Hi, I’m Ken Dawson, the CISSP-certified Chief Information Security Officer at ClearStar, and this is the next installment of For the Public Record—a blog that features thought leadership from the most seasoned experts on our staff, across all functions of the background screening process.
Most discussions, questions, and anxieties that we hear around information security, seem to be about things like firewalls, virus and malware detection tools, SSL/TLS, zero-day exploits, and sophisticated hackers. While all of the high-tech software and devices are important, information security is really all about people. If we look at it from the right perspective, we can see people are the key to understanding what we are securing, why it needs to be secured, and how we can effectively secure it.
What are we protecting?
The usual answers that revolve around data, systems, servers, databases, data centers, and source code hit at the various ways we store, access, and provide information. What they obscure is the real victim in any security breach—the people whose data is exposed. The reality is that it’s real people who are harmed when a security incident occurs—family and friends, coworkers, business owners.
By focusing on the real people who will be most affected by any vulnerabilities that can be exploited, we are able to see the true risks involved and prioritize our efforts properly. It’s often too easy to view all of this as having abstract, unnamed potential victims or to assign all of the risk to large entities like businesses or government agencies, but when we see that the impacts of the failure to address the risk is actually on individuals, it can help to motivate us to find solid solutions.
Why does it need protecting?
It would be easy to blame the potential vulnerabilities on insecure systems, aging software, inadequate controls, or unpatched servers. All of those can lead to exploits and breaches, but the root cause of the issue we’re protecting against is that people make compromises that allow access to the information. If you look at the latest publicly-revealed breaches, the common thread is that someone inside the organization was either careless about following procedures, was taken advantage of through social engineering, or was made vulnerable by an organization that didn’t implement controls with the necessary rigor.
These were all people-centered issues and not failures of technology or security controls. In many of these cases, the controls were in place but were circumvented through carelessness or a lack of vigilance. In other cases, it was the technology and security teams who failed to live up to their own security policies, leaving the person who was targeted open to the attack.
How do we protect it?
The answer is the same as the previous questions—people. What is needed to protect the information we are entrusted with is to have a solid team that is empowered to do what is needed, is trained properly so they know how to act, and is provided with the tools to do the job well. The tools and training will enable your people to avoid common vulnerabilities and attack vectors. The key to making this work is to empower them to work together as a team to act when necessary.
So the initial point of focus for us in information security should be placed squarely on people. That is, the people who trusted us with their data, the people who are most likely to be targeted by the bad guys, and the people who can work together to prevent the attacks from being successful. This is For The Record.
Let's start a conversation
Ken Dawson - Chief Information Security Officer
Kenneth “Ken” Dawson is a founding member of ClearStar and currently serves as its Chief Information Security Officer. Ken is responsible for evaluating, designing, and implementing background check technology solutions that combine information from disparate information sources in varied data formats.
Before forming ClearStar, Ken developed enterprise systems for United Parcel Service (UPS) and Kaiser Permanente. Ken began his career in software development and content delivery in 1990 while working as an intern for Conatec, Inc., an aerospace engineering firm.
At ClearStar, we are committed to your success. An important part of your employment screening program involves compliance with various laws and regulations, which is why we are providing information regarding screening requirements in certain countries, region, etc. While we are happy to provide you with this information, it is your responsibility to comply with applicable laws and to understand how such information pertains to your employment screening program. The foregoing information is not offered as legal advice but is instead offered for informational purposes. ClearStar is not a law firm and does not offer legal advice and this communication does not form an attorney client relationship. The foregoing information is therefore not intended as a substitute for the legal advice of a lawyer knowledgeable of the user’s individual circumstances or to provide legal advice. ClearStar makes no assurances regarding the accuracy, completeness, or utility of the information contained in this publication. Legislative, regulatory and case law developments regularly impact on general research and this area is evolving rapidly. ClearStar expressly disclaim any warranties or responsibility or damages associated with or arising out of the information provided herein.
