treat them and what you expect from them in the future.

For this process to be successful, you must ensure the following steps are completed:

  1. First things first, a physical inventory recount is necessary. This is required to supply the new hire with appropriate equipment and to keep track of devices at the company’s disposal.
  2. After documenting the new worker’s hardware, IT personnel must check that all the essential software is installed and works properly. Workers shouldn’t have the access needed to download and update software, so preparing everything before their first day makes the most sense and saves everyone’s time.
  3. When first meeting new hires, get to know their IT proficiency to understand their starting awareness level. Teach new hires about the threats of the public Internet and attacks that exploit email (man-in-the-middle attack, spear phishing, BEC/EAC, etc.). Show them how to identify those threats.
  4. Provide new hires with proper security policy training. Having IT training materials and manuals is the most efficient way to educate a new worker. Asking your employee to learn about local IT policy before they start using their machine is vital. Ensure that new hires sign data privacy agreements, and describe the visitor’s policy after they have learned about local policies.
  5. New people should be encouraged to ask questions, so it is better to be friendly with them so they would feel no pressure while interacting with others. Hostility towards uneducated colleagues will push them away from the company, making IT leadership even tougher. Encourage new hires to report anything out of order to you directly. Please make yourself available as much as possible, be open to their problems and issues.
  6. IT personnel have to set up all the corporate messaging apps, accounts, and email, explain how they differ from personal ones, and why they should only be used for work-related tasks. It’s also critical to clarify the rules for using outside devices in case of a “Bring Your Own Device” policy. Ideally, this is not the best practice, as third-party devices can store all sorts of malware and pose a potential threat to all other devices.
  7. Employees have to be protected against data loss with efficient backup mechanisms. They have to know how to store, share, and secure information correctly. An automatic screen lock that requires a password when they resume the session is simple to set up but goes a long way toward securing corporate data. It should be applied on both the desktop and the phone.

People should feel that security is important not only to you but to all the employees too. Educate, educate, educate - that's the only key to getting people to respect the policies inside the company.

If you would like to give people more information without acting like a helicopter parent, consider picking up the book “The Art of Email Security” for free. The book features a lot of valuable lessons from top Chief Information Security Officers around the world, but is written in a language that everyone can understand.

And finally, always remember that security is not a state, it’s a process, and it’s the responsibility of IT leadership to enforce it.
