Instructor Insight – Cybersecurity Q&A

George Pauwels is a veteran Technical Instructor with over 30 years of experience it the IT industry. He holds several vendor certifications in cybersecurity, and also specializes in Cisco technology.

Many companies have seen the benefit of remote work and will be adopting a hybrid work-from-home model in the future. How can businesses prepare for this sweeping change?

George: One of the most prominent challenges organizations face is that security issues are addressed on an ad hoc basis without acquiring a complete understanding of what threatens the achievement of their business objectives.

For organizations that have developed a formalized risk assessment function, the next step in addressing the risks associated with remote access would be to adopt a standardized industry framework similar to the National Institute of Standards and Technology Special Publication 800-46: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device Security documentation. Documentation of this format will guide the best, industry-standard approaches to address the risks associated with remote access.

Without a formalized risk assessment function, organizations will have no idea what threats exist to achieve their business objectives. Addressing this one, not well understood, the perceived threat will have the same result as patching a single hole in a sieve of security vulnerabilities.

Anyone can be the target of a security breach. What are your recommendations for companies to properly inform their end-users of potential security risks and preventative best practices?

There are three activities every organization should engage in to ensure its employees are equipped with the knowledge necessary to address security threats. Those three activities include awareness campaigns, formalized corporate training, and industry-associated education.

Awareness campaigns focus on providing constant subtle reminders of what threats exist for the organization and what the employee can do when recognizing those threats in the wild. Awareness campaigns usually follow formalized corporate training.

Formalized corporate training is an activity where subject matter experts engage the organization's employees in instruction and discussion of the current corporate threat landscape. Training comes after industry-associated education.

Industry-associated education involves a more role-specific evaluation and understanding of security concepts, and for some, the proper operation of security controls to provide adequate protection of company assets.

One of the popular misconceptions is that information security is a "Set it and forget it" activity. It is important to remember that people need constant reminders and updates on the importance of protecting corporate information assets.

We often refer to cybersecurity as a "team sport." What do you recommend as a winning IT security strategy for most organizations?

Corporate culture is one of the most common reasons an organization's security-related goals are successful and/or are not. If the team members do not have a winning attitude, it is doubtful that they will be successful. Shaping the corporate culture comes from the top. Upper management must create an inclusive environment that is conducive to success. If upper management does not display, encourage, and endorse a winning attitude, the team will flounder if they are distant, non-transparent, and inconsistent. To coin a well-worn quote that some attribute to Mahatma Gandhi, is it vital that they "Be the change they want to see in the world."

What are some next steps for those individuals who are not in the IT department or focused on security? What level of security training do you think is necessary?

Certainly, for end-users the best choice CyberSAFE Extended Edition. It really helps drive security awareness and provides best practices that they can immediately implement. It is also only a half-day in length which is convenient.

And how about for those more advanced that are currently in the IT field?

Too many to name here since United Training offers a wide variety of security related courses but I can certainly highlight a few. Microsoft recently introduced a new set of courses focused on identity management. You can get those details on our Microsoft Security page . CompTIA maintains a cybersecurity certification pathway which is a great option for those a bit more advanced. For experienced cybersecurity professionals I would direct them to the Certified Information Security Systems Professional (CISSP) course or several courses titles from EC-Council such as Certified Ethical Hacker (CEH) or EC-Council Computer Hacking Forensics Investigator (CHFI) . Should also mention Cisco security as well. So a lot of different options based on your experience option and vendor of choice.

Thanks to George for his valuable insight.