The Need for a New Cybersecurity Agenda
Insights from Jim Anderson, BAE Systems Applied Intelligence
The threat landscape has changed dramatically, and so must organizations' approach to cybersecurity. Jim Anderson of BAE Systems Applied Intelligence lays out the elements of the new cybersecurity agenda.
In an interview recorded at RSA Conference 2015, Anderson discusses:
- What's wrong with our current approach;
- How we shift to a mindset of business risk;
- What the board needs to know about security.
Anderson is responsible for the design and execution of BAE Systems Applied Intelligence's cyber and financial crime business across the Americas. Before joining BAE Systems last year, he held senior sales positions at Cisco, Dell and Hewlett-Packard. Anderson holds an MBA in marketing from the University of Pennsylvania's Wharton School of Business and a bachelor of science degree in electrical engineering and computer science from Princeton University. He also completed Northwestern University's Kellogg School of Management Global Executive Management program.
TOM FIELD: So the cybersecurity agenda is sort of your big platform, and I'm going to push a little bit on that and say what's wrong with the way that we're practicing cybersecurity now?
JIM ANDERSON: Well, I think we've got to start with the premise that it's not a matter of if they get in; it's a matter of when they get in, and [we need to] build a defense perimeter around that. When you look at the environment today, with all the attack vectors out there, the growth of the internet of things, of cloud, and mobility, we can't assume that we'll be able to prevent everyone from getting into our network. So, I think that is the first premise.
The second thing is, we have to move away from simply investing purely in perimeter technologies and start investing in technologies that actually monitor the network, look for anomalies inside the network. Once again, what happens when they get inside the network? How do we detect them, and how do we reduce what I call the lag time between when they get in and start leaving with the stuff that is important to us?
Changing Landscape
FIELD: It strikes me that a year ago we would have been talking about Target still. We would have been talking about the point of sale breaches, a lot of retail. Since then, we've seen Heartbleed, we've seen JP Morgan Chase, we've seen Sony. How have you seen the threat landscape change in the past year in between all these incidents that we've witnessed?
ANDERSON: Well, I think in general what we see is an increased sophistication of the attackers. I like to say the bad actors. There was an incident report from Rand that talked about - today they estimate around 80% of the bad actors are part of organized crime, versus 20% independent. That's almost a flip from some reports that came from companies like Juniper a year ago. So we see the sophistication increasing, and once again this has put a lot of pressure on the companies that we deal with.
The Business Perspective
FIELD: Now it's clear that cybersecurity has become a business issue. We see it more in the business press, even. How have business leaders' perceptions of the threat landscape changed in the past year?
ANDERSON: I think we've all learned cybersecurity is not just IT risk anymore; it's a business risk. When you look at the market reputation issues associated with it, the legal cost associated with it. It's something that all the boards are concerned about, and so are the C-suite executives out there. So definitely people realize it's much more than just someone hacking into my network to prove something. There is a lot of business risk associated with this, and thereby we have to look at it in a much more holistic approach.
Security Gaps
FIELD: Now it's good to talk to you because you have the opportunity to see lots of different organizations, lots of different industries. Where do you see the biggest security gaps?
ANDERSON: Well, I think there are a couple of things. First, it's with regards to, like I said, the investment. You've got to invest in the people, process and technology and start investing in things that will happen once they get inside the network. So that's a big gap right there. Second, it has to be a top-down approach. You have to want to continue to educate the organization out there and have buy-in from the C-suite as to what your defense is going to be and start to prepare for incident response, understand how you will respond if something does happen so you're not caught off guard with that. And continually monitor your networks and practice that. I see a lot of people looking at vulnerability assessments and red teams and those types of things, doing a lot more of that to understand their weaknesses and how they will respond if something happens.
Business Risk
FIELD: Jim, you and I have had the chance to speak outside of here, and you've talked about how organizations need to shift from thinking about risk as operational to business. How do we push organizations in that direction?
ANDERSON: Well, I think first you've got to get them to realize we have to break down the silos associated with risk across the organization. If you look at things like cyber, we just talked about the market reputation risk, the legal risk associated, along with losing assets and those types of things. That's many different parts of the organization, so you've got to get those organizations to start working together, understand all those risks, and aggregate them to understand how they will respond and really mitigate them across the board. So a lot of it is about education. That is at least what we're seeing, and it's about helping people understand, 'Okay, these are the things that we have as operational risks, here are the tradeoffs that we're making associated with that operational risk, and this is what can happen.'
FIELD: When you look at organizations, where do they need to evolve to get to that level of viewing it as operational risk and to be prepared to adopt this new cybersecurity agenda?
ANDERSON: Well, I think it starts with the realization that, hey, this can happen to me. It's just not the other people out there that this can happen to. I think anything we've learned over really the past year is that major corporations are at risk, and no matter how much you invest with regards to technology, you're still at risk because you can't stop all the bad actors if they are really determined to get into your environment. So if you start with that premise, then you start building up processes and educating people what to do about it, and that's what we see more and more.
How to Engage the Board
FIELD: The other thing we see more and more, boards of directors asking pretty significant questions about security. What do they need to know about security and how should security organizations best engage their boards?
ANDERSON: Well, I think what they need to know is understand once again how this can affect their overall operation. What is the operational risk of protecting my assets, because security is about protecting your assets? What you're really trying to do is prevent people from leaving with what's most important to you. So if you help the board to understand that, then they can master and correlate that with their fiduciary responsibility to protect and grow the company. So, that's really where we start with, and you do that best by educating and going, 'Hey, here is where we are at risk, here is what we're doing to respond to that risk, and this is what we monitor in our constant day-to-day business, leveraging intelligence and those types of things.'
FIELD: When you get into the practice of communicating with the board, what are some best practices you might recommend?
ANDERSON: Well, I think you've got to once again think about the board and what they are chartered with. And start with a high level approach of 'here is the business risk we're talking about.' And based on that business risk, here is where you know we have some issues as an organization; here is what can happen associated with that as an organization; and here's how we plan to respond. And really keep it at the high level. I don't think the board really cares about the particular technology associated with it, but what they care about is 'hey, can what happened over there happen to me and if so, what will we do once that happens?'
FIELD: What is that first step that organizations need to take to get headed in that direction?
ANDERSON: Well, I think it is assessing where you are. Because once you baseline and understand where you are, then you can talk about where you want to go. What we find is a lot of organizations are now looking to partners who have the experience, that have been doing this for a while. I tell people, 'What do you do well? How can you protect your assets? Then what should you partner with to help you protect behind that?' And we see a lot more collaboration going on in the industry between public and private, between companies and the partners they deal with. We're looking for security partnerships, not necessarily a transaction based on a tool, and I think that's where you have to go.