InfoSec professionals tapped to advance the 'culture of security'

ISSA International Conference organizers explain why InfoSec professionals have had to redefine their role as cyberdefense has become a business priority.

The 2015 ISSA International Conference kicks off Oct. 12-13 in Chicago, and comes as global cyberdefense continues to be a priority for businesses struggling with the impact of surveillance on consumer privacy, the increase of state-sponsored attacks and a string of high profile data leaks. Conference organizers said information security has become a pervasive challenge that requires the cooperation of the whole organization, and this year's conference encourages chief information security officers and their staff to "advance a culture of security" that permeates the business.

In this Q&A with ISSA International board director Candy Alexander and ISSA International Conference chair Stefano Zanero, they discuss how information security (InfoSec) professionals can promote a security culture at their organization, and how these employees' responsibilities have changed in the face of fast advancing technology and threats.

What can InfoSec professionals do to further a 'culture of security' at their organizations and make information protection a business priority rather than an afterthought?

Candy Alexander: In order to change company culture, it has to start at the top, with the "C" Suite. Once the CEO pays attention to security, the rest of the organization will follow. But in order to get the CEO to pay attention, the security person needs to understand the business.

In other words, the security people should be asking about the business and then doing a mini risk assessment to answer certain questions: Is the data safe? How can work be done in a more secure manner? Then they can go back and talk with the business and educate them about the potential risks and how they can be mitigated. By having conversations such as these, the business begins to see that security needs to be brought into new development and planning. It's a slow change, but effective.

How have InfoSec professionals' roles evolved as data protection has become a top concern for businesses all over the world? Have they become more involved in business decisions as information security has become more of a priority?

Stefano Zanero: Since we didn't really get to engage the board of directors, it was the board that gained an interest in us. All of a sudden the leitmotif of the conferences changed from 'how do I get commitment from my board?' to 'help, my board is asking very hard questions.'

This is our challenge at the moment: how to demonstrate the value of cybersecurity programs to a suddenly interested -- but not necessarily receptive nor informed -- board.

Alexander: As a professional, I'd like to say 'yes, our roles have evolved.' But it all depends on the industry and the level of the role in the organization. For the entry level staffer up to the mid-career level position, the role has become quite defined and on target within most organizations. There are clear expectations of what they are to do and how to do it.

However, we are still clearing the path at the more executive levels where the roles and expectations are all over the place. Progress is being made, but there is still the debate of whether a CISO should have heavy technical skills or more business skills. That is determined by the nature of the organization's business. That being said, we are seeing the scales tilt more toward someone having a solid technical background, but [who] more importantly can talk the talk and walk the walk when it comes to working with the business.

How has the Internet of Things complicated InfoSec professionals' roles? What new types of information security threats are created by the new prevalence of IoT?

Alexander: While IoT makes our lives easier to live, it has complicated things 'behind the curtain.' Now more than ever, it is more apparent that security needs to be 'baked in' during development cycles. This is something that the security profession has been saying for years … there is a cost for bolting on security after a product release. The cost is now higher than ever, and there is even the potential for the loss of human life. It has never been so important to ensure that security vulnerability checks be included and fixed within the development cycle. We are seeing it with the work that Chris Valasek and Charlie Miller are doing with automobiles. We have been seeing it in the biomedical device industry as well. It's time to get serious about security.

Zanero: Cyber-physical systems definitely pose novel challenges that some of us tried (rather unsuccessfully) to point out ahead of time -- I recall presentations by a younger and unknown Morgan Marquis-Boire that fell upon deaf ears maybe seven years back.

The issue is that evaluating the impact of a cyber-physical vulnerability requires a deep understanding of the system it is connected to, something that not all InfoSec professionals are trained to understand. This will probably increase the need for an engineering education for at least part of the cybersecurity workforce.

Next Steps

In these video interviews from the 2014 ISSA International Conference in Orlando, Fla., former CIA chief information security officer Robert Bigman said companies shouldn't forget the basics when it comes to data protection, and an MIT Medical information security officer discusses why user empowerment will be a huge factor in the future of cybersecurity. And in this article from the 2015 RSA Conference, the results of a security ethics survey are broken down, and it turns out honesty is a tricky business.