Scott Schanbaum, co-founder and CIO of Specialized Security Services, Inc. (S3), consults with clients world-wide on cybersecurity trends and best practices in vulnerability management, security penetration testing, security consultation and assessment, policy development and implementation of security hardware and software solutions. Clients depend on his extensive background in defining shortfalls and implementing solutions within diverse industries.
Schanbaum conducts training sessions and hosts information workshops internationally including major business centers such as New York City, London and Rome at Forbes Magazine business conferences. He has conducted training sessions for the U.S. Department of Justice, Scotland Yard and British intelligence agencies. As an expert on the EU General Data Protection Policy, international clients rely on Schanbaum to help ensure their compliance with this sweeping new policy.
Christopher P. Skroupa: What is the greatest challenge today for companies seeking cyber solutions?
Scott Schanbaum: The interpretation of the idea of a “Solution” may be the greatest challenge. A “solution” is unique to each company and with the layers of C-Executives personnel – CISO, CIO and CTO – it is difficult to get everyone on the same page. Even if you can get a like-minded trio, they must present the challenge of acquiring products – cue CFO – and having the resources – cue HR – to carry out to fruition. The challenges are many, but from a simplistic perspective it’s about how to do more with less. Meaning, the IT group must protect current and new implementations using more specific software with fewer resources.
I find these challenges to be true in larger organizations than in the small- or medium-sized companies. With that being said, a cyber solution is made up of more compartments than ever; as Networks have become more complex, the security tool sets have become more need specific. The ability to have a solution/tool that can tackle the protection against attackers is mind boggling.
Skroupa: Seems as though the proliferation of cyber solutions adds a layer of complexity to an already complex challenge. Do you agree?
Schanbaum: In most cases, it is an old technology being updated and rebranded. The skill sets needed do not change that much, but it’s the terminology and how things are integrated that have wholesale changes. Cybersecurity solutions have become more surgical in the way they protect. I see things at root level, and I see how these software vendors have developed or created a need for specificity of protection of a particular service, application, device or even a complete network. This is the place where additional layers of complexity are added, some are needed and some are created and appear to be new or that they provide a solution to provide complete protection within a network.
Skroupa: How do large, complex organizations seeking solutions clarify how to best plan for, invest in and execute on the appropriate complement of solutions?
Schanbaum: This idea brings out my cynical side. I have seen the plans go astray, why? Many reasons; mostly dollars and cents, or changes with the C-Executives. The plans that work are those that take into consideration and leverage the current corporate culture, the current technology and the expertise within the IT group. When we discuss change or solutions in a Corporate Environment, there will always be some pain. Changes, even the smallest amounts, are not always met with open arms. This is something Specialized Security Services, Inc. helps IT groups to understand and accept. In a culture that is automating processes and procedures as much as possible, the clarification comes from tried and true programs. Clarification and understanding come via communication, regular face to face conversation. In fact, I used to tell people that the most important aspect of my job was “talking” and helping all the players to get on the same page and embrace the changes that are going to happen. Remember, the definition of insanity: There is a train coming down the tracks, and you believe that the train can be stopped. That is insane, the train is going to keep moving just like changes are going to happen. So, get on board and embrace the change!
Skroupa: Will there be a breakthrough moment when solutions integrate or embed into business process?
Schanbaum: I believe that business processes and security solutions are like parallel lines. No matter how close they get they will never meet. This integration of the business and security processes will always be born out of necessity and will be driven by the desire of the corporation to protect its data. Specialized Security Services, Inc. has worked with many of its clients to integrate these processes from the inception of a project. However, some things will never change, the security process is a secondary discussion at a project’s inception, but it’s never a priority. It is my opinion that the security process should be an integral part of a project that will move any type of data within or out of the network. Due to time constraints, network speed requirements and the uniqueness of each corporate network I do not see a time when a security solution can completely address the needs of the business processes out of the box.
Skroupa: Is this anticipated, and if so, how far out on the horizon do we project this shift will take to occur?
Schanbaum: I do not believe this will occur. With the development and compartmentation of how networks are designed. Network security can be analogous to how a baseball team uses a pitching staff in a single game. There is the pitcher who begins the game, there are short and long relievers, setup pitchers and closers. Over time, the strategy of the game gets more and more specific. Security solutions are exactly the same; Antivirus/Malware are specific to a device and more often than not a separate software installation. Firewalls have specific modules that provide specific security functionality based on licensing so that they can be tailored for specific business processes. Again, this brings out the cynical side of me. Why? What is the incentive for a software or hardware vendor to build a tool that will meet the needs of the business? It is in software and hardware manufacturers’ best interest – money, money, money – to develop specific tools for specific security solutions that can be custom tailored to the needs of the business.
Skroupa: In the meantime, what’s the best approach for finding clarity in complexity?
Schanbaum: I have been doing this for more than 20 years and I love what I do. I am a geek, I don’t really think about much else. I am still in the field working with my engineers on a day to day basis. The complexity is not going to go away, ever! In a world where corporations are under attack from attackers more and more, the ability to stay ahead of the bad guys will be more difficult to protect the data within the corporate infrastructure. Call me old-school but the greatest asset we have to contain the bad guys is the human element; face to face conversation brings about clarity to complexity and allows for the building of a powerful solution. It is never easy to navigate all of the pitfalls of developing a security solution that can be married to the business process. It is like the movie The Martian: “Everything in Space is designed to kill you, so you can die or you can science the s–t out of the problem.” In my opinion, that is what we do every day, we chip away at one complex issue at a time. It starts with one person but in the end it takes a team to identify, clarify and simplify the complexities and carry them to fruition.
Scott Schanbaum is a regular speaker at many of the cybersecurity related conferences put together by Skytop.