Cybereason Blog | Cybersecurity News and Analysis

Cybereason CISO Interview Series: Why storytelling matters in security

Written by Fred O'Connor | Apr 13, 2017 2:54:43 PM

The Cybereason series Stories from the Front Lines of Security Leadership will present insights from CISOs, security leaders and IT executives on topics including what's required to succeed as a security executive, how to convey the importance of security to an organization and how security leaders can advance their careers. 

From students to professors to trustees, John Knights, whose security career included serving as information security officer and director of enterprise technology at Wentworth Institute of Technology in Boston, has explained the importance of information security to a variety of users. In the first part of this two-part interview, he talks about why the tactic to reach people, regardless of position, is the same and how his IT background helped his career.

Your background is in IT. How and why did you transition to security?

I started in the technology field and kind of went around different areas for quite some time. I was actually exposed to security pretty early on. The journey for me started with the intent of ending up in security. I went around and played in different areas to get better experience in IT and to better understand what all the ins and outs are, to be able to effectively develop a security plan that’s comprehensive.

My first exposure was learning switching and routing and that really piqued my interest. That was 13 years ago.

What areas of IT did you work in before moving to security?

I initially started off in academic training with networking and system administration. I spent quite some time in end user support. I moved around and got into project management. And then I made a few skips from support to security after completing my masters in information assurance. My focus was on the policy and program development side, and letting the folks who knew the technology best do the technical aspects.

Why did you want to work in security?

It’s in my nature to want to protect and keep things operational. For me it’s always been more about the information assurance aspect. It’s not just the security side of things but the resiliency side of things. It’s about being able to actually bring a system back up, the recover-ability of things. Problem solving has always been a key element in my interests. So to me there’s always a problem to be solved. It’s not just keeping systems up and running, although there’s that aspect. It’s also the constant fighting of a threat. You’re never going to be 100 percent secure or prepared for it. It’s just something that’s never ending. There’s always something to do.

So your IT career proved beneficial to your security career?

Absolutely. Speaking to colleagues, it’s rare to have people come to the support side of the house. And to me it was integral, especially for what I did as an ISO because you really have to have an understanding of how users use technology and how they use the system for maintaining the data, storing their data.

Basically, how do they do what they do because you can’t develop a program that’s just based off of “Well I have these vulnerabilities on a server. I’ve got to put this firewall.” You have to actually focus on where is the data, how do people actually use the technology, what are the things they’re most susceptible to. All the security in the world can’t really safeguard against people willing to provide their passwords in a phishing attack.

Having the system and network background made the system and network folks want to talk to me and want to listen to what I had to say since I was speaking their language. That helped with them and being able to understand the business helped me with everyone else.

How do you convey the importance of information security to the different sections of academia?

It’s all the same tactic, which is the ability to tell the story of why is this important to me. And, of course, that answer is different for everyone.

Obviously students have different interests than faculty, staff and trustees. It’s tailoring the specific message to those end users but there are some common elements. It’s a lot of explaining the whys and hows: why is it important to them, how are you protecting them.

Students don’t necessarily care that you are protecting the integrity of the institution’s data. For them, it’s actually more of your security tools are stopping me from playing this game. So it’s helping them understand what the DMCA [Digital Millennium Copyright Act] law is and why you have certain things in place because history has shown that if you give them the choice of whether to break the law, they choose to break the law. That was a recent argument at a student government meeting. They wanted to to use BitTorrent and be given the choice to break the law. And I said, “Well, we can’t do that. We have to also protect the institution. And trust me, we have your best interest here.”

[Students] don’t always buy the message. Students will leave their laptops around and it’s showing them, “Hey, if this goes away, so does all your stuff.” And it’s showing them how much money it’s going to cost you. For a student, $2,000 is a ton of money. So I take that approach with them.

With trustees, you add a few zeroes to it. It’s about we’re not going to get sued, we’re not going to ruin our reputation. It’s really looking at the risk at that level. For faculty, you tell a story related to IT. And their ability to safeguard their IT, their ability to not lose 20 years of research. For staff, it’s along the lines of not getting in trouble. If I click on this, I know that I get in trouble so how do I not get in trouble. It is the person who accidentally sends an email with a spreadsheet full of PII [personally identifiable information] who is going to get fired. I don’t always like to do the FUD but sometimes it does work as long as that’s not the focus of it. It has been the trend among colleagues to move away from that type of presentation, at least with trustees. I find that it still works at the institutions I’ve worked at with the staff.

People do want to do the right thing, but security does mean you have to do a little extra work. And it’s our job as the IT folks to figure out a way to allow secure computing but also allow the business side to do what they need to do. It’s finding that balance and that’s the art side to information security.

How do you strike the balance between security and allowing the business to run?

The board is easy. They’re usually executives. They hear this message at their companies. They understand security more because they’ve been hearing about it since the Target breach so it’s been at the top of their mind for awhile. But with staff and faculty and sometimes students, what helps is using the security practice they use to safeguard their personal stuff, like your bank account. If you teach them how to do security well at home then they tend to bring those practices back to work. They can see the benefits if you can tie them back to their personal lives. Again, it's relating it to them. They understand the extra step.

I use real-world examples like man-in-the-middle attacks to teach them about VPN. I tell them to use our VPN to connect to your bank when you’re in a hotel or use your phone so you’ll connect to a secure network. And they get that. So if they’re already used to going through a VPN, now they know how to do remote connections to work. It carries over to their work life once they get used to doing it in their personal life, which tends to be a greater concern for them. Their personal account means a whole lot more [to them] than an institution’s bank account because it’s very real for them. I’d say that’s true for anyone.

Check back next week for the second part of the interview. And be sure to read our interview with former CIA CISO Robert Bigman.

Do you know a security executive who has great insights and would like to talk with us for this series? Email us at ciso.series@cybereason.com.