K logix’s Cybersecurity Business Podcast interviews CISOs and other security leaders to hear their advice about the business of cybersecurity. This podcast gives our listeners actionable takeaways to help them increase the effectiveness of their security programs.
In episode 15 of the podcast, we interviewed Chris Holden, CISO, Crum & Forster. Chris discusses how to build a strong cybersecurity culture within an organization.
EXCERPTS FROM Q&A WITH CHRIS HOLDEN, CISO, CRUM & FORSTER
WALK US THROUGH YOUR CAREER – WHAT BROUGHT YOU TO YOUR CURRENT ROLE AT CRUM & FORSTER?
I found the field of cybersecurity while I was in college at my alma mater, Utica College; they were one of the few schools to have a cybersecurity degree, and there I focused on forensics and incident response as a minor. After college, I first started working in a forensics position for Hewlett Packard. And then from there moved on to a series of consulting roles where I branched outside of forensics into incident response, penetration testing, program development, NIST gap assessments, et cetera. I came to Crum & Forster about three or four years ago as a manager, and was promoted about a year ago to the CISO role to lead the organization’s security efforts.
YOU MENTIONED YOU WERE A CONSULTANT. DO YOU THINK THAT HELPED YOU PREPARE FOR THE POSITION YOU’RE IN TODAY?
Absolutely. One of my biggest recommendations for young people coming up through their career path in cybersecurity is always to spend some time in consulting. The amount that you learn in such a short period of time, working for different clients, seeing different organizations, being exposed to different facets of the industry. In such a short amount of time I was able to sit by some of the best penetration testers in the country, sit next to some of the best forensics and incident response people in the country, and learn from them and get exposed to those different areas. It was imperative in my growth and my career trajectory.
YOU OFTEN HEAR HOW IMPORTANT SECURITY AWARENESS IS, BUT WHEN IT COMES TO SECURITY CULTURE, HOW WOULD YOU DEFINE WHAT A STRONG CORPORATE SECURITY CULTURE IS?
The first time I think I realized that we had cultivated a strong security culture is when I started seeing cybersecurity start as adversarial and become a department where people are proactively engaging you. I was at an organization previously and cyber was introduced as a “not to be spoken to.” Why does cybersecurity always have this connotation? We’re here to help. From there, it’s always been an initiative of mine to be the department to come to for help in how to secure the organization.
WHERE DO YOU START?
This is actually perfect timing, being in September. One of the most monumental shifts I saw was a few years back. We took a big approach to cybersecurity awareness month, which happens in October. We fostered some really great relationships with our employee base that we typically don’t get a lot of interaction with. It starts typically with weekly blog posts and just consistent interaction via email or the company’s internal website.
IS BRINGING PEOPLE LIKE AN FBI AGENT IN HOW TO ENGAGE THEM? BECAUSE THERE’S A PERCENTAGE OF PEOPLE THAT WILL BUY IN RIGHT AWAY AND OTHER PEOPLE THAT THINK IT’S A CHORE. IS THAT HOW YOU GET THEM TO BUY IN?
I think that’s one of the most useful things. Because not only is it our standard awareness and our standard training that we’re already doing on a yearly basis, but it’s entertaining. These individuals come with really interesting stories of either major incidents that have made headlines and people are already familiar with, or one-off incidents that affect everyday people and their personal lives as well. That definitely helps.
FROM YOUR PERSPECTIVE, WHERE DO YOU THINK PEOPLE FAIL WHEN IT COMES TO BUILDING A STRONG SECURITY AWARENESS PROGRAM?
The most obvious is having an inability to communicate effectively with the business. The best cybersecurity professionals I know talk at too technical a level, one that doesn’t explain the situation or the issues to the business in a way that they understand it. When you have people in HR or you have people in accounting, you have various business groups right there. Their primary goal is to do the best job at that position that they can; they’re not cybersecurity experts. They should never be cybersecurity experts. They need to be cyber aware, and we need to help communicate how they can effectively be cyber aware in those positions.
DO YOU EMBED YOUR STRONG SECURITY CULTURE IN YOUR VALUE PROPOSITION TO TRY AND RECRUIT PEOPLE TO COME TO YOUR ORGANIZATION?
Exactly. If I’m hiring an EDR engineer, they’re not going to be isolated in that box. My goal in hiring successfully is providing career development. As you mentioned, this is a very, very competitive market right now in cybersecurity, so we need to bring that extra value to entice the right individuals to join our team. In cybersecurity, the really strong individuals are the ones interested in career trajectory. If in our interviews these people are asking about training that we provide and opportunities to provide change in the environment, I find those are often the people that are truly passionate about cybersecurity and often help the most.
WHEN IT COMES TO EDUCATING, DO YOU NEED A SPECIFIC PROGRAM FOR THE OTHER EXECUTIVES BECAUSE THEY’RE SUCH HIGH-VALUE TARGETS?
Yes. There is a baseline awareness program that all of our employees go through. We do run additional exercises for our executives. These are more intimate trainings on very specific use cases as decision-makers for the company. Oftentimes, we’ll have another guest speaker or presentation come in. They’re very, very focused and tailored to helping these executives make decisions about the company in a cybersecurity-focused way. We try to focus a little bit more on helping them understand that they are a higher-value target for attackers.
IS CYBERSECURITY AWARENESS AND CULTURE SOMETHING YOU SPEND A LOT OF TIME ON, OR DID YOU SPEND A LOT OF TIME UPFRONT BUILDING A SOLID SECURITY PROGRAM SO YOU CAN FOCUS ON OTHER THINGS?
I wouldn’t say that we’re in the category that we spend most of our time on security awareness; there was some initial setup early on that went into designing a little bit of the program. But we have it structured now in a way that it’s repeatable and consistent, but we change the content frequently enough to not make it boring and expected.
WHAT ARE THE TOP METRICS THAT YOU WOULD USE TO GAUGE THE SUCCESS AND THE ADVANCEMENT OF THE PROGRAM?
The click rates and monitoring repeat offenders in the phishing campaigns are metrics we use. Another one we’ve been tracking recently: we’ve built out an identifiable system for reporting malicious emails. Your awareness should focus not just on not clicking on those emails, but also on getting the users to do the right thing in reporting those emails. If one user receives a phishing email, it’s more than likely there have been a few others that have received either the exact same one or a similar email as well.
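The three measures named in that answer (click rate, repeat offenders across campaigns, and report rate for the reporting channel) are easy to compute from the per-user results a phishing-simulation platform exports. The script below is an added illustration, not code from the podcast or from Crum & Forster; the campaign records, user names and the two-campaign threshold for a "repeat offender" are constructed assumptions.

```python
"""Awareness-program metrics over phishing-simulation results (added example).

Input is one record per simulated phishing email sent: which campaign it
belonged to, which user received it, whether they clicked the lure, and
whether they reported it through the reporting button/mailbox.
"""
from collections import defaultdict

# Constructed sample data: three quarterly campaigns sent to four users.
# Names, campaigns and outcomes are invented for the example.
CAMPAIGN_RESULTS = [
    {"campaign": "2021-Q1", "user": "alice", "clicked": False, "reported": True},
    {"campaign": "2021-Q1", "user": "bob",   "clicked": True,  "reported": False},
    {"campaign": "2021-Q1", "user": "carol", "clicked": True,  "reported": False},
    {"campaign": "2021-Q1", "user": "dave",  "clicked": False, "reported": False},
    {"campaign": "2021-Q2", "user": "alice", "clicked": False, "reported": True},
    {"campaign": "2021-Q2", "user": "bob",   "clicked": True,  "reported": False},
    {"campaign": "2021-Q2", "user": "carol", "clicked": False, "reported": True},
    {"campaign": "2021-Q2", "user": "dave",  "clicked": False, "reported": True},
    {"campaign": "2021-Q3", "user": "alice", "clicked": False, "reported": True},
    {"campaign": "2021-Q3", "user": "bob",   "clicked": True,  "reported": False},
    {"campaign": "2021-Q3", "user": "carol", "clicked": False, "reported": True},
    {"campaign": "2021-Q3", "user": "dave",  "clicked": True,  "reported": False},
]


def campaign_metrics(results):
    """Per-campaign click rate and report rate, as fractions of emails sent."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        c = counts[r["campaign"]]
        c["sent"] += 1
        c["clicked"] += int(r["clicked"])
        c["reported"] += int(r["reported"])
    return {
        name: {
            "sent": c["sent"],
            "click_rate": c["clicked"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
        for name, c in counts.items()
    }


def repeat_offenders(results, threshold=2):
    """Users who clicked in at least `threshold` distinct campaigns.

    Counting distinct campaigns (not raw clicks) means a user who clicked
    twice in one campaign is not flagged as a repeat offender; the threshold
    of two campaigns is an assumption for this example.
    """
    clicked_in = defaultdict(set)
    for r in results:
        if r["clicked"]:
            clicked_in[r["user"]].add(r["campaign"])
    return sorted(u for u, camps in clicked_in.items() if len(camps) >= threshold)


def reporting_trend(results):
    """Report rate per campaign in campaign order, to see whether the
    'do the right thing and report it' behaviour is improving over time."""
    metrics = campaign_metrics(results)
    return [(name, metrics[name]["report_rate"]) for name in sorted(metrics)]


if __name__ == "__main__":
    for name, m in sorted(campaign_metrics(CAMPAIGN_RESULTS).items()):
        print(f"{name}: sent={m['sent']} click_rate={m['click_rate']:.0%} "
              f"report_rate={m['report_rate']:.0%}")
    print("repeat offenders:", repeat_offenders(CAMPAIGN_RESULTS))
    print("reporting trend:", reporting_trend(CAMPAIGN_RESULTS))
```

Reading the two rates together matters: a campaign whose click rate falls while its report rate stays flat usually means users have simply learned to ignore the lure, not that they are feeding the security team the early warning the answer above describes.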
HOW DO YOU THINK THE CISO ROLE WILL TRANSFORM IN THE NEXT FIVE OR 10 YEARS?
We’re more than halfway through probably one of the most active cybersecurity years in history, with all the major breaches. I think awareness is becoming a bit easier, but it also requires extremely consistent and pointed communications. As an example, when some of these major breaches have occurred, like the Colonial Pipeline or SolarWinds, there were a lot of misguided concerns around those. People are aware cybersecurity is an issue, but it’s helpful to get out in front of those issues and provide some context as it’s relevant to your organization, especially starting with your executives.