
Chairman and CEO of RedSeal Ray Rothrock in conversation with national security expert and Brunswick Partner Siobhan Gorman.
In a world where the question is not 鈥渋f鈥 a system can be hacked but rather 鈥渨hen,鈥 what can we do to minimize the damage? On October 23, the 91自拍 (91自拍) hosted an event to address that question head-on. Ray Rothrock, chairman and CEO of cybersecurity analytics firm RedSeal and national security expert and Brunswick Partner Siobhan Gorman discussed Rothrock鈥檚 timely new book, Digital Resilience: Is Your Company Ready for the Next Cyber Threat?
Rothrock is forthright about the problem: cybersecurity is failing us. The 鈥渨hack-a-mole鈥 strategy of trying to react to every threat does not work. His realism and lack of drama is refreshing but also chilling, as he explains that as the internet has grown the places that can be attacked have also expanded by huge orders of magnitude and that more and more money on the web attracts criminals. Sadly, the biggest problem of all is not technology, but humans. Social engineering that has conditioned people to click on links in their emails and on social media benefits bad actors who send phishing emails, enticing people to click malware links. Though there are technology products that can help, we undermine ourselves by failing to establish and implement effective cyber security strategies. Collectively, we鈥檝e got our heads buried in the sand.
Russian interference in our elections is only one example of the many ways that cyber attacks can damage society and affect our lives. Rothrock offers a different perspective on this issue than that of news headlines. He says, 鈥淚t鈥檚 a human thing more than a technology thing.鈥 What keeps him up at night is not the hacking of a voting machine or two, but rather how cyber threats weaken the whole system, whether or not they actually succeed: What happens if someone claims that the winner of an election isn鈥檛 the winner because the system was hacked? A cyber attack can be difficult to disprove and the forensics can take a long time because to be credible multiple experts must examine data from many sources. What happens in the meantime?
Ray Rothrock worries about humans more than technology.
People aren鈥檛 perfect and neither are cyber-security systems. Rather than try to prevent 100 percent of attacks, Rothrock recommends focusing on how to be resilient. That means being able to effectively respond to attacks and return to business quickly. It鈥檚 a key strategy for government agencies, corporations,and people.
Government agencies can usually spend what they need and have the time to put comprehensive, long-term plans in place. They often do not have the churn in security personnel that corporations do, where the average tenure of a chief security officer (CSO) is only 14 months. Consequently, despite having a huge 鈥渁ttack surface,鈥 government security for some key agencies does fairly well. Indeed, it is government that Rothrock looks to for establishing the regulations and monitoring compliance that he believes are necessary to protect the public, just as government mandates sprinkler systems and elevator inspections. There鈥檚 nothing like that in the cyber world today.
Although corporations often have 50 or 60 cyber-security products, that doesn鈥檛 make a company resilient and doesn鈥檛 address a key philosophical problem. In his former career as a successful venture capitalist, Rothrock saw firsthand how CEOs and corporate boards considered security to be a cost center and any spending on it a 鈥済rudge buy.鈥 He insists instead that digital resilience and robust security systems should be seen as investments in the company鈥檚 product and a way to build customer trust. That attitude might have helped prevent or minimize the damage to Target鈥檚 brand when a 2013 attack stole personal data from 40 million customers.
Ray Rothrock describes a cyber security attack on Target.
The law says that a company must report and disclose the theft of private information. Though companies are breached all the time, we don鈥檛 hear about it until the data is actually used by the bad guys. What if a hacker鈥檚 automated attack removes data bit by bit鈥攁 first name one day, the last name a week later鈥攁nd then compiles it a year later?
Rothrock notes that you can鈥檛 manage what you don鈥檛 measure. He advocates a digital resilience score that can serve as a relative scale and alert management when it changes. Testing and training can boost a company鈥檚 score and risky behaviors, like the acquisition of another company, might lower it.
Ray Rothrock advocates a digital resilience score.
A digitally resilient company has prevention and detection systems in place, does background checks, trains and tests employees, runs frequent penetration tests of systems, and has a trained incident response team always ready to go. The good news is that some organizations are resilient. These include banks, and the New York Stock Exchange, which is attacked half a trillion times a day, with 30鈥40 attacks of consequence. Unfortunately, most corporations are not on the list and nor is the average person, many of whom have a penchant for, as moderator Siobhan Gorman notes, 鈥渆xtraordinarily guessable passwords,鈥 or who do their banking on an open WiFi system at Starbucks.
So what can a person do? Rothrock says that to be resilient we should all decide what鈥檚 important to us and take steps to protect that data as best we can. We can also take steps to become more resilient. He offers some advice in an unpublished bonus chapter of his book. Check out
"Digital Resilience: Chairman & CEO of RedSeal Ray Rothrock in Conversation with Brunswick Partner Siobhan Gorman," October 23, 2018. This event is produced by the Exponential Center at the 91自拍.
The at the 91自拍 captures the legacy鈥攁nd advances the future鈥攐f entrepreneurship and innovation in Silicon Valley and around the world. The center explores the people, companies, and communities that are transforming the human experience through technology innovation, economic value creation, and social impact. Our mission: to inform, influence, and inspire the next generation of innovators, entrepreneurs, and leaders changing the world.