See Yourself in Cyber: Q&A with Deepwatch CISO David Stoicescu
While we at Deepwatch celebrate cybersecurity awareness every single day of the year, each October we are excited to celebrate Cybersecurity Awareness Month! Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace.
Throughout the month, the Cybersecurity and Infrastructure Security Agency (CISA) will be sharing helpful resources under this year’s theme of “See Yourself in Cyber,” highlighting the actions that all Americans can take to raise the baseline for cybersecurity across the country.
While we in the security industry think about “Cyber” everyday, this month is an opportunity to continue informing and mobilizing the rest of our friends, family and colleagues to practice good cybersecurity hygiene. For additional perspective, we’ve asked our chief information security officer (CISO) David Stoicescu how he’s thinking about Cybersecurity Awareness Month this year. Read this Q&A with David to see what this year’s theme of “See Yourself in Cyber” means to him, as well as additional tips and insights for spreading cybersecurity awareness.
Q: What do you think about this year’s Cybersecurity Awareness Month Theme: “See Yourself in Cyber”?
A: I think we hear quite a bit about the talent shortage, really from everywhere these days. Honestly speaking, I have a hard time coming to grips with some of these numbers. I feel as if every time I turn on the TV, there’s some tens of thousands of open opportunities in Cyber alone, and not enough people to fill the need.
I’ve been doing some hiring of my own recently, as we put a major emphasis on having a strong and capable InfoSec team that scales with our business demand and complexity. I’ve noticed that it’s taking longer to find qualified candidates, at increasingly elevated salaries. In my opinion, this challenge and its impact on a business’s ability to maintain efficient and secure operations is why more CISOs and CIOs are looking to service providers.
These challenges further underscore the need to promote from within and hire people who have the traits and skills needed to be successful in the role, as opposed to experience with a certain piece of software or a specific certification or degree.
Here’s what I’ll tell you, alongside everyone I’ve ever coached through becoming an InfoSec professional: if you’ve got the drive and passion for solving problems, and are curious about how you can get at the root of a cyber event, then this career is something you should most definitely explore. There’s an abundance of security books and online courses available, free of charge. Listen, a degree or certification is great. What’s even more valuable and what I look for in any candidate, is drive and passion. Have you used available resources to learn? Have you set up a lab to experiment? What streams of content are you subscribed to, so you can learn about the latest cyber events?
I really hope that by spreading awareness, and awareness of the types of job opportunities that value drive, passion and commitment, beyond just technical requirements, that more people can see themselves in cyber, and take those early steps to get started in the field.
Q: How do you help friends and family outside of work stay aware and vigilant about cybersecurity?
A: To be brutally honest, most people don’t think about cyber security – even after hearing about breaches in the news weekly. The general population is becoming desensitized to cyber security breaches and it can make us feel a bit hopeless about what we can do to move the needle even a little bit. But we can all take actions to improve our security postures, personally, at work, at school, and as a country.
Friends and family, focus on the basics!
- Lots of people will tell you to not use the same password for all of your accounts. Most of us do, because it’s convenient. Consider this, if you use the same password for 10 different accounts and one is breached, that password is now likely on a list that’s distributed amongst threat actors. It’s quite simple to pull up a list of someone’s name, and all associated passwords in past breaches. An attacker uses this information to attempt login into various accounts. So, use long passwords for all of your accounts, and make them unique. Consider the following tools to make this process easier and simpler to manage: 1Password, LastPass, or Apple’s built in password management on iOS and macOS
- This should be a continuation of the first item on the list, but I feel like it really deserves its own piece of the pie. Multi-Factor Authentication (MFA). Most applications will now support MFA, but it’s optional. MFA is another factor of authentication layered on top of your password. For instance, when logging into your bank account, you may be asked for a PIN delivered via SMS message. This is an example of MFA authentication. Most applications don’t make enabling MFA obvious, so check your account security settings to see if it’s something you can enable.
- If you get a text, call or email from your bank, a major retailer you shop with or otherwise, assume it’s a fraud attempt. Hang up, search the web for the Customer Service number for whoever called, and verify the information yourself. Never click on links or call phone numbers included in emails, voicemails or SMS calls. Threat actors have all types of information about you available at their fingertips, courtesy of free services we sign up for use everyday. I always tell my friends and family, anything free just means you’re selling them your data in exchange. Data attackers sometimes obtain and use it to perform fraud or other malicious activities.
- Lock your credit bureau accounts. Experian, Equifax and TransUnion all offer free credit locking capabilities, and monitoring for a fee. If your financial information is stolen, locking your credit will make it that much harder for them to obtain credit accounts in your name. Unfortunately, if this does happen to you, there’s little recourse in fixing your credit worthiness. Frankly, I’d love to see this change.
Q: CISA’s primary guidance for Cyber Security Awareness Month includes MFA, strong passwords, recognizing and reporting phishing, and updating software regularly. How should people prioritize these? Do you have any other other tips?
A: As stated previously, all of those are very good measures to take. Strong passwords, MFA and password managers are by far the most important. If you can, buy an external hard drive for backup purposes or use a cloud backup service to keep copies of important files and photos. There’s been a massive increase in ransomware attacks in the last couple of years. If you or your business is hit with ransomware, recourse could be expensive. When this happens to an average Joe, attackers usually don’t unencrypt your data after being paid, it’s simply too much work for them, as they’re hitting tens of thousands of computers at once. Do yourself a favor, backup what’s important. The most secure way to do so is offline backups to your external hard drive. Alternatively, a cloud backup service such as OneDrive or iCloud is critical.
Q: How do you enable cyber security awareness and operationalize it in the workplace?
A: In my travels, I’ve found security to be of least concern for some companies until they experience a cyber event. All of the sudden, there’s an influx of cash and awareness to solve the problem. This approach could work for you, but I’ll go out on a limb and say that it’s not what the majority of shareholders want to see.
A cyber event could adversely impact you monetarily, but most critically, it’ll impact your reputation and ability to create strong relationships with prospects, there’s a lack of trust. If you’re a publicly traded company, you now have to disclose cyber security incidents to the government; this has a lot of people thinking about their program and ability to demonstrate that they’re doing everything they can to safeguard and protect customer and employee data.
You may not have a CISO, that’s OK. Having a security function somewhere in the organization, even if it’s a part of someone’s job in IT, is critical. If you’re constrained by resources, consider an MDR provider to help you on that journey. Here’s the bottom line, something is better than nothing. At a minimum, you should have MFA enabled on your organization, strong passwords, as password manager, phishing awareness and training (not coincidentally the same principles for Cyber Security Awareness Month!), and a strong Endpoint, Detection and Response solution. The final component is someone to look at the telemetry from those systems, perform investigations and respond as needed. This could be someone you hire, or outsource to an MDR.
Q: What is one final takeaway for this year’s Cyber Security Awareness Month?
A: At the end of the day, you’re as strong and capable as your weakest link. Period, hard stop.
Everyone needs to take responsibility for their part in keeping an organization safe. An event of any size could adversely impact your company and this has a real impact on you and your coworkers, and shareholders of course. The majority of cyber events, otherwise known as “Insider Threats” actually happen from within an organization, by unsuspecting employees doing their job.
The vast majority of breaches happen through phishing, or spear-phishing. This activity involves an attacker sending you an email, designed to solicit engagement from you. This usually results in downloading something that ultimately gets a foothold on your computer, and spread to other computers in the business.
So what do I recommend? Assume all emails are malicious, and think twice before clicking on links or files within them, especially if they’re not expected. If you see something that looks funny, it likely is. Report it to your Information Security team, this helps reduce the likelihood of your teammates being challenged and falling victim to the same email.
Happy National Cybersecurity Awareness month! Please visit CISA’s Cybersecurity Awareness Month website and NCA’s Cybersecurity Awareness Month website, to get more information on how to get involved, as well as tools and resources you can use to help promote cybersecurity through October.
We hope to see a lot more folks throughout the month “seeing themselves in cyber” to address the workforce challenges and rising threats. In the meantime, if your organization is feeling constrained on resources needed to maintain effective security operations, check out Deepwatch’s eBook on “Cost-Effective Solutions to Address the Cybersecurity Skills Gap” here: https://go.deepwatch.com/cybersecurity-skills-gap-budget-deepwatch.