Harvard Business School Wants To Know How To Win At Cybersecurity

HBS graduates now running cyberscecuity companies discuss the lessons they have learned  and identify some solutions.

There is evidence of the relative ease of these crimes in the prices that the stolen goods fetch in the underground hacker marketplaces. Credit card numbers—from premium cards, some offered with money-back guarantees if they don’t work—go for as little as $9. That’s just one segment of a booming hacker market: Attempts to knock a particular website offline can cost around $100; “Trojan” software that gives users control of other computers remotely is priced as low as $20.

And business is booming. A PricewaterhouseCoopers survey found that global security incidents rose 38 percent in 2015—the biggest jump in the survey’s 12-year history. Compared with sovereign nations, the cybercrime economy would have ranked 23rd in the world in 2014, besting the likes of Israel and Austria, according to the consulting group Hamilton Place Strategies. It’s not just independent hackers. It’s state-sponsored hackers who put on military uniforms and head off to their hacking desks in the morning. It’s ISIS. It’s the mafia. Every criminal trope imaginable is trying to get a piece of this.

All told, online crime inflicted $445 billion in damage to the global economy in 2014, according to a study by the Center for Strategic and International Studies. A $75 billion cyber-defense market has sprung up in the face of the threat, with analysts predicting it will grow to $170 billion by 2020. (In his proposed fiscal 2017 budget, President Obama requested a $5 billion increase in federal cybersecurity spending, up to $19 billion annually.)

Money is one thing, strategy is another. In an era of Internet-enabled refrigerators, powerful-and-cheap computing, and $20 hacking kits, there is an infinite number of attack points and shrinking barriers to entry for the bad guys.

So how do we win?

We talked to four HBS alumni whose cybersecurity businesses offer them a frontline view of the conflict about how the private and public sectors can tilt the odds back to our favor—and what victory would really look like.

Unite the Fight

On February 13, 2015, President Obama announced an executive order that encouraged the exchange of cyberattack data between private companies and between the private and public sectors. “This has to be a shared mission,” Obama told attendees at the White House Summit on Cybersecurity and Consumer Protection at Stanford University, where he signed the order onstage. “So much of our computer networks and critical infrastructure are in the private sector—which means government cannot do this alone.”

Longtime tech VC Ray Rothrock (MBA 1988) was in attendance at the conference. There are few in the industry who can claim a similar veteran status: Rothrock had recently taken over as CEO of the cybersecurity firm RedSeal after 25 years at Venrock. For 24 of those years, he was focused on tech, launching Venrock’s Internet practice in 1992 and leading early investments in companies like Check Point, one of the first big firewall companies.

Rothrock listened to the speech and thought: “Finally.” As in, at last—the government is waking up to a reality that the tech community realized long ago. “The government has been reticent to open up that way because there is—appropriately—a tension of trusts,” says Rothrock. “Can I trust the government? Should I trust the government? My answer is no, you shouldn’t.” Anonymously sharing attack info, though, is another story. “You make these devices better with that data,” he says. Everybody wins.

Part of the reason why the government took so long to move could have been as simple as structure. “There are lessons to be gleaned from how the war on terrorism played out, post–9/11, where there were all these fiefdoms that sprang up,” says Josh Lefkowitz (MBA 2008), a former intelligence analyst and current CEO of New York City–based cybersecurity firm Flashpoint

Lefkowitz and his cofounder spent “the better part of the 2000s” consulting for federal clients, primarily the Department of Justice, on terrorism investigations before starting Flashpoint in 2010. “There was a lot of dialogue about public-private partnerships, but the coordination was a real challenge—particularly when there was classified information involved.” It’s a broad point, but apply it to cybersecurity, says Lefkowitz, and you see why the National Security Agency might have access to some particularly useful threat intelligence that never, for example, filters down to retailers or health care providers in any useful or timely way.

Info sharing isn’t a new concept in cybersecurity—the venue is just different. “Chief information security officers used to meet once a week for a beer and say, ‘Hey, are you seeing this?’ ” says Anne Bonaparte (MBA 1988), CEO of cybersecurity firm BrightPoint who has previously led security startups acquired by the likes of McAfee and EMC. “Security people recognize they are in the business of pattern recognition. It has happened before, but in a much more human way.”

BrightPoint’s business model is built on sharing. The company makes software platforms that allow organizations to discretely share threat intelligence with each other, helping head off any attack. Bonaparte uses the analogy of a neighborhood watch: Attackers, she says, are rarely after one target; they’ll usually go after a few at a time, and typically within the same industry. BrightPoint’s sharing networks might build connections between, say, a few big hospitals or financial services firms. Think of it as a private LinkedIn group or a Google circle. “Another analogue is a weather map,” says Bonaparte. “We’re allowing you to get ahead of the pattern.”

Sharing is also common among hackers, who often use discrete web forums—found on areas known as the Deep Web (unsearchable) and Dark Web (requiring special software to access)—to exchange tips and hacking tools. “Why are the bad guys so successful?” Bonaparte asked in an essay for the cybersecurity website Infosec Island late last year. “In part because they trade information with each other.”

It’s unfortunate that the bad guys employ best practices. But why not follow the leader?

In the cyberwar analogy, Lefkowitz’s Flashpoint serves as the scout. Its analysts speak a dozen different languages and gain access to discrete hacker forums, collect information on potential threats being discussed by credit card thieves and terrorists alike, and then distribute it to clients. (Flashpoint also provides a threat data stream to Bonaparte’s BrightPoint.) One example: A Fortune 100 company came to Flashpoint after seeing massive spikes in its fraud losses. After some digging, Flashpoint analysts tracked down the hackers responsible, who were boasting about their work and discussing the scheme in granular detail. The affected company shut the necessary doors, saving it an estimated $20 million.

Flashpoint has public sector clients too, including global governments as well as US military and law enforcement agencies. In fall 2014, it launched a Jihadist Threat Intelligence service aimed at these clients, offering terrorist threat info and analysis pulled from the web’s darkest corners. Rothrock’s RedSeal also has a number of federal clients, though he doesn’t necessarily know who they are. Brokered through a government intermediary, they simply show up as Customer One or Customer Two on invoices.

According to government software contractor Deltek, the market for federal spending on private cybersecurity contractors reached $8.6 billion in fiscal year 2015, and is estimated to rise to $11 billion in 2020. Why so much outsourcing? Part of it is simple need and capacity issues, but there’s also the fact that the government just isn’t perceived as a cool place to work. Faced with the opportunity to spend your days in brightly colored offices with video game rooms and bountiful cafeterias, why would young talent choose buttoned-up cubicle life in some Brutalist office building in DC? In a February op-ed in the Wall Street Journal that laid out his cybersecurity plans, President Obama noted the cultural challenge: “We’ll do more—including offering scholarships and forgiving student loans—to recruit the best talent from Silicon Valley and across the private sector. We’ll even let them wear jeans to the office.”

“The private sector vendor community has done a great job of attracting that talent,” says Lefkowitz. “You may not want to wear a suit—and maybe you’d have trouble passing a background check, and maybe you want to play video games during your break.”

But even the private sector is facing talent shortages. Anne Bonaparte sees it firsthand in her corporate customers: a lack of frontline security workers. “They’re not developers or data scientists,” she says. The workers they need range from entry level to managerial leaders, all responsible for manning the software systems and scouting the landscape. “People often say, ‘Oh, we need more Harvard PhDs,’ and while that might be great, that’s not really the problem. The problem is we need more individuals entering the security profession.”

A 2015 report by Cisco estimated that there were more than 1 million unfilled cybersecurity jobs worldwide; a study that same year by CareerBuilder found that 89 percent of information security analyst postings went unfilled. “It’s staggering,” says Lefkowitz. “It requires a holistic strategy for fostering individuals who have the skills to slot into cybersecurity. I don’t think we’ve really solved for that as a nation.”

Part of the problem, Bonaparte says, is marketing: “We have to rebrand security.” The trick is not just selling it as cool and exciting, but making that message appeal to a broader audience. “Security is always guys with dark glasses and earbuds or military gear—everything is presented as very male,” she says. “Frankly, in cybersecurity, there’s a lot more to it.” It’s weather maps, it’s puzzles, it’s patterns. It’s thinking about where you can close doors so the bad guys can’t get in. It’s about having a real impact on your country’s well-being. (Bonaparte has suggested a tech security recruiting push aimed at women akin to the “Rosie the Riveter” campaign of World War II.) Bonaparte offers the example of how universities are attempting to attract more women to STEM careers. If a school wanted to promote general interest in Python, a popular programming language, it wouldn’t focus on hosting Mountain Dew–fueled, all-night hackathons, she says. “That’s not appealing to everybody. But if you say, ‘Let’s try to find innovative solutions to bringing lights to rural villages,’ and it happens that you have to use Python programming to do that, you’ve reframed the problem. That’s what needs to happen in cybersecurity.”

Make Life Harder for the Hackers

Ray Rothrock has this condensed history of cybercrime, broken down into eras based on their respective defense strategies. There were the early days of firewalls built to keep out the bad guys, then came protection against viruses and Trojans, then on to data leak detection, and eventually the emergence of
complex defense systems built to ward off multidimensional attacks.

Today, he says, it’s about resilience. That’s what RedSeal promises, offering a FICO-like score that management and board members alike can use to gauge their security preparedness. In practice, the defense looks like this: Some frontline security officer gets an alert that there is suspicious activity on the company’s network—a spike in data flowing out of the system, perhaps. A certain data server has been taken over by a malicious third party. “Push the RedSeal button, and the system says, ‘Ah, we know where that is,’” says Rothrock. “It’s this server right here, and here are the data servers that will be attacked next. Here’s how to fix it.”

Fix it—not burn it down. There’s a big difference. Rothrock, sitting in an HBS conference room in February, points to the ceiling. “It would be like in a big room like this. You’ve got one, two, three fire nozzles in this room.” Using the RedSeal analogy, if there was a fire at his end of the conference room, only the sprinklers above his head would need to be turned on. “The fire is at this end. Why flood the room?”

That’s what Sony Pictures did. When hackers broke into the movie studio’s network in 2014—inflicting a reported $35 million in IT damages—administrators at Sony just shut the whole network down. In Rothrock’s example, the issue would be isolated while the rest of the company chugs along, generating revenue. “Our thinking and our capabilities are just now getting to that point.”

For attackers, better defenses aren’t just a test of their mettle or skills—they’re a drain on time and money. “Bad guys have economics, too. They can’t spend all day trying to burn your house down,” says Rothrock. “They’ll go to the next house and try to burn that one down.”

HBS: http://hbs.me/21mauYc

« Tor’s Developer Leaves After Lurid Sexual Allegations
Human Error Fuels Most Breaches »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Becrypt

Becrypt

Becrypt is a trusted provider of endpoint cybersecurity software solutions. We help the most security conscious organisations to protect their customer, employee and intellectual property data.

Maverick Technologies

Maverick Technologies

Maverick is an industrial automation, enterprise integration and operational consulting company. Services include industrial cyber security.

qSkills

qSkills

QSkills is an independent training provider specialized high-quality IT and IT management training courses including IT security.

Cyber Security Expo

Cyber Security Expo

Cyber Security EXPO is a unique one day recruitment event for the cyber security industry.

Secura

Secura

The Secura Cyber Security and Intelligence system predicts and prevents security threats by discovering hidden patterns through the meticulous analysis of large amounts of data.

FraudHunt

FraudHunt

FraudHunt protects your website from account fraud, ad fraud, fraud clicks, and malicious bots.

Practical Assurance

Practical Assurance

Practical Assurance helps companies navigate the rough terrain of information security compliance.

Y-PARC

Y-PARC

Y-PARC is a center of excellence for cybersecurity, precision industries and medtech, fostering innovation and development and support for startups.

Hex-Rays

Hex-Rays

Founded in 2005, privately held, Belgium based, Hex-Rays SA focuses on the development of fast, stable, and robust binary analysis tools for the IT security market.

AB Handshake

AB Handshake

AB Handshake offers a game-changing solution for telecom service providers that eliminates fraud on inbound and outbound voice traffic.

Rausch Advisory Services

Rausch Advisory Services

Rausch delivers solutions that address compliance, enterprise risk, information technology and human resource capital.

SpireTec Solutions

SpireTec Solutions

SpireTec Solutions is an IT management training company offering 1500+ courses with state of art training facilities backed by a team of industry experts in various domains including cybersecurity.

Eventus Security

Eventus Security

Eventus, are a team of highly skilled professionals who are committed to deliver excellence in next generation cyber security services and customized solutions for your enterprise.

Telit Cinterion

Telit Cinterion

Telit Cinterion is a global enabler of the intelligent edge providing highly secure IoT solutions, modules and services.

Antivirus Tales

Antivirus Tales

Antivirus Tales offers a platform to resolve all types of antivirus-related issues. The platform also provide various blog articles and informative guides to fix antivirus software errors.

GIS Consulting (GISPL)

GIS Consulting (GISPL)

From General Data Protection Regulations to advanced Network Infrastructure Audits, GIS Consulting has established a reputation as one the leading cyber security companies in the industry.