How to Minimize the Impact of Cyber Attacks on Businesses?

Mark Alvarado, Director of Cyber Security & IT Compliance, Academy Sports + Outdoors

Mark Alvarado, Director of Cyber Security & IT Compliance, Academy Sports + Outdoors

Alvarado is a digital risk specialist with 19 years of expertise in the IT industry. He is responsible for assisting enterprises in identifying digital risks and recommending solutions or controls to close the gaps. He is also a certified IT security specialist familiar with endpoint security, vulnerability management, identity management, data loss prevention, threat remediation, and best practices for securing IT infrastructure. Prior to cybersecurity, he spent 11 years working in high-speed manufacturing.

AS THE DIRECTOR OF IT SECURITY, COULD YOU EXPLAIN MORE ABOUT WHAT YOU'VE SEEN IN THE SECURITY LANDSCAPE IN YOUR LINE OF WORK?

Criminals have found cyberspace to be an increasingly appealing hunting ground over time. There are two reasons for this; first, people today are more connected to internet-based technologies. Our devices are connected to the internet, we conduct transactions over it, and we are trying to connect across it in various ways. While an increasingly connected world makes our lives easier, we also need to think about the security that comes along with it. Most companies are already leveraging technology, and the pandemic has now forced them to do so for those who didn't. Growing tech companies have opted to make remote work easy for their employees, which has enabled cybercriminals to access anything that connects to the internet remotely. We know that data is now the 'new black gold for hackers. They want your data to either sell or exploit and will use ransomware to extort money from you. That is why cybercrime activities are lucrative in the industry. Second, breaches occur because big businesses do not do enough to put the right controls in place, resulting in a shortage of cyber security and cyber professionals to do the job. If the technology exists to help criminals commit cybercrime, it also exists to keep them out. You make it much easy for them if you don't secure your organization. Many businesses are utilizing technology such as AI and ML that allows them to be more efficient and automated today, but some firms still do not—either because they are unaware of it or because they do not want to spend money on it.

COULD YOU ELABORATE ON SOME OF THE BEST PRACTICES BUSINESSES MAY USE TO IMPROVE THEIR SECURITY?

Establishing a governance and compliance structure is one of the greatest initiatives. I first began working in the IT business, and I found that many organizations lacked a clear standard operating procedure and framework in place to set that governance. The framework consists of standards, guidelines, and best practices to manage cybersecurity risk. That's why the government had to start regulating and enacting rules because 'big business' was not doing enough. Security has since been split into two categories: operations and governance and compliance, which helps to keep everything under check. The operational side is responsible for securing things that people use daily. In contrast, the GRC side is responsible for ensuring that you are following the rules and complying with data privacy and data protection legislation to keep the bad guys out.

WHEN IT COMES TO IDENTIFYING ENTERPRISE SECURITY SOLUTION PROVIDERS, HOW DO YOU GET THEIR ATTENTION? IS THERE A PROCEDURE FOR EVALUATING THEIR VALUE PROP AND PARTNERING WITH THEM?

Before choosing the right vendor, we need to understand where our organization is and where we want to be. We must ensure that our roadmap is realistic and we are aware of the regulatory compliance and where our data is flowing. Some businesses operate on-premise, others have moved to the cloud, and many enable employees to use their own devices (bring your own device). This is how company data is transferred to non-company-owned devices, posing new issues. We need to look for the correct tool; otherwise, chatting with vendors may take you down a rabbit hole.

ANY PIECE OF ADVICE THERE FOR UPCOMING PROFESSIONALS IN THE FIELD?

I would advise aspiring professionals to be well-versed in a few areas, particularly the business side. Unfortunately, I've seen many professionals become so engrossed in technology that they cannot apply it to the business side. To understand where the difficulty lies, I believe that every CSO should have a comprehensive understanding of business and technology—how it operates, where data flows, and the infrastructure.

"I Think Security Folks Should Learn About Databases, Operating Systems, Hardware, Configuration, And Coding To Understand How To Secure Them Before Becoming A Cyber Professional"

Another key consideration is to be aware of what is on the horizon regarding data privacy and protection. They must ensure that their organization complies with state-specific data privacy and data protection laws. After they've grasped those concepts, what are the company's risk appetite and business strategy? Finally, they must ensure that their IT security program is aligned with their business objectives. Because if any company wants to use your security plan, you must be able to justify it in terms of business operations, financial aspects, and regulatory compliance. These points will be very useful to be successful in the industry.

Read Also

Intentionality Is The Key To Increasing Diversity In Information Technology

Intentionality Is The Key To Increasing Diversity In Information...

Rosemarie Lee, Vice President and Chief Information Security Officer at BlueCross BlueShield of Tennessee
Dear CIO, You Must Support The CISO: It's For Your Own Good

Dear CIO, You Must Support The CISO: It's For Your Own Good

Christos Syngelakis, Group CISO, MOTOR OIL [MOH: GA]
Ensuring Cyber Security through Cloud technologies

Ensuring Cyber Security through Cloud technologies

Eric McKinney, Enterprise Infrastructure Director, G & J Pepsi-Cola Bottlers