Cyber Expert Discusses Risk Assessment, Proper Skillset

Benefits Of Cyber Degrees; Plus, 'Agnostic' Standards

Dan Gunderman
07/17/2018

JustProtect Inc.’s CEO and Co-Founder, Vikas Bhatia, joined “Task Force 7 Radio” host George Rettas on July 16 to discuss risk assessments, cyber security services and today’s security skillset.

Bhatia, who joined Rettas for the whole program, began with some background on his introduction to cyber security. He said he fell into it during the “dotcom” era in the 1990s. His first exposure to a security-related incident was the “ILOVEYOU” virus, where he was charged with pulling the power cables from the organization’s servers. From there, Bhatia moved into security, where another early hurdle was cleaning up after a malicious insider.

Bhatia said he entered cyber security in an “unconventional manner,” but that it was a “learning experience from the get-go.”

Technical & Tactical

Asked by Rettas whether cyber security is strictly technical, the JustProtect Inc. Co-Founder said, “You need to know technology, but the biggest thing you need to understand is the business, and risk… If you don’t understand risk concepts, then just the technology isn’t good enough.”

The “TF7 Radio” guest also said that as he was coming up through the cyber ranks, there wasn’t really a “formal training.” He said maybe two colleges in the U.K. offered a master’s program in computer security.

“We self-taught,” Bhatia said. “We learned from the ground up, by making mistakes, without structure.”

He then praised the existence of today’s degrees and numerous certifications. The catch, however, is that these graduates often come out strictly academic, without the business (and practical) fundamentals.

Bhatia added that earlier in his career, he “pretended to be a lot more technical” than he really was. He suggested that had he not done that, he would have picked up more “soft skills” which could help firms.

“If you’re interested in cyber security,” he said, “know it has many domains, so find two or three that interest you and get really strong in those domains. And keep abreast of the rest of them.”

Expectations

In today’s populated cyber security space, Bhatia said that expectations on the consultancy side still run pretty high.

The program guest said firms believe these individuals are “unicorns” who are experts in every domain. That said, he suggested practitioners and consultants should at least have a fundamental understanding of each vertical, since the expectation is there.


“People still think cyber security is a technology problem,” he said. “They don’t see it as their problem, so they call you in and view you as a ‘magical unicorn’ that will solve all of their problems.”

Diversification

The “TF7 Radio” guest told Rettas on the program that in today’s market, there has been diversification amongst security firms. But he suggested organizations “stick to what they’re good at.”

For example, if a law firm is offering cyber security services, it’s his opinion that those services be kept to the legal angle.

“Don’t be an audit firm offering pen testing services,” he continued. “But certainly be involved in cyber security… In the event of a breach, you do need lawyers, and people who do remediation…”

SMEs

In discussing relevance to small and midsize enterprises (SMEs), Bhatia told Rettas that “SMEs don’t have the luxury of deep pockets, or of being traded.” Still, he called the Target breach a “catalyst for larger organizations, and for regulators, to look at how SMEs were managing cyber security posture.”

Are these services accessible to SMEs?

“Historically, they weren’t very available,” Bhatia said. “But we’re starting to see a shift in the marketplace in the types of services being provided.”

He said if a smaller firm is working with an IT firm, and it offers cyber services, then the SME should “leverage that.”

Risk Assessments

Bhatia described the assessments as a combination of business and technical controls, built on the expectation that something is going to happen. The wider question is: Are organizations able to respond if something goes astray?

What larger companies are saying, Bhatia suggested, is: “Do you have buy-in at different levels? Would you be able to put your best foot forward, or be on your back foot?”

A major subtopic here is vendor risk. On the subject, the JustProtect Inc. Co-Founder said, “In the olden days, the ecosystem was very perimeter-focused. We don’t live in that world anymore. Target was the catalyst for third-party risks becoming a huge problem.”


The risk, however, goes even deeper than third parties, extending to fourth or fifth parties. “You don’t want a fourth-party risk to trip you up,” Bhatia said, “and regulators are starting to pick up on that. It really has a business impact.”

In many cases, the assessments are spreadsheet- and procurement-driven.

“Fundamentally, you have security people providing security questions. They’re security questions written for security professionals. But really, for smaller organizations, it’s not a security person that’s responding.”

The “TF7 Radio” guest said IT teams and CTOs are “getting lumbered with these spreadsheets.” In the best-case scenario, he continued, firms can hire a freelancer or retain a CISO to help them navigate the questions. If not, though, the CTO or IT Director must complete the spreadsheet as a technical exercise, without truly knowing the ramifications.

‘Deer In Headlights’

Bhatia said one fix could be improving the way these assessments are framed.

“In getting (them), the immediate response is like a deer in headlights,” Bhatia continued. “You must respond to every question…and work out what the assessor is trying to obtain from you. (Instead), make friends (with them). Pick up the phone and ask to speak to the security people.”

He said a request for a “helping hand” and “inner strength” within smaller organizations could do the trick in improving posture and overall efficiency.

Internally, Bhatia also said that the CTO or CIO should be able to talk to the business, lay out the domains and compare the expanding duties with the job specifications. He said a “candid conversation could bring in business a lot earlier.”

He continued: “If you don’t take a broader look at what you’re trying to do, align with the business and (adopt an) agnostic set of standards, you’ll be consistently chasing your tail.”

Altogether, Bhatia made it clear that risk accountability spreads across the business, and is not just stationed with IT or security. This is true of SMEs as well as large enterprises, although each deals with differing resources.

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.
