DATA SECURITY PODCAST
In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, and Michael A. Echols, CEO of MAX Cybersecurity and senior cybersecurity executive/critical infrastructure protection strategist, discuss the latest views on data security, and government security. The podcast can be listened to in it's entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is Mike Echols, a former DHS cyber director, point person for the development and rollout of the information sharing and analysis organization concept under the Obama administration, and author of the recently published book "Secure Cyber Life, The Government Is Not Coming To Save You". Mike was a designated federal official for the President's NSTAC and also chaired the Communication Sector International Network Security Information Exchange. Welcome, Mike. It's great to have you with us today.
Q: So let's discuss building cybersecurity capacity and increasing capability. Firstly, why is it so important for government and private sector organizations to make a cybersecurity investment now?
A: The world is becoming more digitized and many of the advancements that we have here in the United States are based on our ability to move data faster, and then move more data to the right people at the right time. This becomes a value add for any organization, business and even individuals. Think of our ability to use our smartphones. It also becomes a liability. And so, as we're developing technology, we have to very quickly mature cybersecurity to protect those investments that we're making in technology right now.
Q: And so what is the role of government?
A: So one of the greatest issues we have in the nation is trying to convince people that they are personally responsible for cybersecurity in their environments. And the issue is that most people don't understand the role of government. The government is essentially there to protect the government, but also to help build capacity across the nation, as well as capabilities.
So many of the government programs you will see are not designed to actually protect individual company networks or local community, so I mean municipalities. The Federal Government is designing those programs to help those communities to stand on their own two feet.
The Federal Government provides the facilitation and the mechanism to bring companies together so that they work towards reducing risk. The Federal Government creates the national programs, based on the greatest risk to those systems to help lower the risk. The issue is that when those municipalities, companies and individuals begin to believe that the Federal Government is protecting them, that means that those entities are not doing everything that they can do to lower risk.
Q: And what's at stake for the average American with the increase of cyber attacks?
A: At a minimum — their identity. And seeing these major cyber attacks, we often think "that company" is the victim. The reality is that when data and information is stolen from a major hotel chain or department store chain, the victims are typically those customers. Those customers have no understanding that somewhere down the line, that information is going to be used against them.
What's at stake here is when those identities are corrupted, many of those individuals have no recourse. There is no cybersecurity administration as a safety net for cybersecurity. There is no FEMA for response to cyber disaster. And so this means people have to be focused and aware that, the government is not coming to save them. And that applies to small businesses, major businesses, and local municipalities.
Q: And so how can companies immediately increase cyber capability?
A: So the first thing that every organization needs to do is to understand their risk. This is done through something that sounds really simple but most companies have not done it. They need to understand what all of their assets are and how those assets in an IT environment actually connect. Who they talk to and who's talking to them, and then they need to understand the threats that threats, this year, and not the same threats from three years ago.
But oh, by the way — some of the exploits that were being used against organizations eight years ago are still relevant if the vulnerability was not patched. And then, a company needs to understand what happens in their environment, on a daily basis. Meaning that if there is a change in their environment or in the controls that they have in place, there has to be a mechanism that tells them that an unauthorized change has occurred. Just by taking these steps an organization will lower their risk significantly.
Q: And so why does the government appear slow to act and demand meaningful outcomes when it comes to cybersecurity?
A: So the Federal Government understands their role because they've decided through their policies how they're going to interact with the private sector. In most cases the Federal Government protects that .gov and they assist to protect that .com. The internet is not regulated.
Most software and most hardware is not regulated, we have the option to integrate systems, as we see fit to be innovative, as US companies. The Federal Government is producing risk assessments. They're producing cyber training, they are producing opportunities for companies to collaborate. There are 26 million small and midsize businesses, there are millions of larger businesses.
And, in most cases those businesses and organizations do not know where to find the information that the Federal Government is producing. So in a lot of cases, the Federal Government is taking action and they are doing things to help the nation lower risk. The Federal Government just needs to find its way to those end users and the end users need to find their way to the information that's being produced. So there is a gap or delta that exists between the government and private sector.
Q: Right. Well, thank you so much for joining us today Mike.
A: Thank you for having me.
