Mobility has been a blessing and a curse to modern businesses as they struggle to balance its business benefits with its information security headaches. To protect vital business data, organizations should empower and educate users to play their security role when accessing business data beyond the company's walls, said MIT Medical information security officer Roy Wattanasin.
In a series of video interviews from the ISSA International Conference in Orlando, Fla., in October, SearchCompliance editor Ben Cole discussed modern cybersecurity strategy with speakers, ISSA members and attendees. Here, Wattanasin discusses why user empowerment should be a big part of businesses' information security program.
What do you think are some of the big cybersecurity threats out there right now?
Roy Wattanasin: Right now, it's really the people. We need to educate and empower users, remembering it's not only about technological controls. It's about educating people. You can train people all day, but people are going to click on links. You also want to ensure that you are making sure you are not only doing training for the business, but also training users on where they can improve information security at home.
Are there any universal strategies that have proven particularly successful to information security, or do you think it's more important to stay flexible and adapt as threats evolve?
Wattanasin: It's important to be flexible, but also to have approval from the board and management as well by keeping your information security program up to date. Always be prepared. You can use all the methodologies, all the frameworks, but always keep a proactive sense of mind and be able to respond to different threats and breaches that occur.
With so many threats and vulnerabilities, how has that changed the information security professionals' role and how they interact with other departments?
Wattanasin: It used to be people, process, technology, but now that process has changed. Information is all over the world, on different devices like integrated health devices, the Internet of Things. As the technology has evolved, it involves being a technologist. As an information security professional, your job is really protecting everything around the perimeter.
How can companies strike the right compliance and security balance?
Wattanasin: It's really just empowering your users. Have your training program, your security awareness program and your policy around not only the business you are trying to protect, but outside the company as well -- what decisions your end users and employees should make when they are at home. Do they have to update? Do they need a virus scan? Do they need a new program? So, it's empowering your users, not only when using technology but also by having them understand why you are doing this.