Welcome to Prove It – a roundtable where Acceleration Economy analysts discuss, debate, and define pressing issues. In this episode, hosted by Senior Analyst Aaron Back, Analyst Chris Hughes tackles the subject of cybersecurity with guests Dave Harris and Matt Hudson, who share their experience and expertise.
00:47 – Aaron introduces this episode’s topic: cybersecurity.
Meet the Analysts
01:18 – Dave Harris is a cybersecurity architect at IT Value Acceleration Inc. He has a background in compliance, specifically data science, security, and cyber architecture. He also has 20 years of experience as a defense contractor.
01:34 – Matt Hudson is the founder and CEO of TC Engine. He describes his career as being at the intersection of global commerce, trade regulations, and IT. Matt works within the defense industrial base, helping companies identify, control, and track their regulated information.
01:53 – Chris Hughes is the CISO and co-founder of Aquia. With nearly 20 years of experience in cybersecurity, Chris is also a Cybersecurity Analyst. He has been involved as an active-duty military service member as well as a government civilian. He has further industry involvement with both the federal civilian side and the Department of Defense.
Ensuring Password Protection Strength
02:19 – SolarWinds blamed an intern for a password leak. But why are companies and individuals still using easy-to-guess passwords, especially to protect sensitive data and information?
03:30 – Leadership and governance structure are necessary when it comes to cybersecurity. Who is responsible for passwords and security? Employees need to be made aware of the importance of the access they have to certain resources.
04:18 – While identifying the source of a problem is important, it’s also challenging to establish a culture of security. Vulnerability analysis and security controls should have caught the lack of password strength and enforced a stronger password requirement.
05:52 – This situation is symptomatic of the broader issues faced within the defense industrial base and beyond. Many don’t value security or compliance as part of the culture. Although password requirements are basic cyber-hygiene, it’s still something that the industry is struggling with.
Potential Outcomes of Cybersecurity Attacks
06:26 – What type of infrastructure are you protecting? This issue is also impacting service providers and the supply chain.
07:33 – Potential outcomes include legislation and policy. For example, there’s the Cybersecurity Executive Order, which heavily emphasizes supply chain security. Also, there’s a big push for a Software Bill of Materials.
07:58 – Although smaller organizations are looking to external partners to fill their IT and cybersecurity gaps, they are still being targeted.
Regulatory Compliance & Culture
09:00 – Regulatory compliance among other factors has a big impact on cybersecurity and defense. For instance, a recent report showed that the defense industrial base has shrunk by 18%.
10:06 – While compliance can help drive change, it can also lead to a culture that just meets minimum requirements. Also, there’s evidence of compliance fatigue happening within the industry.
12:14 – According to the World Economic Forum, approximately 65% of GDP by 2024 will be tied to digital platforms. How will that have an impact from an adversarial perspective?
13:06 – As technology grows, the attack surface is growing as well.
14:48 – We have multiple compliance, jurisdictions, domains, assessments with underlying commonalities yet different organizations in the enterprise. Security is only as good as the weakest link. How do the smaller organizations survive?
The Citizen Base & Cybersecurity Awareness
17:39 – Looking at vulnerabilities in two ways: unintentional vulnerability and intentional vulnerability. This leads to internal and external zero trust.
20:18 – There’s an increase in vulnerabilities when individuals don’t understand what ‘passwordless’ means. There could be a misunderstanding around the implications of not setting something up correctly or not fully understanding something.
21:46 – With cybersecurity being a complex industry, it challenges manufacturers to meet more requirements. We’re still a long way from the entire citizen base becoming cyber aware.
Cybersecurity on the Edge & in the Cloud
23:44 – When implementing security, we also need to consider edge computing and the cloud. There are consequences to leaving devices on default settings.
25:03 – People are getting smarter around the shared responsibility model. However, there’s still a misperception around the cloud provider doing everything. Individuals have cloud modernization and migration plans, but they don’t always calculate security into that.
26:02 – When moving to the cloud, people are quick to adopt technology but don’t really consider security. The lag time between technical innovation and legislation is never going to disappear.
Proper Attribution of Data
26:30 – Looking at export-controlled information and focusing on the capabilities that we need to identify, control, and track data.
28:18 – A lot of the people that are creating this data aren’t fully aware of security and data classification. It becomes challenging when people aren’t marking it appropriately. How can you expect someone to protect something if they don’t even know exactly what they need to be protecting?
29:30 – It’s all about the attributes of your data. Furthermore, those attributes must be machine-readable and actionable. Users must be able to leverage AI and apply those identifiers.
Challenges with Mergers & Acquisitions
31:37 – Mergers and acquisitions can be a huge issue when a company brings together different security models.
32:29 – If you’re the acquirer, what do you do when the individual that you’ve acquired has more expertise and experience than you do in certain areas?
34:04 – There are two ways to look at these opportunities. First, there’s the internal opportunity to make things right. Depending on the changes that are impacting your security, an internal opportunity gives you a chance to re-evaluate what’s going on. Second, there are external opportunities. These can impact your business opportunities because it creates a sense of trust with your customers.
34:58 – If you have a cyber insurance policy and you’re acquired by someone else, the evaluation process that was done when you were your own entity is very different compared to how it is for the new one. Dave references a paper about cyber insurance from Object Management Group.
35:49 – When talking about merging frameworks and architectures, what information do we need to make accurate, timely, and compliant decisions?