Richard Rushing, CISO at Motorola Mobility, described current security threats and how companies aren’t responding adequately.
At the outset of his keynote presentation at the 2016 Chief Information Security Officer Leadership Forum held on June 22 in Chicago, Rushing announced, “Cybercrime is on the rise. We have to do something. We’re trying, but the criminals have a huge head start. We came from a policy approach, but that’s passé. Now we’re firefighters. We run into burning buildings and save people. It’s time to reboot and think differently, or the bad guys are going to win.”
Rushing pointed out that vulnerabilities didn’t just appear five years ago; it’s just that today they’re being exploited more often and in more sophisticated ways. “We still use passwords, even though we tell users that passwords are a huge vulnerability. There are plenty of solutions to passwords, but they aren’t implemented until something really bad happens.”
Current trends in security:
• Technologies that follow where the business is trying to go, rather than leading the business.
• Big Data, which we’re told is the key to everything. Not necessarily. “We don’t build in refinement. It’s a one-size-fits-all.”
• Buzzword bingo, in which “new” technology is actually old technology rebranded. “There are threat intelligence products that have nothing to do with threat intelligence or importing threat intelligence. The product needs to claim it addresses ‘threat intelligence’ so that box on the bingo card can be checked off,” said Rushing.
Current trends in threats:
• The bad guys will win. “They have unlimited time, and they have to be correct less often than we do,” observed Rushing. “They only need to have one person—the right person, or, sometimes, even the wrong person—open a phishing email, and you’ve got a problem.”
• The threat actors are criminals now, not just hackers. “In the past, you could hand a hacker a list of credit card numbers and they wouldn’t know how to monetize those numbers. Now they know the value of all company information and who to sell it to,” noted Rushing. “Your information is a commodity.”
• The attack curve is getting steeper. “The growth rate for attacks increases 20% to 25% every year. Nothing is telling us this is going to get better going forward, and management needs to understand there’s no one-time fix,” said Rushing.
“We usually innovate around technology,” said Rushing, “because it’s hard to innovate around people or process, but this needs to change. We need to sit down and talk to our employees for five minutes, not subject them to hour-long PowerPoint presentations. We need to customize our processes to make them more effective.”
Rushing observed, “No company has a big enough budget, and a lot of solutions are 1% solutions—solutions for a 1% use case. You have to determine if this is a reasonable solution for your company. Sometimes it might be. In addition, most of the products and solutions we employ operate at only about 70% and 80% efficiency. This can be increased by learning how to turn the right knobs, and this may save you from buying another product.”
Rushing continued: “100% isn’t the norm anymore. Be progressive—follow the badness, follow the money, follow the malware. If an employee is infected once, there’s a 95% chance that user will be infected again. User behavior must be addressed and, if necessary, punitive measures taken.”
In closing, Rushing noted, “It doesn’t take money to be successful at security. It takes hard work and people. Check in with your people, your colleagues, and your peers to find out what works, what doesn’t, what they don’t like, and what they do.”
“Remember, war is at the endpoint,” said Rushing. “Attackers want to get to your endpoint, because that will give them everything they need to get to the rest of the systems.”