Spotlight Series: Cybersecurity: A Strategic Perspective
Ken Forster
This series highlights the key insights and lessons from our Digital Leadership series of podcasts. We spotlight the important takeaways from our interviews in an accessible format. The following insights come from Heather Engel, Managing Partner at Strategic Cyber Partners. Stay tuned for the full podcast interview with Heather; in the meantime, take a look at our full library of podcasts.
Welcome Heather. Please start by sharing with our audience a little of your background and how you became a trusted adviser in the cyber arena.
Hi Leif. Thank you very much, and thanks for having me on the podcast today. I’ll start just by telling you a little bit about myself. I have been doing cybersecurity for close to 20 years now, even before we called it security; back then it was just IT and locking down different types of information systems. I actually started with getting an advertising degree from Penn State, of all things, and very quickly realized that information technology, databases and programming were an area of interest. I went back to school, got a little more training, and then I was placed on a contract working for the Department of Defense. As I was working with the DOD, I got to see some really amazing things in my career. I did that in various capacities, everything from exercises and training to certification and compliance.
Over the course of my time with the DOD, in various capacities, I worked with all branches of the service, and I was very fortunate to work with some really amazing people as I was doing that. Then I came out and started working in the commercial world. What I found when I transitioned to working in cybersecurity in the commercial space was that in the government, there are a lot of regulations. We make jokes about government red tape, but in terms of security, standards, and configuration management, there was a lot that the government required of their systems and networks that just wasn’t being done in the private sector.
What do you think has changed in cybersecurity since you started? You mentioned that back then, at the beginning, it wasn’t even referred to as cybersecurity, but I know there have been fundamental changes over the course of your career. Maybe share a little bit about what you think has changed.
When I went back and started to really get my hands into IT, the focus was truly on understanding networks and how they communicated. The focus was on creating and working with some of the programming languages, since that’s how we make everything talk to each other, and we didn’t call it cybersecurity.
We were doing things to configure our workstations and configure our servers in a way so as to make them a little bit more secure, but we really were focusing on the lockdown piece of it: we did defense, we didn’t do a lot of offense. Obviously, since then, the number of devices that we’ve had to secure, and the types of devices that we have to secure, are exponentially larger. I think to some extent we don’t fully understand the impacts of all the things that are now coming online. We call this the Internet of Things, where everything has an internet connection, and we don’t fully understand the impact of what that means for how IT is going to change, and how cybersecurity is going to change in the future.
One of the other really big changes is that when I first started, all of this was considered an IT problem. It was someone at the helpdesk, or it was a network administrator or a systems administrator, who was working to secure these devices. Now what we’ve started to see, and where we’re really making progress, is that we’ve elevated cybersecurity to be more of a risk management problem, and it’s gotten the attention of the executive level, and that’s really where it has to be.
There’s been a lot of talk over the years of the difference between information technology and operational technology, and I’m sure there are differences in terms of how you approach each from a cybersecurity perspective. Can you comment on those differences, and how cybersecurity varies depending on whether it’s an IT domain versus an OT domain?
For sure, and this is something that, in order to really talk about, we need to understand the difference between IT, which is information technology, and OT, which is operational technology. In very simplistic terms, IT deals with information, and we can almost think of that like a service. Operational technology typically deals with machines that create products, whether that product is energy that supplies a city or a town, or whether that product is a widget that’s being manufactured.
When we look at operational technology, and I talked a little bit already about the massive amounts of data that are generated, operational technology is simply a field that we’re just really starting to tap into with the amounts of data that are being generated, and that’s where we’re starting to see some of the really forward-thinking organizations starting to move towards digital transformation. What that’s doing, then, is that the digital transformation aspect is really starting to create this dovetail, this cross-over, between the information as a service and the machines as a product. We’re finding now that we can take information that’s generated by these operational technology systems and we can monetize it, we can use it to troubleshoot, we can use it to transform the way organizations do business, and even create new product sets or new services that we can then turn around and offer to our customers.
The other duality that I’d like to explore with you is the relationship between cybersecurity and physical security. They’re often viewed as independent of each other, but as we know from some cybersecurity incidents, the problem got into the system due to a breakdown in physical security. What are your thoughts on that? How does that play out? How should companies approach that relationship?
A lot of the work that I do with my clients is helping them understand how their security needs to be applied in the context of, let’s say, regulatory compliance. I work with a lot of clients, particularly in the manufacturing space, who are making things for the United States government. They have very specific compliance mandates in their contracts that they have to adhere to. As part of those mandates, we can look across the domain of cybersecurity risk management and find physical requirements, or physical security requirements, as part of just about every compliance mandate out there. Whether you’re looking at the Payment Card Industry Data Security Standard or whether you’re looking at NIST, they all include a section on physical security.
However, we can also flip that around and say that when we’re doing our physical security, there is absolutely a cyber component to that, so each impacts the other. I would say that in many situations they’re almost equal, in that one doesn’t overrule the other. I’ll give you an example: if you’re talking about an access control system, so if I go into my company’s headquarters, we have a badge reader, and I have to swipe my badge before I get access to the spaces. Well, that’s a cyber system, or that’s an IT system, that controls my physical security.
I don’t know what the stats are, but I have to think, based on my own experience, that a lot of companies still treat these things differently: physical security and cybersecurity, IT/OT. When you go in and advise executives, what do you tell them in terms of how they should approach it? How do you bring everybody together to make sure that everybody’s in sync, that the strategy is in sync and effective?
This is a really great question, because I’ve worked with clients before where we start to look at the physical security, or some of the other aspects, even of personnel security, because personnel security in a lot of ways impacts the physical security. If you have someone leave your organization, whether by choice or whether they’ve been let go for some reason, and you don’t have the proper personnel security controls in place to even do things like collect that person’s badge or collect their keys, then you’ve created a physical security vulnerability, because that person could walk right back in at any time.
It’s really interesting, because I’ve worked with some clients where, when you finally get all these people in the room, you get the person who’s in charge of HR, you get the person who’s in charge of physical security, along with the IT teams, and maybe some executive leadership. I’ve been in rooms before where they’re introducing themselves to each other and saying hello for the first time, and that’s really a challenge. The way that we approach that is different for every organization.
It’s not one size fits all anymore. We can’t just take a compliance checklist and say, ‘Well, you have to apply this no matter what’; you’ve got to really start at the organizational level, look at the threats to that organization, look at what they’re doing, and ask why they are in business.
What are the characteristics of an organization with a good cybersecurity strategy? Maybe it’s broader than that, maybe it’s a good risk management strategy that encompasses cybersecurity.
Yes, we touched on this a little bit already, but one of the characteristics of an organization with a good cybersecurity strategy is that they have not just tried to check boxes. Most organizations now have some sort of compliance mandate that they have to adhere to, whether it’s payment card industry, whether it’s NERC CIP, or whether we’re talking about NIST, and these are things that have grown and changed even just since I’ve been doing commercial work for the last six or seven years, where there were a lot of organizations and industries when I started that really didn’t have any cybersecurity mandates that applied to them. So, to your question about what the characteristics of an organization with a good cybersecurity strategy are: a good cybersecurity strategy is part of an overall business and risk management strategy.
Some of the other characteristics would be that you absolutely have to have your executive buy-in. Culturally, this is something that you cannot do alone; you can’t do it just with IT, you can’t even do it just with a risk-management team, and in some cases the legal team is really leading the charge of securing infrastructure, because they recognize the impact that a loss of data will have on the organization. You have to have executive-level buy-in across the organization in order to create that maturity. And when I say buy-in, I don’t mean just the executive team saying, “Yeah, good job, go get ‘em”; they’ve also got to be willing to sign the checks that are going to assign resources, and allow the different teams within the organization to procure the resources that they need.
Where do we go from here? The world is changing so fast, and it’s changed, of course, over your career, so you know it’s going to continue to change. Of course, one of the changes is that more and more data is going into the cloud for a variety of reasons, so what are the implications for cybersecurity? How does it change going forward? Is it more of the same, just that we’ve got to be more rigorous about it, or is there some fundamental change that’s going to have to happen in the future?
I think when we look at how things are going to change in the future, there are a couple of things that we can look at that are happening right now. For however many years we’ve been online, we’ve provided our information to all of these free services and social media. Most people, I would venture, have never read a single privacy policy that says, “Here’s what we’re going to do with your data”. That’s starting to change; we’re starting to see a push at the regulatory level to change what companies can do with your data.
When we look at how all this data is going to change the way we do things going forward, I think some of it will be driven by consumers and how much they decide that they’re going to care about what they share online. You mentioned cloud services; that’s another really interesting problem, because there are many companies who don’t have the resources, and we hear all the time about the cybersecurity labor shortage. It’s very hard to hire people who can secure your systems.
Cybersecurity is such a very disciplined field that anyone who claims to be an expert in all of it is probably not an expert in anything, and may not be someone that you want to hire. This means that in order to manage our cloud systems, we need a different type of skillset than we do to help oversee and drive our risk management strategy. We need a different type of skillset if we’re going to be programming applications or creating APIs that allow systems to talk to each other than if we’re building out a new network architecture. I think a lot of the time cybersecurity gets lumped into this one big job field, and it really is a multi-varied discipline.
Momenta Partners encompasses leading Strategic Advisory, Talent, and Investment practices. We’re the guiding hand behind leading industrials’ IoT strategies, over 200+ IoT leadership placements, and 25+ young IoT disruptors. Schedule a free consultation to learn more about our Connected Industry practice.