
CISO Report: Former FBI Agent On Cybersecurity And Culture

Fortune 500 CISO says small businesses are exposed

David Braue

Melbourne, Australia – Jun. 16, 2022

The CISO Report is sponsored by KnowBe4.

Working in small companies may provide “a huge advantage” by exposing security staff to other parts of the business operations, but one CISO who started small — and now manages cybersecurity for a $10 billion industrial giant — knows that many smaller businesses are nonetheless disadvantaged in many ways compared to their larger peers.

Having formerly spent a decade as an FBI special agent heading computer investigations and staff with incident response, computer forensics, log analysis, malware analysis and other tasks, Adam Keown has seen the whole spectrum of approaches to cybersecurity — and knows what factors often make the difference between effective and ineffective security.

“The size of the agency or company can often make a huge difference,” Keown — who now serves as global CISO with Eastman Chemical Company — recently told Cybercrime Magazine, noting that at a recent information-security conference he attended “my cybersecurity budget is larger than some of the IT budgets represented at that particular location.”

Bigger budgets naturally help large cybersecurity organizations when it comes to rolling out new technologies or executing cybersecurity training campaigns — but larger organizations also gain relative advantages, Keown said, by being able to partner with schools, other IT colleagues, and related parts of the business that have the complementary skills necessary to manage cybersecurity as effectively as is necessary.

Access to these skills — technical skills, or business auditing skills — “has been the best advantage that I have seen in my years,” Keown said, “by being able to reach out and pull in individuals who maybe haven’t traditionally been a cybersecurity professional.”

In this respect, however, size can make all the difference, with smaller companies struggling to access skills typically possessed by employees they don’t have — or that are normally contracted from other providers.

“The overall view of cybersecurity has been an afterthought,” Keown said, “and we have a larger amount of spending to catch up where we have not had cybersecurity in the past.”

“Smaller businesses are unfortunately often left scraping by,” he added, “or trying to get folks that have professional capabilities that they wouldn’t normally have access to.”

Cultural challenges persist

Yet while budgets and access to skills can help some companies stand out from their peers, Keown said another significant difference often stems from the way IT and information security are handled organizationally.

Despite years of trying to educate executives about cybersecurity, Keown said, many businesses still treat security capabilities as just another thing that IT staff are expected to take care of.

Companies “are most successful when you know multiple areas around technology, and even outside of it, to include legal markets and privacy items,” he said. “Without understanding that cybersecurity is its own niche — or, in my opinion, a superset and not a subset of IT — companies think that the IT shop can just perform these cybersecurity skill sets when they can’t.”

The problem is particularly pronounced in smaller companies, he said, that “don’t even see a difference between cybersecurity and traditional IT” — and that philosophy inevitably leads to situations such as one previous case in which a CEO contacted the FBI after being caught by business email compromise (BEC) scammers.

“He told me with tears in his eyes that he didn’t know how he was going to make payroll for his couple of hundred employees,” Keown recalled.

“These types of situations are very dramatic, not only for the employees but for the CEO who’s representing them. He cares about them, and wants them to be able to make their bills and cover their own personal financial obligations.”

Despite such anecdotes being widespread — most CEOs would have either been hit by ransomware attacks or know someone who has — Keown said “we still struggle working with smaller companies, and even some larger companies, just encouraging them to do simple things like authenticating incoming email.”

“There are so many basic things and fundamental activities that we can’t get folks to include their IT teams in taking on and preventing inside of their company,” he explained. “That’s where the biggest struggle is.”

Know your audience

Apart from underestimating its importance, one of the biggest mistakes many companies — and vendors — make is to continue discussing cybersecurity in terms of fear, uncertainty and doubt (FUD) by focusing on the dramatic potential consequences of failing to focus enough on cybersecurity.

Threatening that a company may be the next one to be compromised “is not the dialogue of the business,” Keown said.

“That’s the talk of a pharmaceutical company or a government agency — but it’s not the talk of a manufacturing plant, and it’s not the talk of”

“When you want these organizations to understand why cybersecurity is important,” he continued, “you have to go back to the fundamentals.”

Those fundamentals — often summarized using the mnemonic CIA for confidentiality, integrity and availability — all reflect business issues rather than cybersecurity FUD.

Business leaders may not understand cybersecurity and its true place in the organization, Keown explained, but they definitely understand what would happen if their core systems were down and they couldn’t keep a product flowing.

“It’s important to understand your audience,” he said.

“All businesses care about confidentiality, integrity, and availability — and those are the key aspects to having conversations with those business leaders: hone in on one of those conversation areas so they fully understand why we’re taking the cybersecurity measures that we are.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.
