Today I attended CLOUDSEC 2016 in London, which gave an insight into how to take control of the cloud and have a good cyber security strategy.
The speaker of the day for me was Rik Ferguson, who made a few interesting points.
During the Panel Discussion: "Key Questions Every CEO Should be Asking About Cyber Security", he made the comment that we should sandbox our users. This may have brought a laugh to some of the more technically focussed audience who would blame users for everything! What Rik clarified was that organisations should allow users to make mistakes safely, and be able to learn from their mistakes.
During his session "Take Control: Empower the People", there was a delay setting up the presentation, where Rik began to discuss the IT Skills Shortage. Why do employers look for certifications rather than people? Many job adverts look for qualifications such as CISSP, CISA, CISM, etc., but not character traits. As Rik points out, organisations should be looking for people with tenacity, who are analytical, lateral thinkers, natural problem solvers, and people who can think differently. Much like my belief, there isn't an IT Skills Shortage; employers aren't looking for the right things!
A few takeaways include:
- "The board don't understand Security" - They don't need to, security need to understand the business.
- "Compliance is the obligation, Security is the aspiration"
- Have an Information Security program in place
- Ensure employees are educated, aware and engaged
- Form an incident response team - Include technical, legal, finance, PR, marketing and the board
- Investigate and fix incidents in a timely fashion - Look at people, process and technology
- Notify customers in the event of a breach
- Learn and Improve