To be more secure, organizations need leaders who understand cybersecurity. To get there, companies and business schools need to become more tech and cyber savvy.
You wouldn't hire a person to design your advertisements if they don't know anything about advertising. Similarly, you shouldn't hire a person onto your team if they don't have a basic understanding of cyber. TechRepublic's Dan Patterson spoke with RedSeal CEO Ray Rothrock to discuss how schools and companies can help close the cyberskills gap. Below is a transcript of the interview.
Patterson: The cybersecurity skills gap might be one of the best ways for companies to become more cybersecure. Often we look at technological solutions and those solutions work really well, but training and education of workers and of employees remains one of the most effective tactics.
For TechRepublic and ZDNet, I'm Dan Patterson and it's a pleasure today to speak with Ray Rothrock, he is the CEO at RedSeal. Ray, you have advised some companies, in fact some business schools, that they need to evolve. In what ways can business schools evolve to help teach even non-tech students to become more tech savvy and more cybersavvy?
Rothrock: Hello, good morning Dan, thanks for having me on. The evolution of business schools, and I went to one about 30 years ago: business schools teach basic strategy. Strategy includes competition, friend and foe, and what advantages you can have. They're always trying to tilt the table towards you as an owner of a business, a CEO of a business. One of the things that needs to be part of the conversation now is cyber, and what is cyber?
Cyber used to be sort of relegated to the corner of IT, a little tiny sort of ... It was the engineering problem; even the CIO didn't much care about it. Well, that's no longer the case, as we all are well aware from all the headlines and the events that we read about in the news and the continuation of this saga. If you don't get ahead of it, cyber becomes a tax on your business, and that's a bad thing. I'm talking about a money tax.
Just to spend money on these technological solutions that you suggested is only a part of the solution. The real part of the solution is to become aware of it, train your people, and then test your people. You just have to. It's like you wouldn't hire someone to be your head of marketing if they've never done marketing. You'd never hire an engineer if they didn't have an engineering degree, probably, so you really shouldn't hire anyone that doesn't have basic cyber understanding, because about 95% of all the successful infiltrations and exports of data are a result of a human being making a mistake.
It even happens in my company, we just had one last week, and it's just the way of the business. If you don't get ahead of it, you'll be taxed to death, and if you get taxed to death then you don't have cash, you don't have cash to invest in new products, and your business suffers.
Patterson: I imagine this varies business to business, and some of the basic tactics, like pen testing and just keeping an eye out for those phishing tactics, I think most people can kind of register and say, "Okay, I know what to do." When you're training people, especially experts in business school, how do you teach them more sophisticated and nuanced methods of cyberdefense?
Rothrock: Well, that's a good question. Cyber, it's not products per se. Products are part of it and people are part of it, but there's a strategy about it. The strategy is having the best products, having policies, compliance information, not just the regulatory things that the law says you have to do. Like you said, every business is a little bit different. If you're completely online then obviously you have one set of criteria; if you're completely offline you have another, but you have cyber issues.
The strategy would include, for example, my company sells a network modeling capability, so we understand your networks in the goriest detail, the deepest detail. If you, say, for example, run it every two weeks, you can get an update of your network so that if you're attacked you could then be prepared to deal with it. Technology solutions are only part of the answer; you have to have people who understand what to do if you're under attack. It has to be at a board level. It has to be probably in the audit committee, if not a separate committee. You have to have measures: are we gaining on it, are we not gaining on it?
Part of what I do, and many of the other companies, we score things; we make it possible for you to know if you're making it better. If your CIO walks in and wants $100 million to invest in cybersecurity, that's a lot of money no matter who you are. It's like, "Well, can you prove to me that you made it better?" Part of your strategy, you need to involve this kind of thinking where you have, just like anything, you invest money, you expect a return. You invest money, you expect other products; you put money in cyber, you expect better protection. That's just part of the thinking that's got to go into it.
I can imagine some great business cases that could be talked about now, but the question is, what could they have done differently, or what could they do better in the future?
Patterson: I think actually, as the answer to the question, because different hacking tactics and different defensive mechanisms will shift as technologies shift, how do you teach leaders to hire the right people who can manage the faster shifts and trends that happen in cybersecurity? Then, how do you teach those people to communicate upwards to their management so that issues of real concern or imminent danger get communicated to the right people at the right times?
Rothrock: Communication can be really hard because cyber's full of what I call gobbledygook language. First of all, I think management has to acknowledge that there's no perfect technological solution and that people will make mistakes. Once you teach that and ingrain that in the DNA of your culture, then you're much better prepared and you'll hire people who are prepared. You'll hire firemen, for example. When they show up they're not firemen to start with; they go through training processes, they learn how to put a fire out.
Do we expect buildings to catch on fire? Well, not really. I mean your home, I can see a sprinkler on the wall right back there. The building I'm in also has sprinklers, but a fire could happen, and these firemen know what to do. They have picked people who have passed aptitude tests and exams, who have an attitude of "technology's not perfect, people aren't perfect, so what do I have to do?" They know how to think about that.
I'm going to make an awkward reference. I was a nuclear engineer about 30 years ago, 35 years ago. At a nuclear power plant we had this concept called defense in depth, which may or may not be cool, but it's thinking: what could go wrong? If it went wrong, what would you do to mitigate? That's the kind of mentality that management has to have at the most senior level. You know, the Equifax test: if our database is stolen, what do we do? How do we respond to that? How do we prepare for that?
That just seems to me, actually, better today to be a CEO of any data-rich company. You have to be thinking, "It could happen, and what would I do about it?"
Patterson: Ray Rothrock, he is the CEO of RedSeal. Ray, that's great advice. I wonder if you could leave us with some advice going forward into 2018 and beyond. The cyber landscape is shifting very rapidly. How should companies in the short term communicate the needs, the particular needs, to their team, to their staff members? Then, how should they find good ways to incentivize their employees to communicate cyber needs up the chain?
Rothrock: Yeah. I would set up a recurring training program. There's plenty online, they're easy to do, they test people; you should do that. Look, 2018 and beyond, the threats are changing, and they are, and technology cannot keep up, so it's first about people, second about technology. Second thing you do is be a little skeptical. You just got to, if you see this note from the CEO that says wire money to so and so, you just got to think twice before you just say, "Okay!"
People have to have a little sensitivity to this, and unfortunately in the email age or the text age or whatever, we think it's total authority, and it's not. I think this, the communication, how do you communicate up? Well look, your employees are your best source of information, if people read and understand. They read technical things; some people read process. I've written several articles about questions you can ask.
If you have a channel by which that can go up to the CIO or some other executive so that they can hear all these choices, because no one person can come up with it all, it truly takes a village to keep it all together. At my regular weekly staff meetings, we'll come in and someone will say something nobody heard of. That threat that we read ... It's like, "Oh my gosh, who knew?"
I've got one guy in the field, that's all he does. He sits there and sniffs out all this stuff, and when something happens he immediately publishes how to beat it with our software. There are just people who do that; you need to have those people on your team. You need to find them, you need to reward them with 'atta boys and 'atta girls and whatever motivates people. It's not always money, I'll tell you; sometimes just standing up and getting a medal, literally sticking a medal on people, makes a difference.