With more than 15 years of experience across all areas of security, John Pirc is a noted security intelligence and cybercrime expert having held security leadership positions at companies including NSS Labs, HP, McAfee, IBM and Cisco. His work includes cybersecurity research and development for the Central Intelligence Agency where he received multiple awards for his outstanding contribution to the mission of Information Security. In addition to his work as a noted security executive, John is also an author and speaker on such topics as cybercrime, intrusion prevention and threat forecasting.
Christopher Skroupa: You’ve worked inside high-tech security companies, the Central Intelligence Agency, and in the world’s security research and testing company. Based on your experience, how effective do you believe technology is at preventing costly cyber disruptions?
John Pirc: Cyber security technology is able to prevent what it is designed to combat. The challenge is in the ability to catch the unknown threats. Unfortunately, security vendors are still using legacy detection methods and/or creating feature bloat within their product offering that just ends up reducing the security efficacy. If I were to provide a percentage of security product effectiveness I would give it around 70% and this would apply to the very large legacy security vendors.
Skroupa: Does technology alone combat current cyber threats?
Pirc: Absolutely not! Combating the current cyber threats of today and the future will require investment in innovations focused on the human element. Large corporations spend millions of dollars on security products and services but fail to invest the resources necessary to create an agile organization of well trained and equipped talent.
Recently, I had the opportunity to work a very large and public breach. The security technology they had deployed wouldn’t have been able to detect the attack in the first place. The sad part is they actually purchased more from the same vendor thinking it would reduce their risk profile. However, they wouldn’t have been breached in the first place if they didn’t let their database servers connect via FTP to the Internet. The human element in this example could have played multiple factors in adverting the breach or at the very least discovered it a lot sooner.
Skroupa: Let’s address the importance of the human factor in both company resilience and its ability to thwart attacks. How would you describe the efficacy of non-technology assets in security?
Pirc: The efficacy of non-technology assets within security is low. The majority of the effort within security is really focused on the technology and process with little to no investment in talent and innovation. I think corporations are on full alert that either they are breached and don’t yet know or that the threat is imminent. Approaching security with this mentality will allow corporations to be resilient during an attack. However, to be effective employees need to be involved. Just look at the latest Sony breach and leaked emails. I don’t think the individuals who wrote inappropriate emails would ever imagine that they might be released to the general public.
Skroupa: You mentioned “three pillars of cyber security.” Please describe them and share how they synergize.
Pirc: The concept of the “three pillars of cyber security” isn’t new and can be summed up as basic security 101: people, process and technology. In the security industry we have seen such a focus on process and technology. Today, it’s absolutely imperative that the three pillars of cyber security need to be symbiotic to each other. However, the human element of the three pillars needs to be addressed immediately.
Skroupa: Do companies need to assess their resilience today differently than in the recent past? What’s different now?
Pirc: Yes, because the threat landscape is consistently changing and every single industry vertical that is connected to the Internet is a potential target. They need to assess the current security technologies they have deployed and understand their weaknesses and gaps. They need to clearly understand that having a solid SSP and/or following regulatory compliance to the T doesn’t mean they are impervious to attack. They need to provide training to the corporate citizen that goes above and beyond a yearly checkbox. Lastly, they need to invest more in the individuals who are running the IT infrastructure because security is everyone’s responsibility not just the security team.
If we don’t approach cyber security differently and adopt the mindset that we must remain resilient and focus equally on the three pillars of cyber security you could greatly reduce your risk and potential damage to your brand if you are breached.
Serhat Cicekoglu, Director of Loyola University Chicago Quinlan, Center for Risk Management adds: “Cybersecurity is a very dynamic terrain. It has less to do with technology and more to do with talent and innovation focused on human assets such as hackers, employees of target organizations, members of governments, cybersecurity professionals, and others. One of our core gaps is in applying traditional security capabilities to this realm and expecting them to prevent breaches when we know technology advances have given violators new power. Traditional methods no longer work. Organizations must approach cyber threats through innovation. This includes how employees can help with a different set of tools that enable them to leverage non-technology assets that, when combined, combat cyber breaches. John’s reference to the 30% gap in technology effectiveness calls for a new look at innovation and how to apply talent to this growing threat to company reputation and value.
On January 28th, 2015 , Loyola University Chicago, Quinlan School of Business, Center for Risk Management will host its second Executive Dialogue Series seminarprogram on Innovation: Building Company Resilience. Continue the discussion with John Pirc, Serhat Cicekoglu, Director of Quinlan’s Center for Risk Management, and a select group of 25-35 company executives and internationally renowned experts on innovation and technology. To inquire about attending, contact firstname.lastname@example.org.