Shira Rubinoff: Episode 17 Forward Focused
Welcome to Forward Focused brought to you by Pypestream Digital Labs, a thought series on customer experience, artificial intelligence, and enterprise automation. I’m Evan Kohn from Pypestream and I’m talking with Shira Rubinoff. Shira is President of startup incubator, Prime Tech Partners. She’s a recognized cybersecurity executive who built two cybersecurity product companies and led multiple women-in-technology efforts.
She’s also President of social media security firm, SecureMySocial, she’s practiced as a psychologist and holds several patents in areas related to the application of psychology to improve IT and cybersecurity.
Shira, great to have you with us!
A pleasure to be here, thank you.
So Shira, you often speak about the human factors of security. Why is that important for large companies working to stay ahead of cybersecurity threats?
Well, that’s a great question, Evan. That’s actually something that everybody has to think about. You know, there’s talk around the industry as a human being the weakest link in the chain of security. I actually take a different perspective at it and I say, let’s make the human the solution to the problem and not the actual problem at the end of the cybersecurity chain.
I do a lot of discussions around cyber hygiene within an organization and I’ll tell you why that is important and I’ll break it down to four categories that I’ve been discussing. The first would be training across the organization from the top down, which basically means that proper training within your organization from board level down to interns needs to be addressed on a regular basis. When you’re training, we’re talking about cybersecurity related trainings, whether being phishing awareness, whether being any types of training in the security space needs to be done on an ongoing basis within the organization.
The important piece of the ongoing is that typically in the past, the way companies would look at this would be, “Okay, we’re going to have two days a year of training for our employees.” They’ll throw a big hoopla; they’ll have this great day organized for their organization, they’ll go through everything from top to bottom, and then they’re done for the day. You go back to any of those employees – a few days later, a week later, a month later – they’ll remember the day, but they won’t remember specifically all the areas that they needed to be focused on in terms of training.
The second step is global awareness and global awareness touches again, also on the training but also global awareness which is your cyber culture within your organization. What are the rules that’s within the organization? How are they approached? How are they put in to the regular culture of day-to-day life within the organization, so it becomes something they live by. Global awareness that needs to be embraced by all.
The next would be updated security and patching within the organization and that’s pretty obvious what that leads to. But when it comes to patching, having a dedicated team that would deal with the patching certainly tends to go in in that space but we’ll just get to number four, which would be zero trust.
Zero trust deals with identity, deals with access, deals with all sorts of who is able to access specific information and data within the organization. What zero trust does is it puts a stop sign before any movement within the organization to grab data. When you’re able to do that, you’re able to manage who has access to the data at any time in any step they do to take it.
That’s like the first overall feeling of cyber hygiene with an organization, but companies deal tremendously with the security piece. But we have people, technology, and the process that lives between. We have the humans we have to deal with; we have the humans that deal with the technology, that implement the technology, and also how the technology actually affects them. Then you have a technology itself, but how do you mesh the two? It’s the process in between that is actually going to yield the secure organization. When you deal with the human factors piece, which is a very long topic but a very important topic, we really have to look at the human as just as an important factor as the technology itself within the organization and then you mesh the process in between to make them work together.
That’s very interesting and I could see how organizations can overlook that vital human component. When you look at the threat landscape, Shira, where are the largest cybersecurity threats today? You know, beyond the operational components you discussed regarding the human factors of security, what else can companies do to protect themselves, their employees, and their customers?
Well, that’s a loaded question and a very good one as well. I think it goes to the organization looking at the global threat landscape that they are facing. We have to deal with many areas around the organization to deal with cybersecurity as a whole. We have the bad actors. We have the countries that our looking the to infiltrate our security as a whole. We have also sorry, another big piece that I didn’t mention that comes to the human factor piece, all the major data breaches to date pretty much have been done from a point of non-malicious or malicious insider threats. Malicious being somebody malicious within the organization wanted to specifically take data or take information and walk it out of the organization in order to cause havoc or cause problems for the organization, or they were targeting something else. And non-malicious insider threat would mean somebody within the organization who has access to the data that may share the data with somebody that they shouldn’t be, an organization they shouldn’t be, sharing across social media, or just being negligent with their complete personal cyber hygiene in terms of how they lock down the data and information that they have access to.
The threat landscape is massive. We have all sorts of technology that’s able to deal with many different segues within the threat landscape and cybersecurity, but we have to really start looking up from the inside out. Now one of the big things that organizations are doing today, and making a lot of strides with, is the sharing of information which in the past has not been the case. In the past is, “This is my information, I’m gonna deal the way I deal with it, you come up with yours and hopefully, we’ll be able to be tight on that.” But now a lot of large organizations to their credit realized the more that we’re able to share, the stronger we are as a whole. So this is becoming something that organizations are more clinging to and have really highlighted and are really showing a much stronger connection to.
We’ve talked about the theme of digital transformation in past episodes. For many organizations staying ahead of this evolving cybersecurity threat landscape requires an ongoing transformation mindset. Why do you think it’s important for organizations that maintain this ability to take on digital transformations?
I think it’s a very important piece. Again, it boils down to the people within the organizations. Just think for a moment, you have your CEO, you have your CIO, you have your COO, and everybody’s incentivized with their own school of areas that they have to cover and areas they’re responsible for.
So think of it from a security perspective. Let’s say, for example, that there’s a new patch that comes down because there’s been some breach somewhere and they need to patch the system. You’re gonna have the COO, who’s in charge of the operations of the organization, who does not want to slow down what happens when a patching occurs; will just dial back a little. In order to do proper patching, you need to also test it out, you have to look at every single device from the organization. So let’s hope that although, OS systems are all updated and they’re able to receive patches at first, people have downloaded different third-party software to their own personal devices. So you also have to think about all the time and effort and money it takes to push through a proper patch to an organization. Then once it’s all sitting there, you also have to do a test run so there’s a time delay, there’s cost involved, there’s a lot of things that go into play. But then you have your CIO says, “Listen, we got a deal with your security breach. We’ve got to make this happen.” You have two people who both have to do their job importantly, but they’re both incentivized from different areas. With digital transformation, we’re able to have these people work hand-in-hand and in some ways, we have to say, “Okay, let’s incentivize them together to make these things happen.” One person should not be worried about time, speed, and effort when other person’s only worried about security; we have to really mesh the two.
Digital transformation is very important. That’s one area that I highlighted in it, but there’s quite a few and it’s certainly something that industries are embracing today.
How about on the consumer side and we’re often reminded to change our passwords, to not use the same passwords everywhere, to actively monitor security and privacy settings of software we use. So we’ve talked about, you know, what companies need to do. What else should consumers do to protect their data?
So I would say it goes to what organizations need to do and one aspect is know where your data sits, know who has access to your data on a personal level. When people do online shopping, people have social media, we have credit cards, online banking; it’s enormous. People go to the doctors, everything’s digitalized and when we have access to all these other portals, we’re giving over information in ways that can be accessed.
So human nature, I need to remember my password. I’m gonna make it something memorable or I’ll make it something that, you know, I’ll just keep changing it back and forth to one of three different passwords. You know, I’ve gone to different organizations, where I do consulting, and it was very interesting to see even on high C-level employee areas, they had little Post-Its with passwords taped to it. So, you know, that’s human nature, “I want to remember.”
However, that is obviously not the right way to go. There are different password keepers that people should be using. You should change your password often. Never share your password. And obviously, the old way of going with mother’s maiden name and fingerprint. There’s all sorts of things that are no longer utilized for secure passwords and more that are coming on the pikes. Always use two-factor authentication, out-of-band, and make sure that you have access to it and able to wipe information if your device is or stolen. It’s always just being here being secure with who you are and what you’re doing.
And just one point I’ll mention on social media, which is a huge thing that people lack and they suffer from, which is the oversharing of information on social media. Some millennials, the general consensus is that we need to share in order to be relevant so we share everything. We don’t care about privacy. Again, many different generations think a little differently. Whether or not that’s right or wrong, I’m not going to pinpoint the generation but I will say a few things. Never post that you’re away on vacation when you’re on vacation, that’s just a overall global thought.
Also, when you’re on LinkedIn, which is a big portal for people gaining access and being able to steal information and garner information on somebody, you’ll have employees who work for a company and utilize LinkedIn as, “Okay, I want to be relevant for my next possible job. I want people to look at it and say, ‘Hey, I want to hire that person.’” They’ll put as much information as they can about what they do, who they are, and everything else like that. They may at a time have somebody reach out to them maybe from a competing organization, but a high level person within the organization. That’s very flattering. Well, of course, I’ll friend them in on LinkedIn and then maybe a little conversation starts and maybe a little back and forth starts and it’s very easy to create a profile on somebody by going to all their social channels if they’re sharing everything across the social channels.
So I’d say be careful what you share and if you share something, understand that it’s going to be a world readable. If people think they lock it down to be private, don’t be silly that way. If somebody takes a screenshot of it and shares it elsewhere or somebody tags you in something else, you won’t have your privacy protocol set up properly, it will be made public.
So if you take the mindset of anything that you ever put out online will be world readable, you might be more diligent in the cybersecurity space for yourself.
Listeners, hope you heard that. No more sticky notes with passwords. Be careful what you’re sharing on social media. Should go without saying but consider it another warning. And Shira, we talked about cybersecurity challenges, threats companies face; easy to kind of get depressed around kind of the doom and gloom here. What gives you hope that it’s not all so bad?
Well, I think that actually boils back to one of the things I said earlier, which is that these companies are banding together, the larger security companies a lot of them are sharing intel and sharing information to work as a team to really be more cybersecure as an industry as a whole cybersecurity environment together. And I believe that the sharing of information is actually showing that moving forward together, we can actually make headway in this space.
I think that there’s tremendous amounts of technology and amazing security coming down the pike being utilized appropriately and properly. It’s going to be obviously more secure. We have AI coming down and being utilized in a much stronger way so organizations now realize we have to be way more proactive than reactive. It’s, you know, it’s very hard to keep up to this space of being proactive when there’s so many threats coming down the pikes and we’re literally being reactive and reactive and reactive, but you need to do hand-in-hand proactive and reactive in order to stay ahead of the space. And I do believe we’ll get there.
You’re releasing a book called, Cyber Minds. Can you tell us a bit about some of the topics that you write about?
Certainly, thank you. Yeah, so Cyber Minds is being released by Packt Publishing in London. It talks about cybersecurity as the way I’ve used cybersecurity is umbrella over all other technologies. And within the book, I’ve written a number of chapters on the human factors of cybersecurity and how it relates to all these technologies including blockchain, cybersecurity in a cloud, data breaches, trends, IoT, global terrorism, AI. And within the book, I also was able to interview some of the top minds in these spaces. Some really amazing people with amazing insight, highly recognizable. Very flattered that I was able to get their interviews in the book and very much looking forward to its release.
Shira Rubinoff, we’ll leave it there. Thank you for joining us. Where can our listeners find you?
Thank you. They could find me on LinkedIn. They can also follow me on Twitter @Shirastweet, same handle on Instagram, and looking forward to connecting with more of you. Thank you, Evan.
Much appreciated. Thanks for sharing your insights. Listeners, thank you for tuning in. You can access more Pypestream Digital Labs content at pypestream.com/insights. If you’re listening on Apple Podcasts and like what you’ve heard, please rate us, give us some stars. We always appreciate you taking a moment to help spread the word to other listeners. Thanks to our editor, Kat Zink. We hope you join us for the next Forward Focused podcast.