Perspectives From 3 Of The Top SMEs In Information Security
As we approach the new year, I, Chuck Brooks, am very pleased to have a discussion with four of the most prominent technical SMEs in the world of cybersecurity: Kenneth Holley, George Platsis, and Christophe Veltsos. Their answers that follow offer practitioner perspectives and advice on some of the key issues and technologies that encompass the future of information security. It is worthwhile keeping their comments as a source reference for the C-Suite and anyone concerned about protecting their identities and data.
CB – Can you share a bit about your backgrounds and how you became involved in cybersecurity?
George Platsis: Save the geek factor, becoming involved in cybersecurity was anything but linear. What started as business continuity/organizational resilience turned into something much larger, where I began looking at linkages between security and economy. Basically, looking at how these systems are very much dependent on each other and if one goes, so does the other. That led to looking at national security and constitutional/international issues. Ultimately, ended up where I am today: focusing on human vulnerabilities related to cybersecurity and information warfare. All the disciplines are linked together.
Chris Veltsos: I came to cybersecurity via the software development world. Programming was my first passion, but to be fair, cybersecurity and cyber risks weren’t much talked about in the late 80s. While I was taking computer science courses, I encountered my first virus in the late 80s early 90s, and while I didn’t pivot right away, the experience left me puzzled about the world we were building, at the dawn of the information age, so susceptible to the influences of nefarious software.
While I came to cybersecurity and cyber risks from the technical side, it’s the business and human psychology side that I’ve connected with the most, and that’s the area where I would say I have experienced the most professional development in the past decade. What I love about cybersecurity is that it’s not an IT issue but a business issue, and it’s finally treated that way. Some CISOs (and CIOs and CEOs) still see this as an IT issue, but the evolution of this mindset is undeniable. In my opinion, we’ve only begun to scratch the surface about ways to improve the People and Process side of cybersecurity and cyber risks: how we make decisions, how we communicate risk, how risk considerations are infused into every part of the business. Cybersecurity wasn’t part of MBA programs a decade ago, but this issue is certainly finding its way into business courses today.
Kenneth Holley: My professional background is rooted in software engineering. I served in the United States Navy for six years, where I worked with and on the first generation Naval Tactical Data System (NTDS) and surface warfare simulation software. Following my separation from the Navy, I settled in the Washington, DC area and founded Information Systems Integration (ISI).
ISI’s initial focus was on software development, including the early days of HTML, website, and web app development. Driven by my deep interest in computer networking, ISI shifted its focus in the late 1990’s to meet the burgeoning need for network infrastructure design and network security. As the CEO of ISI for the past 24 years, I lead an organization which has become the preeminent authority in cybersecurity for the world’s most influential government affairs firms.
CB – 2017 is almost over and breaches continue to mount in number and severity. From both a technical and risk management perspective, which cyber vulnerabilities need immediate attention to help stymie the breaches in 2018 and how should they be prioritized?
Chris Veltsos: For most organizations, the focus should really be to take care of the basics. Things like:
- Patching (patch completion rates, time-to-patch windows, determination and patching prioritization of critical systems that are exposed to the Internet);
- Backups (ensuring you perform regular backups, test them routinely, and ensure that not everything is connected all the time);
- Don’t forget the people factor — there are many quick wins that can be achieved when people are included in security awareness. Employees can be human sensors, and can not only avoid making silly mistakes, but also provide early warning of things being strange.
- Not just technology, but processes as well — security isn’t a project to be implemented and forgotten about. It needs to be part of the fabric of the business, and processes should be reviewed to determine how well security is integrated into each, and in turn, how each process influences the security posture of the organization.
- I’m sure my colleague Paul Ferrillo wrote about adopting the Cloud. But you shouldn’t deploy anything in the Cloud until you know exactly how you’re going to test that things were deployed correctly and securely. So many breaches in 2017 were a result of not having checked that a cloud-based storage unit was properly secured.
- For the more mature organizations, they should test their security controls to gain assurances that those controls are working the way they’re supposed to and to find ways to improve them.
- More mature organizations should also look at where the CISO (or equivalent role) is positioned in the organization chart. CISOs reporting to CIOs creates more problems than it solves.
Kenneth Holley: As a global community, we have done an excellent job in pushing cybersecurity technology forward, particularly advancements within the realm of human-driven AI threat detection, automation, and orchestration. That said, we’re losing the war against cybercriminals. It’s my belief that we need to intelligently alter our tactics, refocusing on the human aspects of the problem. In order to counter the ever-increasing sophistication that cybercriminals are bringing to bear, we must focus on the people behind the machines. Unfortunately, much of the recent advancements in AI-based cybersecurity solutions seek to remove valuable human judgment while at the same time eliminating biases. Human judgment and decision-making – and all of the subtleties which accompany them – is the uniquely powerful essence of who we are. The very things which cybercriminals have become masters at leveraging against us. The goal should be to amplify, not replace, human judgment through a truly powerful approach which creates superior, collaborative solutions. This should be our focus going forward.
George Platsis: 1) Fix the basics. 2) Fix the basics. 3) Fix the basics. Look at all the big breaches of the last while and they almost all have a similar thread: somebody screwed up. The tech does (mostly) what it is supposed to do, even when complex and convoluted. It is the humans that are making the most basic mistakes though and that’s costing us. Whether it is failure to patch, forgetting to do maintenance, or not being able to identify a spearphish attempt, these mistakes hurt. And we only have a limited amount of resources, so we should be spending wisely. A full flick of the switch to all AI won’t work. Humans need to up their game.
CB – How serious is the threat to our critical infrastructure and the Industrial Internet of Things? What can and should be done to harden critical infrastructure against cyber threats?
Kenneth Holley: Extremely serious. We must work rapidly to replace legacy infrastructure systems with modern, fully hardened systems end-to-end. In addition, true air-gapping for critical infrastructure is a must. Finally, a cybersecurity regulatory / standards body is a necessity for these systems.
George Platsis: Protecting critical infrastructure warrants serious attention. IIoT devices, just like IoT devices, need to be secured out of the gate. They’re low hanging fruit for malicious actors. The #CyberAvengers have suggested a type of certifying authority to ensure these devices are safe and secure. We need more security by design mentality too.
Chris Veltsos: Pandora’s box is open, and unfortunately we’ve done a seriously poor job at realizing the kinds of plagues and evils that we allowed to spill into this world. On the topic of IoT, I applaud efforts of governments around the world to try to steer manufacturers and consumers towards better-engineered products that have implemented security-by-design and privacy-by-design. However, market forces are at play here, and with a global market, it’s tough to control what gets built, to what specifications, and then find an appropriate way to share that information with potential buyers. There’s no “energy-star” rating system for IoT security or IoT privacy.
Regarding critical infrastructure, the US government has been worried about this for several decades, but the private sector — which owns most of the actual infrastructure in this country — has been slow to react and implement much-needed upgrades and safeguards. Forcing the CEO of a utility company to testify in front of Congress after a blackout doesn’t do much to scare the rest of the utility companies into compliance. So, in my opinion, we’ll have to wait for a significant national-level disaster to “wake up” and do something. I see lots of parallels with road safety: many roads are poorly designed but aren’t scheduled for improvements until there’s been a number of horrendous crashes with significant loss of life.
What worries me about the critical infrastructure is that we don’t have to look far in time or distance to see examples of what can happen: entire cities or even states without power; cascading failures; polluted water supply; unstable underground gas pipelines. Just in the past two decades, there have been many documented cases of countries or terror cells waging these kinds of attacks. These are not “maybe’s” or “what-if’s”, these are documented instances of weaknesses in our nation’s critical infrastructure. Heck, even the sewage systems could be a target; what kind of a crappy situation is this?
CB – How do artificial intelligence, machine learning, blockchain, quantum encryption, and other “futuristic” technologies fit into the cybersecurity toolkit in 2018 and years ahead?
George Platsis: Personally, keeping a close eye on blockchain and quantum encryption. Blockchain as a technology seems very solid and can revolutionize how we test the integrity of our data. The questions here become: is it scalable and can it be implemented at commercial/consumer levels. I think yes, over time. Quantum encryption is another game changer. This technology seems sound as well but faces technical challenges. Are we going to throw up a whole bunch of satellites in the sky to get this working? Doesn’t seem like a great idea with all the space junk already out there. If we can get quantum encryption working over large distances close to the ground – like 1,000 miles – this tech may really shatter our current ways of doing business.
Kenneth Holley: My personal passion and work are in the area of threat detection and I believe that 2018 will be the year of hyper-context. Hyper-context threat detection goes significantly deeper than current human-AI threat detection models by not only looking at past behavior, but also predicting future behavior based on highly specific details, including preferences, organizational relationships, and interdependencies, among other things. In effect, we are humanizing threat detection. By its very nature, hyper-context relies on people, deep and long-standing relationships, and most importantly, trust.
Chris Veltsos: The 2016-2017 AV test report mentions that there’s now “four new malware samples per second.” How exactly do you expect security controls relying on manual interactions to keep up with the trend lines? We need AI/ML not because it’s going to solve everything (at least not for another 2-3 decades), but because it allows us to begin to keep up. I’ll say it again: AI/ML allow us to begin to keep up with the frequency of new malware samples, with the frequency of attacks and false positives, and with the increasing complexity of triaging incidents happening in ever-more-complex IT systems.
Blockchain and Quantum Encryption are two other very promising pieces of technology. The former should allow us to have more trustworthy transactions, while the latter is a race against time as there are many countries engaged in very promising experiments into quantum computers, the advent of which would render current encryption nearly obsolete.
CB – You all, Paul Ferrillo, Esq., George Thomas, Shawn Tuma, Esq., and I have joined forces for a special quest called #Cyberavengers. Can you elaborate on the educational mission and vision of this collective effort?
Chris Veltsos: Paul Ferrillo had the vision to bring us together. I am honored to be part of the Cyber Avengers, a group of seasoned folks that are down-to-earth and not full of themselves. The seven of us combined have lots of expertise, but seek to share our ideas and recommendations in plainspoken English instead of technobabble or legal mumbo-jumbo.
What brings us together is our desire to help our fellow human beings, our fellow business-people. Cybersecurity isn’t hard. Yes, it can be scary, and yes, if you’re dealing with some techies who want to use their position to boost their ego, it can be highly frustrating.
But remember that the ultimate goal of cybersecurity is to help your business stay in business (or achieve business objectives); there’s no path forward without cybersecurity. You need cybersecurity today much like you need dependable and transparent accounting. Your business simply won’t go very far without both.
George Platsis: “Cybersecurity” as a concept has been mystified. While that approach has worked out great for a few (IT professionals, CIOs/CISOs, CTOs, the vendors) it hasn’t really worked out for the rest of us. We need to demystify this word so everyday people can do their part. That’s why the #CyberAvengers try to make things simple. Some things are. We’re not asking everybody to become coders and ethical hackers. We’re asking people to patch their systems, identify spearphish attempts, don’t leak information, and be smart about your online habits. We just don’t have enough resources (money, bandwidth, time, you name it) to rely on purely technical solutions. Some people have made off like bandits for the last few years, but they haven’t exactly made us safer. That’s what the #CyberAvengers want to do. We want to reach everyday people and we also want to reach the decision makers too. Let them know there is a smarter way about spending your money and there are things you can do to keep yourself safe without some complex security add on to your system. Ultimately, it comes down to this: defending the interests, namely the security and economy, of the United States. That’s what we do.
Kenneth Holley: The vision and mission of the #Cyberavengers are wide and deep – from the everyday person to policymakers. The message is clear and simple: we’ve reached the tipping point and it’s time to take cybersecurity – on an individual level all the way to the national level – seriously. Practically, we provide tangible steps, instruction, and guidance on how to adopt a sound cybersecurity posture, plan for cyber-incidents, and build overall resilience. I am extraordinarily gratified that our tireless work is resonating across the board. Ultimately, our lives, livelihoods, and democracy hang in the balance – and we will not stop in carrying our message forward.
Also available on BizCatalyst360