Ken Presti, Research & Analytics 10/29/19
With all the media coverage around foreign governments and various types of state actors conducting cyber operations against other governments and corporations, you may be thinking that your company is in the clear and has nothing to worry about. Let’s take a quick test:
If your company has no money, no creativity, no talent, no successful products, no major customers, and is basically on life support waiting to fold its tents, then congratulations! You’re probably not a target.
Everybody else, buckle up!
I had a long conversation with Leo Taddeo, the chief information security officer at Cyxtera, one of the world’s largest colocation providers with 57 datacenters around the globe and a robust cybersecurity practice. Leo is one of those guys whose resume can make you feel like a bit of an underachiever. He has a degree in applied physics, did a stint in the military, practiced law, and spent 21 years as an FBI agent, starting out focused on crime and counterterrorism until he was moved into the cyber program, rising through the ranks to become the special agent in charge of cyber in the New York office. In that role, he ran the largest cyber-investigative unit in the FBI, handled infrastructure protection initiatives, and also conducted some data gathering operations, which he immediately stressed were court authorized. Now CISO of Cyxtera, he’s responsible for both the company’s infrastructure security and its product security.
Smart fellow, Leo is. So, while digging into the weeds on IT security, it wasn’t surprising when the discussion turned to state actors and enterprise vulnerabilities.
“The widespread use of cyber tools by nation-states is really changing the game,” he said. “We have, of course, an increase in the sophistication of criminal groups, but what is really new is the use of cyber-offensive tools by adversaries, like China and Russia, against our government networks and also our private sector. The risks have gotten worse and the threat has increased, so companies have been getting very sensitive to the potential for true harm to the enterprise.”
When nation-states or their hired hackers are coming after you, it’s usually about the theft of trade secrets, or the pilfering of technology differentiators. Sometimes it’s about some punitive measure, as was the case in the high-profile Sony hack. Or sometimes they want to use your company as a means of accessing the infrastructure of a partner organization which, in such cases, would be the actual target of the operation.
“The real challenge is to create the kind of layered defense that makes it very hard for them,” he said. “How do I make my most important assets the hardest to get? How do I lengthen the time for them to get in, and shorten the time it takes to detect them?”
Note the emphasis on delay and detection rather than on prevention alone. If an adversary at that level is determined to get in, they probably will. Successful defense is therefore as much about detection and remediation as it is about best-effort prevention. The other key component, Taddeo added, is effective communication.
“Many times, we assume that the technical component is the most important part of incident response, because we want to get the systems and operations back up and running and minimize the impact,” he said. “But I’ve always believed that the technical aspects are not as important as the communications aspects. If you look at what really harms a company after a cyber breach, it’s not that they’ve lost data or a server. What they have lost is trust, and that trust is lost when communications are not concise, clear, and open. So, when you form a task force for incident response, the most important person in the room is the one responsible for outward communications, meaning what are we going to tell our customers and partners? What are we going to tell the government? Because the government’s reaction is much more severe when the government suspects the company is withholding information improperly, and thereby putting other people at risk.”
Taddeo added that cyber breaches rarely remain a secret for very long. So, the messaging needs to be honest and clear, or else speculation will run rampant and government intervention will be almost assured.
Much of this, of course, falls within the remit of the enterprise CISO, who these days needs a much broader skillset than dealing with ones and zeroes.
“If a person has spent their entire career in the technical capacity, I don’t think they’re fully equipped to be a CISO in the modern enterprise,” Taddeo added. “A modern-day CISO needs to be a strategic business thinker who is fully tuned in to what is important to the business. That is where collaboration with the other business leaders comes in. You have to understand what makes your sales team effective, what data they use, how it’s stored and how it’s protected. You have to understand your product team, how they are innovating, what data they are using to innovate and how they’re storing it, communicating it, and protecting it. Similarly, you need to understand the board’s strategy for the future of the business and for the future of the IT strategy.”
For more details on building a comprehensive approach to IT security, please contact me at Kaizen Advisory – email@example.com