Tommy McDowell, Celerium’s General Manager, has many years of experience in cybersecurity. In this series of question and answer posts, Tommy shares his thoughts on important cybersecurity issues facing organizations today.
How did you land in the field of cybersecurity?
Beginning with military service in signal intelligence and then after college with the Naval Criminal Investigation Service (NCIS). I also led cyber security within the US Court system and eventually left government service and worked with a company that developed some of the early DoD Certification and Accreditation programs and conducted various assessments with the DoD as well.
After 9/11, I was asked to build a cybersecurity program for national critical infrastructure sites in the western United States, such as the Hoover Dam and other power generation and distribution systems. This led me to work on developing what became NIST 800-82. It was a lot of fun working to secure these sites by breaking in to them so we could learn to secure them.
Is there such a thing as being truly proactive about cybersecurity?
First of all, there’s a baseline set of security practices that are required for business today. Many breaches today could have been prevented by some very simple security practices.
Threat intelligence brings in the next step, as it allows you to identify the types of threats and threat actors that may be targeting you and your industry. A key success factor to a threat intelligence program is knowing your own organization. You must know what assets are critical and the vulnerabilities you have in your system to build a successful intelligence collection plan. Threat intelligence will then help you identify key actors, threats, and concerns so you can map it to your organization’s attack surface. When cyber threat intelligence is deployed effectively, you can detect breaches earlier and minimize any negative impact of the attacks.
It's important to note that you will not detect and stop every attack.. However, if you study the breaches that have happened, the majority of the attacks took advantage of vulnerabilities and exploits we already knew about. There’s a tremendous advantage to be gained by paying attention and implementing cyber threat intelligence and sharing that discussion within your community and supply chain.
What are some of the biggest threats or risks to companies today in cybersecurity? Is there anything they can be doing to prepare?
The thing that concerns me the most is that we don’t know what’s next. What are the next exploit kits and capabilities being developed by threat actors? Cyberattacks are growing more and more complex; we are seeing some very complicated attack methodologies.
Another concern is the supply chain. We’re aware now that, because we’re more interconnected than ever, the supply chain is part of our attack surface. However, we don’t have it well secured in every sector. Are we putting in the effort needed there? Are we looking at it holistically? All organizations should be thinking about this and considering who their critical partners and suppliers are, as well as what would happen if one of those critical partners or suppliers suffered a breach.
Finally, I’m concerned about the skill gap. Not just the lack of cybersecurity skills that we hear about in the news, but real, technical, human skills to code and configure technology. Our human skills are falling far behind, and the availability of qualified staff is not evolving as fast as we need it. This is not a problem we can technology ourselves out of; we simply must invest in people and developing their skills.
If a company was only going to implement one cybersecurity practice, what should it be?
First and foremost, invest in your people. Invest skill and money into the humans who do this work. You can’t just buy a software program or computer system and call yourself secure; you have to do the human legwork.
A common attack vector is still through email, be it malware or phishing or anything else. If you were going to invest in one place to drive down risk, that would be a good place. In many cases, this can be an internal change; shift your paradigm! There are other secure ways to share critical documents than email.