By day, I am the Chief Security Officer of Liquidnet, the world’s global investor network, responsible for information security, physical security and business continuity planning. (Of course, all of the content on this blog and the rest of my social media empire reflects my opinions and not those of Liquidnet.)
If I were to be asked about my approach to security, I would characterize it as people-centric. Yes, we need to put technology in place to protect, detect and respond to threats, but making employees resistant to the increasingly clever psychological tricks which attackers use to gain access is the foundation of a successful security program, IMHO. When you read about the data breaches which make the news, it always seems that the sequence of events leading to the disclosure started with an email to an employee. Inoculating your employees against the most common tricks employed by social engineering attackers is a very cost-effective security measure.
Once your human firewall is in place, it is time to apply technology to backstop it – some attacks will bypass humans (for example, exploitation of vulnerable software or web apps). And human-enabled attacks will sometimes make it through. There are a number of “Security 101” steps which you can take to make your company a less attractive target to attackers. My favorite guide to getting the basics in place is the “Essential 8” controls published by the Australian government. Implementing the controls they recommend doesn’t require expensive technology and will deter many if not most attackers.
In my copious spare time, I am a volunteer EMT on the Weehawken Volunteer First Aid Squad and a member of the Weehawken Historical Commission.