It seems as if every day there's a high-profile incident at a big-name company, with hackers finding increasingly innovative ways to attack and steal information. One of the biggest under-the-radar information security threats, however, is that technology advances so rapidly that it is difficult for companies to keep pace with the latest and greatest data protection strategies, said Jim Wiggins, executive director at the Federal IT Security Institute.
In a series of video interviews from the ISSA International Conference in Orlando, Fla., in October, SearchCompliance editor Ben Cole discussed modern cybersecurity strategy with speakers, ISSA members and attendees. Here, Wiggins discusses why employee education and training will be essential to offset the rapid evolution of information security threats facing businesses today.
What do you think are some of the biggest cybersecurity threats right now?
Jim Wiggins: I think technology and how fast it moves is really one of our biggest threats today. When we think about [the] workforce, one of our challenges is that every couple of years we are introducing all sorts of new technology, because it's very difficult for the workforce to keep up with it. That really becomes one of the bigger challenges, and from a threat perspective, it's important we keep the workforce properly trained and up to date on the latest and greatest knowledge, skills and abilities.
Are there any particular universal strategies that have proven particularly successful to protect data, or do you think it's more important to stay flexible and adapt as threats evolve?
Wiggins: There are a couple of ways to look at it: One, you could look at buying solutions that try to address all of the different cybersecurity threats out there. I'm a little biased because I'm from an educational background, but I think it's the people that we need to start thinking about investing in. Organizations need to be thinking about how can we invest in our people, how can we get them the right kinds of knowledge, skills and ability to identify, quarantine and in some cases remediate a lot of the current cyberthreats. As they evolve, you'll have the right kind of people with the right kind of cognitive abilities to adapt to them. We won't have to be constantly buying new appliances that deal with the new threat profile. We'll have the people and the workforce to be able to handle a lot of those issues for us.
With all these security threats and vulnerabilities, how has that changed the information security professional's role and how they interact with other departments?
Wiggins: A lot of people want to create cybersecurity experts who can do everything. A good example of it is from the movie 300, where they had a few hundred individuals who could help ward off the army of a million. Every soldier knew their position: They knew whether they were guarding the front, the rear, the left or the right flank. They knew what their role was supposed to be. If we think about that with regards to cybersecurity, I think there is an opportunity to really build teams within organizations that would incorporate all the different departments that you are making reference to.
Rather than looking at this as a one-off type of thing with one person or another person, we need to be thinking collectively about how to build the right kind of response teams to be able to deal with a lot of these cyberthreats. Then, of course, go back to the education and the training I was mentioning earlier, and train people in different areas -- whether they are a forensics guy, or an incident handler, or whatever they happen to be.
How can companies strike the right compliance and security balance?
Wiggins: That's a tough challenge. The adage I like to think of is that regulation comes with this idea that we've got to do it because the government says we have to, or policy says we have to. There are a couple of ways we can think about security. Do we think about security as an investment, or do we think of it as an expense? That particular mind-set really drives, in some ways, how we go about incorporating security into our organization. If we are doing it for compliance services, because of the fact that we have to, there's always a tendency to strive for just doing the minimum.
If we start to look at it as an investment, we change the paradigm a little bit. We think about what the organization gets out of security. I think that is the crux of it: Organizations that think about security as an enabler, something they can take advantage of, really get an opportunity to go beyond that compliance consideration because they are already doing what they are supposed to be doing rather than just doing what they are told to do. As an educator, that's how I try to sell security to organizations: Let's not sell it based on fear, uncertainty and doubt, but let's focus on the investment aspect of it. What do we get out of it? What types of capabilities can we take from it? That's one way to address the issue.