A central point for collecting information related to computer security, including, but not limited to, security advisories from the major vendors, major data breaches, “phishing” alerts, and commentary regarding staffing levels.
CyberSecurity is all about teamwork
September 21, 2010 at 12:19 pm #111445
Almost want to say DUH! except for the reality that this mindset needs some dramatic reinforcement in the IT Security Community.
From Dark Reading
Turn Workers Into Security Partners
Rather than just protect employees or protect against them, security managers should rely on users to help defend the business
By Robert Lemos, Contributing Writer
Sept. 20, 2010
When the “Here You Have” worm started spreading last week, Intel had only a small number of its computers infected.
The company’s traditional defenses definitely helped, but a critical advantage was its well-trained employees, says Malcolm Harkins, the chief information security officer for Intel. When workers saw the worm and recognized it as a threat, they immediately started calling the information technology team.
“The employee base saw it, they reacted really quickly and helped us contain it by alerting us to it and then telling others not to click on it,” Harkins says.
With the ubiquity of mobile devices and the ability to do work anywhere, companies need to change their mindset toward their employees and treat them as security partners. Recent research has found that employees are increasingly bringing personal devices, such as smart phones, into work or using personal web services, such as social networks, at work.
Attempting to block workers from accessing potentially dangerous technologies does not work, says Ted Schadler, a vice president and principal analyst at Forrester Research. In their new book, Empowered, Schadler and co-author Josh Bernoff argue that managers need to help employees use today’s innovative technologies to help companies thrive.
“If you are too obstructive, workers will just do an end-run around you,” says Schadler.
Many companies have treated workers as a flock to protect or as wolves to protect against, not as the shepherds they could be. For security managers, that means teaching employees not just how to avoid threats, but to help protect the company against them.
“We rethought our security strategy and, you know what, people are the new perimeter,” Intel’s Harkins says. “So if you embrace that part of that perimeter, I think your monitoring and detection increases dramatically, which then gives you a much better response time to mitigate exposures.”
While companies should continue to deploy data protection technology and monitor logs to detect potential data leaks, recruiting employees through training can provide a contingent of additional security help, he says.
Moreover, the security team itself can use innovative technologies to help its mission. For example, Intel’s security teams use occasional “Web jams” internally — collaborative sessions with team members and employees to build awareness for security and corporate policies. The social networking helps the security team connect more closely with employees, says Harkins.
“People want to have debate and discussion,” he says. “We see it as a channel to leverage to get people to understand this risk issues.”
Finally, allow employees to make mistakes and own up to them, say Harkins and Schadler. Taking responsibility is part of empowering the employee to help security, rather than hindering it.
“Mistakes sometimes happen,” Harkins says. “Don’t overreact to mistakes. Use it as a learning experience for the employee and it can be a learning experience for the security people as well.”