Evolving tech forces fresh look at IT security processes

In this Q&A, vArmour CISO Demetrios Lazarikos discusses how rapidly advancing technology is influencing how companies plan and train employees on new IT security processes.

As business processes become increasingly digitized, rapidly advancing technology can provide automated, real-time data analysis to help reduce operational costs and increase efficiency. But as businesses strive to take advantage of new technology, the huge amounts of data being generated are forcing them to re-examine their networks to ensure company and customer information stays protected.

During a recent virtual trade show sponsored by TechTarget and ISACA, vArmour CISO Demetrios Lazarikos discussed how new technologies -- and the data being generated by them -- are influencing modern companies' IT security processes. During his presentation, titled "How IoT and New Tech Changes Modern Cybersecurity," he discussed the new IT security protocols necessary to avoid information risk when performing real-time, big data analytics. Here, Lazarikos answers VTS audience questions pertaining to IT security processes and best practices that he didn't get to on the day of the show.

What is the major security concern for medical research applications installed on mobile devices?

Demetrios Lazarikos: Great question. I worry that the application may have been built without security in mind. What I mean by this is that any application should go through an architecture and tech review by qualified, trained professionals. From my work in this area, I strongly recommend that organizations hire an infosec practitioner for this function, or contract it out to a reputable firm. Also, remember that there are scanning tools available now to scan the mobile device code to look for vulnerabilities before the application has been released to production.

What is the real threat, and what is at risk in the internet-of-things (IoT) arena when it comes to the industry or the business?

Lazarikos: IoT is moving rapidly to integrate systems, networks and data together. I believe the threats will increase due to something being overlooked with IoT devices or that the device isn't built with security in mind.

How can technology teams, such as IT security or IT audit, respond to the business teams that push back on considering key IT security controls during implementation projects that involve electronic information and information systems?

Lazarikos: Working with business teams that are moving so quickly can be challenging. From my experience, what I've seen work is partnering with the business to be sure it includes exit criteria during the architecture and technical design phases of building an application. During these two phases, practitioners can figure out pretty quickly if PII [personally identifiable information] or sensitive data requiring mandatory compliance will be affected. If the business is willing to overlook these mandatory regulations, then maybe it's time to educate your legal team about some of these practices.

Additionally, you may want to speak to an executive sponsor about some of these practices. At the end of the day, if something bad happens in the organization with these particular projects, chances are you'll be asked to provide some insight about what you knew and how you made the business leaders -- and your boss -- aware of the gaps or risks. Always document what you did as part of ensuring the business was aware of the risks.

What are your thoughts on spending resources on cyber-awareness training, especially for SMBs with limited funding? Should resources be focused somewhere else, or is training now a critical part of any security posture?

Lazarikos: Budget constraints affect everyone. Because of the nature of what we do and the constant change in our industry, I believe that it's critical to have infosec training budget for practitioners. SMBs are usually limited by travel and training expenses -- that's why I encourage everyone to check out the ISACA- and TechTarget-sponsored training series. There's also a ton of information out there on the web with infosec training by topic, such as networks, systems, application security and mobility. You just have to find your niche and explore what's online to help you if you have budget constraints.

Another place you can find out what's going on for training is a meetup in your area, or check out ISSA, ISACA, (ISC)2, or OWASP meetings to learn more.
