Information security executives need to be strategic thinkers
by Mirko Zorz - Editor in Chief - Monday, 17 June 2013.
The approach I advocate is to start by bringing all internal stakeholders together in a collaborative forum. I think it’s critical that information security leaders find a way to provide visibility throughout the organization and get communications flowing so they can build a collaborative spirit and obtain buy-in from all impacted parties. Together, the group can identify the organization’s “crown jewels,” be they systems, applications, or information. They also can best determine where the “third rail” issues reside that would create unacceptable consequences should they come to pass. With this information in hand, you can prioritize the risks and focus on solving the issues.

BYOD adds a layer of complexity, no doubt. Everyone recognizes it brings benefits and drawbacks to the table. That said, its adoption is inevitable in most organizations, so I think you should sensibly embrace it instead of battling it.

BYOD drives a change in the way we think – we must be laser focused on protecting our virtual assets, because they will reside on a growing number and variety of devices that are not exclusively under our control. For me, that means taking extra precautions in close proximity to our intellectual property crown jewels, while empowering employees to leverage BYOD as much as possible to maximize their productivity.

Is it realistic to expect an organization will get ready to address all potential security risks? How much preparation is good enough? How do you tolerate risk?

Unlike the physical battlefield, cyber warfare is changing far more rapidly, with an unlimited number of permutations and combinations. There are so many more points of vulnerability, and the science is advancing at lightning speed. So, addressing all potential security risks may be outside the realm of possibility, but you have to try. This is where the value of building a team of stakeholders who can collaboratively prioritize the risks comes into play, so you can best prepare for the most likely scenarios.

My mantra is, “Don't become complacent.” Challenge yourself and your organization to move outside of your comfort zone. Static defenses like the Maginot Line didn't work in the 20th century, and their cyber-security equivalents will suffer a similar fate. Be resilient and always maintain a forward-leaning security posture.

There’s definitely a cost vs. risk vs. impact tradeoff. If the risk and/or impact of a threat are infinitesimally small, and the cost of preparation and prevention exorbitantly high, you may make a conscious decision to focus your resources elsewhere. You tolerate this risk by understanding that you have limited budget and personnel, and you’ve targeted them to those areas that you’ve identified as being more likely to occur and/or more impactful if they do come to pass. Here’s where the strategic planning, technical excellence, and first-class analytics of our team at Exostar give me the comfort I need to sleep at night.

How important is security awareness? Do you believe in employee training?

I take a bit of a paranoid perspective – everyone in our organization is a target, and trust from the outside must be earned and consistently validated. My goal is to convey a similar posture to all Exostar employees. Security awareness is vital at all times; otherwise, our business becomes vulnerable. I want our employees to recognize that threats such as malware and social engineering are adaptive. That means everyone constantly must remain vigilant. It is frequently the vigilant user that spots an anomaly before it becomes a real issue.

I absolutely believe in employee training. Every new hire gets to spend some quality time with me. I personally deliver training so individuals not only understand our policies and procedures, but why we have put them in place and what might – no, would – happen if they didn’t exist. In addition, every employee must attend training updates on a regular basis, because our approach is constantly evolving as we strive to stay a step ahead of the changing threat landscape.

Training should be more than just a box-checking exercise with a slide deck. I think this individualized, face-to-face security training allows everyone to better connect with the business, and that leads to better outcomes for all of us.
