As high-profile data breaches have become the norm, companies are starting to see the value of putting more resources towards an information security strategy. For the best results, companies should start by looking at whether or not their own governance processes are doing enough to protect information security, according to Jason Smolanoff, vice president at Stroz Friedberg.
In a series of video interviews from the ISSA International Conference in Orlando in October, SearchCompliance editor Ben Cole discussed the state of cybersecurity strategy with speakers, ISSA members and attendees. Here, Smolanoff discusses why companies may have to reexamine their approach to information security governance in the face of modern data protection threats.
What are some of the big threats to cybersecurity and data protection that companies should be concerned with?
Jason Smolanoff: The biggest threat of a data breach is a lack of security governance within the company itself. There are a variety of attackers and attack threat surfaces out there, but all of those surfaces can be mitigated if a company really looks at [its] security governance internally first.
How should that change the information security professional's role in the organization and how they interact with other departments to ensure data protection?
Smolanoff: What I'm seeing is many information security professionals, while normally under the IT organizational structure, are slowly being moved out to under the general counsel and under the audit function of a company. By doing that, they are giving themselves a real opportunity to be an independent security voice for the company without having to worry [about] operational issues.
Are there any strategies that have proven particularly successful to data protection, or do you think it's more important to stay flexible and adapt as threats evolve?
Smolanoff: I think you have to stay flexible. For any company, one of the major things that they should do is understand the kinds of data they have that are regulated or sensitive. Once you understand what data you have, you can then formulate a real information security strategy against any threat that's out there.
How can companies make sure they are striking the right balance between compliance and security?
Smolanoff: A company needs to use a standard of reasonableness based on the type of data they are handling. They have to put themselves in a position where, if a breach occurred, they can say to a regulator or a state attorney general or anyone else that they put in reasonable security measures to protect against the variety of attacks, and that if a breach does occur, it would have taken extraordinary methods for that attacker to get in.
If you can implement a strategy where at the end of the day you can make those [kinds] of claims, I think it mitigates the risk to the company with regard to competitive risk, with regard to loss or fines, or any other kinds of issues that could come down the road as the result of some legal or compliance action.