Harvard Business School Wants To Know How To Win At Cybersecurity

HBS graduates now running cyberscecuity companies discuss the lessons they have learned  and identify some solutions.

There is evidence of the relative ease of these crimes in the prices that the stolen goods fetch in the underground hacker marketplaces. Credit card numbers—from premium cards, some offered with money-back guarantees if they don’t work—go for as little as $9. That’s just one segment of a booming hacker market: Attempts to knock a particular website offline can cost around $100; “Trojan” software that gives users control of other computers remotely is priced as low as $20.

And business is booming. A PricewaterhouseCoopers survey found that global security incidents rose 38 percent in 2015—the biggest jump in the survey’s 12-year history. Compared with sovereign nations, the cybercrime economy would have ranked 23rd in the world in 2014, besting the likes of Israel and Austria, according to the consulting group Hamilton Place Strategies. It’s not just independent hackers. It’s state-sponsored hackers who put on military uniforms and head off to their hacking desks in the morning. It’s ISIS. It’s the mafia. Every criminal trope imaginable is trying to get a piece of this.

All told, online crime inflicted $445 billion in damage to the global economy in 2014, according to a study by the Center for Strategic and International Studies. A $75 billion cyber-defense market has sprung up in the face of the threat, with analysts predicting it will grow to $170 billion by 2020. (In his proposed fiscal 2017 budget, President Obama requested a $5 billion increase in federal cybersecurity spending, up to $19 billion annually.)

Money is one thing, strategy is another. In an era of Internet-enabled refrigerators, powerful-and-cheap computing, and $20 hacking kits, there is an infinite number of attack points and shrinking barriers to entry for the bad guys.

So how do we win?

We talked to four HBS alumni whose cybersecurity businesses offer them a frontline view of the conflict about how the private and public sectors can tilt the odds back to our favor—and what victory would really look like.

Unite the Fight

On February 13, 2015, President Obama announced an executive order that encouraged the exchange of cyberattack data between private companies and between the private and public sectors. “This has to be a shared mission,” Obama told attendees at the White House Summit on Cybersecurity and Consumer Protection at Stanford University, where he signed the order onstage. “So much of our computer networks and critical infrastructure are in the private sector—which means government cannot do this alone.”

Longtime tech VC Ray Rothrock (MBA 1988) was in attendance at the conference. There are few in the industry who can claim a similar veteran status: Rothrock had recently taken over as CEO of the cybersecurity firm RedSeal after 25 years at Venrock. For 24 of those years, he was focused on tech, launching Venrock’s Internet practice in 1992 and leading early investments in companies like Check Point, one of the first big firewall companies.

Rothrock listened to the speech and thought: “Finally.” As in, at last—the government is waking up to a reality that the tech community realized long ago. “The government has been reticent to open up that way because there is—appropriately—a tension of trusts,” says Rothrock. “Can I trust the government? Should I trust the government? My answer is no, you shouldn’t.” Anonymously sharing attack info, though, is another story. “You make these devices better with that data,” he says. Everybody wins.

Part of the reason why the government took so long to move could have been as simple as structure. “There are lessons to be gleaned from how the war on terrorism played out, post–9/11, where there were all these fiefdoms that sprang up,” says Josh Lefkowitz (MBA 2008), a former intelligence analyst and current CEO of New York City–based cybersecurity firm Flashpoint

Lefkowitz and his cofounder spent “the better part of the 2000s” consulting for federal clients, primarily the Department of Justice, on terrorism investigations before starting Flashpoint in 2010. “There was a lot of dialogue about public-private partnerships, but the coordination was a real challenge—particularly when there was classified information involved.” It’s a broad point, but apply it to cybersecurity, says Lefkowitz, and you see why the National Security Agency might have access to some particularly useful threat intelligence that never, for example, filters down to retailers or health care providers in any useful or timely way.

Info sharing isn’t a new concept in cybersecurity—the venue is just different. “Chief information security officers used to meet once a week for a beer and say, ‘Hey, are you seeing this?’ ” says Anne Bonaparte (MBA 1988), CEO of cybersecurity firm BrightPoint who has previously led security startups acquired by the likes of McAfee and EMC. “Security people recognize they are in the business of pattern recognition. It has happened before, but in a much more human way.”

BrightPoint’s business model is built on sharing. The company makes software platforms that allow organizations to discretely share threat intelligence with each other, helping head off any attack. Bonaparte uses the analogy of a neighborhood watch: Attackers, she says, are rarely after one target; they’ll usually go after a few at a time, and typically within the same industry. BrightPoint’s sharing networks might build connections between, say, a few big hospitals or financial services firms. Think of it as a private LinkedIn group or a Google circle. “Another analogue is a weather map,” says Bonaparte. “We’re allowing you to get ahead of the pattern.”

Sharing is also common among hackers, who often use discrete web forums—found on areas known as the Deep Web (unsearchable) and Dark Web (requiring special software to access)—to exchange tips and hacking tools. “Why are the bad guys so successful?” Bonaparte asked in an essay for the cybersecurity website Infosec Island late last year. “In part because they trade information with each other.”

It’s unfortunate that the bad guys employ best practices. But why not follow the leader?

In the cyberwar analogy, Lefkowitz’s Flashpoint serves as the scout. Its analysts speak a dozen different languages and gain access to discrete hacker forums, collect information on potential threats being discussed by credit card thieves and terrorists alike, and then distribute it to clients. (Flashpoint also provides a threat data stream to Bonaparte’s BrightPoint.) One example: A Fortune 100 company came to Flashpoint after seeing massive spikes in its fraud losses. After some digging, Flashpoint analysts tracked down the hackers responsible, who were boasting about their work and discussing the scheme in granular detail. The affected company shut the necessary doors, saving it an estimated $20 million.

Flashpoint has public sector clients too, including global governments as well as US military and law enforcement agencies. In fall 2014, it launched a Jihadist Threat Intelligence service aimed at these clients, offering terrorist threat info and analysis pulled from the web’s darkest corners. Rothrock’s RedSeal also has a number of federal clients, though he doesn’t necessarily know who they are. Brokered through a government intermediary, they simply show up as Customer One or Customer Two on invoices.

According to government software contractor Deltek, the market for federal spending on private cybersecurity contractors reached $8.6 billion in fiscal year 2015, and is estimated to rise to $11 billion in 2020. Why so much outsourcing? Part of it is simple need and capacity issues, but there’s also the fact that the government just isn’t perceived as a cool place to work. Faced with the opportunity to spend your days in brightly colored offices with video game rooms and bountiful cafeterias, why would young talent choose buttoned-up cubicle life in some Brutalist office building in DC? In a February op-ed in the Wall Street Journal that laid out his cybersecurity plans, President Obama noted the cultural challenge: “We’ll do more—including offering scholarships and forgiving student loans—to recruit the best talent from Silicon Valley and across the private sector. We’ll even let them wear jeans to the office.”

“The private sector vendor community has done a great job of attracting that talent,” says Lefkowitz. “You may not want to wear a suit—and maybe you’d have trouble passing a background check, and maybe you want to play video games during your break.”

But even the private sector is facing talent shortages. Anne Bonaparte sees it firsthand in her corporate customers: a lack of frontline security workers. “They’re not developers or data scientists,” she says. The workers they need range from entry level to managerial leaders, all responsible for manning the software systems and scouting the landscape. “People often say, ‘Oh, we need more Harvard PhDs,’ and while that might be great, that’s not really the problem. The problem is we need more individuals entering the security profession.”

A 2015 report by Cisco estimated that there were more than 1 million unfilled cybersecurity jobs worldwide; a study that same year by CareerBuilder found that 89 percent of information security analyst postings went unfilled. “It’s staggering,” says Lefkowitz. “It requires a holistic strategy for fostering individuals who have the skills to slot into cybersecurity. I don’t think we’ve really solved for that as a nation.”

Part of the problem, Bonaparte says, is marketing: “We have to rebrand security.” The trick is not just selling it as cool and exciting, but making that message appeal to a broader audience. “Security is always guys with dark glasses and earbuds or military gear—everything is presented as very male,” she says. “Frankly, in cybersecurity, there’s a lot more to it.” It’s weather maps, it’s puzzles, it’s patterns. It’s thinking about where you can close doors so the bad guys can’t get in. It’s about having a real impact on your country’s well-being. (Bonaparte has suggested a tech security recruiting push aimed at women akin to the “Rosie the Riveter” campaign of World War II.) Bonaparte offers the example of how universities are attempting to attract more women to STEM careers. If a school wanted to promote general interest in Python, a popular programming language, it wouldn’t focus on hosting Mountain Dew–fueled, all-night hackathons, she says. “That’s not appealing to everybody. But if you say, ‘Let’s try to find innovative solutions to bringing lights to rural villages,’ and it happens that you have to use Python programming to do that, you’ve reframed the problem. That’s what needs to happen in cybersecurity.”

Make Life Harder for the Hackers

Ray Rothrock has this condensed history of cybercrime, broken down into eras based on their respective defense strategies. There were the early days of firewalls built to keep out the bad guys, then came protection against viruses and Trojans, then on to data leak detection, and eventually the emergence of
complex defense systems built to ward off multidimensional attacks.

Today, he says, it’s about resilience. That’s what RedSeal promises, offering a FICO-like score that management and board members alike can use to gauge their security preparedness. In practice, the defense looks like this: Some frontline security officer gets an alert that there is suspicious activity on the company’s network—a spike in data flowing out of the system, perhaps. A certain data server has been taken over by a malicious third party. “Push the RedSeal button, and the system says, ‘Ah, we know where that is,’” says Rothrock. “It’s this server right here, and here are the data servers that will be attacked next. Here’s how to fix it.”

Fix it—not burn it down. There’s a big difference. Rothrock, sitting in an HBS conference room in February, points to the ceiling. “It would be like in a big room like this. You’ve got one, two, three fire nozzles in this room.” Using the RedSeal analogy, if there was a fire at his end of the conference room, only the sprinklers above his head would need to be turned on. “The fire is at this end. Why flood the room?”

That’s what Sony Pictures did. When hackers broke into the movie studio’s network in 2014—inflicting a reported $35 million in IT damages—administrators at Sony just shut the whole network down. In Rothrock’s example, the issue would be isolated while the rest of the company chugs along, generating revenue. “Our thinking and our capabilities are just now getting to that point.”

For attackers, better defenses aren’t just a test of their mettle or skills—they’re a drain on time and money. “Bad guys have economics, too. They can’t spend all day trying to burn your house down,” says Rothrock. “They’ll go to the next house and try to burn that one down.”

HBS: http://hbs.me/21mauYc

« Tor’s Developer Leaves After Lurid Sexual Allegations
Human Error Fuels Most Breaches »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Decision Group

Decision Group

Decision Group are a Total Solution Supplier offering Network Forensics and Lawful Interception tools.

Cyber Security Specialists

Cyber Security Specialists

Cyber Security Specialists Limited provide Security services across a wide range of markets, from multi-national Corporate Organisations and Government Agencies, through to smaller Businesses.

Government Communications Security Bureau (GCSB)

Government Communications Security Bureau (GCSB)

GCSB contributes to New Zealand’s national security by providing information assurance and cyber security to the New Zealand Government and critical infrastructure organisations.

EMnify

EMnify

EMnify is a Software-as-a-Service (SaaS) company, revolutionizing cellular Internet of Things (IoT).

In-Sec-M

In-Sec-M

In-Sec-M is a non-profit organization that brings together companies, learning and research institutions, and government actors to increase competitiveness of the Canadian cybersecurity industry.

jobsDB.com

jobsDB.com

jobsDB Singapore is a search engine for jobs throughout Singapore.

Cyemptive Technologies

Cyemptive Technologies

Cyemptive's CyberSlice technology preempts and remove threats before they take hold, in seconds, compared to other’s hours, days, weeks and even months.

Stratejm

Stratejm

Stratejm, a Next Generation Managed Security Services Provider, brings innovation and thought leadership to the fight against cyber criminals.

Valence Security

Valence Security

Valence manages and secures your Business Application Mesh by delivering visibility, reducing unauthorized access and preventing data loss.

Everything Blockchain

Everything Blockchain

Everything Blockchain offer solutions that transform enterprise data-management capabilities. Increased efficiency, super-charged performance and all with government grade security.

SE Ventures

SE Ventures

SE Ventures provides capital to big ideas and bold entrepreneurs who can benefit from Schneider Electric's deep domain expertise, R&D assets, and global customer base.

Sekoia.io

Sekoia.io

Sekoia.io is a European cybersecurity company whose mission is to develop the best protection capabilities against cyber-attacks.

Ceeyu

Ceeyu

Ceeyu is an all-in-one cybersecurity ratings and third party risk management platform.

Mindsprint

Mindsprint

Mindsprint (formerly Olam Technology and Business Services - OTBS) are a leading edge technology and business services firm.

AKS iQ

AKS iQ

AKS iQ leads the RegTech sector with AI, automating regulatory compliance in the banking industry and ensuring paperless TBML and CFT adherence in finance.

IS4IT Kritis

IS4IT Kritis

IS4IT is your partner for the successful planning, introduction and implementation of company-specific information security concepts.