Ask our Cyber Experts: Dean Lane

What Cyber Intelligence / Cyber Security items keeps you up at night?

Any port left open can compromise the entire system.  Most STEM (Science, Technology, Engineering, Math) people do not have the “big picture,” and management knows little to nothing about cyber.  Therefore, many organizations lack any kind of a coordinated plan, let alone a long-term strategy.  And, if they tell you that they have one, just ask if it includes their suppliers, their supplier’s supplier, and the rest of the supply chain.

What are the three top changes that are vital for (org, gov, citizen) to make in the next two years to shrink their risk of attack?

Build an intellectual property hierarchy for their organization (what is important to protect). Next, they need to determine who or what firm could be a possible threat and what are their capabilities.  Put it together, and execute an overall strategy and plan that has milestones and effectiveness measurements. Execute the plan!

What specific skillset do you hire for (or recommend others hire for) to stay ahead of Cyber threats?

The skillset will depend on whether we are talking about STEM people or supervisory personnel.

• STEM: Some form of formalized training (degree) and also capability gained from project work or a job. Integrity is also a requirement.
• SUPERVISORY: Experience, Experience, Experience, and knowing how to manage people. Must have been there and done that. Integrity here as well.

Like any insurance, investment in security can be viewed as money wasted because it only pays for itself if a breach is attempted. How do you explain to your management why it is worth the investment?

Someone, somewhere needs to put together a slew of cyber disaster examples. Preferably, these examples would be by vertical, so that banks would be looking at bank examples, retail looking at retail examples, etc.  The more disastrous the examples, the better.

How do you create a culture where security is a priority not an afterthought?

Creating any culture takes time.  That said, at Symantec, there was a competition between the regions.  Each quarter, an evaluation was completed, and the leader of the winning region received a bottle of fine wine (we weren’t far from Napa).

Outside of the technical people, there needs to be a continuous awareness campaign.

What metrics should be used to determine an organization’s risk profile that all leaders should be tracking today?

Monitoring software exists and can provide many measurements (e.g., what is the strength of passwords and when were they last changed). Another metric would be when was the last backup completed and when was the last restore done – were they successful? That said, operating to a plan and measuring against that plan is the best way to track the most important items.

How important is incident response planning, and how often should an organization’s plan be updated?

Incidents come in levels of severity.  SEV-1 means the system is down or to the point where people cannot do their job(s), SEV-2 is where major functionality is severely impaired, but operations can continue in a restricted fashion, SEV-3 is impaired operations of some components, but allows the user to continue using the system, and SEV-4 are general usage questions, cosmetic changes and possible errors in the documentation.

There should be an incident drill at least twice a year, and the team should not be told it is coming, although they should be told it is a drill at the beginning of the exercise. If everyone knows it is coming, they can prepare (e.g. postpone the trip to the beach house, not buy concert tickets, etc.).