Discussing Organizational Cybersecurity with Dan Lohrmann 


The landscape of cyber threats is evolving with each passing minute. Businesses and individuals that rely on digital systems and networks face increasingly sophisticated attacks, and the emerging challenges of cyber security have reached a critical juncture that demands the attention of organizations, governments and individuals.

As the digital ecosystem expands, so does the attack surface. The rise of 5G networks, cloud computing and artificial intelligence brings new opportunities for malicious actors to exploit loopholes and leftover vulnerabilities.

Today we talk to Dan Lohrmann about emerging trends in cyber security and the leadership role a cyber security professional has. Dan Lohrmann is a cybersecurity expert and author. He is the founder and CEO of CyberSeek and the author of the book “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions.”

Lohrmann speaks about cyber security at conferences and in blogs and publications. He is passionate about round-the-clock training and development on cyber security and its role in the digital world.

Q1: Hi Dan, we would first like to ask what pushed you towards a career in cyber security? Was it something you always wanted to do, or did you come across an event that made it your passion?

Dan: My oldest brother Steve was a very successful computer salesman, and he convinced me that technology was going to be the future – back in the early 80s. I majored in computer science at Valparaiso University, and my first job after college was at the National Security Agency (NSA).

I was very blessed to learn cutting-edge technology through the eyes of an agency where security was their middle name – literally. My first government roles were in interoperability between different networks and protocols, but everything we did was also about security and ensuring cutting-edge technology was implemented in secure ways. The culture and training at NSA set the stage for my career and passion in the cybersecurity industry.

As my career progressed, I learned more about many different technology roles and leadership through the eyes of an agency CIO in Michigan State Government. But when terrorism hit on September 11, 2001, the USA’s focus, both offline and online, changed. I was perfectly positioned to become the State of Michigan’s first Chief Information Security Officer (CISO) – and the first enterprise-wide CISO for all 50 state governments.

I loved that role and building teams to do much more than I could do alone. That passion has only grown in the past 20 years.

Q2: Your book is about the leadership role in cyber space management, so what do you think is the most critical asset that needs protection? Is it technology, manpower or something else?

Dan: It is hard to pick just one, but people always come first. Processes and technology support people. Protecting critical data, privacy regulations, bank policy compliance or ensuring government regulations are followed are just the implementation details to enable people to live better lives.

Nevertheless, cyberthreats against critical infrastructure, such as the electric grid, are very serious and growing in priority. Obviously, if we lose power for an extended period, or healthcare at a hospital is disabled via a ransomware attack, that also impacts people in serious ways.

Q3: In your opinion, how often are security assessments and penetration tests conducted in organizations? Are they really doing so, or is it just in the books?

Dan: It really varies by industry and organization. I like to say that we always will have leaders, followers and laggards.

Leading organizations are constantly running pen tests, and they have both informal and formal processes that basically make these a continuous process. They also use processes like bug bounties and hackathons to encourage constant assessments.

Many others are doing much less – from semi-annual or annual assessments to (as you mention) checking the box with a few random pen tests when the auditors are coming.

This also varies by size of organization, industry compliance regulations and overall peer expectations – with banks and financial institutions leading in most circumstances. Smaller companies, non-profits and local governments are often behind in these areas – or perform assessments in ad hoc ways. Nevertheless, there are some local governments that are true leaders in this space, and many US local governments are doing more assessments now – given new federal grant dollars.

Q4: What is the first thing one must do as an incident response manager in case of a cyber attack?

Dan: It depends. (I know, a good lawyer answer, but it does vary based on your prior preparation, as I highlight in my book Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions.) How you found out about the attack, the scope and type of cyberattack, escalation procedures, and severity determinations all come into play.

Hopefully, you have a tested incident response plan, and you activate and execute that plan. In this case, if it is an impactful incident that affects operations, you will have a lot of communication ongoing between the cybersecurity team, legal counsel, C-suite executives, cyber insurance company, law enforcement, finance, business partners, clients and more.

Early in an incident, time is of the essence. You will have different people doing different things, but someone will be leading the technology / cybersecurity efforts, including detecting the attack, assessing the impact, isolating impacted devices / systems, and even communicating with the bad actors in the case of ransomware.

I would be remiss if I did not mention the importance of having immutable (unchangeable) backups that are available quickly in the event of a ransomware attack. Your ability to recover will be directly impacted by how well you practice with tabletop exercises and also your ability to be resilient and restore system operations quickly.

Q5: Do we have cyber security awareness programs that actually work? Is there any reinforcement once the program has been introduced to employees?

Dan: With many companies, I would say yes – security awareness programs can work if done well. But again, organizations are all over the map. I have written extensively on this topic, and here is one excellent article to dive deeper.

Build a cyber security awareness program that is brief, frequent and focused on real security issues that matter. As I have written many times, general-purpose videos or “Death-by-PowerPoint” slides that are repeated over and over and only “check the compliance box” are a waste of time.

In addition, awareness programs should not focus on punishing employees who make mistakes. In a healthy security culture, all front-line staff are proactively well trained on information and physical security, know what to do (and not do), where to report incidents, when to ask for help, who to contact and how to work together effectively. Staff have a good relationship with the security team — because the cyberpros are helpful. There is not an “us vs. them” problem.

Offer meaningful security content, customized to the business, that is constantly updated in positive ways to meet (and enhance) the security culture. Understanding risk (by all staff) in various scenarios is an important component of this security relationship. The security awareness training can be a positive bridge to start meaningful conversations to enhance business projects, integrate streamlined processes and apply appropriate technology.

Q6: What are the emerging technologies that you think will be a breakthrough in cyber security?

Dan:

As I mention in articles on this topic, the bad actors are (and will be) using AI against us as well, so those who do use these next-generation tools will be even more at risk.

I also think quantum encryption, and related technologies, will be in the headlines in the decade ahead.

Q7: Do you think cyber security can be taught to students in a university curriculum as a productive subject? Because they might not be exposed to real threats, and the subject could be boring too.

Dan: It must be. The importance of this topic cannot be overstated. Whether you are training to become a doctor, lawyer, banker or something else, cybersecurity will be a big part of your life for decades to come.

But it must be done in more interesting, relevant ways – by audience. (See my answer to question #5.)

Q8: What is the average budget organizations have for cyber security and is it sufficient to address the risk profile?

Dan: Another lawyer answer – it depends. In some industries, such as banking, they are spending 15% or more of their IT budgets on cybersecurity. (Note: It also depends on what you include under the cybersecurity label.)

In other industries, the budget is 1-2% of their IT spend. Again, as in other areas, there are leaders, followers and laggards. My recommendation is to benchmark your organization against the peers that you respect or compete against to see the numbers in your industry – as well as best practices globally.

Q9: What are the most reliable data encryption and protection methods according to you, when it comes to securing sensitive information?

Dan: There are entire books on this topic, but it starts with ensuring that your data is being encrypted both at rest and in transit. The level of encryption will depend on the

There are debates over whether 128-bit encryption is enough – based on different data sets.

Nevertheless, companies should be migrating their network architecture to quantum-resistant cryptography and methods.

Q10: What are the traits a leader must have when it comes to crisis management, especially when they hear that ‘you have been hacked?’

Dan: The top trait that most organizations are looking for is experience. Experience in successfully navigating real-life emergencies – and knowing when an incident is just a routine operational action versus when escalation is needed. Experience practicing tabletop and full-scale exercises as a leader whom others on your team like to follow. Experience shown in relationships that cut across the various internal and external teams mentioned in question 4.

While leaders need to be smart, technically competent, good communicators, understand the business, know their team’s skillsets and weaknesses, know the cyberthreats and more, the other major trait I look for is trust. Do the staff, peers, organization’s management, board, vendor partners, clients, and others who will be working with the leader trust him or her?

You are seeking a trusted advisor. That takes time to develop, and the worst situation is when people are meeting for the first time during a major incident where they have been hacked.

A good book to read on this trust topic is “The Speed of Trust” by Stephen M. R. Covey.

Author: Anas Hasan

Date: August 30, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches the football games.
