One Article Review

Home - The article:
Source AlienVault Blog
Identifier 364375
Publication date 2017-05-11 13:00:00 (seen: 2017-05-11 13:00:00)
Title What Got CISOs Here, Won't Get CISOs There
Text A common theme at security conferences for many years was the complaint that security departments lacked a voice at the table. CISOs were sometimes treated as second-class C-levelers, and were often not represented at the board.

(Un)Luckily, in recent years, the rise of nation-state hacking, large breaches, data dumps, and financial penalties has put security under the spotlight for many organisations. Finally, the recognition and visibility that so many security departments have craved for so long is here.

But with this comes a new set of challenges. Dealing with a newer and more senior set of stakeholders requires security teams to add new tools to their proverbial utility belt to be able to communicate and educate more effectively. Convincing a CEO that the cyber-pathogens they read about in an in-flight magazine are nothing to worry about requires a different tack than dealing with an auditor.

Perhaps one of the bigger challenges that presents itself to security teams is fending off the snake-oil salesmen who have been attracted by 'cyber' security and want to make a quick profit. While these types often lack the skills or expertise to improve security, they do present themselves as well-polished and well-spoken, and are often well-versed in the tactics needed to gain the ear of a senior stakeholder.

While not all of these distractions and attacks can be thwarted, there are some strategies that CISOs and security teams can adopt to position themselves better and prevent this. Here are five non-security tips to help security teams:

1. Put toothpicks in your data

Security has historically presented data in a rather statistical manner. But merely stating how many suspicious emails your spam filter caught is akin to describing your umbrella by the number of raindrops it stops. The debate to find the ideal security metrics has raged on for many years without showing any signs of slowing down.

One way to look at the problem is by asking how the existing data could be presented in a way that is aligned to the target audience's expectations. For example, research has found that when you tell people that what they are eating or drinking is a high-end product, they won't just say that it tastes better than a cheaper product; their brains will actually experience it as better. This was proven by two Dutch pranksters who snuck into a large food-industry expo in Houten, The Netherlands. The pranksters served McDonald's food cut into pieces with toothpicks on trays, telling attendees it was an organic product. Tasters described the samples as tasting very rich and very pure. Try presenting data differently with some toothpicks and see how it changes perceptions.

2. Reframing

Security on its own has little meaning. Many businesses will judge security teams and their effectiveness based on how they feel about it. Most will tend to frame risk based on how they have perceived it in the past. Although this isn't wrong in some cases, at other times, particularly where experience is tied to a negative perception, these habits need to be changed, or reframed. In this regard, there are two areas that a CISO can focus on to reframe.

The first aspect is around framing context correctly and involves taking something that seems undesirable and showing its benefits in another context. For example, Rudolph's red nose was an anomaly that made him stick out from the other reindeer. But the red nose saved all the reindeer on a dark and stormy night. Similarly, many security controls that may seem undesirable in some situations can become a great asset given the right con
Notes
Sent Yes
Tags Guideline
Stories Solardwinds


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.