Cybersecurity threats to personal and business data have become commonplace, and everyone who handles online information must do their part to protect it. Too often, however, end users don't know their data protection responsibilities, according to Reg Harnish, chief security strategist at GreyCastle Security.
In a series of video interviews from the ISSA International Conference in Orlando, Fla., in October, SearchCompliance editor Ben Cole discussed modern cybersecurity strategy with speakers, ISSA members and attendees. Here, Harnish says organizations aren't doing enough to improve cybersecurity threat awareness, and explains why user education is a vital aspect of data protection.
What are some of the big cybersecurity threats that companies should be paying attention to?
Reg Harnish: I think the industry has changed so rapidly that it's tough to keep an inventory of all the cybersecurity threats that we are facing today. I think there are a couple of things that we are either not doing well, or not focusing enough on. One is awareness, and how to change behaviors of end users like employees, executives and IT folks. Most security professionals will tell you that people are their greatest risk, but we're just not spending the time and money on addressing that problem. Until we do that, we're not going to get to a place where we are comfortable with our security, our safety and our privacy.
I think the second is really getting back to the fundamentals with security. There's tons of great technology out there, but one thing we really haven't done a great job of is figuring out whether it is the right one, or if it is working. I don't think measuring our progress is a [skill] that we've acquired yet. I think general risk management functions are forgotten because companies are either distracted by using the latest technology or by compliance. We haven't focused our efforts in the right places.
Are there any universal strategies that have proven successful against cybersecurity threats, or is it more important to remain flexible as threats evolve?
Harnish: That's a tough question. There are some universal strategies, but they are high-level and not very prescriptive. Each organization has its own challenges and risks. If you are just copying someone else's cybersecurity program, you are probably not doing the right thing for your organization. It's hard to prescribe at a very high level.
Everyone should be doing risk management, everyone should be training their people, everyone should be thinking about prevention and response. But when it gets into the rubber hitting the road, you really have to know a little bit more about the organization. It's tough without knowing more about the environment.
With all these new threats, how has that changed the information security professional's role in the organization?
Harnish: As security professionals, we have to be educators. This industry is so infantile right now that we just don't know where it's going to go, so we all have to be educators. That means educating not only ourselves, but others that may not be in the field but are impacted by it. It's about translation.
You have a lot of good security professionals out there who don't do a good job of understanding the business strategy, or aligning security with the organization's mission. That disconnect requires more pressure from us, more time and energy. People are less likely to be onboard with something if they don't understand how it affects them and their job. We've got to be better educators, better translators.
With so many new compliance regulations, how can companies make sure they are striking the right balance between compliance and security?
Harnish: I would argue that there really aren't many new laws and regulations out there; it's just that we haven't paid attention to the ones that exist. As professionals, if you are managing your risk appropriately, you are considering compliance right along with other threats. If you are not bringing those together, you are going to end up getting distracted by compliance.
We see plenty of organizations doing checkbox security; it's pretty common these days because organizations just don't know how to tackle security. Compliance gives them a list of things, and they say, 'I might as well check those boxes.' There's no assurance that that is actually helping them secure the things that are important to them.