
Fast-advancing tech makes information security threats tough to grasp

It seems as if every day there's a high-profile incident at a big-name company, with hackers finding increasingly innovative ways to attack and steal information. One of the biggest under-the-radar information security threats, however, is that technology advances so rapidly that companies struggle to keep pace with the latest data protection strategies, said Jim Wiggins, executive director at the Federal IT Security Institute.

In a series of video interviews from the ISSA International Conference in Orlando, Fla., in October, SearchCompliance editor Ben Cole discussed modern cybersecurity strategy with speakers, ISSA members and attendees. Here, Wiggins discusses why employee education and training will be essential to offset the rapid evolution of information security threats facing businesses today.

What do you think are some of the biggest cybersecurity threats right now?

Jim Wiggins: I think technology and how fast it moves is really one of our biggest threats today. When we think about [the] workforce, one of our challenges is that every couple of years we are introducing all sorts of new technology, because it's very difficult for the workforce to keep up with it. That really becomes one of the bigger challenges, and from a threat perspective, it's important we keep the workforce properly trained and up to date on the latest and greatest knowledge, skills and abilities.

Are there any particular universal strategies that have proven particularly successful to protect data, or do you think it's more important to stay flexible and adapt as threats evolve?

Wiggins: There are a couple of ways to look at it: One, you could look at buying solutions that try to address all of the different cybersecurity threats out there. I'm a little biased because I'm from an educational background, but I think it's the people that we need to start thinking about investing in. Organizations need to be thinking about how can we invest in our people, how can we get them the right kinds of knowledge, skills and ability to identify, quarantine and in some cases remediate a lot of the current cyberthreats. As they evolve, you'll have the right kind of people with the right kind of cognitive abilities to adapt to them. We won't have to be constantly buying new appliances that deal with the new threat profile. We'll have the people and the workforce to be able to handle a lot of those issues for us.

With all these security threats and vulnerabilities, how has that changed the information security professional's role and how they interact with other departments?

Wiggins: A lot of people want to create cybersecurity experts who can do everything. A good example of it is from the movie 300, where they had a few hundred individuals who could help ward off the army of a million. Every soldier knew their position: They knew whether they were guarding the front, the rear, the left or the right flank. They knew what their role was supposed to be. If we think about that with regards to cybersecurity, I think there is an opportunity to really build teams within organizations that would incorporate all the different departments that you are making reference to.

Rather than looking at this as a one-off type of thing with one person or another person, we need to be thinking collectively about how to build the right kind of response teams to be able to deal with a lot of these cyberthreats. Then, of course, go back to the education and the training I was mentioning earlier, and train people in different areas -- whether they are a forensics guy, or an incident handler, or whatever they happen to be.

How can companies strike the right compliance and security balance?

Wiggins: That's a tough challenge. The adage I like to think of is that regulation comes with this idea that we've got to do it because the government says we have to, or policy says we have to. There are a couple of ways we can think about security. Do we think about security as an investment, or do we think of it as an expense? That particular mind-set really drives, in some ways, how we go about incorporating security into our organization. If we are doing it for compliance purposes, because of the fact that we have to, there's always a striving for just doing the minimum.

If we start to look at it as an investment, we change the paradigm a little bit. We think about what the organization gets out of security. I think that is the crux of it: Organizations that think about security as an enabler, something they can take advantage of, really get an opportunity to go beyond that compliance consideration because they are already doing what they are supposed to be doing rather than just doing what they are told to do. As an educator, that's how I try to sell security to organizations: Let's not sell it based on fear, uncertainty and doubt, but let's focus on the investment aspect of it. What do we get out of it? What types of capabilities can we take from it? That's one way to address the issue.


What type of security training and education does your organization use to ensure employees are doing their part to protect company data?
Unfortunately there is no such focused training other than the standard ISMS (Information Security Management System) based on the industry standard ISO 27001. Most of the employees go through it. However, if someone is looking for a training like this, one could look at the insider threat program and certifications offered by CERT (SEI).
Organizations definitely need to offer some sort of data protection training to employees, and to review/update these training procedures often. The complications come when companies try to develop these training techniques -- every organization has unique risks and it might be difficult for organizations to find training programs to use as an example. The most important factor for companies is to figure out what information they have is most vulnerable, and plan data protection training accordingly.
Cyber security threats are quite high, but it boils down to companies training employees on different tech advancements; that is the only way out of threats.
Yes training is important, but it will be difficult to set up training regimens given how quickly threats and tech evolve. Once a business sets up training to offset a particular threat, that threat might be old news and a new one is posing problems. Biz might be better off training employees on not doing stupid things and being careless with data.
I'm not seeing anything about detection and mitigation, which I had thought was the way we were moving these days. I'm also not seeing anything on social engineering, which my understanding was the primary problem rather than any specific technical issues.
If we're going to expect EVERYONE in an organization to have the knowledge that IT is expected to have and implement, then why have IT at all? Let the geeks do their job in keeping systems and facilities safe. That will allow other employees to do the jobs they were hired for. Then the company will make money - probably - and time won't be wasted by getting everyone on the same page. I don't need to know how to fly a plane to take a trip. I just need to know that plane-flying people are in the nose of the tube and they know how to get us airborne and land the tube at our destination. Trust IT until there's a problem, then clean house and get better IT people.
Okay, but even the passengers in the plane need to know not to take fire, guns, and explosives onto the plane, because it makes it harder for the plane-flying people to do their jobs.
I'd agree with both of you -- it can't be all on IT, but we can't expect employees to know more than the basics, either. "Don't make things harder than they need to be" is probably a good mantra/goal for non-IT staff.
Heh. Agree with both viewpoints. Very diplomatic. :)
Maybe politics will be a good second career.