The IT security landscape is changing. What can you do to promote a culture of IT security in (and out of) the office?
By Tom Barkley
It’s not easy to be a manager in today’s tech-enabled workplace. But rest assured, there are a few simple steps that can help promote a culture of IT security both in and out of the office — and make things easier for you and your IT security chief.
Real Business recently sat down with Mark Leary, vice president and chief information security officer of Xerox, who has more than 30 years of experience in security management and technical intelligence. He held similar roles at TASC and Northrop Grumman before joining Xerox last year. He previously served 22 years in the U.S. Army, where he established the information operations capability in computer network defense and information assurance for the U.S. Army Reserve.
Mark talked about what keeps him up at night and how managers can help companies stay protected against the proliferation of IT threats — from hackers and corporate spies to simple employee error.
Q: How has the IT security landscape changed? Are things only getting more complicated for IT staff — with telecommuting, hacking, corporate espionage, etc.?
Mark Leary: From a business perspective and security practitioner’s point of view, this is the era of the perfect storm. First is the fact that technology is accelerating, particularly when we have new emerging technologies around bring your own device and mobility, cloud computing and cloud service providers, IT consumerization, and the proliferation of applications that can be on any device.
The second element is the business model of adapting them. In the past, most organizations had this castle mentality — that the data resided on the networks and infrastructure that they owned, and they allowed just certain people or business processes through a firewall. Today, business is conducted well outside the corporate border.
The third element is the threat landscape. As these new business models emerge and new platforms are being utilized, often the rush to market leaves security by the roadside. There’s a wide gamut of threats, and they have specific motivations — whether it be a 14-year-old in the basement writing a virus just for fun, or state-sponsored espionage trying to steal intellectual property or trade secrets.
Q: So what keeps you up at night? Is it more the external threat from hackers or spies, or simple employee error — someone who loses their laptop?
ML: It’s all the above. You live the life for so long, it just becomes part of your makeup. You’ve kind of resigned yourself that this is the new normal, and you grow accustomed to understanding, “What’s the threat picture today?” Central Asian threat actors are financially motivated and are looking for an opportunity to conduct some kind of fraud. Or it could be the fact that we’re involved in a particular region where there’s a natural disaster, so what’s our level of service.
On the flip side of the threat, I worry about our employees and whether we have established a “culture of security.” There’s what I call just good cyber-hygiene. Every morning we get up and brush our teeth, comb our hair, and take our vitamins. It’s kind of the same mindset you want employees to have. I sign on to my desktop and check that I have antivirus and it’s running. I’m backing up my desktop to my file share. Once it becomes part of the culture, it becomes internalized. It’s just part of your average day. It’s as natural as brushing your teeth or combing your hair.
Q: Are there some simple steps managers and everyone else can take to make the CISO’s job easier?
ML: A lot of people think this is a technology problem, but it’s clearly a behavioral problem. We must understand the information that we’re managing on a day-to-day basis, and just take appropriate measures to protect that information relative to its sensitivity. And the common cyber-hygiene approach is clear — use strong passwords, remember to lock your computer before you leave, make sure you have antivirus in place, accept the software updates that come every Tuesday, and make sure you back up your computer.
If we just practice some very simple, common behaviors, a lot of the security problems that we have — from potential breaches or incidents — are actually mitigated. And from the manager’s perspective, it’s really their role to ensure that proper behavior is being practiced by their employees.
(This was excerpted from an article that was first published in Real Business, a website from Xerox that provides ideas and information for decision makers in business and government.)
Links to More Information
Microsoft Safety & Security Center: Practical security tips for you and your family, useful resources and links, and a forum for you to provide feedback and ask security-related questions.
StaySafeOnline.org: From the National Cyber Security Alliance, which seeks to educate a digital society to use the Internet safely and securely at home, work and school.
Stop. Think. Connect: A national public awareness campaign sponsored by the U.S. Department of Homeland Security. The campaign seeks to help the American public understand cyber threats, and empower the public to be safer and more secure online.