First US Federal CISO Shares Security Lessons Learned

Greg Touhill's advice for security leaders includes knowing the value of information, hardening their workforce, and prioritizing security by design.

INSECURITY CONFERENCE – Washington, DC – Greg Touhill encouraged his audience of security leaders, whom he dubbed "the cyber neighborhood watch," to swap war stories and lessons learned during his keynote at Dark Reading's inaugural INSecurity conference, held this week in Washington, DC.
As the first CISO of the US federal government, and with an extensive background in government cybersecurity and the military, Touhill has several stories of his own. Drawing from years of experience, the Cyxtera president shared his own lessons learned to kick off an event created to bring cyber defenders together so they can discuss problems and challenges.
One of the biggest problems is explaining to the business how cybersecurity is a risk management issue. Most security pros struggle to communicate with business leaders, who “speak a different language than we do,” he explained.
"I keep on hearing executives talk about cybersecurity being a technology problem, and they keep pouring money into buying new stuff," Touhill said by way of example. The enterprise instinct to buy new protective tools often distracts leaders from the core problem, which is managing risk.
One of Touhill’s lessons was to avoid chasing fads. Sometimes new doesn’t mean improved, he noted. Security leaders need to keep tech current, not buy every new tool. They should do their homework and base their product decisions on both risk potential and business value.
Knowing the value of corporate information is a key part of evaluating and managing risk. Business leaders know their data exists but can’t explain what it means or how much it’s worth. It’s tough to know where to prioritize security if you don’t know which data is most valuable.
“Information is one of the most valuable assets any business, any operation has,” Touhill emphasized. “Look at your infrastructure, look at how you architect. Know the value of your information and don’t try to defend everything. Defend what you need to defend.”
Security leaders must also prioritize security by design, he continued, using the transition to the cloud as an example. “A lot of folks jumped into the cloud without knowing about the tall, craggy mountains on the other side of that cloud,” he pointed out.
Touhill’s lessons extended to security employees. “Humans fail all the time,” he said, but you can bring down the risk of catastrophic events by training people and making sure they’re appropriately resourced. Hardening the workforce is “critically important.”
“People are your weakest link but also your greatest assets,” Touhill continued. It’s up to security leaders to make the business case for additional training, which is necessary but expensive. The need for education will never go away. Team members, and colleagues across the enterprise, should be taught to “think like a hacker” and “be very suspicious.”
The sentiment extended to another lesson: have a zero-trust model. Most security pros haven’t taken a full inventory of all the trust relationships they have, he argued, encouraging the audience to look at where their trust lies and “be skeptical.” Knowing and remembering the value of information will be critical as a new wave of professionals enters the workforce.
“We’re raising a generation of folks who are freely surrendering their privacy – your privacy – by giving up information and not recognizing the value of it,” Touhill said.

Other lessons touched on security fundamentals. He urged the audience to identify where they aren’t mastering basics or being consistent. “How many times has someone gotten breached and left the backdoor open?” he asked, relating his advice back to thinking like a hacker.
Attackers will go for the underbelly, Touhill continued. They will check every door and window to make sure they are locked. And if they’re not, they will take advantage of it.
Ultimately, along with protective measures and strategies, leaders must also “be prepared for a really bad day,” he concluded. Security teams identify risk and threats, protect against them, and often build response plans but rarely exercise them to practice for a real incident. Those who need to practice the most often don’t.
In the best organizations, everyone participates in cyber exercises and drills – even the boards and the CISOs. “A bad day is going to come for each and every one of us,” Touhill emphasized.
Related Content:
Why Security Depends on Usability — and How to Achieve Both
Developers Can Do More to Up Their Security Game: Report
8 Low or No-Cost Sources of Threat Intelligence
Time to Pull an Uber and Disclose Your Data Breach Now