On April 19, CompTIA Senior Director of Products James Stanger led an enthused panel of cybersecurity experts to discuss the business of security. They identified today’s major issues, best practices and the IT skills that companies need to prevent and address cyberthreats. The conversation covered everything from phishing, ransomware and Distributed Denial of Service (DDoS) to IoT, robots and even Arnold Schwarzenegger.
“I’ve been hacked,” said Gary Fildes, InfoSec and cybersecurity inspector for the UK Office for Nuclear Regulation, in the voice of the Terminator. Earlier, he noted that there are two types of people – those who have been hacked and those who don’t know they’ve been hacked.
“The question is, what are you going to do about it?” he said. “You need to protect the important stuff you’ve got and put layered defenses around it.”
End Users and Cybersecurity
To answer that question, all three panelists agreed that user training is key, and that’s where the line between IT and business responsibility starts to blur.
“Whoever owns user training needs to own the defense,” said Ian Trump, global cybersecurity strategist for SolarWinds. “Businesses need to understand that if one person can transfer $50,000 to a Chinese bank, you have an internal authorization problem. You don’t have an IT problem. I don’t have a patch for that.”
Dave Hagedorn, knowledge management officer for the U.S. Army Space Personnel Development Office, described a system his organization has in place, where users are asked a security question of the day when they log in to keep security top of mind.
“People see users as the weakest defense here, and that needs to change,” Fildes said. “Users need to be our strongest defense.”
Identifying Vulnerabilities
On the IT side, it’s important to identify vulnerabilities, such as outdated technology, mobile devices and IoT devices.
“We know what the cure for ransomware is. We know it requires a layered defense, but we’re putting too much faith in single-point solutions, and then we sit there and we get angry at whatever vendor because we got hosed by ransomware,” Trump said. “If you’re running local admin, if you have old versions of Adobe Flash, if you have old versions of Java, you’re gonna get hosed, and no product on earth will give you 100% protection. So, adopt the best practices, put your layered security on top of that, and guess what? Ransomware isn’t a problem.”
Fildes echoed Trump’s sentiments by reminding attendees that some systems simply can’t be protected, and that’s where layered defense comes in.
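The risk factors Trump lists (users running as local admin, stale Java and Flash installs) are the kind of thing a basic vulnerability management program should surface before a product is ever asked to compensate for them. The script below is an added illustration, not code from CompTIA or any panelist: it triages a constructed endpoint inventory against an assumed baseline and reports which hosts carry those risk factors. The host names, version strings and the `MIN_VERSIONS` baseline are all made up for the example.

```python
"""Triage a small endpoint inventory for the risk factors named on the panel.

Added example; the inventory, baseline and host names are constructed, not
taken from any real environment.
"""
import re

# Constructed sample inventory: one record per endpoint.
INVENTORY = [
    {"host": "ws-01", "local_admin": True,
     "software": {"java": "1.8.0.151", "flash": "32.0.0.223"}},
    {"host": "ws-02", "local_admin": False,
     "software": {"java": "1.8.0.301"}},
    {"host": "ws-03", "local_admin": False, "software": {}},
]

# Assumed organisational baseline (placeholder values, not vendor guidance).
MIN_VERSIONS = {"java": "1.8.0.292"}
# Products that should not be present at all; any install is a finding.
END_OF_LIFE = {"flash"}


def parse_version(text):
    """Turn a dotted or underscored version string into a comparable int tuple."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_outdated(product, version):
    """True when the installed version sorts below the assumed baseline."""
    minimum = MIN_VERSIONS.get(product)
    if minimum is None:
        return False
    return parse_version(version) < parse_version(minimum)


def triage_host(record):
    """Return the list of findings for one inventory record."""
    findings = []
    if record["local_admin"]:
        findings.append("user runs with local admin rights")
    for product, version in record["software"].items():
        if product in END_OF_LIFE:
            findings.append(f"{product} {version} is end-of-life; remove it")
        elif is_outdated(product, version):
            findings.append(
                f"{product} {version} is below baseline {MIN_VERSIONS[product]}")
    return findings


def triage(inventory):
    """Map each host name to its findings; an empty list means no finding."""
    return {record["host"]: triage_host(record) for record in inventory}


if __name__ == "__main__":
    for host, findings in triage(INVENTORY).items():
        status = "; ".join(findings) if findings else "no findings"
        print(f"{host}: {status}")
```

Running it lists `ws-01` with three findings and the other two hosts clean. In practice the inventory would come from an asset or endpoint management tool and the baseline from the organisation's own patch policy; the point is that these checks are cheap to automate, which makes "we knew and did nothing" the poor business decision the panel describes.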
A Skilled Workforce
All three panelists agreed that it’s important to have a wide range of IT skills on staff, with employees who understand networking, development and security. Trump recommended pairing a full-stack developer with a security architect from the beginning so that apps are built with “security by design.” And Fildes recommended having a foundation of CompTIA certifications – A+, Network+ and Security+ – before moving on to more specialized security certifications.
“The underlying knowledge will see you better in the industry if you do it early on,” he said. “You need the basic skills knowledge.”
But Trump added that organizations can compensate for a lack of skills with the proper investment in technology.
“Where things seem to fall apart is when you know your website has vulnerabilities,” Trump said. “You don’t have a vulnerability management program, you’re not prepared to make an investment in fixing it and you’re not prepared to make an investment to put something in front of it to protect it. Then that’s a poor business decision all the way around.”
Watch the on-demand webinar to hear more tidbits from this insightful and entertaining panel and earn Continuing Education Units (CEUs).