Bruce Lobree, CISSP, CISM, CIPP, CRISC, is a SecureWorld Advisory Council member in Seattle and a Cyber Security Architect for Symetra Life Insurance Company.

Because Advisory Council Members have told us they love learning from each other, we asked him some questions about his role and challenges. Here is that question and answer session around cybersecurity.

SW: What is the most challenging aspect of your job?
BL: Dealing with fundamental foundational issues that have been in place for decades and the issues of modernization to high-speed development putting security as an afterthought.

SW: In your opinion, how do you see current threats evolving throughout the rest of 2017?
BL: Attack vectors will still primarily go after the uneducated or unaware user, but the level of sophistication of phishing and social engineering will continue to improve.

SW: What do you think is the best way to promote security awareness within your organization (for those in other departments)?
BL: Online training and enforcement. When people hear that someone was fired because they downloaded an infected application that was not approved for use, people will avoid doing the same thing so they don’t lose their job too.

SW: How do you deal with budget restraints when trying to implement new policies and procedures?
BL: Socialization of the information prior to requesting funding gets buy-in from leadership; then when you ask for it, there is a higher probability you will get it, and if you don’t get the buy-in, you know not to go after it.

SW: How do you view current compliance and regulations? Are they doing enough or not at all?
BL: The issue is not the regulations or requirements for compliance; it’s people not being honest about what they are doing or manipulating the information to show they are in compliance when they know they really are not. Current regulations are barely sufficient, but the risk of compromise should be sufficient to get companies to do the right thing. Security professionals need to state facts about issues and stop using ghosts in the graveyard to scare people into thinking something bad is going to happen. This will do more to get management to secure their environments than any regulation.

SW: What is your motivation for wanting to take your company’s security to the next level?
BL: Reputation, maintaining our customer base and turning security into a selling point over our competition.

Thanks to Bruce for sharing his insights on cybersecurity.

Do you think cybersecurity is - or will be - a selling point over the competition in your industry?