CISO Conversations

Conversation with Almir Hadzialjevic, VP of Enterprise Risk and Security, Aaron’s


What do you see as the most significant positive steps that government, business, and the security industry have made in the past 24 months to improve cybersecurity?

To sum it up in one word: dialogue. And that’s dialogue with transparency. The security function in the private and public sector has realized that we're really all in this together. So, if you're a company that's getting attacked by a nation state or a state-sponsored group, you're fighting a losing battle going it alone. Being able to collaborate and consult with each other on these issues is a big advantage.

Our industry is realizing that our economic livelihood could be at stake, too. So the dialogue that's been fostered has really been positive. Although nothing has come out from the governmental side yet that has any teeth, some of the dialogue that has been occurring, particularly regarding active defense, is encouraging in the spirit of overcoming some of the legal hurdles that previously made it more difficult for companies to cooperate with the government.

I also think this increased dialogue directly stems from a heightened awareness about cybersecurity, particularly on the government side. With constituents asking about breaches, especially the sensationalist nature of high-profile breaches and the resulting revelations including the intelligence work that's been leaked, the government cannot simply tell us, “This is something that doesn't really affect you.” It has forced a dialogue about the subject matter and it's become important to them.

What impact has the Internet of Things had on cybersecurity planning and how has it affected your approach to operational and physical security?

From a consumer perspective, I obviously love IoT, but from the cybersecurity perspective of an executive charged with protecting a company, it significantly expands my attack surface. I have what seems like an infinite number of scenarios that I have to contemplate and prepare for from a vulnerability and threat perspective, because all it takes is one exploited vulnerability for a breach to occur.

Working in the private sector, we are not yet experiencing the full impact on cybersecurity preparation that IoT necessarily brings with it. Right now, its biggest impact is on the continuity side, such as the botnet attack that was used to bring down certain parts of the internet last year. It is mostly the services upon which we rely that impact us the most currently, which we, as customers, have little ability to control.

We anticipate, however, a much larger impact down the line with respect to the lack of security being built into IoT devices. Little attention is being given to securing these devices by IoT manufacturers because the ROI is not there. Consumers like them because they're relatively inexpensive. But once you start layering in embedded chips and encryption, for example, it starts getting more expensive to harden those devices and, consequently, more expensive for the consumer. Right now, the low cost is driving consumer desire, but we anticipate that changing as the focus on security measures rises.

How can CISOs effectively deal with “shadow IT resources,” those non-sanctioned business resources that often bypass official channels to deploy technology?

A delicate balance exists there between usability and security. When you look at these types of resources, you have to adequately assess the security exposure and risk that go hand in hand with them. We made a decision as a company that our security and protection outweigh the perceived benefits of these shadow IT resources. It always goes back to one’s risk appetite. You have to articulate the exposure associated with the risk, let the business decide the appropriate balance between usability and security, and then work with IT to enable the desired process.

With threats becoming more organized and frequent, how much emphasis needs to be placed on end user behavior modification rather than just security awareness?

A great deal of emphasis should be placed on end user behavior modification because you're only as strong as your weakest link. Although we can control and implement technology for protection, we cannot ultimately control the actions of individuals. The user will be the one who makes or breaks the strict controls we put in place.

Any information security training is only truly effective if it informs and changes user behavior. That's how our company approaches it, and we have experienced great success with it. We promote numerous campaigns on security awareness, including ensuring our employees are familiar with our escalation process for reporting when people get phished, and positive recognition programs.

We also have metrics in place that help us manage user behavior, such as click-through on phishing. Obviously you want to begin with the end in mind. The end goal of any awareness training campaign should be changing user behavior and having them think twice.

How has the role of the CISO changed over the past 3 – 5 years? How do you see it changing over the next five years? What do these changes mean for the mandatory skill sets of a CISO?

I think it's changed considerably. Three to five years ago, it was a role whose duties perhaps weren’t viewed with the appropriate gravity that should be attributed to it. With the recent high-profile headline-grabbing breaches, the concept of information security and the CISO role have changed drastically, to the point where a lot of CISOs I talk to now feel like they have a seat at the table.

Our security function previously was housed in our IT department. Because information security is one of the industry’s top risks, it is a continuing dialogue we have. We decided to realign this function and make it a true enterprise program, moving it outside of IT as a separate department to remove any apparent or perceived conflicts of interest.

Today, any company that is going to take payments or deal with customer data must have a good security policy – it’s just table stakes. Today’s CISO needs to be able to talk the language of the business, refrain from using technical jargon, and instead discuss vulnerability and risk. For example, a CISO needs to answer questions such as, “What does that mean? What's the impact? How is this going to prevent me from selling more widgets or enable me to sell more widgets?” It’s ensuring that the CISO is a well-rounded businessperson who can articulate technical terms in a way that is meaningful to the business and the key decision makers.

This calls for a lot of softer skills and leadership skills that a stereotypical “techie” may not inherently present. But a CISO must still have a solid understanding of all the technology aspects of the business as well. This blend of technological expertise and business acumen will be in high demand as companies look for better business options.