Harvard Business School Wants To Know How To Win At Cybersecurity

HBS graduates now running cyberscecuity companies discuss the lessons they have learned  and identify some solutions.

There is evidence of the relative ease of these crimes in the prices that the stolen goods fetch in the underground hacker marketplaces. Credit card numbers—from premium cards, some offered with money-back guarantees if they don’t work—go for as little as $9. That’s just one segment of a booming hacker market: Attempts to knock a particular website offline can cost around $100; “Trojan” software that gives users control of other computers remotely is priced as low as $20.

And business is booming. A PricewaterhouseCoopers survey found that global security incidents rose 38 percent in 2015—the biggest jump in the survey’s 12-year history. Compared with sovereign nations, the cybercrime economy would have ranked 23rd in the world in 2014, besting the likes of Israel and Austria, according to the consulting group Hamilton Place Strategies. It’s not just independent hackers. It’s state-sponsored hackers who put on military uniforms and head off to their hacking desks in the morning. It’s ISIS. It’s the mafia. Every criminal trope imaginable is trying to get a piece of this.

All told, online crime inflicted $445 billion in damage to the global economy in 2014, according to a study by the Center for Strategic and International Studies. A $75 billion cyber-defense market has sprung up in the face of the threat, with analysts predicting it will grow to $170 billion by 2020. (In his proposed fiscal 2017 budget, President Obama requested a $5 billion increase in federal cybersecurity spending, up to $19 billion annually.)

Money is one thing, strategy is another. In an era of Internet-enabled refrigerators, powerful-and-cheap computing, and $20 hacking kits, there is an infinite number of attack points and shrinking barriers to entry for the bad guys.

So how do we win?

We talked to four HBS alumni whose cybersecurity businesses offer them a frontline view of the conflict about how the private and public sectors can tilt the odds back to our favor—and what victory would really look like.

Unite the Fight

On February 13, 2015, President Obama announced an executive order that encouraged the exchange of cyberattack data between private companies and between the private and public sectors. “This has to be a shared mission,” Obama told attendees at the White House Summit on Cybersecurity and Consumer Protection at Stanford University, where he signed the order onstage. “So much of our computer networks and critical infrastructure are in the private sector—which means government cannot do this alone.”

Longtime tech VC Ray Rothrock (MBA 1988) was in attendance at the conference. There are few in the industry who can claim a similar veteran status: Rothrock had recently taken over as CEO of the cybersecurity firm RedSeal after 25 years at Venrock. For 24 of those years, he was focused on tech, launching Venrock’s Internet practice in 1992 and leading early investments in companies like Check Point, one of the first big firewall companies.

Rothrock listened to the speech and thought: “Finally.” As in, at last—the government is waking up to a reality that the tech community realized long ago. “The government has been reticent to open up that way because there is—appropriately—a tension of trusts,” says Rothrock. “Can I trust the government? Should I trust the government? My answer is no, you shouldn’t.” Anonymously sharing attack info, though, is another story. “You make these devices better with that data,” he says. Everybody wins.

Part of the reason why the government took so long to move could have been as simple as structure. “There are lessons to be gleaned from how the war on terrorism played out, post–9/11, where there were all these fiefdoms that sprang up,” says Josh Lefkowitz (MBA 2008), a former intelligence analyst and current CEO of New York City–based cybersecurity firm Flashpoint

Lefkowitz and his cofounder spent “the better part of the 2000s” consulting for federal clients, primarily the Department of Justice, on terrorism investigations before starting Flashpoint in 2010. “There was a lot of dialogue about public-private partnerships, but the coordination was a real challenge—particularly when there was classified information involved.” It’s a broad point, but apply it to cybersecurity, says Lefkowitz, and you see why the National Security Agency might have access to some particularly useful threat intelligence that never, for example, filters down to retailers or health care providers in any useful or timely way.

Info sharing isn’t a new concept in cybersecurity—the venue is just different. “Chief information security officers used to meet once a week for a beer and say, ‘Hey, are you seeing this?’ ” says Anne Bonaparte (MBA 1988), CEO of cybersecurity firm BrightPoint who has previously led security startups acquired by the likes of McAfee and EMC. “Security people recognize they are in the business of pattern recognition. It has happened before, but in a much more human way.”

BrightPoint’s business model is built on sharing. The company makes software platforms that allow organizations to discretely share threat intelligence with each other, helping head off any attack. Bonaparte uses the analogy of a neighborhood watch: Attackers, she says, are rarely after one target; they’ll usually go after a few at a time, and typically within the same industry. BrightPoint’s sharing networks might build connections between, say, a few big hospitals or financial services firms. Think of it as a private LinkedIn group or a Google circle. “Another analogue is a weather map,” says Bonaparte. “We’re allowing you to get ahead of the pattern.”

Sharing is also common among hackers, who often use discrete web forums—found on areas known as the Deep Web (unsearchable) and Dark Web (requiring special software to access)—to exchange tips and hacking tools. “Why are the bad guys so successful?” Bonaparte asked in an essay for the cybersecurity website Infosec Island late last year. “In part because they trade information with each other.”

It’s unfortunate that the bad guys employ best practices. But why not follow the leader?

In the cyberwar analogy, Lefkowitz’s Flashpoint serves as the scout. Its analysts speak a dozen different languages and gain access to discrete hacker forums, collect information on potential threats being discussed by credit card thieves and terrorists alike, and then distribute it to clients. (Flashpoint also provides a threat data stream to Bonaparte’s BrightPoint.) One example: A Fortune 100 company came to Flashpoint after seeing massive spikes in its fraud losses. After some digging, Flashpoint analysts tracked down the hackers responsible, who were boasting about their work and discussing the scheme in granular detail. The affected company shut the necessary doors, saving it an estimated $20 million.

Flashpoint has public sector clients too, including global governments as well as US military and law enforcement agencies. In fall 2014, it launched a Jihadist Threat Intelligence service aimed at these clients, offering terrorist threat info and analysis pulled from the web’s darkest corners. Rothrock’s RedSeal also has a number of federal clients, though he doesn’t necessarily know who they are. Brokered through a government intermediary, they simply show up as Customer One or Customer Two on invoices.

According to government software contractor Deltek, the market for federal spending on private cybersecurity contractors reached $8.6 billion in fiscal year 2015, and is estimated to rise to $11 billion in 2020. Why so much outsourcing? Part of it is simple need and capacity issues, but there’s also the fact that the government just isn’t perceived as a cool place to work. Faced with the opportunity to spend your days in brightly colored offices with video game rooms and bountiful cafeterias, why would young talent choose buttoned-up cubicle life in some Brutalist office building in DC? In a February op-ed in the Wall Street Journal that laid out his cybersecurity plans, President Obama noted the cultural challenge: “We’ll do more—including offering scholarships and forgiving student loans—to recruit the best talent from Silicon Valley and across the private sector. We’ll even let them wear jeans to the office.”

“The private sector vendor community has done a great job of attracting that talent,” says Lefkowitz. “You may not want to wear a suit—and maybe you’d have trouble passing a background check, and maybe you want to play video games during your break.”

But even the private sector is facing talent shortages. Anne Bonaparte sees it firsthand in her corporate customers: a lack of frontline security workers. “They’re not developers or data scientists,” she says. The workers they need range from entry level to managerial leaders, all responsible for manning the software systems and scouting the landscape. “People often say, ‘Oh, we need more Harvard PhDs,’ and while that might be great, that’s not really the problem. The problem is we need more individuals entering the security profession.”

A 2015 report by Cisco estimated that there were more than 1 million unfilled cybersecurity jobs worldwide; a study that same year by CareerBuilder found that 89 percent of information security analyst postings went unfilled. “It’s staggering,” says Lefkowitz. “It requires a holistic strategy for fostering individuals who have the skills to slot into cybersecurity. I don’t think we’ve really solved for that as a nation.”

Part of the problem, Bonaparte says, is marketing: “We have to rebrand security.” The trick is not just selling it as cool and exciting, but making that message appeal to a broader audience. “Security is always guys with dark glasses and earbuds or military gear—everything is presented as very male,” she says. “Frankly, in cybersecurity, there’s a lot more to it.” It’s weather maps, it’s puzzles, it’s patterns. It’s thinking about where you can close doors so the bad guys can’t get in. It’s about having a real impact on your country’s well-being. (Bonaparte has suggested a tech security recruiting push aimed at women akin to the “Rosie the Riveter” campaign of World War II.) Bonaparte offers the example of how universities are attempting to attract more women to STEM careers. If a school wanted to promote general interest in Python, a popular programming language, it wouldn’t focus on hosting Mountain Dew–fueled, all-night hackathons, she says. “That’s not appealing to everybody. But if you say, ‘Let’s try to find innovative solutions to bringing lights to rural villages,’ and it happens that you have to use Python programming to do that, you’ve reframed the problem. That’s what needs to happen in cybersecurity.”

Make Life Harder for the Hackers

Ray Rothrock has this condensed history of cybercrime, broken down into eras based on their respective defense strategies. There were the early days of firewalls built to keep out the bad guys, then came protection against viruses and Trojans, then on to data leak detection, and eventually the emergence of
complex defense systems built to ward off multidimensional attacks.

Today, he says, it’s about resilience. That’s what RedSeal promises, offering a FICO-like score that management and board members alike can use to gauge their security preparedness. In practice, the defense looks like this: Some frontline security officer gets an alert that there is suspicious activity on the company’s network—a spike in data flowing out of the system, perhaps. A certain data server has been taken over by a malicious third party. “Push the RedSeal button, and the system says, ‘Ah, we know where that is,’” says Rothrock. “It’s this server right here, and here are the data servers that will be attacked next. Here’s how to fix it.”

Fix it—not burn it down. There’s a big difference. Rothrock, sitting in an HBS conference room in February, points to the ceiling. “It would be like in a big room like this. You’ve got one, two, three fire nozzles in this room.” Using the RedSeal analogy, if there was a fire at his end of the conference room, only the sprinklers above his head would need to be turned on. “The fire is at this end. Why flood the room?”

That’s what Sony Pictures did. When hackers broke into the movie studio’s network in 2014—inflicting a reported $35 million in IT damages—administrators at Sony just shut the whole network down. In Rothrock’s example, the issue would be isolated while the rest of the company chugs along, generating revenue. “Our thinking and our capabilities are just now getting to that point.”

For attackers, better defenses aren’t just a test of their mettle or skills—they’re a drain on time and money. “Bad guys have economics, too. They can’t spend all day trying to burn your house down,” says Rothrock. “They’ll go to the next house and try to burn that one down.”

HBS: http://hbs.me/21mauYc

« Tor’s Developer Leaves After Lurid Sexual Allegations
Human Error Fuels Most Breaches »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CloudInsure

CloudInsure

CloudInsure is a Cloud Insurance platform designed to specifically address emerging liabilities within the Cloud environment.

SI-CERT

SI-CERT

SI-CERT (Slovenian Computer Emergency Response Team) is the national cyber scurity incident response center for Slovenia.

Malta Information Technology Agency (MITA)

Malta Information Technology Agency (MITA)

MITA is the central driver of Government Information and Communications Technology (ICT) policy, programmes and initiatives in Malta.

Aviva

Aviva

Aviva provides Cyber Liability cover for small to mid-market customers to help combat the threat of data and privacy breach.

Spanish Network of Excellence on Cybersecurity Research (RENIC)

Spanish Network of Excellence on Cybersecurity Research (RENIC)

RENIC is a membership based sectoral association that includes research centers and other agents of the research cybersecurity ecosystem in Spain.

DeviceAssure

DeviceAssure

DeviceAssure enables organizations to reliably identify counterfeit and non-standard devices with a real-time check on a device's authenticity.

BI.ZONE

BI.ZONE

BI.ZONE creates high-tech products and solutions to protect IT infrastructures and applications, and provides services from cyber intelligence and proactive defence to cybercrime investigation.

InGuardians

InGuardians

InGuardians is an independent information security consulting firm specializing in penetration testing, threat hunting, and hardware hacking.

TriagingX

TriagingX

TriagingX successfully created the first generation malware sandbox that is being used by many Fortune 500 companies for daily malware analysis.

EVOKE

EVOKE

EVOKE is an award-winning Digital Transformation company that partners with its clients to build digital workplace solutions for organizational challenges.

Etonwood

Etonwood

Etonwood specialises in infrastructure and vendor technology recruitment in areas including cloud platforms, cyber security and service management.

Kordia

Kordia

Kordia is a leading provider of mission-critical technology solutions throughout Australasia. We have the most comprehensive cyber security offering in New Zealand.

FiVerity

FiVerity

FiVerity provides financial institutions with cyber fraud defense to combat a dangerous and growing threat - the convergence of fraud-related theft with sophisticated, high-volume cyber attacks.

Armo

Armo

Armo technology enhances any Kubernetes deployment with security, visibility, and control from the CI/CD pipeline through production.

Cybercentry

Cybercentry

Cybercentry is a specialist information security, data protection and cyber security consultancy.

ARC Risk and Compliance

ARC Risk and Compliance

ARC Risk and Compliance is a consulting company comprised of a team of AML Specialists completely focused on anti-money laundering compliance and the technologies used to support compliance programs.