BY CHRISTOPHER P. SKROUPA | FORBES CONTRIBUTOR 5/30/2017
Scott Schanbaum, co-founder and CIO of Specialized Security Services, Inc. (S3), consults with clients world-wide on cybersecurity trends and best practices in vulnerability management, security penetration testing, security consultation and assessment, policy development and implementation of security hardware and software solutions. Clients depend on his extensive background in defining shortfalls and implementing solutions within diverse industries. Schanbaum conducts training sessions and hosts information workshops internationally in major business centers such as New York City, London and Rome at Forbes Magazine business conferences. He has conducted training sessions for the U.S. Department of Justice, Scotland Yard and British intelligence agencies. As an expert on the EU General Data Protection Policy, international clients rely on Schanbaum to help ensure their compliance with this sweeping new policy.
“We take a trusted advisor approach to help enterprises focus on the critical aspects of their business by building a security strategy that adapts to their specific needs.”
Christopher P. Skroupa: What is the greatest challenge today for companies seeking cyber solutions?
Scott Schanbaum: The interpretation of the idea of a “Solution” may be the greatest challenge. A “solution” is unique to each company and with the layers of C-Executive personnel – CISO, CIO and CTO – it is difficult to get everyone on the same page. Even if you can get a like-minded trio, they must present the challenge of acquiring products – cue CFO – and having the resources – cue HR – to carry out to fruition. The challenges are many, but from a simplistic perspective it’s about how to do more with less. Meaning, the IT group must protect current and new implementations using more specific software with fewer resources. I find these challenges to be more true in larger organizations than in the small- or medium-sized companies. That being said, a cyber solution is made up of more compartments than ever; as networks have become more complex, the security tool sets have become more need-specific. The ability to have a solution/tool that can tackle the protection against attackers is mind boggling.
Skroupa: Seems as though the proliferation of cyber solutions adds a layer of complexity to an already complex challenge. Do you agree?
Schanbaum: In most cases, it is an old technology being updated and rebranded. The skill sets needed do not change that much, but it’s the terminology and how things are integrated that have wholesale changes. Cybersecurity solutions have become more surgical in the way they protect. I see things at root level, and I see how these software vendors have developed or created a need for specific protection of a particular service, application, device – or even a complete network. This is the place where additional layers of complexity are added. Some layers are necessary, some are created and appear to be new, some provide a solution for complete protection within a network.
Skroupa: How do large, complex organizations seeking solutions clarify how to best plan for, invest in and execute on the appropriate complement of solutions?
Schanbaum: This idea brings out my cynical side. I have seen well-laid plans go astray, why? Many reasons; mostly dollars and cents, or changes with the C-level Executives. The plans that work are those that leverage the current corporate culture, the current technology and the expertise within the IT group. When we discuss change or solutions in a Corporate Environment, there will always be some pain. Even the smallest changes are not always met with open arms. This is something Specialized Security Services, Inc. helps IT groups to understand and accept. In a culture that is automating processes and procedures as much as possible, the clarification comes from tried and true programs. Clarification and understanding come via communication and face-to-face conversation. In fact, I used to tell people that the most important aspect of my job was “talking” and helping all the players to get on the same page and embrace the upcoming changes. Remember this definition of insanity: There is a train coming down the tracks, and you believe that the train can be stopped. That is insane, the train is going to keep moving just like changes are going to happen. So, get on board and embrace the change!
Skroupa: Will there be a breakthrough moment when solutions integrate or embed into business process?
Schanbaum: I believe that business processes and security solutions are like parallel lines. No matter how close they get they will never meet. The integration of business and security processes will always be born out of necessity and will be driven by the desire of the corporation to protect its data. Many times, the security process is a secondary discussion at a project’s inception and never a priority. It is my opinion that the security process should be an integral part of a project that will move any type of data within or outside the network. Specialized Security Services, Inc. has worked with many of its clients to integrate these processes from the inception of a project. Due to time constraints, network speed requirements and uniqueness of each corporate network I do not see a time when an out-of-the-box security solution can completely address the needs of the business process.
Skroupa: Is this anticipated, and if so, how far out on the horizon do we project this shift to occur?
Schanbaum: I do not believe this will ever occur with the development and compartmentation of how networks are designed. Network security can be analogous to how a baseball team uses a pitching staff in a single game. There is the starting pitcher, there are short and long relievers, setup pitchers and closers. Over time, the strategy of the game gets more and more specific. Security solutions are exactly the same; Antivirus/Malware are specific to a device and more often than not, separate software installation. Firewalls have specific modules that provide specific security functionality based on licensing, so they can be tailored for specific business processes. Again, this brings out the cynical side of me. Why? What is the incentive for a software or hardware vendor to build a tool that will meet the needs of the business? It is in software and hardware manufacturers’ best interest (money, money, money) to develop specific tools for specific security solutions that can be custom-tailored.
Skroupa: In the meantime, what’s the best approach for finding clarity in complexity?
Schanbaum: I have been doing this for more than 20 years and I love what I do. I am a geek and I don’t really think about much else. I am out in the field working with my engineers on a day-to-day basis because the complexity is not going to go away, ever! In a world where corporations are under increasing cyber attacks, the ability to stay ahead of the bad guys to protect data within the corporate infrastructure also grows more difficult. Call me old-school, but the greatest asset we have is the human element; face-to-face conversation brings clarity to complex issues and allows us to build powerful solutions. It is never easy to navigate all the pitfalls of developing a security solution that can be married to the business process. It is like the movie The Martian: “Everything in Space is designed to kill you, so you can die, or you can science the s–t out of the problem.” In my opinion, that is what we do every day, we chip away at one complex issue at a time. It starts with one person, but in the end it takes a team to identify, clarify and simplify the complexities and bring the solution to fruition.