This content is part of the Essential Guide: An IT security strategy guide for CIOs

Essential Guide

Browse Sections
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Reduce information security costs with smart strategy, personnel

As technology rapidly evolves, so do the seemingly endless data threats that come with its use in the corporate setting. To cope, businesses sometimes turn to the most hyped, expensive information security tools to help protect data. Instead, businesses should first focus on internal protocols and personnel training to help reduce information security costs, said Jeff Reich, chief security officer at

In a series of video interviews from the 2015 ISSA International Conference in Chicago, SearchCompliance editor Ben Cole discussed this new business focus on creating a "culture of security" with conference speakers and ISSA members. Here, Reich discusses how new technologies and businesses' increased data protection focus have changed information security's scope at many organizations.

With technology changing so fast, how does technology such as the Internet of Things complicate the information security professional's role?

The best tool any organization is going to have to ensure that they are the most secure is to have smart people creating a smart organization.

Jeff Reich: I'm not sure the Internet of Things is complicating the security professional's role, but it's certainly expanded its scope, there is no question about that. But a device is a device, and information is information. You're going to use different protocols and there are going to be different ways to access whatever it is you're dealing with on the Internet of Things, but at its core we still have devices that either have access to or transmit information that may or may not be confidential or sensitive. That's really where the focus is going to have to be.

Secondarily, if you have devices that are part of the Internet of Things, you want to be sure that no one is going to compromise that and affect the information. But I also want to make sure that no one is going to compromise it so that it's either abused to their advantage, or potentially used to my disadvantage, or the users' disadvantage. That perspective has been added to it, but it really is a larger scale than what security has been for the past 30 or 40 years.

How has the information security professional's role changed as InfoSEC has become so important to business success?

Reich: It has really advanced the profession. I've been in this field for close to 40 years, and I've seen a lot of changes. The underlying fundamentals really haven't changed, but now it's a lot more visible and information security costs a lot more if you don't do it right -- especially if you have consumer information, whether it's healthcare information, or financial information, or anything else that might be sensitive. In addition to that, you have sensitive company information that you might not want disclosed.

That's also expanded to international cyber-work, whether or not you want to call it cyberwar, or cyberespionage. One of the results of that is the recent cyberespionage treaty that was just agreed upon between the U.S. and China. That clearly has identified that the scope has changed, and the information security professionals now have more to do than simply reset passwords and grant access to resources. With all that being said, the underlying principles haven't changed, but you have to be a lot better at it. You need broader scope, and a larger set of tools and skills.

How can companies make sure their security tools are staying up to date to handle all these new threats? How can they make sure they don't get complacent?

Reich: This is going to sound very roundabout, but the best way to not become complacent is to not become complacent. But specifically, the way you can do it is not by buying a whole bunch of new tools and making sure that everyone is trained on using it. The best tool any organization is going to have to ensure that they are the most secure is to have smart people creating a smart organization. The smarter the organization, the less you have to spend on security because it's embedded within the people that know what they are operating every day; they know the value of the data, they know their vulnerabilities better than what a security person would, in many cases. If you can get the right tools and resources in their hands, and they are smart enough to know how to make that work, that's the best tool you can possibly implement to have a secure organization that is supported by the policies and tools the security team is going to bring to the table.

View All Videos