The SIIA is delighted to introduce one of the newest members to join SIIA’s Software & Services Division, CISOSHARE. I had a chance to sit down with VP of Sales & Marketing, Ryan Vallone, to learn a little more about security programs and technology. Please find my interview below.
Rhianna: Tell us about CISOSHARE and what makes you unique.
Ryan: CISOSHARE published one of the first methodologies for implementing an organizational security program in 2005 and has implemented this approach in hundreds of organizations around the world. Being the first organization to focus solely on security program development within our offering, and our experience in helping organizations to improve their programs, make us unique.
Rhianna: CISOSHARE describes security program development as having 4 primary functions in an organization. Can you tell us more about these functions?
Ryan: Any healthy security program within an organization has a repeatable set of processes and documentation, along with people and technologies to perform these processes to produce the following functions:
1. Ability to establish a benchmark for security – In any organization, security touches every process, technology and physical element. Should passwords be 10 characters or 2? Should locks on the door be physical keys or access cards? A healthy security program will define these elements, often as a suite of security policies, standards and guidelines, across an entire organization.
2. Ability to measure against this benchmark – Once a benchmark has been established, the security program will implement and perform processes to measure the environment against this benchmark.
3. Ability to aggregate these measurements and present to management so they can make informed business decisions – Information gathered from repeatable measurement activities will be presented to management in order to make informed decisions, even if that is to do nothing.
4. Supports the execution of these decisions – Once a decision has been made, a healthy security program will support the implementation of that decision within the environment.
Rhianna: Why is it important for companies to use a security program compared to a security technology that relies on artificial intelligence?
Ryan: A healthy security program is like a repeatable training regimen with the end result being the ability to make and then implement better informed decisions about security within an organization. These decisions are still best made at this point by a human because they take inference, opinion, and often the ability to gather further research on a decision point before a decision is made.
Many security technologies, especially those that claim artificial intelligence as their primary capability, are only as effective as the logic they have been programmed with and the data they can ingest to aid in the decisions they make. For example, though not a security technology, Pandora uses AI to play the songs I want and to decide when to play them, but it still can't play the exact song I want when I am feeling great on a run, or bad, when it starts to rain, or at the exact moment before I take on a hill. It probably could if it was programmed to, but the logic or access to the necessary data is not there yet, and it still takes me, as a human, to change the station or hit next.
The same is true for AI-centric information security technologies. These technologies do not have proper logic embedded within them at this point, nor access to all the information they need to make a proper decision, no matter how much they claim they do. They can perform certain tasks within a specific security process, but at this point the big decisions are still best left to a human who has been provided information via a systemic security program.
Rhianna: There have been increasing attacks on companies lately. Why is this happening, and how can companies protect themselves in 2017?
Ryan: Organizations have been getting successfully attacked for years, but what has changed is that the cost of doing nothing is now more expensive than implementing an ability to prevent and detect these attacks. The only way to do this is to implement an effective information security program that supports the ability to make informed human decisions about how to protect a business and then supports the execution of those decisions once made.