‘Handle Fear By Understanding’: Q&A With KnowBe4's Erich Kron

Dan Gunderman
01/08/2018

In the New Year, insiders and analysts are predicting the threat landscape to intensify – that could mean more mega-breaches, more data loss and more frustrated security teams. This comes as hackers grow increasingly bold in their efforts.

To counter that inevitable breach anxiety, or to bolster enterprise security in general, a number of variables are involved: technical solutions, communication and senior-level support. That is, technology is not the only mainstay in the cyber security discussion.

To help us better understand that concept – how gaps could be sealed and security ranks could be boosted – we spoke with KnowBe4’s Security Training Advocate, Erich Kron, who has over 20 years of experience in the medical, aerospace, manufacturing and defense fields.

Kron has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in information security.

Each month Cyber Security Hub will sit down with an executive from a solution provider in the space for a Q&A session, touching on a number of different topics to get a better view of the threat landscape.

Cyber Security Hub: How would you describe the state of cyber security at the moment (financially, or in terms of breach anxiety, etc.)?

Erich Kron: Challenging would be the word I’d use. The threats that we’re seeing today, and the sheer volume of threats and the quickness with which the bad guys are able to change their tactics for their attacks, are very difficult for people to keep up with. I think there are a lot of people falling behind, or feeling like they’re barely keeping their head above water.

(On breach anxiety): What I see happening is, executives are now realizing the sheer volume of breaches we’ve been seeing, and what damage it can do to the organization and reputation. Executives are losing their jobs over this.

For many years, security people were looked at as people who made a bunch of noise, who were stopping progress. Now, we’ve really gotten the people’s attention. They’re now realizing how critical security people are.

It’s now easier to get funding for security-related projects. That was always a challenge; it’s gotten easier. However, it’s opened a door. People understand what’s going on. In many cases, they spend way too much time looking at the technology aspect, implementing technology to try to cover holes we have in security. Unfortunately, when you deploy new technology, it costs you in financial dollars, but it also takes away from the ability for someone to do something else – the debt goes into the workforce, as well as money.

As people roll out technological solutions, we need more and more people to run these things. At some point it’s necessary to have technology solutions out there. But we need to focus on some other things that don’t involve quite so much technological overhead.

You handle fear by understanding. Once you know how something works, it’s not quite so scary. We can never expect executives to fully understand security, but there’s a couple of ways to tackle this. We need to be able to speak with the C-Suite eloquently… Fear, uncertainty and doubt – we need to get ahead of that. In addition, we must focus on people in the organization, the security culture, instead of just new technology… We need to focus on the security culture…and reflect some behaviors with them – to spot phishing emails, or report to the right people.


CSHub: What is the easiest way to outline and understand the growing threat landscape?

EK: It’s done for us in the media; that is getting out there. There’s a lot of FUD (fear, uncertainty and doubt)… Our job as security professionals is to then explain to our leadership, to folks that matter, that you must peel (things) back to get to the truth of it. We must come up with ways to do that. Unfortunately, we don’t do enough on the policies and procedures side of the house. We have to have that conversation more.

CSHub: Similarly, how do you see the skills gap/talent crisis affecting the industry? How do you anticipate it to change in the short term?

EK: The skills gap is somewhat of a misnomer in some cases. There’s definitely a gap between seasoned folks and newer folks…What causes that gap? Again, we can point to the technology out there. Fancy new technologies are rolling out all the time. Everybody is looking for someone proficient in XYZ firewall (etc.)… The product is only out for a couple of years…How proficient is it? We then recruit for that. There’s now a talent gap…It’s a self-induced deal there.

I think there are a lot of people out there, both junior and midlevel, that could be easily leveraged toward doing some things. We’re not doing a good job of understanding what we really need in the organization. With job recruitment, HR folks don’t always understand what they’re asking for… (One job may ask for) one to two years of experience and a CISSP, where you need five years of experience… (Sometimes) it’s pretty obvious that the organization doesn’t know what they’re looking for…

There is a tremendous amount of talented people out there, who can’t get past the front door of HR because of silly requirements. For a degree, for certifications, we must be careful we know what we’re asking for… That sort of thing will limit us from getting those people that are naturally good at this and have talents. We’re essentially shooting ourselves in the foot.

CSHub: Are there different initiatives underway to help boost the ranks?

EK: I really think what needs to happen is discussion between HR and leadership and security folks doing the job about what they’re really looking for. (They must) meet (and discuss) some of these roles. If we do that…we’ll do a lot better at getting the right people in there. It comes down to having (positions) well thought out before hiring people.


CSHub: How has compliance affected workflow? Is there a way to expedite compliance while still remaining diligent?

EK: We still need regulations regarding how we’re dealing with PHI (protected health information). And it has to be common sense or fair and reasonable when it comes to that… The regulating organizations have kind of missed the boat on some of that…

If you look at the threat landscape three years ago, and look at it now, you can consider some things now: Ransomware was hardly on the spot…now it’s everyone’s worst nightmare. How are regulations and regulatory requirements (changing that landscape)? (You have to) take that into account and (take a) meaningful (look) at the threat landscape.

Editor’s Note: Kron complimented regulatory measures such as the Health and Human Services (HHS) Guide on Ransomware, and its components that tackle PHI encryption and breach notification.

CSHub: What is one thing you would say to an active cyber security practitioner?

EK: I would reiterate: Don’t just focus on the technology. Don’t forget the company culture and policies and procedures. Too many people are bogged down, mired down. We throw different technology at things and end up with an overwhelming debt of time to be able to manage it all… I’ve seen it happen too much…
