[BreachExchange] Don't forget to go the 'last mile' on cybersecurity initiatives

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 11 18:48:31 EST 2018


For more than a decade I have advised executives in government, the private
sector, and at nonprofits on communicating about the risks of cyberattacks,
terrorist attacks, and natural disasters. Cabinet secretaries, CEOs, and
college presidents aren't the only voices that matter in a large
organization, however; I also listen closely to CIOs and IT managers, and
talk with internal and external communicators as well. I have studied
examples—good and bad—of information security and disaster preparation and
I constantly ask the question: What fell through the cracks before, during,
and after a major incident like a data breach or a cyberattack? Here's what
I have learned.

The "last mile" problem

Almost all organizations have taken steps to protect against a data breach
or a cyberattack—some made large investments in security ahead of time,
others only did so after suffering a major loss. But what I have found to
be the most common gap or missing link was not high-tech or particularly
costly—it was the flawed hand-off of critical security information from the
CIO level through IT staff and contractors and into the hands of employees.

Translating information security policies and procedures into clearly
understood language and useful, relevant materials is absolutely essential,
but it's not enough. As I've written over the last year on TechRepublic,
organizations must go a step further and empower employees to be part of
the solution. That's the "last mile" in cybersecurity, and also the one
that's most neglected.

Security questions every business should address

When I advise organizations on how to go the last mile to better protect
against a data breach or malicious cyberattacks, I recommend they consider
these questions.

1 - Do your top information security (CIO/CISO), IT, and internal
communications or employee relations leaders know each other? Do they work
together to build a security culture up and down the organization?
2 - What do IT staff and employees think of the organization's information
security training and education resources? If the answer is a collective
eye-roll, that's a clear area for improvement.
3 - Are other parts of the organization that support employees—like
onboarding, travel, and employee assistance program (EAP) staff and
interns—included in the discussion about security?

Keep your objective in mind

Remember that cybersecurity is, in effect, a "people problem" that involves
technology. Getting all those people to become an asset toward your overall
security might seem hard, but it's not nearly as difficult or expensive as
having to rebuild your IT systems, and the trust of your customers, in the
wake of a major breach that could have been avoided.