Whether we like it or not, the recent cyber-attacks (see Colonial Pipeline, JBS Meat Packing, and the Nantucket ferry) and U.S. President Biden's Executive Order have brought cybersecurity to the forefront of everyone's minds. Hackers are getting more brazen, and the general public is now more aware than ever of cybersecurity. With the constant barrage of new attacks, it can be hard to keep up with the latest standards and the latest breaches, and also to communicate to the general public the impact and downstream effects of these security incidents.
This week's Reimagining Cyber podcast episode, "Smart Cities, Hair Dryers, Cyber Intel Sharing… Oh My!" with guest Michael Echols, CEO of MAX Cybersecurity, LLC and author of "Secure Cyber Life: The Government Is Not Coming To Save You," does a deep dive into the importance of industry standards, cyber threat information sharing through Information Sharing and Analysis Organizations (ISAOs), and, as we move to a more digitized society, how critical it is to educate the masses.
Echols has decades of experience helping government entities and private companies become and remain cyber resilient. Interestingly, he calls cybersecurity a buzzword. Instead, he likens cybersecurity to risk management. Understanding the threats (risks) and making decisions based on those consequences sounds like a good strategy, but without proper parameters or standards in place, everyone is working off of a different starting point.
"This is why government intervention becomes so important. We like to take the word 'standards' and relate it to regulation. And that's when nothing happens," he says. Having a level-set, a standard in place, ensures we're all working off of the same baseline. Echols uses the analogy of a hairdryer to explain the importance of working off the same set of standards.
"Organizations, companies do not want regulation. But in some cases, we have to have standards. If I'm at my house, using my hairdryer, a 110-120 outlet, I can go to your house and plug that same hairdryer. We have to have some levels of standard to ensure that we can get to some place, where when I'm doing my risk assessment to understand the consequences. And you're doing yours. And we are in an interdependent digital society, that we're on the same page. That's what's missing."
Once you have standards in place, one of the next areas to focus on is threat intelligence. Echols has been a staunch advocate for ISAOs for years, encouraging and leading the industry shift into a more open and trusted environment. Based on a layer of trust, the ISAOs are key to staying on top of the latest threats and attacks.
"The ISAO concept allows any group, regardless of what sector they're in,…as long as they trust each other and as long as they're participating in the process of sharing cyberthreat information. If something happens to you, and you're one of my trusted partners, it should not happen to me. That limits cascading effects," he says.
"The way things are set up now with the ISAO, it's very effective and they work across sectors, energy sector, financial sector, telecommunications, etc. What happens is as they are sharing information with each other, they are putting mitigations in place."
In-industry regulations and cross-functional sharing are critical to becoming and remaining cyber resilient, but we need to educate the masses to have even more impact. Consider the "it won't happen to me" and "that happens over there" attitudes: it no longer happens "over there," and it "will happen" to you (please see Colonial Pipeline and gas hoarding). Echols' new Smart City initiative in Jacksonville, FL, U2C, is the first pilot in the country where commercial vehicles will not have a driver. Echols has been working with the Jacksonville Transit Authority (JTA) on this project to bring all of the contractors, spanning from electrical companies to those building out the networks to those that paint the road, up to speed on the cybersecurity implications of something of this magnitude. A project like this is an opportunity to educate the local community at large.
"Additionally, it creates an opportunity to train the community. And the goal is to start to develop a culture of cybersecurity, not just for the community that will use the autonomous vehicles, but for the people that work at the transit organization, who now will be responsible. Some of these people have been working in transportation for 20-30 years. And the idea is that we have to grow from the bottom up and not the top down the way that we've been trying to do it."
As someone in communications, I found this episode really interesting: how people interpret the word "standard" to mean regulation, how communication is so critical in sharing what's working and what's not, and how to increase awareness outside of the tech space of how important cybersecurity is.
Are you a part of an ISAO? Has it helped you craft your strategy? As someone in the cyber space, do you find yourself trying to explain in layman's terms how important cyber is to your everyday life? I know I do! Share in the comments below.
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com and CyberResilient.com.