There are no real shortcuts to most security problems

For Xerox Chief Information Security Officer Dr. Alissa Johnson, human ingenuity, partnerships and automation are the answer to most security problems the company has encountered and might yet encounter.

“The future is an amalgamation of many futures, shaped by privacy policies, breaches, all types of threats and cybersecurity responses. Changes in any of these change the trajectory of the future,” she explains to Help Net Security. “We try to comprehend all of the possible futures and to prepare for them. There are no real shortcuts. I wish there were, but there aren’t.”

So, the company gets ready for the unknown by championing a multi-layered approach to security, whereby one layer can serve as a safety net for the others.

Cybersecurity insurance shouldn’t replace defense

One of the security layers that every enterprise should maintain to optimize their security is cybersecurity insurance. But while having it makes good sense, relying on it as a replacement for sound security practices does not.

“Diverting more funds into cybersecurity insurance instead of bolstering defenses increases the likelihood of a breach. More to the point, though, insurance payments can’t make up for all of the damage done by a cyberattack,” she points out.

“When customers’ personal data is stolen, businesses can lose trust. When trade secrets and pricing become available to competitors, reputations and brands can be weakened and business can be lost. Fixing the problem can be a big drain on time as well as money. And make no mistake, the costs are high.”

The various security layers are meant to complement one another. “Expecting that one layer to replace or compensate for a lower investment in another is shortsighted,” she opines.

Defending against APTs

Dr. Johnson was, at one point, the Deputy CIO for the White House. Today her two overarching goals are ensuring the security of the Xerox corporate infrastructure and all the products they sell that connect to the internet.

To defend the company’s infrastructure against advanced persistent threats, the company employs advanced, persistent defense built on intrusion prevention, compromised device detection, documents and data detection, and external partnerships.

For intrusion detection they rely on solutions such as internal firewalls, user access solutions, and authentication and whitelisting technology from McAfee. To detect compromised devices they employ measures such as firmware verification.

They keep personal and confidential information safe through capabilities such as secure print and encryption features. Finally, they work with compliance testing organizations and security industry leaders such as McAfee to enhance and protect devices with the latest security standards.

“By partnering with cybersecurity leaders, we gain expertise that complements our own, and by automating we ensure that our routine security monitoring is fault-proof while freeing our best minds to work on our toughest problems,” she notes.

“In the process, we are establishing and nurturing an infrastructure and culture that is ready to preempt and respond to any and all threats, now and in the future. We bring that same mentality to our customers and our partners, sharing with them the data security lessons we have learned on the front lines of protecting our printers, scanners and other connected office equipment.”

Dealing with the cybersecurity skills shortage

According to reliable estimates, 70 percent of jobs in the cybersecurity field will go unfilled by 2022.

Xerox’s answer to expanding security needs and insufficient labor is, again, automation and partnerships.

“Automation because talent needs to be pulled away from babysitting data centers and blinking lights, to focus on high-risk, high-opportunity data that gives the user a richer, higher-level experience. Partnering because a more open culture with vendors cooperating to develop technologies that meet the challenge can compensate for widespread duplication of effort across organizations,” Dr. Johnson explains.

Getting the board on board

But for an effective defense, it’s crucial to get the company’s board and the C-level executives on board and to work well with them. The key to doing this is good communication, solid strategic plans and strong execution backed by measureable results.

“C-level executives need to understand your situation, to know how real the threats are, and to know how damaging and how costly breaches can be. Fear can be a great motivator, and in this case, the fears are very real,” she explains.

“Once you get their attention, you need to lead them with a strategic plan that addresses your situation. Our plans emphasize leveraging our expertise and that of partners, and automating wherever possible, to make the most of the resources we have. These are concepts that we apply successfully in other parts of the business, so our executives are quick to grasp where we’re going.”

With top executives on board, they’ve gotten consensus to make cybersecurity a critical focus area in their research labs as well as a critical customer requirement, so security is “baked in” during product development.

The final requirement – measureable results – is achieved by measuring their performance in a number of ways, including tracking attempts to breach their infrastructure and their success rate in keeping would-be intruders out.