As the chief executive officer for ISACA, a global association of 125,000 cyber-security, IT governance and assurance professionals, Matt Loeb has his eye on the risks that both the public and private sectors face. Increasingly sophisticated cyber-criminals and far more complex enterprise IT environments introduce enormous challenges.
Here are some of Loeb’s thoughts and recommendations on everything from reducing risks to President Obama’s recent cyber-security summit, and the role of industry and government.
Baseline: How do you view the current cyber-security environment?
Matt Loeb: The tip of the iceberg is above the water’s surface, but if you actually go down underneath, there’s this big mass of ice that nobody can see. I think the current state of affairs is that we’re at that tip.
Cyber-criminals are very smart, they have enormous resources and, as a result, they’ve monetized their work. They’re moving faster than those of us who want to keep everybody safe. We’ve found that it typically takes 230 days before an organization identifies a breach.
Baseline: What do you see as the biggest problem?
Loeb: The research shows that 86 percent of organizations think the biggest risk they face is an attack within the next 12 months. They’re expecting it. At the same time, only about 38 percent of these organizations think they’re prepared to deal with the attack.
There is an enormous demand for expertise in cyber-security, and organizations are having an extremely difficult time finding qualified people. Ninety-two percent of organizations say they can’t find the skilled candidates they require.
Baseline: What can business and IT leaders do about the skills shortage?
Loeb: The problem with this line of work is that it is akin to becoming a doctor. It requires a body of knowledge that goes beyond textbooks. There are two paths that industry can take.
First, retrain people already in IT, especially those who display an interest. Second, focus on the university community. Curriculum must better integrate digital security, and graduates must be better equipped to deal with cyber-security.
Baseline: What are your thoughts about the White House summit, and what is necessary to get private industry and government collaborating more effectively?
Loeb: The White House summit didn’t break any new ground, but it reinforced the need to address a number of issues and challenges related to cyber-security. This type of discussion is critical. Industry and government must work together in a coordinated way, including dealing with the legal aspects of the problem, establishing jurisdictions, and catching and prosecuting cyber-criminals.
There also must be a significant emphasis on sharing information. That’s an area we are pursuing as an organization. ISACA has groups and bodies that are in formation and focused on information sharing.
Baseline: What are your suggestions for business and IT leaders who must deal with cyber-security challenges?
Loeb: It all starts in the boardroom. There must be recognition of the level of risk that exists, as well as what it means for a company and its brand. And businesses must be willing to make greater investments in cyber-security.
There must be greater awareness—particularly among those who are not technical experts—about the types of attacks that occur and all the different mechanisms that are now used. In the end, cyber-security is a matter of public safety, national security and the economic security of the global economy.