A More Holistic Approach to Enhancing Cybersecurity, with Randy Sandone Executive Director of the Critical Infrastructure Resilience Institute (CIRI) - Ep. 67
Randall (Randy) Sandone, CCISO, Executive Director of CIRI, a Department of Homeland Security Center of Excellence, discusses how CIRI is helping improve the security and resilience of our Nation’s critical infrastructure.
Episode Table of Contents
- [01:11] Introducing the Role of CIRI in Enhancing Cybersecurity
- [07:49] The Bigger Challenge in Enhancing Cybersecurity
- [13:40] Enhancing Cybersecurity by Cyber Risk Management
- [19:42] Silo Mentality and Its Impact in Enhancing Cybersecurity
- [21:48] Enhancing Cybersecurity With Three P's: Process, People and Products
- About Our Guest
Introducing the Role of CIRI in Enhancing Cybersecurity
Carolyn: Hi, welcome back to, To the Point Cybersecurity. This is Carolyn Ford standing in for Arika Pierce this week and I'm joined by Eric Trexler. How are you doing, Eric?
Eric: I'm doing great, Carolyn. Good to have you back.
Carolyn: This week, we're joined by Randy Sandone and he is the executive director of the Critical Infrastructure Resilience Institute, or CIRI. It is the Department of Homeland Security Center of Excellence. Welcome to the show, Randy. Thanks for being here.
Randy: Thank you very much. I'm delighted for the opportunity.
Eric: Randy, tell us, what is CIRI?
Randy: CIRI is Department of Homeland Security Center of Excellence. We are funded out of the Science and Technology Directorate, specifically the Office of University programs. There's a constellation of Centers of Excellence around the country. They do academic research on behalf of DHS and its various components.
Randy: We're one of those focused on critical infrastructure resilience. We're led here by the University of Illinois at Urbana Champaign where our team resides. As a Center of Excellence, we're really an evolving confederation of world-class academic institutions and private sector companies.
Randy: We reach out to the best minds in the business that we can find to conduct our research and develop our solution. It's not just a static team. We're in our fifth year of operation and we have three primary missions here. The first is to conduct innovative outputs oriented research.
Randy: I stress outputs oriented because that differentiates us from typical academic research organizations.
How Academic Research Helps in Enhancing Cybersecurity
Randy: DHS is perfectly happy and they encourage us as academic researchers to publish our academic research in journals. We educate grad students and so forth to follow our academic mission, but only do they sent that we are delivering something meaningful. Some output that gets out and transitions to you.
Carolyn: The research that you guys do, are you looking to the future of technology? Where it's headed specifically with cybersecurity and cyber, what the coming trends are? And when you say research, define that a little bit more.
Randy: Yes. We are. But there's a sense of urgency on the part of the Department of Homeland Security because the issues are today, the threats are today, the challenges are today, but we also have to think into the future. So our research really kind of spans that spectrum.
Randy: We look at current challenges that are facing critical infrastructure and we try to extrapolate and understand. We bring our understanding of where the technology is trending and what we anticipate in the future as we develop solutions for those particular challenges. So they don't just address the issues of today, but will have some sustainability going forward.
Eric: I'm hearing you say it's more practical than theoretical.
Randy: That is absolutely correct.
Eric: Can you give us an example or two?
Randy: For instance, in a space of a cybersecurity, one of the challenges that businesses have, particularly the smaller and medium size businesses is with all of the threats and all the vulnerabilities that are out there. One, how do they identify those vulnerabilities and two, come up with a prioritized mitigation strategy. They can't address all of the problems right away.
Enhancing Cybersecurity Through Cyber Risk Scoring and Mitigation Tool
Randy: We've developed through the Old Dominion University, a product called CRISM, Cyber Risk Scoring and Mitigation tool. It scans a network of systems, identifies vulnerabilities. That in and of itself is not rocket science. But it goes a step further and it looks at those vulnerabilities and then, through its algorithms, assesses the exploitability of those particular vulnerabilities and then ranks them and delivers a prioritized risk mitigation strategy.
Randy: It does this all in an automated way, easing the burden on the part of businesses. So then they have a prioritized mitigation plan that will be optimized for their cyber risk reduction. That's just one example.
Eric: How does that differ from the network and endpoint vulnerability scanners that are out there today? The Tenables of the world and everybody else who've been doing this for a couple of decades now?
Randy: It differentiates itself in the sense of being able to, in real time, collect all of the vulnerability. But its algorithm allows the understanding of the potential attack paths that an attacker might take based on those vulnerabilities. It ranks them based on its Bayesian algorithm to then identify the potential exploitability of the various vulnerabilities.
Randy: Vulnerability in and of itself, what's important about it is a way vulnerability might lead to the ability to exploit that vulnerability but the exploitation would have very minimal impact. On the other hand, another vulnerability, might be exploited to much greater effect.
Carolyn: What would you say the biggest vulnerability or one of the biggest vulnerabilities we have with critical infrastructure?
The Bigger Challenge in Enhancing Cybersecurity
Randy: At a higher level, on a technical level, we look at critical infrastructure. The good news for us is it's a very broad aperture. The bad news for us is it's a very broad aperture and critical infrastructure is highly interdependent.
Randy: One of the bigger challenges at a macro level is in the interdependencies of the various critical infrastructure because the different infrastructure sectors tend to be siloed in the sense the electric grid is responsible for itself. The transportation guys are responsible for transportation, et cetera, et cetera.
Randy: But it's the interdependency that can and is too often gets left on the cutting room floor. Somebody has to address the interdependencies. I think just sort of cybersecurity wide and even in companies, the government across the board, I think one of our primary vulnerabilities out there is people.
Eric: So when you're working with DHS, are they guiding you in the direction that they want you to take? Are you going to them with research ideas saying, "Hey, this is an area we can spend some time in and really move the needle"? How does that all work?
Randy: It's a combination of those two. DHS will collect art out of the University of Program's Office. They will collect challenges, research challenges from the various components. Whether that's CSO or FEMA or the Coast Guard or what have you. And they might feed those challenges to the various Centers of Excellence that are dealing with that particular domain. So they will present challenges to us to address.
The Biggest Threat Being the Biggest Asset
Randy: They expect us, as academic researchers, to come to them with areas where we think we need to expend some intellectual capital and some of DHS's capital. It's a managed research portfolio that combines inputs from Department of Homeland Security and their various components. As well as inputs from academia itself and our team as we look at the results from our various research programs.
Eric: You mentioned people are the biggest threat. I think I'd agree and disagree. They're the biggest threat, they're the biggest asset. But what type of work specifically are you doing to solve that problem? How do we, as an industry, solve that problem? How do we as a community? I agree with you and I think most people would agree there's a human capital problem here as it relates to cybersecurity to a great extent.
Randy: We can devote an entire podcast to that topic alone. Eric, I'm sure you would agree. In terms of the human capital, we think it's a very, very important area of study and focus for us. For instance, we know that it's been widely reported. There's a severe shortage of what I'll say, "qualified cybersecurity professionals," and it's getting worse.
Eric: Yes, next year, it'll be over 2 million people short.
Randy: We should be discussing it and working on solutions to address that shortage. However, I think the issue raises a couple of concerns, that particular issue raises a couple of concerns for me. I think, unfortunately, far too often when people think of the term, "qualified cybersecurity professionals," they're only talking about technical cybersecurity types.
A Dangerous Mindset That Hinders Enhancing Cybersecurity
Randy: The software engineers and programmers, the systems and security administrators, the folks that work in the security operations center. That's a dangerous mindset because it tends to perpetuate the belief that cybersecurity is the sole responsibility of the techies.
Randy: What it can also do is cause some business managers and government leaders to throw up their hands in frustration believing that shortage is the root of all of their cyber security issues. If they could only hire enough technically qualified people, they'd solve all their problems.
Eric: Yes, it still doesn't work. The workforce is a problem. We've had several guests on the podcast and I think the consensus is we need to train the workforce more. But no matter what we do, we're still going to have problems. People are still going to click on phishing links.
Eric: I forget the data at this point, the statistic, but the majority of the attacks these days are, or maybe it was ransomware attacks, they're led by phishing email.
Carolyn: 90% because that brings you back to your point, Randy, that it really is the people. Because there's so many of us and if 90% of the breaches are happening by simple phishing, by social engineering basically, it's not that sophisticated.
Eric: I think the other problem that we don't address as an industry well enough is it only takes one mistake. Out of a million people, you can train 999,999 to perfection. But if one person makes a mistake, you could be doomed anyway.
Enhancing Cybersecurity by Cyber Risk Management
Randy: Yes, that's true. I think a sober assessment of the situation is we have to recognize that there really is no such thing. I think this is a healthy thing to understand. There is no such thing as, "solving our cybersecurity problems." We'll never solve our cybersecurity problems. All we can do is manage them. So we focus on cyber risk management.
Randy: What can we do? What tools can we develop and transition to market that will help companies and government agencies reduce their cyber risk to a manageable level? In the private sector, particularly, what we're trying to do is help reduce that risk to the point where the insurance industry, the cyber insurance industry, can better understand and assess the risk of these various companies so that the cyber insurance market can appropriately mature.
Randy: Right now, the insurance industry is smacking its lips at the possibility of this huge potential market in cyber insurance. The problem is it's very difficult for them to assess their underwriting risk, particularly if they try to go to each and every company that wants to be and try to assess their own homegrown, do-it-yourself cyber risk management processes and security approach. It just can't be done.
Randy: We think it's a very important problem to address because the function of insurance in the marketplace, we obviously understand we can't function in business without insurance. Its function is risk transfer. We'd like to get to a point where we employ the mechanisms and the policies and procedures and tools necessary to reduce the risk at the company.
Assessing the Risks of Enhancing Cybersecurity
Randy: So that residual risk that needs to be transferred through insurance is minimized. And the insurance industry has a solid ability to assess that risk across the potential insured, which will lower premiums and reduce the number of exclusions that they demand.
Eric: Carolyn, I personally think that is one of the biggest areas where we can move the needle. I don't know how you feel, but we can assess risk. We can hold people somewhat accountable through the financial means. There are definitely challenges. It's early on. How do you assess the risk? How do you keep things up to date? But I agree, I think that's a big area we should push on.
Carolyn: Yes, and is that part of your mission mandated by DHS, Randy, to work with these private insurance companies?
Randy: We've been doing research in the insurance space for quite some time, actually since the beginning of our center. Here's the reality, I mentioned the broad aperture of critical infrastructure. It also has to be said that the vast majority of the critical infrastructure in this country is owned and operated by the private sector.
Randy: That's clear. If we're going to have an impact, if we're going to move the needle as you say, Eric, we have to do that with the private sector. The private sector runs on business incentives, the business case. One of our goals is to help facilitate the creation of the business case. To get businesses to open their wallets, their checkbooks and to expend intellectual and financial capital on enhancing security and resilience of their enterprises.
Who Is in Charge in Enhancing Cybersecurity
Randy: You do that through business incentives and one of the strongest business incentives in the marketplace is insurance. So it was logical that we would go there and we've really developed some very keen insights. I couldn't agree with you more, Eric. It's a very important area for us, as a nation, to focus attention on.
Eric: In critical infrastructure specifically, I've been caught too many times in cases where we had DHS. We had NSA, we had the commercial organization. If it was power or generation transmission, you'd probably have Department of Energy in there. I'm not just talking breaches, but what should we do and how do we do it? And the problem is nobody's in charge.
Eric: If somebody puts an aircraft over US airspace, it's pretty clear that the Air Force is in charge of dealing with that potential risk. Cybersecurity though, if somebody attacks a power generation plant, the commercial power generation plant has a problem to deal with. But what is DHS's role? What is NSA's role? The Department of Energy's role? And what is CIRI's role potentially?
Eric: I think that delineation isn't there. I do believe that private insurance will bring everybody up to a level and will definitely help in the problem. I don't know if you agree or disagree on that one, Randy.
Randy: I do agree with your overall assessment. That is clearly one of the biggest challenges that we face and DHS faces as well is that this is a huge, huge economy. When you talk about the nation's critical infrastructure, you're talking about thousands and thousands of companies. Millions of people are involved, all interdependent with one another.
Silo Mentality and Its Impact on Enhancing Cybersecurity
Randy: You're right, this sort of silo mentality, I'm only responsible for my sector. But a breach in some other sector can have cascading effects on me. DHS is struggling with that. We're struggling with it as well. That's why we're focusing a lot on the interdependencies of these different critical infrastructure sectors.
Randy: DHS has modified some of their thinking and I think it was very wise for them to do. They went from the notion of 16 critical infrastructure sectors to parsing it on the basis of national critical functions.
Randy: When you focus more on a critical function, like providing air travel for people and you need to keep that function operating, that by definition takes into account all of the different interdependent infrastructures. So they're moving in the right direction. It's a huge, huge problem and it's going to take years for us collectively to address it.
Eric: Where do we end up in 2025, 2030? What does the future look like in your opinion? The things you're studying? What are you seeing?
Randy: 2025 will show some progress in numbers. I'll talk about that. But I think that we're already seeing a whole new spectrum of threats and vulnerabilities. Where I think we'll see progress is we're beginning to see this push on the boards of directors. In the case of the Department of Defense, government agencies, prime contractors, supply chain heads, to insist on more responsible cyber hygiene on the part of their partners. In the case of boards of directors and on the part of their companies.
Enhancing Cybersecurity With Three P's: Process, People and Products
Randy: I think these forces, these business forces, market forces are going to force a greater sense of responsibility and a push more towards what we call a more holistic approach to cybersecurity. That holistic approach in my view is necessary because I think I've been at this cybersecurity business for 30 years and for 30 years, we've been throwing technical products at the problem and there's thousands and thousands and thousands of products out there. Many, if not, most of them do very good things.
Randy: But the notion that we can simply solve our cybersecurity problems by throwing products at the problem I think is misguided. We talk about the three P's: process, people and products. We need to have standardized processes that the entire supply chain understands and on a common language, common metrics. We need to address the people issue as we discussed earlier. Then we obviously need products as well, no question about it.
Randy: But what we need to do is we need to understand what products we need, why we need them, how we're going to deploy them, who's going to be maintaining them and matching the competencies of those people to the roles that they fulfill. That's a big issue but I think we're making, and over the next so many years, we'll make good progress there. Where I think we're going to see widening challenges in the whole area of 5G, IoT and the increasing use of those technologies in wireless communications and so forth. It just significantly broadens the aperture.
Randy: It increases the interdependency. It's very clear and we've all heard and read the reports about the concerns that the federal government has with Huawei. It's pretty simple. In so many years, 5G is going to be fundamental to our national economy and we don't want to be able to get a phone call from somebody and say, "You want me to bring down your economy."
Randy: We're doing research right now and looking at 5G and the potential vulnerabilities of the architecture. We're looking at the supply chain of 5G. We're looking at the emergency communication systems in this country, which is moving to 5G and next-generation 9-1-1. Going back to Carolyn's earlier question, we're looking forward to that.
Randy: We've been spurred to do that by DHS. I think that will be a challenge. At least we're one player that's taking a look in advance of where those threats might be emanating and see if we can't get ahead of the problem.
Carolyn: Randy, time is beating us, but you brought up some things, especially 5G. I've thought about that a lot this year because it's been a big topic. I would love to have you back and talk more about some of the other things that you've brought up.
Carolyn: This conversation's been interesting and honestly, a little terrifying to me. Especially as we start thinking about the critical infrastructure. Thank you very much for being on the podcast and we'd love to have you back.
About Our Guest
Randall J. Sandone, a Certified Chief Information Security Officer, is the Executive Director of the Critical Infrastructure Resilience Institute (CIRI), which is a Department of Homeland Security Center of Excellence. In this position Mr. Sandone is responsible for the operational, administrative and financial management of the Institute. Since joining CIRI he has guided research, technology transition, education and workforce development. These resulted in a portfolio of impactful cybersecurity solutions for both the public and private sector.
Mr. Sandone has a comprehensive career leading research and technology projects in environments ranging from start-ups to Fortune 100 companies. His strengths lie in strategy development, business development and project management with a strong emphasis on cybersecurity. He has managed the development, testing and certification of numerous cybersecurity products used by customers. They range from the U.S. Department of Defense, the Intelligence Community and other Federal agencies to private sector companies worldwide. In his current role, and in other executive leadership positions, he was responsible for technology transition and licensing, commercialization, product development and financial management.
Mr. Sandone is a former member of the University of Illinois College of Engineering Advisory Board. He’s a member of the Strategic Advisory Board of the Maritime and Port Security Information Sharing and Analysis Organization. He was a finalist for Ernst & Young’s “Entrepreneur of the Year for Illinois and Northern Indiana” and a finalist for KPMG’s “Illinois Technology Award.” Mr. Sandone began his professional career in the U.S. Army as an Airborne-Ranger Infantry Officer. He was part of the 82nd Airborne Division and in the Air Cavalry as a helicopter gunship pilot. He is a frequent speaker at security conferences throughout the United States.