Cyber security is currently dominating headlines for mostly the wrong reasons. It is a space that is undergoing significant transformation in trying to gain the upper hand on cyber criminals, and is under a constant barrage of scrutiny.
Parts of the American presidential election were dominated by the issue of cyber security and even it’s outcome may have been influenced by the very flaws exposed in global corporations.
Kirsten Bay is well positioned to discuss these topics. She leverages more than 25 years of experience in this space, leading her team with risk intelligence, information management, and policy expertise across a variety of sectors. Bay has provided counsel to the White House and the EU for many years on how to protect their infrastructure..
Throughout her career, she was also appointed to a congressional committee developing cyber policies, initiatives and recommendations for the intelligence community and believes Trump’s four-part cyber security strategy isn’t nearly comprehensive enough to solve the challenges that sophisticated and motivated cyber adversaries present.
As president and CEO of Cyber adAPT, a mobile cyber security company, she finds herself in the somewhat unusual position of being a female leader in the technology space.
As the reader will know there is a gender gap that pervades the tech industry, especially at the executive level. In the interview she discussed why this is the case and what needs to be done to help solve the problem.
What does Cyber adAPT do?
Cyber adAPT, in a nutshell, identifies when an adversary is trying to move laterally across a network. That means, either through an endpoint device – a laptop, a tablet or a phone – or from inside a network.
We use behaviour anomaly detection to determine if that is the case by watching everything in the network traffic. Then we alert the security team to let them know what the problem is, which will give them context.
So, it’s a threat-led, threat-centric approach that helps identify around the indicator of compromise and offers a remediation strategy. It provides detection, then notification and protection for endpoints.
What has been your security advice to institutions like the White House and EU?
Today really is a crazy environment. So, we’ve been discussing the really impactful things that are taking place from an attack perspective.
The primary threat comes from ransomware and the increasingly common nation sponsored hacking. But, it really all surrounds this movement towards the endpoint. I think that one of the greatest threats or vulnerabilities stems from ransomware on the mobile device.
Ransomware is a really significant trend in this industry and it is something that is impacting people more than most other threats.
>See also: The Trojan horse: 2017 cyber security trends
It certainly is an area where we have to have a lot of focus. It’s generally a phishing attack where someone has clicked on a bad link.
It’s great to say secure all the endpoints, but the reality we have to get organisations to focus on the basics of people getting used to technology.
Training in best practices is crucial. One of my big concerns is that people are shifting so rapidly to technology as a solution that they are not well equipped enough to deal with the dangers. I would really advise to put new, more up-to-date policies in place, considering how much the world has changed.
Organisations should not implement a technology until they can review all the acceptable use policies, all the policies in which they actually leverage the technology – to ensure that they catch up with how much the world of technology, for end users, has changed in the time that a lot of these policies were put in place.
It sounds very mundane, but the problem is people and businesses are trying to ‘technology their way’ out of problems, as opposed to relying on training, enforcement and the basics of blocking attacks.
This should be impacting how organisations and governments are looking at data protection and cyber security at large.
What are your thoughts on Trump’s cyber security strategy? Could more be done?
I would say at this level what he has proposed isn’t enough. The challenge is that his policies don’t vary substantially from anyone else’s.
They are fairly broad in terms of what they look like and how you can really implement a solution. Just by the government stating that these are the new ways corporations are being compromised in the cyber environment, they can use it as a leadership opportunity.
I think it is really important for them to publicly state how they are going to tackle the current issue and set the example. It really is a top-down strategy.
There’s also the investment and education element that I think really needs to have a lot of focus in this administration’s policy, but I have not seen it.
But, I haven’t seen it in other administrations either. My concern in thinking about this in the last couple of days is that the issue is slowly fading into the backdrop, because of everything else going on in the world.
I’m worried because it is having a significant impact on our economy as well as our national security, and we need to get ahead of it. I’m not seeing much from this current policy that will be effective moving forward.
Do you think the cyber security industry going through a period of transformation at the moment?
I do, and it’s a blessing and a curse. If you use the RSA conference as an example – the largest security conference in the world – where 43,000 people came. I was told at that there were 8,000 cyber security startups at that event, which is significantly different to when I started out in this industry 11 years ago.
This is a good thing. People are seeing that it is important and relevant. It has an upside potential from an investment perspective, which is something I think the government can get more involved with.
However, the fact that you have all these small companies and all the larger companies trying to keep them out of the space, means that our space is very noisy and swirly at the moment.
Trying to get people to implement certain technologies to look at new ways of doing things is a big challenge right now. The situation makes the environment hard to bring new technologies forward.
It is a combination of a lack of policy on the government side, noise on the corporate side and the lack of people with the necessary skills – the poor education side of things. So, it really is that three-legged stool.
What does the balance look like between cyber security and cybercrime?
I think the hackers are little bit ahead right now and the reason primarily is because if you look at the means by which they can get at someone, and use any particular device or network to move to a different location – there are so many endpoints. Or, so many vectors of attack and so many different opportunities for them to leverage a person, or business.
>See also: Busting the 7 myths of cyber security
People are attached to LinkedIn, Facebook, Twitter – to name a few – not to mention phishing emails, brute force attacks on firewalls, misconfiguration of firewalls, and the list goes on and on.
The number of opportunities is expanding and then you have the other elements of a lack of training and education where people are clicking on things that they shouldn’t.
This, coupled with the fact you can now buy a DDoS attack – you can get DDos-as-a-service – and you can buy government-grade route kits on the Dark Web.
The combination of those three actually makes it much easier for the adversary to just launch – what I call – a range of opportunity attacks. Some are targeted specifically, but generally they have ways to automate these attacks against huge amounts of users.
Given the current gender imbalance in the technology industry, the position you are in is somewhat of a rarity. Can you tell me how you got to where you are now and what challenges you faced in becoming CEO of Cyber adAPT?
I have been fortunate to be in an executive role for a lot of my career and so it felt very natural. But, the combination of being on the policy side and a very different background – I came from a finance and econometrics. I have a whole different view of looking at things in cyber security and that has helped me get my foothold.
But I did notice that I was kind of an anomaly. What also struck me was how competitive it is between the few women in this industry as opposed to the men, but we all have our challenges and different personalities.
I would say that the most important element of this is for women to champion younger women and women in general in this industry: to help them to move forward.
But it is a pretty mean environment out there and it’s unfortunate. I think in our industry especially it is absolutely essential for women to help women.
That’s one element and I think encouragement of science and STEM subjects at school is also important. But ultimately, having female role models and leadership is the most important in making it part of the social norm.