Raffi Krikorian, the new Chief Technology Officer (CTO) for the Democratic National Committee (DNC), was recently interviewed by Wired, where he said that his plan to improve security includes a “bunch of staff training” and “a series of simulated phishing attacks on the entire DNC staff.” The DNC’s 2016 data breach serves as a cautionary tale for the potential impact on an organization’s reputation, so his efforts may provide insights for organizations looking to improve information security. Krikorian’s previous experience includes work at Uber’s Advanced Technologies Center and a stint as VP of Engineering at Twitter.
Krikorian’s plan reinforces the longstanding emphasis on training, which is included in various internal control frameworks such as NIST 800-53r4, ITIL, ISO 27000, COSO, and COBIT 5. Occasionally, the conversation among information security professionals is one of doom and gloom, bemoaning that training isn’t effective enough. Nevertheless, Krikorian is including training as a fundamental component of the DNC’s turnaround, an endorsement of the conventional approach.
Phishing simulations go hand in hand with the training. After all, the effectiveness of training and awareness efforts needs to be measured, and quizzes can only be relied on so much. By performing phishing simulations, Krikorian is adding a real-world component to his training program: he can track results over time and measure improvement. Individuals who need additional training and support can also be identified if they are repeatedly phished in the simulations.
In addition to focusing on the human component of his information security program, Krikorian is making changes in technology as well. He plans to implement multi-factor authentication and encrypted communications (Signal). These types of changes can be difficult to implement for users who are reluctant to change procedures, but the DNC has the unwelcome leverage of having just been through a devastating data breach, which may serve to make end users more willing to adapt.