Previously, in Part 1 of this two-part article, Phil Agcaoili, CISO, discussed the five core issues of basic cyber hygiene.
As a Society, We Can Raise Awareness and Protect Ourselves
Even if you're not a big fan of government being too heavily involved, think about food safety. When you go to a restaurant, you know that the Department of Health has assessed it, because its grading report is posted in the front window, and if a restaurant has failed, you'll know it because it will be closed. If you look at public health and safety on a larger scale, there are global organizations like the Centers for Disease Control that support worldwide health needs.
Cybersecurity is the same thing. When there's an outbreak in the U.S., Russia or China you're always going to ask yourself: "Is that bad activity going to make its way towards me? Am I ready for that when it comes?"
Cybersecurity is in its infancy when it comes to issuing major recalls and limiting the exposure to damage. For example, in 2014 there was a series of vulnerabilities, Heartbleed and Poodle, within the SSL (secure socket layer) protocol. By the end of the year, all the major standards bodies, including the PCI Security Standards Council, had updated their guidance to say, "We're going to outlaw the use of all versions of SSL and TLS versions 1.0 and below." That's an example of an industry recall back in 2014, and we're still dealing with it as an entire industry. Everything has to be TLS 1.1 or higher by June 2018 to be compliant with the PCI Council, and many organizations are still in the process of eliminating those insecure protocols.
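The "recall" described above comes down to a configuration check: does a server still offer SSL or TLS 1.0? The following is an added example, not code from the article or from any of the organizations it mentions. It parses nginx-style `ssl_protocols` directives from two constructed configuration snippets (one weak, one hardened; neither is a real deployment) and flags the versions the PCI guidance quoted above rules out. The client-side helper sets a TLS 1.2 floor, which is stricter than the TLS 1.1 minimum the article cites; that threshold is this example's choice, not a requirement stated on the page.

```python
import re
import ssl

# Protocol names as they appear in nginx-style "ssl_protocols" directives.
# SSL (all versions) and TLS 1.0 are what the guidance quoted above prohibits.
DISALLOWED = {"SSLv2", "SSLv3", "TLSv1"}
ALLOWED = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Floor used by the client-side helper below (this example's choice: 1.2 rather than 1.1).
MIN_CLIENT_VERSION = ssl.TLSVersion.TLSv1_2

# Constructed sample configs, not taken from any real server.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/example.pem;
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/ssl/example.pem;
}
"""

# Matches "ssl_protocols <names>;" at the start of a line, ignoring indentation.
_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def parse_ssl_protocols(config_text):
    """Return every protocol name enabled by ssl_protocols directives, in order."""
    enabled = []
    for match in _DIRECTIVE.finditer(config_text):
        enabled.extend(match.group(1).split())
    return enabled


def disallowed_protocols(config_text):
    """Sorted list of enabled protocols that the SSL/TLS 1.0 recall prohibits."""
    return sorted(p for p in parse_ssl_protocols(config_text) if p in DISALLOWED)


def is_compliant(config_text):
    """True when at least one protocol is enabled and every one of them is allowed."""
    enabled = parse_ssl_protocols(config_text)
    return bool(enabled) and all(p in ALLOWED for p in enabled)


def hardened_client_context():
    """Client-side equivalent: refuse to negotiate anything below MIN_CLIENT_VERSION."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_CLIENT_VERSION
    return ctx


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "compliant:", is_compliant(cfg),
              "disallowed:", disallowed_protocols(cfg))
```

Run as a script it reports the weak config as non-compliant because of SSLv3 and TLSv1 and the hardened one as compliant. The parser deliberately treats any unknown protocol name as non-compliant rather than allowed, so a typo in a directive fails closed instead of silently passing.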
When it comes to applying the Information Sharing and Analysis Center (ISAC) or Information Sharing and Analysis Organization (ISAO) model to the consumer space, there's probably not a place for it. There are outlets for people when they get frustrated by products, like the Better Business Bureau and the U.S. Federal Trade Commission (FTC). Organizations that don't meet your needs represent the biggest ISAC for a consumer; in that case, consumers should consider buying products that they trust and sharing their experiences with their friends.
The Internet is much more adaptive, so we don't necessarily need anything formal. There are a lot of places for customers to give negative reviews for a variety of issues, including poor or missing security and privacy features or practices. For example, there was recently an instance of an IoT garage door opener maker called Garadget that, after a customer left a bad review on its website and on Amazon, decided to "brick" the customer's product by denying him access to the company's cloud servers. Customers have tons of outlets at their fingertips: Twitter, Facebook, the company's online forum, Amazon, or other consumer sites.
Since we're looking at this in the context of awareness for consumers, here's one more example from IoT. Out of all the CIA WikiLeaks material going around, one item was about the NSA having back doors into Samsung smart TVs. If you do a little bit of research, you'll see that the FTC actually fined Vizio earlier this year because Vizio was spying on its customers via WiFi on their smart TVs. The information collected was sent back to Vizio, and the FTC caught them. LG had a similar data collection concern a couple of years before that.
Pretty much all smart TVs have had cybersecurity or IoT problems, from either a privacy or a security perspective. In the context of the enterprise, most companies have board rooms, meeting rooms, or general-use areas that have smart TVs in them, not to mention personal consumer technologies like smartwatches, health tracker watches, other tracking devices, thermostats, HVAC equipment, manufacturing systems, web cameras, tablets, and smartphones. It's more than just laptops that IT departments are worried about these days. These consumer devices don't have all the security and privacy controls an organization may expect them to have, and the organization may not realize the risk it is taking on through the information collection and dissemination these devices perform.
Then there’s the small business. Many small businesses use a lot of off-the-shelf commercial or consumer devices to run their business, most of which haven’t been built with security and data protection in mind.
Embracing and Encouraging Diversity in Cybersecurity
Because I'm an immigrant (a naturalized citizen of the United States), I'm blind to anything other than the best candidate for a role. My personal belief is that you have to understand what the needs are for a role, and then figure out what the skill sets, experiences, and personality are that could make someone right for that role.
Here's an example. I have a detection and incident response team. It tends to be hard to find good incident responders and threat hunters. What I've found is that people who are musicians and artists (people who are right-brained) tend to do well in these roles because they're creative. Many creative people who may not have InfoSec experience can fill these roles pretty well. And from an equal pay perspective, gender doesn't matter. Some of our highest-paid employees are diverse people, like me.
In terms of what to look for when hiring, we're still at a point where there's a lot of debate about what it takes to be a good cybersecurity professional. We haven't professionalized this industry yet, so the basics are debated, but there tend to be some common elements in what employers are looking for. I typically look for candidates who have at least a bachelor's degree, have at least 3 years of information security experience, and hold at least one security, risk, governance, application security, forensics, hacking, audit, or project management certification. Some of you may believe that these are unicorn requirements for a cybersecurity professional, but that's what a CISO needs in their organization in 2017 to be great. Several studies show that I'm not alone here: cybersecurity employers are looking for a highly educated, highly experienced, and credentialed workforce.
To ensure that my team has a current and varied set of skills, I highly encourage job rotations within 18-36 months for all employees. They're expected to continuously stay current on information security, obtain security certifications, and gain experience and a variety of skill sets through the job rotations. The goal is not just to move up into the management ranks, but to move around laterally within the technology space and business environment to become more engaged and complete business and security professionals.
To me, the pinnacle of being a coach is to identify key talent, put them in the right position, give them opportunities to create, innovate, and succeed, and provide the team a system to excel in.
We're at a time when the world needs more security experts who are caring, engaged, mindful, diligent, and able to communicate. I encourage folks not to stay in their offices, but to reach out, share concerns, elevate risks, and help steward others who are less aware. The more people know what the concerns are, the safer they can be, because they're informed and can make a choice.
About Phil Agcaoili
Phil Agcaoili is the CISO of Elavon and Senior Vice President at US Bank. He's the former CISO of Cox Communications, VeriSign and SecureIT, and helped transform security at GE, Alcatel, Scientific-Atlanta, Cisco and Dell.