On December 18th, 2013, the public was informed about one of the biggest data thefts in history; nearly one-third of American consumers were in jeopardy of their information becoming compromised via a massive Target hack. As more information unfolded, it became clear that Target was both the victim and the culprit. Evidently, hackers had begun capturing credit card data in November of 2013 and the company overlooked multiple red flags.
The crisis became a catalyst for more questions than answers. These cyber hackers had acted immorally and illegally, but Target failed to prevent the breach or handle it well. What could have been done to stop such a security breach? What should Target have done differently once it occurred? Does the government need to become more involved private affairs concerning cybersecurity? What happens now?
The newly appointed Director of Government Affairs for ISC2, Dan Waddell, may have some answers. Waddell spoke with Chris Dorobek on the DorobekINSIDER program about the current state of cybersecurity and why we should all be paying attention.
ISC2’s role is to act as a liaison between federal government and cybersecurity workforce. They monitor the latest cybersecurity legislation and policies from the hill to keep industry leaders informed.
Waddell reiterated how cybersecurity is no longer just an “IT play.” Many organizations define their risk and valuable information differently, but all must create a secure process to protect their data. Today, a company’s CEO must be tech-savvy enough to communicate with the IT department.
The director then spoke of how cybersecurity pertains to people, process and technology. “So I think it takes a lot a smart people on the frontlines. But make sure that they can look at those threats and vulnerabilities and be able to talk to the leaders in business terms, and in risk terms to say hey, look, you know, if we don’t patch this, this is going to be your impact; whether that be a cost impact, or a reputation impact, or a data loss impact, as it pertains to the federal government.”
Recent Target outrage over credit cards has sparked conversation on private versus public safety. “I think one of the things that we saw from the Target breach was the need to share information,” said Waddell. “That information needs to be shared in a quick and efficient manner so that folks across the line are protected.”
Today, all facets of an organization must work toward cybersecurity. “IT definitely needs to be part a that conversation,” said Waddell. “But the CSO needs pathways into HR, into legal, they need to have those types of abilities to make decisions and reach out to these different organizations so that when a breach does happen, [the fix] can happen pretty quickly.”
Waddell measures how he successfully performs his job by the feedback he receives from the federal government. He also measures it by the amount of jobs he provides. “There’s obviously a tremendous shortage with security folks right now, so anything we can do to help kind of increase those numbers would be a success in my book,” said Waddell.
Another goal of ICS2’s is to create the next generation of “cyber warriors,” said Waddell.
ISC2 is providing input to some colleges on their curriculums “so that once [students] get out into the workforce, they’ve already got a lot a that institutional knowledge ready to go.”
The federal government has a unique issue because some of the very people who have the skills to increase federal cybersecurity are the ones who end up threatening it. Many hackers, or the ‘bad guys,’ have the skills to be in the federal government but often lack the desire to work there, Waddell said. He hopes to integrate them into the government’s cyber workforce in order to create a stronger defense against an ever-growing offense of hackers.
Without the benefit of hindsight, we need to beat the hackers at their own game.