Modern companies must constantly prepare for and protect against potential information breaches. As data protection lapses have evolved into a major threat to businesses' operations and bottom lines, information security professionals have become the drivers of cybersecurity strategy efforts as companies strive to protect their assets.
In a series of video interviews from the ISSA International Conference in Orlando in October, SearchCompliance editor Ben Cole discussed modern cybersecurity strategy with speakers, ISSA members and attendees. Here, information security consultant J. Michael Butler discusses how information security skills must evolve as data protection becomes a top business priority.
What cybersecurity threats should be on companies' radars right now?
J. Michael Butler: All of them. What I usually tell people is that I'm most concerned about the threats I don't know about. We see a lot of things coming in our AV software, we get indications of particular types of threats. We can go look for that, we can go investigate that, but what I'm concerned about is when there might be something out there that we have no clue is there. The general wisdom is to always assume you've been acquired by someone, somewhere, so I'm concerned about finding that is true.
Are there any universal cybersecurity strategies that have proven effective, or is it more important to stay flexible to adapt to evolving threats?
Butler: Both. All of the tools are important, but more important than the tools is having the appropriate personnel that know how to use the tools. You certainly want to use everything to your advantage to track what might be happening in your systems. At the same time, you have to remain flexible because the technology is so flexible. You don't have a choice.
As these threats and the tools to combat them evolve, how must information security skills evolve? Does this change information security professionals' roles in their organizations?
Butler: I don't know if it has changed it so much as people are getting a better idea of what that role really means. When I started training in forensics, which is my specialty, it was several years before there was an incident that caused the legal department to find out I could do what I could do. Then I became more active and they have kept me busy ever since. I think that may be typical in any area of security. Once we develop the skills and see what it can do for us, we can get the right people behind it that have the right skills to support the tools and the systems. Then, we can actually get back the data that is going to help us ward off the threats.
How do companies balance numerous compliance requirements with cybersecurity and data security efforts?
Butler: It's going to depend on the company. It depends on what your product is; it depends on what your organization is trying to do as to what tool is going to be best, what method. That really morphs depending on the organization you are in, the kind of data you have and how you are trying to protect it.
How have professionals' information security skills or roles changed in the last several years, and how can companies educate and train them to make sure they are prepared?
Butler: I think the role has changed in that we are becoming more important to the organization. I see security roles expanding, I see more and more people involved in security as different organizations find out how important security is. That's a big part of it: How you stay fresh and approach your task and do what you need to do. That requires a lot of training, a lot of webinars, whatever it takes to keep up with current trends, with the changes in technology, to address the new threats.