The Fog of War
Reflections on a conversation with cybersecurity policy expert Jane Holl Lute
Over the summer I had the opportunity to meet Jane Holl Lute. Who’s that, you say? She was the Deputy Secretary of Homeland Security from 2009 to 2013 and is now the CEO of the Council on Cybersecurity. The Council’s mission is to “accelerate the widespread availability and adoption of effective cybersecurity measures, practice, and policy.”
I more or less happened upon meeting Jane. We had a lunch event and while looking for an open table I spotted her sitting alone. My gallantry was rewarded in the form of some face time with a security visionary. At one point Jane managed over 500,000 people as Chief Operating Officer of the DHS. And there’s no question she is a person who gets things done; give her a problem and she positions solutions that work.
I told Jane that the biggest problem in the security industry, at least in my opinion, is the abundance of different companies offering products that ostensibly solve the same problems. At the RSA Conference I was shocked by the claims being made by software companies—everyone was claiming to do the same thing.
What we have today is an ambiguous threat. The cyber threat is out there, we all know it exists, executives and corporate boards are all talking about it, but nobody knows what to do exactly and nobody knows what to buy or who to even trust.
I said all this to Jane and she looked at me and said, “It’s The Fog of War.” I’m still stunned by her precision and depth of history. She nailed it. That’s exactly what’s going on here. People are scared, they have no idea what to do, and they don’t know who to trust.
In her RSA Conference keynote from earlier this year, Jane recommended 5 things you can do to prevent over 80% of attacks on your systems. All of them are based on trust between the company and employees. The fact is, according to Jane, we live in a competitive world. We need to know and demonstrate that our information is safe. And trust isn’t automatic: “Trust is a negotiation, trust sprints from reliance.”
Jane recommends that if you implement an extensive monitoring program, you call your people in. Tell them why you’re doing it and explain what kind of data is being collected and why. Her common sense is tremendous!
She says we need to focus on “cyber wellness.” Think in terms of brushing and flossing. Why do we brush and floss every day? Because the American Dental Association says if you do this you’ll reduce your risk of gum disease by 80% to 90%. This is not a law or regulation, but people do it. We need to focus on the science of prevention, to carefully test and implement tools and practices that prevent these problems.
So what can you do? What’s practical and what works? It’s not complicated, but the right tools are needed. And those tools are available. To stop more than 80% of all attacks you need to be able to answer the following questions:
- Do you know what’s connected to your network?
- Do you know what applications are running on your systems?
- Do you know who has administrative access?
- Do you receive alerts if there are anomalies?
- How can you demonstrate this to your stakeholders?
People don’t think like this today because we’re in the process of making an historic transition to the online world. In 1995 there were 16 million people online. Today there are over 3 billion. New threats to our security have evolved with this explosive growth, and organizations aren’t keeping up.
Jane says she can predict the future success of any company based on their cyber security stance. Yet the vast majority of executives believe attacks are just a nuisance. They focus on getting systems back online instead of fixing the holes in their security posture. Jane says people think in terms of, “I don’t care what’s wrong, just get our systems back online.” The “I don’t care” part is the real issue here.
There’s no going back to the pre-Internet days. Company executives know they rely on information to do their jobs. So what happens if this information is lost, or held hostage? Do executives even know where this information is stored? Does it live in the cloud, is it protected?
You need to see what’s happening in your enterprise, and you need to be able to answer the 5 questions above. When that’s done, the fog will lift.