Intelligent CISO Issue 9 - Page 43

EXPERT OPINION

...so you can monitor where you are and then work to improve it by reaching out to various employees and groups. Having that visibility and control also increases awareness of the problem and once you’re aware, that’s when action becomes much easier. If you don’t have this information, how do you actually inspect what you can only expect?

How would you summarise the main benefits of LastPass for enterprise customers?

It’s really about being able to close the other 50% of the windows and doors of the organisation. I also think being able to report out on that, being able to understand where you are and see that improvement, is also very critical. There are now vendors who can produce security scores, like credit scores. And with us, we have a password score. As you look at the pressures particularly large enterprises face when it comes to risk and risk mitigation, anything you can do to quantify that risk, and then also prove you are improving over time on that, is really critical to both maintaining your funding and getting more of it.

Is there any best practice guidance you would give to CISOs about password management?

It’s ok to admit you have a problem. It’s ok. You’re not alone. That’s number one. And two – you have to recognise that it’s bigger than just your organisation. This has to do with people’s personal habits as well as professional habits. It might seem like a good answer to your problem is to make password requirements harder in order to protect all of the systems – cloud, on-prem, etc. But I think all you’re going to get there is rebellion. So, keep it simple; complexity is not the answer. As you look at passwords, recognise that you only know less than half of what apps your users are using. So whatever solution you choose, you want your employees to feel comfortable bringing a new tool into their workflow. I think that’s some of the biggest advice.

And then work with the vendor on that rollout, as there are a lot of innovative things you can do – everything from office posters to games, to putting shared passwords in so people actually have to get access to it and log in so they can get that information.