
No One Secures it Alone: Engaging your staff in the fight against cyber criminals


Presented at BloomCon 0x04 - bloomcon.cc

Abstract:
So you think you can stop the attackers? Guess what? You can’t, at least not alone. Even the best coders, hackers, or computer geeks don’t stand a chance protecting their company alone. The soft skills required for running a successful and engaging security program are too often overlooked.


  1. No One Secures it Alone: Engaging your staff in the fight against cyber criminals
     Member of Allinial Global, an association of legally independent firms. © 2017 Wolf & Company, P.C.
  2. Bio
     • Sean D. Goodwin
     • CCSP | CISA | CISSP | GCIA | GCIH | GSEC | PCIP | QSA
     • Bentley University / SANS Technology Institute
     • Senior Consultant – IT Assurance
     • 0xSeanG on social
  3. Agenda
     • Common pitfalls
     • Building a proper foundation
     • Beyond compliance – explain the “why”
     • Grassroots support
  4. Key Terms
     • AWARENESS – focuses on changing behaviors
     • TRAINING – teaches new skills; will be role-specific
  5. COMMON PITFALLS
  6. That’s a Compliance or HR Function
     • Compliance-driven programs
     • “I think HR covers that during on-boarding”
     • IT/IS is too busy chasing down alerts to train users
     Source: Lance Spitzner / SANS – MGT 433
  7. IT/IS Misses the Mark
     • “Curse of Knowledge”
     • End users are too dumb
     • Focuses on the wrong things
     Source: https://www.behaviormodel.org/
  8. BUILDING A PROPER FOUNDATION
  9. “Never let a breach go to waste” – Randy Marchany
     “When you have a breach, you only have a window of 2-3 months of extra support for your security program; act fast or you will lose that support” – Jess Garcia
  10. Executive Buy-in
     • Have a project plan in place
     • Don’t go straight for the cash
     • Start small
     • Ditch the hoodie!!
     Image: https://www.method123.com/images/project-lifecycle-v2.jpg
  11. BEYOND COMPLIANCE
  12. Start with “WHY”
     • Take time to understand the business
     • Tailor the answer to “Why does security matter?”
  13. Individual Benefits
     • Lunch and Learn
     • Personal device reviews
     • Resources for family members
     • Special events
  14. GRASSROOTS SUPPORT
  15. Security Awareness Committee
     • Gather volunteers from all key business areas
       – Deeper understanding of their processes
       – Get someone in your corner
     • Allows for easier reinforcement training sessions
       – IT/IS not always there in person
       – Themed follow-up
     • Personal pride
       – Formal naming (Ambassadors, Champions, Advocates, etc.)
  16. POSITIVE Reinforcement
     • Wall of Sheep vs. Wall of Fame
     • Track “wins” by department
     • Individual kudos
     Source: https://www.wallofsheep.com/
  17. Final Points
     • Keep it short / non-technical
     • Provide updates to leadership
     • Play the long game
     • Focus on small “wins”
  18. Resources
     https://seangoodwin.blog/bloomcon4
