The Infosecurity ISACA North America Expo and Conference, held in New York this week, covered a diverse range of security-related topics.
Infosecurity sat down with event speaker, Frank Downs, director cybersecurity practices, at ISACA, to discuss his reflections on the conference and gain his insight into the overall state of cybersecurity.
Have you spotted any important trends at the show that surprised you?
One of the pleasant surprises I encountered is a marked growth in the amount of discussions related to cyber-maturity. Cyber-maturity is a relatively new term used to describe an organization’s preparedness level. This includes the level of understanding of its risk profile, its strengths, weaknesses, and any of its real-world or digital assets that what would be of special interest to an attacker. The growing number of sessions on these topics at this conference – and the depth of the material they’re presenting, are signs that companies and institutions are taking security much more seriously.
Haven’t most organizations been taking security seriously for quite a while?
They’ve certainly known about security issues for quite a while, but there’s a difference between the routine IT audits that most companies considered as adequate until recently and the growing move to more active measures that I’m seeing today. This includes including a deep, thorough analysis of the organization’s cybersecurity capabilities and weaknesses. This is a big change.
Until around 2014-15, most corporate leadership considered security to be at best a minor appendage to the IT budget and, at worst, a costly nuisance. Until then, conferences like this one mostly preached to the already-converted while the general consensus amongst C-level executives was that security wasn’t a priority. Thankfully, awareness of security as an issue that directly impacts competitiveness has finally hit the C-Suite.
Why did it take so long for that to happen?
Getting management to buy in was difficult, but not for the reasons one might commonly think. For one thing, it took a surprising number of high-profile data breaches at major corporations – and a lot of thankless educational work on the part of CSIOs – to convince people that their organization might be next. However, awareness was not enough. Getting large organizational cultures to change also required their leaders to acquire a deep understanding of the problems and their implications.
What finally triggered that change?
There were several things. One of the big, but poorly understood reasons for the difficulty was the lack of routine and meaningful communications between management and their security teams. As some of the presentations I’ve seen at the conference have pointed out, a large part of that problem is that each group tends to have a tightly-focused set of things that they pay close attention to. In most cases, few, if any, of one group’s major cares were ‘visible’ in the other’s world. Even more challenging than the groups’ mutually-orthogonal perspectives is that most top-level managers are already suffering from a serious case of information overload from the challenges they are already dealing with. Fortunately, CSOs and their disciples are learning to frame the issues they’re dealing with, and the operational challenges they face, using terms and concepts that are familiar and meaningful to C-level managers. As for executives’ limited bandwidth, the best they can do is frame their issues in a way that align with their management’s priorities.
So, organizational security is as much of a communication challenge as a technical challenge?
Precisely! I like to tell people that building an effective cybersecurity program is like a marriage, insofar that communication is an essential ingredient. The better the communication, the better the marriage.