Despite widely publicized data breaches in recent years, many companies still don’t have a culture of security that measures up to today’s cybersecurity threats, says CenturyLink Chief Security Officer R. David (Dave) Mahon.
In particular, at midsize companies and those in less regulated industries, there is less preparedness and greater risk. On the other hand, he believes large companies in well-regulated industries such as financial services, healthcare, and defense contracting “are relatively mature in their internal cyber programs.” But even more prepared organizations often have room to grow in evaluating their supply chain risks.
Who has access to the network?
“If you look at supply chains like CenturyLink’s, we have thousands of vendors, and I have to evaluate each and every one of those if they are going to get access to our network,” says Mahon, a former FBI special agent for 30 years, whose role at the third-largest telecommunications provider in the U.S. spans information security, cyber defense, critical infrastructure protection, physical security, network fraud, and industrial security.
When meeting with customers — typically either when a company has suffered a breach or a board of directors has had occasion to question cybersecurity preparedness — he explains the need to develop a cybersecurity strategy for the entire enterprise ecosystem and gain a full understanding of the enterprise’s network. “There is the network you think you have and then there is the network you actually have,” he says.
The bad actors
There are many threats to be aware of from what Mahon refers to as the “five bad actors” of cyberthreats:
- Nation states, such as China, Russia and Iran
- Large-scale criminal enterprises
- Terrorists
- Hacktivist communities, such as Anonymous and LulzSec
- Insider threats
To understand how to prioritize those threats, he says, “you have to know and be able to explain who you are as a company, what data you have, and really understand what each of the bad actors would be after in your organization. Then map your controls accordingly.”
Chinese, Russian and Iranian intelligence agencies, he notes, are constantly monitoring trade journals and websites to spot government-related contracts, for example. “If they are trying to compromise technology, they want to get it in the incubation development stage before it gets transferred into the government network.”
Mahon offers up some tips for companies in reviewing cybersecurity strategies:
1. Be aware of everyone connecting to your networks. With multiple vendors providing multiple pieces of the computing ecosystem and with no orchestration of the entire security challenge, “Companies often don’t even know their vendor is holding critical data.”
2. Develop annual initiatives. Be able to explain them in layman’s terms so that top executives and boards of directors can say, “I understand and I have a reasonably developed cybersecurity strategy” designed and implemented to keep the network safe and assets protected.
3. Don’t get caught up in infrastructure investment paralysis. “With the managed security services that are offered today you can literally go out and get what I call the corporate bundle – platforms and applications that may actually be faster, cheaper and smarter for you.”
4. Boards of directors, take note. Ultimately, boards of directors will be increasingly attuned to cybersecurity issues. “They’ve watched boards of directors facing litigation for negligence; they also understand they’re going to need cybersecurity insurance and the brokers and underwriters are asking more detailed questions,” he says.