Q&A With Ricardo Bruno, CISO of Activesec
The news carries a seemingly endless flow of security breaches (Yahoo and LinkedIn being the most recent examples). Although the well-publicized incidents involve major companies, they are not the only ones at risk. We asked our friend and infosec expert Ricardo Bruno to share some tips and information on how businesses of all sizes can be more secure.
Fun Fact: In 1988, Robert Morris infected computers nationwide by releasing the very first internet worm – using 99 lines of code. http://bit.ly/b67PpV
Over the past year we have noticed a spike in news reports about information security incidents and data breaches. What do you think is the main reason for this increase in malicious activity?
Most of the affected companies have been vulnerable to these cyber-attacks for many years. They may or may not have known about their risks, based on the effectiveness of their security efforts, or lack thereof. What really changed is that, years ago, only a limited number of individuals and organizations could perform such attacks; today, with a multitude of security attack information widely available, any tech-savvy person can perform such attacks with a small budget. Additionally, all the years of [information security] neglect are starting to catch up to businesses that don’t have a good understanding of why/how they must protect information systems.
What advice would you give to individuals and companies trying to make their systems and networks more secure?
Even organizations investing heavily in information security have been victims of successful cyber-attacks. While we should all aim to build and maintain secure systems, I have been saying to my clients that “Defensible” is the new “Secure”. Businesses should plan their security strategy around the fact that attacks will happen and vulnerable systems will be taken advantage of; it’s only a matter of time. With a good understanding of this reality, companies can implement strategies to detect and contain successful attacks before they negatively affect the business. Security teams cannot win the security battle alone; they need a voice representing security in the boardroom, so that security can be a building block for success.
Thank you for your time. Can you please leave us with some tactical tips that would help our companies stay on the safe side?
Thank you for having me! Below are some relevant tips for your audience.
CXO: Think of information security as a business enabler, something that exists to help the business succeed and protect its goals. Giving security a seat at the table will help the business better understand and manage risks, and protect its interests.
Product Folks: Make security a component of your projects from the get-go (i.e. make security a part of your SDLC process). Building security after the fact is painful and more costly.
Developers: Visit and get involved at the local OWASP [https://www.owasp.org/] community. They have a lot of resources to learn from and help you make a positive security impact through your work.
System Admin: The major software vendors, NIST, and the NSA frequently publish great guidelines on how to better secure their operating systems and platform software; check them out.
Desktop Support: Make sure your desktop systems have not only the latest operating system patches, but also make patching third-party applications, especially browser plugins, a priority; that’s where most of the attacks and infections are happening today.
Security Ninjas: Be nice, be patient, and stay classy. Everything is going to be alright! We need to get more out there to foster relationships, and create allies within and outside our organization to help build a more secure community.
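As an added illustration of the Desktop Support tip above (not code from the interview or from Activesec), here is a small Python inventory check that flags installed components sitting below a minimum patched version and ranks browser plugins ahead of other third-party applications and the operating system, so the patching queue follows the priority the tip describes. The component names, version strings and baseline are constructed placeholders; in practice the baseline would come from the vendor advisories and guidelines mentioned earlier in the interview.

```python
"""
Flag installed software that sits below a minimum patched version.

Added illustration, not code from the interview or from Activesec. The
inventory and the baseline below are constructed sample data, and every
version number in them is a placeholder rather than a real advisory.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Patching priority: browser plugins first, then other third-party
# applications, then the operating system itself (lower number = sooner).
PRIORITY = {"browser_plugin": 0, "third_party": 1, "os": 2}


@dataclass(frozen=True)
class Component:
    name: str
    category: str   # one of the PRIORITY keys
    installed: str  # version string as reported by the inventory tool


@dataclass(frozen=True)
class Finding:
    name: str
    category: str
    installed: str
    minimum: str | None  # None when the baseline has no entry for the component
    priority: int


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.5.3-beta' or '2021.1' into a comparable tuple of ints.

    Non-numeric trailing tokens are dropped, and trailing zeros are stripped
    so that '1.2' and '1.2.0' compare as equal.
    """
    parts: list[int] = []
    for token in re.split(r"[.\-_+]", text.strip()):
        m = re.match(r"\d+", token)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_below(installed: str, minimum: str) -> bool:
    """True when the installed version is older than the required minimum."""
    return parse_version(installed) < parse_version(minimum)


def find_outdated(inventory: list[Component], baseline: dict[str, str]) -> list[Finding]:
    """Return outdated or unmanaged components, most urgent first.

    A component with no baseline entry is reported too (minimum=None): an
    application nobody tracks is exactly the kind that never gets patched.
    """
    findings: list[Finding] = []
    for c in inventory:
        minimum = baseline.get(c.name)
        if minimum is None or is_below(c.installed, minimum):
            findings.append(Finding(c.name, c.category, c.installed, minimum, PRIORITY[c.category]))
    # Known-outdated components sort ahead of untracked ones within a priority.
    findings.sort(key=lambda f: (f.priority, f.minimum is None, f.name))
    return findings


# Constructed sample inventory and baseline (placeholder names and versions).
SAMPLE_INVENTORY = [
    Component("ExampleOS", "os", "10.0.19041"),
    Component("ExamplePDFReader", "third_party", "11.0.2"),
    Component("ExampleBrowserPlugin", "browser_plugin", "32.0.0.101"),
    Component("ExampleArchiver", "third_party", "6.1"),
    Component("ExampleMediaPlugin", "browser_plugin", "1.8.2"),
]
SAMPLE_BASELINE = {
    "ExampleOS": "10.0.19041",
    "ExamplePDFReader": "11.0.3",
    "ExampleBrowserPlugin": "32.0.0.120",
    "ExampleArchiver": "6.1.0",
}


if __name__ == "__main__":
    for f in find_outdated(SAMPLE_INVENTORY, SAMPLE_BASELINE):
        status = f"below minimum {f.minimum}" if f.minimum else "no baseline tracked"
        print(f"[P{f.priority}] {f.name} ({f.category}) {f.installed}: {status}")
```

On the sample data the browser plugin that is behind its baseline comes out first, the untracked media plugin second, and the PDF reader third; the archiver is not reported because `6.1` and `6.1.0` are treated as the same version, which avoids false alarms when two tools report the same build with different padding.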