Cyberattacks targeting corporate data have become the norm, and the cat-and-mouse game between information security efforts and those targeting company information will likely continue for some time. As hackers continue to adapt to security controls, continuous monitoring and updating of data protection processes will be essential, said Christopher T. Pierson, Ph.D., EVP, general counsel and CSO at Viewpost.
In a series of video interviews from the 2014 ISSA International Conference in Orlando, Fla., SearchCompliance editor Ben Cole discussed modern cybersecurity strategy with speakers, ISSA members and attendees. Here, Pierson discusses why companies should continuously monitor and assess information security controls to ensure they can adapt to constantly changing cybersecurity risks.
What are the big cybersecurity threats that companies should currently have on their radar?
Pierson: Right now, non-signature based attacks and non-signature based malware are really heating up. We have seen a lot of point-of-sale attacks in the past year. I think those continue to be the matters that companies will have to pay attention to as they move forward and evolve. The traditional defense in depth methodology is still something that should be baked into every information security program, but we really have to look at non-signature based and behavior-based anomalies, as well as how we are baking security information management into the entire environment so we can pick up these different trends, analyze them and make sure that we are able to effectively defeat the cyber kill chain so that data cannot be extrapolated from the system.
The second thing that we all need to focus on is making sure that incident response is something that is included from the start. It has to be something that is trained on, something that is exercised.
Are there any particular cybersecurity strategies that have proven effective, or is it more important to stay flexible to better adapt to evolving threats?
Pierson: I think threats and vectors are always going to be changing. Having a good risk control self-assessment for what those threats are at a certain point in time, and making sure you are analyzing and assessing that every few months is something that every company should be doing. I also think we want to watch out for "risk by news" -- over-responding, overreacting to the latest threats in a manner that is not risk-based and in proportion to what your business is doing. But at the same time, you want to be able to make sure that your current security controls are able to scale and sustain those new threats and adapt to that threat landscape. It's analyzing, assessing, reviewing and then ultimately executing on your security controls as they map back to the threats on a continuous and systematic basis.
What role do information security professionals play in cybersecurity, especially in regards to how they collaborate with other departments to protect data?
Pierson: The old silo approach -- the approach where information security or infrastructure or IT is an entity unto itself -- I think those days are long gone. It's important to have folks that are baked into the cybersecurity process, from an information assurance, compliance, risk, even a legal/privacy perspective. Having pure engineers, pure analysts, pure security operations folks is just not going to be to the company's benefit in the long term. There must be compliance and privacy and risk and lawyers baked into this from everyday operations, and not just the run perspective but also the design and build perspective. Build in security controls. Build in privacy controls. And also, as I mentioned before regarding incident response, the players should understand what the company is doing in terms of securing its own infrastructure, as well as the products or services that the company is offering.
With so many compliance regulations out there right now, how can companies make sure they strike the proper balance between being regulatory compliant and keeping data secure?
Pierson: I think it all comes back to a risk assessment in terms of what laws, rules and regulations apply to you, but really we need to go one step beyond that. Even if you are not a government entity, you should look at NIST guidance. The NIST 800-53 guidance and the NIST cybersecurity framework are free tools that are available to companies to help map those standards to what they are doing internally to meet their overall governance, risk and compliance objectives.
I think that the laws and rules are always going to change, always going to morph, but you never want to review laws anew each time they come out. What you want to focus on is: What does the law mandate? What does it tell us? How have the threats evolved? Then, how can you build that into the current control set that you have? Do you already have it under control? Does the control just need to be tweaked? Is there a different type of residual risk now as a result of increasing penalties? If you have that overall governance, risk and compliance program and it is not siloed, I think that the entity will be sustainable, it will be scalable. That's where we really need to focus: implementation of the security controls on an ongoing basis, and sustainability -- whether those controls are going to last and still benefit 18 months out. Then there's scalability: When laws change, when the company changes, when things grow and products and services change, are you still going to be able to take that same rule set and march forward with it?