How do you build cyber resilience? How serious is the threat of cyber warfare? What’s new in cybersecurity training? These are things all business owners – large or small – need to know to keep their data safe.
We recently discussed these issues and more with Matthew Butkovic, technical director – cyber risk and resilience at the CERT Division of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh.
How do you mitigate cyber risk if you’re a mid-size business?
Butkovic said it’s all about the mission. “From a kind of fundamental risk perspective, the question is, what can jeopardize that mission? What can make you less resilient?” he said. “Organizations are going to have disruptive events, and we know that we can’t get risk to zero. I think the key differentiation is if you’re a government agency, or the Department of Defense, you’re subject to a set of threat actors that may have different motivations than those that are attacking immediate middle-market manufacturing.”
Butkovic talked about prioritizing the “critical few”: “And how do you decide the criticality of something? Well, you have to understand what they do. I would argue all organizations, whether you’re Fortune 50, or a startup, or seven people making things for Etsy, and you have a web presence, you should start with, ‘Here are the key things we do, prioritize those things.’”
How do you approach building resilience?
Butkovic suggested building on those priorities. “Once you understand the assets and the services, the things that you do, you then have to make some decisions around how critical those things are in relation to some timescale. ‘So how long can I be without the clearing and settlement function?’ And I think that in my profession, we tend to gloss over this,” Butkovic said. “When I was in industry, I spent a lot of time doing business impact assessments. I think the value of that can’t be overstated. You need to think about ways to quantify the risk. So, if I say, ‘clearing and settlement represents X percent of our business, and we will lose Y dollars at a specific point,’ you’re now calculating the recovery time objective for a system. So that’s some tolerable downtime. It’s not just for banks or manufacturing: You can have a pizza shop and do the same. And the question then is, ‘Well, what are the things that endanger that asset? What are the cyber threats?’ And once you start ticking those off, you can start deciding where to prioritize investment in defenses and also in the capability to recover it.”
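The business impact assessment Butkovic describes above, and the "critical few" prioritization from the previous answer, can be sketched as a small calculation: for each service, estimate dollars lost per hour of outage, decide how much loss the business can tolerate from one incident, and the ratio is the recovery time objective. The Python below is an added illustration, not code from CERT/SEI or from the interviewee. It assumes a linear loss model (real assessments often use step functions that jump at payroll runs or settlement deadlines), and every figure in it is constructed.

```python
"""Toy business impact assessment (BIA).

Derive a recovery time objective (RTO) per service from its share of revenue
and a tolerable-loss threshold, then rank services to find the "critical few".
Added example, not CERT/SEI code. Loss model and all numbers are constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    revenue_share: float           # fraction of annual revenue that stops when this is down
    penalty_per_hour: float = 0.0  # contractual/SLA penalties accruing per outage hour


def hourly_loss(svc: Service, annual_revenue: float, operating_hours: float) -> float:
    """Dollars lost per hour of outage (assumed linear in downtime)."""
    return svc.revenue_share * annual_revenue / operating_hours + svc.penalty_per_hour


def loss_after(svc: Service, hours: float, annual_revenue: float, operating_hours: float) -> float:
    """'We will lose Y dollars at a specific point': cumulative loss after `hours` down."""
    return hourly_loss(svc, annual_revenue, operating_hours) * hours


def recovery_time_objective(svc: Service, tolerable_loss: float,
                            annual_revenue: float, operating_hours: float) -> float:
    """Longest outage (hours) whose cumulative loss stays within tolerable_loss.

    A service that costs nothing while down has no deadline, so return math.inf
    rather than dividing by zero.
    """
    per_hour = hourly_loss(svc, annual_revenue, operating_hours)
    if per_hour <= 0:
        return math.inf
    return tolerable_loss / per_hour


def rank_critical_few(services, tolerable_loss, annual_revenue, operating_hours):
    """Service names ordered by RTO, shortest first.

    The head of this list is where defensive and recovery investment goes first.
    """
    scored = [(recovery_time_objective(s, tolerable_loss, annual_revenue, operating_hours), s.name)
              for s in services]
    return [name for _rto, name in sorted(scored)]


# Constructed figures for a hypothetical mid-size business.
ANNUAL_REVENUE = 10_000_000.0  # dollars per year
OPERATING_HOURS = 2_000.0      # hours per year the business actually trades
TOLERABLE_LOSS = 60_000.0      # the most the owners accept losing to a single outage

SERVICES = [
    Service("online ordering", revenue_share=0.60),
    Service("clearing and settlement", revenue_share=0.30, penalty_per_hour=1_000.0),
    Service("marketing website", revenue_share=0.04),
    Service("internal wiki", revenue_share=0.0),
]


def bia_report(services=SERVICES, tolerable_loss=TOLERABLE_LOSS,
               annual_revenue=ANNUAL_REVENUE, operating_hours=OPERATING_HOURS) -> dict:
    """Map each service name to its RTO in hours."""
    return {s.name: recovery_time_objective(s, tolerable_loss, annual_revenue, operating_hours)
            for s in services}


if __name__ == "__main__":
    report = bia_report()
    for name in rank_critical_few(SERVICES, TOLERABLE_LOSS, ANNUAL_REVENUE, OPERATING_HOURS):
        rto = report[name]
        print(f"{name:24s} RTO = {'no deadline' if math.isinf(rto) else f'{rto:.1f} h'}")
```

With these constructed inputs, online ordering must be back within 20 hours and clearing and settlement within 24 (its SLA penalty pulls it close to the larger revenue line), while the marketing site can tolerate 300 hours and the wiki has no deadline at all. The point of the exercise is the ordering, not the precision of the numbers: the first two services are the "critical few", and the threat enumeration and investment decisions Butkovic describes start there.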
How much of a threat is cyber warfare? How real is it?
Cyberwar is real, Butkovic said. “Richard Clarke says in his book, ‘Cyber War: The Next Threat to National Security and What to Do About It,’ what’s the dividing line between preparing the battlefield and being engaged in some aggressive offensive activity? It’s really blurry. And Jason Healey makes this point in his book, ‘A Fierce Domain: Conflict in Cyberspace 1986 to 2012,’ that the nature of conflict is changing. Or maybe the better way to put it is that traditional notions about conflict are difficult to square with cyber.”
Today’s events are no exception: “I think that there’s a lot of geopolitical events that are potentially destabilizing in cyberspace. The Russian invasion of Ukraine, tensions around Taiwan, all of these things, the perpetual North Korean situation. All of these things are stressors in that system. Will nations be prone to use their cyber weapons differently than they would other weapons of mass destruction? We don’t know. But the theory is there’s a lack of deterrence in cyber war.”
How do you manage training cybersecurity experts from multi-disciplinary backgrounds?
Butkovic said diverse backgrounds are key: “Most cyber practitioners come through the ranks as technologists. That’s both good and bad. I have the opportunity to do executive education for the Heinz College here at Carnegie Mellon. One of the things that I like to say to our CISO students is that, in my opinion, the skills that the next generation of CISOs need are quite different. The business acumen is key,” he said.
“I would argue that someone with a law degree that understands service-level agreements and contracts is as valuable as someone that knows how to code in Python, maybe more valuable. In our work in insider threat risk here at CERT, we have behavioral scientists, criminologists, people that understand human motivation.”
What themes do you see emerging in cybersecurity training?
He said gamification of training is a great new approach. “We find this is especially effective with younger folks, ‘I want to get the high score,’ not ‘I’ve got to get an 80 to get my certificate so my boss can check me off the list.’” Butkovic also mentioned virtual reality and cell phone gaming as training trends.
What can people do to protect their privacy?
Butkovic mentioned that the United States has only a patchwork of data privacy laws, while Europe is much more strict on privacy protection. “I also have to teach graduate students here at CMU, and in the course on information security, governance and policy. … Students from the U.S. and Canada are really uncomfortable with the government having their data, while students in Europe are more uncomfortable with industry having their data. And then students from authoritarian regimes are like, ‘Well, no, that data is not mine in the first place.’”
Cybersecurity concepts aren’t complicated, Butkovic said. “The truth is, this isn’t beyond any organization or anyone, that if you start with the basics and focus on the fundamentals that will see it through. And I guess the other thing I’d offer is, you know, be smart consumers of technology, don’t believe that the next generation of magic box with blinky lights is going to save you. We need to get out of that mindset.”
Butkovic offers plenty more skills and advice in the full interview: