The BC Aware Campaign 2016 kicked off on Jan 25. This year’s campaign is a week-long calendar of events organized by various IT security, privacy, governance, risk and assurance organizations. ISACA Vancouver chapter has been instrumental in coordinating like-minded organizations to promote privacy and security awareness throughout BC by bringing their outreach efforts together under a single umbrella.
The BC Aware Campaign 2016 kick-off event was a panel presented by the CIO Association of Canada in association with ISACA Vancouver chapter. The panel titled “Cybersecurity: Who’s Job Is It Anyway?” attracted more than 100 executives from public and private sectors throughout BC. The distinguished panelists were
- Oliver Gruter-Andrews, CIO – Provincial Health Services Authority/Vancouver Coastal Health/ Providence Health Care
- Jim Attridge, Director, IT Security – BC Hydro
- Elisabeth Zornes, VP Cybersecurity Business & Operations – Cisco Systems, Inc.
- Erwin Martinez, CIO – Coast Capital Savings Credit Union
- Pam Snively, Chief Privacy Office – TELUS
The panel was moderated by Frank Schettini, CIO – ISACA International. The panel discussion was very informative. I would like to summarize some of the key points that were voiced in the panel.
Attacks are getting better, sophisticated, and targeted
A managed security services provider (MSSP) has reported to have received more attacks per second than the global total number of search queries that Google receives per second. The perpetrators of such attacks, uncharacteristically, are not teenagers anymore. They are well educated, organized criminals some of whom are state-sponsored. The number of cybercriminals is believed to be equal to half of the total number of the IT professionals today, incontrovertibly indicating that ensuring security and privacy will become even more complex and challenging in future.
Security is a strategic differentiator
Just as some organizations have failed to see information technology as a strategic differentiator, organizations may fail to view information security as a strategic differentiator. This view, however, was not held by the attendees and panelists who clearly understood that investing in information security can differentiate their firms and offer competitive advantages.
Boards are more and more interested in security
Ms. Zornes of CISCO mentioned that conversations about information security are not confined to the members of security team anymore; it has moved to the board level. More and more board members are interested in understanding the security posture of their organizations. This can be a good or a bad thing. Fear, uncertainty and doubt is a tactic that shortsighted vendors can capitalize on to extract contracts from the boards. There is clearly a need for a framework that would help boards to ask the right kind of questions regarding information security.
Response preparedness is important more than ever before
Security breaches are not a remote possibility anymore. They are the part of cost of doing business in an interconnected world. The question in the minds of many executives is not if but when a breach will take place. It is essential that organizations prepare a very solid contingency plan to react to and recover from the breach. This plan should include who should do what, what message should be communicated to the public and to the customers in the case of a breach.
Risk-based approach to design holistic security architecture
It is clear that all of the information assets are not created equal. There is an obvious need for a comprehensive method in order to assess what information assets are more important and to provide them with a commensurate level of protection. Paraphrasing Mr. Gruter-Andrews: it is like when you are going out in Vancouver, you need to have layers of clothing to protect yourself from the weather. Organizations should create a holistic security architecture which will make use of many solutions to guide their security efforts.
Training and education are still the key
Phishing emails full of misspelt words, written in a broken English are the things of the past. Today, adversaries are using very targeted, customized emails to trick employees into clicking a link in the email to infect the corporate networks. Social engineering is at its highest point today. How would an employee distinguish a phishing email from a colleague using an alias and giving contextually accurate information about the organization (which can be only known by a limited number of people) from a legitimate email from the same colleague? The bar has gone up so much that basic training would not be sufficient to deal with these kinds of sophisticated attacks. Employees, including executives, should be trained to be mindful about possible security attacks by adversaries with different objectives.
A skill shortage and customized HR development
With the speed at which cyber security domain is moving, it is not too difficult to see that there is a skill shortage in IT and that the gap between supply and demand for security professionals will widen in the future. The government should do its part to fund new programs in higher education, which will educate and train security professionals of the future. I was glad to hear from Honorable Amrik Virk, BC Minister of Technology, Innovation and Citizens’ Services that their new strategy for BC, which was released recently (https://bctechstrategy.gov.bc.ca), aims to address skill shortage in areas that BC organizations need including security professionals.
Another point that came out from the panel was that organizations should also put an emphasis on nurturing/preparing their own information security staff. Nobody knows the security posture of the organization better than those who are well-versed with the IT infrastructure of the organization. Building a trusted, skilled, creative security group who are good communicators should be a main objective of organizations.
This post originally appeared at Better Management of Information Systems blog.
Hasan Cavusoglu is an Associate Professor at the Sauder School of Business, UBC. His research interest includes IT risks, governance, security and privacy.