In my first blog post, three infosec experts shared with me their thoughts about learning from one’s mistakes and feeling a sense of belonging in the field. But there is so much more to learn in information security.
In this blog, Jamie Rees, an information security leader, thinker and speaker; Teij Janki, CISO at Sunnybrook Health Sciences Center; and David Shipley, cybersecurity speaker, writer and leader, return to offer some advice to newcomers and to reflect on industry change.
Question: For a newcomer, what areas in infosec should people strive to understand first?
Jamie Rees: Here’s my general advice for newcomers: breathe deep and be nice. There will always be a lot of work to do and emergencies to respond to, especially when it’s early on in your career and you’re busy doing the on-call rotations and incident response jumps. Those obligations can be a constant source of stress, and as such, they can place a strain on your personal and professional relationships. However, it’s important to note it’s the relationships that really fix things.
Try to breathe deep and be nice. Think about the other side of the table and how what’s happening is affecting their goals. Ultimately, a shared understanding is required for any group of people to make progress, so be the first to try and reach it. Whether we are newcomers or old-timers, we can all take a lesson from Hamlet: we have to remember, “There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy.”
Technologies and methodologies will come and go, so we can’t allow ourselves to get caught up in our favorite tool to the detriment of the organizations we serve. It’s crucial that we be open to new ideas and constant improvement. Security is something that helps a business achieve its goals. With that in mind, it’s up to us to focus on helping them get to where they need to be as safely and securely as possible. We operate in the real world, which means the plans we might come up with need to have some flexibility if they are to survive.
Teij Janki: In my opinion, from a strategic standpoint, newcomers would benefit from understanding the business strategy/goals, at least at a high level. This will help them understand whether InfoSec acts as a business enabler instead of a barrier (the why).
Then, from a tactical standpoint, they should understand the business use of information for operations or decision-making purposes (the what). This helps them understand whether effective and efficient C-I-A controls are in place.
Finally, understanding the proper classification of information (e.g. public, confidential, or private) is also key (the where). Note: ‘the when’ is always, and ‘the how’ is always evolving.
David Shipley: Newcomers need to understand the economics of cybercrime, as well as nation-state or corporate espionage. They need to understand that this is a $400-billion problem for the United States (three trillion dollars globally) that’s growing on a daily basis.
I also believe it’s critical for newcomers to first understand the human dynamics behind cyber security before diving into any specific technical domain. They need to understand that hacking humans (social engineering, phishing, etc.) is far easier than finding and exploiting technology vulnerabilities.
They also need to understand the human factors that influence an organization’s maturity when it comes to risk analysis, threat analysis, security governance, operations, and willingness to take security seriously.
Question: What are the top two most important ‘thought’ shifts you have seen in the last 12 months regarding infosec/cyber security?
JR: There has been an increasing amount of talk about board- and executive-level involvement in cybersecurity this past year. It has been building for longer than that, but there has been a bit of a crescendo this past year, a development which has been fueled in part by a number of high-profile stories involving boards’ accountability and by a series of articles recommending that board members get involved.
I am also pleased to see movement on the need to close the skills gap in cybersecurity. People are getting used to the idea that to fill some of these roles, they may have to break out of the cookie-cutter HR profile and look to more non-traditional resources.
We should realize that not everyone has to be a computer science graduate to play a role in a program’s success. In fact, we see that economics, psychology, etc. are disciplines that bring interesting and useful perspectives to the industry.
TJ: I see a thought shift from “not if, but when we are hacked…” to “we have been hacked; how long does it take us to detect and remediate?” This is based on the concept of Advanced Persistent Threats continuously changing the threat landscape.
The other shift is in the black market trying to monetize stolen information, moving the focus from financial records (i.e. credit card info) to medical records (i.e. Personal Health Information).
DS: I think the Ashley Madison hack showed that the theft of personal information can have profound consequences in the lives of affected individuals. (We know of at least one suicide as a result of the breach.) I think the recent spate of ransomware attacks against healthcare also shines a much-needed spotlight on hospital security, including data security and IoT security.
It’s my hope that one or more of the questions answered in this post provides you with a different perspective or additional insight. May they prove helpful to you in your journey thinking and wondering about infosec!