I sat down with OnRamp’s Head of Information Security, Nikola Todev, to gain his insights on enterprise security planning and strategy.
Business leaders are challenged every day with managing their teams, their systems, and their technology. The juggling act has recently become more difficult with the rise of cyberattacks and security breaches—and the stakes are higher than ever. From poor access management to malicious insiders to failure to report security incidents, organizations are paying dearly for their errors through record-breaking fines and reputational damage. In 2016, the OCR collected a total of $23.5 million in penalties. Unfortunately, the OCR has already levied $11.4 million in fines in 2017, and it’s only February! Needless to say, we could all learn from others’ mistakes and work towards improved information security.
I recently spoke to Nikola Todev, head of information security for OnRamp, who drives our information security strategy and ensures we focus on mitigating the issues of today, as well as the unknown challenges of tomorrow. Here’s what he had to say:
How did you become interested in information security and what is your interpretation of the field?
Todev: Information security is not a specialty, it’s a mindset. I was greatly intrigued and influenced by system design—specifically, creating processes that satisfy both customer and business needs. It’s not as simple as it sounds; you must think about it from all angles. I learned from my mistakes along the way. Most of what I know comes from experiences that were difficult to forget. I learned from unfavorable situations that resulted from poor risk mitigation or insufficient design. My goal for the information security systems I develop and implement today is to ensure the availability, confidentiality, and integrity of our data and services.
What are the largest threats organizations face in 2017?
Todev: There are numerous reports (like Verizon’s Data Breach Investigation) that pinpoint where threats are coming from if you’re interested in seeing the breakdown, but the main ones to note are targeted [deliberate] attacks for data extraction. I expect that ransomware attacks will rise this year, due to insufficient security awareness, lack of training, and the sophistication of social engineering techniques.
Despite the number of data breaches and security incidents in 2016, a recent survey of 550 global organizations called the “2017 Cybersecurity Report Card” noted that 43% of organizations grade their cybersecurity as a “C” or worse. What’s causing this phenomenon?
Todev: Investing in security is similar to having an insurance policy; it’s not easy to justify the cost until something bad happens. And it’s not cheap—information technology systems are complex and implementing the right controls comes at a price. You need to budget for infrastructure investments and increased operational costs.
You mentioned mitigation earlier. What are the components of a good mitigation strategy?
Todev: There are two necessary components for any successful mitigation strategy: awareness and visibility. Remember, people can be a threat, but they can also be the protection. Visibility is essential in order to address incidents in a timely manner. I say that because it’s a matter of when an incident will occur, not if it will occur. How fast you’re able to detect and properly respond to an incident makes all the difference.
What defines a strong security culture? Is it measurable? If so, what metrics do you use?
Todev: If we want to manage something, we must find a way to measure our efforts. This is certainly the case for your organization’s security culture. Use the following key performance indicators (KPIs) as part of your plan: training attendance and participation, security quiz scores, the number of suspicious events reported by employees, the number of total incidents versus reported suspicious events, reported risks, documented managed risks, and the overall downtrend of your organization’s risk exposure.
What advice do you have for security officers and leadership teams that are struggling to develop a strong security culture?
Todev: If you do not have controls in place, start with the vision. As long as there is a vision for where you want to be, with the support of your executive team, the other pieces will fall into place. The next step is to establish a proper risk management program to provide much-needed answers on what requires protection and how those assets or systems will be protected. Prioritize the implementation based on risk probability and impact.
We can all agree that risk management training is necessary for everyone within your organization. What style of training seems to work best and how often do you recommend that the training takes place?
Todev: Risk management is all about perspective. There are many books and standards that discuss risk management, but the best tactic is to link risk management to something your audience already knows and understands. This makes it easier for them to integrate the process into their daily tasks. When you think about the consequences of your actions, including who and what is impacted, you establish the foundation of risk management. From there, risk management is about discovering issues, systematically documenting them, and noting how each issue will be addressed. Only you can determine how often your organization needs training.
What resources do you use to educate yourself and keep up with the latest and greatest in cybersecurity?
Todev: There are numerous public sources that detail the latest trends: Twitter feeds, online magazines, journals (ISACA, InfoSecurity Professional), government and private sources. I take into consideration how new technologies, systems, and user behavior work together and apply that knowledge to my risk management practices. Also, most of the security certification organizations provide regular updates on the latest security trends and issues.
What are your recommendations for those who do experience a breach or security incident?
Todev: Instead of thinking about incidents once they happen, try to think in terms of “what is needed” when an incident happens. You will find that there are many things that can be prepared in advance, including the answers to “who, what, where, and how.” For example, your plan should note how you detect problems, who manages the problem, the communication channels involved, how stakeholders are alerted of an issue, and how data is collected and managed after the incident. I find it useful to create an incident response team within your organization and train them via simulation for all identified possible scenarios. It’s pretty eye-opening; a simple simulation can expose many challenges you were not aware of before.