This week’s Cybersecurity Awareness theme is “Educating for a Career in Cybersecurity”. We felt it was the perfect opportunity to sit down with our Virtual Chief Information Security Officer (vCISO), Bob Thomas. Bob gave us the inside scoop on the importance of his role in helping our Kyber clients. In addition to our regularly scheduled business reviews, he is able to drill down on security, data access, and device management.
Q: Why is it important to have a CISO or vCISO?
A: I am partially the tie between the technology and the people. I use the word “partial” because I am not the one that is implementing the technology. I am the one that is proposing tools and enlightening the client on the solutions to their pains and the necessity behind them. Then there’s compliance. It is my job to help them understand the different pieces of the puzzle that they just don’t understand today. There’s no way we can expect them to understand the different aspects of cybersecurity tools and how they work without having the experience of a CISO. I can take a simple approach to important security solutions and make a non-technical person comfortable with having cybersecurity discussions.
Q: What’s the best way to create a cybersecurity corporate culture with non-technical people?
A: To a non-technical person, cybersecurity can seem like a daunting subject. To get the right message through, the best approach is to have them steer the conversation. I go in at our business review meetings with the intention of listening to them and creating a flow of conversation geared around their business concerns with a sprinkle of security. I ask questions like “What are you guys up to?”, “What’s new?”, “How are things working or not working?” and just listen to what they have to say. No one knows a business better than the employees. They have their experiences in their projects and I have my experience in cybersecurity. My goal is to mold the two worlds together to create a comfortable environment with open conversation around security.
For example, one of our clients told me they were unhappy with their phone system, so we worked on a solution for that. They told me half of their cell phones were company owned, so I gave them suggestions for better managing those devices. We talk about data backup and money applications. Another client had a work laptop stolen in a European airport, and as a result we had to have a discussion on mobile device management (MDM) and other technology that would allow us to wipe the machine clean to prevent data from being stolen. An open conversation introduces me to their concerns, and I make a proposed plan that will best suit their individual needs.
Q: What’s the most common vulnerability for SMBs? How can they overcome it?
A: The biggest vulnerability SMBs have is their lack of expertise in cybersecurity. People need to be aware of risks. In a past situation, I had a client where 10 people had access to the same admin password, and it was set to never expire. Others had post-it note passwords on desktops and laptops just out in the open. That’s no good. They need password policies enforced and implementation of mobile device management (MDM).
I am here to bring control into these situations. My goal is to make the right recommendations that fit exactly into what their mode of operation is and to make sure it won’t be a pain for them to use on a day-to-day basis. I bring attention to so many different issues that the intended audience couldn’t possibly remember everything. I am here to help prioritize and strategize and constantly beat the drum on one or two specific things. That way, they are more likely to get things done and have a better understanding.
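One way to turn the situation described above (ten people on one admin password that never expires) into a repeatable check, as an added example that is not part of the original interview or of Kyber's platform: a small Python audit over a constructed account export and constructed logon records. All data, field names and thresholds here are hypothetical. It flags admin accounts that are exempt from expiry, passwords older than a maximum age, and a single account logged on from many different workstations, which is the footprint a shared password leaves in logon records.

```python
from collections import defaultdict
from datetime import datetime

# Constructed account inventory in the shape of a directory export (hypothetical data).
# Fields: name, password_last_set (YYYY-MM-DD), password_never_expires, is_admin
ACCOUNTS = [
    {"name": "svc-admin", "password_last_set": "2017-03-01",
     "password_never_expires": True, "is_admin": True},
    {"name": "alice", "password_last_set": "2019-09-15",
     "password_never_expires": False, "is_admin": False},
    {"name": "bob", "password_last_set": "2018-11-02",
     "password_never_expires": False, "is_admin": False},
]

# Constructed interactive-logon records as (account, source workstation) pairs (hypothetical data).
LOGONS = [
    ("svc-admin", "WS-01"), ("svc-admin", "WS-02"), ("svc-admin", "WS-03"),
    ("svc-admin", "WS-04"), ("alice", "WS-01"), ("bob", "WS-02"),
]


def audit_password_hygiene(accounts, today, max_age_days=90):
    """Return (account, finding) pairs that violate a simple password policy.

    Rules: an admin account must not be exempt from password expiry, and any
    password older than max_age_days is flagged. `today` is a YYYY-MM-DD string
    so the check is reproducible; one account may yield more than one finding.
    """
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    for acct in accounts:
        last_set = datetime.strptime(acct["password_last_set"], "%Y-%m-%d")
        age = (now - last_set).days
        if acct["password_never_expires"] and acct["is_admin"]:
            findings.append((acct["name"], "admin password set to never expire"))
        if age > max_age_days:
            findings.append((acct["name"], f"password is {age} days old (limit {max_age_days})"))
    return findings


def find_shared_accounts(logons, min_distinct_hosts=3):
    """Return {account: sorted list of workstations} for accounts that logged on
    interactively from at least min_distinct_hosts different workstations.

    A named person normally works from one or two machines; an account seen on
    many machines is a strong signal that its password is shared by several people.
    """
    hosts = defaultdict(set)
    for account, host in logons:
        hosts[account].add(host)
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= min_distinct_hosts}


if __name__ == "__main__":
    for name, finding in audit_password_hygiene(ACCOUNTS, "2019-10-01"):
        print(f"[password] {name}: {finding}")
    for name, hosts in find_shared_accounts(LOGONS).items():
        print(f"[shared]   {name}: used from {len(hosts)} workstations {hosts}")
```

Run on the constructed data, the audit reports the admin account twice (never expires, and a password over two years old), flags one stale user password, and singles out the same admin account as being used from four workstations, which is the pattern the vCISO describes. The thresholds (90 days, 3 workstations) are placeholders to be set by the company's own policy.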
Q: How do you determine what the right tools in the security stack should be for your clients?
A: In regards to compliance, every industry is going to have a different regulatory factor. In general, the Kyber platform was created with a multitude of industries in mind. For example, our HIPAA solution shows gaps and what to do about them but doesn’t actually go out and do it for them. It’s possible to use it standalone, but it’s better to integrate the program with other tools to actually get things done. Most SMBs don’t know where to begin when it comes to integrating the right tools, especially because they don’t have the internal experience like the larger corporations do. I help them understand the necessity of our security stack and how it can work hand in hand with their compliance solution.
Q: Why is proactive cybersecurity more important than ever?
A: Hackers are becoming more sophisticated; therefore, so should the smaller businesses. They’ll do whatever they can to find a vulnerability to attack. If someone has a firewall, it’s going to make a hacker’s life more difficult because it will be harder to get in. Because of that, SMBs have become more vulnerable. The “bad guys” are buying software from someone else, licensing it, and using it for illegal transactions. They’re making use of other technologies to broadcast phishing attacks. The reality is, this sort of trade-off didn’t exist 10 years ago. The increased popularity and frequency of these transactions are creating a necessity for proactive cybersecurity measures for SMBs, especially since they are a large target in the grand scheme of it all.
Q: What advice would you give to companies that are trying to make their systems and networks more secure?
A: There’s way more risk today between keyloggers, social engineering, phishing, spear phishing, etc. We can essentially access anything from any device at any time, which comes with more inherent risks. If you leave the door open just a crack, somebody will drive a truck through it, especially if you make it easier for them. And if they do, always make sure you have a data backup, the backup is working, and the data is stored in multiple places. It should be on-site for quick restore and automatic updates.
While we can help SMBs point out their strengths and weaknesses and make suggestions to enhance their cybersecurity posture, we cannot enforce the decision making and policy making. SMBs should take control of their internal policies and procedures and enforce them. Things like password policies and internet usage should be defined at the company level and pushed to all employees. One of the biggest risks to businesses is their employees. Cybersecurity awareness training and a cohesive plan involving people, technology, and processes will definitely strengthen anyone’s overall cybersecurity.