As President of the Association of Information Technology Professionals (AITP) of Atlanta, I am honored to host some of Atlanta’s top technology professionals for our monthly meetings. And our October meeting on cyber security was certainly no exception! We were thrilled to hear from Joe Marroquin, CISO at Encompass Digital Media. He has an extensive background in technology and is an accomplished author as well.
It was a pleasure to have Joe share the knowledge and experience he gained over a 20-year career in global consulting, as well as from his time as a United States Naval Line Officer. In the Navy, he focused on cryptography, networking and databases, and taught at the War College.
I learned so much from his presentation that I can’t fit it all into this blog post. But here are a few of the main takeaways. If you want more, check out this timeline of privacy and security.
IT security through the years
Information technology (IT) is one of the most vibrant, fast-paced fields. IT is changing and developing at tremendous speed. So much so that it is becoming harder and harder for tech professionals to keep up to ensure digital security and privacy.
If we think about 30 years ago, circa 1990, how was IT different? How has the technology that we use changed? How was the world of security different?
Even if you think back only 10 years, we live in a fundamentally different world than we did then. The speed of change continues to increase. And in IT, we are constantly working to stay ahead of the curve.
To truly understand where we are and where we are going in security and privacy, we have to understand what came before us.
Now let’s go back 100 years.
Digital privacy isn’t a new concept. If we take a look at the 4th Amendment of the U.S. Constitution, we see the protection of one’s privacy mentioned as, “The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures…”
Now, of course, the colonists weren’t concerned about the government obtaining their personal emails or listening to their cell phones, but this is where we really see the right to privacy and security born.
If we fast forward to the early 1900s and the 18th Amendment, we already start seeing changes in technology. People had telephones and could call across state lines. And with technological advances comes an adjustment to security and privacy.
For example, if you’re having a conversation in your living room with friends, you expect privacy, right? But if I’m talking on the phone to my friends, is the privacy still there?
With the 18th Amendment and Prohibition came bootlegging. Roy Olmstead was an infamous bootlegger whose Supreme Court case marked a shift in privacy law. The FBI wiretapped his phone to catch him in the act, and they were successful. Olmstead was arrested and charged with bootlegging. He and his attorneys argued that his 4th Amendment rights had been violated.
However, in Olmstead v. United States (1928), the Court ruled that Olmstead’s 4th and 5th Amendment rights were not violated. Even though Olmstead expected to have privacy in his own home, his right to privacy didn’t extend to his personal phone calls.
This was later overturned by Katz v. United States, which established the Katz test to determine where U.S. citizens can reasonably expect privacy. It also placed the focus on protecting the person’s privacy, not a place. That was 53 years ago.
So, what’s happened since then?
Government sponsored laws:
- The Department of Defense – Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes more than 300,000 companies in the supply chain. The Department of Defense released CMMC version 1.0 on January 31, 2020.
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being shared without the patient’s consent or knowledge.
- The Cyber Assessment Framework (CAF) provides a streamlined approach to assessing the extent to which cyber risks to essential functions are being managed by the organization responsible for them.
- Public Company Accounting Oversight Board (PCAOB) is a nonprofit corporation established by Congress to oversee the audits of public companies to protect investors and the public interest by conducting accurate, independent audits. The PCAOB oversees the audits of brokers and dealers.
Private professional groups: As the government started coming out with more and more regulations, private professional groups also started to emerge. These groups included the American National Standards Institute, American Association of Public Accountants and the Information Assurance of Small and Medium Sized Enterprises. They were put in place to ensure that businesses and people operate in an ethical way.
International standards: As more problems arose and more questions went unanswered, even more standards were developed to ensure privacy and security. Some of these standards bodies include the Information Systems Audit and Control Association (ISACA), CompTIA Security Training and the International Organization for Standardization (ISO27001). From what Joe has seen from an information security perspective, ISO27001 has become the standard that a lot of companies in the industry use.
In any medium to large company, you are probably touched by some of these standards daily. When looking at privacy from this angle, what you’re really dealing with is your company’s compliance policies. This is where things like end-point management, access control management and asset management systems come into play.
Are the laws and compliances keeping up with the fast-changing technology?
Government laws and standards always lag the technological advances that we see every day. For example, if you have a device that connects to the internet, within 20 minutes it could start getting attacked if you don’t have security in place. Unless you have endpoint protection, it will probably be overrun by viruses within 24 to 48 hours.
But something that keeps me feeling optimistic is that we live in an exponential world. There are few problems that we can’t solve. There is always someone somewhere that can solve this or any other problem.
With compliance, if you leave your door unlocked, or if you allow someone to put a server on the internet without bringing your Data Architect in to ensure it is secure, you are sacrificing safety for business’ sake. Being aware of what or who is coming into your systems is crucial.
The big, bad AI
Like I’ve said, technology innovations are growing and changing faster than our laws and compliance can keep up with. Sophisticated machines are now able to search for open ports to gain access to our servers if we leave them open. Our regulations aren’t just keeping people in check, they’re now responsible for keeping machines in check, too.
With AI and machine learning, it’s easy for us to fall into the trap of, “AI will solve all of my problems and make my coffee too.” If we have a gap, we need to learn how to correctly fill that gap safely.
“The industry is building tools that are helpful, but if we’re not careful, we could be using a hammer to screw a screw. But if we do our due diligence as IT professionals, we should be able to mind the gap between the business and technology,” Joe said.
If we follow our processes and standards, we can take care of the “blocking and tackling” of security. And that will hopefully keep most of our problems at bay. It’s staying on top of your security, and not taking the easy way out, that counters the attackers’ machines. It’s not person against person anymore. It’s truly machine against machine.
You know, frankly, I miss the days when I could run a cable to my neighbor’s house and watch the new season of The Mandalorian. But every day, we face the reality that our databases may be hacked, our laptops might be overrun with viruses, or simply that our kids may stumble somewhere dark on the internet.
But if we lock our metaphorical doors, ensure our security infrastructures are up to date and we hire the best and brightest security and cloud professionals to help us protect our data, we can stay one step ahead of the game.
About the author
Steven Wright serves as a Senior Account Executive for Synergis and volunteers his time as President of the Atlanta chapter of the Association of Information Technology Professionals. Steve has had a career in technology, spanning more than 25 years. He has always served in an advisory, and relationship development capacity, working within sales and business development groups for healthcare technology outsourcing, manufacturing, professional service, and, most recently, the staffing industry. In his free time, Steve enjoys learning about new and emerging technologies. This love of tech has helped him aid clients and candidates alike in their career and talent journeys.