Tom Jacoby could write a book about what he has learned and experienced in the cybersecurity space over the past almost 30 years. The Coquitlam, B.C. company he founded – IOSecure Internet Operations Inc. – came into being in 1994 and then, as now, it was an IT services company that focused on online security.
“It was a different time,” recalled Jacoby yesterday, on day two of IT World Canada’s MapleSEC 2022. “And it was a time when companies were accepting really significant weaknesses in their IT infrastructure. The reason behind our name – secure internet operations – we came up with it long before the word ‘cloud’ came into popular usage.”
During a fireside chat with ITWC chief information officer (CIO) Jim Love, he said that the key to any successful cybersecurity initiative, be it today or when the company first launched, can be crystallized in four key words, which he called the “four Ps: People, Policy, Platform and Program.”
“Ultimately all of our success in business comes down to our people,” he said. “It’s an overused phrase,” but, he added, having the right people with the necessary skills, the training, and the proper communication skills is paramount.
Many challenges happen, said Jacoby, because of a lack of communication: “Are the technologists in the company communicating with the lines of business to keep both the business secure and the business operating?”
And it is not only IT professionals in an organization that need to be aware of security; so too must support staff, particularly the personnel who might physically guard a building.
Jacoby recalled a “strange experience” that happened to him a few years ago when he was doing a project for a large telco provider in Canada: “I needed access to a particular part of the building, I had no reservation, had no appointment. I showed up at the door at 6:45 in the morning in this warehouse in a part of town that was not particularly safe.
“But I looked the part. I had a suit on – this is going back a few years – I had the tie, I had a briefcase, I had a laptop, and probably more importantly, I knew the name of a relevant project. And I was escorted in, and dropped off at the equipment I needed to work on.
“But right next to me was the central office phone switch, which is critical infrastructure for a large city. And I was left alone with it for the day. I didn’t want access to it – it had nothing to do with what I was doing. But there it was … the point being that all of our staff throughout the organization are key to our security success. And we have to make security more approachable, not scary.”
It is imperative, Love added, to create an environment where the “guy in the suit” can be asked “do you really belong here?”
Policy, said Jacoby, is the one thing he finds the most rewarding – and the most frustrating: “It has such a bad name, associated with pain, associated with hundreds of hours of difficult conversations. But it doesn’t have to be that way. It’s about ensuring we have the right layers of security on the right data for the business to operate. And these can be some pretty straightforward conversations. I see so many of our customers spending lots of money on industry-leading products, without policy or people in place to benefit from them.”
During the session, he provided several examples of what can happen when policy planning goes awry.
“One involved a customer that was being too aggressive with their policies. The policies made sense, but they were being applied everywhere in the organization, and IT infrastructure crumbled. It could not keep up with the load to check everything so thoroughly, so many times it really hurt the business,” he said.
Another involved an organization that, he said, “was too lax in creating a security policy. They relied on a junior IT resource to come up with a policy in the early days of the internet, and it is a large company, we all know of them. And they had enough resources to be able to put their entire accounting department natively on the internet with no layers of protection at all.
“Obviously, that was nothing we recommended. One of my senior managers today is still haunted with that phone call he got a few days afterwards, with the customer calling, saying, ‘it’s all gone.’ All their data was gone. All their accounting system devices were empty.”
As for Platform, Jacoby said, “it is effectively the toolset that we use, but it has to be an integrated solution. We can’t just look at things in isolation. Every tool has issues, every tool can be compromised and only by adding layers can we have a hope of protecting ourselves.”
The fourth “P” revolves around having a solid program: “The bad guys are out there working 7-24, 365 days a year. They have labs with this exact same infrastructure we have, they have the same firmware on it, they have the same configurations on it, they’re testing it every day, they only have to be right once in order to access us. We need to be strong every day and need to have the proper program in place.”