Weekly Update #8 – CONs and Security Awareness

2018 ISACA New England Conference

This week I was fortunate enough to attend the 2018 ISACA New England Conference. Between catching up with clients and colleagues I was able to sit in on a few interesting sessions.

The CISO for Verodin presented on the concept of continual control validation. The presentation was pretty interesting. The idea is to deploy “agents” throughout the network that mimic production devices, and then continually “attack” those agents with safe, synthetic actions. This allows you to verify that the preventative and detective controls within the production environment actually block and alert on what they are supposed to, rather than assuming they do.
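To make the concept concrete, here is a small harness sketched as an added example; it is not Verodin's product or code, and the egress policy, the detection rules, the host names and the domains are all constructed stand-ins. Each validation case is a synthetic action an agent would replay, paired with what the preventive control (an egress policy) and the detective control (rules over the resulting log line) are expected to do. The run then reports every case where the real outcome differs from the expectation, which is exactly the control gap a continual validation program is meant to surface.

```python
"""Toy continual control validation harness (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ValidationCase:
    name: str
    action: Dict[str, object]  # synthetic action replayed by the agent
    expect_prevented: bool     # should the preventive control block it?
    expect_detected: bool      # should the detective control alert on it?


# --- simulated preventive control: an egress policy (constructed values) ---
ALLOWED_EGRESS_PORTS = {53, 443}
DENYLIST_DOMAINS = {"c2.example.invalid"}


def preventive_control(action: Dict[str, object]) -> bool:
    """Return True when the simulated egress policy would block the action."""
    if action["type"] != "egress":
        return False
    return (action["port"] not in ALLOWED_EGRESS_PORTS
            or action["domain"] in DENYLIST_DOMAINS)


def emit_log(action: Dict[str, object], prevented: bool) -> str:
    """Telemetry the environment writes for the action (constructed format)."""
    verdict = "DENY" if prevented else "ALLOW"
    return (f"egress {verdict} host={action['host']} domain={action['domain']} "
            f"port={action['port']} bytes={action['bytes']}")


# --- simulated detective control: two rules over the log stream ---
DENIED_EGRESS = re.compile(r"egress DENY ")
ALLOWED_EGRESS = re.compile(r"egress ALLOW .* bytes=(\d+)")
LARGE_UPLOAD_BYTES = 50_000_000  # hypothetical alert threshold


def detective_control(log_line: str) -> List[str]:
    """Return the names of the rules that fire on one log line."""
    fired = []
    if DENIED_EGRESS.search(log_line):
        fired.append("denied-egress")
    match = ALLOWED_EGRESS.search(log_line)
    if match and int(match.group(1)) > LARGE_UPLOAD_BYTES:
        fired.append("large-upload")
    return fired


def run_validation(cases: List[ValidationCase]) -> List[Dict[str, object]]:
    """Replay each case through both controls and compare with expectations."""
    results = []
    for case in cases:
        prevented = preventive_control(case.action)
        fired = detective_control(emit_log(case.action, prevented))
        results.append({
            "case": case.name,
            "prevent_ok": prevented == case.expect_prevented,
            "detect_ok": bool(fired) == case.expect_detected,
            "rules": fired,
        })
    return results


def control_gaps(results: List[Dict[str, object]]) -> List[str]:
    """Cases where at least one control did not behave as expected."""
    return [r["case"] for r in results if not (r["prevent_ok"] and r["detect_ok"])]


def egress(host: str, domain: str, port: int, size: int) -> Dict[str, object]:
    return {"type": "egress", "host": host, "domain": domain, "port": port, "bytes": size}


# Constructed validation cases; the last one is expected to alert but no rule
# covers high-volume DNS, so the harness reports it as a detection gap.
CASES = [
    ValidationCase("blocked-port-egress", egress("agent-01", "files.example.test", 4444, 1024), True, True),
    ValidationCase("denylisted-domain", egress("agent-02", "c2.example.invalid", 443, 2048), True, True),
    ValidationCase("large-https-upload", egress("agent-03", "share.example.test", 443, 80_000_000), False, True),
    ValidationCase("normal-dns", egress("agent-04", "resolver.example.test", 53, 120), False, False),
    ValidationCase("high-volume-dns", egress("agent-05", "resolver.example.test", 53, 5_000_000), False, True),
]

if __name__ == "__main__":
    for row in run_validation(CASES):
        status = "PASS" if row["prevent_ok"] and row["detect_ok"] else "GAP"
        print(f"{status:4} {row['case']:22} rules={row['rules']}")
    print("gaps:", control_gaps(CASES and run_validation(CASES)))
```

In a real deployment the two simulated functions would be replaced by the agent actually performing the action and by a query against the SIEM for the alert it should have produced; the harness structure (expected outcome per case, scheduled replay, gap report) is the part that carries over.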

Protiviti was on-site speaking about Robotic Process Automation (RPA) and its implications in the Audit world. There was a demo of some manual tasks being semi-automated to be a bit more efficient, mainly eliminating the concept of sampling, and testing a full population in the same, or even less, time. I am not totally sold on the idea, as the current use-cases seem like bolt-on software to accomplish the same end result as some basic scripting commands. I am curious to look into this a bit more, as automation is definitely the goal – it’s what computers were meant to do. I’m just not sure RPA is providing anything new to the space – hopefully I am wrong!

As a perk, the closing keynote was given by Ted Demopoulos, and I was able to grab a signed copy of Infosec Rock Star: How to Accelerate Your Career Because Geek Will Only Get You So Far.

Overall I was happy with the event. Not only did I get to catch up with a number of folks I haven’t seen in a while, but the conversations during the presentation sessions sparked some areas for further digging on my end. And the CPEs to maintain certifications are an easy sell for the cost. I am definitely looking forward to the 2019 event.

SANS Security Awareness Report

Additionally, the 2018 Security Awareness Report from SANS was released – you can get a copy here.

Key Findings

Without stealing all the thunder from the report, there are four (4) key findings worth calling out here.

  1. Most awareness programs require 1.9 FTEs to change behavior, and 3.6 FTEs to achieve cultural impact and implementation of a metrics framework.
  2. Budgets are not as big of a concern as time to implement the program.
  3. Soft skills are the key to a successful program.
  4. Finance and Operations departments were the biggest blocks to a successful program implementation.

How do these observations match up with your environment? Do you have adequate staffing to run your security awareness program? Have you established the necessary relationships internally to bring your program to the next level?
