A lack of communications enables breaches and helps derail cybersecurity projects

ByKayne

Communications issues are one of the less obvious challenges associated with the deployment of any new technology. A lack of end-user communications inevitably limits the adoption and usage of new security technologies, and a lack of understanding gives users reason to circumvent new security controls. However, this does not have to be the case, and this article will examine the effects of communication (and lack thereof) on two different client projects.

The client was a mid-sized financial company in the eastern United States. They purchased a technology product to help address their cybersecurity risks associated with managing escalated user privileges, and they sought to run the project as a technology project. An initial set of administrators were trained on the product. Despite recommendations from the vendor, the client chose to not   involve their PMO and to not produce any end-user training or communications other than a hastily-composed email informing each user that they would have a new method of gaining escalated permissions. This email was to be sent out five minutes before each server deployment and only to the users affected. Similarly, the client chose to disregard recommendations that they notify the help desk of any new troubleshooting procedures.

It would be an understatement to say that the project did not start well for the client. I met with the client several years after their initial deployment of this technology to find that they were still struggling with end-user adoption. Users claimed the technology made their jobs more difficult, and each line of business could delay and push back against the adoption of this technology. At least one known instance of data exfiltration had occurred on a server where the solution had been delayed due to end user opposition. The CSO had written off the technology and was actively pursuing new vendors to replace this failed deployment.

In comparison, the second company was a retail company in the western United States. They had chosen to deploy a security product to achieve regulatory compliance on a limited subset of high-visibility servers. After several discussions with the CSO, a VP, and a senior manager, the client agreed that they would not treat the project as a technology deployment but rather as a business program, despite it being limited to less than 10% of the servers in their compute estate. A project manager from the PMO was assigned to the project and immediately grasped the need for adequate communications.

An initial email introducing the program was sent by the CSO to the administrators and users on the servers within the scope of the program. A follow-up meeting was held, with several senior managers explaining to their staff why the program was necessary and how it would help them address regulatory concerns and also the risks associated with data breaches. These sessions were recorded for staff who could not attend in person.

Each server where the technology was being deployed followed a standard communications template:

  • One month before the deployment date, the change management board was notified and would often approve the deployment

  • At the same time, the help desk and provisioning teams were notified that support and provisioning procedures would be changing for that server

  • Three weeks before the deployment date, the users were notified of the pending deployment and asked if they had any questions. This notification came in the form of an email, and in some cases, was integrated into standing staff meetings

  • Two weeks before the deployment date, the users were sent an email with the email address, phone number, cell phone numbers, and war room location of the project team. This way, in case anything was perceived to have gone wrong, users could pick up the phone or walk over to discuss the issue immediately with the project team.

  • A week before the deployment date, the users were sent another reminder about the pending server deployment.

  • On the day of the server deployment, the help desk updated their support procedures so that, for the following two weeks, all calls about the deployed server would immediately be routed to the project team

  • On the day of the server deployment, users were sent an email before deployment and then post deployment. In cases where standing staff meetings were scheduled on deployment days, managers would remind their staff as part of the agenda.

  • Two weeks after the server deployment, the help desk would resume handling support cases associated with the deployed server.

The advantage of this emphasis on communications was clear both during the initial phases of the project and several years later when I met with the client for a follow-up over coffee. The two-week help desk transfer of ownership to the project team helped to define and build internal support procedures for the new security technology and led to an internal FAQ where users would often be able to solve their own problems. The project manager had been recognized and promoted for their contributions to this essential cybersecurity program. And the external audit firm retained to verify quarterly regulatory compliance had no findings associated with these critical servers after years of operation.

When planning any migration or deployment of new technology, businesses should carefully consider the best way to communicate the intent and need of the new technology to those users affected by it, as well as to those who work in supporting roles. Otherwise, businesses may find their best-in-class security solutions stymied by mediocre basic communications.

Similar Posts

AI in Cybersecurity: The Good and the Bad

ByKayne

“[AI] allows a threat actor to scale a lot faster and across multiple channels,” Kayne McGladrey, chief information security officer at compliance management company Hyperproof, told Built In. “And the defensive tools haven’t quite caught up. Unfortunately, none of this stuff is going away. This has now become a fixture of the landscape. It’s part of our new, modern cybersecurity hellscape that we inhabit continuously.”

5G and What it Means for Cybersecurity

ByKayne

“Consumers should use the ‘guest’ network of their home Wi-Fi routers as a dedicated network for IoT devices, so if one of those devices were compromised, the threat actor can’t easily pivot to more valuable data.” That’s the case for newer devices, he says. “For older, cheap, IP-based security cameras and digital video recorders (DVRs), the easiest way to secure them is to recycle them responsibly as there often are no security updates available.” The ability to update devices over their lifetime is essential to security, and should factor into buying decisions, he says.

Episode 55 — How Informed is the Board of Directors on Cybersecurity Risks?

ByKayne

With the global cost of cybercrime expected to reach $10.5 trillion by 2025, cybersecurity has become a board-level imperative. According to the Diligent Institute survey ‘What Directors Think,’ board members ranked cybersecurity as the most challenging issue to oversee. Even though boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. Kayne McGladrey, Field CISO at Hyperproof and a senior IEEE member sheds light on this important aspect of cybersecurity governance. The driving question being: How informed is the Board of Directors to provide effective oversight of cybersecurity governance?

What Thoma Bravo’s latest acquisition reveals about identity management

ByKayne

Identity management of users and devices is key for CISOs to manage the risks associated with unauthorized access to sensitive data and systems, according to Kayne McGladrey, Field CISO at Hyperproof and IEEE senior member. “From a control operations standpoint, the two most important capabilities are the ability to validate a user’s behavior when it deviates from the norm, and the ability to quickly de-provision access when it is no longer needed,’’ McGladrey told VentureBeat.

For example, if a user regularly logs in from Washington State using their Windows-powered computer to access a single program, there’s little reason to prompt them for a second authentication factor, he said. “But when the device changes, perhaps a new Mac computer that’s not configured correctly, or their location suddenly changes to Australia, they should be prompted for multifactor authentication as part of identity validation before being allowed to access those data,” McGladrey said. When a user leaves an organization, their identity access should be rapidly revoked across all platforms and devices. Otherwise, organizations run the risk of a threat actor using the older access and credentials, McGladrey added.

The New CISO Journey Includes Tried & True Old Steps

ByKayne

“It remains a very complicated role because you have to ultimately be able to speak, to three separate audiences: the business folks- who are interested in cost controls and also cost savings and cost improvements, and material effect of the business. The technology folks: who want to know that you’re doing the cyber right. And legal folks: who want to know that they’re adequately shielding the business from legal and regulatory risk.”