Yesterday we published part one of our recent conversation with Malcolm Harkins, Chief Security and Trust Officer at Cylance about how government cybersecurity leaders can mitigate cybersecurity noise to focus on the threats that really matter. In today’s installment, Harkins explains how he approaches this problem; read on…
(Don’t have time to read but still want to hear Malcolm’s insights? You can find his podcast on the topic here.)
Government Technology Insider (GTI): Do you start then with a blank sheet of paper and say, “All right, starting from today, here’s what we see, let’s reimagine everything”? You’ve already got an investment, so how do you make that work from a business perspective?
Malcolm Harkins (MH): Put yourself in the role of the CEO of a retailer. Look at what Amazon has done to the retail marketplace; could they just sit back and say: well, I’m stuck in my brick and mortar and so therefore I can’t reinvent and I can’t reimagine the business? No, their job for their shareholders, their employees, and their customers, is to figure out how to reinvigorate, how to change the dynamics, how to keep the net income and revenue growth alive. It’s different because we’re a cost center and we have to manage within certain constraints. But CEOs and business unit managers have the same issue because markets are constantly changing and the economies of the world are constantly changing. So, they have a lot of strategic and tactical dilemmas and good businesses reinvent and reimagine themselves to stay on top.
GTI: One of the big takeaways from RSA and, in general, is that security is built on trust. Just how trustworthy do government users consider the data that are driving the mission?
MH: I think it varies. In some cases, because of the speed with which businesses need to operate, they still blindly accept the data as having integrity because they all, in essence, need to keep up with the speed with which the world is moving. In other cases, what the security industry again pushes us to do is to say, “Are you really sure that Malcolm sent you that e-mail? Are you really sure that that attachment from Northam is valid?” And so it almost goes against that speed, because we blame the user when they open an attachment, click on the link, download something and bad things happen, rather than looking at it and understanding what technology failed.
So you have to balance two things: the business needs you to move faster and trust it. But you also have this voice that says, “Let’s blame the user because they’re going to get phished, and so therefore you can’t trust anything yet.” And so, depending upon where you sit with respect to those, you can really gum up business processes and cause a level of, “I can’t trust my system, I can’t trust my users, I can’t trust my security controls.” And when you’re in that situation, you grind things to a halt, which generates a business risk. But if you don’t have the right controls in place to manage and mitigate risk, again, you have a problem.
GTI: So you’ve got to get out of the mindset, then, of saying, “We can’t control this if we don’t get the users to do their part.” But, by blaming the victim, you’re, in essence, abdicating responsibility as the CISO for making sure that the insecure data doesn’t get through in the first place.
MH: Absolutely. You know, it’s one of the things that comes up even when you think about it more broadly. It reminds me of a dialogue I had with a peer in the industry a few years ago, one who was in the food and beverage industry. We were talking about the fact that their CEO and their board didn’t necessarily care about cyber risk and they didn’t see it as important. As we talked, I asked my peer, “What’s the number one enterprise risk issue? What could cause an extinction event for your business or cause you to spend ten years and a ton of money to recover the brand?” And they talked about food and food safety. You know, “Is the lettuce tainted with E. coli, or has the hamburger meat gone bad?” So that established that they understand macro enterprise risk, so we moved to cyber risk. When I asked about cyber risk, they looked puzzled and replied that there was no link between food safety and cyber risk. But, if you look at the supply chain from slaughterhouse to the retail distribution of hamburger meat, there is, because the cow has an RFID tag that contains information about them.
Once it’s slaughtered, it gets packaged up, put on a truck with an industrial control system, the GPS unit, air conditioning for refrigeration. The only way en masse you know the food is safe is the integrity of that data. And if I was, perhaps, a radical animal rights activist, I could compromise the integrity of that data flow; I could kill your customer. My peer looked concerned, and more so when I asked if they had a cybersecurity data integrity control effort around food safety data; he shared that he’d been focused on PCI standards. While that will save money, the other will save lives. Data integrity must be a priority.
GTI: I’m seeing some parallels between what you’re saying and the recent rise in ransomware attacks against municipalities, because a lot of people don’t even realize how much that impacts everything from renewing your driver’s license to public safety.
MH: The World Economic Forum publishes an annual risk report that comes out in February of every year, and there are a couple of things in there that relate exactly to that. They talk about how, when risks cascade through a complex system, the danger is not of incremental damage but of a runaway collapse.
They came to the conclusion that, worldwide, attackers could trigger a breakdown in the systems that keep societies functioning. The ransomware attacks in municipalities affect society’s functions depending upon where the attack is and what the implications of that are.
GTI: So are we, as a society, just kidding ourselves that security, and therefore trustworthy data, is an achievable goal?
MH: I think, you know, some people think it’s impossible. I don’t think it’s impossible. You can’t eliminate risk, just like you can’t physically, but we can do, collectively, an enormously better job of managing it so that we don’t have the implications that we see today. And you know I love quotes. One that has always stuck with me is from Michelangelo: “The greatest danger for most of us is not that our aim is too high and we miss it, but that it is too low and we reach it.” You could say we’ve aimed way too low and we’ve certainly reached that bottom tier of capability, which is allowing the risk to continue to perpetuate and grow.
GTI: Malcolm I appreciate you sharing your insights with us. Any final thoughts on what you in the industry are seeing in terms of future threats and approaches?
MH: I think, certainly with the Internet of Things and the continued proliferation of every company and organization becoming a technology company, one of the biggest things that we all have the responsibility to do is not only to put better controls in place, as I’ve already mentioned, but also to recognize that we’re all creating technology, whether it be a website or an app, you know, for internal use or external use.
We also have to put in place better security development lifecycle and ‘privacy-by-design’ practices in the upfront creation of technology. If we can do that, we also have much more leverage to prevent vulnerabilities at the beginning stages of the creation of technology. And that’s one thing we all need to go do because if we don’t do that we’ll continue to proliferate a level of sloppiness across the technology that will generate future vulnerabilities and then future risks that we have to react to.