“People come and ask what VPNs to buy or how to design their Wi-Fi,” he said. “As cyber professionals, sometimes I feel that we’re doing a disservice by answering that question. You should do those things – but at a certain point in [the organization’s] maturity.”
His proposal in the meantime? Focus on the “basics.”
“If you do those things, then it’s appropriate to do some of these other things,” he said.
Speaking on the final day of the RSA 2019 conference, Lord was interviewed on the keynote stage by RSA Program Committee Chair and Symantec’s CTO, Hugh Thompson.
And he came armed with a checklist to put his words into action.
- Patch your software applications
- Require employees to use two-factor authentication
- Deploy a password manager
Lord said that the recommendations actually take up one page – printed front and back – with further details in support of each bullet point on the checklist. But that’s the gist of it. And for Lord, it’s more than enough.
“When I take a look at all the attacks I see in the news, if you do these things, you won’t become one of those headlines,” he said. “The basics are actually the real innovation.”
He said this will involve discipline, going step by step, with people who may not have deep experience thinking about the security of the products and applications they use each day.
“Even something as simple as updating phones turns out to have issues,” he said, recalling when he encountered staffers who couldn’t update their devices because they had run out of memory. At that point, they had to figure out how to copy – or upload – their pictures to free up storage. “But I also ran into cases where they didn’t know why I was asking them to update their software. They really didn’t know why.”
“Again, if you don’t have any prior experience, it can be daunting,” he said, adding that’s why he’s urging a move to keep things as basic as possible.
Looking ahead, Lord suggested that technology companies could help by building in automatic protections that are on by default, rather than relying on organizations to take on the responsibility of ensuring that their workers toe the line on cyber security.
“There is a history of technology providers not making security a default,” he said. “We have an opportunity to reprioritize how companies do security.”
At the same time, he recognized the constraints of a system that doesn’t always reward managers for putting cyber security at the top of their to-do list. People get promoted for adding more users and, thus, more sales, not necessarily for making people safer, Lord said.