Greg is a former Department of Homeland Security adviser on cyber security issues in the Obama Administration. He focused on cyber security, counter-terrorism, and community resilience communications.
What’s your take on the WannaCry virus?
It’s one of the worst cyber attacks we have ever seen. Thankfully, it has had much less of an impact in the US. It’s a ransomware attack. Ironically the people who have launched it haven’t made much money, but they have had a massive impact on holding and shutting down information from hospitals and millions of companies and organizations around the world.
This unfortunately won’t be the last. We’re seeing breaches in tech firms, manufacturing, government and banking.
Is it a systems/technology failure or a human failure?
It’s both, because you can’t separate the human factor from the systems factor. It has to do with organizations not budgeting for upgrades, management not getting upgrades done in a timely fashion, and users and IT people not knowing what suspicious spear-phishing emails look like and how to keep people from clicking on them.
After a cyber threat or attack, organizations often change the CISO – Chief Information Security Officer. Why?
More often than not the CISO lost their position not for technical reasons but for not having the right people and communications skills to translate what they know and implement it throughout their enterprise.
What’s the Rx for the CISO?
We need to realize that cyber security is a people problem with a technology component, and not the other way around. We need more people with the ability to take the best practices and translate them for “end users.” Don’t treat end users as the enemy; use them as a potential force to keep your organization safe and secure. It’s not enough to give employees on-line training once a year and treat it like a “check the box” measure. Cyber security is a shared responsibility and all employees need to be engaged.
How should an enterprise tackle the human factors?
In my experience in government and now advising the private sector and non-profits, the disconnect comes from the IT and technology departments and the internal communications and HR teams. Those groups don’t always “get” each other. They need to learn to speak each other’s language, work together and build a culture of security that permeates an organization. You can’t hand it down from the top.