Pwnie Express does not in any way condone fear mongering. That being said, the resignation of Target CEO Gregg Steinhafel (following a data breach that affected 40 million customers and will cost the company at least $148 million) is inherently scary, and not just in the InfoSec world. Those numbers should wake up even the most anti-IT, “we don’t need to spend money on that” executives. And with numbers like that, the business world is opening its eyes to the dangers, with publications like Bloomberg Businessweek and Forbes publishing the “CEO Guide to Cybersecurity” and “Five Smart Cybersecurity Moves from Top Security CEO's”.
But there’s still a lack of communication between the business world and InfoSec experts, and it hurts both sides more than many realize. Security is not an isolated problem: the fallout from a failure lands on the entire organization, and an effective security posture requires the entire organization to take part. The question, then, is how to involve the organization and teach it about a problem that is inherently esoteric - 0’s and 1’s causing real-world trouble.
We recently spoke with a security consultant about the challenges of educating an organization, and his suggestion was both practical and effective: the best way to teach awareness is to get people’s hands dirty. Sometimes quite literally - lockpicking is a popular InfoSec hobby, and it’s a great training tool as well, because a lock that opens in thirty seconds makes the point better than any slide deck. Not until they actually do something - pick a lock, join a hackathon (what can you find with a basic nmap scan?), or sit through a staged attack - will most people understand what they are up against. Services like PhishMe show employees that they are more vulnerable than they realize - and that phishing emails don’t always come from Nigerian princes.
Computer Weekly published an article on the usefulness of attack simulation in winning executive buy-in for security. Like a penetration test aimed at people rather than machines, a staged attack can wake up even the most staid executives. Once the threat is real to them, IT security becomes a necessity, not an optional expenditure. A simulation also exposes weaknesses in the incident response plan, because business execs unfamiliar with security problems are forced to work out what is actually wrong and who it affects - do they notify clients? the press? freeze accounts? Not unlike Netflix’s Chaos Monkey, these exercises deliberately break (or simulate breaking) your systems while the consequences are still controlled, so the gaps show up before a real attacker finds them. Computer Weekly’s source Marco Gercke said that “in a real cyber attack, I once saw a board take nine days to issue a press statement because they did not understand the complexity of their company’s IT systems.” By making security real to everyone in the organization, the organization’s security posture becomes more robust.
Think of it like Halloween - only every trick you dole out is actually a treat.
For another story on frightening CEOs with cybersecurity, see NPR's "Cyber Briefings Scare the Bejeezus out of CEO's".