Security Culture. PHOTO: Cybercrime Magazine.

CISO Report: It’s All About Security Culture

Interview with Jason Rader, Chief Information Security Officer at Insight Enterprises

David Braue

Melbourne, Australia – May 22, 2022

The CISO Report is sponsored by KnowBe4.

Building a security culture is hard work — and as the CISO of Fortune 500 IT consultancy Insight Enterprises, Jason Rader knows better than most what it takes to pull off the transformation effectively.

Working in both a client-facing consultative role and as what he calls “the spiritual guide of our security practice,” Rader spent the past seven years driving such change through Insight itself — providing more opportunities than most to walk the proverbial walk, not just talk.

“One of the unique value propositions of me as a security practitioner being the CISO of Insight,” he told Cybercrime Magazine, “is being able to take the solutions that we use in our own organization, as a Fortune 500 company, and take those same solutions where we’re solving security problems to our clients.”

It’s an unusual position to be in for a team of what Rader calls “business consultants who are security experts” — and it has given him an unusually high awareness of the many dynamics that challenge companies as they try to improve their security capabilities.

One of the biggest challenges has been the compartmentalization of most companies, which have sporadically funded IT departments to invest heavily in infrastructure — and then left that infrastructure as-is despite rapidly changing market trends.

With modern cloud-based application environments requiring a different architecture and supporting infrastructure, Rader said, too many companies were finding their legacy environments hard to modernize — and even harder to secure.

“A lot of organizations were built on infrastructure that might still be built upon from those days,” he said, “and now we’ve hit a situation where we’re dealing with a situation way beyond the capabilities that we’ve prepared for.”

The natural inclination may be to increase spending on security solutions — Cybersecurity Ventures has predicted global cybersecurity spending will exceed $1.75 trillion across the five years to 2025 — but just spending money isn’t enough.

Compartmentalization “happens in most organizations, and makes [security] a really difficult problem to solve,” he said. “The easy thing would be to write a check and get a bunch of technology dropped in place that lets you fix this, but that’s not how it works.”

“What we need is the people and the time to get all of these things ingrained into the culture, so that we can be more secure.”

Keep your friends close and your users closer

Yet as in all things, effectively managing people and time is a very different proposition than just implementing technology solutions.

The high profile and potentially extreme damages of ransomware have been particularly helpful in getting users to appreciate the magnitude of the threat they face: “I’m not a FUD guy and I don’t like to [use that to] sell what I do,” Rader says, “but I think ransomware has made a lot of people pay attention.”

Education and ongoing engagement are crucial to ensure that users keep paying attention, Rader says, no matter what technology or security policies are being implemented.

“Probably 25 percent of what I consider my job is making sure that the user base understands the risks that they expose the organization to while doing their day-to-day,” he explained.

“I consider my job as a CISO to inspire the folks that work for my organization to understand their role in what they play — and it’s not ‘security is the Department of No.’”

Rather, being an effective CISO means “making sure that they don’t have to make those ethical decisions for the organization on their own because we’ve got policies and security controls in place that make them feel more comfortable.”

“We’ve got to align with the business, and partner with the business. Giving them boundaries, I believe, is an important thing.”

Yet boundaries are only part of the solution: as the cybersecurity skills gap continues to constrain the industry, Rader has been considering how the industry can improve its pipeline of future talent — and he thinks the key lies in engaging with tomorrow’s cybersecurity specialists well before they have even started university.

Fixing the pipeline

With many cybersecurity courses inevitably lagging the state-of-the-art, Rader said, the company and its clients often end up having to compensate for antiquated university courses that can’t change quickly enough to keep up.

“When you get folks out of university or other programs, sometimes you have to train them up,” Rader explained. “There’s such a massive amount of work that has to be done, and there’s no clear-cut way to accomplish all those things in one easy step.”

The ever-changing nature of cybersecurity hasn’t helped to normalize a curriculum that universities can follow, he said, pointing to institutions like welding schools or truck-driving schools by way of contrast.

Such programs “have complete respect for their programs and are relatively well defined,” he said, “but a cyber program or security program that includes compliance, or regulatory, or QA across a wide part of the business — that’s hard to solve for.”

To overcome this gap and build a security culture that users can relate to, aligning with those users is crucial.

“That constituency is really important to get involved and help them understand,” Rader explained, “because they can help you the most with the security posture of the organization. So leadership has got to think about security as part of the overall product that they provide.”

“People are going to have to be constantly retrained and made aware of these situations, and we’ve got to be honest about it.”

“Don’t just say ‘follow your company’s policy,’” he continued. “Say ‘here is our policy, and here’s what we do’; that makes it more meaningful to them. And we’ve got to make it more meaningful to them, because people really do start to pay attention when it affects them.”

Ultimately, Rader said, the CISO’s role is to not only design and execute a security strategy, but to help users and other stakeholders embrace security in everything they do — all the time.

Cybercriminal activity, he said, “is prolific, it is happening to everybody and the headlines only make it to the front page every so often — when this is happening every single day.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.


Sponsored by KnowBe4

KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.