With reports of huge data breaches becoming common, there is no shortage of case studies companies can reference to learn the cybersecurity strategy "don'ts." The problem, according to Security Awareness Company president Winn Schwartau, is that companies ignore these past mistakes when implementing information security processes.
In a series of video interviews from the ISSA International Conference in Orlando, Fla., in October, SearchCompliance editor Ben Cole discussed modern cybersecurity strategy with speakers, ISSA members and attendees. Here, Schwartau says companies don't learn enough from the past when it comes to cybersecurity, and discusses why interdepartmental communication is vital to information security.
What do you think are the big cybersecurity threats right now, and what should be on companies' radar?
Winn Schwartau: There are only three things that matter right now, in my opinion: apathy, ignorance and arrogance. I've been doing this for 35 years, and we're seeing the same mistakes being made over and over again. That applies to most organizations, at some level.
Are there any universal cybersecurity strategies that have proven successful, or is it more important to remain flexible and adapt as threats evolve?
Schwartau: Yes to both. You have to be flexible because you don't know what's coming tomorrow. I remember when the first DDoS attack came out, a lot of us said, 'Wow, that was cool.' Evil. But cool nonetheless, because you can appreciate the technology. The common framework should be to learn your history first, learn what's been done. There is a lot of information, a lot of experience to learn from instead of trying to start brand-new and creating something out of nowhere.
We have history and fundamentals that are just being completely ignored. Stick to fundamentals. Use common sense. You take those two and hopefully it will help you rethink things and realize that technology itself is not going to solve everything. From an engineering standpoint, it's just a common sense view.
How has the information security professional's role evolved in the organization and how do they work with other departments to ensure effective cybersecurity strategy?
Schwartau: It's absolutely required to have a cybersecurity department, or some sort of cybersecurity focus within your organization. I see in some cases where stovepiping still exists: Here is physical security with the guards and the guns. That database doesn't talk to my AD, so I don't know if Bob is at home or in the building, or sitting at three different desks at the same time.
If you don't have everything talking to one another, you are going to have an epic fail. I see IT departments not talking to the security department when they are doing development. The business units develop business needs and initiate programs without talking to the security department first and understanding the risk that may be associated with it. From the highest levels of the organization all the way down to the operational business units, they need to be talking to each other a lot more than they are now.
With so many new compliance regulations being released, how can companies make sure they strike the right balance between compliance and information security?
Schwartau: Every compliance thing we see today is based on one document. In the Computer Security Act of 1987, the U.S. Department of Management and Budget created a document called Circular 130B that basically was a fundamental framework of data protection. If you look at HIPAA, PCI, GLBA -- they are all fundamentally the same with slightly different twists. They say the same things about what you need to do, but none of them say how to do it.
We have these new compliance things coming out, but they are all fundamentally the same flavor. Again, you have to go back to the basics, stick to the fundamentals and best practices. And, like we said earlier, stay flexible because tomorrow it's going to be different.