The #CyberAvengers are: Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma & Christophe Veltsos
Pick your story regarding the most recent data breach. Tens of millions of records lost here, hundreds of millions of records lost there. No real clear rules of the road. It’s almost as though we have reached a fatigue point, in essence, succumbing to this new normalisation: data loss is ubiquitous to all of our personal and professional affairs.
This normalisation, partially excused by the ‘I’m sorry’ or ‘we could have done better’ comments of executives, has not really jump-started any serious change in how we protect data. Granted, some of the publicly listed companies have felt some heat on the stock exchanges, a few million here, a few billion there, but at time of writing, we have not seen a seismic shift in how businesses in the US operate when it comes to data protection. And as a result, we continue the normalisation of data loss.
If this situation holds true, we should be scared because we further drift into unknown waters. You see, the effects of ubiquitous data loss to a society and transactional business are unknown and, in all likelihood, are not linear. Not only are the individual risk profiles for each party amorphous, but the risk profiles are influenced by relationships between parties, precisely as each party, independently, builds more risk into their own profile. In other words, we are not adding risk as it relates to data loss; rather, we are multiplying risk. How will this impact how we do business? How will it impact how we live?
As our risk profile moves us towards greater fragility, we are left wondering which business model will be left standing: the one where data loss is universally ubiquitous and accepted as a normal cost of business or the one where data protection is not only paramount, but absolutely necessary for successful business? Our preference is certainly for the latter, but short of that seismic shift we spoke about before, we’re not sure how we get there if current conditions hold constant. Because all of our future depends on turning this around, we have to find a way and that begins with a shift in thinking.
The #CyberAvengers work closely with and understand the needs of business. We understand that, for a company, one of its paramount needs is to stay in business. Few, if any, companies will be very concerned with the ethics of producing, consuming and holding too much data if they can no longer remain in business. We get that. We also get that just a few years ago, many companies did not even want to discuss things such as cybersecurity and data protection, much less devote resources to them. Since then we have seen some progress and companies are now willing to commit some resources to cybersecurity and data privacy, but they still think that minimal resources and minimal effort are enough, and only as long as it is not too inconvenient. We need more progress. Companies must understand that the seriousness of these threats requires serious commitment. They must change the current mindset and stop expecting that security will be quick, easy and cheap – they must understand that it takes commitment and resources, but it is worth it because, in the end, good security and data protection practices are not only good ethics, but also good business. A guiding principle of cybersecurity and data protection is that you do not have to protect what does not exist. And that brings us right back to the ethics and risks of producing, consuming and holding too much data.
The big issue
Let’s face it: we are data hogs. If we’re not producing data, we’re consuming it. It’s almost as though we are addicted to data and it’s no wonder why. Data can be very valuable, with some recently calling it the ‘new oil’. And that raises two questions: how much is too much, and what responsibilities do we have, both when we produce data and when we consume it?
Consider for a moment that some time in 2016 we entered the ‘zettabyte era’. Some numbers are needed to show how profound that figure is. 128 GB, the size of an average USB stick these days, converts to 128,000,000,000 bytes. 1.28 ZB, the estimated amount of global IP traffic in 2016, converts to 1,280,000,000,000,000,000,000 bytes. The orders of magnitude are well beyond what we mere mortals are able to comprehend on a daily basis. It’s like comparing a $20 bill to the $20 trillion in US federal debt.
Here’s the first problem with so much data: processing, analysing and reacting to all this data is well beyond mere mortal capability, which is why the artificial intelligence (AI) race is the new space race. It’s safe to say that the #CyberAvengers have non-homogeneous views on AI, except on this point, where we are all in agreement: AI is great if used as a precision, surgical tool designed to identify, prevent and respond to network attacks. Not only is it great, it’s absolutely necessary simply because of the sheer amount of data that is flowing.
Beyond that use is where the waters begin to get murky, as AI is also used to determine preferences, habits and so on, all issues that cross into privacy and behavioural discussions. And that’s where the ethics argument begins to take greater hold, simply as a matter of practicality.
The circular argument starts to take form
We need more data to conduct business, whatever your reasons: optimisation, efficiency, better customer experience, you name it. We need more technology to process this data. We need more data to make the technology run more efficiently. We need more data to help the technology become more secure.
Under this model, there is no conceivable way to protect less data, only more. And, so far, businesses have demonstrated that they are not very good at protecting data and that it is not much of a priority to them.
As a result, this model really leads to only one of two conclusions: either greater dependence on technology to protect our data, something that makes the system more fragile as we add unproven pieces of technology to an already inherently vulnerable system, resulting in an increased risk profile from a data loss perspective; or becoming more selective about the data we produce, consume and hold on to, resulting in a decreased risk profile from a data loss perspective.
In today’s environment, data equals risk and more data means more risk. It’s simple really: the less I produce, consume and hold on to, the less I have to worry about. But, regardless of how simple it may be, the allure of data always seems to prevail, and we fall back into the old ‘more data’ habits, conditioning ourselves into believing that, without this data, we cannot operate or be successful.
This statement should only hold true for companies whose primary business role is to collect data. With a quick review of the recent news headlines, it won’t take you long to figure out which types of companies those are. But for everybody else, ‘more data’ should not be the answer. The answer should be ‘enough data to get my job done, well protected and not one byte more’.
Applying the silver rule to data
The golden rule, or some variation of it, is generally known throughout the world’s cultures. A lesser known rule is the silver rule, ‘do not do unto others as you would not have them do unto you’. If we could apply this rule to how we handle data, our feeling is that we would take a giant step forward in our data protection practices.
Upcoming events may have an impact. We do see that some people and some regulators are legitimately caring about their privacy and personal data. And if this feeling picks up steam, it will be a market-driving force. Furthermore, in May 2018, the European Union’s General Data Protection Regulation comes into effect and it will be interesting to see how the citizens of the EU react, given that the regulators have been given the equivalent of Thor’s hammer against those seen to be violating the rules.
It’s the losses that motivate us to change, losses that come in the form of assets, customers and reputation. We appreciate that it is hard to slow down a product release when the market is demanding it, but we are at the point that we need to consider longer term costs, because one class action lawsuit ruled against your company could be the end of your doing business. This is what board members need to worry about.
Hold on to what you need and nothing more
If you’re in the business of collecting data and repackaging it to sell advertisements, you’re in a special category and you can expect your business models to come under question as people come to realise that they are not really the consumer, but rather the product. For everybody else, though, we have some very quick tips to help you get ahead of the curve.
Do an audit of your data and ask yourself: do I really need all of it? Understand, the more data that you hold on to, the more you put somebody at risk. And the more you put somebody at risk, the more liability you take on. Yes, you can have too much data, so dump what you don’t need. You don’t want that liability on your hands.
Be responsible custodians of data. That means creating an emotional connection to your customer’s data. Of course, that is easier said than done, especially when your small company has grown to become a large multinational corporation. We get that, but you still have to apply the silver rule. Rid yourself of the thought that there is such a thing as ‘efficient’ security and understand that security requires a commitment, resources and some inconvenience, but it is worth it. Security can be cost-effective, especially over time, if you take prudent steps to protect your data, such as employee training, instituting security-by-design methodologies and following established frameworks, such as the NIST Cybersecurity Framework. Cybersecurity costs – and all security costs really – are a tax on your business. There is only one case where cybersecurity costs can make you money: if you can prove to your customers that you are good at it. Your customers will pay for that intangible value if they can see that it is genuine.
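The data audit recommended above (“do I really need all of it?”) can be made concrete as a short script. The following is an added example, not code from the #CyberAvengers or from any project the article mentions: it takes a constructed inventory of data assets (hypothetical names, counts and dates) and flags every asset that has no documented business purpose, no agreed retention period, or that has sat unused for longer than that period. Assets containing personal data are rated “high” because those are the records that put somebody else at risk and the liability on your hands. The field names and thresholds are assumptions chosen for illustration, not a standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# All names, dates and counts below are constructed for this example; they do
# not describe any real company's data.


@dataclass
class DataAsset:
    name: str
    purpose: Optional[str]          # documented business purpose; None if nobody can name one
    contains_pii: bool              # does it identify people (customers, staff, visitors)?
    records: int                    # rows, files or people it describes
    last_used: date                 # last time it actually served that purpose
    retention_days: Optional[int]   # agreed retention period; None if none was ever set


TODAY = date(2018, 1, 15)   # fixed audit date so the result is reproducible

SAMPLE_INVENTORY = [
    DataAsset("customer_orders", "fulfil and invoice orders", True, 120_000, date(2018, 1, 14), 7 * 365),
    DataAsset("marketing_leads_2014", None, True, 45_000, date(2015, 3, 1), 730),
    DataAsset("web_server_logs", "troubleshooting and intrusion detection", True, 9_000_000, date(2018, 1, 12), None),
    DataAsset("product_catalogue", "display products on the website", False, 3_000, date(2018, 1, 15), 10 * 365),
    DataAsset("abandoned_carts", "remarketing e-mails", True, 80_000, date(2016, 12, 1), 90),
]


def audit(inventory, today=TODAY):
    """Return one finding per asset that fails the 'do I really need it?' test.

    An asset is flagged when it has no documented purpose, no retention period,
    or has sat unused for longer than its retention period. Personal data makes
    a finding 'high' severity: those records put somebody else at risk.
    """
    findings = []
    for asset in inventory:
        reasons = []
        if asset.purpose is None:
            reasons.append("no documented purpose")
        if asset.retention_days is None:
            reasons.append("no retention period set")
        elif (today - asset.last_used).days > asset.retention_days:
            reasons.append("unused for longer than its retention period")
        if reasons:
            findings.append({
                "asset": asset.name,
                "severity": "high" if asset.contains_pii else "low",
                "records": asset.records,
                "reasons": reasons,
            })
    return findings


def pii_records_at_risk(findings):
    """Total number of personal records held without a defensible reason."""
    return sum(f["records"] for f in findings if f["severity"] == "high")


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f['severity'].upper():5} {f['asset']:22} {f['records']:>10,} records: {', '.join(f['reasons'])}")
    print(f"\n{pii_records_at_risk(results):,} personal records are held with no defensible reason.")
```

Run as written, the script flags three of the five constructed assets and totals 9,125,000 personal records that the hypothetical company is carrying as pure liability; the order records and the product catalogue pass because each has a purpose, a retention period and recent use. Replacing the sample list with a real inventory turns the “dump what you don’t need” advice into a repeatable check rather than a one-off exercise.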
In closing, the world view on data that prevails is what will determine the nature of data protection. If the world view that ubiquitous data loss is an accepted part of our daily lives wins, we’ll look back and say that not only have all our cybersecurity efforts been in vain, but the billions upon billions spent were a galactic waste of money. It will also demonstrate the inefficiencies of the cybersecurity industry.
But if another world view prevails, one that takes data loss seriously and does not believe data loss should be ubiquitous and actually puts limits on how we produce, consume and hold data, then perhaps we can chalk up this Wild West period to growing pains, really painful growing pains.
About the #CyberAvengers
Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them. Mr. Ferrillo regularly counsels clients on cyber-governance best practices (using as a base the NIST cybersecurity framework), third-party vendor due diligence issues, cybersecurity regulatory compliance issues for private equity, hedge funds, and financial institutions that have been promulgated by the SEC, FINRA, the FTC, and the FDIC/OCC, the preparation and practicing of cybersecurity incident response plans, as well as evaluating and procuring cyber-liability insurance to protect against losses suffered by companies as a result of the theft of consumer or personally identifiable information, or as a result of the destruction of servers and corporate infrastructure.
Chuck Brooks is Vice President of Government Relations & Marketing for Sutherland Government Solutions. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year” by the Cybersecurity Excellence Awards. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 500 million members. Chuck’s professional industry affiliations include being the Chairman of CompTIA’s New and Emerging Technology Committee, and a member of The AFCEA Cybersecurity Committee. In government, Chuck served at the Department of Homeland Security (DHS) as the first Legislative Director of its Science & Technology Directorate. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill, covering security and technology issues.
Driven by an intense passion for technology and innovation, Kenneth Holley launched Information Systems Integration (ISI), a Washington, DC-based information technology (IT) services and consulting firm, in 1993. Serving as ISI President and CEO for the past 23 years, Kenneth has provided IT consulting services to firms across the United States, with a particular focus on infrastructure security and data analytics. In recent years Kenneth has assisted many clients, including foreign sovereigns, in ensuring brand and profile security as well as in building engaged communities within the social media realm.
For over 15 years George Platsis has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs. Professionally, he has worked on projects related to business development, risk/crisis management, resilience, cyber and information security, and cultural relations. He also creates custom-designed educational products and workshops, has been published, is a regular commentator, and public speaker. Currently, his professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas. Some of the issues he tackles include: business continuity, resilience strategies, social engineering, insider threats, psychological warfare, data manipulation and integrity and information dominance. He is a team member of SDI Cyber, based in Washington, DC.
George Thomas is President of Three Hill Shoals, a firm that provides strategic advisory services to firms with a particular focus on addressing cybersecurity as a corporate governance issue. Over his twenty-five-year professional career, Mr. Thomas has held a series of positions in banking, trading, asset management and auditing at a broad range of financial services firms including General Electric, Citigroup, State Street Global Advisors, Instinet, and Nomura Securities International in New York, Boston and Tokyo, Japan. George currently splits time between New York, Boston and Bermuda, the risk capital of the world, and has a keen interest in real world implementations of next generation technologies including blockchain, quantum computing, machine learning and artificial intelligence.
Shawn Tuma is passionate about serving his clients. He honors the trust they place in him by working hard to achieve their objectives as effectively and efficiently as possible. His integrity, intensity, and drive for excellence have helped him become an internationally recognized attorney and thought-leader in cybersecurity, computer fraud, and data privacy law, areas in which he has practiced for nearly two decades. He was a Partner at Scheef & Stone, LLP and General Counsel and Director for the Cyber Future Foundation. Shawn frequently assists clients with cybersecurity and data breach related incidents, both as cyber insurance panel counsel and direct engagements. For proactive companies, an ideal role for him is to serve as a member of their team as outside cybersecurity counsel to help them prepare for and minimize the risks of doing business in today’s cyber risk-laden business world. Then, if a problem does arise, he is there to guide them through resolving those issues as well. He has worked his entire career as both a cyber lawyer and a complex business trial lawyer, a combination of experience that equips him with unique skills for helping businesses assess, avoid, and resolve problems in a very expeditious manner.
Chris Veltsos, aka Dr.InfoSec, is passionate about helping organizations take stock of their cyber risks and manage those risks across the intricate landscape of technology, business, and people. Whether performing information security risk assessments, working alongside CIOs & CISOs to set and communicate strategic security priorities, or advising board members on effective governance of cyber risks, Chris enjoys working with business leaders to improve their organization’s cyber risk posture. As a faculty member at Minnesota State University, Mankato, Chris is Graduate Program Director for the Professional Science Masters degree in Information Security and Risk Management (ISRM PSM) launched in Fall 2015. Chris has written over 45 articles for IBM’s SecurityIntelligence.com blog on cyber topics such as the relationship between CISOs and board directors, effective security awareness, cyber resilience, and the communication and governance of cyber risks.