Hackers can infiltrate businesses in countless ways, and virtually every employee has a role in company data protection. What often happens, however, is security professionals' cries for help with protecting information fall on deaf ears, said Kevin Johnson, CEO of Secure Ideas.
In a series of video interviews from the ISSA International Conference in Orlando, Fla., in October, SearchCompliance editor Ben Cole discussed modern cybersecurity strategy with speakers, ISSA members and attendees. Here, Johnson discussed why it's up to the entire company to focus on security processes that assure adequate data protection.
What do you think are some of the biggest security threats out there right now?
The reality is the security threats we are facing today are the same security threats we were facing 20 years ago, which actually bothers me quite a bit. The biggest challenge for most organizations is explaining why people have to care. I think if they really just start looking at that and explain to their staff, explain to their customers, explain to their vendors, 'Here's why we care about this,' we'll see a much better result. We'll see fewer Home Depots, fewer Targets.
Are there any particular universal strategies that have proven particularly successful to protect data, or do you think it's more important to stay flexible and adapt as threats evolve?
I think it's a combination; I don't think it's an either/or. You have to stay flexible, because things do change. New technologies come out. We can talk about IoT and wearables and privacy in the cloud and all that kind of stuff, but at the same time, we have to have a strategy of fixing. One of the things I think that works very well is to stop treating security as a separate body. Recognize the fact that security is everybody's responsibility; it's part of every single part of your business. Your developers, your users, your admin, your management, [they] all have to take [security] into account. If we go that route, we have a much stronger foundation to build on.
With all these security threats and vulnerabilities, how has that changed information security professionals' roles and how they interact with other departments?
I think that's exactly what they need to do: Work with the rest of the company. The role we have played, traditionally, is of the 'no' people. We really need to adjust. We've been saying this for a while now, but we are just now starting to see movement where we are taking operations like DevOps and Agile development, and embedding them into development. We need to take security and embed it into development. Take security and embed it into our project management, into our business processes, our vendor relationships. Instead of having this ivory tower team, we have to have security professionals that understand what the business does, what IT does, what developers do. I don't hire pen testers. I hire people who have built systems who can become a pen tester because they better understand what they're dealing with.
How can companies strike the right compliance and security balance?
What most companies need to realize is that compliance is: 'You must be this tall to ride the Internet.' That's all it is. Instead of focusing on compliance, if you focus on security you will find that you are compliant. As a matter of fact, PCI DSS 3.0 has recognized that and started to turn compliance requirements into part of their 'business as usual.' If we focus on security, you will still check those boxes, but you will check those boxes in a way that is accurate.