As organisations prepare for major transformation of their business or operating model, CIOs are having to devote time, skills or resources to storytelling. As Digital Transformation Director Steve Homan recently told the Horizon CIO podcast, “If you go to bed thinking you have over communicated, then you have probably done just about enough”. But it is not only business change that requires constant good communications; so too does the ever-increasing security agenda.
In the second of two podcasts with Ojas Rege, chief strategist with security services provider MobileIron, the US-based expert says communication is key to organisations in the battle to avoid a major cybersecurity attack.
“People are the first and last line in security and the technology is just an enabler,” Rege says ahead of a Horizon CIO roundtable event. “A lot of organisations talk of the insider threat and we know that this is a major threat vector, but there is a reverse side of that, which is how do you get insider help. There will be malicious activity inside the organisation, but how do you make sure that the other 99.09% of your organisation is aware of security and is aware of what actions to take,” the strategist says of how a well-informed workforce becomes the frontline of defence, as they can instantly spot a change in the organisation or its systems.
“Communications was not necessarily one of the criteria that was used to hire into IT organisations historically, but if you are a technical expert in IT but you cannot communicate effectively to your end user community, then you are only doing half of the job,” Rege says of the growing importance of good communications from technology teams, something that was raised by the CIO of the Boston Consulting Group, Adel Du Toit, on the Horizon CIO podcast. But Rege says how CIOs communicate is essential:
“If I only tell you there is a threat, that sounds like the sky is falling every single time and the way the business hears that is ‘now you are going to tell me what I can’t do. Threat, threat, threat, don’t do this, I have to run a business, that doesn’t work for me.’
“So the story is much broader and you say: ‘here are the things we want to do as a business, here is how I as a security organisation am going to help you, the elements of my plan, the impact of those and here are the trade-offs we are going to make,’ so I am building my story around the business and how security is an enabler rather than a restriction of end user behaviour, then I have a story that the business not only wants to hear, but the business will also get on the same page as me and I will get the behaviour I want.”
Rege believes this focus on communications is also essential because of the structures of major organisations. The MobileIron strategist says the senior leadership team are well aware of the threats, especially in a week such as this where the hack and cover-up at ride hailing service Uber has been headline news. But Rege believes mid-level staff do not understand the impact, and creating a climate of fear will not change their behaviour.
“The thing that drives the behaviour on the front line is the ability to do their job better so the whole notion of security as an enabler is so fundamental and it becomes part of the story, part of the RoI and part of the architectural model that CIOs have to make,” Rege says.
Having warned CIOs not to use threatening language, Rege says the technology community also needs to change its message: “The biggest challenge is that there are lots of security vendors who say there are lots of threats out there, and the sky is falling. Why? Because that is how they sell their software and it is not that this is not true, but security services that do not drive adoption and innovation are not going to be successful in the long run,” he says.
Shadows of BYOD
Following the release of the iPhone in 2007, CIOs faced a new phenomenon: staff wanting to buy their own technology and carry out work tasks on it. Bring Your Own Device (BYOD) was a major topic of debate, but posed security fears for CIOs.
“The iPhone was seen as a threat, but the combination of basic security encryption suddenly made it something that the enterprise could use. So security became an enabler as it allowed a device that was so in demand by the users of the organisation to be accepted,” Rege says. He believes BYOD was a major form of shadow IT: “In the past, shadow IT was a horror for most organisations and shadow IT was perceived as bad stuff happening outside of IT’s control and it was a pain and a lot of security issues.
“Mobile changed the mindset and then shadow IT became the best indication of what my users want and to see what services are being used that are not provided by his or her department, those are the services that are really making a difference, it could be a device or an application, so then the CIO can see that these are the services they should be supporting,” he says.
Discussing shadow IT, Rege says that as organisations today struggle with productivity, especially in the UK, shadow IT is an indicator of how to help productivity: “Macros were the first shadow IT, organisations recoiled at first, they didn’t think about productivity, and it all comes back to productivity, that is how innovations come about. The key for the CIO is how do I let my organisation tap securely into innovation. I should not be a restriction of innovation,” he says.
One benefit of BYOD and shadow IT that has come about, Rege believes, is that it can limit the impact of attacks such as WannaCry, the malware that hit many organisations, including the NHS, in 2017.
“As you look at the new operating systems entering the enterprise, that heterogeneous environment is more complex, but it also helps security. Think back to WannaCry, because we had heterogeneous environments of all these unpatched PCs one attack was able to take everything down. If you don’t have a heterogeneous environment you can’t have an attack that takes everything down, you have layers of functionality and security that are self-reinforcing,” Rege says.
Back in October 2016, internet domain name service (DNS) provider Dyn was the victim of a major distributed denial-of-service (DDoS) attack, and Rege says of this attack: “What if that had happened to a power grid rather than an entertainment service like Netflix. The lesson was that we have a tremendous number of devices on the network and if a malicious attack can activate the devices and drive packets out of them, I can take down networks. What brought Dyn down was baby monitors and fridges and smart cameras and these were the devices that the botnet attacked and they created so much traffic it brought the network down,” Rege explains.
At the time of the attack, Dyn estimated that it had involved “100,000 malicious endpoints”.
“I’m hoping that the attack opened up a lot of eyes to a new kind of threat: what happens as IoT systems come into the enterprise network? If I am a CIO I spend a lot of time thinking about my network and all the IoT services I am deploying and there is a whole series of devices entering my network, such as if HR gives everyone a Fitbit or facilities installs self-ordering fridges, so there are all these endpoints on my network that I do not control.” Rege says that every CIO faces a Dyn-type incident as wider areas of the business add services to the networks the business relies on.