As risk professionals, we have a unique view of the interconnected risks facing our organizations. One of the ways our organizations can benefit from our holistic view of risks is when we use our established communication platforms and relationships to support others in the organization who are managing risks. One such partner for me is our Cyber Security team. They spend much of their days sequestered in the Security Operations Center (SOC) helping ensure our systems are protected. Although this is a critical function, an unfortunate side effect can be that they disappear from view for most employees. Out of sight, out of mind, right?
Attackers try to get into systems constantly. At any given time, there is probably someone outside the firewall trying to access your system. Phishing is one of the biggest threats; emails are constantly coming in, and it takes only one employee clicking a link or opening an attachment for an attacker to gain a foothold on the network. Managing cyber security risks requires security tools and processes, such as an antivirus program and network security tools. There’s also a governance side to managing cyber security risks, as we want to have robust policies and programs in place to address cyber security.
Since our teams have been partnering up on security training and developing policies and programs together, our effectiveness has improved. Training has been hugely effective for us. There are only so many employees working in Cyber Security, but if you train everyone you suddenly have 500 cyber specialists.
Although we have security controls and email filters, malicious emails still find their way into employees’ inboxes. Our motto is “Think before you click”. When an employee gets an unexpected email from outside the organization, they should not click a link or open an attachment automatically. Training employees on how to identify malicious emails is essential to the security of your organization.
An organization’s risk managers and cyber security professionals have many goals in common. Be partners. You can work together to identify and mitigate risks.
Do you know your Cyber Security staff? If not, I challenge you to reach out and make a new friend today. If you do, I encourage you to ask how you can help them identify or mitigate cyber security risks in your organization. Even if they don’t take you up on it, I’m willing to bet they’d appreciate knowing you’re on their side.
There are definitely risks in allowing third parties to connect to your network and pull data. We don’t have a lot of control over how a software vendor manages their own cyber security risk; we aren’t in their system monitoring their logs or patching their applications. Sometimes contract language is the only protection we have, so it’s important for Cyber Security staff to be looped in early in the process before software contracts are finalized.
*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*
By: Ed Penn
Cyber Security Supervisor, Eugene Water & Electric Board
Summary of Qualifications
Ed is a cyber security and compliance supervisor with over 21 years of experience maintaining a security operations center, supporting critical infrastructure protection and various regulatory programs. He possesses a strong technical background supporting and maintaining a full stack of enterprise information security systems.
Responsibilities
Ed manages the Cyber Security department, which includes both governance and security operations. The mission is to identify what needs protecting, create controls to protect those things, monitor systems to detect emerging threats, respond to cybersecurity-related incidents, and work with subject matter experts to reduce recovery times. In addition, Ed coordinates hiring, training and the development of cybersecurity personnel. He facilitates the creation of education/training programs to ensure appropriate awareness of security policies, procedures and standards.
Business Experience
Ed has five years of experience describing cybersecurity risks and possible mitigations so that system owners can make informed business decisions. He also has 11 years working in the financial sector and 13 years in the utility industry.
Education
AAS in computer science