The Biggest Problem In Cyber Security Right Now
Is the biggest corporate issue specific to tools, communication, diversity, or something else?
CNBC Cyber Security Reporter and author of the new book, "Kingdom of Lies", Kate Fazzini joined episode #87 of Task Force 7 Radio once again to talk with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, about the biggest problems facing corporate cyber security teams today.
See Related: “Telling The Cautionary Tales Of Cyber Crime”
Fazzini also provided her opinion on why government agencies are struggling with cyber security, how we need to better train our workforce to defend against attacks, and what are some of the biggest mistakes cyber security companies make with their marketing efforts. Fazzini lets the audience know what inspired her to write her new book, whether or not cyber security conferences are still a valuable training tool, and what we should do to attract more women into the cyber security workforce.
Diving Into The Biggest Corporate Problem
Rettas dove right into the show asking Fazzini what she thinks is the biggest problem in corporate cyber security right now. Fazzini said that there are a lot of problems, but in her own personal experience, “there’s a major problem that still exists with communication. I think that one of the problems that I see on a really regular basis is these companies— they have people going out to the big events, they have cyber security tools that they're using, but when you see what actually causes some of these big incidents it still boils down to an issue of somebody higher up not getting the urgency of patching a certain problem to the right person. And that's something that I am still sort of waiting for a big solution to,” she explained.
Rettas expanded that people are going out and buying technologies thinking they’re going to have some push button solutions, and that’s really not the case. Fazzini agreed adding that people don’t like to talk about process because it can be really boring. “You think of the role of a process engineer in the cyber security organization, it's not exactly the flashiest kind of job, but it is really one of the most important jobs,” she said.
There are certain incidents that are going to trigger something that is perhaps a violation of GDPR; it's perhaps a privacy violation that would be very different than something that might trigger say, New Jersey's notification law. Within a company there are different people who need to be stakeholders at different times, and that can get really tricky if you don't have it down on paper, or written somewhere, or at least codified in some way.
See Related: “Baltimore Blames NSA For Ransomware Attack”
Rettas said that if you go into some of these cyber security organizations and ask them for their process maps in their operations, they don’t have any. It can be confusing to figure out someone’s role and/or responsibilities, and skillsets are, and what they think they’re supposed to be doing.
Everyone seems to reference the Equifax breach, and when you “get down to the nuts and bolts of what happened,” according to Fazzini, “it is just so important to remember that what really happened was, somebody blasted out an email that said, you need to update this patch, and one of the organizations didn’t do it.”
“And it just shows how, sending out the blast email reminder and calling it a day, isn't really the way to do things, because this is one of the biggest security incidents of the decade,” she said. “And anybody who's ever worked in an organization has been on the receiving end of that kind of hierarchy, where it's just an email blast ‘don't forget to update,’ and three months from now, we'll have a meeting where we'll go over a PowerPoint showing how many updates actually occurred.”
Communication Issues Within Government
Fazzini also pinpoints communications issues as a major problem within cyber security in government, noting that they’re just on a much larger scale. “So you're not now talking about just business units, but huge organizations, branches of the military, that really need to talk to each other, and do a little better job or speaking together when something is happening,” she said.
“We saw in the elections what happens when there is this breakdown,” Fazzini added. Whether it's with the DNC, you've got the FBI, DHS willing to help with some hacking going on in their campaign. You have CrowdStrike coming in to help clean up the mess afterwards. And if you go and you see the after effects of that, you'll notice that even with all of these different players supposedly helping them, there were vulnerabilities that stayed, and those attacks continued even after they knew that they were happening.
“You have a bunch of different groups, some of them with different motivations and different politics just unable to talk to one another and get things done. I don't think that's improved a lot,” according to Fazzini.
Rettas concurred, “This is a really good point because I think even when we talk about patching, it might be the security folks that are saying hey, here's the newest vulnerability that's out there that we need to patch, but when they do that, they pass it on to an operations team. It's not necessarily even in the cyber security group that actually patches these networks.”
“And that's why these fusion models that are being implemented across the industry, are extremely important to try to correct this problem, but we're nowhere near where we should be,” he added.
The Disconnect Of Cyber Security News
Fazzini next talked about some of her background experience that made it very clear that coverage of cyber security incidents or events were not accurate. A lot of the information was wrong, but even more important; the coverage was so often focused on things that just had very little impact on peoples’ lives or on business. The depth of reporting was just 43 million people breached, 85 million people, etc. “And as I really thought about what is the thing going on cyber security that really hurts business, that was not the thing that was being reported,” she realized. “And also the stuff that really hurts consumers, things like wire fraud that you will lose hundreds of thousands of dollars if you're a small business owner, or you're selling a home to this type of fraud that involves phishing, it's very simple, but that is what really cuts deep to actual people.”
Fazzini added, “Losing your social security number even, or certainly losing your credit card number isn't something that has a really deep cut for most people. And I wanted to get to those stories that were really affecting actual human beings.”
The stories that Fazzini wants to be able to tell are those that have to do with victims who lost a lot of money they can’t get back, or a stolen identity that is missing for years and they can’t untangle themselves from it.
Cyber Security Education And Training
Fazzini also teaches in the applied intelligence program at Georgetown, and is really grateful to be a part of it. But she noted that it's also a nontechnical program. It’s more for people who are like Fazzini who kind of fall into, a skill set of a program manager for example, or communications specialist, etc.
See Related: “Utility Of Cyber Security Certifications”
When talking to CISOs, Fazzini gets a lot of feedback about the kinds of skills they need such as engineering skills, threat hunter-type skills, or a good handle on the use of the different tools in the space. That can be hard to cultivate in a university environment. Fazzini hopes to start thinking about training people to do these jobs — in a world where some are spending their money to bribe their way into Ivy League schools.
“And I think that's something that I really want to explore in the future is what are those technical skills that are most sorely needed, and how do we educate people. I think that it can be kind of a vocation, I think that there are a lot of people out there who could do some of these jobs and not even have to go through the whole university process and then you have this very lucrative six figure career that you can build on,” she said. “I don't see that a four year or master's level education is necessary for some of the really critical jobs we need to fill.”
Cyber Security Marketing Mistakes
Fazzini next talked about some of the biggest marketing mistakes she sees within the industry. One of the biggest she often hears from CISOs is vendors trying to burn each other each other publicly. She explained that when these vendors go head to head on their own personal blogs, etc., and companies see that — it spooks them. “I don't know that I can trust these guys. Are they firing from the hip, are they loose cannons? I think that's a huge mistake especially if you're trying to actually sell your product,” Fazzini said.
Another big mistake Fazzini mentioned marketers make is overselling how technologically advanced the product is. You might fool a journalist or CFO, but once you get to the CISO, or somebody with a lot of experience, “they’re going to know that what you’re calling AI is not AI, and they’re going to know that what you’ve done is repackage an existing product.”
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub. To listen to this and past episodes, click here.