We’re in the midst of a societal shift. Because Internet users can now conveniently log in to virtually any new website with their Facebook or LinkedIn credentials, employees expect the same seamless experience in the workplace, and that social mentality is changing the way companies are treating corporate information.
Leading executives and security providers got candid during a panel discussion at the recent Midmarket CIO Forum in Austin, Texas.
While few midmarket companies are currently equipped to employ full-time CISOs, CIOs Ryan Loy of ADTRAN and Deron Egerman of Choate, Hall & Stewart LLP oversee information security efforts for their respective organizations and shared their experience with the audience of their executive peers.
Moderated by former federal investigator and forensic expert Brian Hill, additional panelists from leading security solution providers Cato Networks, Darktrace and Morphisec discussed evolving security strategies that focused on protecting key intellectual property.
Who’s protecting what and where?
“How many people could say they know where the crown jewels are within their company?” Loy asked. “Who knows what data is within their organization, where it resides, and what governance surrounds that data?”
Justin Fier, Director of Cyber Intelligence and Analysis at Darktrace, asserted that a recent trend with big data breaches places onus on networking teams to recognize when massive amounts of data are leaving their networks.
“Stop buying shiny objects and collecting them,” he suggested, noting that one of the first activities a recent CISO initiated upon receiving a $5 million allocation from his board was to strategically analyze his own security team.
He discovered a heavy reliance solely on security tools – they were dedicating a mere 45 minutes a day to proactive network monitoring – so 25 tools were pared down to just six.
Decreasing complexity across the IT landscape is another avenue to an improved security posture, Egerman suggested, adding that his team has taken three stacks and collapsed them into one platform.
“If your organization is not looking into SSL traffic, there’s all kinds of uncontrolled data there. I only have one dedicated security person on my staff, so we had to choose a good partner.”
Only about 20 percent of midmarket companies offer continual, mandatory security training, according to Loy, primarily when onboarding new employees. CIOs must measure risks and determine the company’s highest risk vector to best invest security funding.
“Don’t fool yourself into thinking that end user training will fix all the problems,” Egerman cautioned, adding that it was one of his company’s youngest, most tech-savvy employees who fell for a phishing scam almost immediately after completing security training.