Reasons why April fools’ should be international cybersecurity awareness day!

I HAVE ALWAYS LOVED APRIL FOOLS' DAY. As far back as I can remember, from early childhood until today, I have never lost the habit of pulling some kind of silly, harmless prank. Some were reasonably amusing, like when I posted an (obviously fake) check-in at the top of Mount Everest and informed a client that I would be late for an important meeting. Others led me into somewhat complicated situations, for example when I changed my birthday on social networks to 4/1. Aside from an entire day of online congratulations (which was the point of the joke, by the way), at the end of the day I discovered that my colleagues had decided to throw a surprise party at work. Some of them were not entirely happy to learn that it was all a joke, but in the end we had a good laugh.

You may be wondering: what does this have to do with cybersecurity? Well, the fact is that over the years (and those small pranks had a part in it) I have noticed that on April Fools' Day people are far more skeptical about what is published on the internet. Will Google print a hard copy of your email and mail it to your home? Oops, this must be a hoax. Will Google launch a "pet-friendly" search engine for your cats and dogs? Of course not! Will Subway launch a line of "subzero" ice cream in tuna, chicken tikka and marinara meatball flavors? Quite funny, but there is no truth in it.

Homer would approve of that!

And that's it! For one day we adopt a critical eye and a skeptical attitude that rejects the idea that "if it is on the internet, it must be true!". Now I ask: why not adopt this same posture when we receive an "email from the bank" asking us to revalidate our password so that the account will not be blocked? No bank needs you to re-enter your password through a link in an email; that is the classic phishing lure. Why not act the same way when a Word or Excel file, downloaded from a not-so-trustworthy site, asks us to enable macros? A document that needs macros just to show its contents is asking for permission to run code on your machine, and that prompt is one of the most common ways malware gets in. Why, as Bruce Schneier put it, do users pick dancing pigs over security every time? With the April Fools' attitude, we can change that!

Good information security depends on PEOPLE, processes and technologies, and most of you have heard time after time that "people are the weakest link". Unfortunately, this statement has remained mercilessly true over the last couple of decades, with very little sign of improvement. What is the point of acquiring top security solutions without implementing sound processes and having employees trained and fully aware of their security responsibilities?

At the end of the day, when it comes to people, what we really need to ensure is a balance of knowledge, skills and attitudes. Again, if replicated all year long, the skeptical attitude we adopt on April Fools' Day would have a spectacular effect against the threats that have been causing nightmares for security professionals: every form of social engineering, phishing, spear-phishing, ransomware infections and most other kinds of malicious code. The list is extremely long.

May April Fools' last all year long! It is my most sincere and humble wish!

Corporate Culture: It is a great information security tool. This is why you should not overlook it.

CORPORATE CULTURE: IT IS A GREAT INFORMATION SECURITY TOOL. Culture, in general terms, can be understood as the set of ideas, habits and social behavior of a specific group. This translates into values, beliefs, ideologies and group behavior. In a corporate environment, it is only natural that absolutely every organization has its own culture. And yes, this is one of the key factors that can decide the success or failure of information security.

The fact is that CULTURE EATS STRATEGY FOR BREAKFAST. The phrase, usually attributed to Peter Drucker, has never been as true as it is in modern organizations, especially in matters of Information Security and Risk Management. Corporate culture can either motivate professionals or drain their energy. Understand this: culture is the environment in which corporate strategy, even the most well defined, blossoms or withers. Any company that tries to separate these two factors is creating an unnecessary risk on its way to success.

Over the past years, several companies have learned, the hard way, that neglecting information security can have disastrous impacts on operations, brand and financial results. This scenario leads us to believe that the mindset of senior management should by now have evolved into a more mature approach, where security is seen as a business enabler, incorporated into every aspect of the strategy and transmitted through corporate culture, right? Yeah, dream on.

(ISC)² Security Congress LATAM 2015: Surviving a poor cybersecurity corporate culture

I am very pleased to announce that my paper has been selected for presentation at the (ISC)² Security Congress Latin America 2015, to be held in São Paulo on 24 and 25 November.

My presentation is titled Information Security – Surviving a poor cybersecurity corporate culture. If you wish to know more, here is the abstract submitted during the call for papers:

During the last couple of years, several companies have learned – the hard way – that neglecting Information Security can have disastrous impacts on operations, brand and financial results. This scenario prompts us to believe that the management mindset should have evolved to a more mature approach, where security is seen as a business enabler and incorporated into every aspect of the strategy.

The truth is that – even now – little has changed. Security is still mostly regarded as a purely technical discipline and perceived as unnecessary cost and bureaucracy by managers and the business alike. That is, until a major incident happens, and all of a sudden those alerts sent by the security team become relevant.

Who is to blame? The business that disregarded sound advice, or the Security Team that did not know how to communicate in business terms?

The great challenge is not a technical one. Cloud, Big Data, business transactions, data leakage: for each risk there are several technologies that could be implemented to address the issue. However, that amounts to nothing compared to the trials of creating a strong cybersecurity culture, involving strategy, mature processes and, especially, people.

The main objective of this presentation is to discuss the creation of communication bridges from the Information Security Team to all levels of the business, going beyond the simple implementation of technology to address the challenge of creating a proactive cybersecurity mindset.