Q&A: Time For “A Technological and Cultural Shift” In Cybersecurity

The “new normal” of remote working has introduced a new focus on cybersecurity awareness and employee behavior, says Thomas Parenty, co-founder of cybersecurity consultants Archefact Group. 

Of course, cybersecurity awareness training, security responsibility and management buy-in were important before the COVID-19 pandemic, says Parenty, who has worked with the National Security Administration and the Clinton White House on cybersecurity issues. But as the past year has shown, changes in the way businesses operate have left them vulnerable to new cybersecurity risks. 

Mimecast spoke to Parenty — who, with Archefact co-founder Jack Domet, co-authored A Leader’s Guide to Cybersecurity: Why Boards Need to Lead — and How to Do It[1] — about the human factor in security, how corporate leaders face increased responsibility for cybersecurity and how they can encourage best practices across their organizations. 

Mimecast: How prepared were organizations around the world to secure remote work during the COVID-19 pandemic?

Thomas Parenty: This was an interesting wake-up call, if you will, on two fronts. One was the dependence that organizations have on the security features of the products they use, and then also the challenges internally to be able to change the way in which they are using computer systems to support a new way of conducting business.

Security vulnerabilities in commercial software is a constant. But if you put that to the side, the major factor that introduces cyber risk is using technology in newer, different ways as a result of changing the way you do business. Going forward, having had this experience of this radical change in business function to remote, [you] should keep in mind that whenever you’re going to change the way in which you conduct business, you need to then look at how the technological implications of that are going to introduce new risks.

Mimecast: Is there a new threshold to prepare against cyberattacks? Does more responsibility now fall to the individual user?

Parenty: The pandemic and the risks associated with remote working have raised awareness, but they haven’t fundamentally changed what it is that we need to do now. What companies need to do is move from generic cybersecurity awareness, whether it’s “choose a strong password” or “don’t click on the link.” They need to look more closely at what individual actions a user could take that could either make an attack more likely or less likely. That depends very, very much on the specific activities they’re involved in and the environment they’re involved in.

One example is that if, as a result of somebody’s working circumstances, they happen to be using public Wi-Fi. Well, that clearly indicates that they need to use a VPN to eliminate the likelihood that their traffic would be intercepted. If you happen to be working at home, you should be trained or know to not let your child play on your work computer or install games because that itself would be a vulnerability. When thinking about how to have meaningful training for individuals, it has to be tied specifically to the actions they’re doing as part of their work.

Mimecast: In your book, A Leader’s Guide to Cybersecurity, you stress that many non-tech dynamics, such as the way frontline employees get work done, factor into cyber defenses. Does leaving oversight to the techies yield only a partial view of what users are doing in your system and the potential risks?

Parenty: It’s important to think about what motivates people and what their incentives are in order to have an understanding of their actions that may be security-relevant. Let’s look at two common motivations: Generally speaking, people want to do their job, and, two, they want to avoid stress at work. In the book, I give an example of an automobile company where, in order to get their job done, a group needed to create a fake employee account for business partners so they could access the systems and they could work together. Their priority was much higher to get their work done than to preserve the security of the company.

That is a message for cybersecurity people: Unless you understand how people work, you are going to create controls that will do one of two things: prevent work from being done or not actually protect the company.

In another real-world example, I look at an individual cybersecurity staff person’s perspective. Making sure that the firewall is properly configured and will protect against outside attacks runs the risk of preventing legitimate applications from being able to work. If that happened, there would be somebody standing in front of their desk yelling at them to fix it immediately. And so from a natural human perspective [they think], “OK, I’ll make the firewall less secure so that I have less stress at work."

These are examples of factors where you could have the best technology, but it’s of no particular use unless you take into account human nature and the incentives of individuals.

IT [staff], due to the nature of their work, are focusing on computers and networks and technical devices. There are certainly risks associated with those, but it is only when you look outside of the IT department and you look at the organization, the company overall, that you really get an idea of the substantive risks to the company. It’s absolutely critical to have business leaders who are identifying the risks that matter most to the company, so that you can then bring in the cybersecurity and IT people to say, “Well, these are the ways in which those risks to the business could materialize as a result of a cyberattack. Now we need to know what we need to focus on from a technical perspective."

Mimecast: Are we seeing more awareness among business line leaders that cybersecurity needs to be part of their responsibilities?

Parenty: Depending on the CEO, depending on the industry, the reluctance or willingness to assume this new cybersecurity responsibility clearly varies. But pretty much everyone knows that they are responsible. We are not yet at the point of liability, as is the case with financial reporting and Sarbanes-Oxley. And given that cybersecurity is a much broader area with many external dependencies, I don’t think that we should have the same kind of liability as for financial reporting. But both CEOs and boards of directors do clearly recognize that even if they are not legally obligated, they are certainly on the hook should there be a major breach of their companies. Those are all things that CEOs are definitely aware of and are increasingly trying to figure out their role in terms of making sure their companies are adequately protected.

Mimecast: How can executives make cybersecurity a priority while at the same time being pulled in so many other directions?

Parenty: From a CEO perspective, there are a small set of things they need to do. First and foremost is to make sure the company organizationally is set up to be able to manage cybersecurity and has a sufficiently staffed and resourced cybersecurity organization. Another element is making sure that the organization is situated within the company so it can actually be effective. For example, you don’t want to have a cybersecurity organization that is buried so deeply within the [greater] organization that nobody listens to them.

What [the cybersecurity organization] needs to do on a continuing basis is ensure the rest of the company understands that cybersecurity is a priority and that the CEO requires being up to date on the status. One simple step is making sure that there is regular reporting on cybersecurity to the CEO and to the executive leadership team.

I was talking to the CEO of a very large European transportation company a couple of weeks ago. When they brought in a new CISO, one of the things they noticed is many of the senior executives refused to meet with the CISO, delegated it to somebody else or shortened the meeting. The CEO went to each of those executives and said, “You’re taking the meeting and you’re taking it for the entire time.” That sent a message that, yes, this is actually important and not something you can simply ignore.

Mimecast: Some of your recommendations touch on the issue of the cyber-talent shortage. Artificial intelligence and automation is being offered as an option, but are professionals becoming too reliant on alerts and missing the big threat picture?

Parenty: Simply having technology and getting a security benefit from it are two radically different concepts. In order to be able to get real benefit from cybersecurity technology, there’s a lot of work that goes into its management and administration. I have been involved with many large corporations, with cybersecurity budgets in the hundreds of millions of dollars, that have absolutely every security product, none of which is actually being used properly. The reliance on technology is one where a lot of companies fall short because, again, it’s not enough to have the technology. The more technology you have, the more alerts you might look at. We have a situation that is a combination of Peter crying Wolf and the haystack getting larger.

While there certainly can be some benefit through more sophisticated automated analysis — AI, machine learning or simply better algorithms — you still have this problem that if you are not focused enough on what you were looking for, then you’re not going to see it. In order to be able to prioritize cybersecurity activities, you need to first start with: What are the most significant business risks to the company that could materialize as a result of the cyberattack? And then focus your technical activities on mitigating those cyberattacks on those supporting systems.

Mimecast: So much technology is now woven into daily operations, not just information but operational management. Is it time to reconsider cybersecurity’s place in business continuity and operational security?

Parenty: Shifting focus to look at the cybersecurity issues associated with critical infrastructure and operational technology is absolutely essential. The stakes are much higher than simply losing some credit card information. Not having clean drinking water, not having electricity — those have much more significant impacts than simply some personal information lost. I don’t mean to diminish the impact of certain personal information being lost, but as compared to, “We have no electricity,” it really doesn’t matter.

One of the things to keep in mind when shifting that focus is the cybersecurity priorities that we have traditionally dealt with, in which confidentiality of information is the priority, are flipped on their head in these operational and IoT environments in which the availability of systems and the integrity of information is much, much more important. You have a cultural and technological shift from the traditional treatment of cybersecurity in an office environment to now in this more operational environment. You need to make sure that the cybersecurity professionals recognize the priorities and the equities are different.

Mimecast: Is information-sharing the biggest challenge we have right now — getting organizations sharing information on attacks and how they happened so everyone can get their defenses up?

Parenty: Within an organization, you may have technical people who are quite willing to informally share information with colleagues. But when you are looking at the formal, official structures for sharing information about vulnerabilities, you run into a number of legal problems. Legal departments of many companies are not at all thrilled with the prospect of their companies sharing information about vulnerabilities because of the liability implications.  You’ve got an issue there.

You also have issues with respect to sharing information with governments. There are some industries, such as electric power in the U.S., in which there is actually very effective sharing of threat information from the government to those companies in a classified environment. That’s something that works very well, but that is not a solution that generally scales. You have issues more broadly with the sharing of information between governments and companies in that the sharing tends to go one way: the company to the government. You never hear anything back. There are, if you will, more organizational and legal impediments to the sharing of information than simply technical ones.

Mimecast: Do you see any interesting emerging trends or threats that we should be keeping an eye on?

Parenty: The thing we should be most concerned about going forward is the closer integration between the digital and physical worlds. Historically, most of the impact of cyberattacks has been essentially on bits and bytes, whether it’s money or information that was stolen. But now we’re looking at impacts that are real in the physical world and have the potential for much greater harm. That is the area cybersecurity professionals and business leaders should be paying most attention. One doesn’t need to be just in critical infrastructure because this also applies more broadly to the internet of things.

[1] A Leader's Guide to Cybersecurity: Why Boards Need to Lead—and How to Do It, by Thomas J. Parenty andJack J. Domet (Harvard Business Review Press, 2019)