Infosec is probably one of the hottest topics around – after all, it can affect any one of us! Chances are we know someone who has fallen victim to data theft, and with some of the biggest global companies taking an embarrassing hit to their own security in the last year, 2016 has to be the year organisations take measures to improve their online security. Specialising in Infosec recruitment myself, I know how pressing the need to find skilled candidates is for companies right now, so I recently caught up with Tim Gurney, Founder of Wolf Software, to find out more about his thoughts on Infosec:
Firstly, can you tell us a little bit about your company, Wolf Software, and how you became involved in information security?
Wolf Software (founded in 2009) is a small local software company that specialises in creating secure and legally/regulatory-compliant software. For example, we were one of the first companies in the EU to release (as open source) a drop-in solution for the EU Cookie Law. We also worked directly with Google (Analytics) to create a GA-specific solution.
As for information security, this has always been a key interest for me. My first job out of university was writing software for the Police, so the concept of information security and the Data Protection Act were very visible all of the time. For me personally, however, I think one of the key areas of interest is around how to keep information secure. It is a constant game of ‘them’ vs ‘us’, a digital game of chess if you like, a constant challenge which has no simple ‘silver bullet’ solution.
What’s the goal of information security within an organisation?
The goal is a simple one: allow the right people access to the right information in a controlled manner, and only that. It isn’t about making access difficult or making information hard to access; it is about only allowing the right people access to the right information, but in a controlled and safe way.
Was 2015 the year of cyber security attacks? What do you think contributed to this?
There are many factors to this, I feel:
a) There are now many more state-funded groups that are carrying out large-scale attacks.
b) The targets that are now being attacked are more in the public eye (high-profile attacks).
c) The media has got a lot better at reporting the attacks rather than dismissing them.
d) The Snowden revelations have made everyone pay a lot more attention.
e) Changes in the law are now forcing companies to acknowledge and report breaches.
I am sure there are others, but in general I think people are now more careful and aware of what is going on online. A lot of issues are reported both by the end user and by the companies affected, and I think this will continue throughout 2016-2017.
Which defence tools do you think have become less effective?
I don’t think defence tools have become less effective; they are just more commonplace, and so people attack them less. More attacks are now phishing-based, SQL injection or social engineering, but this doesn’t mean a firewall has become less effective, and you definitely wouldn’t consider removing it. Security is very much about building up layers of protection.
Are open-source projects more or less secure than proprietary ones?
This is a very hard question, and I could point to specific examples of both open source and proprietary software being more and less secure than the other. I think in general, if there is a security issue, then it often gets resolved quicker in the open source community purely because of the number of people who are involved; some projects have tens of thousands of people. Open source is also open to more scrutiny by its very nature, so intentional backdoors etc. cannot be so easily hidden.
What effect will the GDPR have for online organisations?
This really depends on how it is actually implemented and how it is enforced. If it is anything like the cookie law (PECR), then it will not have much of an impact at all. Organisations shouldn’t need to wait for new legislation to do what I see as the right thing. Privacy isn’t something we should be invading because we might make money from it, so even though I support the GDPR, I am a little disheartened that we have had to have this sort of law brought in just to help protect people.
As a corporate Information Security professional, what’s more important to focus on: threats or vulnerabilities?
Simple answer: both. Without knowing what the threats are, you won’t know if you are vulnerable or not. This is a virtual game of cat and mouse, and it is very important to keep track of what is going on outside your organisation as well as inside. Regular audits are important to understand your current security position in relation to the desired security posture, as is education of your staff. Given that a lot of current breaches are ‘non-technical’, you need to ensure your staff also understand current threats, if only at a high level, e.g. do not click on links in email etc.
Hackers are becoming smarter and more sophisticated, do you agree and why?
Actually, for the most part I would disagree. There are certainly more of them, and a small minority are very skilled, but a large percentage are simply using tools they have downloaded or purchased on the dark web. State-backed hackers are very sophisticated, but that is largely because of the sheer scale of the support.
From a security point of view how can you see it developing in the next 12 months?
I think the problems will continue: medical practices will continue to be a large target for ransomware, large retail outfits will still be targets for credit card theft, and dating and social media sites will still be targets for user profiling and data theft.
Part of the problem is that a lot of companies feel they will never be a target. Security takes time, costs money and, if implemented badly, can cause your staff a lot of problems when trying to do their job. So it gets left as an afterthought and often only gets addressed after the incident has happened.
Some companies are starting to learn and make changes, but I think it will be a slow road ahead, change takes time especially if you want to do it without impacting your customers.
What we need to do as a community is become more aware of the information we are sharing and who we are sharing it with. Make sure you check your security settings on things like Facebook so you are not sharing everything with the whole world.
Can you tell me what you know about the skills gap in cyber security and what needs to be done about it?
There is a huge skills gap in security. It is only in recent years that universities have started running cyber security courses, and only in the last 1-2 years that those students have started to hit the marketplace.
Sites like HackerOne have helped fill that gap, and the idea of ‘bug bounties’ helps bring a lot of the fringe hacker community over to the ‘white hat’ side, as it were, but it will take a number of years until there are enough fully trained people available.
In the meantime, we will continue to rely on a small number of people who have the interest, knowledge and skills, and on sites like HackerOne.
(InfoSec Recruiter at Searchability)