Blog post

Simple People Centric Security Actually Works at Large Midwest Energy firm

By Avivah Litan | December 07, 2016 | 2 Comments

I just returned from a Gartner peer-connect event where some 65 CISOs shared experiences, concerns and visions for a more secure future.

There were many substantive discussions but one that stood out was a case study presented by a CISO from a large Midwest energy firm who implemented some simple people-centric and whitelisting security steps that reduced his incidents by almost 80%.

People are the main attack vector, and by tightening up their vulnerability to spear-phishing, exploits, and other attacks, the company would be much more secure. Major program steps included: establishing a ‘fun’ team-building security awareness program, standardizing on the Chrome browser, creating an Internet café at work where staff can engage in personal browsing on a secure network segment, and a whitelist of applications and allowable website traffic that was developed over time.

Here are the specific steps the firm took:

In 2014

  • Governance: Established a cross-functional group of business leaders that met regularly, focused on security education, and then began to deploy tools.
  • Early rollout: Discovered that in 2014, of the 400-plus security incidents at the firm, almost 90% were triggered by employees’ personal use of the Internet.
  • In 2014, the CISO took these straightforward measures:
    • Standardized on the Chrome browser and eliminated use of the legacy IE versions that enterprise applications had required.
    • Deployed application whitelisting to eliminate application sprawl and coached employees on getting business-required applications approved.
    • Implemented a security awareness program that was ‘fun’ to partake in.
  • Program results: in 2015 the firm had more than a 60% reduction in security incidents at a time when attempted attacks were increasing.

In 2015

  • Internet café for personal browsing: the firm set up an Internet café on a separate network segment where employees could engage in personal browsing from their own personal devices. Personal browsing from other corporate network segments on corporate devices was ‘softly’ discouraged and disallowed.
  • Internet whitelisting: all corporate traffic was proxied through a whitelist. A process was set up to expand the whitelist based on an information security review of business justification; the whitelist grew quickly from about a thousand sites to about 12,000 but then began leveling off 6 months after it was introduced.
  • Program results: in 2016, security incidents at the firm dropped about 40%.
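The proxy whitelisting described above boils down to a default-deny check on the requested host, with the café segment exempted and every denial feeding the business-justification review queue. The following is an added example, not code from the post or the energy firm; the allowlist entries, the café subnet and the sample log lines are all constructed here, and the matching is on DNS labels so that look-alike hosts do not slip past a listed domain.

```python
"""Added example (not from the post): default-deny domain allowlist check of the
kind a corporate forward proxy enforces, with the personal-browsing segment
exempted. Allowlist, subnet and sample requests are constructed for illustration."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed allowlist of business-justified sites (hypothetical entries).
ALLOWLIST = {"example.com", "vendor-portal.example.net"}
# Constructed address range for the Internet café segment (hypothetical).
PERSONAL_SEGMENT = ipaddress.ip_network("10.99.0.0/16")


def host_allowed(host: str, allowlist: Iterable[str]) -> bool:
    """True if host equals an allowlisted domain or is a subdomain of one.
    Comparison is label-wise, so 'example.com.evil.test' does not match
    'example.com', and neither does 'notexample.com'."""
    labels = host.lower().rstrip(".").split(".")
    for entry in allowlist:
        entry_labels = entry.lower().rstrip(".").split(".")
        n = len(entry_labels)
        if len(labels) >= n and labels[-n:] == entry_labels:
            return True
    return False


def decide(src_ip: str, host: str, allowlist: Iterable[str] = ALLOWLIST) -> str:
    """Return 'ALLOW', 'ALLOW-PERSONAL' or 'DENY' for one request.
    Corporate segments are default-deny; the café segment bypasses the
    business allowlist because it is a separate network anyway."""
    if ipaddress.ip_address(src_ip) in PERSONAL_SEGMENT:
        return "ALLOW-PERSONAL"
    return "ALLOW" if host_allowed(host, allowlist) else "DENY"


def review_queue(log: Iterable[Tuple[str, str]], allowlist: Iterable[str] = ALLOWLIST) -> Dict[str, int]:
    """Count denied hosts from (src_ip, host) records so infosec can review
    business justification before expanding the allowlist."""
    counts: Dict[str, int] = {}
    for src_ip, host in log:
        if decide(src_ip, host, allowlist) == "DENY":
            counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample proxy log: (source IP, requested host).
SAMPLE_LOG: List[Tuple[str, str]] = [
    ("10.1.2.3", "www.example.com"),
    ("10.1.2.3", "example.com.evil.test"),
    ("10.1.2.4", "social.example.org"),
    ("10.99.5.6", "social.example.org"),
    ("10.1.2.5", "social.example.org"),
]
```

Running `review_queue(SAMPLE_LOG)` yields the two denied hosts with their request counts, which is the list the firm's review process would work through.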

Overall Results

By implementing these straightforward people-centric security measures, the firm cut its security incidents from over 400 in 2014 to just under 100 in 2016, representing about an 80% reduction in events.

We spend so much time chasing the latest technology and promising new shiny solutions, while neglecting our most vulnerable attack vector – people.

This energy firm proved that by implementing people-centric security and whitelisting, the attack surface is dramatically reduced. Now the firm can concentrate on the smaller population of leftover security events, by applying more people-centric measures and a good mix of layered security technologies. I think we should all follow this sound approach.

Comments

  • This is right on Avivah! It is always helpful to engage people in this and all processes. Technology alone won’t cut it.

  • Ken Mages says:

    W3C is doing some interesting stuff.