Infosec leaders will make mistakes over the life of their careers, but according to a Canadian chief information security officer (CISO), being paralyzed with indecision is the worst.
“The number one pitfall is failure to start,” said Kevin Dreyer, chief information and security officer at Ontario-based general contractor Maple Reinders, during a panel discussion of CISOs last week at the MapleSEC security conference.
Some security pros see all the obligations and responsibilities involving cybersecurity “as an insurmountable task,” he said. “Then you rely on hope.”
He advised those in that position to go through a cyber insurance application. These days, insurance companies have a long list of requirements for organizations to meet if they want to qualify for coverage. A long list — but, Dreyer said, it’s a start.
“Some of it is very simple,” he said, “and you’ll be surprised that you already have some of the tools. You’re paying for them, you’re just not using them properly.”
The second pitfall, he said, is making your security awareness program feel punitive to employees. “If they feel like ‘I got caught [in a test], this is going to affect my performance review,’ or anything like that, then when they fall for a real phishing scam they’re not going to bring it to your attention.”
Rather than threaten employees with discipline, “celebrate their honesty,” Dreyer advised.
Co-panellist Natalia Bakhtina, director of cybersecurity and IT risk management at insurance broker BFL Canada, said the biggest mistake some infosec leaders make is thinking that buying a cyber tool will solve all their cybersecurity problems. “Just because you have the best dishes and the best recipe book doesn’t mean you will cook the best meal,” she said. A good cybersecurity program needs the participation of everyone in the organization.
“Cybersecurity awareness is a lifestyle,” she added. Not only do employees need to be shown and convinced to do the right things, they also have to believe that what they do is valuable to the organization. That’s why CISOs have to take every opportunity, when talking to employees at all levels, to remind them of the good that cybersecurity brings.
In most cases the leader can’t do it alone, Dreyer added. “If you reflect on your own most difficult personal moments in your life, it’s not a matter of your ability to pull up your bootstraps, but the person who you can call to help you get off the ground.” That’s why, he said, infosec leaders need a network of knowledgeable people they can sometimes lean on.
The MapleSEC series of virtual and on-location conferences is organized by IT World Canada.