Scaring users into IT security

In order to get all employees to do their part in maintaining IT security, sometimes the best strategy is to simply tell them about the attacks and vulnerabilities that companies deal with.

There's nothing like telling a good horror story to encourage your employees -- from senior executives to rank-and-file workers -- to do their part in improving IT security.

Cisco Chief Security Officer John Stewart has all the technological tools in the world at his fingertips to help keep the networking giant's data and operations locked down. Yet, while many people in similar positions in smaller and less profitable companies would give anything to have Stewart's security team and budget at their disposal, the executive contends that his most powerful defense mechanism isn't found among his racks of network filtering appliances or layers of AV systems, but rather in the domain of the spoken word.

Addressing the ongoing CSO Perspectives Conference in Atlanta, Stewart said that his practice of sharing gory details of the attacks that get leveled at the company's computing systems every day is one of his most effective means for pushing everyone in the massive firm to keep security on their minds as much as possible.

Each Friday, the company's senior executives are asked to join a call on which one of Stewart's 250 security staffers recounts the most dangerous attacks and incidents that have occurred at Cisco over the previous week.

One of the best reasons to offer such briefings to ensure that workers have a firm grasp on the reality of today's threat-filled environment is because people don't realize what's happening when security teams are doing their jobs, he said.

Offering his advice to other security professionals gathered at the conference, Stewart said it's necessary to remind people of the nefarious activity that is actually going on -- even when you can stop it, because if you don't tell them, they'll usually start to forget.

"The call is about trying to shatter the illusion that nothing is happening; if you get too good at [security] sometimes people in your organization start saying that you're doing such a good job that maybe they should cut your budget," said Stewart. "Just because you can't see something doesn't mean that it isn't there; by telling people about the real attacks and incidents, we can show in dramatic ways what could go wrong."

The CSO said that the calls have had the desired affect of getting other Cisco executives more interested and active in improving any areas of security over which they have oversight or control.

Instead of ignoring warning e-mails or other traditional methods of keeping workers abreast of security issues, Stewart said that the verbal storytelling has made people more enthusiastic about staying informed about emerging attacks -- to the point where they often beg him for additional tales.

Page Break

In addition to sharing the gritty details of attempted cyber-espionage and malware attacks, the executive said it's also a key to align any threat reports with larger issues that are currently affecting the company, such as compliance mandates and data loss laws.

"Take advantage of moods; that's something that is very important to how people make choices about risk," Stewart said. "If you hit them with something after a real incident, they most often will respond before incident amnesia occurs. If you catch them at a time right after something real happens, more often than not [business leaders] will bite."

Among the other tips that the CSO offered about sharing stories from the dark side is to leave out the real names of those affected to prevent potential fallout for those involved and for the designated storytellers to play up the juiciest elements of any incidents they detail.

"Scare them with real objective data, and they will start listening, but also feel free to sexy-up the stories," he said. "If you make it interesting, people always want to know the next story, so you should also have other examples at the ready."

Another useful method for making security threats more relevant to employees at all levels is to use peers to inform them how easy it is to get victimized, according to the Cisco security chief.

For instance, a worker who was victimized in a recent attack has become a regional spokesman for talking about security threats with other Cisco employees in the EU.

"If you have someone who does something wrong by mistake, to fire them for it is ignorant, you have to consider all the details because a lot of these things can happen to anyone, and its much smarter to allow them to help you educate," said Stewart. "Make the victim your spokesperson to tell other users their story; peer pressure is a very effective teaching tool."