“Strengthening, separating and segregating networks, and cryptography”. This is what was meant by security when Marta Beltrán began her career 15 years ago. As this author, lecturer and researcher (she is the coordinator of the first cybersecurity degree in Spain) points out, “the aim was simply to protect data in motion and data at rest”. Since then, we’ve changed how we interact with technology, and we work on different concepts in relation to protection: “we start to talk about managing logon IDs, secure development methodologies, malware and advanced threat protection”.
In 2014, you wrote Cloud Computing, Technology and Business. How do you think the cloud has changed in terms of security?
I would say that we’re starting to protect our cloud systems. Until now, products and services have been created that are marked by the needs of the client, only worrying about how well they work, but not at all about security. Security was usually added on at the end of the creation process. In the last two years, we’ve taken a quantitative and qualitative leap as far as cloud security is concerned. We’re starting to be more aware of its importance, and of the fact that, for example, externalizing part of the technological infrastructure doesn’t mean forgetting about the risks that we’re running. The provider is no longer the only source that needs to concern itself with the company’s security. Most users are now aware that there exists a shared responsibility, that there are threats when it comes to contracting cloud-based services, and the measures and protection that need to be taken are different for each of these specific services. An antimalware agent isn’t the same for a PC as for a cloud-based service.
Constant innovation can be a challenge in terms of security. How do you manage to stay up-to-date?
You need to have a clear strategy. There are certain sectors where the appetite for innovation is part of their key strategy, and so this allows them to advance more quickly and to take more risks. Others, such as the industrial sector, or critical infrastructures, tend to be more conservative because citizens and governmental administrations depend on their services (airports, nuclear power stations, power plants). In the case of startups, which are very cloud focused, and usually have everything externalized, it isn’t that it suits them to be innovative, rather that they must innovate to survive. This is why they tend to assume more risks, and their innovation can’t have a negative impact on the security environment. This is always going to depend on the sector, the business, the country. At the university, what we try to do is to have as much technological transparency as possible. We allow ourselves to be more innovative, to think big, in order to convey that innovation to companies, to the productive sector, and to administration. This exchange of knowledge is important: subjects that are researched at the university need to reach companies.
How important is it to train employees?
Training and awareness, in both personal and professional environments, are very important. People aren’t always aware of the risks they run in the personal ambit, or of the fact that it can have consequences in the professional sphere: the use of unprotected networks and devices from which people often access personal banking, or where sensitive information is stored, or from which people access corporate accounts. In the case of the professional sector, the internal risks, which are so common, most of the time aren’t down to malice, rather to carelessness or imprudence, or even a lack of awareness of the rules. Companies must take security seriously, provide training about company policy (about laptops, networks, having secure passwords). We must implement security from the very beginning, have a clear idea of what can be accessed and what can’t, and designate a security contact with whom to make contact in case of incidents.
What cybersecurity advice would you give a company that wants to stay safe in a new ecosystem?
I would tell them that it’s important to apply common sense and to stay protected at an appropriate level, according to the risks that they’re facing. From a technological point of view, there aren’t as many limitations as it may seem. That is, there are already cybersecurity solutions for almost every problem that we could have to face. I would also say that it’s important to approach security from an incremental standpoint. Once you know the risks you’re facing, you can’t expect to resolve them all in one day, because they are always going to be changing. As you try to mitigate risks, other new risks are going to appear. Companies must start out from a base scenario and go on improving non-stop, acquiring new know-how, and new practices to face up to constant threats.