#16 – THE END POINT IS THE CENTER (CISO@RISK) – JOHN MILLICAN

In a conversation with Bill Burns, Director of Information Security at Netflix, he told me that he wanted 2500 firewalls.  Before you think he wants to make a major networking equipment buy, let me put his comment in context.

We were discussing how the nature of network defenses had changed over the years.  In the “good old days” the focus was on creating a strictly delineated security perimeter between the trusted and untrusted networks with a firewall at the edge.  But those days are long gone.  Today the Internet is accessible from virtually every desktop.  Conversely stated, every desktop is accessible from the Internet.

So was Bill saying he wanted to turn every desktop into a firewall?  Kind of yes, but not really.  He was actually saying that every person using the Internet was constantly making security decisions, and he wanted them to do so intelligently.  And, he is right.  With the advent of phishing, drive-by and watering hole attacks, the user is the ultimate end point and should be the center of our attention.

Now, whether or not you agree with this, ask yourself how much money you are spending on end-user security awareness training compared to what you spend on network perimeter defense.  Odds are there is a major disconnect here.

Many argue that money spent on security awareness training is a waste, and it is true that it can be difficult to measure its effectiveness.  But, it is not impossible.  Take phishing attacks for example.  Alternatives exist that are not only cost effective but can readily provide metrics that can demonstrate success or point to areas for improvement.

I have a new dog in the house that gets very excited whenever someone comes to our door.  Right now I actually look forward to the doorbell ringing because I know it represents a training opportunity.

At least two companies, PhishMe and Wombat, are taking a similar approach to phishing security awareness training.  There are open-source alternatives as well.  These services create micro training opportunities for you by conducting simulated phishing attacks on your behalf.  But, instead of something bad happening when the user falls for the attack, they turn it into a small training opportunity: an opening to a conversation at the precise moment when the susceptible person is vulnerable and engaged.  Even better, these services provide metrics down to the department or individual level to help identify content improvements or people who need some additional training.

Bill’s training encourages people to forward any suspicious emails to the security team for analysis; they don’t try to train staff how to become spear phishing experts. The message is simple: if you see something suspicious, forward it to the experts. Bill told me that they have experienced a significant improvement in their users’ abilities to recognize phishing attacks after using this training methodology.
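As an added illustration of the metrics described above (the department-level rates, the campaign-over-campaign improvement, and the individuals who need more training), not code from the column or from any of the services it names: the campaign names, users, departments and outcomes below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample (hypothetical): the outcome for each user in two simulated
# campaigns, as a simulation service might export it. "none" means no action.
RESULTS = {
    ("alice", "finance"): {"c1": "clicked", "c2": "clicked"},
    ("bob", "finance"): {"c1": "reported", "c2": "reported"},
    ("carol", "eng"): {"c1": "clicked", "c2": "reported"},
    ("dave", "eng"): {"c1": "none", "c2": "reported"},
}

def department_metrics(results):
    """Per (campaign, department): users sent, click rate and report rate."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for (_user, dept), outcomes in results.items():
        for campaign, outcome in outcomes.items():
            c = counts[(campaign, dept)]
            c["sent"] += 1
            if outcome in ("clicked", "reported"):
                c[outcome] += 1
    return {key: {**c, "click_rate": c["clicked"] / c["sent"],
                  "report_rate": c["reported"] / c["sent"]}
            for key, c in counts.items()}

def campaign_trend(results):
    """Overall (click rate, report rate) per campaign, in campaign order. A falling
    click rate with a rising report rate is the improvement the training aims for."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for outcomes in results.values():
        for campaign, outcome in outcomes.items():
            totals[campaign]["sent"] += 1
            if outcome in ("clicked", "reported"):
                totals[campaign][outcome] += 1
    return {c: (t["clicked"] / t["sent"], t["reported"] / t["sent"])
            for c, t in sorted(totals.items())}

def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns campaigns: the individuals
    the metrics single out for additional training rather than a new campaign."""
    return {user for (user, _dept), outcomes in results.items()
            if sum(o == "clicked" for o in outcomes.values()) >= min_campaigns}

if __name__ == "__main__":
    for campaign, (click, report) in campaign_trend(RESULTS).items():
        print(f"{campaign}: click rate {click:.0%}, report rate {report:.0%}")
    print("needs additional training:", sorted(repeat_clickers(RESULTS)))
```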

So when thinking about end point security do not stop at the device.  Remember the person using the device and turn them into your final firewall.

Bio:

John Millican is a business-first manager with strong experience in driving value to the enterprise through IT and Information Security (IS). His experience is divided between positions in both industry and third party IT service and Information Security provision.

John developed and led the global Information Security team for Expedia Inc. as its Chief Information Security Officer and was VP of IT Operations for Hotwire.com. He also founded and led a twelve-person independent IT/Information Security service provider. Clients and employers have ranged from small wholesalers/distributors to regional financial institutions and Fortune 1000 Internet-based companies.  John’s most recent efforts have been focused on assisting clients with implementing Information Security programs, obtaining ISO 27001 certification and implementing continual improvement methodologies within their organizations.

He is a Certified Information Systems Security Professional (CISSP) and was the first person to be certified by the SANS Institute for its core security programs – Windows Security, Unix Security, Intrusion Detection Analyst, Incident Handling and Firewall Analyst.  Additionally, he was co-author of the SANS Security Essentials Toolkit.

John has a Bachelor of Science in Business Administration degree from the University of Akron.
