[BreachExchange] 5 areas IT leaders should be followers

Destry Winant destry at riskbasedsecurity.com
Wed Jun 24 10:33:27 EDT 2020


Enterprise leadership is not only knowing how to lead, but when to follow.

Recent events have demonstrated that sometimes, to lead is to follow.
Here are five key areas when following is the path to great

1. Mobile security

The single richest target for mobile cyberattacks is the c-suite,
according to a report from MobileIron called "Trouble at the Top" (and
also according to common sense).

If targeted social-engineering attacks via email and SMS aimed at
employees can be described as a "spear phishing attack" or "phishing
attack," those targeting high-level executives are called "whaling"
attacks. As in a big, fat target.

Top executives tend to carry and have access to higher-value data.
They also tend to have the most relaxed attitudes toward mobile
security, according to MobileIron. Such executives find mobile
security protocols frustrating, limiting and confusing.

Leadership and authority mean that the c-suite has the power to
ignore security protocols -- using unsupported devices and apps and
skipping multi-factor authentication, to name just a few examples. But
this is a mistake, and a common one.

Leadership doesn't confer expertise. It simply means that your own
personal mobile security tools and practices need to be at least as
strong as other employees', or you become the perfect target -- easier
to hack and more profitable to breach.

So when it comes to tools, policies and practices for mobile devices,
enterprise leaders need to follow the lead of security specialists in
the company -- and show all employees that security systems are for
all employees, no exceptions.

2. Password policy

A few years ago, I was leading a brainstorming session among IT
leaders and security specialists. One of the participants was the
security lead for a major metropolitan court system. One of his first
initiatives upon taking the position was to fix their almost
non-existent password policy, which included requiring strong

One judge -- whose password for accessing the court system, including
court records, was something like "password123" -- simply refused to
use a strong password or even change his weak password for another
weak password. He just didn't want to and flat-out refused.

Since no one overruled the judge, an exception was made so he could
continue to use his easy-to-guess password (which he no doubt used
elsewhere as well). This failure of leadership -- this unwillingness
to follow -- exposed the community's legal system to a catastrophic
privacy breach.

He did this because he was a bad judge -- or, at least, was a man
capable of bad judgement -- and a weak leader.

Leadership in this case is to follow the password rules like everyone else.

3. Security spending

Ok, you still need to lead and not follow on this one.

But it's time to take the recommendations of security specialists in
your organization more seriously when they recommend security budgets.

Gartner says spending on information security may increase only 2.4%
this year, down from previous projections of 8.7% (total 2020 security
spending is expected to exceed $123 billion). Cloud security spending
is expected to grow 33.3% this year. It's not clear whether these
predictions represent some companies increasing spending and others
going out of business. We'll find out eventually.

Of course, every organization has a different calculation to make on
budgeting for cybersecurity, taking into account existing
infrastructure, number of employees, the nature of the specific
industry, and the risks and business impacts of such spending and deployment.

In a world where the coronavirus crisis has forced an acceleration of
digital transformation, as well as other trends that include remote
work, the attack surface of the average organization has suddenly
increased. Both digital transformation and remote work increase cyber
The crisis has also been accompanied by (or driven) a rise in attacks.
DDoS attacks are way up (fewer attacks, but their complexity and size
are much greater than in previous years). Mobile phishing attacks are
way, way up. Attacks that target work-from-home employees are through
the roof (well, through consumer ISPs, anyway). Cybercriminals are
exploiting the pandemic.

Attacks are on the rise. The cost of attacks is on the rise. The
risks are on the rise. Cybersecurity spending and IT infrastructure
spending should reflect all this.

Many companies are cutting back drastically. The easy places to cut in
the short term for most organizations are business travel, office
space and executive bonuses. The hardest way to cut is layoffs and the
closure of business units. But the most unwise place to cut is

Listening to the budget recommendations of the security specialists in
your organization requires real leadership because if the higher
spending stops catastrophic attacks, you'll never get credit for it.
The spending will seem unnecessary because you'll never know the
extent of the damage prevented. However, if you ignore the requests
and slash the security budget and you're unfortunate enough to be hit
with a catastrophic attack that could have been averted, you'll
definitely get the blame.

4. Pandemic response

Responding to this pandemic, future pandemics or any society-wide
crisis or natural disaster requires creativity, empathy, transparency
and decisive action. But a pandemic is no time for iconoclastic

Public health officials and pandemic-response leaders are detailing
guidelines, best practices and rules for how to protect society from
viral infections. And to be a good leader during a pandemic is to stay
current with and follow these rules.

More than that: Show by example (even if it feels symbolic). Wear a
mask. Enforce and participate in social distancing rules. Enable and
maximize work from home policies. Stay closed when the advice is to
stay closed and don't open until the advice is to open.

The coronavirus crisis is one that threatens public health, and also
threatens public mental health. This is the best time for role
modeling -- to model self-care in support of your employees' physical
and mental health.

In short, leading your company, department or team during a pandemic
means helping public health officials lead.

5. Employee-initiated philanthropy or advocacy

Sometimes social causes, charities, philanthropies or other good works
seize the imagination of a critical mass of employees, and they start
organizing to support it with actions or fundraising.

The response to this by leadership can be one of three general
directions: 1) Resist or suppress it; 2) take no action; 3) join and
support from a leadership position.

While it's a great idea for leaders in the company to develop causes
to support, these also come from employees. And when the cause is
compatible with the values of the organization, the best response is
to support it materially by offering resources, time and money to
the cause.

We live in troubled times. Now is the time to step up and lead. And
great leaders know how and when to lead. And they know when to follow.