Australian Cyber Security Magazine, ISSUE 1, 2017


Cyber Security

INFORMATION SECURITY: Not just for hackers

By Anthony Langsworth

Hardly a day goes by without reading about the information security skills gap. Changing IT landscapes (e.g. virtualization, cloud, BYOD, IoT, BlockChain, AI) coupled with increasing technology reliance, attack sophistication and frequency, mean even non-tech companies need information security expertise.

However, the information security industry focuses heavily on hacking. Conferences that focus on new exploits or defences, like BlackHat, are "proper" information security conferences and those focusing more on business, as RSA does, less so. This binary viewpoint – you are either a security person or not and there is only one "true" information security professional – does more harm than good.

Hacking is technology focused, leading to technology-centric thinking or tunnel vision. Information security needs people that can articulate security issue impact, potential solutions and their cost in terms that non-security people can understand. Information security needs people that can talk to non-information security people as equals instead of just being "the security guy."

How often do frustrated information security staff complain about people not prioritising security? About how people need to be more vigilant? About the lack of repercussion for lapses? Bridging the divide needs two things: expertise in other business areas; and the credibility to be listened to. Expertise can be valued at an individual level, in the management or the boardroom. Credibility usually requires acknowledged expertise over an extended period.

Security solutions are not just technical. For example, we live in societies governed by laws. These can be standardised government security requirements such as FedRAMP or IRAP. These can be contractual obligations like PCI-DSS, covering credit card transactions. These can hold organisations accountable, like mandatory breach disclosure legislation, or protection of privacy, such as the European Union's Data Protection laws. Effective legislation requires knowledge of both law and information security and the political nous to get it enacted.

Financial systems also surround us. Those that punish those with weak security and reward those with proper security will only evolve if we (consumers and investors) value security more. Cyber insurance has potential. Cryptographic technologies like bitcoin and blockchain


Australian Cyber Security Magazine, ISSUE 1, 2017 by MySecurity Marketplace - Issuu