2019 Security Predictions: A Look At What Happened So Far

Dan Lohrmann joined TF 7 Radio to discuss his predictions at the end of the first quarter

Chief Security Officer of Security Mentor Dan Lohrmann was the guest on Episode #78 of Task Force 7 Radio Monday night, joining Host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies. Lohrmann is an internationally recognized cyber security leader, technologist, keynote speaker and author.

During his career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.

Lohrmann led Michigan government’s cyber security and technology infrastructure teams from May 2002 to August 2014, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

See Related: “Cyber Security Challenges, Focuses 2019”

Lohrmann’s popular annual predictions article for Government Technology magazine was the topic of discussion on the TF 7 Radio show, starting with critical infrastructure as a major vulnerability and moving through many of the other major predictions.

His predictions article is a roundup of online threat forecasts, cyber security trend reports and top insights from security companies and experts in the industry. Lohrmann then presents his prediction awards, which are:

  • Most Creative — Beyond Trust – “Millennials Ruin Everything” — (Based on a privacy prediction about evolving attitudes toward privacy, and how young people share freely and don’t care.)
  • Newest & Specific — “Bring your own security (to work) takes off” — (MalwareBytes)
  • Most Scary (yet practical) — Cybercriminals Will Compete for Dominance in an Emerging IoT ‘Worm War’ (TREND MICRO)
  • Most Common and Likely — More large-scale security breaches — (almost everyone)
  • Most Disagreement Among Security Companies — The Role and Value of AI in 2019 (Many predictions highlight how AI value is way overblown).
  • Best Overall Advice in Predictions — Well-known Vulnerabilities Will Continue to Dominate Cyber Attack Reports (Beyond Trust and others)

Q1 Predictions So Far

Rettas noted that with one quarter down, “have any predictions already happened?” According to Lohrmann, yes: more breaches. There have already been headlines about major critical infrastructure being hacked.

Rettas wondered if there were any contradictions or disagreements between some of the vendors that made predictions in Lohrmann’s report.

Lohrmann said that is the case mainly with artificial intelligence (AI). Everywhere you look in the cyber security industry, professionals are saying “AI will take over ‘fill in the blank.’” So you have IBM saying AI is transforming cyber security and, of course, doing a big push with Watson (as seen in the commercials around it). But other companies like Forcepoint are saying it’s overblown – AI is not helping cyber security at all. In fact, they’re saying what is being sold is machine learning, not true AI – true AI is still five to 10 years away. This is just one example, but companies are lining up on both sides.

Another example of disagreement or contradiction is with the cloud. Some say all meaningful breaches will be in the cloud. Others say no, mobile devices. The reality of it is these companies in most cases have a vested interest, so it impacts what they say.

From Government To Private Sector

Rettas and Lohrmann switched gears a bit to talk about the National Association of State Chief Information Officers (NASCIO) list of State CIO Top Ten Policy and Technology Priorities for 2019, to see if these top-of-mind topics are in line with the other industry predictions they discussed.

Topping the list is security and risk management, followed by cloud services, consolidation and optimization of government operations, digital government, budget and cost control, wireless connectivity, customer relationship management (CRM), data management and analytics, enterprise IT governance, and identity and access management.

Lohrmann said that cyber security has been number one on this list for several years. It is clearly top of mind, and in his view risk management is the same thing as security.

Rettas then brought up digital transformation, which has a lot of influence on this list. “Can the public sector handle digital transformation?” he asked.

“They’re behind,” explained Lohrmann. If Facebook and bigger companies like it are having issues, then government is typically further behind. When it comes to state, local and city government around the country, some are a little challenged, some are in between, and some have a “huge gaping hole.”

Rettas asked Lohrmann about his transition from government to the private sector. Lohrmann explained that he was lucky to have networked with CISOs before he left – he already had relationships in place. “I was already blogging and speaking at conferences while in government.” He said that he left five years ago and is getting even more attention today.

Based on his experience, he offered this advice:

  1. Look at what your unique skill set is. What is your secret sauce?
  2. What do you love doing most?
  3. What are you passionate about when you get to work in the morning?
  4. Use those things and be an enabler. You can’t be the security guy who always says no – bring solutions, not just problems.
  5. Be business-aligned and innovative. Speak the language of the business.

Lohrmann then told a story about an episode that almost got him fired while he was CISO of Michigan in 2004. The hot topic at that point was Wi-Fi – it was being put into hotels, airports, McDonald’s, etc., and he was totally against it. “I was saying we can’t do this,” Lohrmann added. “My boss [the CIO] at the time put together a plan to put Wi-Fi in all public conference rooms. I came into the CIO meeting, saying no – it’s not a secure technology.” His CIO then told everyone to “leave the room except Dan.”

Lohrmann was told at the time, “If that’s your answer, you can’t be the CISO anymore. I know you know your stuff. Nobody questions your technical skills, ability, etc. I’ve been to other conference rooms in other places – what do they know that you don’t know?” Lohrmann was then given one week to find out and come up with a plan to install Wi-Fi, or give his resignation.

“That was a real watershed moment for me,” Lohrmann said. It made him ask, “How do you enable, and not just disable?” You can say no as a cyber security professional and that’s fine, but if the business fails, you won’t need any security because there will be no company, Lohrmann warned. “Bring proactive solutions. Give people a range of options – bronze, silver, gold. Or, economy class, business class, first class. All [of those options] get there safely, but with a different experience.”

See Related: “Albertsons CISO On Proactive Approaches To Security”

“What do you love about your current job?” Rettas asked. “I love telling people how they can improve their current situation,” said Lohrmann, adding that it’s not just about the end user in an organization, but the average person. Everyone uses a smart device, the cloud, etc. Showing them how to protect themselves in an interactive way really helps the masses.

The Cyber Security Talent Shortage

When it comes to the cyber security talent shortage, “It’s bad, it’s everywhere, it’s global,” said Lohrmann. What he hears again and again is that everyone wants people with experience, but experience means different things to different people.

Rettas wondered if hiring managers are being too particular. He pointed out that a lot of this can be learned. Do we need to rethink the way we’re hiring people?

“I agree. You can fall off the horse on either side,” Lohrmann said. A lot of people want a mirror image of themselves. They’re looking very specifically, which makes it a challenge. However, people with a great attitude and great work ethic can be great employees. “I’ve seen it again and again,” he said.

For example, when Lohrmann was CISO 14 years ago, a student kept coming back to him for a job, but Lohrmann didn’t want to hire students at the time. “I told him I don’t want to hire students and he said I’ll work for free. Anything you need – I want to do cyber security.” Lohrmann said that the student ended up being one of his best cyber security guys three years later. Now he’s a global rock star and cyber expert. He had that passion … that drive – and was teachable. “He didn’t have what we needed on paper, but he was a great guy,” Lohrmann said.

Lohrmann and Rettas offered this advice for professionals looking to get into cyber security:

  • Get hands-on experience. You want to be able to say “I’ve done this before, not I’ve read about it in a book, or I passed a test.”
  • Have an honest assessment of where you’re at vs. where you want to be.
  • Start as a student.
  • Get practical experience early. (Also find out early if you really like it – there are so many different cyber security roles out there.)
  • Certifications can help. Having a degree can certainly help depending on the situation.
  • Network in the industry. There are so many conferences and organizations. Learn about others’ jobs, go to lunch with them.

“You’ve got to take an honest look at where you’re at now; see where the holes are, network like crazy and then fill those holes with the right training, the right certifications … and then go for it!” Lohrmann closed.

See Related Event: “Cyber Security Digital Summit – Spring 2019”

The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.
