Chris, congratulations on the book! Let’s start by talking about your past a little bit. What do you remember about your first interactions with computers? Was there a moment when you thought, “Yeah, I’m going to be involved with this for my whole life?”
My first interaction with a computer was as a teenager in Greece. My friend Sotos was working for UNIVAC (now UNISYS), and he was charged with reporting the results of the world-famous 3-day annual automobile race called the Acropolis Rally. He asked me to help him. I was in high school at the time, and he had just returned from the United States with his Masters in Computer Science from the University of Michigan. This was in 1978, and the computer was the size of a mini refrigerator, just as loud and clunky, and would only take 8-inch floppy disks!
Right then and there, I knew. This was amazing! I wanted in.
Scroll forward about 7 years, and I was the recently appointed director of academic computing at Pratt. I vividly remember the first IBM personal computer (the AT) arriving at the university. It had a 10Mb hard disk and formatting the drive took, oh! I don’t know… it seemed like hours, but I loved it. I loved everything about it! Tinkering, troubleshooting, teaching others about computers, everything about it.
Then, I got involved with BITNET, a precursor to the Internet used at some universities, and it was all downhill from there! Before you know it, we were killing viruses that were propagating via floppy disk! What’s not to love?
Ah, the good old days! Tell me, aside from the method of attack (networks instead of floppies, etc.), what has changed about the “threat landscape” since you got started, and what, if anything, has remained consistent? Clearly, there is a lot more at stake these days than there used to be.
A lot has changed. Certainly the “vectors,” as you suggest, have changed, and that will continue. The more the technology changes and advances, the more new vectors (i.e., ways to attack) and new, sophisticated payloads (i.e., malware, viruses, etc.) will evolve with it.
The motives have also changed. Early on, it was mostly a game for hackers—just trying to see what they could do. Later, it became about espionage. And the profit motive followed soon after that. These days, it’s almost entirely about the money, though of course, espionage and cyberwarfare are still huge concerns.
The thing that has remained the same is our inability—and frankly, often our unwillingness—to confront this risk. Prevention is almost never a priority. That has not changed, and we pay for it every day.
What about information technology as a field? How has the game changed since you got started?
I think the profession evolved to keep pace with the technology. We went from mainframes to minicomputers to desktops, laptops, and smartphones. Networking was evolving right along with the devices, connecting them faster and better.
Those of us who were on board early on followed this evolution. For instance, I didn’t study “networking,” I studied computer science. I learned programming in languages like Fortran and COBOL, and I learned computer architecture and engineering. As far as “modern” IT goes, I learned right next to the people that were developing the concepts and testing them out. The speed of this evolution was, and remains, so blindingly fast that staying on top of it becomes a full-time job. Even now that computer science students study the current state of the field, by the time they have their degree in hand and start work, the landscape has changed.
Sounds like it can be very tough to keep up with it all! But this makes me think about how the fundamentals of cybersecurity are as much a question of psychology as they are technology. Reading your book, I was struck by the massive role basic human psychology plays in dealing with cybersecurity issues. After all, fancy terms like “social engineering” and “phishing” are really nothing more than conning somebody out of their password.
Yes, you are right! Many executives miss that and think about cybersecurity in terms of the technology only. But cybersecurity is all about people and asset preservation. Hackers get to these assets by first compromising people. And the truth is, people are much easier to compromise than a sophisticated defense-in-depth cybersecurity program. Anthropologists, psychologists, and sociologists can be invaluable to an organization that needs to build and maintain a sophisticated cybersecurity defense.
Thinking back on all the different organizations you’ve interacted with over the years, what personal qualities make for the most successful cybersecurity efforts? What behaviors or personality types should executives seek out and/or incentivize?
The most successful cybersecurity efforts are those that are sponsored and actively evangelized from the top. If there is no buy-in from the board and the C-Suite, the program will fail. That’s a guarantee. Paying “lip service” to a cybersecurity initiative is condemning it to failure.
Therefore, the first personal quality that I look for in the board and the executive team is sincerity and transparency in what they say and how they follow up. The second quality—and again this goes from the top down—is engagement. A company with engaged management and engaged employees will have a far better chance to succeed in rolling out a cybersecurity program than a company with disengaged, unhappy, and isolated employees and managers. If the question is what to incentivize, I’d say invest in your culture! Start there, and success will follow!
What are the mistakes that you see companies making again and again when it comes to cybersecurity?
The most serious mistake that I see is that companies confuse cybersecurity with Information Technology. They think of cybersecurity as an “IT” problem. It is not. It is a risk-management problem. Companies need to understand that cybersecurity and IT are two parallel tracks: IT creates value, and cybersecurity protects value. One cannot “report” into the other, or the “train” derails. We need to understand this and plan accordingly.
Do you find that IT departments themselves have trouble understanding this distinction? Or is that more of a boardroom issue?
Both. It’s easy for the board room or the C-Suite to shift responsibility to the IT department. “The tech people handle this…” is a common answer from these types of companies, and the first sign of serious trouble ahead.
For their part, the IT folks can become possessive, guarding “their territory” at all costs. After all, they recognize that cybersecurity can, and should, audit IT. If they “own” the cybersecurity function, then they “audit” themselves, and to no surprise, they find little to be concerned about. No matter what IT tells you, they should not run cybersecurity. Even the best IT professionals will be biased towards their own shop. The functions must be separate.
I imagine it can be challenging for executives who don’t specialize in technology to deal with IT specialists who, let’s be honest, are not necessarily known for their bedside manner! What advice would you give to folks who are maybe a little intimidated by the geeks in the server room?
It takes two to tango! Yes, the “geeks in the server room” need to learn to explain things in business terms. But the “geeks in the board room” need to meet them halfway. This is a major driver behind my book – establishing a simple, understandable language for all involved. That’s step one. Neither party can handshake alone. So, my advice? Start by engaging each other. Go to lunch! Go have a drink! Start learning from each other! It’s all about relationships and communications. Be genuinely interested in one another, and before you know it, you’ll have one big happy family!