When it comes to sharing knowledge about cybersecurity, Bob Gourley may well rank among the most prolific. His publication, the Threat Brief, is a must-read daily, and he also publishes CTOvision.com, helps with OODA Loop, and is fairly active on the LinkedIn platform called Pulse.
He’s got a lot to offer too.
After serving as a Naval intelligence officer for 20 years, he went on to work in a variety of related roles in government and corporations alike. Today he also runs a due diligence firm called Crucial Point, LLC, which examines the veracity of security products for enterprise clients – in addition to his publishing endeavors.
Even amid all his accomplishments and work tempo, Mr. Gourley is approachable and gracious with his time. We had the opportunity to catch up with him for a question and answer (Q&A) session to get his take on some of the trends in the cybersecurity space.
1) How would you characterize the state of cybersecurity?
BG: Dynamic. Cybersecurity has to be dynamic because the adversaries are dynamic. Adversaries are always changing, so our defenses have to always be changing. That’s something we’ve seen all throughout history. When an adversary wants something badly, they are going to keep fighting for it. In cybersecurity, that means they keep looking for the next vulnerability and trying to find ways to trick users to get what they want.
2) In thinking about how the threats change, what would you say are the top challenges right now for the enterprise clients that you serve?
BG: For the enterprise executive, whether it’s a CIO, CTO or CISO, their key challenges are always about how do they apply a limited budget to make sure their organization is secure and that it doesn’t impact the business. This applies no matter the industry.
The business of most companies is to innovate and deliver products or services to others. Unless you are a security company, the purpose of the business is not security, it’s to make, for example, chemicals that cure cancer, or develop rockets that go to Mars, or design aircraft that are faster, more economical and carry more people. As such, security is always something of an afterthought.
Generally, that’s the way we want it. We want companies that are investing their brainpower to cure cancer, to cure cancer, and we don’t want security to get in the way of that. So, the challenge of the CTO or the CISO in that environment is how to be secure enough to keep the bad guys out without interfering with your innovators?
3) What are some of the other security challenges they have?
BG: It’s really just the way you execute against that first challenge. The most efficient way to do this is to automate everything you can in the security world: automate monitoring, detection, alerts, and then automate what you can in response to an incident and network controls. If you can automate in smart ways, you can reduce the risk to your enterprise without slowing down your innovation.
4) What is it about cybersecurity that makes it so hard?
BG: It gets back to that word dynamic. You can read lessons learned and best practices, and you can get experienced people to help you put in a good security program and then the bad actors change a tactic and you have to relook everything.
It’s hard because the adversary is always changing and there’s no way around it. It means you have to stay busy. It’s like doing the laundry. There’s always something that has to be done.
The best approach is understanding that that’s the reality. You’re going to have to be agile. You’re going to have to automate everything you can. You’re going to raise your defenses by encrypting your most important data. You’re going to use two-factor authentication. You’re going to have an incident response team, but whatever happens, you must understand the adversaries are going to be changing.
5) You are involved in many different things in cybersecurity and one of those things is running a business which performs due diligence on security tools on behalf of clients. What does it mean to perform due diligence on a security vendor?
BG: A due diligence assessment is usually for a company that wants to study another company. That’s the short way to put it. A company that wants to study another company might want to invest in it, acquire the company or just buy their technology.
My expertise is in evaluating what security technologies do. While every scenario is different, a typical customer might say, “We’ve heard that a technology does something – can you confirm that for us?”
Then I make sure the technology performs as reported and, depending on the engagement, I might look at the documentation, or the software itself and tell the customer how it’s different or similar from other technologies.
6) What are some of the mistakes you see businesses or organizations make either in the due diligence process or in the procurement of cybersecurity tools?
BG: The market is now flooded with companies that are innovating in cybersecurity, so it’s hard for anybody to assess. At the RSA conference, for example, there are 500 vendors with different technologies on the floor. It’s just physically impossible to visit them all. If you want to study the technology landscape, this is an overwhelming number of companies and that presents a big challenge.
One of the things we advise clients to do is always start with a clear understanding of your requirements and your gaps. Then you can focus and narrow the field down before you do your market assessment and find those that are proven to address your requirements.
If you can narrow the number of firms from 500 down to 10 and then study those, and perhaps bring three in for a demo, it’s a much better process. That’s all in the category of a market assessment which is part of the due diligence activity.
7) Are there any cybersecurity trends out there that you find particularly exciting?
BG: One of the trends I’m interested in is security for cloud computing, and there’s a new concept called the software defined perimeter (SDP). The SDP concept stems from the defense and intelligence community, and it’s a comprehensive way to secure an enterprise cloud environment.
Traditionally, to connect to a network, a device had to be plugged in before it could be assigned an IP address. In other words, the device sees the network and then gets logged on. SDP flips this on its head. It’s a zero-trust model where the identity of a machine must be verified before it can even see any part of the network. It’s a way to keep unauthorized devices out of a network and it has the backing of the Cloud Security Alliance, which has 300,000 members.
8) You publish, or help to publish, several resources related to cybersecurity. Can you tell us about a few of these and what these try to achieve?
BG: Yes, here are three:
- CTOvision.com is written for the enterprise leader – the CTO, CIO, CISO and chief data officer that needs advanced warning of what’s happening just over the horizon. It helps those leaders focus their attention. It publishes daily and also offers tailored weekly products.
- The Threat Brief is a daily publication for any executive that needs to understand the cyber threat environment. It’s an easy-to-read digest of the most important security news that the average person can get through in just eight minutes.
- OODA Loop was created and is published by an icon of the risk community: Matt Devost. The name comes from the famous John Boyd construct of observe, orient, decide and act. The site provides analysis and insight on global security, technology, and business issues.
9) Here’s a lightning round of questions to close out this interview:
- One security expert you recommend following is… (BG) Matt Devost.
- If your clients suddenly got 10% more budget to spend on cybersecurity, you’d recommend they spend it on… (BG) training and awareness for the end users.
- If you could only attend one event in security, it would be… (BG) Future Proof, which is an invite-only conference that’s yet to be announced.
- If you weren’t working in cybersecurity you’d be… (BG) doing intel analysis – both require thinking about the adversary.