Elevating Security Awareness

Increasing the Relevance and Scalability of End-User Education

Topics: Information Technology, Information Security, IT Governance, Data Management

Demonstrating Vulnerability

Practice 7: Vulnerability Consultations

Repurposing Monitoring Data for Awareness

Numerous sources of potential security awareness data

Non-technical staff may have trouble understanding why cyber risks affect them; leverage the data already collected through audit committees, penetration testing, phishing analysis, and tools like data loss prevention (DLP) to demonstrate real vulnerability and engage end users more effectively. See Tool 1 in the appendix (page 56) for a compendium of key performance indicators for security awareness.


Making the most of monitoring tools

A DLP tool monitors data transfers such as email for information that could be sensitive (e.g., a nine-digit code that could be a Social Security number) and can block outgoing communications. To make the most of a DLP investment, the CISO at Texas State University kept the tool in learn mode for six months, to discover where on campus sensitive information was moving and pinpoint root causes of unsecure behavior.



Using DLP to Fine-Tune Security Outreach

Calibrating interventions with monitoring data

Analyzing the DLP information, Texas State’s CISO visited unsecure departments one by one to discuss security rules and implement specific fixes for unsecure data transfers. The appropriate intervention depends on data type, location, and root cause; the CISO used a combination of campus-wide emails, one-on-one meetings, and process redesign to prevent the risky behavior identified through DLP monitoring.
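
The learn-mode approach described above (monitor for nine-digit, SSN-like values without blocking, then see which departments they come from) can be sketched as follows. This is an added example, not code from Texas State or any DLP product; the message fields, department names, and sample messages are constructed for illustration.

```python
import re
from collections import Counter

# Nine digits, bare or grouped 3-2-4 with one consistent separator.
SSN_LIKE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def plausible_ssn(area, group, serial):
    """Drop values the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def has_ssn_like(text):
    return any(plausible_ssn(m.group(1), m.group(3), m.group(4))
               for m in SSN_LIKE.finditer(text))

def learn_mode_report(messages):
    """Count flagged vs. total messages per department. Nothing is blocked,
    and matched values are not stored, so the report holds no sensitive data."""
    flagged, total = Counter(), Counter()
    for msg in messages:
        total[msg["dept"]] += 1
        if has_ssn_like(msg["subject"] + "\n" + msg["body"]):
            flagged[msg["dept"]] += 1
    return {dept: (flagged[dept], total[dept]) for dept in total}

def prioritize(report):
    """Departments with at least one hit, highest flagged share first."""
    hits = [d for d, (f, _) in report.items() if f]
    return sorted(hits, key=lambda d: report[d][0] / report[d][1], reverse=True)

# Constructed sample messages; departments and contents are hypothetical.
SAMPLE = [
    {"dept": "registrar", "subject": "Records", "body": "Student SSN 123-45-6789 attached"},
    {"dept": "registrar", "subject": "Transcript", "body": "Call 512-555-0100 to confirm"},
    {"dept": "financial_aid", "subject": "Award", "body": "Verify 234 56 7890 for award"},
    {"dept": "athletics", "subject": "Order 900-12-3456", "body": "Shipped"},
    {"dept": "athletics", "subject": "Schedule", "body": "Game moved to Friday"},
]

if __name__ == "__main__":
    report = learn_mode_report(SAMPLE)
    for dept in prioritize(report):
        print(dept, report[dept])
```

The plausibility filter and the separator check keep phone numbers and order numbers from inflating a department's count, which matters when the counts decide where in-person time is spent.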


A 90% decrease in "bad" emails

DLP analysis allowed the CISO to focus valuable in-person conversation time on departments where there were real, recognizable issues. Bringing actual vulnerability data focused and grounded the discussion. Using real data to prioritize interventions paid off; within six months, the percentage of emails containing sensitive data decreased by 90%.


Practice 8: Security Scorecards

Making the Most of Required Board Reporting

A bottom-up summary of risks for the board

When the board of trustees at Ohio State University sought increased reporting from IT, the CISO developed a simple self-grading survey mechanism for campus. The annual survey is based on a standard National Institute of Standards and Technology (NIST) framework, with 100 questions developed in cooperation with campus experts (e.g., general counsel). The local academic, finance, and IT leaders are required to sign off on scores before the survey is sent back to the CISO.


Security "heat map" for board of trustees

For the board of trustees, the CISO builds a university-wide heat map with 160 columns representing units and 30 rows representing risk areas. The board can easily identify which categories have security controls that are working well, where there are outliers that need additional help, and where problems across campus could prompt a systemic fix.



Scorecards Show Units’ Relative Security

No one wants to be last

To maximize the impact of campus surveys and help units understand their own vulnerability, the CISO produces department-level scorecards that compare units to peers (e.g., academic departments, research centers) and the institution as a whole. The scorecards help local academic and finance staff set benchmarks for improvement, understand peer comparisons, and identify key areas for remediation in the coming year.


Visibility sustains engagement

Attention from the board and new visibility into risks for business and academic leaders has already generated positive results for Ohio State. In its second year, the survey gained 100% participation from units, and instead of pushing units to accept cybersecurity policies, there is overwhelming department demand for CISO involvement with security consultation and policy writing.


Practice 9: Demonstration Hacks

A Warning Units Can’t Ignore

Vividly illustrating "this could happen to you"

While most leaders are practical about risks and willing to take guidance from the CISO on how to protect data, CIOs suggest that sometimes more drastic action is needed. At one large, public university, the CIO partners with a private-sector firm annually to scan the institution’s network for vulnerabilities. The riskiest quintile is composed of IP addresses in departments with historically poor risk management, and the IT team guides the vendor toward demonstrative penetration tests that will make an impact with unit leadership.


Targeted hacks show dangers to "local" data

While non-technical staff might not understand the complexity of information security risks, a visual demonstration of real vulnerability to mission-critical priorities will generate action and new attention to risk mitigation. Demonstrations should be extremely private and non-punitive; the conversation around vulnerability is a valuable teaching moment for deans and administrators previously unfamiliar with new cyberthreats.


Practice 10: Self-Phishing

Pre-wiring Is the Key to Self-Phishing Success

Great in theory, distracting in practice

Self-phishing is a controversial tactic for many CIOs and their teams, and for good reason: a self-phishing campaign sent out without notification of end users and key stakeholders can cause confusion, anger, and wasted time across campus.


Targeted preparation maximizes campaign benefits

Successful self-phishing begins with extensive pre-wiring that clarifies the intention, scope, and ramifications of the campaign. The core message for all those affected by self-phishing is that the campaign is a service on behalf of campus to protect their data and the institution, not an attempt to expose or punish users that may be vulnerable.



Moving in the Right Direction

Students and faculty better prepared after being self-phished

At Eastern Michigan University, effective pre-wiring with campus partners before the self-phishing campaign helped reduce the account compromise rate month over month for students and employees, delivering real savings to the IT help desk and internal units. Rather than the campaign meeting with campus opposition, the IT team found that staff and faculty were gratified to learn about their vulnerability and wanted to know how they could be safer in the future.


Making Risks Relevant

Incentivizing Secure Practices