Cybersecurity has become very complicated for businesses as new threats constantly pop up and old ones evolve. Companies have had to adapt business processes and roles to protect data against cybersecurity threats, which was a big topic at the 2014 ISSA International Conference in Orlando, Fla., in October.
In a series of video interviews from the conference, SearchCompliance editor Ben Cole discussed the state of modern cybersecurity with speakers, ISSA members and attendees. Here, former CIA chief information security officer Robert Bigman says many companies remain vulnerable because they overlook the basics when it comes to cybersecurity threat protection.
What are the biggest cybersecurity threats today, and what should companies be doing to react to them?
Robert Bigman: Frankly, the biggest threats are the same as they were five or 10 years ago. There are still threats from unauthorized access, malware attacks from code injections, phishing. Those haven't changed, and they won't change until we fix the problem, which is that computers aren't very secure. What has changed is that we've seen what is called the "democratization" of attacks. Some very sophisticated attacks which I used to see from nation states just a few years ago are now being done by hacktivists, or what I would call "front line" hackers, who really don't have a lot of skills but are using some very sophisticated code.
The problem is most companies have not configured their network architecture and IT programs to defend against these sophisticated attacks. They've been relying on commercial products, antivirus products, and now cyber-intelligence. The problem is none of it works, and is in fact completely ineffective. What they have to think about is how to engineer their systems and networks to minimize the threat of the malware even getting in. Once it gets in, if you have an Internet connection and you are a top-tier target, you are going to get hacked. That's what everyone is now learning.
Are there any universal strategies that have proven particularly effective for cybersecurity, or is it more important to remain flexible and adapt as threats evolve?
Bigman: Well, you shouldn't remain flexible and you shouldn't adapt. What you should do is be secure. It's kind of like football: We call it the "blocking and tackling" -- you've got to do the basic things right. Since I've retired I've been doing a lot of consulting, and I'll be honest with you, I haven't found almost any company that even does the basics right.
There are vendor and government standards for Windows configuration: it's step by step, do this and do that, turn this on, turn this off. I have not gone into a corporation where they even try to pay attention to those configurations. If they would do the basics, they would lessen their potential attacks. They wouldn't get rid of it, but they would greatly lessen it. However, they prefer to buy products and just pile on layers of products on a rotting foundation. They need to really work on the foundation.
What role do information security professionals play in cybersecurity?
Bigman: I've been working with many organizations, and I've seen them play a wide variety of different roles. What I worry about is two things that I see consistently across the private sector: The first thing is they don't have enough visibility and access to be effective. They are usually buried somewhere in the CIO organization, and it is the CIO who is the representative to senior management on security, not the CISO. It should never be that way; it should only ever be the CISO.
The second thing I see is that CISOs just don't get resources. They get money to buy products, but they don't get resources, funding and people to help build secure systems.
How do compliance regulations influence how companies approach cybersecurity?
Bigman: The simple answer is that it's not helping. The compliance police don't understand the complexity of information security. What they still do today, in 2014, is create a checklist. The problem is this takes up time and it doesn't get to the heart of the matter, which is the real crucial issues that I mentioned before, the blocking and tackling. The other problem I've noticed with the compliance police is that it's very issue du jour. For example, two years ago it was whitelisting. Last year, encryption was big. This year it's cyberintelligence. That doesn't help. The issues are the basic blocking and tackling, not whether they have specific tools in place.