Modern information threats come in many forms: from hackers looking to steal intellectual property to oblivious employees who don't know they are putting data at risk. Companies are beginning to realize, however, that solid data protection protocols can actually serve as business enabler. As a result, information security professionals are getting much more of say in corporate decisions and how data protection efforts must be considered when making business decisions, said Marci McCarthy, CEO and president of Tech Exec Networks Inc.
In a series of video interviews from the 2015 ISSA International Conference in Chicago, SearchCompliance editor Ben Cole discussed modern information security strategy with conference speakers and ISSA members. Here, McCarthy discusses information security best practices and why end-user security awareness is the front line of corporate data protection efforts.
How can companies promote the "culture of security" that was the theme of the ISSA International Conference?
McCarthy: The culture of security at an organization is really tantamount to information security executives' mission and being effective in an organization. They really need to get out there and communicate to their boards of directors, their end users, the stakeholders, as well as the information security community at large, on what they are doing and how they are doing it. Promoting a win-win attitude when your best day is when nothing happens -- which is never the case -- is really all about promoting your success.
How has new and involving technology, such as the IoT, complicated the information security professional's role?
McCarthy: It started when everyone wanted to bring their iPad to work, and their iPhone, and all their various devices -- the mobility aspect has really driven that. Now there are tons of other devices and ways to connect to the networks and the Internet to do their job more effectively, from point-of-sales terminals to when UPS or FedEx folks come to your house and scan packages. The reality is that's where the future is going, and you have to embrace it to enable the business. It's going to bring you closer to your customer, it's going to streamline the supply chain at the end the day, so we have to embrace it.
How has the InfoSec professional's role changed as information security has become so important to a business's success?
McCarthy: More and more, information security professionals are getting in front of boards of directors and steering committees and becoming part of the leadership team. They are realizing that security is an enabler. It's not a matter of if you are going to be attacked or breached, it's a matter of when. Having those lines of communication already in place preemptively, doing all that you can to manage to the risk, is really the only way the information security professionals can elevate themselves to be much more effective in their companies and protect their companies' information.
End-user security awareness training
How can companies make sure their security policies and processes are staying up to date with modern threats?
McCarthy: It's really about end-user security awareness type of training programs -- doing the pen testing and the phishing type of attacks, and making them aware. It's sort of deputizing your end users so if they see something coming in to your organization that doesn't look right, they are allowed to raise the red flag and not be chastised for doing that. It may be crying wolf -- but I'd rather have the end user crying wolf a little bit and be much more cognizant of what they are seeing on their email or in their environments, than have them click on something and all of a sudden you have a Trojan Horse that entered your environment, and six months later you have an APT.
Public/private sector information sharing for cybersecurity has become a big issue of late. Do you think it is a good strategy for information protection purposes?
McCarthy: Quite frankly, it's a little one-sided. I was invited to represent Georgia in Washington, D.C., at the TechAmerica Fly-in conference, and we met with our senators and congressmen on this particular topic. What we learned was that 90% of the infrastructure belongs to the private sector, and 10% belongs to the government. Although our government has a tremendous amount of information, they are sharing it on a very limited basis with the private sector. There is a total imbalance. We are a nation of laws, so they can't information share, per se, and tell you something is going on in your environment.
I know security executives who have partnered through InfraGard with the FBI. When they do get a briefing, they go into a room with no pencils, no pens, no cameras, no phones, no paper -- really nothing. They are being shown IP addresses, for example, and information that is threatening their company's infrastructure, and they are not allowed to take that information away with them, to bring that back to their information security operations and forensics teams to do a proper investigation. There is a lot more that needs to be done in terms of a real partnership. A partnership is really about being 50/50; it can't be 90/10.