Could the majority of breaches be “completely preventable” for little money?

What was at the heart of the BA, Marriott, Equifax, Capital One and Travelex breaches?

Basic error, says Greg Van Der Gaast, Head of Information, University of Salford. Greg explains that these breaches could have been “completely preventable” at a small cost. And yet these companies chose to spend vast amounts of money on technology instead of applying the basics holistically.

Greg recently told us on the teissPodcast that “simple asset management” is at the root of many of these overlooked basics. Most organisations have assets they are not aware of, so it is essential for security teams “to know the business and to engage people in the business.”

What’s the key to achieving that level of visibility in an organisation?

Greg says that he contacts every single person in each part of the business and asks to have a cup of coffee with them.

He’ll ask them questions such as, “Where are you based? What do you do? What systems do you use? What kind of data is that? How does it all connect?” He says he does this, “so I become aware of what’s actually out there instead of just looking at what my tools are telling me on a screen.” 

Taking the time to sit with people in your company and asking them what you can do to help them will pay you back many times over, and their perception of you will change completely, he explains.

“Then you need to build relationships with your management to give you the capability to proactively solve those issues,” he adds.

Embracing leadership skills as a CISO

Greg considers CISOs to be far too technical, although progress is being made: “There is still a huge amount of indoctrination of how we do things – and that tends to be built on a very technical foundation, and so that natural curiosity is missing. We tend to make things worse for ourselves by layering all of these frameworks and these best practices and compliance.”

Greg adds that a lot of people are still building security according to standards they’ve downloaded off the internet, “as opposed to for the business they have in front of their face.”

“We use the fact that people don’t understand us to our advantage. There are a lot of great CISOs but a lot of bad CISOs too who are just fleecing their companies. Lots of budget, lots of people, lots of spending but delivering little value,” he stresses.

Greg says a level of “altruism” is currently missing from the role: to be a successful security leader, it is essential to look at things holistically, care about people and be a business enabler.

Listen to the full interview on our podcast where Greg talks about how he avoids metrics, how to engage the business and how a bit of altruism can get you a long way in preventing breaches and helping you achieve your security goals.

Copyright Lyonsdown Limited 2021
