25 Nov Tech Talent Meetup: Hacking Security Event Recap
We practically live online. Almost everything we do, from shopping to reading news, communicating, learning, working, even having fun, is done through a cloud application on a computer or mobile phone. That means your information, and that of your relatives, friends, and clients, is also online. That’s why there are sites like fraudwatchinternational.com to help you keep your information safe. With technology constantly changing and evolving – along with hacking – how safe do you think this data really is?
This was the focus of the Tech Talent Meetup panel discussion on November 22 at the BC Tech Innovation Hub. Security experts Greg Wcislo, Head of Security at SAP Analytics, Sabino Marquez, Chief Information Security Officer at Allocadia, Dominic Vogel, Chief Security Strategist at Cyber.SC, and Chris Thompson, Security Lead at Clio, talked about why security matters, the greatest risks and threats, what companies do (or should do) to protect their clients’ data, what certifications and career growth opportunities are available, and what you can do to protect your own information online. Jeevan Saini, Information Security Architect at Vision Critical, moderated the evening with many interesting questions for the panel, which was followed by Q&A and networking over pizza and pop – provided by our event sponsor SIGnature Recruiting, who not only fed us all at the event, but also gave out Cactus Club gift cards to a few lucky attendees!
If you missed it, here are a few highlights:
Why does security matter in your organization?
Because it matters to our customers, and because our leaders need access to the right information in order to make decisions. Data is cash, and should be treated and defended as such. Security is an evolutionary journey that must be taken seriously.
Name one thing that has made the largest impact in improving your organization’s security posture.
- Investing in education and mandatory security training for developers.
- Having a point of contact for staff’s security-related questions or concerns, someone who has the authority to go toe-to-toe with a CEO.
- Having the business buy into the idea that you can push and augment risk detection at the human endpoint. Companies often do blanket checkbox training without taking into account that all humans and environments are different; to detect risk better, you have to dive into people’s worlds to understand how data flows, then customize training accordingly.
- Moving the mindset away from focusing solely on preventive technologies and investing in detection, which helps you understand how quickly you are able to respond to and contain breaches.
- Overall, the best way to protect data is to not store it at all; push back and ask if the information really needs to be stored and if it really delivers value to the organization.
It’s really difficult to secure everything in an organization, so how do you determine what is important to secure?
You secure what makes you money, what you’re contractually obligated to defend, and what is best practice. Focus on the data you use to make decisions, the data that belongs to customers, and the data you’d get sued over if it leaked. You can’t protect everything; if you try, you end up protecting nothing. Threat model your systems and data, and prioritize accordingly.
We often hear that people are the biggest security liability. How do you measure and manage that risk?
- With an audit you will always uncover gaps and insecure behaviours (if you don’t, you’re just not looking deep enough). Question how people are working with data, and whether they really need access to it – least privilege is key.
- Use password managers with two-factor authentication, and make them mandatory across the company.
- Test people’s phishing resiliency, then tie it to education. Phish your users too – this is an easy way to convince your leaders that something needs to be done.
- Empower users to detect risk on their own and practice security on the ground: sit with people, understand how they work, then provide solutions that are relevant to them.
What are some of your favorite or most used tools?
Nmap, Nessus, Acunetix, Burp Suite, Netcat, Brakeman, Retire.js, ZAP, Fortify, Checkmarx, AppScan. Burp Suite is popular for application security testing. The “OWASP Broken Web Applications Project” is a great starter tool and free to download. Kali Linux is a good learner toolkit to download as well.
What are the most interesting emerging technologies and trends in security?
- RASP and AI, although AI is still further out from being usable. Technologies, whether AI or others, that allow security analysts to save time and analyze real threats instead of potential threats will become increasingly popular: it is impossible for an analyst to review all reports on any given day, which means something always gets missed.
- The maturing of security microservices as a service is a good way to cover the lack of available security talent, and allows smaller shops to quickly increase their capacity when needed.
- Scary trends are DDoS, which is harder to mitigate, and the increasing interdependency between cloud applications, which increases the attack surface; these problems will be hard to solve.
There have been many major security breaches recently; the DNC was hacked, as was Ashley Madison and Target. As security practitioners, what have we learned from recent breaches?
There are many lessons to be learned from stories like Target’s, but unfortunately there hasn’t been enough incentive for companies to act on what’s being learned. Massive data breaches are usually tied back to something basic. Many of the threats can be mitigated, but often it comes down to a business decision: if the cost of a breach is lower than the cost of protecting against it, companies will take the breach. In this case, all we can do is some fear mongering to get them to buy into investing in security, but often businesses are not willing to trade features and usability for security, especially since there generally aren’t any consequences from the market. Businesses also need to remember to cover their security basics well, or there’s no point in spending thousands of dollars on shiny state-of-the-art security tools.
How do I know if a company I’m providing data to (LinkedIn, Facebook or even a small online retailer) is taking security seriously? How can I tell if they are working hard to protect my information?
If the service is free, you are the product, and companies will protect your information only to the extent that sharing your data would cost them their advantage. Although big companies try to be secure to stay out of the news, if Facebook, for example, got breached, customers would still use it and it wouldn’t cost Facebook a dime, so they don’t care that much. Small startups will likely not be secure either, since security requires investment that is being used elsewhere. It’s hard for an individual to know how secure his/her data is; you can ask about a company’s security practices and third-party audits if you get a chance, but there is very little you can actually do. Security audits often aren’t even read by anyone in the first place, and there are no consequences or due diligence. We need to evangelize its importance and demonstrate harm. In order for the industry to change, there needs to be a greater regulatory force, an outside entity to lead the charge.
What are a few things that I should do to protect myself online?
- Understand the difference between capital-P and lowercase-p privacy; security on its own is insufficient to protect you online if you’re unaware of how your information is being used.
- Have everything encrypted and use encrypted tools and apps. Be mindful of privacy: use tools that make tracking difficult, like a VPN or browsers in private/incognito mode, and use tracking blockers like “Disconnect”.
- Make sure your apps are set to auto-update, your web browsers are updated, and install ad blockers.
- Download and use a password manager (1Password or LastPass, for example) and use a different password for every website you go to. Use two-factor authentication whenever you can.
- Type your email address into https://haveibeenpwned.com to see if your information has been compromised.
- The biggest problem is that, for most people, convenience beats security; don’t fall into that trap.
As someone that wants to break into the security field, how can I get started?
Fundamentally, you have to be a technologist first. Then find out which of the three main areas of security interests you most: governance and compliance, application security, or IT security/DevOps. Incident response is probably the easiest to start with. Certain certifications can help get your foot in the door, CISSP and CISA for example. Software development is a great background for getting into application security, as it makes for an easy switch and makes you more effective – if you understand how things are built, it’s easier to figure out how they can be broken. Learn a few key tools and the lingo, and search for “OWASP Top 10”. There is a free online course from the University of Finland you can check out, and many other online resources to get started. A good security administrator is also a fantastic penetration tester, so learn both sides of the coin. Show genuine passion and seek out a mentor; there are many great security leaders in Vancouver, and LinkedIn is a great resource for finding them and reaching out. Go to local association meetings in Vancouver and relevant events, and do some networking. But remember: if you work at a company and you want to try out security, get permission in writing before you test their servers, or you can face criminal charges for it!
The IT security industry is huge, but many still sell security in a box, and that just isn’t effective for companies. Your security strategy needs to be focused on the data that is most crucial to protect, and your staff education customized to your specific people and environment. Security is a growing market with a desperate need for talent, and as other technical roles get automated, security analysts and experts will still be in demand for years to come.
A big thank you to our panelists for sharing so many great insights with the group and to SIGnature Recruiting for feeding us and being such a great addition. We look forward to seeing you all at the next one.
Join Tech Talent Meetup to stay informed about upcoming tech panels and discussions.
About the event sponsor: SIGnature Recruiting
“Since 2010, SIGnature Recruiting has been pairing exceptional people with short-term contracts and long-term careers in Vancouver’s flourishing IT industry. We have refined a process that focuses on quality over quantity. Because recruiting is a science and an art, not a numbers game. We weigh cultural fit and personality as heavily as skills and experience. Average won’t cut it. We only deal in excellence. Our team of tech recruiters have the foresight to look beyond one transaction. We think in terms of longevity and future potential, instead. We forge relationships that mean more than signing an offer. Essentially, because we care.”