Things are getting ugly out there. I had a chance this week to chat with Gary Hayslip, the first CISO for the City of San Diego. He also co-authored the book “CISO Desk Reference Guide,” about the changing role of the CISO and how to be prepared for today’s threat landscape. This discussion came on top of a Forrester report [Disclosure: The report was funded by Varonis, a client of the author] detailing just how poorly prepared private and public organizations are to protect their data, and the devastating breaches at companies like Yahoo and organizations like the Democratic National Committee.
Let’s talk about what I learned from Gary, and we’ll close with some of the highlighted survey results. By the way, Gary will be at RSA and is a fascinating guy to talk to, so if you are there and see him, a chat is well worth your time.
Management is important
One of the reasons San Diego is in far better shape than most of the organizations I speak to is that the mayor and the city council, likely because of the growing tech presence in San Diego, were solidly behind the effort to make the city more secure. One of the primary reasons I see security efforts fail is that the security organization is often treated as little more than a symbol, and is generally under-resourced and underfunded. That isn’t the case in San Diego. At around 1.5 million people, San Diego is ranked 8th by size in the U.S.
San Diego’s problem
Currently the city is managing 5 petabytes of data that is effectively owned by its citizens. This is a massive amount, and when Gary took over no one seemed to know who was accessing this data or how it was being used. It represented a huge city resource and asset, responsible for an equally large city cost, and it wasn’t being adequately managed or protected.
Phishing and ransomware attacks have increased sharply (ransomware by 10x) over the last several years. In addition, the city has a whopping 4,000 vendors with permissions to access, and potentially change, city data, any number of which could be fake.
He looked at a broad cross section of solutions, and only Varonis did what he felt needed to be done. This allows him not only to respond immediately to internal breaches, but to nip successful ransomware attacks in the bud, limiting the damage done. How he got there was by building a detailed understanding of the exposure, so that he could set rigid, vendor-independent criteria that let him get underneath marketing and sales promises and select the best vendor. His process is likely as important as his selection.