When companies are planning out their cybersecurity strategy today, they often have to strike a difficult balance between preventive and protective tools to protect their assets against cyber attacks. International Business Times spoke with Dave Mahon, chief security officer at CenturyLink, to learn more about cybersecurity trends in the corporate and technical space.
Mahon has been with CenturyLink since 2001, where his work has focused on areas including enterprise security, cyber defense and network fraud protection. Previously, Mahon worked as vice president of corporate security at Qwest Communications and was also a Supervisory Special Agent with the FBI until joining Qwest in 2006.
IBT: In your experience, how have companies and the information security space evolved within the past few years as more businesses have become aware of the threats from hacks/data breaches?
Mahon: Some companies have evolved and some have not evolved. There are three types of information security or cybersecurity programs across all the industry verticals: 1) reactive, 2) proactive and 3) predictive. Most of the industry verticals are somewhere between reactive and proactive. Very few have reached the advanced state of predictive. Businesses that have become more aware of the threats have moved their information security programs and cybersecurity programs from being a Technical Solution Based Strategy to a Threat Focused Strategy.
By this, I mean these businesses recognize that our profession is cyber risk management and that you must focus on the adversaries: nation states, multinational criminal organizations, hackers, terrorists and insiders. These businesses are moving from being proactive to predictive, studying the adversaries, determining their objectives, developing actionable threat intelligence and implementing enterprise-wide cybersecurity strategies that enable the achievement of the corporate objectives.
IBT: For enterprise/corporate customers, what unique challenges do these customers typically face with maintaining sound cybersecurity practices compared to typical consumers?
Mahon: Corporations are in the unenviable position of having to respond to several challenges that the typical consumer does not face. First, litigation risk: corporations and their Boards of Directors are being sued for negligence if they do not have adequate Cybersecurity Governance, Risk and Compliance programs.
Second, if the corporation is a publicly traded company, it must comply with the U.S. Securities and Exchange Commission Disclosure Guidance on Risks within the context of cybersecurity risk if those risks are considered material for the business. Third, corporations that want cybersecurity insurance must meet the requirements of the insurance providers.
IBT: What’s one cybersecurity issue that businesses should be paying attention to?
Mahon: The most important issue to pay attention to is to be sure you have a well-thought-out cybersecurity strategy and that the strategy enables the achievement of business objectives. Second, understand this is a risk management profession, and while you need technical expertise you also need leaders with risk management experience.
Third, after you have developed your strategy, assess your capabilities. If you cannot implement your strategy due to inadequate resources, strongly consider obtaining assistance from a Managed Security Services provider. Fourth, have clear metrics that track your objectives. Fifth, understand what actionable threat intelligence is and how to enrich your capabilities by studying the adversaries who are attempting to disrupt your business operations.