Every month ThreatSwitch hosts a webinar on a topic of interest to the security and compliance community. Thousands of security leaders and practitioners have attended these webinars, but not everyone has an hour to spare. That's why we'll be sharing our CEO's lessons-learned each month right here on the ThreatSwitch blog.
“You have to exercise your plans before you actually have to execute a plan.” -Karen Evans
It would take a long time to discuss all the credits Karen has to her name and to dive into all the roles she’s played in the security space as a whole.
But what I really want you to know is the wealth of knowledge she shared with me during our latest webinar. There’s a lot to talk about, so make sure you check out the full webinar here! (You can also read the transcript below.)
Here are a few highlights from our informative conversation.
1. Government & industry need to work together
From an industry standpoint, when regulations come down from the top, sometimes the initial reaction is to try to wait it out and assume, or hope, that nothing is actually enforced.
Karen says that’s not a viable option because the problem isn’t “IF it happens to me,” it’s “WHEN it happens to me.” It’s important to do your due diligence.
2. Be prepared
This goes back to Karen’s statement that was quoted at the beginning: “You have to exercise your plans before you actually have to execute a plan.”
It’s not enough to just have a plan.
Make sure everyone knows what their role is – before there’s a crisis. This must be an integrated team project or there will be security vulnerabilities.
3. The difference between security and compliance
They’re not the same, but they are equally important. And a huge risk comes when you prioritize one over the other.
Your organization can be 100% compliant and still not be adequately secure. This idea has escaped many CEOs who have been completely shocked when they’ve been hacked.
It’s critical to understand the risks – no matter how compliant you are – or your organization will still be vulnerable.
4. Learn to recognize patterns
The Colonial Pipeline incident got everyone’s attention because it affected the ability to get gasoline.
But there are plenty of other attacks that don’t make National news. Part of an effective strategy for preventing hacks and other nefarious security events is recognizing patterns.
First, you need to have a framework in place and an understanding of the threat landscape. You also have to have a handle on what your highest value assets are, and you have to know what the most critical thing that could happen to you is.
Full Webinar Transcript
Speakers: John Dillard, Karen Evans
John Dillard 04:03
Good afternoon, everyone. Thank you for joining us for this month's ThreatSwitch webinar. I am very excited to welcome Karen Evans, former CIO of the Department of Homeland Security. And we're going to have a conversation about the relationship between government and industry and how to bridge that divide. As many of you know, I’m John Dillard, I'm the founder and CEO of ThreatSwitch. And as most of you have learned by now, ThreatSwitch provides software that helps companies deal with security compliance obligations. So with that, I want to jump in to a few pre-show notes just to let you guys know, before I introduce Karen, how this is going to work. As you know, you can submit questions throughout the session, and please use the Q&A button in the Zoom webinar interface to submit those questions, and then we will tackle those in the back half of the webinar. If we can't get to all of them, we will do our best to follow up with the response afterward. And as always, we'll provide the slides, recording, transcript, as well as any resources we mentioned along the way, in a, you know, show recap that you'll be able to get to after the webinar. So with that, I want to introduce Karen. As I mentioned, Karen is a former CIO of DHS, which is a pretty hairy job over the last couple of years. So she's been in some very interesting situations. So that's going to be helpful for all of us. And she also served as the first Assistant Secretary for Cybersecurity, Energy Security, and Emergency Response. I got all the words in at USDA UI. So she's worked on the energy side of the house, and really as part of a long career in government information technology and cybersecurity. So, three presidential appointed positions in a couple different administrations, established U.S. Cyber Challenge to help develop talent in our national infrastructure universities, or for cybersecurity, currently serving on the board for National Cybersecurity Center and a variety of other advisory boards. 
So welcome, Karen. I probably could have introduced you for another five minutes, but you did a lot of stuff.
Karen Evans 06:16
Oh, thanks. Yeah, it's kind of the CESER job is really a good one. When you get that one out, that's hard to fit on the business card, too.
John Dillard 06:28
I mentioned the ink bill must have been out of hand for that one.
Karen Evans 06:32
Yeah, yeah. Yeah. But the acronym is really cool. Because we call it CESER. And so like, people would joke around, you know, I would go, I went to one of the for all this stuff, you know, went to a big energy place. Meeting, and it was held in Las Vegas, and several of them were standing at Caesars Palace, right? We're walking through and they're like, All Hail Caesar. But the CESER acronym is a little bit different than that Caesar. It was really crazy. But they were very excited that that position and that focus had been established.
John Dillard 07:07
Great. Well, we're gonna get into a number of the things that you've worked on here. But what I love to open with, for everybody, is just a little bit of how you ended up here in the first place. I mean, if I read, right, you have a chemistry degree. So how do we get from undergrad in chemistry? To CIO, DHS? How'd you get roped into the security stuff?
Karen Evans 07:30
So there it is an interesting story. I started my federal career as a GS-2, and worked my way up through the Career Service and achieved career SES, which is Senior Executive Service, which usually is that's the pinnacle to, you know, a career employee’s achievement, right. And that was as the DOV CIO, I achieved that position. And from there is when I went to the Office of Management and Budget during the Bush administration. But as a chemistry major, I had a couple supervisors along the way, who said, if you can graduate with chemistry, you must be pretty smart. And gave me a hand. Well, my dad, that's a whole other story to talk to you about. But my dad was like, Hey, you have to get a full-time job, which is the reason why I went into government service, it was only going to be temporary. But I had supervisors who really gave me opportunities to work on projects and to work on things as they were evolving. So my career really evolves with the evolution of the internet. Like one I remember, one of the first major projects I was working on was the implementation of a GUI-based personal PC because we were changing from, you know, DOS 3.1, or whatever to Windows. And one of the things that we were using to get people to do this was traffic and weather in the Washington DC area, we put little buttons on the computer. And I do remember, like demonstrating this for the administrator of an agency that no longer exists and the whole computer died, the whole Microsoft computer died right in the middle of the demonstration and everybody's looking at me like, holy smokes, what are we going to do, and I hit the reset button. I said, Boy, isn't Microsoft so clever? They put the reset button on the front now instead of you trying to have to figure out where it is on the back of the computer, and then it like rebooted. 
And we went on with the rest of the demonstration but um, you know, we were I worked on that I had to bring internet connectivity when I was at Department of Justice down to every desktop in the department because at that point, Attorney General Janet Reno wanted to send an email, she wanted to send a note out to every employee within the Department of Justice and one thing I found out is if you ask a lot of questions, a lot of attorneys get involved in that, like, because imagine exactly right. And so one of the questions I asked was what happens if somebody answers her email back? That added another six months on to the project. I'll never forget that because we had to work out how this was going to work. You know, now, is it official correspondence? Does it go into exec sec, what is the actual process, I mean, was really pretty fascinating. And during the tenure, that is when I also had the dubious honor of being one of the first civilian agency websites to be hacked. And so that was in 1996. It still lives out there. If you go out and look at some things like the Wayback Machine and those stuff. You can see the naked body of Jennifer Aniston on the head of attorney Janet Reno, I thought it was due to Waco, but actually what was happening at that time, when you read it, and I read it in a history book of all places, and the internet was that Antitrust Division. And the Tax Division was looking to see how they could do taxes for services on the internet. And they were going to issue a ruling as it related to taxing services on the internet. And so the Department of Justice, like hacked, so the happiest day of my life is two weeks later, because the CIA website got hacked. And so we learned a lot about the construction of what was happening. And what was even funnier is those lessons today, are still the same lessons and the same best practices that you have to put in place. 
Just the time, like the time is accelerated to 24 by seven, the threat landscape, our adversaries. I mean, it has really changed, but those lessons learned and how to respond to an incident, you know, are still the same. So, you know, fast forward, I was the CIO at DHS and thought I was gonna hand off transition to the Biden administration. And in December, I got contacted and said, Hey, Karen, like we need to talk to Microsoft needs to talk to you. We were one of the agencies that were affected by SolarWinds.
John Dillard 12:25
Yeah, yeah. Which is the stakes get a little higher from posting embarrassing photos of Janet Reno to SolarWinds. That's, that sounds like that the bad part of the advancement of technology.
Karen Evans 12:38
Yeah, the stakes have gotten higher, but what you learn is those skill sets on how to respond to an incident, they never go away, it's kind of like riding a bike, you know, and then the scale right is huge. And, and the impact because it's DHS, and how we had to brief a week, we still back in the day, 1996, we still had to brief Congress on what was going on. So like, none of those things have changed. Just the knowledge base of everyone has increased, which is a good thing. But it's also, you know, a double edged sword as you go forward.
John Dillard 13:18
So I'm in the process of really living through how things have changed, especially in the government response side. If you think about the issues, or the areas that, gosh, these are the three or four things that I'm most passionate about. Now, if I had to pick two or three things that are most important for this community, and I know you're involved in a lot of them ranging from talent to incident response, I mean, what are those things that are the passion spots for you in this area?
Karen Evans 13:45
So the passion area, you know, it still comes back down to the people? And when you really take a look at it, you know, do you have good plans in place? Or what is the technology? Or am I doing compliance? Or have I done this? Or have I thought about that? It really comes down to risk management. Do I really understand the risk that I'm facing for the services that I'm providing? And then coupled with that, Do I really have a staff that can really handle that and partner both with industry as well as internally like in the case of DHS, all the component organizations? Because that's a lot of moving pieces within an organization.
John Dillard 14:31
Yeah, well, and the relationship between industry and government, which I know is really a big focus of a lot of things we're going to talk about today. A lot of the conversations that we have in our community, on the industry side, the industry does things because the government tells them they have to a lot of the time, which is the compliance or the problem. And you and I talked before the session about security and compliance and how they are very different things and I just wanted to get Our audience to hear your perspective on that issue. But the difference between security and compliance, why they're not the same thing, why they're both necessary and maybe what the risks are focusing on one more than the other.
Karen Evans 15:12
Yeah, we could go the whole session on talking about compliance and risk management and security like, and I believe, and the way that I really look at this is you can be 100% compliant, you can do everything that the government regulations tell you to do. And you can produce all the reports and all the artifacts that you need to have there. And it's costly. I mean, as a person who was responsible for the Federal Information Security Management Act, which is now the Federal Information Security Modernization, I, there's a lot of unintended consequences that come from that.So you’d be 100% compliant, and yet have absolutely no security whatsoever in an organization. And the reason you know that you say that is that you crank out these things, right? And when I had to really look at the government as a whole as an enterprise, you know, you're reliant on the parts and the pieces, and do they really understand what they're managing on the parts and the pieces. And then what you have to do is, say, as reported by a department or as reported by an agency, and then how, how do you really measure that maturity? And so the idea was, well, if you pick a few key processes, those processes would really indicate the maturity of an organization, and that maturity of an organization would really indicate Do they understand the risk facing them? And do they have the right things in place to be able to manage that risk? And that's not what compliance does a compliance mindset is, hey, Sarbanes Oxley is saying, I've got to have XYZ and I have to have these types of controls in place. So there, there's got to be compliance is better than nothing. That is the easiest way to say it raises the bar somewhat. But if you're just focused on compliance, and really don't understand the risks, then that's when CEOs get shocked when they get hacked.
John Dillard 17:22
Yeah, yeah. And well, and there are certainly some companies who feel like, that's an acceptable worst case scenario where they, they sort of calculate the risk of their organization of checking the boxes, and does that give them liability coverage for being able to say that they tried hard, which seems to not get companies where they need to get?
Karen Evans 17:45
Well, and and there's something to be said about that. Right? If, and I'm gonna do a big if here is because also prior to going into this administration set as an independent director on several boards, publicly traded companies, and sat on the audit committee, because in which, you know, people get a little crazy like, well, what's the audit committee, but depending on how an organization is organized, that's where risk is looked at. And they look at the risk of, you know, financial transactions? Where are the internal controls are, right? Like, how, how are you managing that part? As it relates to the financial health? Right? Well, you're using technology in order to do a lot of those things. So you really have to, as a group, as a board, as an independent director, really highlight? Hey, have you guys thought about this? As you know, the file is traversing around the network? Have you thought about this? Are you encrypting that? Are you doing this? And when they look at you like, Well, why would I do that? Or the other thing that a lot of times happens on some smaller companies, right, small and mid sized companies as I don't have any information than anybody would be interested in. So therefore, it you know, I don't need to secure that stuff. I can invest more over here. If, if that is really how they go about analyzing it, and you can show that you've done due diligence, then then you do right, you know, reach that bar, but I think what most companies are going to find out is somewhere along the line, you're somehow involved in a supply chain, that you know, then you're hooked on to somebody else, or you're doing something electronically because that is going to make it Oh, I get paid faster or something along the lines. 
And that's why you're seeing this explosion of ransomware because people aren't are thinking well, it's not me, but you know, I'm hooked to company a company a gets, you know, an issue and now they get to me through Company A and now I'm a victim of ransomware I know I can't get to my account so I can't get to my clients. That's a problem.
John Dillard 19:57
Yeah, well, and you mentioned supply chain, I want to pull Rather than because you mentioned solar winds at the beginning of the conversation, and, you know, I think our folks would love to hear that story in the context of supply chain as a vulnerability area for really our entire economy to say nothing of national security. And really what your role is, was in that entire thing. I mean, I just the story is fascinating to me. And what you learn from this, I mean, pretty, maybe one of the worst, if not the worst attacks of its kind, that we've had to deal with, and you were in the middle of it.
Karen Evans 20:32
So um, yeah, so it's a fascinating story, right? Because you're the CIO of DHS, so you provide the services, one of your component organizations happens to be CISA, who is also now responding to the nation, right. And so you're the service provider for that component organization. So it's really fascinating. And I would say one of the biggest things that happened with SolarWinds is how do you really do communications when your network is compromised? Right. And so the government has different types of communications that are available, which, you know, coming up on the anniversary of 9/11, we had a lot of lessons learned about our ability to communicate when telecommunications goes down, right? And you have different priorities. And you know, how you get through the public telecommunications system and who gets priorities, and we have these things called GETS cards and all these other great stuff. But when you have an incident such as this, this is a little bit different, because your network and your network resources are compromised, but you don't know to the extent because you're in the process of investigating how extensive is this? And how much they actually really move laterally? And what assets are really can you trust? So a lot of it? And then because you have a lot of industry partners, right? And a lot of different things are along the lines, like, Okay, how are those connections with the industry partners? What services so this gets into your high value assets? and assessing those quickly, to really figure out how can I restore trust back into the network. But now I have to communicate with those senior leadership. And oh, by the way, this stuff isn't really classified, but it's an ongoing investigation. So how do you then communicate, I mean, we had to put together a whole alternative way of communicating with a small group of people that took into consideration what the government rules are knowing that you would eventually get for you. 
And you would have to produce all these records for Congress and everyone else, and then deal with the Records Act, right. So and on top of that, there was a small amount of boxes, email boxes that were being looked at, and mine was one of them. And I'm directing the resources, right. So
John Dillard 23:02
so it's like sweeping the firing range while everybody's shooting at you.
Karen Evans 23:05
Exactly. And so it was, um, it was interesting. There it was it, you know, it was really very eye opening, because, you know, what really rises to a level of a National Incident similar to like, 9/11, as it relates to communications. Now, I will say, for people who are participating that are in the energy sector, Congress did think about this. So in the energy sector, we were exercising this because the Secretary of Energy actually has authority to make a recommendation to the president to be able to declare a grid security emergency. And when that happens, it's very similar to when the Stafford Act goes in place, right? And that's when the military can be called in, you can do different things associated with resources, how you partner with private industry, how you do certain things. But again, that question comes to what constitutes a grid security emergency, what's the level? What's the tolerance, the way that the grid is set up? You know, it is segmented. And you saw some of that. Now, the good news is we exercise a lot of that and the other pieces, when you ask what's important, that's why I'm bad to people education, your plans and exercising, like you have to exercise your plans before you actually have to execute a plan. Because if you're executing a plan that you've never exercised, that's not the time in the middle of the crisis to find out, whoo, I need to update this plan. Like we didn't think about this whole piece here. Right. And so all of that comes down to the people in the planning aspect of how you manage your enterprise and how you manage your services. So that was a long answer. Oh,
John Dillard 25:00
that's, that's, that's another one we could spend a whole hour on. If we wanted to close the loop on solar winds. I am curious for the decision makers on both the government and the industry side, to what extent do you feel like it was a wake up call? Do you? Do you think that it materially is changing the behavior and focus on either government or industry? Or both? And how can we think about those kinds of threats? You know, aside from the ransomware thing, which we'll talk about in a second, but this kind of attack?
Karen Evans 25:32
Yeah, so that kind of attack I do think was very different. I think, what you heard FireEye talk about and what you heard Microsoft talk about at congressional hearings, it was very different. What happened in that particular case was the adversary really abused trust or relationships. And so that's really what comes down to in supply chain, right? Especially in the cyber world, a lot of this, like, you know, if we let's go all the way back to compliance, one of the things auditors and you know, people who do evaluations, but they look at is, do you have automated patching in place, right, like, to what extent have you automated those processes? Well, that's exactly what got exploited, because you have to have a trust relationship between your vendor and your enterprise, if you're going to automate and automatically update certain things and that relationship and how that, you know, got called is what got abused. Now, there are companies that were pivoting, right, because they were already at the point of looking at endpoint detection, right, and how their endpoint EDR solutions were working, and there really isn't a perimeter. And so every device is a sensor. And, and so some of those companies that were innovating in that direction, actually could stop and thwart some of this stuff that happened with SolarWinds, right, because they have been putting in some of those types of things. But some organizations such as ourselves, and how we worked with our industry partners in maintaining how we move to the cloud, and how we had, you know, a mixture of on-prem and off-prem solutions, those relationships are trusted in order to maintain those operations. And that's very different from what happened in the Colonial Pipeline.
John Dillard 27:33
Right? Well, and let's talk about Colonial Pipeline a little bit, it's it mean, totally different kind of an attack dope, totally different kind of motivations, right? depending on your perspective, either better or worse. They felt like they weren't really doing anything all that bad. They just want a little bit of money. Right? Well, right. Yeah.
Karen Evans 27:51
But what if phase so then when you say, Well, if that's a wake up call, is one thing on the side, where people are saying Holy smokes, you know, it's gonna be a cyber Pearl Harbor, 9/11, or whatever. But when there's lines at a gas station, because now people can't make deliveries, or you can't schedule stuff, or they have to turn off some of the industrial control systems, because they're not in theory, they're supposed to be air gapped, but the more efficient, several of these companies become right, then then that gap gets smaller and smaller, which is part of the challenge. But in the case of Colonial Pipeline, when that CEO testified, you know, that's back to do. I know my assets. So we're back to a compliance type of thing. And then did I put on multi-factor authentication. He didn't have multi First off, he didn't realize it was an old, it was an old system that they had that still allowed dialog capabilities. But he did tell Congress, it had a strong password. Well, okay. It had a strong password. But one, you're not really you didn't really know this asset was in your inventory. And you didn't have multi-factor authentication. Okay, that's a level one type of cyber hygiene types of things that, you know, a good compliance type of regimen is supposed to highlight. And it did.
John Dillard 29:18
Yeah, yeah. And well, what other I mean, we talked about guest saying briefly before the call, how are these kind of what are the patterns that you see? I mean, Colonial Pipeline is the is the big one, because we all got our attention, because we couldn't get gas. But there are lots of other ones and what are the patterns in those kinds of attacks that companies should be aware of, in terms of how they think about detecting and responding
Karen Evans 29:42
Well, and see a lot of this, you know, it goes back to National Institute of Standards and Technology, the framework, right, if you really take a look at the framework, because I think what has happened in the past is there's a lot of quote unquote religion around what standard to follow. I'm like, Look, you just have to really understand the threat landscape, what services? And what are your high value assets? You know, if you don't do anything else, what is the most critical thing that is going to happen to you, you know, for a CEO to have a bad day, there is some work that's done by Idaho National Labs, called it's called, it's cyber consequence engineering, CCE. And what it really does is you and they have a book out too, so I can send you the link. But what it really does is have people think, like, especially your leadership, like, you know, if you're publicly traded, you know, the CEO, what does a really bad day look like? Like, you know, Colonial Pipeline CEO that I was bad couple days. Okay, that is really that and the decisions that they had to make? And then do you put the right, you know, you pull the thread within your organization? And then what you do is, do you have the right protections in place for that for is some kind of cyber, you know, piece comes, but what, what you're really seeing is, is we’re a nation who is totally dependent on technology, and our adversaries know that. And so, you know, like, what happens to a hospital when they lose all their patient data? If the person has backed up all the patient data, right? And then, and now I'm back to have you really involved everybody in the plan? Or are you just the technologists on the back end, working on the plan? So if this goes down, you know what you're supposed to do, but oh, by the way, we have a whole communications or we have a whole legal arm, right? Like, it's got to be an integrated project team. 
And that integrated project team has to include communications, legal, right, senior leadership, so that this gets quickly escalated, and people know their roles. It a lot, you know, you need to know your role before there's a crisis.
John Dillard 32:06
And this gets to Incident Management, right? So what the role when these things, these things are going to occur like that. It's not the idea that we're going to stop on any, any company that says they're going to stop an attack, probably not really being honest with themselves, their customers, they're going to happen. So when companies have to deal with it, in the car, it can be either, you know, sort of a nation state afterwards, the ransomware kind of thing. What are the ingredients? You mentioned? No. enrols? Clear, right? And involving a lot of folks, what are some of the other critical ingredients of effective incident management that companies need to be thinking about?
Karen Evans 32:43
Well, they do need to think about their high value assets. And when I say that, for example, I was working with a mid sized company, who brews beer. Okay. Now to me, that's critical infrastructure. I don't Okay, so I may I, you know, I just say it. And so I mean, the question that I asked them when I first started talking to them was what happens if you lose the recipe for the beer, like, you know, for this special beer, and they talked about how they did certain things, like with a merger acquisitions, how they protected this recipe of beer, and I said, and no one has an automated copy of it anywhere. Nobody wrote in anywhere. And then they all kind of looked at each other, and they weren't 100% Sure. Like, they had a physical protection around it. Like people can think about guns, gates and guards in a save all this. But the minute that something gets automated, they weren't 100% Sure. And so they said, well, like we have to really go and check on that. And so I mean, cuz that's the biggest thing. What happens if you lose your data, or the network is down? Or, you know, like, we couldn't communicate where we could, but we didn't necessarily want to communicate a lot of specificity over a network until we could restore trust back in the network, right? And so like, what do you do? And how, how, how are you going to manage that? And, you know, you saw a lot of ransomware heading in the healthcare sector, right? Because hospitals, they're disparate, but now there's a lot of consolidation that's happening around hospitals, and how that works. But what's really key? It's, you know, can I access services? And what about the health records of those individuals when a patient comes in? And you know, can I give service without having access to the records? I mean, I'm sure doctors could, but now think about, oh, if I don't record it properly, or if this date is on so it all comes down to me is the data and how is the data used for your business process? 
And then how does the data move around in your enterprise, and if you have any gaps in that knowledge, that is what is going to get exploited.
John Dillard 35:08
Got it. Good advice. There we go. Now for large enterprises, especially anything that comes close to critical infrastructure, and, you know, you, you were right in the thick of this working with FireEye, and Microsoft and some of the stuff that you had to get involved with, what are the things that large enterprises need to know about working with the government in incident response? That they miss? What is what is the thing that is often overlooked? When you're the CEO in a place like FireEye? Or a software provider like Microsoft, or a Colonial Pipeline CEO? Who the front, what are the phone calls that need to be made? What's the level of transparency? What are the things they need to be thinking about?
Karen Evans 35:46
Oh, that's a great question. Um, the phone calls that a CEO would make are a little bit different than the people on the front line. So think of it as the first responders, right? And so how do you do first responders? And what's the triage associated with that? In the case of Colonial Pipeline, and what happens is that we have especially critical infrastructure, there are sector-specific agencies. So in the case of Colonial Pipeline, that CEO would call into my former office, right, and they would talk to me or my predecessor, and we would then kick off the whole response that would have to happen within the government, right? Like, there is a whole escalation process, how we work with DHS, how you get the whole government response. And I think Colonial Pipeline really demonstrated that's a whole nation response that has to happen, right, because they need their industry partners, the way the energy sector set is set up. And you see this in hurricanes as well. And you're seeing this down in Louisiana is the reconstitution of services, they have mutual assistance agreements in place and cyber is just another piece that they have added to that so that they can help each other to reconstitute services. So that's a little different now, when an industry partner like in the case of Microsoft and FireEye, right, detects that something's going on. And it's big, because that was big. They're actually working directly with DHS, the CISA group, critical infrastructure security agency, so they work directly with them. And then that is the conduit because I got my call from CISA. On SolarWinds, so they called me. So they're there. It's very multi-dimensional. But the other part of it is FireEye is also one of our contractors, and Microsoft is also one of our contractors. So there was this other information sharing piece, and we made sure, you know, it happened. And the response teams were integrated as we were moving forward with CISA.
Right, and their threat hunting team with the FBI with Secret Service. I mean, DHS is kind of uniquely positioned because of the law enforcement resources that we could also tap into. If you're a private industry company, and you're in a critical infrastructure group, there are different designations, but that the CEOs already know if they're Section 9 or those types of things, and there is an escalation process that they have to do. The complexity of this, and I think you're seeing it play out right now, is how far does notification go? Because if I'm publicly traded, I have to do disclosures. And now Congress is looking at is it 24 hour disclosure? Is it 72 hour disclosure? Do you publicly disclose, you know, how, how are you doing this? And, you know, there's a lot of ramifications on a publicly traded company as they move forward with the disclosures?
John Dillard 39:05
Well, and it's a little bit related to the conversation we had on security versus compliance, because companies seem to have maybe both, but either one or the other, more often respond to these kind of situations. One of them is a compliance and liability kind of thing where it's like, oh, crap, something bad happened. I need to get my ducks in a row before I tell anybody so that I don't get sued. And I minimize my losses, which acts in completely opposite interests of the national interest of addressing the incident management problem. So I'm curious what your thoughts are on how companies can bridge that gap between the compliance and legal team in their companies that kind of want to make sure that they're doing things in a way that protects the company from liability and compliance lapses versus the absolute critical need to protect, you know, national security, critical infrastructure and you know, the public from whatever bad thing is happening.
Karen Evans 39:58
So, so I think you're seeing some of that play out right now, right. And the delicate balance of how that worked was with FireEye. And FireEye's disclosure. And I think you're gonna see more and more like, I think I just saw where Brad Smith updated three chapters in his book, to relate to SolarWinds since then. And then you also saw Microsoft come out and publicly disclose certain things. But the challenge for a lot of companies as well as federal agencies, because you know, when you're buying these services, is to really understand the terms and conditions that you put in contract. And the other part is, you have to really make sure that based on those terms and conditions that you put in the contract that you're actually informed in, you know, enforcing your own terms and conditions that are in contract. I mean, it's one thing to have them in the contract. It's another thing to actually follow through and enforce them. And I think that's, that's part of what you're seeing happening right now, with the Federal Acquisition Security Council that is in its like, second year going forward. Some of the things that happened were Congress actually banned certain products and companies from going into federal networks and federal space, which then has a cascading effect down on our industry partners and their ability to provide those services. And then you're also seeing some of this evolution as it relates to what do you do is attempting to do with CMMC and seeing the Accreditation Board? Right. And, and then what is happening with FedRAMP? So they think that delicate balancing was done and FireEye looks like a hero. Right? And but what was great with the fact that FireEye is there, the quintessential group, right between FireEye you know, the Mandiant part of that, CrowdStrike, you know, Palo Alto, like, you know, who the go-to people are, right, when something happens. And if it can happen to them, you know, some of us are like, okay, like it happened to them.
And so the minute we saw that article when they disclosed it, and then they said, Oh, and we lost, they had access to some of our red team tools. We were like, holy crapola. And then when we saw the fact that they had Microsoft in there responding with them, we said, Oh, okay, we're Microsoft in the cloud. And we have FireEye. So we went on a heightened sense of awareness. And we outreached to both of them and said, Hey, we need to know what's going on. Because we use both of you guys. And, and it was a matter of like, they, they were, you know, reaching out to their clients at the same time, which, you know, so. So it was a pretty proactive approach. But you know, like, you got to be up on your current events and read the puzzle, too, because I don't know that they're necessarily going to say, Hey, you know, hey, look over here. Okay, so, John, you're on mute?
John Dillard 43:04
Yes, I am. Thank you. Okay. I got it. You know, I heard a dog bark, which happens on these calls from time to time. So that's the downside of me. But, um, one more question for you before we jump into some audience questions. And that is, and you're touching on it in your last comments. And that's how government and industry work together or, or in some cases, you know, it can be a little bit contentious or in conflict. If you're advising industry right now, especially large companies, what should they be expecting from government, obviously, you got CMMC coming, which is, you know, branded sort of the DOD thing, but likely it will spread. You have an executive order that just recently dropped. Sometimes companies feel like they can wait these things out a little bit. And it's that they'll get tired and trying to enforce that. What are your thoughts? If you had to tell the CEOs of large companies, here's what you can expect from government in terms of their attention, behavior, regulatory concerns and partnership? What should they expect?
Karen Evans 44:07
Well, I don't think that they can wait it out. That would be the first thing. Okay. Because I think you said it very clearly that it's only a matter of time. It's not, you know, it's never going to happen to me, it's really going to be when it happens to me, here is how I am going to respond. And I'm gonna have to show that I've done due diligence. I think you're seeing the market evolve, like cyber insurance, right? Like if you don't do some things with due diligence, it doesn't matter if you have cyber insurance, because if you can drive a truck through cyber insurance, right, the minute that you don't do certain things. I think regulation is going to play its way out on certain things. I think Congress is expecting that industry should be better at some of these things than they are. Which I think is pretty fascinating. You have a whole market that is developed all around this. I mean, sometimes I'm facetious, saying people really don't want the problem to be solved. Because, you know, there's millions and millions of dollars. I mean, I'm capitalist too, right. And so there's millions and millions of dollars to be made, but it just like, it's not going to go away, it's going to accelerate, and, and you're going to see different types of things that are going to happen. I think part of the challenge is that if you when you are a company, and what services you provide, if you want to be in the federal space, then you're really going to have to comply with a lot of these different types of roles, right? Because they are in statute, things are not going away. You know, you've got the Federal Acquisition Security Council, I mean, it's a big market, if you choose to play in the federal government, but it's not an entitlement. 
So they're not going to say, Well, okay, just because John really doesn't want to do this stuff, we're just going to go ahead and award a contract with him anyway, what's gonna happen is, John's company's going to be disqualified because they don't meet the certain thresholds that they need to meet. And so you're gonna lose business. So that that's going to be on the technical merits of solutions that you're putting in place or your ability to protect government information. And that's what the controlled unclassified information piece is about, right? And so you truly are a partner, because you are getting government information and providing that service. So how are you protecting that government information? And how are you doing your part? So it's not going to go away. I think it's going to accelerate; it is going to evolve. And so that part, and then is it costly right now? Yes. So that's why you have to really look at solutions so that it doesn't become a barrier for entry for small and midsize businesses as well, because there's a lot of innovation that happens at small and midsize businesses and they have to be able to participate so that you can bring those solutions in.
John Dillard 47:17
Awesome. All right. Well, I want to shift gears a little bit and take some audience questions. So if everybody could type their questions into the Q&A box, and we will get to those while you are typing. As usual on the webinar, we ask a quick poll question. If you want to hear from ThreatSwitch at any point, we're gonna launch that now. While you look at that lovely question, you can type your questions in for Karen. And we will answer them in turn. So I'll give you about 30 seconds. Imagine that there's Jeopardy music playing while you collect your thoughts. And we'll jump in. I have a couple good ones teed up. And I have one too. I have a couple. But I'll get to the audience's first.
Karen Evans 48:03
John Dillard 48:04
I think we've just about got everybody so we can close the poll. And let's jump in. So the first one that is here. So it has to do with industry in its incident response capability, specifically, aligning cybersecurity education, which I know is a passion of yours, because you've been involved with all those things. What specific actions does industry need to take to sharpen cybersecurity education with market needs? Or maybe the broader question is really whole of society needs or partnership with government needs?
Karen Evans 48:38
Okay, so I'm actually participating in another study as it relates to this. So when you really look at the education, right, it depends on the mix that you're looking for. And there really is a lot of debate between a four-year degree and community college hands-on, you know, versus theoretical. So, you know, like education, the ability to think, versus the ability to demonstrate, so I'm going to go all the way back to the initial Hey, Karen, you're a chemistry major. I'm also an applied science major. And so when you look at chemistry, the applied pieces, the lab, and so if you think about if my education came out with I had to do lab experiences, so that I could really understand, you know, the impact of mixing chemicals and what does you know, copper look like and how does this work? I think that's the big debate that you're seeing right now is, um, you know, when people graduate, especially sometimes in some of these colleges, they're taught to really understand the CISSP certification, right, because that's the quintessential certification, working with certifying bodies, so the HR people don't have to reinvent the wheel and they can look at resumes, is how do you reinvent some of these certifications so that the certification is actually testing the right things. So that when you bring those people on board, and they have the letters after their names, you know that they've demonstrated those capabilities so that when they're put in that work situation, they at least have those skill sets. And then they can learn within your environment and your culture. So a lot of work continues to go along in those path, pathways, and also to update curriculum of what's happening in the four-year degrees.
But the other part, which I'm seeing now, and I actively participate in and pushed on, are things that are happening at the four-year colleges that are giving you joint majors, like where you, you know, you, you're, you have a computer science degree, but then you also if you stay an extra two semesters, you end up with a master's in cybersecurity so that you actually understand business and business risk associated with computer science, or so these joint degrees of making, like doctors cyber aware, they're not cybersecurity specialists, but they're cyber aware because of the impact of all the different types of equipment that they use, and how it's affected the network and how it can impact them as a professional.
John Dillard 51:22
Well, as a follow-up to that, and this is my question, given how quickly the threat landscape changes, right? It used to be maybe every couple years, it materially changes. Now, it's like every three months, if that? How do you maintain a level of awareness, especially for the non-professional classes? When you know, you know, a couple years ago, folks were told that if I had a strong password, they were probably okay. And if it had a letter, a number, they were all right, which is probably not good guidance anymore. And so how do you keep both the security professional, certainly, but also the sort of rank and file folks? How do you keep them aware, given the rapid rapidity of the changing threat playbook?
Karen Evans 52:03
Well, in theory, that's your cybersecurity education that, you know, every government employee has to take it every year, right in October, Cybersecurity Awareness Month, and you go through a bunch of this, but a lot of this is education. And, and you're hitting on, what are the basic fundamentals, right. And one of the easiest things is, and especially when I talk, you know, to folks is, the easier you make it for yourself, the easier you make it for a criminal or for your adversary, like the, you know, the more you consolidate things, it is easy, it makes it easy. You know, like Microsoft used to ask, Hey, do you want me to store this password for you? Yeah, and I'm like, No, no, it's not, like following me around everywhere we go, right. But people are like, yes, yes. Because I don't want to remember all my passwords, right. And so, you know, again, if I understand the risk associated with that, like, I don't do banking online, you know, I don't spend doing banking online, but the world has changed as it relates to credit cards online because of the consumer protection piece. So there's a lot more protection. So if my card gets messed up, you know, the bank is supportive, where they used to not be and then you can challenge those, right? So society has moved with some of these things. But if you're managing a big enterprise, again, this gets to the maturity of these processes, and the communications and roles and responsibilities. And so if your leader, you know, like a CIO, you know, Vice President and whatever, can really articulate that and not do death by PowerPoint to the CEO, then the CEO has the information to make those trade-off decisions as it relates to risk.
John Dillard 53:56
Got it? All right. Another one here, this one's on IT. Actually, I think you touched on this a little bit. The not just the companies that are delivering services to the federal government, that might be fairly straightforward. But for companies that are delivering software, what is the product liability for those companies? Should it be different? Should we be regulating that product liability differently? Specifically, you know, is there some mechanism by which companies can be held accountable for the quality of their product, the same way that they are in other industries?
Karen Evans 54:28
Yeah, that's a great question. And actually, that really is something that's really being looked at. And when we talk, we briefly talked a little bit about this as it relates to the executive order. So NIST, who we talked about earlier, has actually issued guidance on critical software, and then the tenets associated with the production of critical software. So say for example, you know, government really isn't one of your clients, but you're dealing with backup, like you're a backup company, you know, backup software types of things. The general practice and how you should be developing that code and what your business practices are, you know, within your company, because this is critical software, which kind of gets back to the whole SolarWinds, the way the software was developed and how, you know, even though they did signing, they forwarded the signing and a bunch of different things, right. And so like, how are you managing that process? That is now outlined in this guidance document. I think what you're going to see is it's laying the foundation to be able to really answer the question about how much product liability do I really have. Because if I haven't really done due diligence in my software development, you know, the end, I want to go and do an IPO, and then I have a whole big issue, then, you know, maybe the company should crash and burn, right? Because they're critical, they're providing a critical piece, it's not like the National Institute of Standards didn't outline what this should be. And, you know, this is how you should be, this is how you can demonstrate due diligence, you're seeing a lot of that foundation come out now, like those documents have just been released through the summer. And the government's going to require that within the contractors who are providing those services within the government. But you can see where industry always uses NIST standards anyway, and so does the world, which means it's going to lay that foundation.
John Dillard 56:31
Got it. Have another one here on MSSPs. Specifically, the question is a lot of even large companies rely on MSSPs. Is that model broken? And maybe, you know, going a little further editorializing, does company reliance on MSSPs present some systemic risk in our economy? Are we doing it right? How is that model working? And do we need to worry about it?
Karen Evans 56:57
So I am going to say yes, we need to worry about it. But no, the model, we should not revert back to on-prem solutions, okay. And so, um, and the reason why I say that is, is because they are very focused on key things. So like in DHS, there is no way in heck that we can understand all those different operating environments, right, and be able to manage at scale the way that the cloud service providers can do. And so what the cloud service providers as a managed service provider can do is actually provide that security that needs to be there. But now I'm back to that information sharing and the terms and conditions that you put in your contract. So you have to be clear about what your expectations are in your relationship with the MSP, right? And then you have to be able to enforce it, because you're relying on them. And, you know, where is that line of demarcation? And this gets to that same question that we were previously answering about where do the liabilities start, and where do the liabilities end. And, and that's what you're seeing play out a lot, right, with Microsoft, as a cloud provider, but I would, I would strongly, strongly argue against people trying to bring things back on-prem, because we just don't have the workforce and the skill sets. And now I'm tying in all the other pieces for you to go along. You can't go it alone, you have to work with these other people, because we're interconnected. And you can build this island as much as you think that you can, because you need the services in order for your company to be successful. Got it.
John Dillard 58:43
Alright, I think we have time for one more, this one actually ties in the New Orleans hurricane thing. Speaking of incident response, you've got most people who are still without power in New Orleans. And I think that the questioner here is you're looking at a situation, it could have been an attack on the grid, it happened to be a natural attack on the grid. But there's a long lapse in the ability to recover it when we see these kind of things. And we feel like the response is not rapid enough, or gas lines are getting long, or whatever it is in the case of Colonial Pipeline, is that typically an indication of something that, you know, was a poor preparation, or exercise of their incident management skills? Or is this just something we have to kind of get used to because of the complexity of systems we use?
Karen Evans 59:30
So it's probably yes to everything that you just said, or, or right? I mean, you can give another example of anybody who's on this call that was in Texas, when this past winter when things happened in Texas, like and now they've replaced that whole board. So when you're talking about are you going to be held accountable and how certain things are going to be done. You know, that that decision and some of the things that happened with renewables like Dude, we don't have good long-term storage energy solutions. That's what has to be reinvented when you're looking at so that that this those particular things like Louisiana where the grid is, you know, the power is so critical to everything that everybody does, right. And so people who live in rural America, like I have a generator, you know, like there used to be without power up to a certain time period, and then it becomes Oh, okay, now there's a problem, right? And so, you know, those types of things have to be looked at, I think some of the infrastructure issues are really being called into question with that particular company, and then looking at how do you then invest? Because when you're really you get down into some of the communities, and some of these things like the rate structure and the power industry and how they're regulated at a local area constricts the way that investment can happen for capital improvements, because you don't want your power bill to go up. And so you have to balance what is happening with the consumer versus, you know, how much can be reflected in a rate versus, you know, how do we do stuff? And then when these incidents happen, like Texas, now Louisiana, it highlights, you know, that intricacy? And then where do you get the relief in order to do the capital improvement to the benefit of the consumer?
John Dillard 1:01:30
Awesome. Um, final question for me. And really, this is an opportunity for you to share your final thoughts, I love to ask the folks who are guests what their one takeaway is, for people who are looking to be successful leaders in security, what's the one thing that they need to know. And with that, I'll let you share your final thoughts with
Karen Evans 1:01:49
How to be a successful leader in cybersecurity. I, so I would say I've been hitting on different pieces of it. But my most critical thing is being able to talk about it in a business sense that resonates with your business partners. You know, regardless of whether you're in government, or regardless of whether you're in private industry, you have to be able to talk about the risk in a way that resonates with your business partners, because it is all about partnership. You will be successful when you have successful partnerships within your organization, across your organization, outside your organization.
John Dillard 1:02:34
Perfect. That is a great way to wrap up on. Thank you so much, Karen, it was a delight chatting with you. This is an incredibly important topic and I was glad to have you on the on the webinar with us. As a reminder to everybody, we will be posting a recording and transcript. Karen mentioned a bunch of really useful sources of info that we will link in that as well. So you'll have access to an effort. And for those of you who like these things, we're doing another one in November. So we're gonna have Todd Stevens, who is a partner at Armstrong Teasdale. He is a lawyer, but he is the most hilarious lawyer I've ever heard. He's a fantastic speaker. And we're going to talk about some specific regulatory developments related to the general security compliance and cybersecurity compliance, CMMC among them. So with that, thank you very much. Thank you, Karen. It was great to have you and everyone have a wonderful weekend. Thank you.