Panel: People, processes key to cybersecurity success
A trio of experts told Miami University students that good processes and a passion for the work are important components for anyone working in the cybersecurity field
In a world that somehow manages to become even more internet-integrated every day, the importance of cybersecurity and those whose job is to keep systems safe continues to grow. Three experts in the field -- Eileen Brown, Partner/Principal, Technology Consulting - Cybersecurity at EY, Greg Barnett, VP, Head of Global Cyber Defense at FIS, and Terin Williams, Cyber Security Advisor at the Department of Homeland Security-Cybersecurity and Infrastructure Security Agency -- came to the Farmer School to talk about cybersecurity.
Brown said that she often works with power and utility companies, which are under a near-constant threat from the outside and inside. “There are national organizations that are constantly trying to penetrate the electrical grid and the operational technology within it,” she said. “I would also say insider threat is huge. That’s definitely risen in the last couple of years, whether it's employees that are maybe disgruntled and they want to be able to pull sensitive information outside of the company's four walls. But sometimes, it happens by accident.”
“In terms of attacks, I would say two are tied for probably what I see most often. One gets a lot of attention because it is kind of ‘sexy,’ and the other one, you never hear about or hardly ever hear about. The sexy one is ransomware, which I think people hear about that every day,” Williams said. “But business email compromise is the one that I would tell you is equally as frequent and pretty much equally destructive in some cases.”
Barnett noted that just having the right people in the right places to prevent the right attacks is a challenge of its own. “Resource allocation is always a challenging endeavor. How do we keep eyes on glass? How do we make sure that we're doing the right things?” he said. “We spend a lot of time and effort shoring up processes so the resources that we have at our disposal, the people, the actual folks who drive the security for the organization, are able to rely on one another to do their jobs.”
Williams pointed out that one danger companies and governments face is having a one-plan-fits-all approach to cybersecurity. “You can't defend against every actor out there, so you really need to use tools that are available to really focus in on the actors that are targeting your particular sector,” she said. “You've got to figure out what's most important to your organization, both data systems and people, and making sure that you put compensating controls in place and more defense around those, versus your entire enterprise. So many times I go into organizations who just defend everything the same, and you just can't do that or you’ll fail.”
Another failure point, Barnett noted, is when security gets _too much_ in the way of doing business. “You need to be able to focus on your partners and enable business to do business, otherwise we're not really going to have jobs. But those partnerships need to be built on collaborative trust. I think that's the challenge that a lot of security organizations fail in, in that they're seen as a roadblock and not an enabler,” he said. “One of the things that I try to coach and counsel and work with executive leadership across my organization is just ‘How do we enable you?’ My common phrase is, ‘How can I help?’ Let's provide a way forward regardless of the circumstances. And in some of those instances, we have found security events where we wouldn't have otherwise.”
Since the path to operational technology often runs through information technology, Williams said, the cybersecurity teams for both entities need to work together effectively. “If you don't have those two teams working together and really talking, then you're setting yourself up for failure. That's where we're really trying to take it to the next level and get folks out of the shame game,” she said.
Williams said that while a lot of security efforts are focused vertically in a given business sector or function, there’s a lot to be gained by taking the efforts across sectors. “A lot of the threat actors target certain sectors, so those verticals are absolutely necessary. But when you start getting those cross-functional ones, you get out of that group think and you start to look at a problem set or solution a little differently,” she said.
Barnett told students that while prevention is important, reaction is equally so, especially since cyber intrusions are likely to occur even with great security in place. “We are aware of strategic failures that have happened, but ultimately, it sometimes comes down to a single user's multi-factor authorization fatigue that could have hit anybody at any time. How many people have hit the wrong button on accident? The reality is, threat actors know this, they know human behavior, so that's how they're going to target us,” he said, noting the importance of reaction when a third party is helping handle security. “It's how you own it, manage it, and make sure that it's not going to happen again, that helps to drive those relationships.”
For students considering a career in some aspect of cybersecurity, Brown had some recommendations for areas on which to focus. “Operational technology security is huge right now. There's definitely a shortage of people with the kinds of skill sets needed to be able to assess and remediate OT vulnerabilities,” she said. “I would strongly recommend people learn more about cloud storage because cloud security is huge. I think that there's a huge shortage of folks that have the experience to be able to work with and help companies move to the cloud.”
Ultimately, working in cybersecurity requires someone to be in it for more than the money, Barnett said. “Cybersecurity is something that ultimately is what you make of it. We have a significant deficit not just in people, but in passion,” he said. “The passion in doing this is almost a prerequisite that a lot of people don't recognize. Either you have it or you don't. And it's not just in the forensics, the bits and the bytes. It's in the leadership.”
“You don't have to be just a ones-and-zeros person. You can be on the social engineering side, for example,” Williams said. “There's pretty much something for everyone as long as you have passion.”