The scope and impact of security threats were front and center at the Federal Trade Commission’s (FTC) hearings on data security in December 2018. Two days of panels and presentations zeroed in on the current threat environment and the wide range of potential solutions.
Malcolm Harkins, Chief Security and Trust Officer for Cylance, sat on the ‘Data Security Assessments’ panel, which tackled real-world topics, from cyber insurance to trusting third-party vendors to where organizations should really be spending their security dollars.
(No time to read but still want to hear Malcolm’s insights? You can find his podcast on the topic here.)
Government Technology Insider (GTI): The panel you sat on included cyber security, insurance, accounting, and finance experts, and focused on data security assessments. Even with all those voices and perspectives, you seemed like a contrarian. Why is that?
Malcolm Harkins (MH): Given my background in finance, economics, and not being a technologist, I sometimes have a different view into the problem and the causes of how to solve it. But, a long time ago back when I was Chief Security and Privacy Officer at Intel and, before that, Chief Information Security Officer, I concluded that the biggest vulnerability we face today and in the future is the misperception of risk.
That misperception is guided by the biases that we all bring to the problem based on our backgrounds, our education, the budgets we’ve got, the psychology, the sociology of things. And so, when I look at misperception of risk as a vulnerability, the mitigation for it is diversity of perspective. I always try and inject a diverse perspective to ensure that the contrast and the contours of the dialogues occur. In fact, even just last week was the World Economic Forum, and they publish their Worldwide Risk Report every year. Once again, cyber is in the top of it. But they cover climate change, income disparity, polarization of societies and so on.
At the back of this hundred and some page report, they do a risk reassessment and they ask people to comment on prior forecasts and provide some perspective. There’s a paper in the back of it called Managing in the Age of Meltdowns; one of the things that they talked about in this was the need to encourage skepticism. To manage risk more fully, leaders need to cultivate skepticism through diversity. They point to some research that indicates that diverse groups ask tougher questions, share more information, and discuss a broader range of relevant factors before deciding. Researchers found that banks with fewer bankers on their board were less likely to fail. The explanation was non-bankers were more likely to disrupt group thinking by challenging seemingly obvious assumptions. That’s what I tend to do.
GTI: It’s often hard for someone in a leadership position to remember to question their own assumptions. It’s easy to just keep doing the same thing repeatedly because, why not. There’s inertia that’s involved in that but there’s also the position of, “If it ain’t broke don’t fix it.” But maybe it is broken and you’re not aware of that because you haven’t questioned your own assumptions.
MH: Oh, definitely; I believe that. Those cognitive biases that we all bring are often the source of small errors that then trigger major failures in complex, tightly coupled systems. I’ve seen it in my own history in the past couple of decades and I think that also bears something to think about when we’re making decisions with regard to risk, with regard to controls, with regard to the budgets that we’re looking at and trying to deal with the issues that we have.
GTI: Well, let’s bring that perspective and skepticism to the discussion of the Federal Trade Commission hearings. As I mentioned, the topic was data security assessments for the panel that you sat on. And often, the solution for assessing security — whether that means using internal staff or bringing in independent third parties — involves spending money, either for people or, as you suggested at the event, for AI and machine learning tools. And one concern was that small companies and new businesses may not have the necessary resources. But larger established companies and federal agencies have been hacked spectacularly. Is money the real issue here?
MH: It can be; there’s certainly some potential underfunding in some organizations that can occur. But, I think we need to look at total cost. One of the talks that I’m giving at RSA next month is “Expense in Depth: Managing your total cost of controls.” As I’ve said before in our conversations, we’re throwing money at the problem without getting the business outcomes. I also hold the view that innovation can come from starvation.
Sometimes those that are the most limited are forced to be the most innovative; if you have limited resources, if you have limited budgets, it doesn’t mean you can’t punch above your weight limit. It just means you’ve got to get really, really, creative and make sure that the effectiveness and the efficiency of what you’re doing is solving the problem at hand. And where you need that extra little bit of money or staffing, then go make a solid business case. But always asking for more and more and more and, more, which is what we’ve been doing for decades, by and large hasn’t solved the problem.
GTI: Yes, CISOs are often in difficult situations. They’re constantly getting hit from all sides, internally and externally. But the answer isn’t necessarily, “We need a new piece of technology or we need more people.” It’s frequently, “How do we apply what we have?”
MH: Exactly; in some cases, you do need a new piece of technology, because you need a new approach. It gets back to, instead of asking for more, ask for better.
I think we get caught in this trap of, “More and more and more, I need more bodies.” Why do I need more bodies? Because we didn’t solve the problem of malicious code, so, “I’ve got to throw people into the security operations center, I need to do a pen test.”
Well, by and large, most pen testing organizations, and I said this at the hearing, if you look at the data security assessment business, how do people make money? They make money by throwing bodies at it. I go hire a pen testing firm. What do they do? They charge me by the hour. And they throw bodies at it. Are they incentivized to make it more efficient and more effective? No.
But, there are some newer technologies out there from a couple of organizations that are automating the pen testing, getting that routine task done through a tool, and then having it be continuous pen testing so that you have got continuous control validation on your environment instead of throwing bodies at it. And so, that’s why I think we’ve got to look at those economic models and figure out a different way by looking at this as an economics problem.
GTI: Well, let’s explore that a little further. You’ve said multiple times, including at this event, that industry vendors have an economic incentive behind what they do. Part of your job as CISO is to figure out just what that incentive is. When you’re dealing with critical things like patch management for your existing software, or if you’re hiring an outside assessor, how can you make sure your interests are really being served?
MH: It doesn’t mean that you don’t use those vendors. You just have to really understand how they make money. And if they make money by putting more staffing on it, then you can challenge them and challenge yourself to go look for a more automated way to do that labor-intensive work. And there are tools out there to do that.
Patching is no panacea. Again, for my upcoming RSA talk, I’ll give an example of a bank that I had a dialogue with a year and a half ago that had 14,000 ATMs all based on Windows 2003. Microsoft doesn’t provide support or patches for it anymore. And you started having the ATM frauds where malicious code was getting on ATMs to spew out cash. So, they’ve got a risk, they’ve got systems that they can’t patch. Microsoft wanted 600 dollars a system to patch it — and there’s news articles that indicate that that’s the rough cost — roughly $8.4 million to get Microsoft support for the potential to be patched, and you still are vulnerable, and traditional AV was eating up 10-12 percent of the ATM machine performance.
Completely flawed control. Now the option was upgrade the ATM machines. Well, they cost 8-to-10 thousand dollars a pop; 14,000 of them, that’s $140 million. Plus, you still have the cost of patching. Plus, you’d still have traditional AV on there, which wouldn’t stop much of anything — 20 to 40 percent effectiveness and it would still be chewing up 10-plus percent of the system performance.
I talked to them about a different way: do the ATMs function fine for dispensing cash? Yes. So, the only issue you have is the potential risk. Yes. OK, well, why don’t you buy an AI/ML pre-execution capability like Cylance has, put it on those machines, spend a couple million dollars on additional network segmentation to further create a layered defense for those ATM machines from other networks, and then put some additional fraud controls in place for another couple of million dollars.
You’re out of pocket 5-to-6 million dollars, you’ve solved your problem, you leave the ATM machines there, you don’t touch them until they’re required to be upgraded because they just don’t work anymore. Or, you go spend 8-plus million dollars for a solution that still doesn’t solve the problem, or you spend 140-plus million dollars to upgrade the systems. What’s the lowest total cost and the strongest control? After we got done with that dialogue, he’s like, “Well, your approach is the strongest control at the lowest total cost.” So, you must tease out what you’re trying to do and what outcomes you’re trying to achieve.
GTI: At the FTC hearing, you were presented with a number of hypothetical scenarios. Among them were a couple about cyber insurance. Cyber insurers must know just how risky it will be to insure your business. Will what an insurer is looking for mesh with what an organization should be concerned with? Shouldn’t they be the same things?
MH: You could argue they could be the same thing, because the insurer wants to understand your state of control; they understand your risks and stuff like that. But still, the cyber security insurance area is like the Wild, Wild West. There are all these clauses, there’s all these caveats, and you just need to look in the news. Zurich Insurance and Mondelez, the large food manufacturing company that was breached last year, are in a lawsuit for 100-and-some-million dollars, if I remember correctly. Mondelez has made the claim and Zurich is saying they’re not paying it. So, they’re in court because Mondelez said, “We had cyber insurance and we had business interruption impact and expenses. And we believe we’re covered.” So, I think it’s, again, not a panacea.
I think it’s a good thing to have. I think it’s a good thing to consider. But if there’s fine print that says you didn’t patch, there’s fine print that says your systems weren’t completely up to date… there could be all these little, hidden ‘gotchas’ in the fine print.
You may have made the right risk decisions not to do certain things because of the implications on something else. Again, patching can actually generate risk, it can disrupt operations. So, if somebody didn’t patch, it could have been for the right risk reason. But then if there’s a compromise that occurred, the insurance company might not pay out because it says you didn’t patch even though you made the right risk decision when you looked at it.
So, it’s a complicated space. And the insurers, they’re there to make money. They don’t want to pay out things that they can get out of paying out. But they want to collect your premium.
GTI: From the perspective of a business organization that’s trying to protect its data, protect its users, protect its operations, we really need to be focused on prevention and immediate awareness of issues as much or much more than, “How do we fix something after it happened?”
MH: Oh, totally agree. And I think that that’s why we’ve got to look at it holistically: how do you prevent it, how do you detect it, how do you respond to it? Insurance is a response mechanism, to get some money back for the impact and the cost incurred because of the event. But if you use it as an instrument strategically and say, “We’re going to get cyber insurance and we’re going to understand how to better protect our environments” — and some insurance companies are starting to do this.
They’re trying to help people think of best practices, think of things that they can do to mitigate the risk. Just like some car insurance companies talk about safer driving and they do training and they’ve sponsored safety mechanisms like anti-lock brakes or seatbelts, back in the day, and things like that. So, I do think the insurance industry can have some motivations to help more broadly reduce the risk. But you must think about that from a long-term perspective versus tactically what the insurance might cover today and whether you’re going to end up in a battle on a payout later.
GTI: Regarding the parallels to the auto insurance industry, there are, of course, devices that you can put in your car so that your insurance company can track just how safe a driver you are. Is that something that you see down the road coming from a cyber insurer?
MH: I do know, in some cases, to get a better premium and better coverage, the insurance companies are in some cases doing an assessment. They’re running a tool, they’re having somebody go in and review policy and practices and stuff like that. So, I do think it’s almost the equivalent of that, where they’re doing some level of inspection. Now, whether an insurance company will fully move to that, I don’t know. But like I was talking about in terms of automated pen testing. If I was an insurance company and I was providing somebody coverage, I would probably insist, as a part of the premium that they pay, that I run an automated tool to do penetration testing and then feed them the results of that back. It helps manage their risks and it helps manage my risk of having to pay out and keeps them in a, perhaps, better state of security.
Come back to read part two of our conversation with Malcolm Harkins on the FTC’s Data Security Hearings.