The Current State of Cybersecurity Performance

An interview with Brian Wrozek, VP, Corporate Security, Risk and Compliance Management and Physical Security

In your opinion, what are some of the most challenging cybersecurity issues organizations currently face?

Balancing the needs to consistently do the fundamentals with meeting new challenges and threats. It is hard to consistently patch vulnerabilities day in and day out, over and over with the stress of knowing that it just takes one opening to allow an attacker into your environment. New projects dealing with the cloud, for example, are not only much more interesting, but they often come with more recognition. Naturally, employees want to work on those new, higher profile projects. Consequently, leaders are challenged with keeping continuity and focus on the foundational tasks where staff turnover is high due to low morale and the repetitive nature of the work. Plus, organizational gratitude for keeping the lights on is low. Rare is the company that celebrates meeting the patching SLAs, but roll out a new version of your website and it is bonus time. IT Operations has had this challenge for years, but security comes with additional risk and less willingness by management to outsource.

What industries need to be most proactive in improving their cybersecurity tactics?

I think the educational industry needs to fundamentally improve but not in the traditional sense. They need to make cybersecurity education a priority in primary and secondary education curriculums. A 20-minute talk once a year on career day or during National Cyber Security Awareness Month is not equipping today’s youths with the knowledge to protect themselves from cyber threats. In 2020, colleges and universities are still graduating thousands of engineers and programmers who are not required to pass a single, cybersecurity course before joining the workforce. It’s no wonder the OWASP top-10 hasn’t really changed in a decade.

With an upcoming US presidential election, cybersecurity is top of mind for the federal government. In general, how should local, state, and federal governments address cybersecurity?

Legislation needs to catch up to technology. The US lacks a national law that sets data security standards. There are no security statutes to set minimum data security requirements. Each state has their own, unique data breach notification law. Traditional notions of national sovereignty and country borders have not fared well when applied to the Internet and global commerce.

How are organizations defending against cybersecurity threats?

Based on the unending news about breaches, not very well. On the plus side, seeing more adoption of automation and orchestration. In the past, security teams were so afraid of disrupting some aspect of the business or causing even a minor inconvenience to the end-user experience that issues would go unresolved or new solutions would be ignored. Now filtering rules are automatically updated in real-time, based on machine analysis of incoming phishing emails, rather than waiting for a change request to be reviewed and the next change review board meeting. We must allow security to adapt at the same speed as the attacks with the necessary procedures to revert to a prior state if necessary.

Are there any regional trends in cybersecurity practices that you have noticed?

Look no further than the new CCPA and its impact on California residents. I recognize that many companies outside of CA will need to comply but the impact on small, local “mom and pop” businesses can be substantial relative to similar companies in states less regulated with laws that heavily favor businesses.

How are organizations equipping their staff to better understand/handle cybersecurity issues?

One game changer has been the gradual shift in attitude toward cyber incidents. No longer are they automatically career ending events with the CISO taking the blame. Allowing for bad cyber events to occur just like in the physical world has freed security personnel from defaulting to always answering no to aligning with the risk appetite of the company.

What is the first step to becoming more cyber secure?

Get professional cybersecurity help. Companies will spend tens of thousands of dollars on outside legal counsel, advertising and other SG&A service costs and then balk when it comes to investing in cybersecurity assessments. On the personal side, the same is true. People will hire plumbers and electricians but then think they can secure their entire smart home technology landscape by themselves.

What are the biggest trends you see taking shape within the cybersecurity industry that will have major impacts in the next 3–5 years?

Privacy will consume a much larger portion of the security activities and budget. We all realize that privacy is not just a Legal or HR issue. Advances in hardware and software technology are fueling a data collection and retention explosion. As data analytics becomes common practice across all facets of a company’s operating rhythm, protecting the confidentiality and integrity of the raw information and trending reports will expand beyond the current PII elements.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store