ASU expert on how businesses are dealing with data breaches

Monday, September 18, 2017

The recent Equifax data breach is just one in a growing list of businesses experiencing cybersecurity failures. So how are they dealing with it?

Professor of Practice and Director of ASU’s Cybersecurity Education Consortium Kim Jones doesn’t want to be cynical but feels businesses are “using a risk-versus-return attitude toward exposure of data.”

That said, Jones does believe they’ve made great strides in understanding the value of data and the threat posed by hackers. But with a 300,000-job talent gap in the cybersecurity arena, there’s definitely room for improvement.

On Wednesday, Sept. 20, ASU West will host “An Evening of Cybersecurity” for students looking to become cybersecurity professionals and help fill that talent gap.

ASU Now spoke with Jones ahead of the event to learn more about how businesses are dealing with the threat and what students can expect from a career in the industry.

Question: How are businesses responding? Are they stepping up their cybersecurity defenses?

Answer: I hate to sound cynical … I do believe businesses are beginning to better understand the value and need of data on one end, which is better than when we talked one year ago. They’re spending a lot more time understanding the threat and ways people can get into their data. But, as much as I hate to say it, I think they’re also using a risk-versus-return attitude toward exposure of data. Name the last organization that went out of business because of data breach. [We couldn’t.] So from a reputation-risk standpoint, has this sort of thing become passé? Is the consumer going to respond in any sort of negative fashion? To date, unfortunately, consumers have become more accepting of the fact that their data is going to be out there. So in my opinion, businesses are beginning to look at security, instead of being something essential, as something that is a value add. We’re at the point where, if I’m more secure than my competitor, I might be able to draw more customers, but it’s still not seen as essential as one might hope it would be. And that’s being driven by the fact that the consumer has accepted that more of their data are out there and they’re continuing to put more out there in the name of convenience.

I’ve had friends approach me about the Equifax breach saying, "My data has been exposed so many times, I can’t even count anymore." In that sort of environment, where data has been compromised three or four times over, it depends on what the demand will be by the consumer to take additional action.

Q: What advice would you give to startups or businesses with limited resources?

A: The Cybersecurity Education Consortium is actually in the midst of putting something together for small businesses to give them practical skills. In Arizona, a majority of businesses are classified as small to medium, so we’re putting together some practical knowledge workshops for them that should be available in the next few months.

For me, it’s important to understand that you can’t create Fort Knox, but you can get to a heightened level of care associated with your network and data. And that mind-set of care will help. Think about it: A retailer looks at his or her foot traffic with that kind of care on a day-to-day basis. They look at things concerning availability of inventory, quality of inventory, how the inventory is positioned, how that affects foot traffic of the store. I’m not saying that it should overshadow everything else, but the care of understanding your data is an asset and a resource. And businesses usually meet about 80 percent of the threats out there. So I can’t give you Fort Knox; just because I have a sign out front saying I have a security system doesn’t mean someone won’t try to rob me, and they might succeed. But I can at least make it harder for them.

Many network providers have packages with basic security tools out there that are available as part of a business subscription, and there are small firms out there that provide different levels of protection, such as Terra Verde, an Arizona-based cybersecurity firm. And those will allow you to scale to certain levels of protection. You need to understand your data hygiene and treat your data and network as resources within your environment that need care and feeding.

Q: What can students looking to become cybersecurity professionals expect to be dealing with when they enter the field?

A: Two things: The term "typical day" is an oxymoron because every day is different. To quote the Navy SEAL team, the only easy day was yesterday. It won’t grind you into the ground, but it’s not just a career — a big portion of it is a calling. Cybersecurity people are absolutely the biggest optimists in the world. Every day, there is someone out there threatening to get access to resources and data you are trying to protect. And for every thousand of them, there is one of you. And you have to plug those holes. But you make people safer every day, and there are very few careers that are that rewarding. It’s also mentally engaging for me; it’s like playing three-tier chess. Every day you have to think like the bad guy, but you also have to think how to make something secure and work in an environment without just shutting the environment down.

There is a huge talent gap in cybersecurity of about 300,000 jobs in the U.S. Part of the reason it exists is because security technologists don’t really do a good job of taking about what we do and how we do it. When my kid was younger, he wanted to go into the gaming industry. Well, what does that mean? Coding? Design? He didn’t know. Lots of folks think it sounds sexy and cool, but they don’t know how to get in there.

Cybersecurity is the same way. There’s a lot more to it than hacking. It requires skills beyond just technical; it requires creative thinkers who know how to communicate, who understand business and policy. All these interdisciplinary things we teach at this university go into forming a great cybersecurity team. So a lot of what this event is about is showing kids, hey, the fact that you haven’t hacked by the time you’re 15 doesn’t mean you’re not good for cybersecurity. And we have lots of fun; we expose them to people from all walks of life who found their way into the field. It’s a good step if we’re going to try to close that 300,000-job talent gap.

Answers edited for clarity and length. Top photo: Professor of Practice and Director of the Cybersecurity Education Consortium Kim Jones at his office on ASU's West campus. Photo by Charlie Leight/ASU Now