At the 2013 ISSA International Conference in Nashville, Tenn., Christina Torode, editorial director at SearchCompliance, sat down with Baroness Pauline Neville-Jones, the U.K. special government representative to business for cybersecurity, appointed by the prime minister and a member of the House of Lords.
During her presentation, Neville-Jones, who is also the former minister of state for security and counterterrorism, said most companies have their heads in the sand when it comes to cybersecurity. In this Ask the Expert video, she explains why understanding an organization's IT systems -- and its vulnerabilities -- is the first step toward protecting information.
During your presentation, you said that it was pretty alarming how many companies didn't think they had a problem with cybersecurity. You also mentioned that companies, in general, are not looking in the right places to ensure cybersecurity and information protection. What is the right place to look?
Baroness Pauline Neville-Jones: This is a question of understanding your systems. Part of the problem is that there are many companies where employees are not really masters of the technical systems that they're dealing with. That is an area where corporations need to strengthen their expertise, which relates to a further problem, which is a shortage of people. This is a real skill-shortage area. There are multiple problems.
More from the ISSA Conference about protecting information
Data security updates expected in 2014
How public, private sector can benefit from protecting whistleblowers
Nevertheless, often the answer to that question is that [companies] simply don't understand where they need to look. They also don't understand, very often, the relationship between where data is stored and how it's accessed, and who accesses it and how we need to limit that. The thought doesn't occur to them that you can perfectly well penetrate a system via somebody's scheduling -- their calendar or their diary -- and get information about an important contract via a route which actually is not related to the data store, but is related to operations.
You have to understand the relationship between these various things and where you might be vulnerable, and why you might be vulnerable. Very often, companies don't realize the company they keep. A very, very large number of companies these days are operating well outside their domestic environment. They've got businesses in foreign countries, and they need to understand the degree of risk they may be carrying.