CSO of the Year: Stephen Scharf

IA: What are some of the major challenges you believe you and your counterparts at other companies/government entities face in the next year? What about the major threats to your organization and its critical data?
SS: Employee diligence is an ongoing effort. As previously mentioned, we spend considerable time and money on employee awareness. We understand that employees are focused on getting their jobs done and do not always think before clicking. Therefore, we marry our awareness efforts with numerous automated protections to help defer the risk of malicious activity initiated by user behavior.

IA: Any advice on how to tackle these?
SS: A program of constant diligence. When responsible for protecting a highly complex and distributed environment, it is important to leverage scalable technical solutions that complement robust end-user training programs.

IA: What are the threats/newer applications that you think you and others in your position must address this year? How will you do this?
SS: I do not foresee a new class of attacks, but rather continued sophistication of existing attack vectors. I believe that malicious events will continue in the same frequency and leverage greater use of stealth. The obvious signs of the ‘Nigerian scam’ messages will be replaced with highly credible and real-looking phishing and other social threats that prey on the average user. The continued proliferation of social media will aid in fostering these attack vectors and lead to an increased success rate.

IA: What are the security technology must-haves companies/governments should have in place?
SS: We have grown past the basic use of firewalls and anti-virus. Those are now defined as the preschool requirement of security. More robust security programs will leverage a mixture of data leakage prevention solutions, malware detection, application level firewalls and forensic tools.

IA: What about policies and programs?
SS: These are a must-have in any organization. The security policy defines what is acceptable. It is then possible to leverage policies to establish control baselines, which are measured across the organization.

IA: What's your best advice to others when it comes to building a strong security program?
SS: Ensure that your security strategy maps successfully to your company's risk profile. Security is highly subjective and can be ultra-conservative, such as top-secret government installations, or it can be loose and flexible, like a new start-up organization. A successful security executive must understand the appropriate level of risk in their organization and then build their security program to complement that risk level.

IA: Any hobbies, destination spots or other more personal areas of your background that you would like to share?
SS: Not that much. I recently started to pick up golf and enjoy a good game of poker or chess. I also volunteer in the industry and currently sit on the board of directors of ASIS [a security organization with 37,000 members worldwide that develops educational programs]. I am also a past member of the board of directors for the Information Systems Security Association [ISSA, a nonprofit, global organization of information security professionals and practitioners].