Think Before You Speak: Effectively Share Risk Across the Organization


CISOs and cybersecurity professionals alike need to come to terms with this simple truth: Part of your job description, written or implied, is to change culture. This is true for cybersecurity professionals across industries, but couldn't be more true within higher education. As information security programs mature, the magnitude of that responsibility may wane over time, but it will never be eliminated. Words can be a powerful ally in accomplishing this goal, but they can also be a formidable enemy. In fact, some of the culture we are tasked with changing exists because of our well-intentioned but poorly executed attempts at communicating technical problems to nontechnical audiences.

Cybersecurity is not wholly an IT issue; it is an institutional issue that IT departments have been asked to wholly resolve. Do you see the contradiction? This has to be rectified, but doing so hinges on a shift in culture that understands this shared responsibility. Words we choose, or withhold, can be used to help others appreciate this fact.


Think before you speak by employing these guiding principles:

  • Speak in terms of risk. Always.
  • Eliminate all fear, uncertainty, and doubt (FUD).
  • Rely heavily upon real data, use cases, and metrics.
  • Understand the University's mission and relate all security initiatives back to it.
  • Don't underestimate the power of a question.
  • Never imply security is a product or a destination.
  • Reinforce a secure by default mentality.

Let's go through some examples.


What not to say: It's not if, but when, a breach will occur.

This is a true statement, but it's a soundbite without full context and explanation. Some interpret this statement to mean, "A major breach is unavoidable, so why bother investing in security?" Well, that was counterproductive! Besides, this is no longer news to anyone, and just because people say this out loud doesn't mean they believe it.

What to say: When a breach occurs, we want the ability to contain damage and be in a defensible position regarding our risk-based decisions.

This statement conveys the fact that a breach is inevitable, but also explains why that does not mean inaction is an effective approach. There are clear benefits to taking security seriously. You wouldn't throw all caution to the wind when driving because of the stark reality that a car accident within your lifetime is virtually unavoidable, would you? On the other hand, if every time you put the key in your ignition, you sent a goodbye text to your loved ones, wouldn't that be overemphasizing a risk everyone is already well aware of? While being paranoid is an accusation I used to perceive as a compliment, it also indicates a failure to adequately communicate real-world risks and threats to those who don't live and breathe security.


What not to say: I recommend heavy investment in security before investing in any other initiatives.

This one hurts because I want to say it! I really do. But it's not realistic. Once you let these words slip out of your mouth, you've inadvertently let everyone believe that you've lost sight of why security efforts exist. Security enables the business to operate, not the other way around.

What to say: Not investing in security up-front is an assumption of significant risk to <insert strategic or departmental priority here>.

It's important that we bridge the gap between information security and the business, all the while conveying the fact that responsible security controls and practices require resources.


What not to say: If our Alumni database gets broken into, it's going to cost you a lot of money. The Super Accurate Breach Report estimates $150 per record. So, for a database of this size we are looking at $76 million dollars.

What to say: Have you come across any studies that show the impact a data breach can have on future donations to the university? A previous incident of a much smaller magnitude cost us <insert amount of direct costs>, plus some negative publicity. It's important that we balance risk with the needs of the business.

Although we are expected to be subject matter experts on all things related to cyber, don't presume to know the impact of a breach to every business unit. Let the business executives own that evaluation, with some helpful guidance. Asking a question gets them thinking about the problem too. After all, it's our problem. Adding some real-world experience gives credibility to the question.


What not to say: If you want to be secure, we need to buy a really big firewall, SIEM, and NAC.

What to say: Here are the top risks that deserve our attention. And here are the most cost-efficient controls that can address one or more of those risks to a reasonable degree.

Never lead with solutions prior to explaining what the risk is. That's like someone walking into your California office and trying to sell you a winter coat. Maybe they know something you don't know, but I'd bet the forecast says 90 and sunny all month! On the other hand, a quick review of weather patterns may reveal that there's a cold front coming in. You were right about not needing a winter coat, but a windbreaker is completely justified. In other words, if you didn't know about the risk to begin with, would you invest to reduce it? I wouldn't. Don't assume everyone knows how easy it is to crack the password "password."


What not to say: We need to close all possible firewall ports because <insert nation state of choice here> is actively breaking into our systems.

What to say: We've had over 1.5 million connection attempts from unknown IP addresses this month, many from areas of the world we do little or no business with. Let's unlock doors where doing so benefits the university, but lock doors that don't, which will remove unnecessary risk and reduce our attack surface.

This is one of those areas where data can be eye-opening. Sometimes it's as easy as turning on auditing and showing someone how many login attempts are taking place against their computer. Other times, it takes a little more conversation and explanation, but data is powerful. The underlying theme is "secure by default" rather than assuming risk with little or no benefit.
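The "turn on auditing and show them the numbers" idea above is easy to demonstrate. The following Python script is an added example, not code from the post or from Stony Brook: it reads sshd-style authentication log lines (constructed sample data using documentation address ranges), counts failed password attempts per source, and separates sources inside the institution's own network (assumed here to be 10.20.0.0/16) from unknown ones, producing the kind of plain-language summary a system owner can read at a glance.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of an sshd authentication log.
# Addresses come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24);
# none of this is real data from the post or from any institution.
SAMPLE_LOG = """\
Mar  3 10:01:12 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:14 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar  3 10:01:15 host1 sshd[2103]: Failed password for root from 198.51.100.77 port 40011 ssh2
Mar  3 10:02:01 host1 sshd[2110]: Accepted publickey for jdoe from 10.20.30.40 port 55100 ssh2
Mar  3 10:02:44 host1 sshd[2115]: Failed password for invalid user test from 203.0.113.5 port 51030 ssh2
Mar  3 10:03:09 host1 sshd[2118]: Failed password for root from 198.51.100.77 port 40012 ssh2
Mar  3 10:03:10 host1 sshd[2120]: Failed password for jdoe from 10.20.30.41 port 55200 ssh2
"""

# Assumption: the institution's own network is 10.20.0.0/16. Anything outside it
# is treated as an "unknown" source for the purpose of the summary.
CAMPUS_NETWORKS = [ip_network("10.20.0.0/16")]

# Matches both "Failed password for root from X" and
# "Failed password for invalid user admin from X".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def is_campus(ip: str) -> bool:
    """True when the address falls inside one of the institution's own ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in CAMPUS_NETWORKS)


def summarize_failed_logins(log_text: str) -> dict:
    """Count failed password attempts per source and split campus from unknown sources."""
    per_source = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            per_source[match.group("ip")] += 1
    unknown = {ip: n for ip, n in per_source.items() if not is_campus(ip)}
    campus = {ip: n for ip, n in per_source.items() if is_campus(ip)}
    total = sum(per_source.values())
    return {
        "total_failed": total,
        "unknown_sources": unknown,
        "campus_sources": campus,
        # Share of failures that came from outside the institution's own ranges.
        "unknown_share": round(sum(unknown.values()) / total, 2) if total else 0.0,
    }


def top_unknown_sources(summary: dict, limit: int = 5) -> list:
    """Noisiest unknown sources first, for the one-line version of the story."""
    return sorted(summary["unknown_sources"].items(), key=lambda kv: kv[1], reverse=True)[:limit]


def format_report(summary: dict) -> str:
    """Plain-language summary suitable for showing a non-technical system owner."""
    lines = [
        f"Failed logins this period: {summary['total_failed']}",
        f"From addresses outside our network: {sum(summary['unknown_sources'].values())} "
        f"({round(summary['unknown_share'] * 100)}%)",
    ]
    for ip, count in top_unknown_sources(summary):
        lines.append(f"  {ip}: {count} attempts")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_failed_logins(SAMPLE_LOG)))
```

On the constructed sample, six failed attempts are recorded and five of them (83%) come from outside the assumed campus range, which is exactly the "doors we don't need unlocked" conversation the paragraph describes. Replace `SAMPLE_LOG` with a real log excerpt and `CAMPUS_NETWORKS` with the institution's actual ranges to run it on live data.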


What not to say: Security is successful when nothing happens.

What to say: Security can be measured, similarly to measuring a person's health. There is no perfect barometer, but there are certain indicators we can watch closely.

Provide a one-page summary of some key metrics that are easily understood by all. Number of infections blocked by institutional antivirus, vulnerability scanning results, number of significant incidents, and time to resolution of those incidents can all be easily gathered and shared on a regular basis. You can add some dollar amounts from time to time to demonstrate value; money saved per malware infection prevented is a good example. Bear in mind that these types of dollar figures will, and should, be taken with a grain of salt. Don't overstress them.
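As an added illustration of the one-page metrics summary (example code written for this page, not the author's own reporting), the script below takes constructed incident records with opened/resolved timestamps, a blocked-infection count and vulnerability scan totals, and derives the figures named above: number of significant incidents, time to resolution, and an optional, clearly labelled dollar estimate. The per-infection cost is an assumption, kept separate so it can be dropped or revised without touching the rest of the report.

```python
from datetime import datetime
from statistics import mean, median

# Constructed records for one reporting period; the figures are made up for this
# example and are not from the post or any institution.
INCIDENTS = [
    {"id": "INC-1", "severity": "high",   "opened": "2016-03-02T09:15", "resolved": "2016-03-02T15:15"},
    {"id": "INC-2", "severity": "medium", "opened": "2016-03-10T11:00", "resolved": "2016-03-12T11:00"},
    {"id": "INC-3", "severity": "high",   "opened": "2016-03-21T08:30", "resolved": "2016-03-21T20:30"},
    {"id": "INC-4", "severity": "low",    "opened": "2016-03-28T14:00", "resolved": None},  # still open
]
INFECTIONS_BLOCKED = 412                                                 # from institutional antivirus
VULN_FINDINGS = {"critical": 3, "high": 27, "medium": 140, "low": 310}  # from the period's scans

# Assumption: a rough clean-up cost per malware infection, used only to illustrate value.
# Such figures should be presented as estimates, not as hard savings.
ASSUMED_COST_PER_INFECTION = 250


def hours_to_resolve(incident: dict):
    """Elapsed hours from open to resolution; None while the incident is still open."""
    if incident["resolved"] is None:
        return None
    opened = datetime.fromisoformat(incident["opened"])
    resolved = datetime.fromisoformat(incident["resolved"])
    return (resolved - opened).total_seconds() / 3600


def incident_metrics(incidents: list, significant=("critical", "high")) -> dict:
    """Counts and time-to-resolution figures for one period."""
    durations = [h for h in (hours_to_resolve(i) for i in incidents) if h is not None]
    return {
        "total": len(incidents),
        "significant": sum(1 for i in incidents if i["severity"] in significant),
        "still_open": sum(1 for i in incidents if i["resolved"] is None),
        "mean_hours_to_resolve": round(mean(durations), 1) if durations else None,
        "median_hours_to_resolve": round(median(durations), 1) if durations else None,
    }


def estimated_savings(blocked: int, cost_per_infection: int = ASSUMED_COST_PER_INFECTION) -> int:
    """Illustrative dollar value of infections prevented; an estimate by construction."""
    return blocked * cost_per_infection


def one_page_summary(incidents: list, blocked: int, findings: dict) -> str:
    """The one-page view: a handful of numbers anyone on the leadership team can read."""
    m = incident_metrics(incidents)
    lines = [
        "Security metrics, this period",
        f"  Infections blocked by antivirus: {blocked}",
        f"  Vulnerability findings (critical/high): {findings['critical']}/{findings['high']}",
        f"  Significant incidents: {m['significant']} of {m['total']} ({m['still_open']} still open)",
        f"  Median time to resolve: {m['median_hours_to_resolve']} h (mean {m['mean_hours_to_resolve']} h)",
        f"  Estimated clean-up cost avoided: ${estimated_savings(blocked):,} (rough estimate)",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(one_page_summary(INCIDENTS, INFECTIONS_BLOCKED, VULN_FINDINGS))
```

Median and mean are both reported because a single long-running incident (INC-2 in the sample, two full days) pulls the mean well above the median; showing both keeps the number honest without a paragraph of explanation.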


In conclusion, it is safe to say that we are all in this together. It's important that we don't take for granted the fact that others in our organization, even IT experts, don't fully appreciate the risks we are trying to address day in and day out. It's our job to explain them in a realistic and understandable manner. It's equally important that we don't take for granted the fact that nobody understands the business of higher education better than our own business leaders. Healthy and effective collaboration is the only way to achieve any level of success. We can't control the threats we are up against, but we can control the words we use when explaining them to others. "Think before you speak" is good advice in all areas of life, even in the challenging field of cybersecurity!


Matthew Nappi is the interim chief information security officer at Stony Brook University. Subscribe to Nappi's blog or follow @matthewnappi on Twitter.

© 2016 Matthew Nappi. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.