This article is based on a panel discussion at IBA’s Fall 2022 Analytics Conference on Cybersecurity. This panel featured comments from Wayne Selk, Executive Director of CompTIA Information Sharing and Analysis Organization (ISAO) and Vice President of Cybersecurity Programs, Susannah Hope, manager in Deloitte’s Risk and Financial Advisory practice, and Kim Milford, who served as Executive Director of Indiana University’s Research and Education Network Information Sharing and Analysis Center (REN-ISAC) at the time of this presentation.
The world of cybersecurity data sharing and governance is changing — fast.
One change: compliance has exploded. According to Wayne Selk, the Executive Director of CompTIA Information Sharing and Analysis Organization (ISAO) and Vice President of Cybersecurity Programs, the development of laws like the European Union’s General Data Protection Regulation and the California Consumer Privacy Act have changed the capabilities of data sharing around the world.
Another? Susannah Hope, manager in Deloitte’s Risk and Financial Advisory practice, said that governing organizations and companies are increasingly understanding the value of cybersecurity.
Selk, Hope, and Kim Milford, who is the Executive Director of Indiana University’s Research and Education Network Information Sharing and Analysis Center (REN-ISAC), shared their perspectives during a panel on cybersecurity and data sharing governance during the 2022 Conference on Analytics for Cybersecurity, sponsored by the Institute for Business Analytics at the Kelley School of Business. The panel was moderated by Trinity Klein, a Senior Consultant for Deloitte’s Strategy and Analytics practice.
Another shift, Selk said, is taking place because threat actors are realizing how valuable data is, and that it can be used against individuals and organizations.
“Cybersecurity actually boils down to data security itself,” Selk said. “The perimeter of the traditional business model went out the window with the pandemic, though. It’s difficult from a cybersecurity perspective to ensure that the user who’s working from home has the correct access, knows what to do with that data, and understands the implications of that data.”
Milford also mentioned two related challenges: first, that it’s difficult to know what to do with data once it’s obtained; and second, that many businesses don’t want to share data on their own cybersecurity shortcomings.
“Businesses are risk averse and worried about reputational risk and lawsuits,” Milford said. “Many of them have had ransomware attacks, but few talk about how to prevent them. We need to open information sharing so that we can all get smarter from incidents.”
Issues may also come up because organizations aren’t able to, or aren’t sure how to, share restricted data.
“Organizations don’t want to share too much, because it can put them at risk,” Hope said. “If we can diversify the ways that people can share data, but consolidate it on the backend, there can be more consistency.”
Careers in Cybersecurity and Data Governance
As students explore potential careers in cybersecurity, they can consider how they might be able to contribute solutions or new ideas to the problems surrounding data sharing. Selk and Hope agreed that because higher ups are focused on what’s best for the business, it’s essential for new employees in cybersecurity to be able to clearly explain the value of data security.
“As a technical analyst, if you’re able to explain what the impact of cybersecurity data is in a business sense, you can help others in your organization realize that cybersecurity actually is a problem,” Hope said. “When it comes to cybersecurity, hierarchy shouldn’t drive the way you interact with people. Sometimes, the people who are in the systems — like the technical analysts — have the best knowledge of what’s out there.”
Selk and Milford gave a warning to students who are interested in careers in cybersecurity: the job comes with a fair amount of stress.
“Cybersecurity is a little bit like the Wild West,” Milford said. “There are better frameworks today than there were a couple of years ago, and great training, but you need to consider, ‘can I take the stress?’ You don’t have much control over when an incident or vulnerability happens.”
What’s Next for Cybersecurity Data Sharing and Governance
The panel also shared their predictions on the next 10-15 years in cybersecurity. According to Milford, integration will increase because data is beginning to cross streams of storage and usage, but significant privacy challenges come with these moves.
“We need to keep compliance restrictions in mind as we think about freeing data from its boundaries,” Milford said. “How can we narrow in on what will secure universities, private businesses, and healthcare cyber infrastructure? We need to be preventative and proactive, whereas right now, we’re still in a reactive mode.”
Potential members of the industry also have an individual responsibility to consider cybersecurity risks, Selk said. He mentioned that employees, and the entire workforce, should be better educated on the threats surrounding data sharing on social media.
“The future for cybersecurity is each of you in the room having awareness and understanding of what risk means to the organization that you end up working for,” Selk said. “As you look from the organization perspective, you should also think about the impact data sharing has on each and every one of your lives from a personal perspective.”
Leave a Reply