Jake Olcott is VP of Business Development at BitSight Technologies. He previously managed a cybersecurity consulting practice at Good Harbor Security Risk Management. He also served as cybersecurity attorney to the Senate Commerce Committee and House Homeland Security Committee. He is an adjunct professor at Georgetown University. He holds degrees from the University of Texas at Austin and the University of Virginia School of Law.
Christopher Skroupa: We know that companies are going to get hit by cyber breaches. What are some of the more latent threats of cyber breaches? Is it management feeling incapable of solving the problem, and do you feel companies are not fully looking at the issue?
Jake Olcott: We focus too much on the threat actors and we talk a lot less about the value of the data. When I know the value of my data to my organization – whether it is customer data, R&D information, PII, financial records, etc. – I can go about protecting it in a sensible way. For too many years, organizations have only been focused on a very narrow sliver of data that has traditionally been the data that they’re legally obligated to protect, and that looked like health care records and credit card numbers. But when you think about reputational harm, medium to long-term business risk and business harm, you’re talking about the loss or compromise of trade secrets or intellectual property that is the lifeblood of your organization.
Skroupa: Do you feel that companies may be trying to protect everything at the expense of anything? Or do you see a need to move a process of prioritization into effect and then manage resources and how you allocate them from there?
Olcott: As a consultant, we used to always say, “Focus on material cyber risk” – those cyber risks that are so important to the organization because of the financial, legal, or reputational harm. Organizations are trying to defend everything with the same value, and of course when you’re defending everything, you’re defending nothing. Because most organizations are so highly interconnected, an incident that takes place on one side of the network that involves what you would consider unimportant data or information can sometimes easily spread to everything else. That’s why people advocate for segmentation and say, “When I identify my crown jewels I need to locate them, wall those things off, scrutinize them,and completely reduce access and privileges to that information.”
Skroupa: The interconnectivity of systems has become a big issue. Tell us why that changes the war game.
Olcott: In an interconnected world, you’re only as secure as your weakest link. Imagine your house, where you’ve kept every single item that has ever been important or valuable to you, as well as all of your cash. Once somebody breaks into the house, they can steal anything that’s in the house – unless you’ve locked off certain rooms and put double bolts on the doors so that you can keep cash in one room. When you break in there, you can basically get access to everything.