San Jose CISO on 'Security and Privacy After 2020'

The historic COVID-19 pandemic has generated security and privacy challenges for government — but opportunity as well, San Jose Chief Information Security Officer Dr. Marcelo Peredo said Thursday during a discussion at the virtual Cybersecurity Symposium for Smart Cities ’20.

The COVID-19 pandemic has presented governments with challenges and risks around security and privacy that they may not have foreseen — but it also offers tremendous opportunity coming out of 2020, a top Silicon Valley chief information security officer said Thursday.

During remarks on “Security and Privacy after 2020” at the virtual Cybersecurity Symposium for Smart Cities ’20, Dr. Marcelo Peredo, CISO for the city of San Jose, discussed short-term and long-term risks to consider, what smart cities can do now to resolve privacy and security issues, what they should be concerned about, and potential gains in store. Among the takeaways:

• The threat landscape has changed, Peredo said during the panel discussion with Zulfikar Ramzan, chief digital officer at RSA Security, and in the short run, governments need “to really adapt and to really embrace some of these new technologies that will help us protect moving forward in this new normal.” That means deploying and enforcing multi-factor authentication, not just two-factor authentication, to ensure that devices have the correct security postures before they join your network. It can mean adding layers between devices or adding a security broker and ensuring any issues are mitigated through constant interaction. And it also means doing updates and security patches — basics that are sometimes overlooked in the rush to roll out remote work and get devices to staff.

• In the longer run, governments also need to look at privacy and how things should be done from legal and ethical points of view. San Jose is working “very hard,” the CISO said, on establishing its new privacy policy, which is based on principles like only collecting and sharing the data it needs, controlling what it has collected, and being open and transparent.

“As we embrace this new world, I think the protection of the data and making sure that we collect only the data that we’re supposed to collect … will be important,” the CISO said during the conversation, which was moderated by Matthew Rosenquist, CISO at Eclipz.io Inc.

• Asked his thoughts on zero trust and his worries in implementing new protection technologies, Peredo pointed out that San Jose has embraced the National Institute of Standards and Technology (NIST) cybersecurity framework — but he noted that changes in the threat landscape mean whatever security levels were acceptable last year have changed. A methodical approach to managing risk may yield the best results, the CISO said, because entities can bring formulas or approaches to bear when applying their available resources to decrease risk. Zero trust, he added, enters the picture when officials analyze risk controls and how they should be viewed and implemented for the best performance.

• This has been a year of historic challenges on multiple levels for government. But as bad as it sounds, Peredo said, “we’ve been waiting for this moment in the sense that as cybersecurity professionals for the past 10 to 15 years” or more. The pandemic has prompted organizations to change or consider changing how they do things — including, of course, technology and innovation — and it offers IT professionals “your opportunity to get on that big table, to come up with your big ideas, with your big solutions,” he said during the Adaptable Security event. All the procedures that now, because of virtual and remote work, must be digitized and all the automations that are now needed must be embraced “because otherwise the businesses are coming to a halt.” Civic governments may be sacrificing “some of the benefits of doing things kinetically” as process migrates online. But are they gaining in other ways? He said: “Absolutely.”

Theo Douglas is Assistant Managing Editor of Industry Insider — California.