Managing programs and developing solutions to safeguard sensitive data everywhere
Bob Olsen is the CEO and founder of North Star Group and COMPASS Cyber Security. Headquartered in Washington, D.C., North Star Group is a project management and risk management firm offering technical services to clients across the government, nonprofit, and commercial sectors. COMPASS, short for Comprehensive Applied Security Solutions, focuses on cybersecurity issues such as training, testing, policy development, threat intelligence, remote security monitoring, and vulnerability scanning. A U.S. Army veteran, Bob brings years of leadership experience that have helped North Star earn rankings in the Inc. 500/5000 along with recognition as a SmartCEO Smart100 Best Run company in the Mid-Atlantic region (2012). Additionally, the magazine named Bob a Smart100 CEO for 2011. He is also Executive in Residence and Adjunct Professor of Cybersecurity at The Johns Hopkins Carey Business School, as well as a board member of the school’s Dean’s Advisory Council.
Q. Can you take us through the companies’ approaches to cybersecurity?
BOB OLSEN: The pieces, which I feel are equally important, are what we call the “three pillars”: technology, people, and policy. On the people side, it’s really about making sure that your organizations have the basic security awareness. Everybody within an organization has a responsibility and a role when it comes to protecting that organization’s data, whether it’s the receptionist at the front desk, whether it’s somebody on the loading dock. It could be somebody in finance or HR. Everybody has a role, and it could be just purely from a physical security perspective, or it could be very hands-on from a data perspective; maybe you’re in the IT department and you have a key role when it comes to protecting data. But everybody has a role, so we really get organizations to understand that fact, and then we also tailor security awareness to those roles. So, everybody needs to have a basic awareness, but then certain departments—maybe HR, legal, finance—need to have more advanced training to have a deeper understanding and knowledge of what they should be doing from a data protection perspective.
What’s really interesting about that pillar of the three pillars is, because technology is so ubiquitous in our lives today, the lines are blurred between our professional lives and our personal lives. What that means is a lot of the lessons and a lot of the guidance that we give to individuals, when it comes to their business or their professional cybersecurity awareness, is directly transferable to their personal lives. Pretty much everybody’s got a mobile phone, and so when we share even just best practice tips on how to configure an iPhone in the most secure way, that’s information that they can go and share with their husband, wife, children, extended family, and significant others, and there’s direct benefit to that.
Part of our vision and, really, our mission at COMPASS is we’re using information security and cybersecurity awareness across the entire population. Our vision statement is “shifting the world’s data to be safe and secure.” It sounds like maybe an unrealistic objective, but the reality is that the only way that we’re going to reduce the number of breaches and security incidents, we believe, is by educating everyone. Again, everybody has a role. Maybe someone’s at their house and they’re accessing their corporate network through their home computer, and if they haven’t taken the necessary steps and the organization hasn’t dictated and defined the policies about acceptable use in a home environment, then you’ve now introduced a really easy way potentially for a bad actor to get in. It’s this holistic kind of ecosystem approach that we believe is really one of the only ways that we’re going to be able to make a difference.
The third piece is the policy piece. Human beings are human beings, and in the absence of rules and regulations, they typically tend to follow what I’ll call the path of least resistance. They may or may not make decisions that are in alignment with the organization’s desire when it comes to maybe mobile device rules, or mobile media like USB drives or thumb drives. If it’s not well defined and communicated to the employee base, then, in most cases, they’re going to make decisions that aren’t in their organization’s best interests. These are really kind of the three areas we focus on.