An Inside Look at Cybersecurity

We talked with corporate security veteran Mark Maybury, who told us a little about what it’s like protecting government secrets.

How did you end up working in security? What about your current role?

Roger Needham, the department chair at Cambridge University and a computer security pioneer, inspired my early interest in computer security. After 20 years at MITRE, I became Chief Scientist of the United States Air Force and led a team to create Air Force Cyber Vision 2025, a blueprint for cybersecurity. I returned to MITRE in 2013 as the Chief Technology Officer, and then was named Chief Security Officer. My role is to protect our seven federally funded research and development centers (FFRDCs) and direct America's first National Cybersecurity FFRDC, where we aspire to create a stronger nation and a better world by contributing to breakthroughs in safety and security.

What’s the most significant thing that has changed in the security industry since you started?

In a word: cybersecurity. The increased cyber dependency of our growing digital nation, and vulnerability across all sectors, means cyber actors threaten business sectors such as energy, finance, transportation, and health, as well as new areas such as the Internet of Things (IoT) and even our election system. Commercial industry has become a key defender and innovator, fueled by growing criminal and nation-state threats to intellectual property, systems integrity and public safety. In addition, public-private partnerships have evolved to reduce risk by sharing threat and vulnerability information across sectors via information sharing and analysis organizations.

What’s the biggest short-term challenge for early-career security professionals? What about long-term?

Shortages of qualified cyber experts — especially when combined with growing threats, vulnerabilities and ever-increasing dependencies — remain a challenge in both the short and long term. For example, to accelerate solutions for embedded systems and IoT security, there is an incentive of $50,000 for the first company to solve an IoT identity challenge. Also, the knowledge gap between what is taught in college curricula and what is needed in today’s market can be significant. By encouraging and rewarding the development of solutions to systems challenges, MITRE helps security professionals at all career stages bring their expertise to the broader community.

What is your definition of a thorough security plan?

A robust cyber defense must be founded on established security principles such as attack surface reduction, least privilege, and imposing costs on adversaries to ensure deterrence. Any comprehensive implementation includes anticipatory threat intelligence, protecting crown jewels, attack prevention through deterrence, and resilient design and proactive response. Approaches must agilely take advantage of rapidly advancing global technology, respect privacy and continuously develop cyber professionals to stay ahead of the threat while protecting civil liberties.

You might think that a small company is a small target for hackers. Think again. Though corporate giants like Amazon and major banks have huge treasure troves of customer data on their networks, they also have massive, lavishly funded cybersecurity programs. As hackers shift their focus to easier prey, small and midsize companies need to get up to speed on cybersecurity.

The growing danger

“Nearly half of small and midsized businesses have been the victim of a cyber attack, and 71 percent of security breaches target small businesses,” says Michael Kaiser, the executive director of the National Cybersecurity Alliance. “As larger companies beef up their defenses, those who wish to steal sensitive data are taking advantage of businesses that lack the knowledge and the resources to keep their digital assets secure.”

Despite this danger, only 20 percent of small and midsize companies have a cybersecurity strategy, according to a 2015 Nationwide survey. Cyber attacks aren’t only more frequent than they used to be — they’re also more devious. For example, phishing attacks used to spam everyone in a company with an email that looks like it’s from a trusted source, then launch malware to hijack the company’s financial data. Today’s “spear-phishing” is sneakier. It targets just one or two employees who have access to essential data — like the HR director, the CFO or even their executive assistant — and then wreaks havoc.

Best practices to trust

The good news is that small and midsize companies can take steps to protect themselves against hackers and data thieves. Kaiser suggests following these best practices created by the National Institute of Standards and Technology:

  • Identify: List the “crown jewels” that would be most valuable to hackers. These could be obvious things like employee Social Security numbers or customer financial data. Or they could be subtler, like the email address of the CFO at a much larger company you partner with — a perfect target for that spear-phishing attack.

  • Protect: Determine what protective measures are needed to provide the best possible defense from a cyber incident.

  • Detect: Establish systems to alert you if a security breach happens.

  • Respond: Plan how to contain an attack and keep your business running.

  • Recover: Plan how to return your business to normal after a security breach; this includes assessing your company’s legal obligations.

Getting outside help

Not every small or midsize business can implement these best practices on its own. The IT director at your company might do a great job of keeping the computer network humming along. But if he’s not an expert in cybersecurity, you might need to hire a security consultant to ward off threats from hackers.

Robert Herjavec, “Shark Tank” star and cybersecurity expert, advises that companies should keep a few things in mind when looking for a security provider.

  • True partnership. “It’s important that the enterprise and service provider truly view the relationship that way — as a partnership,” says Herjavec. “This has to be a high-touch, collaborative effort, in order to ensure that a proactive model is built that best suits the enterprise’s security needs.”

  • Agreement on the scope of work. “It's important that the organization and provider understand the scope of the ask and the timing requirements,” Herjavec advises. This means defining the list of assets to be monitored (in other words, the “crown jewels” mentioned above); the types of cyber threats that will be tracked and reported; and all processes and procedures.

  • 24/7 support. “Security isn’t a 9-5 job,” Herjavec says. Monitoring of cybersecurity should be happening around the clock, year-round.