“Guess who wins every year?” asked Theresa Payton, CEO of Fortalice. “The bad guys win every year. Who is their target? You.”
Payton, former chief information officer for the White House under the Bush administration from 2006 to 2008, captivated delegates with her talk “From the Firing Lines to a Fireside Chat: Perspectives on Personal and Professional Security from a Former White House CIO.”
Some organizations will be targets regardless of what they do, but most become targets because of what they do. It’s important for organizations to think about their overall supply chain and the accountability aspects of that chain, she said.
Payton shared some numbers and asked delegates to guess what they represented:
• 243 days. That’s the average number of days cyber criminals are in your network before you know it.
• 90 seconds. That’s how often malware mutations appear. The malware is tweaked just enough to get by antivirus software.
In short, that means security centers look a lot like Lucy and Ethel in the chocolate factory. “That is the mental image of security centers,” Payton said. “We’re stuffing chocolates in our pockets and calling it incident management.”
Social media is creating real breaches and challenges for corporate America, she said. She shared a story about a company that lost its website. She found it, but it was being held for ransom. An employee unwittingly let hackers gain access through a phishing email. The employee was trying to save the company money on a domain account renewal by using a coupon for Godaddy.com. The company ultimately paid the $500,000 ransom to a business in China.
“Watching a grown man cry is a very uncomfortable thing,” Payton said. “This was a model employee trying to save your company money.”
Security centers must do a better job educating employees about tools and teaching them how to think like a criminal.
When you consider the opportunities for bad guys to get in, “the good guys have to get it right every time. The bad guys only have to get it right once.”
Her tips to improve a company’s security posture:
• Name your digital assets
• Practice a digital doomsday
• Training, policies and procedures
• Tech tuning
• Security in the supply chain
When you go back to your office, “spend time with your team discussing security,” she said. “Take time and name the top two critical assets during the staff meeting. Have someone from corporate communications and someone in customer service run the meeting. Then practice a disaster.”