We’ve all seen those notices at airports, railway stations,
on buses and elsewhere: “If you see something, say something.” It’s the
government’s attempt to get every single Australian involved in - and
personally responsible for - the nation’s security. Thankfully the threat level
is very low and most of us, I suspect, have little concern and little
expectation of finding anything untoward.
Clark’s suggestion is that companies encourage employees to
be alert for and report any suspicious activity - such as phishing emails or
phone calls asking for their password - by setting up a ‘catch of the day’
regime, where the reporter of the most significant threat is recognised and
rewarded.
“We have done this with many companies and we have seen a
tenfold increase in the amount of information they are getting from users,”
Clark said.
He had another suggestion: delegating to users responsibility
for monitoring their own online activity to check for compromised devices by
giving them information on outgoing traffic. “We say to them ‘You sent seven
pieces of data today. These are the destinations you sent emails to, and you
sent HTTP from your iPad. These are the times and these are the destinations.
Is that all OK?’”
He concluded: “It's a huge culture shift. Now you have a
whole army of people in your company helping you. It's a great way to spend a
little bit of money and a lot of extra resources.”
But the culture shift is also the problem. It requires CSOs
to have a whole range of interpersonal communications skills, something that
many lack. This was reinforced by another comment Clark made, and by comments
from IBM at another briefing the same day.
The average tenure of a CSO in the US is 16 months, Clark
said, and lack of communication skills is the number one reason for their
precipitous departures. “They might be very smart and very good at IT and they
might know how to stop the bad guys, but they don't know how to articulate
that. They don’t know how to talk to the board and sell the business on why
they need to do certain things. They start locking things down and they don't
last very long. Either they get frustrated because nothing moves or the company
gets rid of him because they are causing problems.”
Over to IBM, which was briefing journalists on its white
paper ‘Truth Behind the Trends’, a distillation of learnings gleaned from
interviewing 87 IT leaders from companies across a range of industries “to
understand how mobility, cloud and security trends are playing out ‘at the coal
face’ of their IT departments.”
Asked what IBM had learned from the security professionals
in the sample, Scott Ainslie, security expert, IBM A/NZ, said: “Security people
tend to be somewhat introspective and a little insular. So it is always a
challenge to get them to speak about the problems they have within their
company. It was quite interesting to discover that they don't share
information. As a consequence they think that the problems they are
encountering are unique to themselves.”
He was asked if he thought this insularity compromised
security professionals’ ability to protect their companies. His answer was
unequivocal. “Yes…because it means they try and tackle their problems
independent of external advice and from our experience getting external advice
or seeking collaboration from similar like-minded people is very helpful. More
often than not the problems they are facing are not unique and if they work
together collaboratively their chances of finding a solution are much greater.”
While these comments from Websense’s Clark and IBM’s Ainslie
highlight the need for security professionals to work on their communications
skills, the same is likely to be true for IT professionals across the board.
US-based wireless networking company Aruba has just produced
a white paper ‘20/20 Vision: Introducing the IT Pro of the Future’ for which it
asked 159 IT pros around the world - via an online multiple choice survey - for
their views on how the IT industry would look in 2020. It also held focus group
discussions with IT managers responsible for global strategy execution, and with
their staff.
Eighty-eight percent of IT pros responding to the survey
said that communication would be a key skill in the future and 89 percent said
that the communication of IT policies to the wider company would be crucial.
The whitepaper was not focussed on IT security
professionals, nor was Aruba’s conclusion, but it could well have been: “From
upgrading security software to dealing with the chief executive that returns
from a conference demanding that all employees are given iPads, the IT
professional must be able to set expectations, communicate change, and create
and enforce policy to all levels of the business. They must be able to
simultaneously support the business and lead it to a successful future.”
Such people are likely to be rare and highly valued. A
report from Burning Glass Technologies, a company that develops technologies to
match people with jobs, says that demand for cyber security professionals grew
3.5 times faster than demand for other IT jobs over the last five years and
about 12 times faster than demand for all other jobs.
The Australian Government released its National Security
Strategy in January. It had much to say about the need for cyber security, but
made no mention of any initiatives to boost the number of cyber security
professionals.