It has long been known that senior executives of an organization are prime targets for social engineering and phishing attacks. A 2010 CSO article observed: “C-level executives are the juiciest targets for criminals, and they are putting the company at serious risk. These vulnerabilities won’t go away until everyone understands security, from the bottom of the organization, right up to the top.” According to FBI estimates, between 2013 and 2016, businesses lost more than $2.3 billion in business email scams, most often targeting senior-level executives.
The best way to promote change in organizations is for executives to lead by example. CISOs, this is your opportunity to lead in a very commonly ignored yet very frequently exploited area—your online presence. As I researched for this post, my LinkedIn search for profiles with the CISO job title returned 29,934 entries—almost 30 thousand opportunities and prime social engineering targets ready to be exploited against tens of thousands of organizations. If yours is one of these entries, it is your responsibility as the chief information security executive of your organization to close this glaring security hole now. Let your ego give way to doing the right thing. Replace your job title with a less flashy one. I trust you to find the right low-key alternative. From now on, use the inconspicuous job title everywhere your name might be publicly shared or listed, including your LinkedIn and other social media profiles, your conference bios and so on. Having done this, encourage your CXO peers to do the same.
You might even go one step further and set up an “avatar” profile for your organization’s CISO to see what sort of audience it attracts. Monitor the avatar account to find out what solicitations your fictitious CISO receives. Because the avatar has a distinctive target name, you will also be able to tell how many spam emails pick up and target its fictitious identity—a direct measure of how useful and effective this simple preventive obscurity is. As senior information security and IT risk management professionals, we still have a lot to improve on, but the change must start with us. As Gandhi famously said, “Be the change that you wish to see in the world.” We do want our organizations to be safer, don’t we?
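Monitoring the avatar mailbox is easier if the triage is scripted. The following is an added example, not code from the original post: it treats the decoy CISO identity as a honeytoken, parses a small constructed mailbox with the standard-library `email` package, flags every message addressed to or naming the decoy, and buckets the hits by solicitation type and sender domain so the volume can be tracked over time. The decoy name, address, sample senders and keyword lists are all constructed for illustration.

```python
"""Honeytoken-style triage of solicitations sent to a decoy ("avatar") CISO identity.

Added example; all names, addresses and messages below are constructed.
"""
import email
from email import policy
from email.utils import getaddresses, parseaddr
from collections import Counter

# The fictitious CISO identity published on the avatar profile (constructed).
DECOY_NAME = "Avery Decoy"
DECOY_ADDRESS = "avery.decoy@example.com"

# Keyword buckets used to label what kind of solicitation a hit is.
# Order matters: the first bucket with a keyword match wins.
CATEGORY_KEYWORDS = {
    "payment_request": ("wire", "invoice", "payment", "urgent"),
    "recruiter": ("opportunity", "role", "position", "hiring"),
    "vendor": ("demo", "solution", "platform", "pricing"),
}

# Constructed sample mailbox: three messages aimed at the decoy, one that is not.
SAMPLE_MAILBOX = [
    "From: Jordan Recruiter <jordan@talent-search.example>\n"
    "To: Avery Decoy <avery.decoy@example.com>\n"
    "Subject: Exciting CISO opportunity\n"
    "\n"
    "Hi Avery, we are hiring for a CISO role at a fast-growing firm. Interested?\n",

    "From: Sam Sales <sam@secure-widgets.example>\n"
    "To: avery.decoy@example.com\n"
    "Subject: 15 minutes for a quick demo?\n"
    "\n"
    "Can I show you our platform? Pricing sheet attached.\n",

    "From: Security Digest <newsletter@security-digest.example>\n"
    "To: it-help@example.com\n"
    "Subject: Weekly security digest\n"
    "\n"
    "This week's headlines for security teams.\n",

    "From: CEO Office <ceo@examp1e-corp.example>\n"
    "To: finance@example.com\n"
    "Cc: avery.decoy@example.com\n"
    "Subject: Urgent: wire transfer approval needed\n"
    "\n"
    "Avery, please approve the attached invoice before end of day.\n",
]


def parse_message(raw):
    """Parse an RFC 822 message string into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def recipient_addresses(msg):
    """Lower-cased e-mail addresses from the To and Cc headers."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def message_text(msg):
    """Subject plus plain-text body, lower-cased for keyword matching."""
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return (str(msg.get("Subject", "")) + "\n" + body).lower()


def targets_decoy(msg):
    """True if the message is addressed to the decoy or names it in the text."""
    if DECOY_ADDRESS in recipient_addresses(msg):
        return True
    return DECOY_NAME.lower() in message_text(msg)


def categorize(msg):
    """Label a hit by the first keyword bucket that matches, else 'other'."""
    text = message_text(msg)
    for category, keywords in CATEGORY_KEYWORDS.items():
        if any(k in text for k in keywords):
            return category
    return "other"


def sender_domain(msg):
    """Domain part of the From address (empty string if absent)."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def summarize(raw_messages):
    """Count how much of the mailbox targets the decoy and what kind of traffic it is."""
    msgs = [parse_message(r) for r in raw_messages]
    hits = [m for m in msgs if targets_decoy(m)]
    return {
        "total": len(msgs),
        "targeted": len(hits),
        "targeted_ratio": len(hits) / len(msgs) if msgs else 0.0,
        "by_category": dict(Counter(categorize(m) for m in hits)),
        "by_sender_domain": dict(Counter(sender_domain(m) for m in hits)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MAILBOX).items():
        print(f"{key}: {value}")
```

Run against a real export of the avatar mailbox, the `targeted` count tracked week over week is the signal the post describes: if it stays high while the real CISO's mailbox quiets down after the title change, the obscurity measure is doing its job. The `by_category` split also shows whether the traffic is mere recruiter and vendor noise or the payment-request pattern behind the business email scams cited above.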
P.S. If you are a recruiter or a conference organizer, I expect that you will not like my proposal, because it will make your job more difficult. There is nothing I can do about that. I hope you will still agree with the business rationale I presented.