Interview with Harris Schwartz
Email interview held on 12th September 2017 – as follows between Alan Radley (questioner) and Harris Schwartz (relator):
1. What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?
In many cases, the cybersecurity problems in organizations lead to the problems of consumers, in unfortunate events of sensitive data being exposed or disclosed without permission or authorization. For organizations, the ongoing threat of the “human”, lack of policy or standards, lack of protecting and securing sensitive data, continue to be the ongoing theme, even with all the data breaches over the last several years. Some organizations believe that if nothing has happened to them, then there is no need to be proactive. For consumers, I think when it comes to social media and the like, too many take for granted these social media platforms and share way too much information about themselves and their families. I think families with kids need to make efforts to educate and make their kids aware of “living securely in an online world”. There are plenty of resources available on the Internet. Plus, October is Cyber Security Awareness month – do a search for “Stop Think Connect” and find some great resources.
2. What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?
Interesting question. Vulnerabilities in operating systems and applications – constantly exploited by bad actors to surveil organizations and gain access (kill chain) – on the other side, organizations not doing enough from a threat and vulnerability management perspective to ensure systems are patched on a regular basis and in a timely manner. Running other tools to evaluate both perimeter and internal systems for vulnerabilities. Sure, some could blame the app authors and vendors, but at the end of the day once these updates are released, there needs to be a regular cadence to ensure patching occurs. Then there are the organizations still running end of life (EOL) apps and operating systems, e.g. Windows 2003.
3. Where do you go to find your “science” of cybersecurity?
Back in the day, it was the various mentors I looked up to / regularly collaborated with on various subjects and problems (to solve). Nowadays, it’s being entrenched in the industry and problems, and pulling from the long history and problems of yesterday.
4. Do you recommend a particular cybersecurity blog that our readers could follow?
There are so many blogs and resources nowadays, and I tend to use a combination of expert blogs like Brian Krebs, along with vendor blogs and sites and some of the large orgs like CNET and Wired. If you search for top security blogs, you’ll find a plethora of top 50 or 100 blogs.
5. What keeps you up at night in the context of the cyber environment that the world finds itself in?
Now that I’m consulting with company executives as a virtual CISO, not much keeps me up like it used to when I was working for companies and organizations directly. But, hearing about vast cyber data breaches and major outages always has me watching and monitoring closely, as I often get asked – what to do to resolve the situation if it were to happen to me.
Thank you kindly Harris Schwartz for taking the time out of what must be a busy schedule to answer our questions in such an enlightening way.
Interviewee: Harris Schwartz,
Executive Security Advisor,
Harris Schwartz – Biography
A global security, risk and investigations professional, with over 25 years of private sector experience; experience in the design, development and implementation of comprehensive security, investigations and intelligence strategies in a variety of business climates and organization cultures. Demonstrated experience as a Problem Solver in developing security and risk programs for a variety of business sectors, designing comprehensive threat mitigation solutions, managing and leading incident response for critical information security and cyber security concerns, enhancing data security and privacy across global organizations, and coordinating, managing and mentoring direct reports and multiple departments.
- Successfully implemented Information Security programs across various network, infrastructure and cloud landscapes.
- Led small and large teams in large, global organizations (often matrix managed).
- Implemented information risk management and security intelligence programs, coordinated with enterprise and line of business stakeholders.
- Designed, implemented and managed legal and regulatory compliance efforts for mandates such as PCI, SOX, GLBA, HIPAA, SOC2, GDPR.
- Established governance, policies, procedures, standards, guidelines, controls, assessments, dashboards, metrics and reports required for monitoring, executive and board-level reporting.
- Implemented Security monitoring operations for Security Information and Event Management (SIEM), File Integrity Monitoring (FIM), Data Leakage Protection (DLP), UBA/Insider Threat and Cloud Access (CASB).
- Implemented various security frameworks (ISO 17799, ISO 27001, NIST, NIST CSF, SANS CIS, CSA) for global cyber security programs.
- Managed and governed relationships e.g., with regulators, vendors, partners and payment card processors.
- Developed and managed partner security program to assess and mitigate 3rd party risk to the organization.