Top 10 tips Cybersecurity Experts want you to know
Jurijs Rapoports - X Infotech
Jurjis Rapoports is the Senior Security Engineer of X Infotech. Rapoports notes that in many cases, the reason companies have their security compromised is because they have not prepared for enough real life threats. His suggestion is to turn to pen testers and red teamers in order to prepare for the methods that security breachers might use. He states:
"It’s like boxing. If you learn only how to defend yourself, in a real fight, you will lose because you will not know how to understand the nature of punches, what they can be like and from what degree a punch will knock you out."
Rebecca Wynn - Matrix Medical Network
"It's not a matter of if you ever have a data breach; it's actually when anymore. If the CISO can recover as quickly as possible... that's a win."
Mark Hellbusch - GB Protect
Senior Cybersecurity Consultant of GB Protect Mark Hellbusch states that GDPR is merely the first step in protecting your personal information globally. He notes that it is the responsibility of senior leadership to "drive and shape the data privacy program across all business units".
"To ensure that personal privacy programs extends to all business units requires senior leadership to become the driving force behind your organisation’s efforts."
Dmitri Alperovitch - CrowdStrike
CTO and co-founder of CrowdStrike Dmitri Alperovitch noted that many security breaches occur because adversaries tailor attacks specifically to their subject. Crowdstrike's methodology is to focus on the adversary activity in order to detect the development of a threat before it has the chance to attack. Alperovitch states,
"If you focus on what they're trying to do and start detecting that, you create a fundamentally different platform that can actually capture attacks regardless of who is orchestrating them."
Stu Hirst - PhotoBox
Head of Security Engineering at PhotoBox Stu Hirst has a variety of techniques that helps him to stay ahead of the curve in the realm of cybersecurity. He states that by using Twitter, Blogs on LinkedIn and Medium and Youtube, one can keep up to date with the latest in security news. He also recommends using online courses, attending conferences and observing the work of your competition.
"There are some fundamental security leaders across the globe. The main players. But there are also some great security people in all manner of industries. Seek them out on LinkedIn/Twitter etc."
Dan Cornell - Denim Group
CTO of the Denim Group Dan Cornell notes that software is utilised in near enough every industry in the world. As a result, coders control the pace of innovation and as a result, control the security of the systems that they are developing. He states that many coders do not understand the workings of security. Seeing as cybersecurity is often seen as specialised and non-essential, Cornell states that it needs to simplified for programmers to think about. They key is for programmers to start thinking "What shouldn't my program do?" in order to anticipate risks as they develop software.
"This may not alleviate all security issues but it will start to change the landscape and start to set the foundation for building more secure systems in the future".
Theresa Payton - Fortalice Solutions
President and CEO of Fortalice Solutions LLC, co-founder of Dark Cubed and the first ever CIO of The White House Theresa Payton begins by stating that every company's culture is different. She believes that the CIO and CISO of a company should be working hand-in-hand to make sure that "the best technology experience and the most secure environment is there for your employees as well as that customer data that you have fiduciary responsibility for". It is important for both parties to have a shared strategy to ensure optimum security.
"If you make it so secure that the employees can't do their job and take care of the customer, they will work around your security processes which means you will lose line of sight of that data, and you cannot protect data that you don't have line of sight of."
Shannon Lietz - DevSecOps
Founder of DevSecOps Shannon Lietz has an interesting tip, which is that software developers should learn about the importance of security alongside learning to develop. What this means is that security becomes an integral part of a business's process. By doing this, businesses will have to worry less about defending after the fact and will instead be more protected from the inside.
"We want to do things like build up a developer’s capabilities, have them understand what logs mean to them, be able to track and trace against attackers, and ultimately be able to make decisions about the logic that they have in their products so that they can make those products safer."
Alexandru Catalin Cosoi - Bitdefender
Chief Security Strategist of Bitdefender Alexandru Catalin Cosoi regularly talks about the dangers of all forms of technology and how something seemingly innocent might actually compromise your security. Take, for instance, a smartwatch. Cosoi states that "hackers could use poorly configured smart gadgets as backdoors into a corporate network. This is down to the fact that they are currently lacking the proper security mechanisms." Cosoi warns that companies should enforce guidelines and principles that limits the use of smart technologies.
"Wearable devices should be regarded as mobile devices, but with ultimate portability and the potential to affect businesses in a way no other gadgets ever have. For example, imagine employees walking around the office with Google Glasses on and attending meetings or reading important documents."
Chandra McMahon - Verizon
On the discussion of considering the best companies to work for within the realm of cybersecurity, SVP and CISO of Verizon Chandra McMahon offers her insights. She states that many companies claim that they "do security". What McMahon suggests is that aspiring security experts should ask "How much are you investing in your security programs? What has been your year over year growth in your security investments?". This advice provides security professionals with the right guidance to join a company that has the best infrastructure.
"None of you would want to work for a company that says 'We do cyber, we need someone to do cyber' and then you get there and you realise it's just words on a sheet of paper but there's no leadership at the company level."