Protecting Critical Infrastructure from Our Bad Habits

SIA Education@ISC West will provide conferees with more than 70 sessions of valuable information on important topics in the security industry at the Sands Expo in Las Vegas on April 10-12.

Jerry Bowman, RCDD, RTPM, CISSP, CPP, CDCDP, President of Square Mile Systems LLC, will present one such session, “Protecting Critical Infrastructure from Our Bad Habits,” on Wednesday, April 11 at 9:45 a.m. Bowman chatted with SIA about his session in an exclusive interview for the SIA Blog. Register for ISC West at, and find more info on our education sessions at

SIA: Can you tell us a little bit about your background and how you were inspired to present on the topic of “Protecting Critical Infrastructure from Our Bad Habits” at ISC West?

Bowman: While I’ve been involved in protection of critical infrastructure most of my professional life, I became more focused in 2014 when I was voted onto the Board of Directors for the FBI’s InfraGard Public-Private partnership. During my three years there and in the final year as president, I was exposed to even more detail concerning the threats to the high-profile critical sectors.

SIA: Briefly, what do you anticipate are key important takeaways concerning bad habits and human error in your session?

Bowman: The U.S. National Institute of Standards and Technology, the International Organization for Standardization, and the National Geospatial-Intelligence Agency all focus on identification and management of key assets as the first step in protection. This bottom-up focus, along with the emerging priority on respect for the business’ outcomes, expands the remit of all security professionals and moves them away from checklists and into a mindset that customizes all security countermeasures to fit the business’ tolerance for risk.

SIA: Anecdotally, how much of a threat are “bad habits” to the security of critical infrastructure? Is the “people factor” fully considered in most security planning?

Bowman: A significant percentage of incidents are attributable to the “people” aspect of security risk management. Development of sound policy and processes along with training programs can significantly reduce or eliminate the effectiveness of emerging threats. Both physical and cyber security would benefit from awareness and training of both security professionals and all other stakeholders of any critical sector. Imagine how many threats would be mitigated if backdoors were eliminated from converged facilities equipment plugged into the production network?

SIA: What’s an example of a common mistake made by people that introduces risk into a security paradigm?

Bowman: Staying with the management theme, it is absolutely critical for those in the Communications Sector (IT) to know what they have through bottom-up audits and lifecycle tracking of data assets. Shadow IT and risk introduced by unauthorized personal devices would be significantly reduced if data center and network managers simply knew what they had and physically where it was located.

SIA: How do security managers best work to mitigate human error or bad habits?

Bowman: Break the mentality of thinking about security as a checklist. We can’t successfully protect any critical infrastructure that way, because we no longer have a static list of threats. With the bad guys constantly thinking up new attack vectors, we now must protect against what we don’t know.

SIA: What’s one thing you would like folks to think about prior to attending the session?

Bowman: Think about the 16 critical sectors identified by the Department of Homeland Security and how many of them they are charged with protecting in their jobs or businesses. Some may only have one, but others might have four or five. I would encourage them to think about the dependencies between them and which good habits could enhance security quickly (80/20 rule).
