Privacy Debate Rages, Cyber Progress Made Through Diversity: Security Pros
Both privacy and the shape of the cyber workforce were hot topics on the March 5 episode of “Task Force 7 Radio.” Host and information security executive George Rettas spoke with Chief Risk and Security Officer at Neustar, Inc., Tom Pageler, and Information Security Consultant at Sapphire-Security Services, Debbie Christofferson.
The show’s first segment tackled the ongoing “privacy versus security” debate in the context of Chinese policy, while the back half of the show featured Christofferson on the talent crisis, women in cyber, and more.
Apple In China
Rettas said that Apple is “now kowtowing to the Chinese government’s demands to keep Chinese customers’ iCloud data on Chinese servers.” Encryption keys are also to be stored in the nation as well.
Rettas called the privacy debate one of the most difficult ones to have, especially when you have “terrorists running around out there using encrypted technologies that law-abiding citizens use to protect our privacy rights as free citizens of the world.” He said “these terrorists use these same technologies to communicate with each other in a way that shields their conversations and data from law enforcement officials.” The goal: “to further their atrocious acts of terrorism.”
Rettas continued, “I still land on the privacy side of the debate. I don’t believe we can let the terrorists erode our freedoms.”
Pageler, a frequent guest of the show, said, “I do think it’s a global trend where nations of the world are trying to restrict privacy to their citizens. We’re seeing it in Russia, with the General Data Protection Regulation (GDPR) in Europe, which is going into effect in May. Now China’s asking for data hosted in the cloud to be hosted there.”
Asked if Chinese laws are meant to protect Chinese citizens, Pageler said the question becomes: Do we risk making silos – as geographic regions rely on only specific technologies?
Pageler said that although he does not have a cure-all for the issue, he doesn’t “want to get to a point where we’re (strictly) isolationists, or no companies operate in China because it’s too restrictive.”
“I do love the U.S., because we have freedoms that others don’t. As a citizen of the U.S., I do know that the government has to go through due process to get information,” Pageler added. “So even though Apple is securing my cloud, they’re not just going to easily share it with the government. That’s the freedom I get as a U.S. citizen.”
Rettas called for a “collective response” from companies in the U.S. and around the world, so they don’t just have to capitulate and freely give information away.
Pageler even said that the service could still be provided in the geographic area in question, but that restrictions could be placed on it so that citizens may be drawn to complain.
Progress In Cyber
Christofferson, a consultant for Sapphire-Security Services and a contractor with the Cloud Security Alliance, began her discussion by outlining the generational layout of cyber security. “My generation, we created the foundation and baseline for what exists today (in cyber security),” she said. “It wasn’t there before… The field continues to evolve, but it’s young.”
On risk, Christofferson alluded to the internet of things (IoT), cloud computing, drones, camera usage and more, saying, “The internet of everything is a big risk.” The cyber expert also said that with today’s mega-breaches, everything winds up online, causing security teams to seek both individual and organizational protection. “Cyber security continues to evolve at the speed of light, just like technology has. But in keeping up with technology, you really can’t, because it’s always running ahead – and we’re running behind.”
Much of the conversation returns to risk management. Christofferson said organizations should continue to question what the company exactly does. “There are key risks you have to look at,” she said. “What Arizona State University does will be different than what Boeing does to protect their business, or the FBI – it varies by the business.”
In building a cyber security program from the ground up, Christofferson called for executives to: look at the organization and its audit findings, talk to key stakeholders, see what the key risks are, set up a security steering committee (depending on the size of the company), interact with experts and start building a plan for what the risks are. “It isn’t just about securing everything,” she said. “It’s also the cost of securing it… If there’s no plan in place, you should be putting (one) in place.”
See Related: U.S. Needs GDPR-Like Privacy Laws: Cyber Expert
The ‘Talent War’
On obtaining skillsets that are in high demand, Christofferson said, “Cyber security is not an entry-level field. If you’re coming out of college with an Information Security degree, it doesn’t make you ready to just come in,” she said. “There is (still) way more demand than there are positions. Companies need to be more creative (in their hiring processes).”
She said most openings are for engineers and analysts, which are highly technical positions that require extensive background. Still, Christofferson suggested there is a “trainable workforce (out there).”
“People can be transitory… A lot of people in IT can move to cyber security if they want to,” she continued.
“There is a gap, but I think the workforce is out there,” she added.
On women, specifically, entering the cyber security workforce, Christofferson said, “I don’t see limitations in the market for women, and I’ve been in (the market) for a long time.”
The consulting cyber expert said that oftentimes, women do not offer to speak at industry events. “I don’t see them stepping up much,” she said, before adding that men respond to calls to speak at similar outings.
“Step up and step out of your comfort zone,” Christofferson advised. “And when you speak to women, they’ll tell you what they can’t do…when they’re just as good as anyone you’re interviewing. They diminish themselves or tell you what they can’t do. Men don’t ever do that, they’ll interview 100% for a job they’re maybe 60% qualified for. Women make sure you know that distinction. But, there are unlimited opportunities for women that want to do this!”
Outside of the gender binary, the “TF7 Radio” guest advised for those in the back-end of cyber security to work on soft skills so that their careers don’t stall when they’re asked to do more within the organization.
The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.
To listen to this and past episodes of "Task Force 7 Radio," click here.
Find Christofferson on LinkedIn, here.
Be Sure To Check Out: 'Not Going To Automate Our Way Out': FBI's David Wallace