We spend a lot of time and money setting up defenses to prevent cyber threats from breaching our organizational perimeters, but we hardly spend any time on the mess we have inside. Applying Privacy by Design principles to the data and systems within your organizations can make it very much harder for cyber thieves to steal your important information when they do finally breach your networks.
Click on the link below to see the presentation I gave at this year’s Cyber Threat Summit in Dublin, Ireland on October 24, 2017:
I just gave this presentation to nearly 200 attendees of the ICTTF Cyber Threat Summit 2015 in Dublin, Ireland.
For those of you that attended; thank you!
Through this presentation I hope I was able to communicate three points:
How company/agency executives put their agencies at risk by blindly trusting that they are doing all that can be done to secure their networks, applications and data;
That leadership’s approach to motivating employee’s to practice better cyber hygiene needs to mimic principles of behavioral economics theory that advertisers use; and
By changing the way they ask questions to their senior staff (mainly their CIO/CISO), they can a) have better proof that necessary cyber protections are in-place, and b) they will have a better understanding of the unaddressed cyber risk their company/agency faces.
Everyone is missing the boat on the insider threat issue – INSA too…to paraphrase James Carville, “It’s leadership stupid.”
Government and private sector organizations are the primary reason for insider threats – senior leaders and the boardroom grow them internally.
With very minor exception, NO ONE COMES TO WORK FOR YOU ON DAY ONE WITH THE INTENT TO HURT YOU, steal your secrets, or sell your intellectual property.
It’s how you treat them, over time, that turns them into insider threats.
You put them in the wrong jobs;
You fail to trust them;
You make it hard for them to do their jobs;
You put asshole/untrained managers over them;
You treat them like furniture;
You , threaten their existence in your companies and agencies;
You kill their spirit; and
Then, you wonder why they decide to hurt you.
Want to reduce/eliminate the insider threat? Treat you staff the way you did on day one:
Welcome them as a human being;
Be aware of how they are cared for in your organization;
Show them you care about them and their families;
Give them a future;
Put r-e-a-l leaders over them;
Give them a voice; and
Pay them well.
In other words, treat them as you would want to be treated.
Now, why is that so hard?
And, why do NONE of the plans I have seen for combatting the insider threat even mention poor leadership as a factor?
INSAonline.org | 9.12.13 Assessing Insider Threat Programs of U.S. Private Sector http://www.insaonline.org/i/f/pr/9.12.13_InsiderThreat_WP.aspx
“When Johnny reports to work for you on Day 1, they DO NOT intend to do you or your organization’s information systems any harm; something happens to them, either in their personal or work life that changes this – the CEO’s or Agency Head must be held responsible for making sure they know what’s going on with all of the Johnnys (and Janes) in their organization to prevent the good people they hired from becoming insider threats.”
While most of the world is focusing on “technology” as a solution to preventing insider threat attacks to organization/agency information and systems, hardly anyone is focused on leadership’s responsibility to create and sustain a work environment that minimizes the chance for an employee to turn into an insider threat.
On October 21, 2012, I had the chance to speak on this issue at the 2012 International Cyber Threat Task Force(ICTTF) Cyber Threat Summit in Dublin, Ireland a few weeks ago; here is a video recording of my presentation, I hope you find it informative and useful.
The British Standards Institute (BSI) issued ISO/IEC 27001:2005 Lead Auditor (TPECS) certificate to Chuck Georgo today. ISO/IEC 27001
ISO/IEC 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.
NOWHERETOHIDE will be publishing a series of blog posts over the next few weeks to help educate organizations about the standard, its criteria, and strategies for achieving compliance.
It is important to understand that ISO/IEC certification is not a one-off exercise. To maintain the certificate the organization will need to both review and monitor the information security management system on an on-going basis.
