Cybersecurity expert says it all starts with process. The regulations will make it easier for companies to report breaches.
TechRepublic’s Karen Roby spoke with Jennifer Bisceglie, CEO of Interos, about President Joe Biden’s executive order on cybersecurity. The following is an edited version of their conversation.
Karen Roby: Go ahead and go over a couple of the main points of the president’s executive order. What really sticks out to you?
Jennifer Bisceglie: It’s a big one, and there are actually five big themes. And they got them all in one executive order, which is actually pretty big for the marketplace. The first one talks about all software that the government purchases needs to meet new cybersecurity standards within six months, so they actually put a timeframe around it, around multi-factor authentication, endpoint detection and response of software. The biggest piece of that is this concept of a software bill of materials, where for the first time ever, in an effort to sell software to the government, you’re actually going to have to define the provenance of what builds, what code goes into finished goods like Microsoft Office. So, that’s a big deal. The second is the establishment of a cybersecurity safety review board to actually look and investigate incidents, and learn and share from those hacking events. The next, back to the point about sharing, is information sharing at a scale that we’ve never seen before.
It’s actually requiring IT service providers to notify the government about cyber breaches that could impact the government networks, and SolarWinds was absolutely being used as the example there. The last is a little bit more boring. It’s around standardized playbooks for cybersecurity. It’s process; we don’t have process. We’re treating every incident and every event as the first time it happened, and it’s really not. The last is to have a government-wide cybersecurity detection and response system, which again, falls back on that information sharing. So, a lot around information sharing, active information sharing, but also this SBOM, or software bill of materials, is a really big deal.
Karen Roby: When we talk about information sharing, intel sharing, I mean, this is something that seems obvious. You would think that when we share information of what’s happening here and what’s happening there, that it only helps us all, but is that something we just haven’t done a good job of or just hasn’t been enforced?
Jennifer Bisceglie: I think it’s all of that. And unfortunately, Karen, this concept of “Why can’t we all be friends?”—we are a very litigious society. And so many of us are concerned that if we admit to a breach, which I mean, I’m sure you personally have, the listeners have. I get letters from a lot of my service providers saying, “Hey, change your password because we just got hit,” it happens all the time. But we live in a world that people are, and companies are very concerned about their brand and reputation. They’re also very concerned about their contracts being canceled or them being sued. And so, I think forward-leaning on making information sharing actually a requirement hopes to allay some of that fear that says, “If I tell you that I’ve been breached, then you can’t go back and cancel my contract because I haven’t done anything egregious. I actually played fair.”
Karen Roby: When you look at this as a whole, this executive order, how behind are we? I mean, it takes sometimes I think things like SolarWinds, or of course, the Colonial Pipeline now, for things like that to come to the forefront or make it into the news, for people to really realize, “Oh, wow, this is quite scary.” I mean, so we are behind, right, in terms of not being out in front of this enough?
Jennifer Bisceglie: It depends on how you define “behind.” I don’t think anybody’s ahead, if that’s a better way to say it.
I do think, and there was a report that came out, I think, this morning that talked about the pipeline actually is looking back to 2019, and that might’ve been the first experience they had around the breach. And so, these things are still happening. There was a report, I think, yesterday around SolarWinds with a number of companies that have been impacted, and that ripple effect is still being felt and still being figured out. I think that, again, to put a line in the sand that says, “We expect that things will happen, and now we’ve given you permission to share without being concerned about retribution,” I think is really a big deal. And so, here’s a real opportunity for information sharing, whether it be industry to government, whether it be government across trying to share and learn, as I just mentioned, or there’s actually industry associations called ISACs [information sharing and analysis centers] that have been around a while.
So, you have the financial ISAC, healthcare, where industries can actually share within themselves with their peers. So, you get out of this world of, “I don’t want to share with my competition that this occurred,” because then you have ransomware situations where they take down whole industries at the same time. So, lots of little pockets, I think that this is trying to create more of an opportunity, shining some light on this and creating a safe zone for this sharing to occur and for all of us to get ahead of it, because the hits just keep on coming after the last 15 months.
Karen Roby: Oh, yeah. Most definitely. And they’re not going to stop. I mean, that’s just, it is what it is. Talk a little bit about, what we talk a lot about on TechRepublic here and ZDNet is the cybersecurity talent shortage. And we’re seeing a lot of it with cybersecurity, unfortunately. So, how does that play in? I mean, we don’t have enough people to carry a lot of this out.
Jennifer Bisceglie: I think there are a couple of things there. I think the first thing is we have got to start adopting technology faster to enable the people we have. I mean, there’s massive amounts of money being spent on cybersecurity technologies right now, and cash being infused through PE firms and venture firms to get these things to market, there’s a lot of problems to be solved here, and there’s a real opportunity to leverage technology. I think that’s the first thing. The second thing is the education of the workforce. Before I even get to the point, do I have enough people to solve it, I need to get that cyber hygiene, which I never like to talk about, but it’s a real thing.
Seventy-five to 80% of what’s happening from a breach happens just—I don’t know about you, and I hate to talk about my mother in a taping, but she had 24 viruses on her computer at one point in time. It doesn’t just happen to people’s mothers. It’s happening in our workplace. And think about just what happened a year and a half ago, we all went and worked from home. So, the attack vector for cyber just multiplied. It’s the idea of creating a secure environment, and we’ve all heard the stories. Everybody had to reduce their security posture, because everybody had to be able to dial into home to receive access to the business systems. So, now I have a massive attack vector.
The only way to get ahead of that one is to leverage technology and to educate the workforce. And then I need to apply some of the SMEs. And to be very honest with you, Karen, it’s not just happening at the operator level. It’s happening at the C-suite level. It’s happening at the board level. You’re seeing a wholesale shift to getting more subject matter experts spun up at multiple levels within an organization to, as you said, get ahead of the problem. I’m looking at this, just taking advantage of technology that exists, and at least meet the problem where it is today.
Karen Roby: I remember it was about two years ago, two and a half years ago, I remember doing an interview with a guy who was former military. Cybersecurity was his thing. The whole interview was based on this idea that he said, “Boards of large companies, they have to have a cybersecurity expert on there.” It’s not just one tech person. And I remember reading some of the comments on it that people were like, “You don’t need a whole board seat for that,” or whatever. And it’s like, just you realize now, yes, you do. At those high levels, I mean, you’ve got to have it there.
Jennifer Bisceglie: But you do. And to be very honest with you, we’d be considered, Interos would be considered a small- to medium-sized business. We actually have a chief information security officer, which was unheard of even a year ago, to have a company our size actually have a CISO.
But you know what? Something’s going to happen, and I just want to know that we did as much as we could to get ahead of it, because it’s going to happen. And so, whether it happens because we didn’t have the right tools in-house, because we have this large attack vector, because everybody’s working from home nationally. I mean, our workforce used to be attached to our Arlington, Virginia, office. Now I have almost half the company not attached to my office. So, everybody’s working from home.
And that’s not changing. I mean, there’s just so many opportunities right now. And we are a hyper-, hyper-connected global economy. If we didn’t learn that over the last year and a half, I don’t know when you’re going to learn it. And so, to your point, it’s not just getting a part of a SME that comes in part-time and helps you. Companies of all sizes, all industries, every country needs to actually have somebody that’s assigned to this, and the tools and technology that enables them to actually do something about it.
Karen Roby: Like you said, never before have we seen this glaring, in front of us with all of these examples and things that have gone on. Well, wrapping up here, Jennifer, how difficult will it be to adopt all of this? I mean, what timeframe? I know, as you mentioned, the one thing that they did put a time limit on, the six months, what does this adoption look like?
Jennifer Bisceglie: I think it’s human and it’s cultural first. I think, again, this is where people aren’t going away, tools and technologies just enable us to do it better, faster, quicker, if you will. But we really need to see a human leaning in to make sure that when folks come in, and the first couple of times things get reported, everybody’s going to be watching, to say what happens? Do we make sure that Colonial, or whoever’s after Colonial, doesn’t get negative ramifications from their contracts, from the government, what have you, when they actually did what was being asked of them?
The second thing I think to realize, Karen, is that industry can’t do it without government, and the government can’t do it without industry. I think, getting the human aspect, getting that cultural shift, seeing these things funded, executive orders are really great at getting discussions like this going, but are we actually going to put funding behind it to enable some of these processes to be stood up and technologies to be stood up? That’s still yet to be seen. I think the cultural shift, the leadership, as well as the funding to support it, are the next things everybody’s going to be looking for over the next half year to a year.