Tessian CTO and co-founder Ed Bishop was joined by Elvis Chan (Supervisory Special Agent at the FBI) and Bobby Ford (then Global CISO of Unilever, now Senior Vice President and Chief Security Officer at Hewlett Packard Enterprise) to talk about the evolving cybersecurity risks and discuss how to keep organizations protected.
Watch the full conversation and Q&A here, or read on for three of the key takeaways.
The COVID-19 pandemic expanded the cyber threat landscape rapidly and exponentially
BF: When we ask how organizations can navigate the Covid-19 pandemic, we have to recognize that overnight the threat landscape expanded exponentially. From a security point of view, having employees move to work remotely is equivalent to setting up a new office for each employee. So technical controls are important, but there are also a number of administrative controls that need to be considered.
Employees need to be aware of the added responsibility they have to secure their environment while they work.
I recently spoke to a buddy of mine who told me about a meeting his colleagues had about pricing. During the meeting, one of the participant’s wives walked by in the background, and another participant recognized her as an employee of a competitor!
So it’s not just about technical controls, but also physical controls and being mindful of your environment.
EC: There are a lot of bad people out there looking to take advantage of the disruption, and use the pandemic as a social engineering tactic. This includes using it as a lure for spear phishing, phishing, and making fraudulent websites (e.g., asking people to donate money or buy goods like masks). Most people also think of home as a safe environment and will leave their laptop unlocked or take personal calls in communal areas, but as Bobby said, this cannot be relied upon. Junior workers may even be living in shared homes, where they don’t know their flatmates that well.
Ensuring employee well-being is a key part of better cybersecurity
BF: It is a lot harder to stay focused when working from home. When we go into the office we put on work clothes and enter a professional environment where we can focus on the job at hand. We don’t have that luxury when working from home. Additionally, it is important to remember that what we are experiencing right now isn’t ‘typical’ work from home – we are working from home in a crisis! So it is even harder to remain focused, meaning guards go down, and the attack vector goes up.
Employees are stressed and vulnerable, so it is vital that we bring security into the discussion in a positive and empowering way. Ultimately, employers need to create a secure working environment without employees even knowing it.
EC: Even though we may be on ‘technology version 5.0’, we are still on ‘human being version 1.0’, so above all else, we need to focus on the well-being of employees.
We need to shift the emphasis away from security awareness programs, and towards employee wellbeing programs. Happy and healthy employees are better able to focus and take on board any training, and will understand that what is good for the company is also good for them.
Organizations need to approach security decisions with their specific needs in mind
BF: Unless you are a technology or cyber company, you need to understand where you fit in the hierarchy. For me it’s always business first, IT second, and cyber third. IT is there to enable the business to happen, and cyber is there to enable the business to take risks. Every organization is different, and in order to make good security decisions, you have to understand your risk exposure, who owns the risk, and figure out what security means for your organization.
EC: The FBI cannot endorse any app for teleconferencing over another. What I would say is that it really depends on what you want to use it for. So if you’re a teacher who needs an app for teaching your lessons, I think Zoom is a fine product. On the other hand, if you want to be having more high-level or proprietary discussions, you probably want an app that is more reliable with better encryption and a better track record. Though I am not endorsing it, the FBI uses Microsoft apps, for example. At the end of the day, there are lots of equivalent products, and it is really about just seeing what fits your needs best.
For more from Elvis and Bobby on security in the changing world, watch the full interview, here.
CSO at Hewlett Packard Enterprise
Bobby Ford is the Senior Vice President and CSO at HP and former CISO at Unilever and has held senior security leadership titles at organizations across industries, including government, consumer goods, healthcare, and now technology. And, having secured organizations with hundreds of thousands of employees, he truly knows how to implement successful security strategies at the enterprise level.