During the Q&A portion of this SearchCompliance webcast on cybersecurity, Georgia Weidman, founder and CTO of Shevirah, Inc. and Bulb Security LLC, explains the factors fueling enterprise security threats, the importance of risk management and highlights how the internet of things is muddling the cybersecurity threat landscape. Weidman also explains the risks associated with enterprise mobility strategy and offers pointers on best practices organizations should be adopting to bolster cybersecurity.
Editor's note: The following is a transcript of the Q&A portion of Weidman's webcast presentation on how enterprise cybersecurity is being influenced by mobile, IoT and nontraditional endpoints. It has been edited for clarity and length.
Are there any metrics companies can use to make sure risk assessments, vulnerability assessments, and pen testing are working?
Georgia Weidman: Your risk assessments, they produce risk scores, which can be tracked in a registry and measured to be trending down. So, hopefully, the numbers go down. Your vulnerability assessments, if they're done continuously, should show you a reduction in the number and severity of the vulnerabilities over time. And with your penetration tests, they should produce fewer and less critical findings over time as they're repeated. You've got to do these things continually. If you're doing the mitigations and you're building a more secure or a more mature security program, you are going to see these risks go down.
What are the most pressing enterprise security threats related to mobility that companies might not know about yet?
Weidman: I think the biggest problem companies have is that they fail to recognize that they don't own mobile. They are going to carry these in and out of the enterprise and they administrate poor hygiene when doing so. A lot of corporations think that they have a handle on mobile because they have enterprise mobility management or they require everybody have mobile anti-virus.
They think it solves the mobile problem. And no one even says what good mobile security hygiene is. Like I said, the security awareness training doesn't cover it. Companies really need to step up with the user training, since the users are going to be the biggest threat to mobility.
Once a company has used these techniques you talked about to identify their security compliance gaps, what's the next step? Who needs to be involved with implementing these new cybersecurity processes to curb enterprise security threats?
Weidman: I think that secure mobility is cost-prohibitive at this point for most organizations. The NSA has spent the last four years trying to define what secure mobility is. Security has to be about risk management: That they're accepting that there are going to be risks around mobile. They are going to get compromised in some way. Knowing and understanding these risks is, I think, the key point. That means the senior management and the business management must be the ones making the decisions and they have to be involved in this.
How has the internet of things complicated companies' endpoint security strategies? Are businesses starting to understand and stop the new data threats posed by the IoT?
Weidman: Internet-connected devices continue to erode the perimeter. It was started by the smart phone; that was when the perimeter really started to break down. The internet of things makes it worse.
See other excerpts from this webcast presentation on cybersecurity
I don't think most businesses understand what smart phones did to their security, let alone the internet of things. A lot of companies are still really treating their enterprise network as a bunch of boxes on a bunch of pipes that are all attached to each other and not really thinking about all these new perimeters they have with every internet of things device that comes online.
I think we're seeing a lot more security in the newer versions of the mobile devices. But with each person who says, "You know, I'm going to build a connected device," you know, X, Y or Z security may not be the first thing on their minds. So, it may take a few iterations of the next coolest device before it reaches critical security mass.