Why Privacy 1.0 Isn't EnoughISACA's Robert Stroud on Privacy Recommendations
Among the top five resolutions security professionals should make in 2014 is what's known as Privacy 2.0, says ISACA's Robert Stroud, who outlines the need for increased scrutiny around personal information.
"What we've got right now is ... a bifurcation in the marketplace," says Stroud, a member of ISACA's strategic advisory council, in an interview with Information Security Media Group [transcript below]. "One group, who is probably a little bit like myself, is trying to hold onto their privacy and information. The second group is of [the] attitude [that] 'if the world knows everything about me, then I've got nothing to hide."
Either way, security professionals need to know what kind of personal information is freely available and how it's being used, Stroud says.
"That's one of the challenges of privacy now, information that's freely out there and available on the web through your day-to-day dealings," he says.
In an interview about 2014 information security careers, Stroud discusses:
- The top five resolutions for InfoSec professionals;
- How IT professionals can slim down big data;
- The details of Privacy 2.0.
Stroud is a member of ISACA's Strategic Advisory Council. ISACA is an independent, nonprofit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. A past international vice president of ISACA, he serves on its framework committee. Stroud also is a governance evangelist as well as vice president of strategy, innovation and service management at CA Technologies.
5 Resolutions for Security Pros in 2014
TOM FIELD: How did Information Systems Audit and Control Association go about establishing the specific resolutions for IT security pros in 2014?
ROBERT STROUD: One of the great things about ISACA is it is a membership organization of over a hundred and ten thousand individuals, many of which are security professionals. So what we've done through the course of the year is surveyed and discussed trends that are issues that are merging in their day-to-day roles and came up with a collective list. Then, we pared that list down to five issues and concerns that we're seeing in the industry now; those challenges that are of most interest to the industry professionals preparing for the start of 2014, and the challenges that it will bring.
FIELD: What needs to happen for security professionals to prepare for Privacy 2.0?
STROUD: Privacy 2.0 is the next generation of privacy that is going out there, and I think a number of events and issues have happened in recent history that have made people aware of their privacy and the fact that their personal identifiable information is being leveraged and used sometimes for good and sometimes for bad. So what we've got right now is almost a bifurcation in the marketplace, two groups. One group who is probably a little bit like myself, trying to hold on to their privacy and information, and the second group who are of an attitude "if the world knows everything about me then I've got nothing to hide." These two groups are going to continue for a period of time, but I think one of the things that we need to be aware of is that privacy is something that you need to understand. You need to be able to look after and control what people know about you, what information is freely available, and how that information is used. I'll give a good example. Recently, there was a survey of industry professionals in one of the industries that I'm involved in, and I knew nothing about that industry or the fact that my name had been leveraged and added to that group. Now, their writing of me and my skills may have been correct or incorrect, it didn't really matter. The reality of it is that I had no insight into that information being used, and that is one of the challenges of privacy now; information that is freely out there and available on the web through your day-to-day dealings. It can be collated and aggregated to come up with an opinion or proposition, or even an offering, of you. I think we need to be a little bit guided of this information of personal data. It's a currency that we want to leverage and use, spend when we need to, and hold on to when we don't. So one of the tips that I will give the listeners this year as we move into 2014 is, understand where that privacy information is being used. I'm not telling you not to do it. What I'm trying to do is be aware, and in being aware you can make good decisions on whether you're going to allow it to be available or not.
Slimming Down Big Data
FIELD: The second resolution is to slim down big data. What is it you're asking IT security pros to do?
STROUD: There is an explosion of data out there today. Let's all be clear; we've now developed techniques and tools that allow us to aggregate structured and unstructured information. In a recent 2013 ISACA IT Risk Reward Barometer, one out of four respondents chose big data as a major issue they should be aware of. One of the interesting things that I've learned in my time as an IT professional is: Garbage in is often garbage out. So one of the things we have to do as we work at how to manipulate and leverage big data for value for our organizations is we want to really understand which information sources we're using; what is of value and what's not. As you consolidate one of the things, I'd like to really share as a technique, certainly in 2014, is eliminate those data sources that don't add a lot of values, that don't really help drive you to business outcomes. It might be fun to analyze it, but the reality is, we're all about driving value. For 2014, slim down the big data, use the sources that make sense, understand where they add value. I'm not saying throw away the others, but maybe bring other data sources in a managed way so that you can leverage them and understand the value.
Hot Cybersecurity Jobs in 2014
FIELD: Where are the sectors where cybersecurity and data analytics expert jobs are the hottest in 2014, and what are organizations going to have to do to be competitive?
STROUD: Let's be very clear; cybersecurity has become a high profile topic in the last 12 months where all are aware that cybersecurity is an issue and that we need to start protecting businesses from these attacks. It is kind of becoming the new battlefield, or the new area of concern, for enterprises where people may look to disrupt or actually attack their business. These professionals are hard to find and are out there for sure, and they need to understand the business and the business value. You need to go out and hunt these people down, bring them into your organization, and effectively position them so that they cannot be caught up in red tape in terms of implementing effective systems, but also executing as well. You really need to look for these people and bring them in and again empower. Now some people call data analytic experts data scientists. I think we're really going to start to see these people and come about, you know I'm aware of many organizations now looking for data scientists. You're going to be looking for the right skill sets, and these data scientists are probably going to have not just the ability to analyze mathematical logics of data, but they are going to have to have a business savvy sense so they can understand where trends and patents can equate to business competitiveness and value. These people are going to have to be fairly well-compensated in 2014, and their job descriptions are going to have to be good as well. I tell everybody who I speak to, if I were starting in this field right now, I'd be looking to go into either cybersecurity or a data scientist role because I think that is going to be the hot job for the next few years.
Using Security Experts
FIELD: The resolution I find most interesting is re-thinking how your enterprise is using your information security experts. What do you mean by that?
STROUD: We ran all the components even at one stage of my career, laid the lines to our branches. Well that doesn't happen anymore today. A technology solution stack is made up of many partners, many suppliers, maybe cloud or maybe not, maybe private cloud or maybe not. One of the interesting things that we need to understand now is that this complex environment opens up many opportunities for the enterprise to be attacked or exposed. What we've got to do now is start having our own information security experts be hunters. To go out there and understand the risk profile of the organization and the opportunities therein where we can be intact. So instead of your threats coming from internal ...we're going to have to start looking for these external threats and the previous one links to a little bit with cybersecurity. What you've got to do is proactively seek out and detect the threats, understand what they are and build up an intelligence capability so that you can understand where these attacks are going to come from. Ultimately to do this, you're going to have to understand your threat and risk profiles. What we are suggesting at ISACA is that you go and invest in an operational risk analysis process; understand where the exposures to your business are from a financial perspective, from a business perspective, from a continuity perspective, and place the most profile and effort on those areas rather than trying to do it across the whole estate. It is truly about identifying the threats and vulnerabilities, and investing the most effort there rather than everywhere.
Internet of More Things
FIELD: What are we talking about when we get to the internet of even more things?
STROUD: I can't imagine 50 billion devices as I try and think it through. Imagine a day where everything is just connected to the internet, where you've just got every device in your personal life linked to the enterprise, is linked to every aspect of our life. That is where we're heading. Intelligence centers are being installed in most devices; wearables are becoming a big option today, where you know your pulse rate and heart rate are being consistently monitored. I think as we move forward, we're going to have to understand this. We're going to have to not run away from this, but effectively leverage it. You know my example I've given before is that my internet of things in my house is the ability to remotely control the alarms, the locks, the heating, and soon the appliances in my house remotely from my iPad. Every device in my house is interconnected, and I can leave my house and say, "Oh I forgot to lock the door," and I can quickly look on my iPad and press a button. That it is in every aspect of our life, this is where we're heading to.
You know many of you may have bought a car recently, and that car is connected to multiple devices. In fact, one car I was recently looking at reports the health of the car back to the dealer on a regular basis, so that the car manufacturer can understand how those components that are put in that vehicle are performing; it can proactively warn you where you need service or maintenance. These are the types of value propositions we're going to start to see from the internet of things in terms of our personal life, and of course they are going to spread into our enterprise life as well.
The interesting thing about this is, most of these devices are going to be invisible to us as consumers and end users. So one of the things I'm saying to enterprises is you need to be aware of the fact that the internet of things is coming. You need to work at how to leverage it and use it for good and power. In doing so, it's going to come with a lot of opportunities, and of course, with some threats and vulnerabilities. You need to understand these and effectively manage them. I don't think we can imagine the proliferation of devices in our wildest dreams at the moment that we'll see in the next few years. It is coming and coming fast.
Preparing for Challenges
FIELD: How should IT security pros best be preparing themselves for the challenges of 2014?
STROUD: I want to just summarize it in three things. First, one of the things I recommend to our members at ISACA is that you look at the intellectual property that we develop to help you now. We've talked about codes in the past and the opportunities and frameworks that effectively govern and manage their organizations. One of the things that we've done in the last 12 months at ISACA is develop a lot of practical guidance, white papers, contents, guides and even audit guides to help our membership and those outside it to understand the threats, vulnerabilities, opportunities and how to effectively leverage that. So one of the things I'd like to really challenge the security specialists out there with is to go and look at the ISACA website and do a search on cybersecurity, privacy, big data, internet of things, and you're going to get a number of white papers, standards, and guidance there that you can leverage and use.
You need to be able to leverage and use those, but most importantly, before you use them you need to keep yourself current with these trends that are happening in the industry. These trends are coming, and they are going to impact your business. You need to then take these trends and map them to your business impact. It's not that business impact when you think about it, how you can leverage these for both positive so that you can grow the business, and of course how you can protect the business and mitigate the risk where appropriate. Do an effective risk assessment.
Go look at the ISACA website, at the materials there, keep yourself current, and then of course keep your certifications up to date. Ensure that you're meeting with professionals in this space, leveraging their content and intellectual property. At ISACA, we offer a number of certifications to help you. One is our certified information security manager or CISM, and the second is our C-Risk, which is certified in risk information systems control. Look for these certifications. They will certainly help you and keep you aware of what you're doing, and how to do your job effectively and efficiently.