Where does security sit in the IT organization? What techniques do you use to improve security awareness? How do you handle phishing and suspicious activity from insiders and contractors?
Imperva CISO, Shahar Ben Hador, answered these questions and more in a Q&A webinar we held featuring his perspectives on a number of IT and security-related topics. Compiled below are excerpts from six questions and answers we found particularly interesting and thought you might also find valuable.
Full webinar: “Unedited: Tales, Tips and Technologies from a Security Company CISO.”
The IT org chart at Imperva is different from those of other companies. Tell us about that.
Shahar: Many times information security projects get their start from within IT operations, because of the awareness and the knowledge that they have. But when I was promoted to the CISO position, our CIO and I decided to have IT operations report to my department. Architecture, business applications, program management and strategy remain with the CIO, but having IT ops report to me tells the operations teams to get all the research they need to implement a security program while also raising their awareness.
I’m sure there are a few envious security chiefs hearing about this. But from talking with other CISOs we understand that this could be very valuable—not only from the standpoint of security awareness for IT operations, but also how it lets you ensure that their priorities remain security-focused. Even more significant is to have direction over the budget.
Shahar: Yes, I think it’s working great. I have a great ops team with strong leadership. While I have the last word regarding priorities, they understand the needs. I don’t have to always get involved for things to be done.
An example is how we address vulnerabilities, with new ones always being discovered. In our process, the [info security] team prioritizes what needs patching, and then IT does the patching. The organizational structure permits a very effective process for these two teams to work toward a common goal.
Imperva is a security company producing security tools, with a staff full of security-minded people. With insider threat being a chief concern, how do you improve security awareness among the [1,000+] employees located around the world?
Shahar: We’re trying to be very open in how we communicate and train our people. We’ve created a phishing awareness program to help employees better detect such emails and deal with them effectively.
As a part of one campaign we spoofed an email from a woman who has done a lot of work for Imperva, but is not an employee. It asked staff to update their email signatures to match hers. Without doing their due diligence, sure enough a few hundred people clicked on it.
You’ve been running a lot of these campaigns. Is Imperva making internal progress in relation to dealing with phishing attempts?
Shahar: Yes, we’re seeing a declining trend in the number of people who click the links. But it’s an ongoing educational process. The difficulty level rises in the next campaign, so we expect some more people to click again. We’ll run it the next few quarters and see if we can improve as an organization.
As you look back over the past three to five years, what has significantly changed your expectations as Imperva’s CISO?
Shahar: So many things have happened in the last few years. Everybody knows about Edward Snowden and his NSA revelations. While he hasn’t changed the threat landscape, he has changed awareness of the insider threat, that not all insiders carry good will. Very few have malicious intent, but all organizations have to protect themselves from the rotten apples. The insider threat is one that all need to be prepared to defend against.
I suggest building your strategy in layers…having five or six layers gives you more opportunities to thwart the bad guys. Yes, cyber criminals need only one successful boot cycle, but successfully passing the first layer doesn’t have to equate to them reaching their prize.
What type of extra security do we wrap around contractors who work for Imperva?
Shahar: We pay more attention to what they’re doing. We store contractors’ credentials in a dedicated repository and assign them a higher risk level within our analytics and identity management programs. A suspicious employee activity gets one score, while the same activity by a contractor gets scored higher.