Black Hat 2018: Xerox CISO on why the tech industry needs to simplify

TechRepublic's Dan Patterson interviewed Alissa Johnson, Xerox Chief Information Security Officer, at Black Hat. She discussed defining IT processes, simplifying the tech industry, and more. The following is an edited transcript of the interview.

Alissa Johnson: In defining or redefining your IT processes, the first things I look at are: What are my crown jewels, and what are the requirements around those?

You know, we have taken a broad brush stroke at times and said, "This is the policy or this is the process for all data sets." Now, I think, is the opportunity with the influx of investment dollars; our budgets for CISOs are definitely changing. We may have to now take a granular look and say, "What are our crown jewels, and how do we best protect those crown jewels and put the process thinking and policy thinking around that?"

When I am determining what the most valuable assets are, I'm thinking of, "What's going to cause me to cry at night if something happens to it?"

I'll just take my own personal example. Order numbers are not as important to me as social security numbers, credit card numbers, things like that. And so, you have to take a look at the data sets and say, "Well, if something happens to this set, will it impact me more than if something happens to another set?" If I look at it from that perspective, I do understand that the culmination of all data sets is a rich environment. It's a rich data pool, but we can't always take the same amount of investment and apply it to all.

Sometimes, we can't take the same amount of policies and processes and structure and apply it to all. I think sometimes, it's a better way to parse out what you want to do with what by looking at it and saying, "What's going to cause me the most heartburn? What's going to cause me the most heartache? Who is going to scream if I don't have this data?" And if I say, "Well, you know what, Mr. CEO, I don't have the order number, but I still have the social security number of all of our customers, or I still have the credit card numbers of all of our customers," things like that are really, really important. I think that's a better balance. We're looking now into the future, thinking about balance.

I think it's our responsibility in the cyber security industry to simplify. We've kind of over-complicated it, and you know what, I'll go broader than that and say the technology industry. In some ways, we've kind of over-complicated technology. We talked about technology processes that have been over-complicated that make it more difficult. Now that we're in this bigger data set, we have now what we call the "Internet of Things," right? So that gives us this bigger amount of data, but not just a bigger amount of data, but a bigger amount of people who have to understand it.

So now, it's not just my dad or my mom who has to understand. My grandma has to understand security, so we've got to simplify these concepts a little more. That's number one. Number two, we have to make it simple. We have to make it so we don't have to teach them as much about it, and so when I think about even my own organization, I want everything to be simple so that I don't have to tell the developer the things that he needs to do. It's automatic or innate in him in order to make a secure device or a secure component.

If I say to him, "I need you to do this, and do this, and do this," and list all of these things, all of these processes that I need him to include in order to make a device secure, he may think, "Wow, you're just making this heavy for me."

Developers want light, they want agile, they want quick. They want modular, and so if I give them the "What's in it for me?" and the execution part of it, I think that makes it simpler. So my biggest key point, I think, moving into the future, and even in how I think about it now, is simplification.
