By Sandra Collins
Everyone has a list. We keep lists of goals, things to do, shopping lists, and bucket lists. The people with the longest list of things to do are probably those in charge of cybersecurity in information technology (IT). Not only do cybersecurity professionals seek to prevent hacking and cyber attacks on computer systems, but they also develop recovery strategies in case of a breach. Given the ubiquitous nature of computers today, and the fact that they are vulnerable to attack from hackers all over the world, cybersecurity professionals are very busy indeed.
I spoke with Roota Almeida [RA], Head of Information Security at Delta Dental of New Jersey, on behalf of WITI's Boston network. Roota will be speaking at the MIT Sloan CIO Symposium on May 18, 2016, in Cambridge, Massachusetts, on "Mitigating Cyber Risks in the Growing World of Internet-Connected Devices."
It turns out that on the long list of information security activities, Cyber Risk is at the top.
SC: At the MIT Sloan CIO Symposium, you're discussing mitigating cyber risk and connected devices specifically. Please talk about why you're focusing on this area.
RA: The security of connected devices justifiably merits keen attention because the number of "things" connected to the "Internet of Things" (IoT) is growing exponentially. In 2016, the IT research firm Gartner forecasted growth from approximately 5 billion connected units to nearly 21 billion in 2020. More devices mean more connections, more data, and more threat access points, all representing the vulnerabilities keeping security professionals up at night. More and more, things are becoming interconnected. The interconnection is not only the "Internet of Things," but it will be the "Internet of Everything."
The security industry started managing connected devices back with the advent of "BYOD" (Bring Your Own Device), the trend in which employees began to access company networks via their personal smartphones. Suddenly, users wanted 24-hour access to all types of web-based systems using any connected device, wherever they are. Wearable devices add to the mix. The challenge for cybersecurity professionals has been to find a balance between providing the accessibility users want and maintaining system security. We rely on different types of software and solutions to protect the information.
SC: Tell us about some of the challenges you face in today's cybersecurity environment.
RA: One of the biggest challenges is that the types of threats and access points are continually changing. Hackers and "hacktivists" (hackers driven by political or socially motivated purposes) are creative and ingenious, which requires our constant vigilance. Their expertise is growing, and they are working hard to get through security to access systems. To get what they're after, they have to be right only once; but to stop them, security professionals have to be right every single time.
In particular, a system's user identities are the most vulnerable link in its security chain. Security professionals must flexibly manage identification and authentication processes to allow access from diverse types of users, partners, and vendors, all using different devices worldwide, but at the same time, we must ensure we're resisting breaches and protecting the data.
And speaking of the data, the increasing amount of stored information adds additional complexity. Initially, people did not store data on their phones, except for telephone numbers. Now, a large amount of data and images are stored on phones and other devices, as well as a growing number of wearable devices. Security professionals must follow company data and ensure its safety, no matter where it is: on devices, on servers, or in the cloud.
SC: Please elaborate on the nefarious elements of cyber crime: the people using their powers for evil instead of good.
RA: Unfortunately, the black market for stolen data and malware is thriving. In security circles, we refer to 2014 as "the year of retail" cyber attacks, in which a lot of credit card data got hacked. Hackers then realized that their timeframe to use stolen banking and credit card data was limited once there were flags on stolen accounts, so they turned their focus to personal data, and 2015 became "the year of healthcare" cyber attacks. Healthcare data is valuable on the black market. If there is a breach of your financial data, you can get secure again, but when the breach is your private information, you can't get private again. Fingerprints, genes, DNA, and retinal scans aren't going to change; they can maintain their value for much longer.
So far in 2016, we see an upward trend in the use of ransomware internationally. Ransomware is a type of malware designed to infect computer systems, holding them hostage by prohibiting access to the data until the owner pays a ransom to the perpetrators.
Infrastructure threats are another topic we discuss frequently. Unauthorized access to an infrastructure of control systems, such as for power grids, dams, and mass transit systems, can pose a significant threat to populations. Now, many governments are recognizing cybersecurity as a top priority. In the U.S., President Obama has proposed an allocation of $19 billion for cybersecurity as part of the FY 2017 budget. Also, the Administration has worked with Congress to pass the Cybersecurity Act of 2015 to strengthen the country's cybersecurity efforts. The legislation also seeks to make it easier for private companies to share cyberthreat information with each other and with the government.
SC: Does this encourage more collaboration within the industry?
RA: The people in cybersecurity have been working together cooperatively for a long time. Professionals from different kinds of businesses, industries, governments, intelligence agencies, and individuals have close ties and work together to protect against threats and emerging risks and to advance the collective effort against cybercrime.
We also continue to learn from each other, from the threats and breaches that have happened to others, and from the resolutions to these events. CIOs focus on building IT plans with integrated security, and investing in protection, monitoring, and incident response. We know in this day and age it is not a question of whether you will be hacked, but when. No one is immune.
It's important for business leaders to realize that typically the cost of avoiding threats is much lower than the cost of recovering from them. However, when the time comes that you must recover from an attack, how you move forward and prepare for that attack is critical to its effect on your business.
SC: What about Artificial Intelligence? What role do you think it will play?
RA: It's impossible at this time to predict AI's evolution and how it will be used to protect systems or whether it will pose a security concern. Caution is warranted, however. Tesla's CEO, Elon Musk, said that we need to be very careful with artificial intelligence and that we're "summoning the demon," such as in a movie. We may think we can control it, but that may not be the case.
SC: It sounds like you believe large enterprises are doing a good job with security. How about small and mid-sized businesses?
RA: Yes, in my work in the industry and frequent contact with CIOs, I do think large companies are doing a good job. That said, businesses of any size or type should feel confident that they, too, can do a good job with security. Small businesses can work with managed security service providers (MSSPs) who will bring expertise and 24/7 monitoring. They will help mitigate risk and comply with regulatory obligations in line with business objectives. Medium-sized businesses will often bring in MSSPs to augment their internal IT security teams. In any case, we advise all companies to have proactive strategies and systems in place.
Business owners take heed: if cybersecurity isn't near the top of your list, now's the time to take action.
Roota Almeida will tweet from the MIT Sloan CIO Symposium: Follow her @RootaAlmeida.
Roota Almeida is a dynamic senior IT Executive and CISO responsible for successful implementation of information security, risk and compliance systems and strategies across multiple industries with global operations. Currently, she is the Head of Information Security at Delta Dental of NJ responsible for managing the development and implementation of enterprise-wide information security strategy, policies, risk assessments, and controls.
Roota has over 15 years of direct experience in establishing and maintaining global security strategies, architectures, standards, and compliance while driving the necessary cultural changes to effect measurable improvements in the organization's security posture. Recognized as a thought leader in the industry as a Co-Chair, Governing Body Member, and a frequent speaker at various information technology summits, she also has various articles and interviews published in security magazines and websites.
Sandra Collins, Owner, Curious Dog Marketing.