The New Top Ten in Cybersecurity: Things Have Changed Dramatically.
BLACKOPS Chairman and CEO Casey Fleming lays out the Top Ten facts about cybersecurity that boards are missing.
1. FORGET WHAT YOU THINK YOU KNOW ABOUT CYBERSECURITY.
The Internet was initially developed only as an electronic communication method. Security did not become a concern until many years later, as the Internet matured. As threats mounted, the industry’s answer was to develop new software and hardware products to defend the perimeter of the network. Each of these products, which is developed, configured, and managed by humans, is inherently fallible. Fast forward to the current day and we have accelerated globalization, digital transformation, the cloud, Big Data, mobile access and apps (BYOD), social media, and the Internet of Things (IoT), all of which have rapidly disintegrated the perimeter while exponentially increasing the threat of theft of sensitive data in massive amounts.
2. CYBERSECURITY IS FUNDAMENTALLY BROKEN.
We all have been looking through the wrong end of the telescope at cybersecurity. Many organizations and staff stay very busy following the 1990s playbook of protecting the obsolete perimeter, with some hybrid point solutions. To make matters worse, the venture capital community has created a large bubble over the past several years by minting a new cybersecurity company nearly every day, each promising to be the “next big thing.” They are all chasing the $1 trillion to be spent on cybersecurity by 2021.[1] Most of these products are less than marginally effective and continue to add to the significant confusion and lack of concrete action in the cybersecurity space. When over 95% of all data breaches involve some type of human intervention, and when one insider threat can render all cyber defenses useless, we have no choice but to change our outdated strategy.[2] Our new approach must be critically focused around the human element and sensitive data, with cybersecurity as an important layer. CIOs and CEOs are looking for the “killer cybersecurity app” to make their defenses airtight, but it doesn’t exist and won’t. We all must move on from focusing solely on cybersecurity and instead embrace a new concept: guarding data. This concept forces a new paradigm of focusing on both a defensive and an offensive strategy, with a set of tactics based on preserving the lifeblood of the organization.
3. YOU ARE IN A FULL-ON ECONOMIC WAR.
Like it or not, you, your family, your friends, and your organization are engaged in a full-on economic war. This includes all persons and their business, government, military, and academic organizations. The U.S. economy is built on innovation, yet loses over $500 billion each year to economic espionage and theft.[3] When you factor in the sensitive data or R&D that was to power your organization, along with lost jobs, revenue, and profits, we lose over $5 trillion, or 1/3 of the U.S. GDP, each year.[4] Adding insult to injury, our adversaries use your stolen data to develop your product with zero R&D cost, and build their economies by selling it back to your customers at less than 50 cents on the dollar.[5] That is by definition an economic war, and a matter of national security.[6]
Over the last 30 years, China has matured its Program 863 to steal the West’s innovation. Their approach to economic war is “death by a thousand cuts,” and espionage is “a thousand grains of sand.”[7] You and your family and organization are constantly being mapped, tracked, and breached by numerous forms of insider threats, compromised employees, and cyber spies. There are over 100,000 estimated insider spies in U.S. organizations, over 300,000 Chinese student “spies” under education visas at U.S. universities, and over 200,000 cyber soldiers in China hacking at the West.[8] While China is the largest aggressor by far, Russia, Iran, North Korea, and others remain active.
4. THE AMERICAN DREAM IS FACING EXTINCTION.
Economic war is part of a larger unrestricted war, or asymmetrical hybrid war, where there are no rules. The intent is to purchase and control the critical transactions or intermediaries required to conduct business both globally and locally. By owning or disrupting transactions, an adversary controls the economic outcome of its target and thereby reduces the target’s influence. Be wary of adversaries purchasing assets or companies, or partnering on infrastructure projects, where they can own the transaction or embed espionage. As this war continues, the American Dream is vanishing for our children and grandchildren. It’s time to smartly defend our hard work and our future.
5. GUARDING DATA IS BOTH A TEAM AND A SPECTATOR SPORT.
Protecting sensitive data is no longer just an IT function: it has become everyone’s duty. Every employee, intern, contractor, vendor, supplier, and law firm must own data guarding and become personally vigilant. IT and cybersecurity should be treated as one protective layer.
6. KNOW YOUR ADVERSARIES BETTER THAN YOURSELF.
You cannot have an effective data guarding plan if you don’t understand your adversaries and their motivations, methods, commitment, and backing. Any cybersecurity or data guarding plan without ongoing intelligence on your adversaries and a fluid plan to provide countermeasures is futile. You need to learn to think like a spy and a hacker.
7. RETHINK YOUR PLAN AND ACT ON IT IMMEDIATELY.
Your new data guarding plan must be focused on proactive data guarding, with a laser focus on the human element and insider threat. Cybersecurity is a layer; the plan must be user-centric. This is a critical reversal of today’s typical cybersecurity strategy, in which IT is expected to be the sole protector against all data breaches. This is not to say we reduce our efforts in cybersecurity (in fact, we must double down), but we need to be smarter. The plan must be driven by the business and not by IT. The plan must hold everyone accountable. It’s an economic war now.
8. AGGRESSIVELY SUPPORT A TOP-DOWN GUARDING CULTURE.
The only way a data guarding plan can truly be effective is if it is practiced and driven by the senior leadership of your organization. In the business sector, it’s the board of directors, with the CEO carrying the flag. In government, it’s the agency director. In the military, it’s the command leadership. In academia, it’s the board of regents. Senior leadership requires urgent help in accurately understanding the true threats and how to mitigate them with a new approach, and in leading the way towards forming a new guardian culture that extends through the supply chain.
9. PROTECT AND PRACTICE.
Identify your organization’s sensitive data. Classify it into tiers, with the crown jewels occupying tier one. Secure each tier and limit both physical and electronic access. Continuously manage and vet access. Update your data breach exercise plan annually from the viewpoint of regulators and prosecutors, and include all vendors and third parties in your planning. Practice data breach exercises at least annually, with an unbiased third party as facilitator. If you have sensitive data, your adversaries are determined to get it.
10. IT’S ALL ABOUT YOU.
Data guarding and cyber hygiene begin with each person, and extend to family, friends, and the organization. Remember, you are at war. Stay current. Be an evangelist, lightning rod, and champion. Hold yourself and others personally accountable for the protection of all sensitive data, both personal and organizational. Send this article to your colleagues, staff, and leadership. What you’ve been doing isn’t working. What will you do differently from now on? The time to act is today.
This was also published in United States Cybersecurity Magazine.