The next expert whom we had the opportunity of speaking with is Joel Norris. Joel is a Certified Information Systems Security Professional (CISSP) with 20 years of experience and expertise in designing, implementing, and troubleshooting network infrastructure and security. He is also delivering classes on Vulnerability Management and Delimit of Systems and System Requirements at Swiss Cyber Forum. Continue reading and uncover his insights around insider threats and learn how Joel stays up to date with industry news and updates affecting cyber security.

1. Hey Joel, welcome to our “Security Expert Interview Series”! We appreciate you sharing your opinions with us and our audience. Can you give us an introduction about yourself, Joel? How did you venture into cyber security world?

Hello. I am Joel Norris. I started my adventure into IT by joining the US Army Reserves, from there I got my first real job working with Raytheon migrating UNIX systems then started to work with SAP. I ended up working at a helpdesk for a few years before going to Afghanistan in which I became an information manager officer.

Eventually, I ended up working for the US Government as an Information System Security Manager of one of the US Army Commands. I would say I always had an interest in Security especially because of a military background. I started off with Security in 2010 then went on to get certified ethical hacker, then to CISSP. So to answer the main question when did I start getting into the field of security I would after Security, it was when I started to understand security basics in better detail.

2. You are holding the position of Cyber Security Manager. Please tell us about some of the biggest challenges you face in cyber security.

I think one of the biggest challenges is working with most organizations is going to be working with IT operations to ensure they are practicing and implementing security controls and best business practices. Most organizations view the security teams as the ones to manage any security issue and provide funding if a change is needed for security. In reality, the security implementation belongs to IT operations and application teams. So one of my biggest challenges in the private sector has been working on behavioral change within the IT department.  

3. Do individuals and businesses underestimate the importance and real need to be cyber safe?

I think ultimately they do, everyone is looking for the magic tool to take care of the security posture. The problem is that in order to ward off security risk you have to address your weaknesses and sure in some cases tooling helps but in reality manpower is needed to fix the issues and most organizations would like to innovate instead of securing their enclave. Sure, addressing vulnerabilities is not as fun as working on a project that will enable businesses to get better reports or work in a more automated way.

But in order to reduce your overall risk exposure, someone has to do the work. I also find that some organizations spend thousands or even millions to work on detection which is good, but the business should understand detection does not equal security if you leave the doors open at the end. In simple terms you have a house in which you have to secure, Where do you begin, I think most people continue with remodeling the interior of the house by putting in new appliances. But what you should focus on is the doors, windows, and fences if you are trying to secure your house.

4. Do you find that businesses are changing in the way that they consider data and how it can be utilized for strategy?

I think businesses are becoming more aware of security issues, in that new incidents are impacting business on a daily basis. In the last organization I was in, they thought security was important but not important enough to spend an adequate amount or to even run system built-in tools to improve the overall security posture. It was not until a partner had a major breach until management addressed what we have in place to help us prevent this situation from impacting us.

5. We would also love to hear your opinions on insider threats. How have insider threats evolved in the last 5 years?

I think insider threats have always been in the background. It is not that they have just appeared out of nowhere and are on the increase. I think what has changed is the ability to detect insider threats, hence why it has become more of a topic for organizations. You have to keep in mind employees are people and people will always try to take advantage of certain opportunities. 

6. In fact, insider threats are a massive problem for organizations across many industries, particularly now with new remote-working arrangements. How these threats can be stopped and prevented?

In order to put light on the situation of these types of threats, you would have to start defining and implementing Data Classification policies and data loss prevention methods. Organizations could start managing their data in a secure way and monitor the activity around it. However, I still think it is a little further away in that most organizations do not even manage their third-party vendors properly.

Most organizations will trust that vendors have their best intentions in place for them and grant them access to almost anything through VPN. So if organizations are not even managing third parties right they are far from managing insider threats.

7. How do you stay up to date with industry news and updates affecting cyber security?

I belong to other organizations that focus on security topics and take training anytime it is available. I think one key thing to remember when you work in this field is you do not know everything and must stay up to date. I also follow various podcasts and security groups to stay relevant. 

8. Finally, if you could give your 25-year-old self just one piece of career advice, what would it be?

Starting a security company, joking aside, I would tell myself to not stay in the helpdesk that long and start moving into coding, even though I dislike it but it is relevant and I only see it growing. I see a shift in security from Plans and Policies to more technical.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.