June 25, 2015 By Diana Kelley 3 min read

This is part two in a three-part interview with Kelley Misata, a Ph.D. candidate at Purdue University’s CERIAS. In the first installment, Misata discussed privacy and risk communication and its relationship with security.

Question: At your Lonestar Application Security Conference (LASCON) keynote, you encouraged attendees to “reframe what we think we know” about privacy and to move away from “scary stories” and fear. How can we move from a place of fear to reframe the conversation?

Answer: There are a few things we can do on this front. First, we need to be patient with ourselves and others. This is all very complex, fast-moving stuff we are dealing with in security. For many veterans in this field, it is second nature to think a certain way about technology and security, but for average users, it is still very mystical and sort of scary. But there are ways to get information across that people can understand. For example, I have a way of teaching how Tor works by using envelopes and pieces of paper.

Fear is useful in some instances but harmful in others. It makes our hearts beat fast and we lose our breath, making it difficult to think clearly. What I tell people often is: Let’s first acknowledge there are bad people in the world. Right? OK, now that we acknowledge they are there and can even assess their motives, let’s get busy with learning about where we can control our own safety. Being afraid of the bad guys will not help us stay any safer. But what we can do is to think about what security and privacy mean for us as individuals — learn what we have at risk and what needs to be protected to what level.

Last, we need lots of voices at the table when we are talking security. Though there are extraordinary experts in the information security and privacy field, where we can help reframe the conversation is to bring more voices into it. I’m fortunate that Dr. [Gene] Spafford and Dr. [Marcus] Rogers saw that an MBA like me would add value to the conversations of security at Purdue and that there is value in bringing nontechnical minds into the equation.

At the end of the day, we can all read about scary stories about information security, threats and breaches in the news every day. Where we have opportunity is to help people understand what it all means — not sugarcoat it, but make it easy for people to digest — and arm ourselves with better tools to manage it. And remind people to breathe! I was afraid for years at the hands of one person (cyberstalker) — I’m done being afraid and I want to help others to stop being afraid, as well.

Question: Kelley, what are you learning in your research at Purdue about how cybersecurity can help improve the ways crisis centers support people in crisis? Is this a tools problem? A process problem? A little of both?

Answer: Well, I’m just beginning the deep dive into this research, but from what I’m seeing at the surface, it is a combination of technology, policy and people that need to work in concert in order to provide the best possible security for the moment.

We have an opportunity to help these centers identify what is at risk (digital assets) and what systems they currently have in place to protect themselves. We also have an opportunity to assess what off-the-shelf security products or free technologies they are using and how. Are these tools providing the levels of privacy, security and anonymity the user is expecting?

Second, many of these crisis organizations are nonprofits or funded by government agencies. Examining policy, regulations and laws for these organizations as it pertains to information security and privacy should also prove to be very interesting.

The humans in the system can never be overlooked. There is significant research on bring-your-own-device (BYOD) and other employee- and employer-related topics in information security. I’m curious to see not only how this is the same/different in the crisis center environment, but also how education around security and privacy is discussed within these organizations.

In the end, it is a system of delicate connections between technology, policy and people I’m very curious to look into — in environments where safety is a top priority.

In the final part of this series, Kelley Misata discusses her experiences as an instructor on Surveillance and Privacy at Emerson College.
