Perspectives From 3 Of The Top SMEs In Information Security
As we approach the new year, I am very pleased to have a discussion with four of the most prominent technical SMEs in the world of cybersecurity: Kenneth Holley, George Platsis, and Christophe Veltsos. Their answers that follow offer practitioner perspectives and advice on some of the key issues and technologies that encompass the future of information security. It is worthwhile keeping their comments as a source reference for the C-Suite and anyone concerned about protecting their identities and data.
CB – Can you share a bit about your backgrounds and how you became involved in cybersecurity?
George Platsis: Save the geek factor, becoming involved in cybersecurity was anything but linear. What started as business continuity/organizational resilience turned into something much larger, where I began looking at linkages between security and economy. Basically, looking at how these systems are very much dependent on each other and if one goes, so does the other. That led to looking at national security and constitutional/international issues. Ultimately, I ended up where I am today: focusing on human vulnerabilities related to cybersecurity and information warfare. All the disciplines are linked together.
Chris Veltsos: I came to cybersecurity via the software development world. Programming was my first passion, but to be fair, cybersecurity and cyber risks weren’t much talked about in the late 80s. While I was taking computer science courses, I encountered my first virus in the late 80s/early 90s, and while I didn’t pivot right away, the experience left me puzzled about the world we were building, at the dawn of the information age, so susceptible to the influences of nefarious software.
While I came to cybersecurity and cyber risks from the technical side, it’s the business and human psychology side that I’ve connected with the most, and that’s the area where I would say I have experienced the most professional development in the past decade. What I love about cybersecurity is that it’s not an IT issue but a business issue, and it’s finally treated that way. Some CISOs (and CIOs and CEOs) still see this as an IT issue, but the evolution of this mindset is undeniable. In my opinion, we’ve only begun to scratch the surface about ways to improve the People and Process side of cybersecurity and cyber risks: how we make decisions, how we communicate risk, how risk considerations are infused into every part of the business. Cybersecurity wasn’t part of MBA programs a decade ago, but this issue is certainly finding its way into business courses today.
Kenneth Holley: My professional background is rooted in software engineering. I served in the United States Navy for six years, where I worked with and on the first generation Naval Tactical Data System (NTDS) and surface warfare simulation software. Following my separation from the Navy, I settled in the Washington, DC area and founded Information Systems Integration (ISI).
ISI’s initial focus was on software development, including the early days of HTML, website, and web app development. Driven by my deep interest in computer networking, ISI shifted its focus in the late 1990s to meet the burgeoning need for network infrastructure design and network security. As the CEO of ISI for the past 24 years, I lead an organization which has become the preeminent authority in cybersecurity for the world’s most influential government affairs firms.
CB – 2017 is almost over and breaches continue to mount in number and severity. From both a technical and risk management perspective, which cyber vulnerabilities need immediate attention to help stymie the breaches in 2018 and how should they be prioritized?
Chris Veltsos: For most organizations, the focus should really be to take care of the basics. Things like:
Patching (patch completion rates, time-to-patch windows, determination and patching prioritization of critical systems that are exposed to the Internet);
Backups (ensuring you perform regular backups, test them routinely, and ensure that not everything is connected all the time);
Don’t forget the people factor — there are many quick wins that can be achieved when people are included in security awareness. Employees can be human sensors, and can not only avoid making silly mistakes, but also provide early warning of things being strange.
Not just technology, but processes as well — security isn’t a project to be implemented and forgotten about. It needs to be part of the fabric of the business, and processes should be reviewed to determine how well security is integrated into each, and in turn, how each process influences the security posture of the organization.
I’m sure my colleague Paul Ferrillo wrote about adopting the Cloud. But you shouldn’t deploy anything in the Cloud until you know exactly how you’re going to test that things were deployed correctly and securely. So many breaches in 2017 were a result of not having checked that a cloud-based storage unit was properly secured.
More mature organizations should test their security controls to gain assurance that those controls are working the way they’re supposed to and to find ways to improve them.
More mature organizations should also look at where the CISO (or equivalent role) is positioned in the organization chart. CISOs reporting to CIOs creates more problems than it solves.
Kenneth Holley: As a global community, we have done an excellent job in pushing cybersecurity technology forward, particularly advancements within the realm of human-driven AI threat detection, automation, and orchestration. That said, we’re losing the war against cybercriminals. It’s my belief that we need to intelligently alter our tactics, refocusing on the human aspects of the problem. In order to counter the ever-increasing sophistication that cybercriminals are bringing to bear, we must focus on the people behind the machines. Unfortunately, many of the recent advancements in AI-based cybersecurity solutions seek to remove valuable human judgment while at the same time eliminating biases. Human judgment and decision-making – and all of the subtleties which accompany them – are the uniquely powerful essence of who we are, the very things which cybercriminals have become masters at leveraging against us. The goal should be to amplify, not replace, human judgment through a truly powerful approach which creates superior, collaborative solutions. This should be our focus going forward.
George Platsis: 1) Fix the basics. 2) Fix the basics. 3) Fix the basics. Look at all the big breaches of the last while and they almost all have a similar thread: somebody screwed up. The tech does (mostly) what it is supposed to do, even when complex and convoluted. It is the humans that are making the most basic mistakes though and that’s costing us. Whether it is failure to patch, forgetting to do maintenance, or not being able to identify a spearphish attempt, these mistakes hurt. And we only have a limited amount of resources, so we should be spending wisely. A full flick of the switch to all AI won’t work. Humans need to up their game.
CB – How serious is the threat to our critical infrastructure and the Industrial Internet of Things? What can and should be done to harden critical infrastructure against cyber threats?