ISACA hosted a free live webinar on how certifications and education get applied to real-world e-commerce and governance cybersecurity issues, titled “Cybersecurity: e-Commerce, Governance and Applied Certifications,” on Tuesday, 15 December 2015. We recently spoke with presenters Michelle Mikka-Van Der Stuyf, president and CEO of BizStrat Technology Corporation; Sally Smoczynski, CISSP, managing partner of Radian Compliance; and Diana Salazar, CISM, CISA, CRISC, CGEIT, executive security advisor (ESA) of Magellan Group, about cybersecurity: e-commerce, governance and applied certifications. Read the interview below.
Q: These are some big topics. How are they impacting organizations today, and what do companies need to know?
Michelle Mikka-Van Der Stuyf (MMV): We shared real-experience information on how we practically apply cybersecurity solutions in business and government. To help attendees focus, we started off with some shocking cybersecurity stats. We also provided insight into just how encompassing cybersecurity is, how you can get a more strategic view of your greatest risks, and where companies should apply their security resources.
Sally Smoczynski (SS): I reviewed the root causes of cybersecurity incidents—why did they happen, and what could have been done to prevent or mitigate the impact? I’ll explore why information security governance outside of IT is essential for strong policy and procedures management. I also discussed making sense of regulatory frameworks. Which ones do you use, and how can they be better managed? Finally, I discussed the value of a management system.
Diana Salazar (DS): Regulations may fall behind as people continue toward bring your own devices (BYOD) and bring your own cloud (BYOC); therefore, organizations need to use a continuous assessment process of controls and a framework for information sharing, data movement and greater interoperability among legal and privacy bodies. They should review technology challenges (application, profiling, digital education and web tracking), remove data for right to be forgotten requirements, and increase transparency on the data organizations are collecting and required controls using comprehensive frameworks.
Q: How do you apply those points to your organization?
MMV: Cybersecurity is as much about practice as it is solutions. Our business/technology solutions always integrate risk and risk mitigation to deliver a sound, safe and secure result. Often companies want to push security to the side to save time or cost, but we believe security is a must-have and won’t break those standards to deliver a solution that is not in the best interest of our client or their industry.
Education and certifications are keys to maintaining cybersecurity. Cybersecurity information is constantly changing, so it’s critical to stay current with industry news by following breach intelligence, attending conferences and other industry events, and collaborating with CISOs and other security professionals. We apply certifications and education in every solution. By being educated on risks and solutions, including practices that give you a leg up against the inevitable breach, you’ll be serving your customers’ cybersecurity needs well.
SS: You have to practice what you preach. In Radian’s case, we’re applying a strong security awareness program and practicing good data protection habits. We are an implementer of ISO 27001, so we focus on best practices and relevant risk mitigation to support our clients’ programs. We perform internal audits against many ISO standards and identify areas of improvement to reduce the threat of cybersecurity incidents and information security incidents.
Internally, we strengthened our security posture based on what we learn in the field. Organizations need to take a holistic governance structure to protect their information assets. Tools can help detect incoming threats, but people are the biggest threat, including their social media habits.
Information security governance outside of IT is essential for strong management of policy and procedures. Governance needs to include HR, physical security, training, marketing, legal and other departments. IT plays a very important role, but not the core.
DS: Using a continuous assessment process, organizations enable defensibility and resilience. Generally, controls fit into three categories: protective/preventative controls, which enforce acceptable behaviors; detective/audit controls, which perform a monitoring activity; and reactive controls, which respond to a detective control’s alert or correct an unacceptable situation. When there is a breach, one of these simple categories (preventative, detective or reactive control) is missing. Applying these categories with a framework enables an organization to reduce an adversary’s ability to do harm. Frameworks provide the ability to determine which controls apply to the organization.
[ISACA Now Blog]