Intelligent CISO Issue 10 | Page 34

P RE D I C T I V E I NTELLIGEN CE  “My mandate was to do everything necessary to protect the university community,” the Head of Information Security reported. “We invested in technological solutions, but with 30 years of IT experience, I know that you need to invest in people, not just processes and technology. You need to make them human firewalls.” He added: “Look at it this way. You can put five locks on your door, but if you leave the keys under the doormat, the locks don’t do much good. Fortifying the human firewall is my utmost priority. The human element is the most important part of your defence.” “Hey, is this the right payment?” The cyber-programme director of a multinational utility echoed these remarks. “My CISO often states that if he had to cut all of his budget, down to The human element is the most important part of your defence. the bare bones, all that he would choose to spend on would be awareness and response,” he said. “We had a scenario where, all the way up to the CEO, they were ready to make a treasury payment until somebody finally picked up the phone and said, ‘hey, is this the right payment to be made?’ And it was blocked.” Referring to constant changes in attack techniques and the need for defensive adjustments, he added, “I’m reminded of a quote from Alice in Wonderland, when the White Queen was saying, ‘In order to keep up, you have to run as fast as you can.’” Removing phishing emails ‘sometimes in five or 10 minutes’ An operational risk consultant with a global financial company shared with us 34 Kamel Tamimi, Principal Security Consultant, Cofense Inc an example of employees helping the SOC stop phishing threats in minutes. “I don’t think security is going to be improved by the next best technology we put in place, whether it’s an appliance or a firewall or something that blocks at the proxy,” she said. “For example, we had a Word document with macros slip through our filters, so we just need to teach the humans that own our email addresses to be extra-vigilant.” She continued: “We see some departments reporting as high as 60% in phishing simulations, but they also report [real] malicious emails that go to our cyberdefence teams – and they get them out of the network sometimes in five or 10 minutes.” “That’s a return on investment.” Noting the futility of investing in technology while users remain untrained, a cybersecurity awareness evangelist at one of California’s largest companies said: “In one corner you’ve got US$10 million in defence perimeter equipment and on the other side, of course, you’ve got ‘Dave.’ A machine cannot apply a non-linear approach to a problem. A machine is just conditioned to do one thing. But a human-being with instinct can make decisions that are a lot more intricate.” His company too relies on employees to report actual phishing threats. “Last month, we saw 33 reported threats come into our IR inbox,” he said. “When you consider that a breach could cost six million dollars, that’s a return on investment.” “What did you do to prevent this?” The last word comes from another global financial company: “To not focus on phishing would be pretty negligent on any company’s part,” said the company’s Issue 10 | www.intelligentciso.com