Welcome to Speed Data: Quick Conversations With Cybersecurity Leaders. Like speed dating, our goal is to capture the hearts of CISOs with intriguing, unique insight in a rapid format for security professionals pressed for time.
This week, we sat down with Jon Densmore, the CISO for First Mutual Holding Company. Jon shared his nonconventional foray into cybersecurity with host Megan Garza and explained how COVID-19 forever changed the data security landscape.
Read the full post below to learn more or watch Jon’s entire Speed Data episode to see why having a famous name can be a cybersecurity blessing.
The changing cybersecurity landscape
Jon Densmore never intended to pursue a career in data security.
“I kind of, in a way, backed into it,” he said. “I started in information technology back in 1999 when a lot of other people did the ramp-up to Y2K. I joined First Federal, and as the company grew, I saw more opportunity to specialize in information security.”
Since then, the CISO at First Mutual Holding Co. has seen impactful shifts in the threat landscape.
“With the cloud, no longer could you build a moat around your data with firewalls and protect everything inside and out. You now have to think of your data as being everywhere.”
Jon Densmore, CISO, First Mutual Holding Company
With this change, IT teams now rely on the user community to follow security best practices and be aware of potential risks.
“Back 10 years ago, you could keep users at arm’s length, but now that the data is with them wherever they are, you need to make sure that you’re including them in the process — having them actively involved in assisting you in protecting the data,” Jon said.
And data is traveling with end users more than ever. “Since the pandemic, there’s been the blurring of lines between home and work life,” Jon said. “People are used to doing home things on their work computer and work things on their home computer.” Having BYOD controls in place is crucial to protect “everything, everywhere, all the time,” he said.
Establishing a security baseline
One way Jon recommends defending against attacks in a changing landscape is by setting a benchmark for business as usual.
“When the sky is blue, and the sun is shining, establish those baselines of knowing what your normal activity looks like, and that way, you can identify abnormal, no matter what it looks like,” he said.
“In the banking industry, we train tellers how to recognize counterfeit money by having them handle thousands of individual bills of legitimate money,” Jon said. “That way, they instinctively know what ‘good’ feels like, so if anything different comes along, they recognize it right away.”
“If all you ever focus on is threats or what abnormal is, then that becomes normal, and you have a hard time picking out the noise.”
Jon Densmore, CISO, First Mutual Holding Company
Tips for safeguarding sensitive data
On the consumer side, Jon said protecting yourself against data exfiltration and identity theft only requires slight changes to your day-to-day behavior.
“In our personal lives, there are probably about five simple things that if we do consistently, we’ll never be a victim of fraud,” he said.
- Create unique passwords stored in a password manager
- Enable two-factor authentication
- Patch your systems regularly
- Freeze your credit accounts when not in use
- Learn to recognize suspicious phone calls and only use the direct phone number of your bank
“Simple things like that, you can get accustomed to doing and knock out at least 99% of the fraud out there,” Jon said.
The symbiotic relationship between orgs and users
Making these minor tweaks and implementing cybersecurity best practices can significantly impact a company’s security posture.
“There’s a saying we hear a lot that the user is the weakest link,” Jon said. “The user is the vital link; they are your eyes and ears out there seeing things, and you need to have a relationship with them.”
“Your user community is not the enemy. If an employee clicking on an email causes your company to be compromised, that is a failure of your controls, not a failure of the employee.”
Jon Densmore, CISO, First Mutual Holding Company
“Employees need to do their job, and for a lot of them, opening attachments and clicking on a link is a part of their job,” Jon said. “So you need to have controls in place to enable them to do their job without blaming the employee.”