Welcome to CISO Compass, a new monthly column where I will share key insights related to cybersecurity.
Education is integral to information security. It is my goal that this column will increase awareness, stimulate broader discussion in the community, and help generate new ideas to combat ever-escalating cyber challenges.
With the New Year comes new hopes, dreams and aspirations. To me that begs the question: What does the cyber community see ahead for the coming year?
Interestingly, it is expected to be more of what we have seen in the past. Common predictions include potential threats related to the 2020 elections in the U.S., more targeted ransomware, more ways to attack the cloud, and an explosion of problems with deepfake technology.
What does this all mean? Why are predictions saying we will see more of what we already know about?
Let us ask a different question: What must we do differently to prevent attackers from successfully using the same methods over and over?
First, we need to create a ‘security aware’ culture in our organizations. You do not need to be a technical person to understand the need. In fact, it is a shame security continues to be looked at as a technical issue. It is a business issue. I think about it this way: If information technology is the circulatory system for a business, security is its immune system.
Creating a security-aware culture requires identifying lieutenants who can help permeate those values across the organization so that everyone understands and embraces best practices.
I will be initiating a new program this year to support this approach. Many chief information security officers at state agencies have already expressed a keen interest to me in this effort. Let’s get our lieutenants ready!
Secondly, we need to look at our ecosystem. How do we manage our service delivery ecosystem better? The state of Washington has a vast number of tools and technologies, with many of them performing the same function. I expect many agencies have plans to implement more technologies this year. However, people and technology are the two vectors that allow the bad guys to do what they do.
Here’s a relevant data point to consider. Not too long ago, researchers at Carnegie Mellon University found that between 1% and 5% of all software defects are security vulnerabilities.
They also found that commercial technology typically has 20 to 30 bugs for every 1,000 lines of code. That’s a lot of mistakes and a lot of security vulnerabilities.
We need to pay closer attention to how people interact with technology and what the loopholes are within the technology. We need to be innovative and not solve yesterday’s problem with yesterday’s solutions. But this is an issue that requires all of us working together to solve.
So, I am calling on you for help in providing innovative solutions. Please send me your thoughts and suggestions on approaches to deal with this issue.
I also want to recognize a colleague who is championing a new approach to help bridge the ongoing cybersecurity skills gap. Matt Beaumont, the Chief Information Security Officer for the Department of Retirement Systems, is championing the Microsoft Software & Systems Academy (MSSA) program, an effort to assist transitioning service members and veterans in finding security and technology jobs within Washington state government. I was excited the minute I heard about his work and have joined with him to support this very important program. Please join me in thanking Matt for his work.
We need more people entering our field, and we need to do more to help prepare the next generation of cybersecurity professionals. In that vein, I am traveling to Western Washington University (WWU) next month to congratulate students who came in first at a recent Pacific Northwest National Laboratory capture the flag competition.
While at WWU, myself and some OCS colleagues will run students through a security incident scenario, hold a Q&A session, meet with faculty and run a cyber escape room to reinforce fundamental cyber hygiene principles.
We’re looking forward to the opportunity to engage with students at the cusp of their careers.
I look forward to a great new year and our continuing partnership to serve this great state. Thank you for the work you do, and for your efforts to keep Washingtonians’ data safe.
State Chief Information Security Officer