Three things executives should know about cybersecurity

Our society is increasingly digital, utilizing more technology and collecting massive amounts of data in every aspect of our lives. We also have witnessed an increase in the number and complexity of threats to that digital world over time. Investments in cybersecurity tools and expertise are being made at unprecedented levels. According to Gartner, a research and advisory firm, global expenditures on cybersecurity and information security will approach $124 billion in 2019. 

I recently sat down with Dr. Carolina Cruz-Neira and Philip Huff at the University of Arkansas at Little Rock to bring awareness to common misconceptions in the cybersecurity industrial complex and tips for companies who want to implement effective security protocols against these growing cyber threats.

Dr. Cruz-Neira’s official titles include Executive Director of the Emerging Analytics Center (EAC) and interim Computer Science Department Chair, and Arkansas Research Alliance Scholar, though those don’t fully represent her achievements. Dr. Cruz-Neira is an esteemed computer engineer, designer, and technology pioneer who invented the CAVE (an immersive virtual reality environment) and has been at the forefront of data analytics, visualization, virtual and augmented reality technology and research for over 20 years. Philip Huff is an assistant professor who recently joined the EAC as a cybersecurity research fellow, fresh from the front lines of cybersecurity work at the Arkansas Electric Cooperative.

Huff, Cruz-Neira and several others from state and federal entities are working with the American Cyber Alliance, a new initiative to create partnerships among private sector, academia, government, and military that will strengthen our country’s defense against cyber attacks.

JF: What are the top three things executives in every sector need to know about cybersecurity?

PH:  One of the big problems in cybersecurity now is the lack of workforce required to perform the necessary function for companies. It’s a rising part of every organization, with risk growing larger over time. It does require in-house personnel to really understand the risk. That involves hiring a lot of people, usually local people, so it can be a problem just to find people that are qualified to do the job in a way that provides value to the organization. Identifying your cybersecurity workforce needs and developing the pipeline should be a huge priority.

Measuring effectiveness in cybersecurity is very important – having the right measures in place to understand the investment that is being made and whether or not you are actually reducing risk. You can throw lots of money and resources at cybersecurity but if you don’t have good understanding of how it’s reducing the risk then you might get stuck with some expensive technology and systems that may not be optimal for your organization.

Another major issue is understanding that the threat is imminent. What I mean by that is – there’s not a lot you can do in today’s computing environment that completely removes risk of a cybersecurity incident. Preparing for the incident and being able to minimize damage when something happens should be a main focus of the cybersecurity team. The idea that you’ll be completely secure, that your organization will not have to deal with cyber threats, is totally false. Just about every type of organization has been a victim in some way of cyber attacks. The threat actors are incredibly sophisticated and are able to implement attacks so well that it’s impossible to remove the risk completely.

JF: What is something most people would be surprised to learn about cybersecurity? Are there any common misconceptions?

PH: There are a lot of misconceptions about the world of cybersecurity. I think it would be surprising to know how much data companies might have out there and how difficult it is to constrain data. With increasing use of cloud services, VPNs, and other platforms, the organizational boundary that you have in place and what you’re protecting has increased in scope. Even the amount of data that people have to analyze to understand their cyber risk has increased. As we increase use of automation, deployment of information systems, it could also be surprising to know how vulnerable the company’s operations actually are.

JF: In what ways is Arkansas poised to move the needle on cybersecurity?

PH: Arkansas has made a lot of investments in educating students, and those investments are going to pay off in producing the cybersecurity workforce. One of the biggest assets for cybersecurity in any organization is a capable workforce. By having that, we attract national and federal partners for collaboration.

We also have a lot of critical infrastructure that intersects in Arkansas. Electric infrastructure, trucking and logistics, food and agriculture, there’s a lot of that going on in Arkansas, which means a lot of risk for the U.S.

Another advantage we have is that we are nimble and small enough to communicate across sectors and the state rapidly which can be hard in large states and large organizations that aren’t tied geographically to each other.

CCN: Another asset is that many of the students in our universities are local. Compared to national average, Arkansas has a higher U.S. undergraduate student population. Having a higher percentage of domestic students allows us to contribute more aggressively to the cybersecurity workforce due to their ability to receive security clearances and other credentials needed for some cybersecurity jobs.

JF: How did UALR come to work with the American Cyber Alliance?

CCN: We were part of the team the developed the vision and strategy for the American Cyber Alliance led by Lee Watson.   As we got deeper into the discussions, we realized there was not a well-integrated approach to cybersecurity in the U.S. Everyone was kind of doing their own thing. Interaction between industry, government, military, educational institutions is not easily facilitated.  

When a cyber attack or incident happens in your company, you can’t just call 911. So who do we call? That is a fundamental issue we are facing today.  Many companies have become very savvy in cybersecurity and they have their own tools and methods to deal with cyber threats, but there is no easy way to share that with the government, military, or for training and educational purposes.  With the military, people involved in cybersecurity need security clearance, the information can’t be shared with the public.

We need to look at cybersecurity as a big umbrella at the national level that involves K20 academia, industry, government, and military and try to figure out the needs, what training can be done, and what innovations need to be made. To some extent, the tools used in cybersecurity today are not as technologically advanced as tools that are used in other sectors where technology plays a key role. We realized that Arkansas is like a microcosm of the U.S. – we have a large community of industries where cybersecurity is critical, we have a large number of government organizations, and a convergence of some important national infrastructure.

Blog post contributed by: Jennifer Fowler Director of Education, Outreach & Diversity, Arkansas NSF EPSCoR Arkansas EconomicDevelopment Commission Little Rock, Arkansas Email