Traditional cybersecurity principles that stress confidentiality, integrity and availability also now need to encompass safety.
Not everyone who is pursuing a master’s degree in IT wants to commit to becoming a cybersecurity professional, says Kendall Giles, an assistant professor of practice in Virginia Tech’s Online Master of Information Technology program. “Yet in today’s world, I think certainly every MIT student should come out of the program with a basic understanding of security.”
To provide that foundation, Giles teaches a semester-long security fundamentals course titled Cybersecurity and the Internet of Things, which uses a case-study approach to concentrate on the main principles. As he explains, IoT is the common lingo we use to describe taking internet-connected sensors and putting them on devices that can compute and gather data. Yes, he acknowledges, sensors allow companies to gather data more easily, but IT and business leaders also need to remember that each of those devices possibly has vulnerabilities. “[I]f it’s easier for you to gather data, it’s easier for the malicious hackers to gather that same data and use it,” Giles says.
Because IoT involves physical devices, the traditional cybersecurity principles that stress confidentiality, integrity and availability also need to encompass safety now. That changes how companies should approach security, Giles says.
For one, the chief information security officer in charge of cybersecurity needs to work with the chief security officer in charge of physical security to develop a coordinated plan of action in the event of an attack. Second, given limited resources, organizations need to prioritize their critical assets and put in control mechanisms to protect those above all others. But the most effective way to address security concerns is to become educated, Giles says.
“Everything in our lives is online,” Giles stresses. “We can no longer afford not to understand the basic principles of security.”
David Raymond, a faculty member for VT-MIT’s online graduate program as well as deputy director of the university’s IT Security Lab, urges his master’s students to understand that business and cybersecurity need to work together.
While the cybersecurity team is busy putting together a layered approach with multiple levels of defense and checks and balances, the business side needs to help them prioritize the risks so they know where the work needs to focus.
When a security event occurs, too often he sees organizations treat it as a natural disaster, something outside the company’s control. Better, Raymond asserts, to “treat it as some level of failure. Somebody failed to do something that caused it to happen.”
In the case of Equifax, a web application vulnerability that wasn’t fixed in March, when the patch was available, led to the May break-in and theft. Former CEO Richard Smith blamed a single employee for the problem to a Congressional committee. That response led to plenty of nonpartisan condemnation. As one representative asked during the hearing, according to The New York Times, “How does this happen when so much is at stake? I don’t think we can pass a law that, excuse me for saying this, fixes stupid. I can’t fix stupid.”
Raymond likens such mass cyber break-ins to a bridge falling into the water. “That is going to cause investigations [and] lawsuits, and the company that built that bridge is going to be out of business.” In civil engineering, he says, “there’s a compliance infrastructure and requirement that these things be engineered in a certain way. Security engineering just hasn’t gotten to that level of maturity.”
How can companies mature? One step Raymond recommends is adopting a “robust security framework” — a strong process for securing systems. An example is CIS Controls, produced by the Center for Internet Security, which is a prioritized set of actions for securing the organization’s infrastructure and its data.
“It starts with relatively simple things — like having a full inventory of computing devices that should be connected to your network and then periodically auditing your network to make sure there aren’t any unauthorized computing devices connected to it,” Raymond says. The point is to pick something and then do it. “You shouldn’t be making it up as you go along,” he says.
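As an added illustration of the inventory-then-audit control Raymond describes (this is example code, not anything from the article, CIS, or Virginia Tech), the script below reconciles a constructed authorized-device list against constructed scan output in an ARP-table-like layout, flagging devices seen on the network that are not in the inventory and inventoried devices that did not answer this audit:

```python
import re

# Constructed authorized inventory: MAC -> (hostname, owner). Not real data.
AUTHORIZED_INVENTORY = {
    "00:1A:2B:3C:4D:5E": ("fileserver01", "IT Ops"),
    "00:1A:2B:3C:4D:5F": ("hvac-controller", "Facilities"),
    "AA:BB:CC:DD:EE:01": ("printer-lobby", "Facilities"),
    "AA:BB:CC:DD:EE:02": ("badge-reader-east", "Physical Security"),
}

# Constructed scan output, one "<ip> <mac> <hostname>" entry per line.
# Includes mixed MAC formatting and one malformed line on purpose.
SCAN_OUTPUT = """\
10.0.1.10 00:1a:2b:3c:4d:5e fileserver01
10.0.1.11 00-1A-2B-3C-4D-5F hvac-controller
10.0.1.20 aa:bb:cc:dd:ee:01 printer-lobby
10.0.1.77 de:ad:be:ef:00:01 unknown-camera
10.0.1.78 not-a-mac garbage
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.IGNORECASE)

def normalize_mac(mac):
    """Canonical uppercase colon-separated form, or None if not a MAC."""
    if not MAC_RE.match(mac):
        return None
    return mac.replace("-", ":").upper()

def parse_scan(text):
    """Map normalized MAC -> (ip, hostname), skipping malformed lines."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, raw_mac, host = parts
        mac = normalize_mac(raw_mac)
        if mac is not None:
            seen[mac] = (ip, host)
    return seen

def audit(inventory, scan_text):
    """Return (unauthorized, missing): devices on the wire that are not in
    the inventory, and inventoried devices absent from this scan."""
    seen = parse_scan(scan_text)
    unauthorized = sorted((m, ip, h) for m, (ip, h) in seen.items() if m not in inventory)
    missing = sorted((m, n, o) for m, (n, o) in inventory.items() if m not in seen)
    return unauthorized, missing
```

Calling `audit(AUTHORIZED_INVENTORY, SCAN_OUTPUT)` returns the unknown camera as unauthorized and the badge reader as missing; in practice the inventory would come from the asset database and the scan from the periodic network sweep.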
The most important driver for changing culture, however, is getting the two sides — business and information security — to work better together. Wade Baker, an associate professor of integrated security and a cybersecurity researcher in Virginia Tech’s Online Master of Information Technology program, has done research that shows, for example, that while company boards understand and value the business-level metrics for cybersecurity at high levels, the same isn’t true for the CISO.
“The board is craving this information. They need to know the organization is secure,” Baker says. “The CISO doesn’t really know how to explain it to them in a way they understand.” That, in turn, leads to a lack of trust, confidence and willingness to fund what needs to be done. As a result, he adds, cybersecurity initiatives don’t end up “in the right place.”
That’s why education programs that blend technical and business training — with a major dose of cybersecurity instruction — are so critical, Baker says. “It’s common that you have pure business with no technical and technical with no business. When you have people who live in both worlds, they’re valuable in an organization because they form a bridge.”
Virginia Tech’s Online Master of Information Technology program is offered jointly by the College of Engineering and the Pamplin College of Business. It has been ranked by U.S. News & World Report as No. 2 among “Best Online Graduate Computer Information Technology Programs” for the past four years.