The Prescience Challenge in Cybersecurity [PART 2] - Ep. 127
In this part 2 edition, we catch up with SC Media Editor-in-Chief Jill Aitoro for a two-part discussion on the latest hot cybersecurity news drivers, such as the continuing Microsoft Exchange hacker feeding frenzy and continuing discoveries from the SolarWinds supply chain attack. Both raise more questions than answers about how we collectively solve these security challenges.
Those questions include pathways such as legal requirements for notifications (who do you notify, and who is notified first?), security rating systems for software suppliers and businesses, and managing such a system on a global scale across organizations small and large. We also explore the role of super admins and where the line on offensive strategies against nation-state attackers should be drawn for enterprises.
In celebration of March 2021 as Women’s History Month, we discuss the path forward for enabling future female business leaders in security, and the power of mentoring and advocacy for the up-and-coming generation of diverse leaders and thinkers across the industry, to solve what is admittedly one of the most significant challenges of the modern era: cybersecurity.
Episode Table of Contents
- [00:58] All the Keys to the Castle
- [07:22] Women in IT Security Packages
- [13:37] Step One Towards Change
- [19:25] What Moves the Needle Makes a Difference
- [24:48] So Many Talented Women in the Industry
- About Our Guest
All the Keys to the Castle
Rachael: We pick up with part two of our discussion with SC Media editor in chief, Jill Aitoro. We haven't really talked about the super admin yet. You look at the Verkada, the surveillance video, and that was a big factor of it. There was a weak password or password that was readily found online somewhere. I don't know if it was the GitHub account. Should one person have all the keys to the castle? That seems pretty big.
Eric: Set that up a little bit for our listeners, that's pretty recent.
Jill: About 150,000 internet-connected cameras from Verkada, a company that is utilized across all different industries, were compromised. A hacking collective managed to get access to both the live and archived video feeds across all sorts of organizations. Tesla was in there, I believe police law enforcement agencies were in it.
Jill: It was a matter of there being multiple security issues that came out of it. They confirmed that the attackers got illegal access via a server that was used by the support team to perform bulk maintenance operations on customer cameras. It ended up going on through there because of the admin access and capabilities. That super admin provides top-level access across everything.
Jill: It’s an interesting scenario in part because of the type of information they were getting at. Normally you say others risk data exposure, personal identifiable information. They had a video where they were looking into a Tesla warehouse. This introduces physical risk. They had video where they were seeing when people opened and closed, who was there and who was not.
The Hacking Collective
Eric: The patterns.
Jill: That's where there's that merger of physical security and IT that introduces.
Eric: The cloud. It wasn't on-prem.
Rachael: The hacking collective, I think it was a person named Tilly. We wanted to identify this and for various reasons, white-hat hacker-ish, if you will. Then over the weekend, this person was raided ostensibly for prior initiatives they executed. But it also opens up the question then, what happens to these, not whistleblowers.
Rachael: These people that open the kimono a little bit to some things that we should be asking questions about. But then, I'm going to go to jail. So why do I keep doing that? It gets more and more complex here, which is fascinating.
Eric: Or even worse, my buddies are going to get on me because they can't sell offensive tools. There are a whole lot of reasons that people do what they do or don't in the space.
Jill: That brings up an interesting point that we've talked about a lot too on my editorial team. What is the role of potential offensive tactics for an enterprise? Most say oh, we can't go there. But is there a means for them to better protect their network? Maybe by pushing back against the adversary, even though it might be risky.
Eric: That gets comments, that's difficult. How do you have a florist shop go up against a nation-state? Even if you're Microsoft, what do you do? Maybe you restrict what you sell and where you sell it, your partnerships. If you're a Microsoft, obviously the florist isn't going to have any impact whatsoever.
Where Diplomacy Comes Into Play
Eric: I think that's where diplomacy comes into play. That needs to be the role of the national governments of countries. I personally wouldn't argue that organizations should have the ability to hack back if you will. Some people would.
Jill: It goes back and forth, but it's risky.
Eric: It would feel so good to get even. It's not going to happen though.
Rachael: They're so aggressive right now. They just rapid-fire at you and try to cast this huge net and see what they can get. Then they start going after the high-value targets. Why can I get a little bit ahead of that? I mean, we talk to the next five years, we could be ahead of this thing. Maybe that's part of that strategy. I'm from Texas, we like to get ahead of things like that, but what can I say?
Eric: Even Texas should not go up against a nation-state. That's my professional and personal opinion on the record. Don't mess with Texas, but sometimes they need a little help.
Rachael: Speaking of help, I’d love to segue into the diversity, women, and technology. If we’re going to crack the proverbial security challenge knot, we need a lot of great minds. A lot of different points of view getting there, I want your perspective on what's happening there. What's going to happen in the next five years, what we're going to see.
Jill: We just passed International Women's Day. We’re in Women's History Month, so we can start there. Progress is being made. I had an interesting conversation with a couple of women in our field recently, and we're getting there.
Women in IT Security Packages
Jill: There's still a lot of work to do. We put out at the end of last year, women in IT security packages, and kind of honored certain women. But we also just focused on the challenges. A lot of it has to do with women not necessarily being provided the same opportunities in those technical roles.
Jill: We're actually seeing them emerge where there's the need for those softer skills and so forth. But, it's taking time for them to get into the more technical side of cybersecurity opportunities. I did an editorial when I was at Defense News that looked at this for the aerospace industry.
Jill: It's really great when we see women at the top, when we see them in a CISO position or a CEO position. Where it's really consequential is when there's really the feeder opportunities going up in organization. That's where we really need to work.
Jill: Enable women to work their way up in an organization in the same way that men do. When they reach a certain level, we have a nice diverse playing field going for these opportunities of leadership. The presence on boards is a similar scenario that also factors into these sorts of situations. There's progress, but we have ways to go to pull women in.
Eric: I'm interested in how the two of you feel when you see women on the board or a woman CEO. What changes inside? How does that make you feel? Why is that important?
Jill: It's encouraging because you feel like there's progress. It sometimes can be discouraging though, because it's celebrated in a way where it's like wow, look. I refer to my past experience in defense and aerospace.
The Number One Company Is Led by a Woman
Jill: We used to put out the top 100 companies of the biggest companies in that space. People were saying, "Look, the number one company is led by a woman." At that point, it was Lockheed Martin and the CEO was a woman. But I was like, look at all 100, I think there's four.
Eric: Look at the other 96.
Jill: Has a tendency to say, "Wow look at the success. We've done it." That is all that concerns me.
Eric: If we get to the moon, we don't need to go back for another 60 years or so.
Jill: That's what I meant about having that feeder pool. It's wonderful to see the really high-profile success stories, which are usually at the very top rung. But for there to be systematic change, it needs to go beyond just that top rung. Someone had said to me recently in that recent conversation,
Jill: Women seem to get to the top by staying with a single organization for decades. Getting promoted and working their way up. Whereas men often get locked and placed at the top. You don't see that as often with women, at least you haven't. It's starting to improve a little bit.
Jill: But it's almost like this need to prove yourself. Prove that you have a right to be there a little bit more than men perhaps have to do. So I am definitely always encouraged, but I always follow it up with we're not done yet scenario.
Rachael: A hundred percent. Especially when you look at the population breakdown, there are more women than men in the population.
Eric: That's like 51/49.
Rachael: Why don't we see more of that at the top of corporations? You read on the smaller company side or entrepreneurs like these women-led entrepreneurs. They tend to actually perform better from a revenue perspective and longevity, which is also a fascinating thing.
Rachael: When you start looking at all of these value propositions of why it makes sense. Why aren't we doing more of this? I don't understand why it's not accelerating further, but I mean it's great to see progress. But it shouldn't be like oh, cool. We got one more in the club. It shouldn't be a novelty at all.
Eric: Do we ever get to the point where we don't see gender in business?
Rachael: I would love that.
Eric: I think many of us would, but do we ever get there?
Jill: I'd like to think we would. If you think about technology specifically, as discouraging as it may seem. It hasn't been that long that we've been talking about it. Really in the grand scheme of things, it feels like it's been a long time.
Jill: But these sorts of changes, not only women, I should say the same for minorities and across the board. It's gradual progress. I do think we'll get there. The MeToo movement among other areas is specific that national conversations really play a part.
Jill: There's a little bit right now of a tendency for companies to say, "Gosh! We will look bad if we don't work harder at this." As much as you don't want them to be inspired to make this sort of change because of publicity. Whatever works as far as I'm concerned.
Eric: It's almost a form of affirmative action in some way to change a wrong.
Step One Towards Change
Jill: There are certain companies that are getting a little shamed if they don't have some degree of acceptable diversity. They may be able to use a little bit more of it. But, it's not quite as acceptable as it used to be. That's step one towards change.
Jill: Because then, there's a little bit of a pressure point for companies to really bring that in. They're hearing about it from their boards, investors. Something that's worth noting too. We did a really interesting feature as part of that women in IT security package that looked at women as investors.
Jill: They are dramatically under-represented in the investor community. Unfortunately, people tend to invest with what they're familiar with. In people that they're familiar with and have things in common with. It is a perpetual systematic problem. If you don't have women within these venture capitalist groups that are funneling money into companies.
Jill: It’s a bunch of men. They're going to probably invest in more men. We need to across the board, get a better representation of all minority groups within these influencer bubbles. There's the investor community, there's the board community, and then of course there's the executive level.
Eric: The boards and executives, are they doing it because of the look? Or do they really realize like hey, there's a whole population out here? We need the best, most diverse population we can have, working for this organization for shareholder success.
Jill: I think many of them are doing it because they will look bad if they don't. The positive spin on that is the realization that there's a lot of women that are very skilled, very capable. They’ve been completely missing the boat by not acknowledging that fact, enabling these women from the get-go.
Diversity of Thought
Eric: So we'll still get the end result.
Rachael: A hundred percent. However we need to start getting there, that's half the battle. Let's get the ball rolling. Once we start seeing all of these great value proposition metrics and the consistency of those. The light bulb goes off oh, snap. We are actually onto something.
Rachael: We need to start tapping into this very quickly for our benefit. After all, if you're publicly traded, you want to squeeze out that extra dollar for your shareholders. If you start seeing that come about, you're going to invest more in that. I'm excited for that time and I hope it's in the next five years or 10.
Eric: I want to take it back to cybersecurity, we definitely need the help. We need diversity of thought. I have seen tremendous gains from artists. From people who have no cybersecurity background really, that came into the business. Mathematicians and you can argue he had a cryptologist.
Eric: People who have a very diverse background, gender, and race diversity is a similar type of diversity that makes us better. I do believe one we'll fill the ranks with people because we're so far behind on talent acquisition. But that diversity will give us better thought too. Jill, I hope you're writing an article a decade from now that doesn't even touch on this.
Jill: Yes. Exactly.
Eric: Just wow, we have done X, Y, and Z because we thought differently. Breaking down those biases.
Jill: And to your point, are they doing it because they recognize the need? What I hear from women over and over is mentoring doesn't really work but advocacy does.
Eric: Just to make sure we're clear for all of our listeners, what do you mean?
You Need a Mentor
Jill: If you look at historically, as a woman, I was told you need a mentor. You need someone to guide you through your career.
Eric: Everybody should have mentors, more than one.
Jill: There's a benefit to that.
Jill: What I'm hearing more recently and I could understand is mentors are great, but you need an advocate. You need someone with a certain degree of seniority in an organization that’s going to advocate for you. Say, not only here's what you should do as a female person, but also Hey, executive board! This person is amazing and they should be considered for that thing.
Eric: They're ready. Let's look at them for this position.
Jill: Get them training.
Eric: If you're a young woman entering the technology workforce today, what I'm hearing you say guidance-wise is, Hey, you need to go out there and get a sponsor, an advocate.
Eric: You need to get someone that you can work for. Someone who’s going to tell you the things that you need to hear, whether you like it or not. But they're also going to advocate for you. They're going to look out for you both where you are now in your career, but hopefully in the future. Seek that type of person out.
Jill: It doesn't have to be another woman, it could be a man. In this situation, because it's a little off-kilter in terms of the numbers. As long as we can get men and men to be willing to stand up and truly advocate for talented women. This is the scenario where they need to make sure their name is mentioned.
What Moves the Needle Makes a Difference
Jill: They need to make sure they get recognition internally for jobs well done. That’s really what many people are saying, what will move the needle makes a difference. Because that's what leads to people rising up and finding new opportunities. It's all about advocacy and networking.
Jill: There's not as many women in these organizations, the natural advocates are not there as prevalent. This needs to be someone you look for, you talk to them, actually ask. I'm looking for someone to mentor me, but I need someone else to be my advocate. Assuming I proved myself worthy of that. That really will make a big difference.
Eric: To those mentors and advocates out there, have an open dialogue early and often with women that you're mentoring or you're advocating for, where do you want to go? How soon do you want to get there? What do you want to do, what are you passionate about? How can I help you?
Jill: What do you need to get that done? It's advocating for opportunities, but it's advocating training. Is there a gap in terms of the skill sets that you weren't able to get moving up? One that you really think would make a big difference? How can I help you get that? Can I convince a company to pay for the training you need?
Jill: You will be a more skilled asset within our organization. Can I put you in touch with SANS or some other institutes? I can offer the training that you need and introduce you to the people that can get you there. That will be consequential for women, young women across the board that is trying to make it into an organization.
It Always Comes Full Circle
Rachael: Cyber is such a small industry and you think of all the people that you helped come up along the way. Hey, at some point you may be knocking on their door when they're in that executive position. Saying, "Hey, could you need my skill set too?" It always comes full circle as well. When you give, it comes back too.
Eric: As a leader in a business, your role, your primary function is to find the best possible people. The most qualified candidates, put them in the role and put them in a position to succeed. Gender, race, belief, take it off the table for a second.
Eric: That doesn't happen in most cases. But your primary role is to put good people in a position and enable them. You don't need to think about how it may help you in the future. That's your job right now.
Rachael: When you think about it holistically, obviously you don't go into it for payback at all. But again it's a small industry. Why can't we help each other? It's like threat intelligence sharing.
Eric: No, we should. Fair enough.
Rachael: In the end, we all win at the end of the day. So why not? There's nothing to lose.
Jill: That does continue to the point that what will get you to the point where that pool of talented people is diverse. People having advocates when they're first entering and by creating again that feeder pool.
Jill: Where they are coming in and they have advocates and they're getting the skills they need. That suddenly they're filtering up the ranks. When you have an opening for a very high-level security individual, you happen to have five qualified people.
What We Can Win On
Jill: A couple of them may be women, one may be a minority. You get to choose whoever is most skilled for that opportunity because they were brought up. That's the goal. That's where we want to get.
Eric: The cybersecurity InfoSec stuff, we can't win there it seems. But on this one, this is a topic we can win on. We can all be better at this.
Jill: I love it. Actually, we are right now doing our SC Awards. It will be announced in the first week of May, and we already closed judging. I'm looking and seeing, we do have women in IT security where we recognize women only. This is for everyone.
Jill: I'm looking to see okay, just out of curiosity, do we have women as entrants? First of all, did we get enough women that submitted either themselves or their colleagues submitted for them? On top of it, did they rise to the top?
Jill: We don't want the judges necessarily to pick based on status, so that's been interesting to look at. When we don't need to have women in IT security as a separate package. There are just as many women being recognized as men in our other programs, that'll be a sign.
Jill: I want to statistically track how we're doing in terms of the number of women that are getting up there. But it's important and like the final thought on that again. At my prior role with Defense News, we had a conference and we got dinged for it. This is the editorial that I wrote.
So Many Talented Women in the Industry
Jill: We got dinged because at our conference, we had all day conference panels, keynotes. We had two women that were speaking, both were from the industry if I remember correctly. A women's group in the aerospace community came out and criticized us for it.
Jill: They said, "What is this? There's so many talented women in this industry. Why are they not up there?" I acknowledged we should have tried harder. At the same time, just like cyber security, people come to these events looking to hear from the top rung.
Jill: Looking to hear from the decision-makers. We're in a situation that all of those decision-makers were men. We'd request a woman and they turn around and give us the men. This person is more qualified to speak. So it is hard to change the dialogue. And I think that's on everyone.
Jill: As we put out events, it's on us. We make a big effort in our own events at SC Media and across. To say, "Okay. This person would be great. Here's a woman that would be fantastic. I want her to come and speak." Right now, we do need to make sure we give it thought. That there's an acknowledgment in our brains that this has to be top of mind.
Eric: We're living in a time where we've had women leaders of nations. We have a woman vice president in the United States, women senators, Congresswomen. There are a lot of qualified people out there.
Jill: All the markets have to get there, all the industries need to finally get there. We're getting closer. I would say that.
We Need to Shore up Security
Eric: We're making progress. I'd love to end this with a quote from your article on Sunburst. It was a December 22nd or so article, you talk about the power that comes from humility. Similar to 9-11. We need to shore up security, but to improve collaboration.
Eric: The line I love that you ended it with was, “Yes America, we've been humbled.” You're talking about SolarWinds. To apply probably to the latter part of the discussion, we just had on women in the workforce in cybersecurity. But you ended with. “What matters most, however, is what we do now.” What a great ending.
Jill: Thank you. I appreciate that. I was proud of that one. It was an important topic.
Eric: It does matter what we do now. That's what matters.
Jill: We should talk in six months or maybe sooner and say, what did we do?
Eric: Do you want to do six months? I think we may need six years. Hack your interview with Kevin. You needed eight years and we still haven't made progress. Let's be optimistic though. We have an opportunity to excel. The question is, will we? Will we take that challenge up?
Rachael: Thank you so much for joining us. Another great episode of, To The Point, we'll see you next week. Until then be sure to subscribe so you can get a fresh episode delivered right to your inbox every week on Tuesday.
About Our Guest
Editor in Chief Jill Aitoro has 20 years of experience editing and reporting on technology, business, and policy. She also serves as editorial director at SC Media’s parent company, CyberRisk Alliance. She’s interviewed executives from Fortune 500 companies and government officials from around the globe. Jill is a regular speaker at conferences and on network and cable news outlets.
Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group, guiding and developing the editorial strategy for Defense News, Federal Times, C4ISRNET, and the cyber brand Fifth Domain. She previously worked at Washington Business Journal and Nextgov.
Jill covered federal technology, contracting, and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News. She received multiple award honors for her reporting, editorial writing, and multimedia editorial projects. Jill holds a master’s degree and bachelor’s degree in journalism, from the University of North Carolina at Chapel Hill and Ohio University. She lives with her family in Northern Virginia.