By Sandra Collins
Everyone has a list. We keep lists of goals, things to do, shopping lists, bucket lists. The people with probably the longest list of things to do are those in charge of cybersecurity—the information technology (IT) professionals who seek to prevent hacking and cyber attacks on computer systems, as well as develop recovery strategies in case of breach. Given the ubiquitous nature of computers today, and the fact that they’re largely vulnerable to attack from hackers all over the world, cybersecurity professionals are very busy indeed.
I spoke with Roota Almeida, Head of Information Security at Delta Dental of New Jersey, on behalf of Women In Technology International (WITI), an international professional network. Roota will be speaking at the MIT Sloan CIO Symposium on May 18, 2016 in Cambridge, Massachusetts, on “Mitigating Cyber Risks in the Growing World of Internet-Connected Devices.” It turns out that on the long list of information security activities, this is at the top.
At the MIT Sloan CIO Symposium, you’re discussing mitigating cyber risk and connected devices specifically. Please talk about why you’re focusing on this area.
Almeida: The security of connected devices justifiably merits keen attention because the number of “things” connected to the evolving “Internet of Things” (IoT) is growing exponentially. IT research firm Gartner has forecast growth from today’s approximately 5 billion connected units to nearly 21 billion in 2020. More devices mean more threat access points, more data, and more connections—all representing the vulnerabilities keeping security professionals up at night. More and more, things are becoming interconnected. This is not only the “Internet of Things,” it will be the “Internet of Everything.”
The security industry started managing connected devices back with the advent of “BYOD” (Bring Your Own Device), the trend in which employees began to access company networks via their personal smartphones. Suddenly, users wanted 24-hour access to all types of web-based systems using any connected device, wherever they were located. Wearable devices are now added to the mix. The challenge for cybersecurity professionals has been to find balance between providing the accessibility users want and maintaining system security. We rely on different types of software and solutions to protect the information.
Tell us about some of the challenges you face in today’s cybersecurity environment.
Almeida: One of the biggest challenges is that the types of threats and access points are continually changing. Hackers and “hacktivists” (hackers driven by political or socially motivated purposes) are creative and ingenious, requiring our constant vigilance. Their expertise is growing and they are working hard to get through the security to access systems. To get what they’re after, they have to be right only once, but to stop them, security professionals have to be right every single time.
In particular, a system’s user identities are the most vulnerable link in its security chain. Security professionals must flexibly manage identification and authentication processes to allow access from diverse types of users, partners, and vendors, all using different devices worldwide, but at the same time we must ensure we’re resisting breaches and protecting the data.
And speaking of the data, the increasing amount of stored information adds additional complexity. Initially, people did not store data on their phones, except for telephone numbers. Now, a large amount of data and images are stored on phones and other devices, as well as a growing number of wearable devices. Security professionals must follow company data and ensure that it is secure, no matter where it is—on devices, on servers, or in the cloud.
Please elaborate about the nefarious elements of cyber crime—the people using their powers for evil instead of good.
Almeida: Unfortunately, the black market for stolen data and malware is thriving. In security circles, we refer to 2014 as “the year of retail” cyber attacks, in which a lot of credit card data was hacked. Hackers then realized that their timeframe to use stolen banking and credit card data was limited once the accounts were flagged, so they turned their focus to personal data, and 2015 became “the year of healthcare” cyber attacks. Healthcare data is valuable on the black market. If your financial data is breached, you can get secure again, but if your private information is breached, you can’t get private again. Fingerprints, genes, DNA, and retinal scans aren’t going to change, so they can maintain their value for much longer.
So far in 2016, we’re seeing an upward trend in the use of ransomware internationally. Ransomware is a type of malware designed to infect computer systems, holding them hostage by prohibiting access to the data until the owner pays a ransom to the perpetrators.
Infrastructure threats are another topic we discuss frequently. Unauthorized access to a nation-state’s infrastructure control systems, such as those for power grids, dams, and mass transit systems, can pose a significant threat to populations. Now, many governments are recognizing cybersecurity as a top priority. In the U.S., President Obama has proposed an allocation of $19 billion for cybersecurity as part of the FY 2017 budget. In addition, the administration has worked with Congress to pass the Cybersecurity Act of 2015 to strengthen the country’s cybersecurity efforts. The legislation also seeks to make it easier for private companies to share cyber threat information with each other and with the government.
To encourage more collaboration within the industry?
Almeida: The people in cybersecurity have been working together cooperatively for a long time. Professionals from different kinds of businesses, industries, governments, intelligence agencies, and individuals have close ties and work together to protect against threats and emerging risks and to advance the collective effort against cyber crime.
We also continue to learn from each other, from the threats and breaches that have happened to others, and also from the resolutions to these events. CIOs are much more focused on building IT plans with integrated security, and investing in protection, monitoring, and incident response. We know in this day and age it is not a question of whether you will be hacked, but when. No one is immune.
It’s important for business leaders to realize that typically the cost of avoiding threats is much lower than the cost of recovering from them. However, when the time comes that you must recover from an attack, how you move forward and prepare after that attack is critical to its effect on your business.
What about Artificial Intelligence? What role do you think it will play?
Almeida: It’s really impossible at this time to predict AI’s evolution and how it will be used to protect systems or whether it will pose a security concern. Caution is warranted, however. Tesla’s CEO, Elon Musk, said not too long ago that we need to be very careful with artificial intelligence and that we’re “summoning the demon,” such as in a movie. We may think we can control it, but that may not be the case.
It sounds like you believe that large enterprises are doing a good job with security. How about small and mid-sized businesses?
Almeida: Yes, in my work in the industry and frequent contact with CIOs, I do think large companies are doing a good job. That said, businesses of any size or type should feel confident that they, too, can do a good job with security. Small businesses can work with managed security service providers (MSSPs) who will bring expertise and 24/7 monitoring, and will help with mitigating risk and complying with regulatory obligations in line with business objectives. Medium-sized businesses will often bring in MSSPs to augment their internal IT security teams. In any case, we advise all businesses to have proactive strategies and systems in place.
Business owners take heed: if cybersecurity isn’t near the top of your list, now’s the time to take action.
Roota will tweet from the MIT Sloan CIO Symposium: Follow her @RootaAlmeida.
Roota Almeida is a dynamic senior IT executive and CISO responsible for the successful implementation of information security, risk and compliance systems and strategies across multiple industries with global operations. Currently, she is the Head of Information Security at Delta Dental of NJ, responsible for managing the development and implementation of enterprise-wide information security strategy, policies, risk assessments and controls.
Roota has over 15 years of direct experience in establishing and maintaining global security strategies, architectures, standards, and compliance while driving the necessary cultural changes to effect measurable improvements in an organization’s security posture. She is recognized as a thought leader in the industry as a co-chair, governing body member and frequent speaker at various information technology summits, and she has published various articles and interviews in security magazines and websites.