To bring us into 2018 I was fortunate enough to chat with Sandy Fadale, a Senior Cybersecurity Consultant with Mariner Innovations.
Throughout the podcast, Sandy discusses trends and recent developments in the security industry. Over her career, she's noticed that security folks have transitioned from primarily administrative work to being involved in all parts of the business as consultants.
We can learn a lot from the mistakes made in 2017, specifically how organizations need to focus on the basics.
Slow Down to Speed Up
With the increasing pressures for organizations to increase their speed to market to remain competitive, security measures and controls can take a backseat. It's important for organizations to keep security front of mind throughout the development phase and have it cemented in their processes.
It's critical for companies building IoT or software products to have a plan for product updates and clearly communicate that process to the consumer.
According to Sandy, we all know the four factors in building a security program are people, process, technology and culture. To get back to the very basics, she recommends we start with basic technology hygiene.
A lot of organizations don't even know what they have. An easy first step: build an inventory of the technologies deployed within your environment.
With that inventory, you're able to build and maintain a patching schedule and understand how your environment is impacted by any security breaches.
Third Party Vendors
We've seen a number of incidents over the years where organizations were properly managing their own risk but not the risk of their vendors. Sandy discusses how security roles have changed from issuing edicts to becoming advisers to individuals throughout the organization on governance, privacy and security.
This advisory role requires security professionals to constantly question what information third parties are collecting and how it's being stored. What level of access are they being granted to your system? How long do they need access and what's the process for revoking their access? Where is their data being stored?
An Evolving Role
The security professional's role is constantly evolving, and Sandy recommends folks focus on building their analytical skills over 2018. While a healthy level of paranoia is common in the security industry, what's needed from security professionals now, more than ever, are soft skills.
There are five skills Sandy believes are important for a security individual to constantly work on:
- Critical Thinking
- Data Analysis
- Research Capabilities
For security programs to be effective, management needs to buy into the program. Their support is integral in growing a program. It's critical that an individual is given both the responsibility and the authority to build the security program and works with management to build a strategy to lead the organization.
Once a security professional has built an information security management system (ISMS), they can bring it to HR, legal, operations, sales, etc. to tweak as needed and develop buy-in from the entire organization.
Educating and Empowering Employees
As an employee, it's about learning how to do your job safely. By no means should security be your primary focus, but you should learn about ways to protect yourself and your organization.
Developers, look here for the top 10 coding vulnerabilities: OWASP
Ask your IT department questions if you aren't sure of something. If an e-mail looks suspicious, report it.
It's people within organizations that continue to be the primary targets of cybercriminals, but an engaged and informed community can make all the difference.
Disclosure: Mariner Partners is the parent company of Mariner Innovations which is a reseller of Beauceron, and East Valley Ventures which is an investor in Beauceron.