To protect against cybercrime, every organization needs to build
a culture of information security. There are three elements related
to security: technology, people, and processes. In order to effectively
execute this, leaders in this space need to become "Sneaker CISOs."
Sneaker CISOs (Chief Information Security Officers) are more
focused on people and process than they are on technology.
Too many security professionals today are
so deep into the technology that they don't pay
enough attention to the people and processes.
I was one of them. But technology can't secure
technology. That's a lesson I learned the hard
way when I started working with public
utilities.
Prior to that, I'd been working for
government agencies, where all we had to focus
on was the operations side. The utility industry
was for-profit, and so it also had a business
side, where systems were being digitized. At
the time I started, the operational side was all
analog.
When the operational side started
to become digitized, they committed the
cardinal sin of connecting their operational
technology to their business networks to
make their regulatory reporting more efficient.
Someone was able to make their way into the
operational technology, which is typically not
very sophisticated, and began to encrypt the
systems that were running it, and shut down a
gas pipeline.
If they had consulted a security engineer,
safeguards could have been put in place
before connecting the systems. There's
little technological difference between the
Windows 10 used in enterprise systems, and
the Windows 10 that the U.S. Air Force uses.
The only difference is "people" and "process."
That's when I realized that, in the digital world,
Feature By: Tony Carothers
HOW TO WIN AT
CYBERSECURITY: BECOME
A 'SNEAKER' CISO
In the world of cybercrimes, the effective execution and deployment of technology, people, and
processes are the first steps in building a culture of information security.