Rock your boss's world

CSOs and CISOs should target executive-level management with specially tailored messages that prompt strongly motivated buy-in, even using a bit of fear if necessary, said a panel of state security officials and consultants.

While programs that encourage Internet safety and awareness have begun to resonate with employees and the general public, the speakers' underlying message was that executive-level officials are almost blissfully unaware of the magnitude of the security risk they are accountable for managing. The panelists made their remarks at a session titled "Securing the Weakest Link: Cybersecurity Education and Awareness" at the 2009 annual conference of the National Association of State Chief Information Officers (NASCIO).

While the NASCIO conference focused on the state government vertical market, insiders suggest that the perceptions are applicable to related user groups, such as K-12 education, as well as areas of the private sector. And while the focus was IT security, the nature of the issues covered bleeds over into policies that affect physical security technology just as much.

"What should they know?" posited Elayne Starkey, chief security officer for the State of Delaware. "Awareness as to how close they are to a breach is powerful. There's nothing like a breach to get people's eyes open and get some money flowing."

Although Starkey said she isn't a fan of "fear factor" tactics, they can be surprisingly effective in delivering the vulnerability message. Starkey will often open security seminars with a slide that mocks up the front page of a local paper with a headline story about a data breach. The article might draw facts from real-life cases, but Starkey is bold enough to use the names of state department heads and their agencies in the mock-up, which she says truly engages their imagination about both the monetary and political costs of a breach.

"A simulation is equally powerful," she added. Breach simulations, which are part of Starkey's training programs, allow managers to get a first-hand look at the havoc a data breach or cyber attack can cause.

Security education also is at a crucial point because of the number of young people entering the workforce. Although cybersafety programs are finding their way into school curriculums now, the current generation grew up with no concept of security best practices or cyberethics, said Samuel McQuade, graduate program coordinator, Center for Multidisciplinary Studies at Rochester Institute of Technology.

To this demographic, software piracy, cyberbullying and hacking are all considered acceptable behavior. "All people currently coming into employment have had no training for responsible behavior online," McQuade said. McQuade further critiqued current Internet awareness efforts as too fragmented, saying that schools should be teaching Internet safety, data security and cyberethics as three elements of a larger whole.

"Technology policy must account for human factors," he said. "You must harmonize technology and education policy investments." This means embracing new networking technologies, like Facebook and Twitter, not banning them, he said. "You can embrace social networking to promote a new era of digital democracy." Bans, McQuade said, don't work and simply perpetuate the outlaw culture youthful users bring in with them. "They'll find a workaround, just like they always have."

Finally, many managers don't grasp the sizable threat they face from malicious insiders--current or former employees or contractors who have access to information and use it to commit a crime, usually fraud or sabotage, said Dawn Cappelli, technical manager, threat and incident management at Carnegie Mellon University's Software Engineering Institute.

Citing data from annual surveys by CSO magazine, Cappelli noted that over the past four years, 40 to 55 percent of respondents said they experienced an attack from an insider. As we've reported on Security Squared, in many cases this involves as much IT access control as physical access control. Former employees, whose access should be terminated as soon as they leave an agency, can often gain entry into a facility, log in remotely, or both because of poor security policies and a failure to link or consolidate personnel and security system databases.
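The gap Cappelli describes, between what the personnel system knows and what the directory and badge systems still allow, is something a security team can check for mechanically by reconciling the exports. The following Python script is an added example, not code from the article, NASCIO or the SEI; it assumes that an HR roster, a directory or remote-access export and a badge-system export all carry a shared personnel id, and every row below is constructed for the example.

```python
"""Reconcile an HR roster against logical and physical access systems.

Added example (not from the article). Flags access that is still enabled
for people HR lists as terminated, and access that matches no HR record
at all. All data and field names are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR export: one row per person, as the personnel system sees them.
HR_ROSTER = [
    {"emp_id": "E100", "status": "active", "termination_date": None},
    {"emp_id": "E200", "status": "terminated", "termination_date": date(2009, 9, 1)},
    {"emp_id": "E300", "status": "terminated", "termination_date": date(2009, 10, 20)},
]

# Constructed export from the directory / remote-access system.
LOGICAL_ACCOUNTS = [
    {"emp_id": "E100", "username": "aexample", "enabled": True},
    {"emp_id": "E200", "username": "bexample", "enabled": True},      # never disabled
    {"emp_id": "E300", "username": "cexample", "enabled": False},
    {"emp_id": "E999", "username": "contractor7", "enabled": True},   # unknown to HR
]

# Constructed export from the physical access-control (badge) system.
BADGES = [
    {"emp_id": "E100", "badge_id": "B-1", "active": True},
    {"emp_id": "E200", "badge_id": "B-2", "active": False},
    {"emp_id": "E300", "badge_id": "B-3", "active": True},   # terminated, badge still live
]

AS_OF = date(2009, 10, 22)  # constructed date the reconciliation is run


@dataclass(frozen=True)
class Finding:
    system: str               # which access system the record came from
    identifier: str           # username or badge id in that system
    emp_id: str               # personnel id the record claims to belong to
    reason: str
    days_open: Optional[int]  # days since HR termination; None if no HR record


def _is_terminated(person: dict, as_of: date) -> bool:
    """True when HR says the person has left and the termination date has passed."""
    if person["status"] != "terminated":
        return False
    term = person["termination_date"]
    return term is not None and term <= as_of


def _check_system(system, records, id_field, enabled_field, roster, as_of, grace_days):
    """Walk one system's export and flag enabled access HR cannot justify."""
    findings = []
    for rec in records:
        if not rec[enabled_field]:
            continue  # already revoked in this system; nothing to flag
        person = roster.get(rec["emp_id"])
        if person is None:
            findings.append(Finding(system, rec[id_field], rec["emp_id"],
                                    "enabled access with no matching HR record", None))
        elif _is_terminated(person, as_of):
            days = (as_of - person["termination_date"]).days
            if days < grace_days:
                continue  # inside the agreed deprovisioning window
            findings.append(Finding(system, rec[id_field], rec["emp_id"],
                                    f"HR terminated on {person['termination_date']}, "
                                    f"access still enabled", days))
    return findings


def reconcile(hr_roster, logical_accounts, badges, as_of, grace_days=0):
    """Return findings from both the directory and the badge system."""
    roster = {p["emp_id"]: p for p in hr_roster}
    findings = _check_system("directory", logical_accounts, "username", "enabled",
                             roster, as_of, grace_days)
    findings += _check_system("badge", badges, "badge_id", "active",
                              roster, as_of, grace_days)
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, LOGICAL_ACCOUNTS, BADGES, AS_OF):
        print(f"[{f.system}] {f.identifier} ({f.emp_id}): {f.reason}"
              + (f" for {f.days_open} days" if f.days_open is not None else ""))
```

Run against real exports, the same three conditions carry over: a terminated person with a live directory account, a terminated person with a live badge, and an identifier no personnel record explains. The `grace_days` parameter lets a team exclude departures still inside an agreed deprovisioning window so the report shows only overdue revocations; the "no HR record" case has no date to measure against and is always reported.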

Popular targets are state driver's license and ID card data, which can be used to fraudulently document illegal immigrants. Cappelli noted that many executives still don't understand how much organized crime has become involved in data theft. "Often the employees are not stealing the data for themselves," she said. "They don't make that much, and they are offered what they think is a lot of money, and so they steal the data."

Hand-in-hand with this problem goes the "unwitting accomplice," an employee or official who is tricked or duped into permitting unauthorized access, Cappelli added.

To craft effective awareness programs, Starkey recommended CSOs and CISOs look for creative communicators in their organizations. She suggested that separate safety and security messages be crafted for state citizens, state employees and executive management.

"Don't just tell them what the rules are," Cappelli added. "Tell them what the consequences are." 

Security was a major topic of discussion at the NASCIO meeting. NASCIO's own survey data found that security now ranks as the fourth IT priority for state CIOs behind consolidation, shared services and budget and cost control. Two years ago, security did not make the list. There was also significant overlap with physical security issues. The primary security issue for state CIOs, according to a poll taken at the opening session, was theft or loss of laptops and handheld mobile devices.

Original article by: Steven Titch
www.experteditorial.net/securitysquared/2009/10/rock-your-bosss-world.html