Ask the Expert: Brian Lane

1. What Cyber Intelligence / Cyber Security items keep you up at night?

Probably vulnerabilities to US critical infrastructure. Water, Power, Gas, and transportation (land, rail, and sea) are prime targets to cause disruption to the US economy. In addition, secondary effects include civil unrest, famine, agricultural failures, and a multitude of other issues for both government and private sectors.

2. What are the three top changes that are vital for (org, gov, citizen) to make in the next two years to shrink their risk of attack?

Top three in no order would be to harden critical infrastructure, create analog (or isolated digital) redundancies, and a much more aggressive preemptive capability to respond to potential or imminent attack.

3. What specific skillset do you hire for (or recommend others hire for) to stay ahead of Cyber threats?

It depends on the position, but I would submit that subject matter expertise is far more valuable to specific problem sets. Many organizations tend to hire generalists or folks without specific cyber skills (i.e. Analysts, Intelligence Officers, etc.) with the intent to create subject matter experts from the ground up. In my experience, it is easier to train a cyber expert to do analysis than it is to train an analyst to become a cyber expert. While this seems like common sense, many government organizations would prefer to hire 3 unskilled folks as opposed to hiring one expert. The realization that this strategy is grossly inefficient is quickly becoming apparent in government. The private sector tends to operate more this way.

4. Like any insurance, investment in security can be viewed as money wasted because it only pays for itself if a breach is attempted. How do you explain to your management why it is worth the investment?

It depends on the sector. In some shipping companies, management believes that resilience of infrastructure and low visibility will make them unattractive cyber targets.

I tend to point out that the cost of recovering from an attack is staggeringly high. Not just in terms of restoring systems/replacing hardware, but in the court of public opinion. Customers tend to shy away from doing business with entities where their confidential data is at risk. The cost of halting operations for an undetermined amount of time is also substantial. Think of the financial impact of the recent Maersk Lines attack.

5. How do you create a culture where security is a priority not an afterthought?

Creating a culture where security is a priority is the sole responsibility of management. When good cyber hygiene is emphasized and continually addressed by leadership, it flows down into the workforce. In addition, demonstrating a commitment to security through regular training, drills, and investment in tools is essential.

Building robust security procedures and adhering to them is also a demonstrable activity that employees and customers can see and feel.    

6. What metrics should be used to determine an organization’s risk profile that all leaders should be tracking today?

Any risk metrics should be informed by up-to-date assessments of threat actors, tactics, techniques, procedures, current events, and a multitude of other factors. If possible, these assessments should be completed by trained individuals with appropriate subject matter expertise (not just in threats, but in threats and the sector the organization operates in).

While it may be cost-prohibitive to constantly evaluate these metrics and assessments, an annual or semi-annual update is imperative to keep management current, and allow employees to monitor and respond to potential threats.

7. How important is incident response planning and how often should an organization’s plan be updated?

Incident response is essential for responding to an incident. This creates a consistent and measured response to predictable events. When incidents occur that fall outside pre-planned responses, a generic model allows for some level of response until the details of the incident are fully understood.

These plans should be updated regularly to include evolving and emerging threats, with a comprehensive review at a set interval.

Brian Lane is recognized across the U.S. Intelligence Community for extensive finished intelligence production as a Subject Matter Expert on Maritime issues. As a founding member of the ONI Civil Maritime Analysis Team, he personally shaped the team’s focus areas, production schedule, and analytical methodologies which are still in use today. He has extensive experience briefing senior policy-makers in both the Executive and Legislative branches of the government and has worked extensively with other IC agencies as a task force member on multiple occasions. His education includes a B.S. in Marine Transportation/Global Logistics from the California Maritime Academy, and an M.S. in terrorism/counterterrorism studies from Henley-Putnam University.