How To Turn Intelligence Into A Risk-Based Discussion

Law Enforcement Professionals Make Natural Cyber Security Professionals, Says Task Force 7 Guest

Esther Shein

Law enforcement professionals are a natural fit for tackling cybercrime because of their “investigative prowess,” according to Paul Cavicchia, a former special agent with the U.S. Secret Service, who was the guest on episode 63 of Task Force 7 Radio Monday night with host George Rettas, the president and CEO of Task Force 7 Radio and Task Force 7 Technologies.

“You have to be a very good investigator and follow your case, whether it's intelligence, whether it's risk, whether it's regular cyber fraud that you're working with the company; you have to have a very good, solid foundation in investigation and interrogation,” said Cavicchia, who is also a former agent with the U.S. Bureau of Alcohol, Tobacco, and Firearms, and a former narcotics detective with the Bergen County, New Jersey prosecutor's office. Cavicchia’s extensive background also includes positions as vice president of global security investigations at JPMorgan Chase and as an associate director of cyber security and intelligence with The Royal Bank of Canada.

Making the Leap From Law Enforcement To Cybercrime

Rettas started the show by noting that he and Cavicchia have similar law enforcement backgrounds, with both starting out in public service and then moving into the private sector. “This is a really, really big pivot that is difficult to do, and it requires a tremendous amount of thought and career management,” he said.

He asked Cavicchia what he would tell people in law enforcement looking to make the jump to the private sector and work in cybersecurity.

Although Cavicchia called himself a “lifer with law enforcement,” he said he saw other people starting to “jump ship” and go into the private sector, and decided it was time to “leave the safety net and what we loved to do something different.”

He said that when he was a narcotics detective, he started coming across tone dialers, which were used on pay phones to make calls free of charge and conduct long-distance scams. “Well that caught my attention,” Cavicchia said. “And I tried very hard not only to charge the bad guys … with drug crimes, but also with these electronic crimes, and I had a lot of assistant prosecutors laugh at me, because they said, ‘this is just a box.’”

When he worked for the federal government, he said he approached crime “with the same vigor,” even though he was dealing “with an older crowd that technology hasn't touched. So you become the new wave of law enforcement, or the kid that likes to play with toys as well as be an investigator.” Many times, he said, he found himself carrying around both his tactical gear and his forensic gear.

The challenge was examining hard drive samples “while being picked apart by your peers who … really didn't understand what you were doing.” But his pivot point was having someone advocating for him as officials began to identify people in the field offices “with a talent or a knack, or desire for this.”

Rettas asked Cavicchia to talk about how Fortune 500 companies began taking advantage of the skillsets that law enforcement officers have.

Cavicchia said that when he was developing an enterprise intelligence system for the Royal Bank of Canada, they started receiving intelligence from outside the company and security professionals brought the information to the affected line of business and began asking them questions.

“Once you start to work with the line of business and break down that silo and open that bridge of communication, you also start to see on the other side; that there are needs, [and] the basic bad guy movement is the same,” he said. “And as a law enforcement professional … you also have the ability to say, ‘I think we're going to go here,’ so you can make that prediction going forward.”

It’s the same scenario when it comes to risk, Cavicchia added. You need to use your investigative skills to figure out why something was “trending green, and now this month [it] is trending yellow.”

He added that “It's just that basic law enforcement nature, that Type A personality, that just harnesses and makes us, in a way, a utility player. We never say no to anything. We will always get the job done. And it'll always be 110% for that time and looking forward.”

Protecting The Brand

In the show’s second segment, Rettas noted that Cavicchia created the electronic crimes team at JPMorgan Chase, and asked what drove the need for that particular group. Cavicchia said security professionals “did a self-examination about how fraud is addressed and how it's investigated” and decided it needed to be split into divisions, and to hone in on electronic fraud.

“We were making connections through a common source, whether it be an IP address, someone called in via telephone on an account, online logs, and how we were going to go about investigating these things,” he said. “Those things were the key to our investigations and the need for electronic crimes at JPMorgan Chase.”

The security team also delved into what he called “the control issue,” by going to the lines of business and figuring out what type of remediation needed to be put in place.

“That was the most important thing for the corporation as a whole, and for our value as a global security investigations electronic crimes investigation task force,” he said.

Once they determined what the “risk appetites” were, Cavicchia said the task force began implementing changes. “It was an amazing thing to see the change in the way the business operated plus the savings we were able to generate for the line of business,” which “translated into our own cost savings based on our investigations.”

One of the changes was cyber training, he said. “They were very open with us and we were able to break down those silos, which still affect business today, and I think we really streamlined the company in a certain way.”

Rettas observed that in law enforcement, “people who haven't made the transition into the private sector might be shocked that a lot of corporations don't care who committed the crime against them, they care about mitigating the risk that this poses.” He asked Cavicchia to talk about the team’s overall mission.

“It's all about brand protection,” Cavicchia said. “Yes, the arrests are sexy. We'd love to have your contacts that you worked with in the FBI or Secret Service help us with a case to get a caller overseas. That's a feel-good story for the C-level, and in the newspapers, and for our customers. But at the end of the day, it's all about the brand.”

He noted that Jamie Dimon, CEO of JPMorgan Chase, once said in a company town hall meeting that “If the company is not around, it's no good to anybody in this audience. Everybody plays a part in this wheel for the fortress, for the company.” So Cavicchia said, “We always said to ourselves, ‘How do we protect Fortress Chase?’”

The investigation started with traditional law enforcement, he said, but the bulk of it was focusing on risk, “and it told a very good story that our executives understood.”

When a security professional writes an investigative report, whether it's for a court or a corporation, “you're loading it with the detailed facts of what happened.” Once he started doing corporate risk assessment work, Cavicchia said one of the taglines he used with the business units was, “This is not a headhunt, we are not here to besmirch anybody's reputation. We are here for a common cause. That common cause is, we have an issue that we're investigating, and I need your help. And your help will be able to tell me how this control works, and I want your input … about how to make this better.”

It helped that everyone participated in writing reports and agreed on the components before they were sent to the C-suite, he added. “That unified input was key,” Cavicchia said.

Communicating Cyber Intelligence To The C-Suite

In the show’s third segment, the two discussed how to communicate cyber intelligence to the C-suite. Cavicchia said it needs to be distilled down into the “need-to-know. If you're dealing with a certain issue, you have to give them a little background as to why this issue is important and how it works and how it affected the bank. Or how it affected your corporation,” he said. The C-suite wants to know what happened, how it affects them, and what is being done about it. “It's a three simple question process. We don't want to waste their time on fluff. We don't want to create a lot of noise.”

He pointed out that a lot of times when security professionals are talking to C-level executives, “it's not good news. There is never a good news story here with intelligence. Because bad guys are always attacking the bank.” As executives become more used to the security department and what they do, “they actually want to hear from you,” Cavicchia said. “Or, I find them actually reaching out to me and saying ‘I heard this on the news, I read this in the paper, are we affected by this, is it something we should be worried about?’”

When you educate the people you work with, Cavicchia said, you find that they will come to you “because of the trust they have and … they start to ask you questions ahead of time, rather than being reactive.”

Rettas noted that turning intelligence into a risk discussion is tricky, and officials are going to want to know as much information as possible. Both men talked about the importance of training employees on risk and compliance.

Cavicchia said cyber security training and education is part of onboarding new employees, as is keeping them and the C-suite updated on issues like the recently enacted GDPR in the European Union and the latest electronic crimes.

“You have to develop or work with communications on those programs, feed them the latest and greatest … and keep up with that yearly, giving them new trends as well.” Cyber security professionals, he said, should also make employees aware of the 10 “basic seasonal cyber frauds.”

The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.