In his 30+ years with DuPont, security veteran Larry Brock has seen many changes. Now the former CISO at DuPont, Brock has launched his own venture consulting on information security and intellectual property protection from insider and advanced cyber threats.
1. What are the most noteworthy changes you've seen in the job of the CISO over the past couple of years?
The job has changed in many aspects, but one way is that a lot of CISOs have traditionally been very technical. And that is not a bad thing, but it's very important to grow beyond your technical abilities to be able to work with senior managers so that you collectively own information protection together. I can't stress enough the importance of forming partnerships with the senior level team -- the heads of legal, auditing, R&D, manufacturing, etc. This involves an expanded skill set of collaboration in order to be successful, and many companies are searching for these types of professionals. At many companies -- not just DuPont, but of all sizes -- there are persistent and advanced threats against trade information and if a company loses even a few of those secrets they will be faced with strong competition that can pose a real threat to the business. I have seen this happen where me-too products resulting from stolen key trade secrets to Asia were able to take away significant market share. I've seen organized groups go after proprietary information in a way that is truly espionage. In one case, a Chinese company went after retirees to get trade information; in another, an insider stole proprietary and technical information for great financial gain. In the past, companies worried about what would happen if an event took down the production of the company. Now the interest at the management and board level is or should be on theft of trade secrets. This has elevated the position of the CISO as a key leader who can help understand the risks and work with corporate, business and functional leadership to build a sustainable program to effectively manage them.
2. What do you think remains the biggest risk for companies with trade secrets and other IP to protect?
Most companies don't understand the risk; therefore, they are not taking appropriate actions to protect themselves. Part of the problem is building awareness and knowing the capabilities of the adversaries. On the technology side, the IT industry is evolving very quickly with two major shifts: the movement to cloud services and the proliferation of mobile devices. The challenge to companies lies in protecting their IP as they move to lower cost computing via these environments. There must be a willingness to protect IP. I've seen companies move some pretty sensitive information to CRM and office services. This means they are trusting their trade secrets to someone else. These environments are rich targets for adversaries. One fact is clear, no matter how good they get at protecting these environments, the adversaries will be better, with more tools, more resources, more zero-day type attacks. It behooves companies to seriously think about this as they move to the cloud, but also, the movement to mobile devices is just as risky. DLP with encryption capabilities is a key solution in protecting information as it moves to mobile devices. Solutions that protect information from being stored in cloud services while maintaining full functionality such as searching and sorting are also key.
3. What advice do you give companies attempting to protect data through their supply chain of contractors, vendors and other partners?
This is a very difficult challenge. The key is to start with strong legal agreements and sourcing teams who are fully on board regarding what is required from partners and suppliers. This took us a long time to understand how to develop a structured way to approach requirements using templates, etc. and how to go about vetting suppliers and their security teams. The big challenge is, even if you do a stellar job vetting the supplier or partner, you need to ask whether they ought to be trusted with your crown jewels. Unless you are capable of implementing DRM and DLP in a way that can assure control, you may simply want to not allow it. In some cases, you may want to break up parts of proprietary or trade secret information into pieces, black box some, etc., so that design portions that are sensitive are not part of the mix. You need to recognize that third parties are not as monetized to protect IP as you are, unless there are specific financial and legal penalties involved. I have been involved in cases where we specified that liability could be unlimited if a party allowed its environment to be compromised and impact our company.
4. Can private companies really hope to be in control of defending their sensitive data against persistent and advanced cyber attack? What about our most critical operations like power companies, water plants - are we taking enough concrete steps?
A private company acting alone has an increasingly difficult chance of being in control of their sensitive data, particularly against a nation-state sponsored attack. I call it an unfair fight. Even if the company has 100 security people, the PLA or other espionage-related cyber criminals are going to be building tools to stay one or several steps ahead. Many companies are also not willing to modify their business practices or spend the necessary money. I believe one of the keys to effective defense lies in collaborating with people in industry groups, government groups like the DoD, or a group like the Defensive Security Information Exchange (DSEI). There are other small sharing groups, and there is an opportunity to develop partnerships with trusted companies and those who are leading with mature programs. I have learned a lot through these collaborations, benefiting from early indicators of issues, best practices on how peer companies in the industry are responding. The ability to obtain actionable items can really made a difference. I think it is potentially a great role for the government to help companies in this capacity -- not as a regulator, but as a collaborator to foster sharing of information on a scale like DSIE and others have done.
The same model is applicable to protecting our critical infrastructure against attacks. A good example of how this collaboration is already working is Idaho National Laboratory's strong program for industry collaboration and partnership to secure electric grid against cybersecurity. Are we doing enough? I don’t know, I don’t think anyone does, but we have seen the clear value of people working together to become contributors of intelligence.
5. Every vendor says they can detect malware and other cyber threats better than the next. What is the truth?
The serious threats we see today are ones that we have not seen before, with indicators not publicized, which means that anti-virus and other tools do not have signatures for them. The vendors that detect threats based on behavior and can decipher bad behavior from normal behavior -- which is very hard to do -- are at a far great advantage. Attackers are getting very good at blending in, so it's important to know that abnormal behavior can look like standard traffic and vice versa. Some use very standard communications tools like twitter and most vendors cannot identify the difference. There are some vendors that are getting good at deciphering suspicious code. One is especially effective at applying controls in the early detection phase. This works by executing suspicious code and holding it in a sandbox. The problem is, adversaries know how this works and they know that people take home laptops and other devices and connect freely through home ISPs. I know very few companies where this practice is not allowed. So it's critical to have tools to protect the endpoint by detecting malware behavior and blocking malware actions to prevent data compromise on the endpoint whether it is on the corporate network or not.