
The recent Anthem hack that may have compromised 80 million people’s personal health information reveals just how mainstream data breaches have become in recent years. In response to this rapidly evolving threat landscape, Boards of Directors (BoDs) and executives are now more aware of today’s cyber threats and how they might adversely affect their business.

However, most executives are nonetheless limited in their knowledge of security and do not know what to ask their security teams. It is therefore up to security professionals to help their executives become more cyber security literate and thereby assist in framing security considerations as an integral part of any risk/opportunity discussion, as well as a wider enterprise risk management strategy.

Acknowledging this responsibility on the part of information security personnel, Tripwire has asked a number of prominent experts in the field how security teams can improve their executives’ cyber security literacy. These expert responses are presented below.


Larry Clinton | @ISALLIANCE

Clinton is President and CEO of the Internet Security Alliance, a multi-sector international trade association focused on cyber security. He has published numerous articles and best practices on cyber security and has been featured as a cyber expert in virtually all the major media outlets, including CBS News, Fox News, MSNBC, NYT, WSJ, PBS News Hour, Morning Edition, CNN Situation Room and MTV. Clinton has testified on many occasions in both the House and Senate and has briefed industry and governments around the world, including the NATO Center of Cyber Excellence in Estonia, The Organization of American States in Argentina, and a two-week state-sponsored tour of India. He is also the author of Cyber Security Social Contract, which is the first, and most often cited, reference in President Obama’s major policy paper on cyber security and was also endorsed by the House GOP Task Force Report on Cyber Security; as well as the Handbook for Cyber Security, which was published in 2014 by the National Association of Corporate Directors and later endorsed by the Department of Homeland Security.

How can security professionals help boards/executives improve their cyber security literacy?

“Yes, boards of directors need to learn more about cyber security. However, it’s just as important for cyber security professionals to learn their language of business as it is for them to learn ours. Board members are not comfortable talking about technical standards and NIST Frameworks, so we need to contextualize cyber security in terms they understand—growth, profitability and innovation. Rather than thinking of cyber security as something discussed in case of a breach, we need to locate security issues within the business decisions boards make—mergers, acquisitions, product launches, etc. Ultimately, cyber security should be intrinsic to business decisions just as legal and financial issues are.”


David Meltzer | @DAVIDJMELTZER

David is Chief Research Officer at Tripwire where he is responsible for working with customers, partners and industry experts to imagine, innovate and deliver on advancing the state of the art in protecting Tripwire’s customers from the most sophisticated attackers in the world. David previously served as VP/Engineering at Tripwire, joining in 2013 through its acquisition of nCircle where he served as Chief Technology Officer and VP/Engineering. David has been an entrepreneur, leader, software developer, security researcher and generally obsessed with network security for the last two decades.

How can security professionals help boards/executives improve their cyber security literacy?

“Connecting what is being done to recent events is a great way to connect with boards and executives. The latest major breaches all make it to the Wall Street Journal, so you can assume you don’t need to convince these people that security is a real problem and they should worry about it. They know it is a problem, and they are worried. But they probably do not know what they can actually do about it. So if you can tie it back to that breach they already know about, give them a little bit of the inside scoop, and say ‘Yes, we know how that happened, and that incident points out just how important this one security control is,’ then you have a jumping-off point to educate them about a particular area of security, why it is important to them, and how the budget and priorities they are setting can keep them out of the news.”


Thom Langford | @THOMLANGFORD

Thom is responsible for highlighting and advising on delivery, compliance, and industry security risks across North America, Europe, and India. Having successfully built security and IT programmes from the ground up on numerous occasions, Thom brings an often opinionated view of risk, both in assessments and management, but manages to do so with humour and pragmatism (mostly). Thom is also an international public speaker and award-winning security blogger.

How can security professionals help boards/executives improve their cyber security literacy?

“Boards and executives are as literate as they think they should be. They may have expertise in finance, people, law, or whatever else, but this expertise is spread across a number of people.

One approach is to try to convey cyber security risks to executives in terms that they readily understand, e.g. financial, personnel, or legal. Even so, getting members of the information security team to be represented at the executive level of an organisation is a far more effective first step in helping board members understand cyber security as much as they understand other business functions.”


Andrew Rose | @ANDYROSECISO

Andrew Rose is the CISO and Head of Cyber Security for the UK’s National Air Traffic Service (NATS). Prior to this position, Andrew spent many years as a CISO in the legal sector, working with several of the top global law firms to establish effective security functions, gain ISO27001 certification, and chair the sector’s security interest group. After leaving the legal industry, Andrew became a Principal Analyst with Forrester Research, where he helped build security practices in $1b+ organizations across the globe while conducting research into critical aspects of the current and future CISO role, which included in-depth research into cyber security, the human firewall, and IoT. Andrew holds a master’s degree in information security and is a regular contributor to media outlets such as the Wall Street Journal, The Financial Times, Wired magazine, CNBC and the Times newspaper.

How can security professionals help boards/executives improve their security literacy?

“Visibility and influence at the board level is something that CISOs have sought for many years, and now it’s becoming a reality. Unfortunately, many CISOs are struggling to deliver. Put simply, board members have a single question – ‘How secure are we?’ CISOs know that this is an almost impossible question to answer; however, we have no choice.

Acknowledging this, you must seek out peer comparison, maturity assessments, and real world examples to answer this question in as pragmatic a manner as possible. You can also tie your answers to established business metrics and show how your function not only protects your company’s investment but builds value, too.”


Sarah Clarke | @S_CLARKE22

Sarah Clarke is a security Governance, Risk and Compliance specialist with 14 years’ hands-on experience in IT and infosec. After receiving a business degree, she took a stop-gap IT helpdesk job and never looked back. Along the way, she has gained invaluable experience in desktop engineering, network management, network security, compliance management, change and vendor security assurance, and enterprise security risk management. Sarah is passionate about bringing clarity and common sense to the industry. (Her award-nominated blog and articles for trade magazines are popular because they do exactly that.) Moving on from a number of years working in financial services, she now owns Infospectives security GRC consultancy (specializing in embedding risk into security audit and assurance activity), serves as a founding advisory board member for the GiveADay charity initiative, and is a regular contributor to and staunch supporter of The Analogies Project.

How can security professionals help boards/executives improve their cyber security literacy?

“Board members are heinously busy, necessarily profit-focused, and experts in their own right. That must be respected to the extent that you need to make your communication with them concise, risk-focused, and relevant to their business and/or personal priorities. You have 10 seconds to make your value argument. If you miss your target, their attention will wane really fast.

Acknowledging these challenges, I believe a shake up is overdue. Infosec professionals need to shrug off the trivial or “tick box” image of awareness. We should create a new role, a Security Communications Manager, who could be tasked with improving stakeholder interactions from shop floor to boardroom and using proven marketing and psychology tools to get it right.

Effective communication isn’t just nice to have; it’s the hub around which all security value cycles.”


Adrian Sanabria | @SAWABA

Adrian Sanabria brings a broad perspective on security to 451 Research, drawing on more than 12 years of enterprise security experience. With a background in system administration and system architecture, he was the security architect and chief incident handler for Elavon, one of the largest payment processors in the US. The highlights of his consulting career at Sword & Shield Enterprise Security included designing compliant and secure solutions for large retail organizations, structuring PCI compliance activities for merchants and acquirers, helping a large public university create policies and improve disaster-recovery plans, and performing security assessments for domestic and international clients. Most recently, Adrian joined Clayton Homes, a Berkshire Hathaway company, as a senior security analyst, guiding and maturing its information security program. Beyond his professional occupations, Adrian is involved in various volunteer projects within the security community, such as the National Board of Information Security Examiners’ (NBISE) efforts to provide analysis on information security job roles and hiring through the Operational Security Testing Panel. Adrian is also involved in the Penetration Testing Execution Standard (PTES), and he occasionally blogs.

How can boards and executives best assess the impact of security incidents?

“Planning is the key to assessing the impact of incidents. A solid business impact analysis and risk assessment will estimate the likelihood and damage incidents could cause. The value of a comprehensive and well-tested incident response plan cannot be overstated. A company comfortable with its IR process will be much better equipped to deal with and assess the impact during and after an incident. Consume as much information about past incidents as possible. The impact of a serious incident depends not just on how a company handles it but also on how the media, customers, and investors react to it, as well.”


Theresa Payton | @FORTALICELLC

Theresa Payton says that fighting cybercrime is key to our national security. After spending 16 years as a financial services technology executive, she served as the White House CIO from 2006 to 2008 and then founded Fortalice in 2009. Payton is the co-author of two books, Protecting Your Internet Identity: Are You Naked Online?, which was featured on American journalist Katie Couric’s TV show, and Privacy in the Age of Big Data, which was featured on The Daily Show with Jon Stewart. She was also named one of the 25 Most Influential People in Security by Security Magazine and a Woman of Distinction in STEM by the Girl Scouts Hornets Council.

How can boards and executives best assess the impact of security incidents?

“The day your company discovers it has been breached is not a matter of ‘if’ but of ‘when.’ Preparing, planning, and especially testing for a cyber incident is crucial for all companies, both large and small. Whether your company has been actively managing cyber security risk for years or you are just beginning to develop an incident response capability, it is critical for boards and executives to engage employees in developing a robust, integrated approach to incident response. Unfortunately, companies too commonly put this task off and then find themselves flat-footed during a breach.

The best way to assess the impact of security incidents is before the breach happens. Start with focus groups or surveys with your customers. They will tell you their pain points, knowledge of which can help your board and executives best assess where to start first. Of course, never forget the regulators (federal, state, industry sector) and make sure you please them, too.”


Alex Hutton | @ALEXHUTTON

Alex Hutton is currently Director of Operational Risk at Zions Bancorporation. Prior to this, Hutton was an entrepreneur involved with several successful startups. He served as CEO for Risk Management Insight and as a principal in the Risk Intelligence group for Verizon, which was involved in the development of the VDBIR. Hutton is an avid security blogger, speaker and conference organizer, bringing a wealth of knowledge and experience on risk management and metrics to any discussion.

How can boards and executives best assess the impact of security incidents?

“Understanding the impact of a security incident takes two forms:

1.) Cash flow losses, and
2.) Reputation damage.

Regarding the first point, there are two things to understand. First, breaches come in all sorts of shapes and sizes, but individual breaches usually aren’t catastrophic based on immediate cash losses. Breaches are catastrophic usually because of reputation damage, with B2B companies suffering more because of the nature of their sales model being built on trust. To illustrate, imagine your best sales person going into your biggest (or most contested) account after a breach. Security has made their job even harder.

For B2C companies, an individual breach, while unpleasant and costly, is usually not catastrophic. Reputation and trust in a B2C sale is really more about the quality of the product than a personal relationship. That said, it remains to be seen if a series of breaches may devastate a brand, not unlike how a series of low quality products might devastate an automobile brand.”


Ben Rothke | @BENROTHKE

Rothke is a senior information security and risk management professional whose career incorporates a successful track record across multiple corporate and consulting roles of securing IT assets for numerous Fortune 1000 companies. His specialty is analyzing and weighing in on cyber security, information risk, and regulatory compliance requirements in an effort to protect corporate data assets and business opportunities as well as maximize revenue in alignment with corporate goals and initiatives.

How can boards and executives best assess the impact of security incidents?

“You should ask the Corporate CIRT Director for the annual security incident impact statement. That statement details the security incidents, as well as their costs and impact to the organization.”


Lee Munson | @SECURITY_FAQS

Previously recognised by Tripwire as an Infosec educator, Lee Munson is a retail manager who years ago discovered a huge passion for information security, an interest which has led him to write for his own blog, as well as for many leading online security websites.

How can boards and executives best assess the impact of security incidents?

“The effective assessment of a security incident begins long before any such event ever occurs. Proactive boards will have already set up a computer security incident response team that includes technical experts, key members of the management team, public relations experts, and legal representation. Empowered to make an initial assessment, the team will be able to work through a pre-prepared incident response plan that the board and executives will have been key in designing. Through effective communication, the board and executives will then be able to gather all relevant data in a timely manner and determine the severity of the incident and therefore influence the response accordingly.”


Rebecca Harold | @PRIVACYPROF

Rebecca has over two decades of information privacy, security and compliance expertise. She is CEO of Privacy Professor® and is partner for the Compliance Helper® and BA Tracker®. Rebecca has led the NIST SGIP Smart Grid Privacy group since June 2009 and has been an Adjunct Professor for the Norwich MSISA program since 2005. She has written 15 books and published hundreds of articles, and she is currently writing The Practical Guide to HIPAA Privacy and Security Compliance, 2nd Edition, as well as Data Privacy for the Smart Grid.

What frameworks are most effective in assessing whether an organization is acting prudently over security matters?

“Over the years, I’ve found that you cannot depend upon just one framework. You need to use a variety of frameworks in order to help fill in the gaps that separate them. I like to use the following in combination:

  • ISO/IEC 27001 & ISO/IEC 27002: These provide the basics for an information security management system (ISMS) and a comprehensive list of controls to consider
  • OECD Privacy Principles: Information security practitioners must know the appropriate controls to build into systems, applications and networks, and so they must know the basic privacy principles. These are also the core requirements of around 90% of the world’s privacy laws and regulations.
  • COBIT5: This is a great tool to use when you need to go back into your program to determine the specific types of controls being used for each of the information security standards and policies. And this year, ISACA is creating a privacy program management framework that will integrate with COBIT5, so it will truly be a comprehensive way to check on both information security and privacy controls.

There are many others that could also be used according to specific industries and organization size, but generally speaking, these three work well for all industries and sizes of organizations.”


James Arlen | @MYRCURIAL

James Arlen (CISSP, CISA, CRISC) is Director of Risk and Advisory Services at Leviathan Security Group where he is responsible for the development and delivery of Leviathan’s professional services. For more than 20 years, James has held consultant and staff roles, delivering information security solutions to Fortune 500, TSE 100 and major public-sector organizations. James is also a Contributing Analyst with Securosis, a member of several advisory boards, a frequent speaker at conferences, an irreverent commentator / podcaster / blogger, and a prolific contributor to standards bodies and media.

What frameworks are most effective in assessing whether an organization is acting prudently over security matters?

“The simple answer is that there is no perfect framework. Every organization actually is a unique and special snowflake. The gap between compliance and security is real. Information is an asset. In the same way that organizations build their own frameworks of controls to protect other assets, the information asset deserves a level of effort beyond a cookie cutter approach to ‘Are we doing good enough compared to others?’ It demands that we instead ask the more important question: ‘Are we doing what our shareholders expect us to be doing?’ Ultimately, you should take what you can from ISO27000-series, NIST-SP800-53, and others, and make it your own.”


James L. DeLuccia | @JDELUCCIA

James J. DeLuccia IV is a Senior Manager in the Advisory Services practice of Ernst & Young LLP. He is a published author with John Wiley & Sons, and he specializes in multi-national enterprise governance, privacy, and security initiatives involving holistic technology and controls reengineering. DeLuccia oversees the firm’s ISO advisory and certification services in the Americas. His published clients include Google, Rackspace, Equifax, and AT&T. Additionally, DeLuccia supports and conducts research in the DevOps and high velocity global technology environments. His recent personal research has led to the How Not to Be Hacked book series released in 2014 and 2015.

What frameworks are most effective in assessing whether an organization is acting prudently over security matters?

“To prudently assess an organization’s security matters, a frank review of the function of security is required. A framework is only as valuable as honest adoption; here it is the principal requirement for senior leadership. Given this truth, the most effective in assessing security is ISO 27001:2013. This is a management framework that, when done honestly, can draw in significant factors and raise them to leadership. The simplicity in the framework (less than 20 pages) has been effective at coordinating security functions of organizations with 20, 50, 100, and 1,000+ security professionals. Additionally, this framework derives further strength from the expectation of additional security domain safeguards, such as privacy controls, cloud controls, and third-party assertion. The ultimate benefit is it’s international management that is free from nation state perceptions.”


Tony Sager | @COUNCILONCYBER

Tony Sager is the Chief Technologist and a founding member of the Council on CyberSecurity – an independent, international, non-profit organization whose mission is to identify, validate and sustain best practices in cybersecurity. He leads the development of the Top 20 Critical Security Controls, a worldwide volunteer project to find and support technical practices that stop the vast majority of attacks seen today. Tony retired from the National Security Agency in June 2012 after 34 years as an Information Assurance professional. During his time at the NSA, he served as a mathematical cryptographer, software vulnerability analyst, and executive manager of the Agency’s premier cyberdefense organizations. His journey down the road to “cyber-geekery” started on an Apple II Plus, sometime during the Bronze Age of computer security.

What frameworks are most effective in assessing whether an organization is acting prudently over security matters?

“Most frameworks are like the old Sears catalog – filled with great things but overwhelming and with all choices left to the reader.

But cyber risk is a shared problem. An effective framework is not a list or catalog. It should pool the knowledge of a large community to identify specific, highest priority actions based on real data about threats. It must allow for multiple implementation paths and ‘tailoring.’ And it must openly support an ecosystem of tools, learning from others, measurement, and negotiation about risk.

An effective framework helps an enterprise make good decisions, implement them, and then share them.”


Claus Cramon Houmann | @CLAUSHOUMANN

Claus Cramon Houmann is addicted to everything Infosec and is trying to contribute to the community by adding a “defending SMBs in today’s evolving threat environment” POV. Claus currently runs an IT Consulting company plus works as Head of IT for a bank in Luxembourg. Claus previously worked in the IT outsourcing industry for many years. Claus is acutely aware of the need to improve lingo and understanding of Information Security and all the issues and challenges this involves, so he has been working for many years to improve his own lacking communication skills in this regard. Claus actively supports initiatives that aim to improve security for us all, most notably the iamtheCavalry movement and The Analogies project, which he hopes to help spread to Europe/globally. Claus runs a security twitter feed of aggregated infosec news and events, an account which he mostly uses to learn more personally. Claus is also an active blogger for Information Security Buzz and Peerlyst.

What frameworks are most effective in assessing whether an organization is acting prudently over security matters?

“No framework is. It’s more about adopting an approach that makes the Board of Directors take security seriously and spend an adequate amount of time debating and weighing options and risks.”


Tim Erlin | @TERLIN

Tim Erlin is a Director of Product Management at Tripwire and is responsible for the Suite360 product line including Vulnerability Management, Configuration Auditing, and Policy Compliance. Previously, in his nearly 10-year tenure at nCircle, he also held the positions of Senior Sales Engineer and QA Engineer. Tim’s career in information technology began with project management, customer service, as well as systems and network administration. Tim is a member of ISSA and frequently hosts corporate webinars on various topics, including regulatory compliance.

What does the future threat landscape look like, and what should heads of security do to prepare for it?

“There are two aspects of the future threat landscape to consider. First, as an executive, you should know that managing cyber threats is no different from managing other business risks. The fundamentals are the same, though the content is different. Just as with other areas of the business where you don’t handle the day-to-day operations, you don’t need to understand every term or detail in order to evaluate and address risks. You do need people with this knowledge and skill to accurately inform you, however. Cybersecurity is simply part of doing business.

Second, while you can skip the technical details, you absolutely can’t skip understanding how different threats would affect your business. In most cases, the IT security people can provide you with the technical impact, but only the business owners can really understand how the loss of a server or Internet connectivity affects the bottom line.”


Tony Bradley | @TONYBRADLEYBSG

Tony Bradley is a respected authority on technology. He writes for a variety of online and print media outlets. He has authored or co-authored a number of books, including Unified Communications for Dummies, Essential Computer Security, and PCI Compliance. He has been a CISSP (Certified Information Systems Security Professional) for over 10 years, and he has been recognized by Microsoft as an MVP (Most Valuable Professional) in Windows and Windows security for 9 consecutive years. Before founding Bradley Strategy Group and launching TechSpective.net, Tony Bradley was Chief Marketing Officer for Zecurion—a leading data loss prevention company. Prior to that, Bradley was Director of Security at Evangelyze, and was previously an IT administrator and information security consultant working with companies like General Motors, American Airlines, Marathon Oil, and PepsiCo / Frito Lay. Mr. Bradley is a frequent guest of the IMI-TechTalk radio show, and has made appearances on a variety of other radio and TV shows. He is frequently quoted, and has presented at a wide range of events.

What does the future threat landscape look like, and what should heads of security do to prepare for it?

“Threats continue to evolve and mature as fast or even faster than the technologies they target. IT and security managers need to shift from the belief that the threat is ‘out there’ and understand that no matter where the threat originates, the net result will be suspicious activity inside the network. Organizations should operate from the assumption that they’ve already been compromised and continuously monitor for anomalous or malicious behavior. That will shorten the time it takes to detect and identify attacks and minimize the scope of the damage to data and network assets.”


Patrick Miller | @PATRICKCMILLER

Patrick Miller is Managing Partner at Archer Energy Solutions, providing security and regulatory advisory services to key critical infrastructure sectors. He is the founder, director and president emeritus of EnergySec, a 501(c)(3) nonprofit National Electric Sector Cybersecurity Organization. Patrick’s diverse background includes key roles in the Energy, Telecommunications, and Financial Services verticals. He is a recognized international speaker on cybersecurity and regulatory approaches for critical infrastructure organizations and government agencies.

What does the future threat landscape look like, and what should heads of security do to prepare for it?

“Technology innovation is going to move the foundation under our feet. It will be deeply embedded. Everything, even our hardware, tools and materials, will be digital and connected to everything else. It will eventually disappear from sight and vanish into the fabric of our lives. Securing legacy equipment and tomorrow’s leading edge will push our limits. Regulation won’t be able to keep up. Our data will be our most important asset, and we will need to innovate our business approach and risk profile to embrace this, or we will be consumed by this new technology-centric world.”


Nikk Gilbert | @ARCHANGELNIKK

With more than 18 years of executive-level experience in cyber security and information technology, Gilbert is a respected thought leader within government and private sectors. He focuses on building success by understanding the needs of the customer, by enablement of the business through a deep understanding of the corporate strategy and its culture, and by using technology as a true enabler to achieve this synthesis. Gilbert’s experience includes working as a CISO and CIO for the American Department of Defense, as well as for NATO and the U.S. Navy, where he was awarded the Meritorious Civilian Service Medal. He is also a Distinguished Fellow of the Ponemon Institute and has been a frequent speaker at technology events throughout the world.

What does the future threat landscape look like, and what should heads of security do to prepare for it?

“The future threat landscape will continue to evolve as more of our daily lives are pushed into using all things technology. A proliferation of new services and devices (read IoT) used in new ways will open the door for hostile forces to take advantage of consumers and businesses. It’s quite clear that threat actors are always looking for the shortest path to the most reward. Security professionals need to be innovative thought leaders who share a common vernacular with Boards and Executives to advise them on these risks. It is only then that the business, information security, enterprise risk and other organizational players can build an effective program to protect our future.”


Martin Fisher | @ARMORGUY

Martin Fisher leads the security team at Northside Hospital in Atlanta, Georgia. He’s spoken widely on information security topics at SOURCE, ShmooCon, SecurityZone, HouSecCon, and a variety of BSides events. Martin co-hosts the award-nominated Southern Fried Security Podcast, which has been online since 2004.

What does the future threat landscape look like, and what should heads of security do to prepare for it?

“Security needs to realize that there is no single threat landscape anymore. The threat landscapes are stratified, and each one requires different perspectives and responses. At the lowest layer, we have to defend against the automated scans and attacks that happen everywhere all the time. In the middle, we have to protect against smarter attacks against any target of opportunity. Finally, at the top layer, we have to deal with the targeted attack. We have to evaluate our specific risk from each layer and act (and spend) wisely.”


John Walker | @SBLTD

Visiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia [to 2015], CTO and Company Director of CSIRT, Cyber Forensics, and Research at Cytelligence Ltd, Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts, Board Advisor to the Digital Trust, Originator of the Cyber-VAULT Service providing specialist Cyber Training and Services, and a Member of, and Advisor to, the Forensic Science Society.

What does the future threat landscape look like and what should heads of security do to prepare for it?

“The future Threat Landscape is now dictating the need for a new breed of security professional who is willing to evolve and immerse themselves into the world of cyber security with less emphasis on understanding the conventions and soft niceties of standards and guidelines. To combat the current threats, which are obviously winning the race in 2015, this new breed needs to understand and appreciate the technical nuts-and-bolts of new age threats such as APT. Anything less will disable us in our fight against cyber-criminals.”


Brian Honan | @BRIANHONAN

An author, Founder & Head of Ireland’s CSIRT, and Special Advisor on Internet Security to Europol, Honan is an internationally recognized leader in information security. His contributions help shape the world in which we live. Honan also inspires the next generation of infosec professionals by serving as an adjunct lecturer in information security management at the University College of Dublin.

What does the future threat landscape look like, and what should heads of security do to prepare for it?

“While the technologies we use in business may change, the threat actors and the threat landscape will in many ways remain constant. New technologies won’t revolutionize the threat landscape; they will simply evolve. The big change will be the technical savvy user who will look to use various devices, apps, and services. For example, Bring Your Own Device (BYOD) is nothing new; we have had to deal with BYOD ever since we had modems and floppy disks. As such, CSOs will need to better communicate and engage with users to make them aware of the risks and provide secure alternatives.”
