Cyber Security Is A Global Threat
On this special episode of TF7, host George Rettas features three guests who are also set to appear at the first event of a four-part series at the University of Oklahoma on Global Risks and Threats. First up is Thomas Finan, who served as a Senior Cybersecurity Strategist and Counsel with DHS’s National Protection and Programs Directorate. Next, Cheemin Bo Lin, the CEO and President of Peritus Partners, speaks. Dr. Shad Satterthwaite, the Director for Executive Business Programs in Aerospace and Defense and a colonel in the U.S. Army Reserves, wraps the episode up.
Encouraging The Private Sector To Invest In Cyber Security
Tom discusses his experience at DHS, where he established and led the agency’s cyber security insurance initiative. The DHS mission is to protect the nation’s critical infrastructure from cyber and physical attacks. However, DHS actually has no power to force anyone in the private sector to do anything.
It was up to Tom, then, to view the challenge through a different lens: how can he encourage the private sector to invest more in cyber security? Tom recognized that, just as car insurance promotes prevention as much as damage mitigation, cyber security insurance held the potential to clean up and streamline cyber security initiatives. In other words, organizations that make wise investments against cyber risks are given coverage on more favorable terms. This works both to strengthen cyber security efforts and to mitigate damage when incidents occur.
However, in the beginning, there wasn’t enough data to price the risk. Tom wanted to fix that, “And so we started a group. It was known as the cyber incident data and analysis working group or CDAWG for short. And that arguably was the most awesome acronym in use across the federal agencies at that time.”
The Business Case For Cyber Security
Next, Tom discusses the business of cyber security. Too many enterprise leaders disconnect from cyber security, because they see it as a tech problem and kick it off to the CISO. Too many CISOs can’t communicate the tech problems in business language the C-suite understands, so the importance of investing in cyber security gets lost in translation. Tom suggests an ERM approach, noting, “If we can get those three, the chief risk officer, the CISO and HR on the same page and cross-pollinating within that broader context of enterprise risk management, I think companies are going to do a much better job of prioritizing their key risks based on what's mission critical. And then ultimately making a better investment that makes them safer over time.”
Tom also discusses cyber diligence, cyber security awareness month, why HR is poised to be a cyber security champion, and the pros and cons of the Cyberspace Solarium Commission’s 75 recommendations for how the government should advance cyber security as a national priority.
The Ultimate Multitasker
George introduces Cheemin Bo Lin next, who is in the unique position of being both a company CEO and a director on public and private boards. When George asks how the cyber security discussion is framed in both roles, she responds, “Cybersecurity is discussed within an enterprise risk framework due to its impact on business continuity and resiliency. It's not a technology issue contained within organizational silos, but instead it's a business imperative that we regularly discuss between management and the board… It's very important because it needs to be addressed from a strategic cross department economic perspective. It's truly enterprise-wide. The other risks, George, such as regulatory, geopolitical, operational risk, or even a financial crisis like we're in now, each one of the risks, just like COVID, we have to assess its likelihood and impact and we need to have a response strategy, mitigation, governance and monitoring.”
When discussing the board specifically, Cheemin makes the point that the board has a multifaceted governance and risk oversight role. That means the board needs to understand the implications of cyber risk, including public and SEC disclosure and reporting requirements. Boards are also tasked with asking the right questions, which means they need to have a decent understanding of cyber security. Finally, boards need to ensure management has the staffing, budget and an enterprise-wide cyber plan.
COVID-19 And Cybersecurity
Cyber crimes are on the rise due to COVID-19, as cyber criminals are notorious for taking advantage of crises. Cheemin recognizes that different enterprises are on different legs of the cyber security journey. Where her corporation is in remediation, other companies may be in education and audit mode. The problem is, even as workers move home to shelter in place, the show must go on. Products still need to launch and supply chains need to remain active.
By understanding that cyber attacks are a “when,” not an “if,” best practices need to be fleshed out fully. Data governance, tight permission access, and ongoing testing ensure that, during times of crisis, companies adjust quickly and appropriately. Cheemin implores enterprises to save themselves the pain of learning after the fact by having the discipline to model scenarios and put plans in place before a crisis happens. She also notes that threat actors are taking the focus off their typical targets (financial services, utilities, and universities) and moving toward currently vulnerable industries like healthcare, medical suppliers, and pharma.
Next, Cheemin laments that the more technology an enterprise deploys, the more vulnerable it is. “Greater connectivity, greater risk. We continuously see the increased usage of IOT connected devices. We see private and public clouds explode for good reasons. We see the external networks and we see these massive system-to-system connections within the enterprise, within an ecosystem, or perhaps even attached to the government or critical infrastructure. These technologies and tools that have benefited us so much … can also increase cyber vulnerabilities if not properly managed, monitored and remediated.” Using examples, Cheemin recommends accelerating digital transformation and cyber security efforts to mitigate these risks.
Last But Not Least
Finally, the Director of Executive Business Programs in Aerospace and Defense at The University of Oklahoma, Mr. Shad Satterthwaite, joins the show. Because of its close proximity to Tinker Air Force Base and a large aerospace and defense industry, the university created an executive MBA program designed for working adults.
When asked if information security is integrated into the program, Shad says, “Absolutely. It's very important. In fact, there are three IT courses that are in the program. They'll be taking one right off the bat: information technology. And then they're going to take another one in analytics. And then I think that the capstone toward the very end, the last course they take is data management and security. Because the situation that we're in, if you're going to be working in that industry, that really is kind of the buzzword. So it's a very important component of the course.”
Next, Shad discusses his career trajectory and interest in cyber security, starting all the way back with the introduction of Windows and later the internet. Shad was wowed by the potential for good but was also profoundly affected by its dark side—for example, that Timothy McVeigh, responsible for the Oklahoma City bombing, learned bomb-making on the Internet. He also discusses “fake news” on the internet, before it was titled as such, and how malicious actors prey on the naivete and gullibility of Internet dwellers.
As a military man and now an educator, Shad explores the idea that cyber weapons are the perfect weapon. “I'm amazed at countries like North Korea. They don't have a lot of resources, but they've got some people that have been trained, they're pretty bright and able to pull off some of these hacks that they've been able to do. It's pretty sophisticated. And I would think some of these countries see this as a possible trend. Other countries using cyber more and more as a weapon or weaponizing as information in a way too. So I don't think that's going to stop because it's fairly easy to do.”
Shad is encouraged by the public’s awareness of cyber campaigns but explains that individuals and entities still have a long way to go.