“It’s not you, it’s me.”
If you’ve ever ended a relationship or, sadly, been dumped, you’re probably familiar with that line. In my mind, it will forever be associated with an episode of Seinfeld.
When George’s girlfriend tells him, “It’s not you, it’s me,” he’s enraged – not because she’s dumping him but simply because she beat him to it. By using the age-old line on him first, she kills his opportunity to look good while doing a bad thing. George cares more about looking like ‘the good guy’ during the breakup than he does about the relationship itself.
Oddly, that same line kept popping into my head after I attended the IT security conference, SC Congress Toronto last week. During a session called ‘Top Three Threats,’ I noticed that all three panelists espoused a security philosophy that goes far beyond just focusing on outside, external dangers. Rather than just blaming everyone (and everything) else, they’re also looking inward to ask, “How is our organization responsible?” and “What can we do better?”
If you edit the line for today’s IT security environment, it becomes, “It’s not just you hackers, malwarists and other bad guys, it’s us.”
Another theme I noticed during the panel: the biggest threats are people, not things. Instead of focusing on dangers that are purely technical (software bugs, hardware glitches, viruses, etc.) the panelists talked about human beings, their behavior and their psychology.
Bear those two themes in mind when reading this list of top threats discussed by the panel, which focused on the financial services sector:
The ‘no’ mindset: By saying ‘no’ to every staff request, “we’re starting to get in the way of our employees doing their jobs,” said Jeff Stark, VP of IT and information security officer at Bank of Tokyo-Mitsubishi UFJ Canada. “(And) it’s actually making us less secure,” he added. How? By driving workers towards shadow IT, for one thing. “Don’t blame your end users,” said Stark. Instead, educate them and work towards ‘yes’ together.
The ROI blind spot: We focus a lot on calculating the ROI of security solutions yet not nearly enough on calculating the cost of risk, said Phil Umrysh, director of information security and compliance at LoyaltyOne. To educate staff, lay out all the costs of a breach after every security incident, he suggested. Can you say ‘yes’ to staff requests that may veer into risk points? Sure, said Umrysh, as long as you assign a dollar value to all that risk.
The vendor’s victim: “Why are we allowing (vendors) to create software that’s bug prone … and paying them tons of money?” asked Bobby Singh, VP and CISO at TMX Group. He called for customers to band together and push back toward vendors. “I don’t know if we’re gonna win that battle but we’ve got to at least fight it.”
It’s not that these CISOs are relinquishing the upper hand to hackers and other threats from the outside world. What they are doing (unlike George Costanza) is taking an honest, realistic look inward. As Singh put it, “We’re done chasing … We’ve got to be better.”
Unlike George, they’re more concerned about doing the right thing than about looking like good guy victims.
The post Financial services CISOs know exactly who to blame for IT security issues appeared first on expertIP.