Cybercrime is a plague on all industries, but a technology-borne problem at its core. So it makes sense that leading IT experts and infosec solution providers would step up to provide key advice to the tech community on how to protect customers from prevalent cyberthreats.
To that end, the nonprofit IT trade association CompTIA this month officially announced the launch of its new Cybersecurity Advisory Council. The invitation-only body will deliver informational content, guidance and recommendations to the tech sector, but anticipates that many of its takeaways will be applicable across multiple industries.
It is already moving forward with three major initiatives: one designed to help educate c-level executives on cybersecurity, another focusing on how to build a mature infosec program, and a third examining prominent cybersecurity policies and privacy regulations, and how to comply with them.
In February 2020, CompTIA first began developing the concept and recruiting subject matter experts – now 16 in total. By November, the council hosted its first virtual meeting, creating an agenda for the coming year. The council will be co-chaired by Tracy Holtz, director of security solutions for Tech Data Corporation, and Kevin McDonald, chief operating officer and chief information security officer at Alvaka Networks. Kevin Nikkhoo, CEO of XeneX, will serve as vice chair.
Still, there is no shortage of cybersecurity associations, organizations and alliances. What makes this one different? What is it, exactly, that this particular council’s members bring to the conversation?
“They are the preeminent teachers, and the thought leaders when it comes to the skillsets that those touching computers around the world have,” McDonald told SC Media. When tech experts are left out of cyber debates, “it becomes more of an ethereal commercial discussion rather than an actual solution-oriented, how-can-we-solve-the-problems-we-see-every-day kind of conversation.” McDonald said truly productive discussions around how to properly defend against cyber threats must rise above the noise and focus on the info challenges that tech players contend with every single day.
“Technology vendors have been driving the cybersecurity industry for most of its existence,” added Chris Morales, head of security analytics at Vectra, and a member of CompTIA’s new cyber council. “That is where much of the innovation of tools and techniques leveraged in cyber defense and warfare occur. More importantly, by the very definition of a cyberattack, it is the technology companies that are the targets and enablers of cyber breaches to occur in organizations in the first place. The tech sector cannot be an idle bystander and must contribute its expertise to the conversation for all the organizations and people that leverage that technology in their everyday lives.”
“Tech leaders are the experts on cyber technology and have significant wisdom and experience to share,” said Diana Kelley, CTO and co-founder of SecurityCurve, another council member. “We know what’s possible, where the risks are, and how to build resilience and privacy into systems. Leveraging the expertise of the tech sector will enable the world to move forward with cyber-technology quickly, responsibly and ethically.”
Three key initiatives
The Cybersecurity Advisory Council plans to leverage a variety of content delivery methods – including digital documentation (blogs, infographics, etc.), podcasts, webinars, and media and law enforcement outreach – to advance its agenda and influence its intended audience.
“In our first year, the advisory council is looking at the bigger picture trends that are timeless and persistent,” said Morales. “Attacks are tactical and change and adapt to the landscape and times. Our focus will start from the top, with a focus on validating why an organization needs cybersecurity, what that program should look like and how to define and measure success.”
“We're focusing on how to help companies address some of the hard, long-term challenges in cybersecurity,” said Kelley, noting that this includes: “aligning cybersecurity with the board and the business and optimizing the security program as emerging technologies like the cloud and AI/ML are adopted. These are top of mind because they are hard problems that companies need support and guidance on.”
First among the aforementioned three key initiatives for 2021 is to help facilitate communication between security teams and the c-suite by educating upper execs on key cyber concepts. To accomplish this, said Holtz, the council will design informational content to instill such lessons as “where the risk exists within cybersecurity,” and “how to maximize the ROI” of cyber investments.
Regarding c-level executives, McDonald said there is a “desperate need” to address their “lack of technical knowledge and make them more comfortable with the IT-to-the-boardroom conversation.” The key, he added, is helping them know what questions to ask and how to ask them without fear of sounding uninformed or unsavvy.
“And I find them to be highly empowered when you actually break down for them the ‘geek speak’ that they hear all the time,” said McDonald. “And they're much better at making decisions that are good for themselves and their organizations when someone slows down, stops with the acronyms, explains why what they're being told is important and allows them to exercise their fiduciary duty in ways that they can't when they're afraid because they don't even know what questions to ask.”
The council's second initiative is helping tech companies understand how to build an effective, mature infosec program, including where to begin and what to prioritize. “It can be extremely overwhelming,” said Holtz, and mere firewalls and endpoint threat detection are not enough. For that reason, the council leadership intends to “build out a roadmap” to help companies achieve proper network security, while also recommending various “metrics that can be leveraged” and “tactical…guides on policies and procedures” to help implement better security.
“Personally, I am keen on metrics that show resilience and incident response preparedness as industry standards that can be used to benchmark a security program maturity level, technology efficacy, and organizational efficacy,” said Morales. “Once we measure we understand our true ability. It is important we are measuring the right things.”
Thirdly, the council will attempt to help tech developers, vendors, resellers and third-party partners hone their internal security and privacy policies while also complying with a dizzying array of state and federal regulations.
“We believe that having parity across states and simplifying the regulatory landscape is really important because it's super hard… when you have 50 different state laws on cybersecurity that you have to deal with,” said McDonald. “And if you have customers across 30 of those states, you have just a ridiculous myriad of rules that you have to follow, and they often conflict and it's hard to manage internal policies. So part of it would also be to try to find some level set that everybody can agree on. These are the basics, these are the things that we must be doing, and these are the things that would help defend you against the most common threat actors.”
As a side mission, the council is also expected to review the CompTIA Security Trustmark+, which is a certification of sorts that is bestowed upon companies that successfully implement a checklist of policies and procedures designed to detect, defend against, respond to, and recover from breaches and other security incidents, in a manner that is compliant with the NIST Cybersecurity Framework and key federal regulations.
CompTIA already has six other councils – including ones focusing on artificial intelligence, blockchain, drone, internet of things, business apps and channel development. Each year CompTIA gathers together all seven councils to collectively brainstorm on a larger issue. “This year, we’re going to focus on remote workforce and all the security elements around that,” said Annette Taber, senior vice president of industry outreach at CompTIA.
There is no shortage of issues that the council can potentially tackle in the coming years. Council member and Huntress Labs CEO Kyle Hanslovan said that over the course of 2020, the various members identified what they felt were the “key trends and drivers that were either influencing defenders or accelerating the success of attackers.” Among them were new attack surfaces created by the boom in software-as-a-service applications, stricter cyber laws, and the complexities of “managing the risks from insiders, devices and the supply chain.”
“I'd expect future efforts to move from the strategic level down the chain to operation and tactical guidance and education,” added Hanslovan. But for now, “each council member recognizes just how hard it is for practitioners to know where to start with security and how to navigate regulation and policies.”