Summer is over and as fall starts to settle in, football season starts again. It was while reviewing my son’s upcoming schedule that he pointed out that some of the earlier games in the season are against teams with more skilled players. However, he quickly pointed out that those games are at home and that this would be a big advantage to him and his teammates. This got me thinking about how those of us tasked with defending our organization’s information assets prepare to tackle our adversaries.

There have been recent headlines about attacks that nobody would blame any CISO for, which make it seem as if the criminals had all the advantages on their side, guaranteeing a win. Those articles give us a constant stream of news highlighting recent security breaches in organizations, warnings about Advanced Persistent Threats (APTs), how attackers are easily circumventing security solutions and how users continue to compromise systems by clicking on links or attachments.

How CISOs Need to Play to Their Strengths

It was then that I thought that if a kids’ football team can look at how to play to their strengths to defeat their more skilled opponents, then CISOs should look to do the same. The biggest advantage a football team and a CISO have is that they always have home-field advantage.

Playing at home gives you many advantages over the opposition — you know where every bump and hollow is on the pitch. You know which end of the pitch is more favorable depending on the weather or which way the wind blows. You also have local resources to help support you.

We should look to those same advantages when defending our networks. The attacker has to learn how your network is connected together, where the valuable targets are in that network and how to avoid being detected by your security controls.

So if home-field advantage is such a plus, why are we reading about so many breaches? Are the attackers we face so highly skilled and sophisticated that we don’t stand a chance in competing against them?

It’s Often the Simple Mistakes That Allow Attackers to Breach Defenses

This is not the case. Yes, we do read many stories about sophisticated attacks and major breaches, but these tend to be rare items. If we look into the details of these attacks, we find that it is often simple mistakes that enabled the attackers to breach the defenses, undermining any home-field advantage. Just as a sports team fails if it is not operating as a well-oiled machine, your security program will fail if it is not operating properly.

The IBM Security Services 2014 Cyber Security Intelligence Index (Index) highlights a number of examples where the home team lost by not focusing on the advantages they had over the attackers. The Index analyzes data from attacks and security incidents seen across IBM’s worldwide security operations and provides great insight into the threats that all organizations face.

For me, the key takeaway from the report is that 95% of all incidents involved some form of “human error” as a contributing factor to the incident. In other words, if humans had not been involved, 95% of attacks would not have been successful. So what type of “human errors” contributed to these incidents? They include:

  • Users double-clicking on links in emails or unsafe URLs
  • The use of poor passwords
  • The use of default user names and passwords
  • Lost laptops or mobile devices
  • Poor patch management
  • Misconfiguration of systems

The report also highlights how many companies are struggling to deal with the sheer volume of alerts their systems generate each day, if indeed they are monitoring those alerts in the first place.

Where Should a CISO Focus?

So it appears that instead of playing the home-field advantage and using all our resources to protect our systems, many organizations are not focusing on the contest at all.

Given the rising number of attacks, the greater connectivity and integration of systems and our businesses’ dependency on secure and reliable systems, we need to focus properly on what we are trying to achieve and make better use of the resources we have in hand.

To do this, we need to better engage the business and senior management in accepting that information security risks are not just risks to the IT systems but are risks to the business. These risks need to be treated and managed the same as any other business risk. We also need to look at how to reduce the “human error” factor. This will involve the CISO engaging with the users and providing effective security awareness programs. These programs should not just focus on the end user, but also on those responsible for developing, implementing, managing and supporting our systems. This group needs to be made more aware of the risks against those systems and how they can better secure them.

As CISOs we will never fully eliminate the “human error” factor, so we need to review how well we monitor our systems and whether or not we are monitoring the right systems, for the right events, at the right time. To do this, we need to ensure we get timely, actionable and effective alerts so that any attacks are detected and dealt with quickly and efficiently.

Playing at home is a major advantage; let’s make sure it’s not undermined by neglecting to make the proper preparations before we take the field.
