Harvard Business School Wants To Know How To Win At Cybersecurity

HBS graduates now running cyberscecuity companies discuss the lessons they have learned  and identify some solutions.

There is evidence of the relative ease of these crimes in the prices that the stolen goods fetch in the underground hacker marketplaces. Credit card numbers—from premium cards, some offered with money-back guarantees if they don’t work—go for as little as $9. That’s just one segment of a booming hacker market: Attempts to knock a particular website offline can cost around $100; “Trojan” software that gives users control of other computers remotely is priced as low as $20.

And business is booming. A PricewaterhouseCoopers survey found that global security incidents rose 38 percent in 2015—the biggest jump in the survey’s 12-year history. Compared with sovereign nations, the cybercrime economy would have ranked 23rd in the world in 2014, besting the likes of Israel and Austria, according to the consulting group Hamilton Place Strategies. It’s not just independent hackers. It’s state-sponsored hackers who put on military uniforms and head off to their hacking desks in the morning. It’s ISIS. It’s the mafia. Every criminal trope imaginable is trying to get a piece of this.

All told, online crime inflicted $445 billion in damage to the global economy in 2014, according to a study by the Center for Strategic and International Studies. A $75 billion cyber-defense market has sprung up in the face of the threat, with analysts predicting it will grow to $170 billion by 2020. (In his proposed fiscal 2017 budget, President Obama requested a $5 billion increase in federal cybersecurity spending, up to $19 billion annually.)

Money is one thing, strategy is another. In an era of Internet-enabled refrigerators, powerful-and-cheap computing, and $20 hacking kits, there is an infinite number of attack points and shrinking barriers to entry for the bad guys.

So how do we win?

We talked to four HBS alumni whose cybersecurity businesses offer them a frontline view of the conflict about how the private and public sectors can tilt the odds back to our favor—and what victory would really look like.

Unite the Fight

On February 13, 2015, President Obama announced an executive order that encouraged the exchange of cyberattack data between private companies and between the private and public sectors. “This has to be a shared mission,” Obama told attendees at the White House Summit on Cybersecurity and Consumer Protection at Stanford University, where he signed the order onstage. “So much of our computer networks and critical infrastructure are in the private sector—which means government cannot do this alone.”

Longtime tech VC Ray Rothrock (MBA 1988) was in attendance at the conference. There are few in the industry who can claim a similar veteran status: Rothrock had recently taken over as CEO of the cybersecurity firm RedSeal after 25 years at Venrock. For 24 of those years, he was focused on tech, launching Venrock’s Internet practice in 1992 and leading early investments in companies like Check Point, one of the first big firewall companies.

Rothrock listened to the speech and thought: “Finally.” As in, at last—the government is waking up to a reality that the tech community realized long ago. “The government has been reticent to open up that way because there is—appropriately—a tension of trusts,” says Rothrock. “Can I trust the government? Should I trust the government? My answer is no, you shouldn’t.” Anonymously sharing attack info, though, is another story. “You make these devices better with that data,” he says. Everybody wins.

Part of the reason why the government took so long to move could have been as simple as structure. “There are lessons to be gleaned from how the war on terrorism played out, post–9/11, where there were all these fiefdoms that sprang up,” says Josh Lefkowitz (MBA 2008), a former intelligence analyst and current CEO of New York City–based cybersecurity firm Flashpoint

Lefkowitz and his cofounder spent “the better part of the 2000s” consulting for federal clients, primarily the Department of Justice, on terrorism investigations before starting Flashpoint in 2010. “There was a lot of dialogue about public-private partnerships, but the coordination was a real challenge—particularly when there was classified information involved.” It’s a broad point, but apply it to cybersecurity, says Lefkowitz, and you see why the National Security Agency might have access to some particularly useful threat intelligence that never, for example, filters down to retailers or health care providers in any useful or timely way.

Info sharing isn’t a new concept in cybersecurity—the venue is just different. “Chief information security officers used to meet once a week for a beer and say, ‘Hey, are you seeing this?’ ” says Anne Bonaparte (MBA 1988), CEO of cybersecurity firm BrightPoint who has previously led security startups acquired by the likes of McAfee and EMC. “Security people recognize they are in the business of pattern recognition. It has happened before, but in a much more human way.”

BrightPoint’s business model is built on sharing. The company makes software platforms that allow organizations to discretely share threat intelligence with each other, helping head off any attack. Bonaparte uses the analogy of a neighborhood watch: Attackers, she says, are rarely after one target; they’ll usually go after a few at a time, and typically within the same industry. BrightPoint’s sharing networks might build connections between, say, a few big hospitals or financial services firms. Think of it as a private LinkedIn group or a Google circle. “Another analogue is a weather map,” says Bonaparte. “We’re allowing you to get ahead of the pattern.”

Sharing is also common among hackers, who often use discrete web forums—found on areas known as the Deep Web (unsearchable) and Dark Web (requiring special software to access)—to exchange tips and hacking tools. “Why are the bad guys so successful?” Bonaparte asked in an essay for the cybersecurity website Infosec Island late last year. “In part because they trade information with each other.”

It’s unfortunate that the bad guys employ best practices. But why not follow the leader?

In the cyberwar analogy, Lefkowitz’s Flashpoint serves as the scout. Its analysts speak a dozen different languages and gain access to discrete hacker forums, collect information on potential threats being discussed by credit card thieves and terrorists alike, and then distribute it to clients. (Flashpoint also provides a threat data stream to Bonaparte’s BrightPoint.) One example: A Fortune 100 company came to Flashpoint after seeing massive spikes in its fraud losses. After some digging, Flashpoint analysts tracked down the hackers responsible, who were boasting about their work and discussing the scheme in granular detail. The affected company shut the necessary doors, saving it an estimated $20 million.

Flashpoint has public sector clients too, including global governments as well as US military and law enforcement agencies. In fall 2014, it launched a Jihadist Threat Intelligence service aimed at these clients, offering terrorist threat info and analysis pulled from the web’s darkest corners. Rothrock’s RedSeal also has a number of federal clients, though he doesn’t necessarily know who they are. Brokered through a government intermediary, they simply show up as Customer One or Customer Two on invoices.

According to government software contractor Deltek, the market for federal spending on private cybersecurity contractors reached $8.6 billion in fiscal year 2015, and is estimated to rise to $11 billion in 2020. Why so much outsourcing? Part of it is simple need and capacity issues, but there’s also the fact that the government just isn’t perceived as a cool place to work. Faced with the opportunity to spend your days in brightly colored offices with video game rooms and bountiful cafeterias, why would young talent choose buttoned-up cubicle life in some Brutalist office building in DC? In a February op-ed in the Wall Street Journal that laid out his cybersecurity plans, President Obama noted the cultural challenge: “We’ll do more—including offering scholarships and forgiving student loans—to recruit the best talent from Silicon Valley and across the private sector. We’ll even let them wear jeans to the office.”

“The private sector vendor community has done a great job of attracting that talent,” says Lefkowitz. “You may not want to wear a suit—and maybe you’d have trouble passing a background check, and maybe you want to play video games during your break.”

But even the private sector is facing talent shortages. Anne Bonaparte sees it firsthand in her corporate customers: a lack of frontline security workers. “They’re not developers or data scientists,” she says. The workers they need range from entry level to managerial leaders, all responsible for manning the software systems and scouting the landscape. “People often say, ‘Oh, we need more Harvard PhDs,’ and while that might be great, that’s not really the problem. The problem is we need more individuals entering the security profession.”

A 2015 report by Cisco estimated that there were more than 1 million unfilled cybersecurity jobs worldwide; a study that same year by CareerBuilder found that 89 percent of information security analyst postings went unfilled. “It’s staggering,” says Lefkowitz. “It requires a holistic strategy for fostering individuals who have the skills to slot into cybersecurity. I don’t think we’ve really solved for that as a nation.”

Part of the problem, Bonaparte says, is marketing: “We have to rebrand security.” The trick is not just selling it as cool and exciting, but making that message appeal to a broader audience. “Security is always guys with dark glasses and earbuds or military gear—everything is presented as very male,” she says. “Frankly, in cybersecurity, there’s a lot more to it.” It’s weather maps, it’s puzzles, it’s patterns. It’s thinking about where you can close doors so the bad guys can’t get in. It’s about having a real impact on your country’s well-being. (Bonaparte has suggested a tech security recruiting push aimed at women akin to the “Rosie the Riveter” campaign of World War II.) Bonaparte offers the example of how universities are attempting to attract more women to STEM careers. If a school wanted to promote general interest in Python, a popular programming language, it wouldn’t focus on hosting Mountain Dew–fueled, all-night hackathons, she says. “That’s not appealing to everybody. But if you say, ‘Let’s try to find innovative solutions to bringing lights to rural villages,’ and it happens that you have to use Python programming to do that, you’ve reframed the problem. That’s what needs to happen in cybersecurity.”

Make Life Harder for the Hackers

Ray Rothrock has this condensed history of cybercrime, broken down into eras based on their respective defense strategies. There were the early days of firewalls built to keep out the bad guys, then came protection against viruses and Trojans, then on to data leak detection, and eventually the emergence of
complex defense systems built to ward off multidimensional attacks.

Today, he says, it’s about resilience. That’s what RedSeal promises, offering a FICO-like score that management and board members alike can use to gauge their security preparedness. In practice, the defense looks like this: Some frontline security officer gets an alert that there is suspicious activity on the company’s network—a spike in data flowing out of the system, perhaps. A certain data server has been taken over by a malicious third party. “Push the RedSeal button, and the system says, ‘Ah, we know where that is,’” says Rothrock. “It’s this server right here, and here are the data servers that will be attacked next. Here’s how to fix it.”

Fix it—not burn it down. There’s a big difference. Rothrock, sitting in an HBS conference room in February, points to the ceiling. “It would be like in a big room like this. You’ve got one, two, three fire nozzles in this room.” Using the RedSeal analogy, if there was a fire at his end of the conference room, only the sprinklers above his head would need to be turned on. “The fire is at this end. Why flood the room?”

That’s what Sony Pictures did. When hackers broke into the movie studio’s network in 2014—inflicting a reported $35 million in IT damages—administrators at Sony just shut the whole network down. In Rothrock’s example, the issue would be isolated while the rest of the company chugs along, generating revenue. “Our thinking and our capabilities are just now getting to that point.”

For attackers, better defenses aren’t just a test of their mettle or skills—they’re a drain on time and money. “Bad guys have economics, too. They can’t spend all day trying to burn your house down,” says Rothrock. “They’ll go to the next house and try to burn that one down.”

HBS: http://hbs.me/21mauYc

« Tor’s Developer Leaves After Lurid Sexual Allegations
Human Error Fuels Most Breaches »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Trusted Computing Group

Trusted Computing Group

TCG was formed to develop, define and promote open, vendor-neutral, global industry standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms.

Athena Forensics

Athena Forensics

Athena Forensics is one of the UK's leading providers of Computer Forensics, Mobile Phone Forensics, Cell Site Analysis and Expert Witness Services.

Gurucul

Gurucul

Gurucul predictive security analytics protects against insider threats, account compromise and data exfiltration on-premises and in the cloud.

MASS

MASS

MASS provides world-class capabilities in electronic warfare operational support, cyber security, information management, support to military operations and law enforcement.

Endian

Endian

Endian’s mission is to provide a secure platform that connects distributed people and things, simplifying the digitalization of businesses.

Cyfirma

Cyfirma

CYFIRMA offers Cyber threat visibility and intelligence suite and services aimed at keeping your organization’s cybersecurity posture up-to-date.

OISTE Foundation

OISTE Foundation

OISTE foundation allows users to control their digital identities using well-understood and secure algorithms that ensure the continued validity of an identity and its claims.

CounterFind

CounterFind

CounterFind is turnkey technology that allows brands to find and remove counterfeit and infringing merchandise from online marketplaces and social media sites.

CyberPeace Foundation

CyberPeace Foundation

CPF is a think tank of cybersecurity and policy experts with the vision of pioneering Cyber Peace Initiatives to build collective resiliency against CyberCrimes and global threats of cyber warfare.

Realsec

Realsec

RealSec is an international company and is a developer of encryption and digital signature systems and Blockchain for the Banking and Methods of Payment sectors, Government and Defense and Multisector

Arcanna.ai

Arcanna.ai

Using a wide range of out-of-the box integrations, Arcanna.ai continuously learns from existing enterprise cybersecurity experts and scales your team’s capacity to deal with threats.

Parablu

Parablu

Parablu is a leading provider of data security and resiliency solutions for the digital enterprise.

APCERT

APCERT

APCERT cooperates with CERTs and CSIRTs to ensure internet security in the Asia Pacific region, based around genuine information sharing, trust and cooperation.

White Knight Labs

White Knight Labs

White Knight Labs is a cyber security consultancy that specializes in cybersecurity training.

Sensity

Sensity

Sensity is a company that offers an AI-driven solution to detect and verify deepfakes and other forms of identity fraud.

Couno

Couno

Couno is a trusted provider of IT support services throughout the UK and Europe.