#316 – JEFF BROWN – FUTURE OF WORK – CYBER SEC – INTERVIEWED BY HOWARD WIENER

Jeffrey W. Brown is a recognized information security and IT risk expert with a strong track record of more than two decades implementing cost-effective controls for global Fortune 500 financial institutions including Citigroup, Goldman Sachs, GE Capital, BNY Mellon and AIG.  He currently serves as the first CISO for the State of Connecticut.  His latest publication, The Security Leader’s Communication Playbook, is scheduled to be published in the Fall, 2021 by CRC Press. 

What drives the business model of your profession?

For cybersecurity, many of these elements are interconnected. The increasing digital footprint, continual struggle for talent and highly remote workforce all combine to form new security challenges. The increasing complexity of our digital lives and the addition of new technologies like AI, Internet of Things (IoT) and robotics will increase attack opportunities. The cybersecurity world is likely to get worse before it gets better.

The good news is that there are also more people interested in working in the field. There has never been so much information available either, we now have Masters programs and even PhDs as well as probably a hundred industry certifications. It wasn’t like this twenty or even ten years ago. I’m seeing increased cooperation in the industry as well, with groups like the Cybersecurity and Infrastructure Security Agency (CISA) and industry Information Sharing and Analysis Centers (ISACs) for sharing information. A lot of attacks tend to be used over and over and the more we can share this information with each other, the better prepared we will be when they are turned on us.

What major changes have you seen over the past few years and do you see coming in the next few?

The cloud has been a major driving force in our industry for some time, but when COVID-19 happened, there was a huge acceleration on cloud efforts that were already in progress. I think in the future, company’s that have and maintain their own data centers will be the exception. The highly distributed nature of IT and the shared responsibility model between company and cloud provider will be tricky to navigate.

I also think that security programs will have to work closer with the business than ever before. Serverless computing and Dev/Sec/Ops are driving technology deeper and deeper into the business and security will need to get closer to the business to understand risk and how to best implement security controls.

Which of them do you think will be the most impactful? In the near-term? In the longer term?

For companies that remain remote, the concept of the security perimeter will be forever challenged. There can no longer be a “behind the firewall” mentality when people and systems are so distributed. It was a dated concept anyway, but some security pros will need to catch up to this fact.

There’s a lot of change going on with technology. Serverless computing, cloud, VDI and other technology are going to be challenges. Security is really a collection of disciplines, each with their own sub-disciplines. We need to understand the technology as well as IT and then go even deeper to understand how to secure it.

Which will be most difficult to navigate and why?

People issues will always be the most difficult to navigate. People remain the weakest link in security and the need to focus on problems like phishing and security training and awareness will continue to take center stage. Work from home has introduced new challenges with shared machines, insecure home networks, printing sensitive information and discussing sensitive information. The concept of the office as a walled fortress with badge readers and security guards has become irrelevant in this world. Cybersecurity is one of the few disciplines that needs to educate every employee in a company. It’s a tough problem, but we need to continue to make security accessible and understandable for average users.

How do you think your profession will have to change to adapt?

Security professionals will need to struggle more to ensure that they have and maintain a seat at the management table. There may be a number of compromises managing the new remote workforce and we will need to make sure that security stays engaged in these conversations and balances security requirements with business needs. We are not always going to be able to say no to new technologies, so we need to take a negative stance infrequently and with a lot of caution. We should be enabling new technology through proper security controls, not just standing in the way of progress and trying to halt progress.

What advice would you give to anyone contemplating entering or remaining in the profession?

The demand for cybersecurity professionals will continue for the foreseeable future, and the need for talent in this space continues to grow. While even many white collar professions have been hit with workforce reductions, security roles that focus on risk management, strategy, business operations and IT will continue to thrive. However it’s a dynamic field, so people should understand that you need a life-long learning approach to succeed. To me, this is what makes it such an exciting field in the first place.

Leave a Reply

Your email address will not be published. Required fields are marked *