No, not the POTUS. We asked TSC Advantage president Sean Doherty how cybersecurity has changed in the 10 years since he founded TSC, and what cyber threats will dominate in 2017.
1. You have a background in the military and national intelligence. What about cybersecurity hooked you?
When I was in the military in the late 1990s, the information age was just beginning to create complex security challenges, such as the ways in which terrorists used it to communicate with each other. From a defensive standpoint, the U.S. military then faced new risks because of the simultaneous need to protect a growing number of vulnerable data points, and to attack those used by terrorists. This forced me to quickly establish security measures, and there is nothing like a real-life situation to help create defense out of necessity.
As technology and cyber capabilities increased, so did my interest. I was fascinated by the idea that an adversary half a world away could track someone through the digital crumbs they leave, and use that information to create a full picture of a person’s patterns. Because this valuable information can be used against individuals and U.S. industry, I started to focus on adequate protections for sensitive business and consumer data.
2. You’ve been at this 10 years. How would you say “cybersecurity” has changed since 2007?
Cybersecurity has evolved in a short period of time. In the early 2000s it was nascent, with people focused on commercializing products. Major software companies were delivering technology to the masses, but in their rush to be first to market, they failed to consider the ramifications of weak security. It wasn’t baked in and it now lags behind.
Ultimately, a series of mega-breaches focused public attention and signaled to industry that security challenges had irreparably changed. Once cyber attacks targeting companies’ innovation became the new norm, companies felt the ramifications and began to invest in changing the attackers’ game, wherein the enterprise offers no real obstacle and is left responding to attacks. Corporate boards realized cyber protection isn’t a “nice to have” feature of corporate security or IT, but rather an enterprise responsibility for companies large and small. The Sony hack was a reminder that defending vital business assets, including intellectual property, goes beyond technology to also include personnel and processes.
Even now, many companies assess merely their perimeter security, despite the fact that threat intelligence and cybersecurity research show breaches occur via multiple venues (insider, vendor, supply chain, phishing, etc.). Today, a mature cybersecurity posture should include a multidisciplinary effort where companies leverage systems and services to secure their data, define their assets, and understand first- and third-party liability.
3. TSC Advantage works in both the public and private sectors. Who do you think is leading the conversation and the solutions?
The short answer is both. The long answer is that the government has promoted the protection of critical infrastructure via the Executive Order on cybersecurity and the NIST framework, as well as the Information Sharing Act. Federal agencies still move at the speed of government though, while cyber attackers are constantly evolving.
In the commercial world, heavily regulated sectors such as financial and health have both the incentive and interest to lead on cybersecurity. Guidebooks and recommendations generated for these sectors can be used by other businesses. While not all recommendations apply, they provide operational and tactical ideas to supplement the NIST framework. Unfortunately, a good number of organizations outside of these heavily regulated industries view cybersecurity as a cost center, something to bolt on to the business. Dynamic cybersecurity threats demand a built-in approach where companies implement security practices early on and enterprise-wide, and realize the value of that investment well into the future.
4. What do you think the most pressing threats are for 2017?
Insider threats that wittingly or not create access that can lead to potentially massive breaches. Threats evolve and become more sophisticated, but many still rely on a human factor to gain access. Take Stuxnet for example, or 2016’s huge increase in ransomware and business email compromise targeting CFOs and CEOs. These happen because attackers know someone will enable it.
Organizational dependencies are another growing threat. An increase in overall awareness and protection of the “main” organization will force hackers to target entities that organizations have relationships with, such as those in the supply chain or vendors. Most organizations are unable to allocate funds to every single area that needs protection. Assessing a supply chain identifies gaps, and from there, it can be determined what areas are critical and what are non-factors. Companies can then prioritize spending and create vendor standards to establish the most resilient security posture possible.