On January 22, James Stanger, CompTIA senior director of product development, moderated a panel of three IT pros on the topic of cybersecurity. In the session, titled “The State of Security 2017: A Report from Experts in the Field,” the group discussed uptime and critical systems, justifying the cost of cybersecurity, making the most of limited budgets, and strategies for combating cybersecurity breaches and attacks.
Gary Harbison, chief information security officer (CISO) for Monsanto Information Security Office, said that his team works to find out what systems are most critical to the company to prioritize where to focus their redundancy and disaster recovery efforts. He added that the events they need to prepare for have changed with the evolution of cybersecurity.
“We’re seeing more and more that disaster recovery events are coming from cyber-events than from traditional disasters that we would think about,” Harbison said. “A cyber-event is just another category of disaster or larger adverse event that impacts the availability of our systems, and having disaster recovery capabilities or plans in place on how to recover from a cyber-attack or otherwise is helping us figure out how to bounce back.”
Compliance Does Not Equal Security
Joey Smith, CISO for Schnucks Markets, manages security for a chain of grocery stores with pharmacies. His critical systems include point-of-sale systems and filling prescriptions. As a retailer handling medical information, he also has to comply with federal regulations around customer and patient privacy. Smith said that meeting the minimum requirements for compliance is a good start, but it’s not enough.
“I think there’s an industry fallacy in that we believe that once we meet compliance, we’re good. I think the challenge for myself and others is moving that message up that compliance does not equal security,” he said. “Compliance is not a bad thing – if you’re configuring and deploying your strategy in a way that is secure, your compliance program is going to naturally follow that, and it will be that much easier.”
To justify the cost of security, Ryan Frillman, director of information security and compliance for Spire Energy, looks at the business risk and the return from risk reduction. If the systems that deliver natural gas are breached or go down, it could result in unhappy customers, lost revenue or even lost lives. When you have an issue, there’s also the risk of brand tarnishment. He has used examples of other organizations that have been hacked as a way of saying, “We don’t want to make the same mistakes.”
Prioritizing Security Strategies
In terms of security strategies, the group discussed ransomware, distributed denial of service (DDoS) attacks, phishing and the vulnerabilities presented by devices and IoT. With so many risks out there, one attendee asked how a small business can prioritize what to protect.
“You don’t know what to protect if you don’t know what’s open,” Frillman said. “Have an external consultant do a pen test. … You may be focused on firewalls and intrusion protection, but it’s the unknown that you need to look at and make sure you have a view into your environment.”