Jan 2, 2020
| 2 min read

Podcast #77: Cybersecurity: A Strategic Perspective - A Conversation with Heather Engel

 

Heather Engel is an experienced veteran of the cybersecurity space who has worked in the field for nearly 20 years. Heather currently serves as the Managing Partner of Strategic Cyber Partners, a firm which she founded. Working with both governmental and industry clients, Heather advises on several security areas including overall management and program development, risk, incident response, data, and executive support. Heather’s prior experience includes working with the United States’ Department of Defense.

In our conversation, Heather and I discussed an array of issues pertaining to enterprise cybersecurity. Topics explored include IT/OT, blockchain, the role of data, and more. We posited on the future of enterprise cybersecurity and Heather elaborated on how the space has changed over her career. We also looked at the make-up of strong organizational cybersecurity strategy in the age of digital transformation and as the threat landscape persistently evolves.

Recommendations:

Essentialism: The Disciplined Pursuit of Less, by Greg McKeown

Emotional Intelligence 2.0, by Jean Greaves

 

orange-line.png

 We'll notify you weekly about new podcast episodes, upcoming guests, and news. You can subscribe to the podcast and if you'd like to be considered to appear on the podcast contact us.

 

View Transcript

Good day everyone, and welcome to the latest Momenta Podcast. My name is Leif Eriksen, Insights Partner at Momenta, and our guest today is Heather Engel, Cyber Strategist, Managing Partner at Strategic Cyber Partners. She is an advisor to government and industry on risk management, cyber planning and security program development.

Welcome Heather, and please start by sharing with our audience a little of your background, and how you became a trusted adviser in the cyber arena.

Hi Leif, and thank you very much, thanks for having me on the podcast today. I’ll start just by telling you a little bit about myself, I had been doing cybersecurity for close to 20 years now, even before we called it security, back then it was just IT and locking down different types of information systems. I actually started with getting an advertising degree from Penn State of all things, and very quickly realized that information technology and databases and programming was an area of interest. So, I went back to school, got a little more training, then I was placed on a contract working for the Department of Defense. So, as I was working with the DOD, I got to see some really amazing things in my career, I did that in various capacities everything from exercises and training, to certification and compliance.

Over the course of my time with the DOD, in various capacities I worked with all branches of the service, was very fortunate to work with some really amazing people as I was doing that, then came out and started working in the commercial world. So, what I found when I transitioned to working in cybersecurity in the commercial space was that in the government there’s a lot of regulations, we make jokes about government red tape, but in terms of security, standards, and configuration management, there was a lot that the government required of their systems and networks, that just wasn’t being done in the private sector. So, I’ve been working in the commercial space for the last seven years, and it’s been a great transition, really interesting, I’ve had the chance to work with some really amazing clients.

Great, sounds like a great career so far. Tell me, what do you think has changed in cybersecurity since you started? You mentioned that back then at the beginning it wasn’t even referred to as cybersecurity, but I know there’s been fundamental changes in the course of your career, maybe share a little bit about what you think has changed, and what’s most significantly today than it was at the beginning.

Yeah definitely. So, when I went back and was started to really get my hands into IT, the focus was truly on understanding networks, how they communicated, the focus was on creating and working with some of the programming languages, that’s how we make everything talk to each other, and we didn’t call it cybersecurity.

We were doing things to configure our workstations, and configure our servers, in a way so as to make them a little bit more secure, but we really were focusing on the lockdown piece of it, we did defense, we didn’t do a lot of offence. Obviously since then, the number of devices that we’ve had to secure, and the type of devices that we have to secure now are exponentially larger. I think to some extent we don’t fully understand the impacts of all the things that are now coming online, and we call this the Internet of things where everything has an internet connection, and we don’t fully understand the impact of what that means for how IT is going to change, and how cybersecurity is going to change in the future.

One of the other really big changes is, when I first started all of this was considered an IT problem. So, it was someone at the helpdesk, or it was a network administrator, or a systems administrator who was working to secure these devices. Now what we’ve started to see, and where we’re really making progress is, we’ve elevated cybersecurity to be more of a risk management problem, and it’s gotten the attention of the executive level, and that’s really where it has to be. We don’t play by the same rules as the criminal who is trying to access your information, or is trying to knock over your network and give you some downtime; they play by a whole different set of rules, and so we’re having to really change our thinking from this defensive strategy, to really pulling everything in and having it be a total risk management strategy.

That’s interesting and begs another question which is, is it just the criminal? What you’ve just laid out, if I’m an industry leader I’m getting very nervous, because again as you say, the complexity has gone up by an order of magnitude in terms of what needs to be done to secure all of the different things that are connected to my systems, and I think that would keep me up at night. So, is it just the criminals that I need to worry about, or are there other risks so to speak that have to be addressed by cybersecurity?

Yeah, there are a lot of risks, and so obviously a cybercriminal is one risk, but what we are realizing now at the executive level is that we have massive amounts of data. That data can be used for good, for example, and I know you and I are going to talk a little bit about operational technology today, that type of data is something that we can use to transform the way that we do business. So, we can look at a system, and we can make predictive analysis to say this system is going to need maintenance, or this system needs to be replaced, we can do really phenomenal things with that data, but that also poses a risk. The more data that you have, the more information you have to protect that someone else, a cybercriminal or otherwise could potentially want.

We talk a lot about the amount of information, the Privacy Act, that we’re not seeing the publicly available information versus my personal information, so we don’t just have to worry about cyber criminals, it’s very easy for something as simple as a misconfiguration in a system to leak data. We see that in the news all the time where a database was placed on the open internet, and it was out there for anyone to see, that was just an unintentional error versus someone actively trying to access that information. So, the complexity of our networks, and the sheer amount of data creates a lot more issues than just the cybercriminal aspect of it, and so I will tell you you’re not alone when you’re thinking this is the kind of stuff that keeps me up at night. I think there are a lot of executives, both cybersecurity and otherwise that are awake at three in the morning thinking about these kinds of things.

Yeah, I can imagine, and they should be. So, you touched on the issue of operational technology, and of course there’s been a lot of talk over the years, mission years anyway, of the difference between information technology and operational technology, and I’m sure there are differences in terms of how you approach each from a cybersecurity perspective. Can you comment on those differences, and how cybersecurity varies depending on whether it’s an IT domain versus an OT domain?

For sure, and this is something that in order to really talk about this, we need to understand the difference between IT, which is information technology, and OT which is operational technology. So, in very simplistic terms, IT deals with information, and we can almost think of that like a service. Operational technology deals with machines that create products typically, whether that product is energy that supplies a city or a town, or whether that project is a widget that’s being manufactured.

And so again, that’s a really simplistic way of putting it, but if you’re putting it in terms of a service versus a product, we market those things very differently, we typically are selling to different types of people, we have different rules and regulations in place for a service versus a product, and if we are to bring it back round to cybersecurity, we have different ways and different types of things that we need to protect.

So, when we look at operational technology, and I talked a little bit already about the massive amounts of data that are generated, operational technology is simply a field that we’re just really starting to tap into with the amounts of data that are being generated, and that’s where we’re starting to see some of the really forward thinking organizations starting to move towards digital transformation. So, what that’s doing then is, the digital transformation aspect is really starting to create this dovetail, this cross-over between the information as a service, and the machines as a product. We’re finding now that we can take information that’s generated by these operational technology systems, and we can monetize it, we can use it to trouble shoot, we can use it to transform the way organizations do business, and even create new product sets or new services that we can then turn around and offer to our customers.

That’s just a primer on the differences between IT and OT, and again it’s a very simplistic way of putting it. The thing to remember about operational technology is that it’s not new, it’s been around for a really long time, but in the past if you think of a manufacturing plant floor, we typically have put the systems on the plant floor, and the cyber strategy, or the security strategy has been to isolate it, and leave it alone. Whereas information technology has always been about networks and communications, OT systems tend to have a closed nature. So, the more our OT systems converge with IT system, the more we need to apply some of the same rules, and some of the same thinking that we do for IT to our OT systems, and that’s very difficult.

What we find in a lot of cases is that operational technology, you can’t apply the same types of information technology rules and things to secure the information, as you can to an IT system. Operational technology just doesn’t support a lot of the regulations and best practices that are out there, and that’s very difficult for a lot of my clients.

That makes sense, it’s just a whole different world and a whole different philosophy, for sure.

The other duality that I’d like to explore with you, where there’s sometimes perceived to be a relationship, and other times not, is the relationship between cybersecurity and physical security. They’re often viewed as independent of each other, but as we know from some cybersecurity incidents that the problem got into the system due to a breakdown in physical security. The classic example of that is Stuxnet and Sneakernet, I could go back to when I first started in the technology business, the way we moved things around was you put things on a disc and moved it from one system to another, we just didn’t have the networks, even internally. That’s still possible of course, as long as there’s some sort of physical way for someone to plug into a machine, if they can physically get inside someone’s primer if you will, there could be problems.

So, what are your thoughts on that, how does that play out, how should companies approach that relationship?

A lot of the work that I do with my clients is helping them understand how their security needs to be applied in the context of, let’s say regulatory compliance. So, I work with a lot of clients particularly in the manufacturing space who are making things for the United States government. They have very specific compliance mandates in their contracts that they have to adhere to. Part of those mandates, and we can look across the domain of cybersecurity risk management, and we can find physical requirements, or physical security requirements, as part of just about every compliance mandate out there. So, whether you’re looking at payment card industry of the data security standards, whether you’re looking at NIST, they all include a section on physical security.

However, we can also flip that around and say, when we’re doing our physical security, there is absolutely a cyber component to that, so they both impact the other. I would say that in many situations they’re almost equal in terms of one doesn’t overrule the other. So, I’ll give you an example; if you’re talking about an access control system, so if I go into my company’s headquarters, we have a badge reader that I have to swipe my badge before I get access to the spaces. Well, that’s a cyber system, or that’s an IT system that controls my physical security.

On the flip side of that, the physical security, I think as humans we have this tendency to want to be polite, we want to help other people, we have this sense of empathy, and we see this all the time in  companies that have done social engineering-type penetration testing, where someone dressed in nice clothes with a clipboard, maybe they have a logo on their shirt, have been able to walk right into secured spaces without any kind of cybersecurity controls that are stopping them. So, that then is a breach of the physical security, it didn’t require any technology but then once they’re in there… you mentioned sneaker netting, we can bring in a USB drive, plug it into a system, maybe I’ve come in with a laptop, I can plug that system sometimes into the wall and get access to the network. We haven’t put the proper physical and network security controls in place.

So, they definitely impact the other, and you mentioned Stuxnet; to go back a little bit to some of the operational technology, Stuxnet was first identifies in 2010, there is reasoning to think it was actually being developed as early as five years before that, but it bridged the airgap through the use of USB which is a portable storage device. That is still an issue today particularly in the Department of Defense where several years ago they outlawed USB drives, for reasons that were similar to Stuxnet, and this is something that companies are struggling with today, they want their employees to be able to take that information, and maybe they have a business need for doing it. One of my clients provides information back to their clients, and the way that they give it to them is on a USB drive, so that’s a business need for them; they can’t just say, ‘We don’t allow this’, because that would be a massive shift in how they do business.

So, kinetic effects are really a big concern when we start talking about the convergence of information technology, and operational technology, that means that our operational technology and our physical systems take on some of the risk of information technology systems.

Wow, so again I’m listening to all this and I’m going, ‘A lot of challenges’. And again, I don’t know what the stats are, but I have to think based on my own experience that a lot of companies still treat these things differently, physical security and cybersecurity, IT/OT. When you go in and advise executives, what do you tell them in terms of how they should approach it, should there be one organization, should there be a committee, how do you bring everybody together to make sure that everybody’s in sync, that the strategy is in sync, is affective?

This is a really great question because I’ve worked with clients before, and when we start to look at the physical security, or some of the other aspects even of personnel security, because personnel security in a lot of ways impacts the physical security. You have someone leave your organization, whether by choice or whether they’ve been let go for some reason, and you don’t have the proper personnel security controls in place to even do things like collect that persons badge, or collect their keys, then you’ve created a physical security vulnerability, because that person could walk right back in at any time.

It’s really interesting because I’ve worked with some clients who when you finally get all these people in the room, you get the person who’s in charge of HR, you get the person who’s in charge of physical security, along with the IT teams, and maybe some executive leadership. I’ve been in rooms before where they’re introducing themselves to each other, and saying hello for the first time, and that’s really a challenge. The way that we approach that is different for every organization, so for a service-based organization, or let’s take an organization that provides cloud services as an example; I would approach it very differently with that cloud service organization than I would with a company that is manufacturing parts for an aircraft. So, a lot of it depends on the business risk, and the business need, and what is the mission of the organization, that’s something that we have to take into account when we’re doing our cybersecurity, when we’re putting together a strategy for the organization.

It’s not one size fits all anymore, we can’t just take a compliance checklist and say, ‘Well, you have to apply this no matter what’, you’ve got to really start at the organisational level, look at the threats to that organization, look at what they’re doing, why are they in business? They’re typically not in business to apply cybersecurity checklists, they’re in business because they’re selling something, whether they’re selling it to consumers, or whether they’re selling it to other organizations, they’re in business because they have a mission to deliver something. So, our security strategy has to fit the business mission, it has to take into account the risk and the type of operations that they do, otherwise it doesn’t work for anybody, and the minute that I leave, or the minute that the CISO who is left behind has a minute to sit down and breath, the whole thing’s going to fall apart, if it’s not specific to the organization.

We joke about, ‘It depends’, being the typical consulting answer, but it really does depend on the type of organization that you’re running, and what you’re trying to do. Your security has to support that, otherwise culturally it’s never going to take hold.

It makes perfect sense, and it goes back to your point earlier that this has to be executive led, the days of this whole exercise being led by the Head of Cybersecurity so to speak, versus the CEO or some part of the executive, I think are passed.

I want to change gears a little bit, one of the technologies that’s got a lot of attention lately, and one could call it hype is blockchain. The big buzz around blockchain is, it’s an inherently secure way to conduct transactions, and so when I hear something like that I say, ‘Okay, that’s great. So, does that mean you don’t need cybersecurity?’ ‘What are the impacts on cybersecurity?’ ‘Have you thought about this a bit?’ What are your perspective on the sort of blockchain and how cybersecurity might fit into that world?

I think to have a conversation about blockchain, we need to understand a little bit about it at a very high level. So, when we talk about cybersecurity, we typically look at it in the context of confidentiality, integrity and availability. We hear blockchain thrown about, you’ll see it in articles, you’ll see it in the news media, you may have sat in a meeting where someone said, ‘We should use blockchain for this’. So, it’s worth noting then that there are different kinds of blockchain, there’s the public blockchain which anyone can be a part of, and then there is a private blockchain. For example, if I was going to develop an application, and I wanted to make sure that the transactions within that application could not be disputed, but I didn’t want just the general public to have access to that blockchain, I’m going to create what’s called a private blockchain. Then we can also create a hybrid blockchain which combines the best or the worst of both worlds, depending on who you ask.

So, in the case of cybersecurity of the blockchain, we have to first understand whether we’re talking about the public blockchain, or we’re talking about a private blockchain. If I’m talking about integrity and availability, those two go hand-in-hand, because the way blockchain works is all transactions are public, and anyone can see the transactions that are happening in a blockchain. So, I’ll give you an example, you can in a lot of cases trace a ransomware transaction, or multiple ransomware transactions back to a specific account. Working with past clients, when they were faced with paying a ransom on ransomware, very often you’re given the number, you can trace it back and you can see who else has paid that ransom. Now, you can’t attribute it typically to a company or a specific person, but you can say, ‘Okay, this person has made $500 dollars in payments from ransomware. However, unless the account holder discloses their details, their privacy is typically maintained, once you get to the point of finding the account, seeing the transactions that are associated with the account, it’s very difficult typically to understand who is behind the account.

That’s where the confidentiality piece comes in, that’s not to say you can’t ever figure out who it is, but what the blockchain really does is it removes a central authority which could be compromised, and it puts the security of the transaction, or the integrity of a transaction across multiple nodes. So, any one of the nodes can confirm a single transaction, which then means if I’ve made a payment somewhere, it’s going to be recorded across several nodes instead of just one place. So, it removes that central authority, but what does this mean for cybersecurity? Well, there are a lot of experiments going on in the DoD and in other sectors, to understand how blockchain can be used to create more robust platforms and start to implement it in terms of, what can we really do with this, how can we make this so that transactions are indisputable, so that we are also keeping and maintaining the confidentiality of data.

So how blockchain is used really depends on the organization that are trying to implement it, and whether they’re trying to use public, private, or hybrid, that all really goes back to how you’re going to secure it, and how you’re going to put it in place. Again, there we come back to that same old ‘it depends’ answer, it really fluctuates based on what you’re trying to do and how you’re trying to implement it.

That’s a little bit of blockchain education, because I think we see that word thrown about so much. There’s a real lack of understanding of what it actually means, and what it does.

Yeah, there’s no question about that, and what you’re saying there is there may be some inherent conflicts depending on what you’re trying to use it for. We often hear about it in terms of the financial transaction, but there’s a lot of buzz and hype about using it for non-financial transactions, and what does that mean. Definitely we have a lot of work to do there, it sounds like.

And I would say too that this is a question of choosing the right technology to solve the problem, versus choosing a technology that may not be the right fit, or the right solution, but it’s got a lot of hype. That doesn’t just apply to blockchain, it applies to a lot of security products across the industry; do you want the one that has the fanciest advertising, that gives you the nicest swag when you go to conferences? Or do you want one that actually fits and does what you need it to do, and blockchain is no different. In some situations, it’s a great tool, in other situations maybe it’s not the right one.

Yeah, great point. So, tell me, we’ve touched on this in a number of different ways, but what are the characteristics of an organization with a good cybersecurity strategy? Maybe it’s broader than that, maybe it’s a good risk management strategy that encompasses cybersecurity. Also, if you can share any examples, that would be great; of course, I understand that you have confidentiality agreements with your clients, so maybe in generality if you could share some examples.

Yes, we touched on this a little bit already, but one of the characteristics of an organization with a good cybersecurity strategy, is that they have not just tried to check boxes. Most organization’s now have some sort of compliance mandate that they have to adhere to, whether it’s payment card industry, whether it’s NERC CIP, whether we’re talking about NIST, and these are things that have grown and changed even just since I’ve been doing commercial work for the last six or seven years, where there were a lot of organization and industries when I started, that really didn’t have any cybersecurity mandates that applied to them. So, your question about what the characteristics of an organization with a good cybersecurity strategy is, a good cybersecurity strategy is part of an overall business and risk management strategy. So, I say business first, risk management is second, we’ve already talked about we have to know and understand what the mission of our business is, in order to then start to evaluate the risk.

As you’re starting to implement your cybersecurity strategy, especially if you have a new mandate that you have to comply with. There is a real tendency to just go to the checklist and start working through it, and in most cases that is going to cause your folks who are trying to work through that, to just start pulling out their hair, because if you’re not looking at it in the context of risk tolerance for your organization, it’s going to be very difficult to make decisions about what does our network boundary need to look like, or what kind of access controls do we need to have in place? Well, until we understand the risks and the threats to our particular industry, and our particular business, it’s very hard to make those decisions.

Some organizations may be required to have multifactor authentication. Multifactor authentication means that we start to move away from using passwords, and we use other ways to access our systems. For the record this is the best practice, I highly recommend it, but in a lot of organization’s that’s just not going to work across their entire networks. So, an example would be a manufacturing company, you may be able to apply multifactor authentication to the IT side, so your business team, your finance team, the folks who are logging in and sitting at a desk and managing information, yes you can very easily implement multifactor authentication, and its highly recommended that you do. But on the operational technology side, that same company that’s a manufacturing company, very often they’re running manufacturing systems using an account that is attributed to the machine, versus to a specific person, and that’s going to be more difficult to implement multifactor authentication.

Some of the other characteristic would be, you absolutely have to have your executive buy-in, culturally this is something that you cannot do alone, you can’t do it just with IT, you can’t even do it just with a risk-management team, and in some cases the legal team is really leading the charge of securing infrastructure, because they recognize the impact that a loss of data will have on the organization. So, you have to have executive level buy-in across the organization, in order to create that maturity. And when I say buy-in, I don’t mean just the executive team saying, ‘Yeah, good job, go get ‘em’, they’ve also got to be willing to sign the cheques that are going to assign resources, and allow the different teams within the organization to procure the resources that they need.

Once you can understand how cybersecurity works with your business goals, it becomes much easier to create this level of maturity. But remember, it goes back to the risk of the organization, and remembering that cybersecurity is just one risk that we have to manage. I think the data plays a big role too, looking at the type of information that we have, and the amount of information that we have. One of the easiest ways in a lot of organization to reduce risk is to simply have a data retention policy and follow it, so if our data attention policy says we don’t need to keep information easily accessible and online for longer than a year, or two years, removing that data, maybe archiving it. You don’t have to get rid of it, but you take it offline where it becomes less honorable, and so things like this are all examples of what makes a good cybersecurity strategy.

That’s interesting, and it also begs another question which is, when you talk about it depends on the data, and you mentioned one example, but are there also examples of data that it just doesn’t matter?

Absolutely.

Sometimes we say, ‘Oh, we’ve got to secure all data’, that creates a massive cost for us, when in fact there’s portions of that data which really doesn’t matter, let it be free so to speak.

Yeah, absolutely! Some of the most mature organizations that I’ve worked with, will have what’s sometimes called a data confidentiality strategy. Essentially what they’ve done is, they’ve classified their data, and the best example of this is the United States government. We have unclassified data that is free to access, we’ve got unclassified data that might be for official use, and then we have varying levels of classification that go up, from secret all the way to compartmented information.

That’s a great example there, but that’s not to say you have to be the size, scope, and have the level of critical data that the United States government has. Within your organization you might have data on employees that is protected health information, you will have personally identifiable information. If you’re a research company, I’ve worked with a number of universities on this, they’re performing research that make no mistake about it, foreign nations want to get their hands on that type of information. So, we may protect that information a little bit differently than we would for example, a press release about what the university is doing for a football weekend.

So, there are absolutely different types of data, and your data classification system doesn’t have to be complicated, it can be as simple as publicly releasable, protected, and then need to know type of information where only the people who are required to have access to that information, have access to it. Though if I work in human resources, I probably will need access to employees’ personally identifiable information, and maybe even protected health information to put their benefits plan together. But someone like me who is a business analyst, or someone sitting in the IT group, they don’t need access to that type of data on employees across the organization. I think when we look at security, and we look at maturity specifically, it really starts with the data.

This kind of brings our conversation almost full-circle, because we started out by talking about how much data is being generated now with every device; every time you touch a device that is inter-connected you’re generating data, even if you have one of those smart refrigerators in your home, every time you open the door, every time you touch the screen and ask it to do something your generating data. So, our security maturity really does go back to what type of data we have, how we classify it, and you’re absolutely right when you say we don’t protect everything the same way.

That also raises some good points, and also raises some additional points, which is when you talk about that connected refrigerator, lots of people want to get that data. Your local grocery store wants to get it, the refrigerator manufacturer wants to get it, maybe your utility wants to get it, know how much energy that is. And so, my question is, where do we go from here? The world is changing so fast, and it’s changed of course over your very career, so you know it’s going to continue change. Of course, one of the changes is that more and more data is going in the cloud for a variety of reason, so what are the implications for cybersecurity? How does it change going forward, is it more of the same, just we’ve got to be more rigorous about it, or is there some fundamental change that’s going to have to happen in the future?

Yeah, this is almost a philosophical question isn’t it? I think when we look at how things are going to change in the future, there’s a couple of things that we can look at that are happening right now. So, for the last however many years we’ve gone online, we’ve provided our information to all of these free services and social media. Most people I would venture, have never read a single privacy policy that says, ‘Here’s what we’re going to do with your data’. That’s starting to change, we’re starting to see a push at the regulatory level to change what companies can do with your data, because you’re absolutely right when you say the utility company wants to know how you’re using your heating and your air conditioning system, because that’s what they’re going to use to create their digital transformation strategy. So, I think they’re starting to be a lot more consumer-awareness of what’s being done with their data, and in a lot of cases now we’re starting to question a little bit more of what that data is being used for. We saw great examples of that with Facebook kind of being raked over the coals in the last couple of years, for a number of different incidents stemming from privacy and what they did with user data.

We’ve seen the California Consumer Privacy Act get closer and closer, and we’re going to see implementation of that, I believe it’s the end of this year. Nevada and Vermont have similar laws. CCPA is really the one that has garnered the most attention, but there are states that are starting to do similar things with data. So, when we look at how all this data is going to change the way we do things going forward, I think some of it will be driven by consumers, and how much they decide that they’re going to care about what they share online. You mentioned cloud services, that’s another really interesting problem, because there are many companies who don’t have the resources, and we hear all the time about the cybersecurity labor shortage, it’s very hard to hire people who can secure your systems.

Cybersecurity is such a very disciplined field, that anyone who claims to be an expert in all of it, is probably not an expert in anything, and may not be someone that you want to hire. Which means that in order to manage our cloud systems we need a different type of skillset, than we do to help oversee and drive our risk management strategy. We need a different type of skillset if we’re going to be programming applications or, creating APIs that allow systems to talk to each other, then if we’re building out a new network architecture. I think a lot of the time cybersecurity gets lumped into this one big job field, and it really is a multi-varied discipline.

So, to circle back to the problem of cloud, just because something is in Amazon web services, or it’s in the Microsoft cloud, doesn’t mean that its properly secured. This is a kind of pet peeve for me when I’m looking at the security of different systems, and different applications, if it just says, ‘We’re secure because we sit in Amazon webservices, well that to me doesn’t tell me anything about your security, except for the fact that you don’t really know what you’re talking about. If I’m going to put something in Amazon webservices, yes the capability for it to be very secure is there, but we’ve seen numerous cases over even just the last 18-months of systems that have been sitting in Amazon webservices, and they’ve been misconfigured and they’re leaking data. So, just by the nature of having part of your infrastructure in the cloud, doesn’t make it more secure.

Now, that said, one of the reasons to go to the cloud is because of what I just said about cybersecurity talent. It’s difficult to find someone who can do all of the things, so we’ll outsource in a lot of cases to manage security service provider, or just a manage service provider, or we outsource by putting some of our data in the cloud, in the hopes that the company providing that service offering has the experts, and they’re going to help you secure that data in a way that maybe you wouldn’t be able to, because of resource constraints.

It’s interesting and I think what you’re saying, but correct me if I’m wrong, is that the cloud can be a way particularly with the right service provider, one that has the resources, can be a way to create a higher-level security level for your data, than you could do yourself because of limited resources, but that doesn’t mean you abdicate any responsibility for that security.

Absolutely, and that’s a mistake that so many companies make, is they think that we’ve just shoved everything to the cloud and now it’s the service providers problem, and in most cases it’s not. They’re going to write a contract that favors their business, and so it’s up to the company to look at the terms and conditions of the contract, and to look at and understand things like,

  • What happens to my data if I want to change cloud service providers?
  • What happens if I want to move it, is this company obligated to help me move it, or am I totally on my own for that transition?
  • What are my uptime guarantees?
  • What happens if the company has a breach?
  • What happens if the cloud service provider has a breach?’

These are things we find when we look at some of these contracts, they’re not very well defined. So, a company may think they’re really well protected, when in fact they’re not protected at all, and they don’t have the resources that they think they’re going to in the event of a data breach.

Yes, that’s interesting, this has been a very enlightening conversation. Do you have any closing thoughts, and also we like to ask our guests what they’ve been reading recently, what do they think is an interesting book that they could share with the audience? It doesn’t have to be in cybersecurity, whatever has peaked your interest recently. So, some closing thoughts, and maybe a thought on some good reading.

Well I mentioned earlier in the conversation that my background and my degree is in advertising, and that I’ve gone on to do numerous certifications and things in the technology field, but I feel like one element of a good cyber strategist is, a multidisciplined approach. So, none of the reading material that I’m going to recommend really has anything to do with cybersecurity, but it does have a lot to do with extending your horizons a little bit.

There’s a book that I finished recently called, Essentialism: The Disciplined Pursuit of Less, and it’s by Greg McKeown, and really just a great book, and very relevant when you’re looking at Cybersecurity and what we talked about today; because it talks about really identifying what’s essential to happiness, what’s essential to the goal that you’re trying to accomplish, and then what happens to all of the other noise and some of the arbitrary things, and how those can really distract you from meeting your goal, so I really like that one.

Another one I’m working my way through right now is, Emotional Intelligence 2.0 by Jean Greaves. I’m enjoying that book immensely, and I haven’t finished it yet, so I can’t talk too much about it. Suffice to say, a lot of what we do in cybersecurity and in this risk management field doesn’t have to be strictly technical, a lot of it is really just understanding what the problem is that my client is trying to solve, and what are the challenges that they’ve had. A lot of that I think goes back to what we know as EQ versus IQ.

Perfect, that’s probably one I should read! This has been wonderful Heather, so thanks for sharing your insights.

This has been Leif Eriksen, Insights Partner at Momenta, and our guest has been Heather Engel Managing Partner at Strategic Cyber Partners. Thank you again Heather.

Thank you.

[End]