By: Terry Dear, program chair for WITI OC and VP of software development for BMS, Inc.
In recognition that October is National Cyber Security month, WITI Orange County hosted a 'Cyber Security and Privacy' event on October 20, 2016. We were honored to have Haiyan Song, senior vice president for Splunk's Security Markets, and Sheryl A. Hanchar, vice president and CISO for HireRight, as panelists. Moderating this event was Lenka Vanek, senior director of SW Development for Dell.
We knew the evening was going to be impactful with these high-powered women. Haiyan was recently recognized as one of National Diversity Council's 50 Most Powerful Women in Technology 2016. Sheryl started hacking at eight years old and got kicked out of college when she publicly distributed the PII (name, address) of every student at her college. Note: Sheryl did go on to join the United States Navy and then graduate school.
A special callout and thank you to our premier sponsor, Splunk, known as the 'google' for IT Operations turning machine data into insights; and sponsor Cyphort, a startup company offering an adaptive detection fabric closing the network security gap. Both companies provide tools used for monitoring and analyzing the cybersecurity space.
If you are looking for a career opportunity, now is the time to join the cybersecurity team. It is a growth area for corporate America as the number of experienced cybersecurity personnel is limited. You do not have to be an extreme coder to be part of the cybersecurity team. When people think of security, they think about physical security (guns, large physical bodies, etc.).
Cybersecurity is not that. It is about risk management, regulatory compliance, and securing the crown jewels (in this case, data). Women are better suited for the security team as they are better at pattern recognition and finding the anomalies, spotting potential penetration breaches before they occur. They also like to document.
Unfortunately, Security=COST, while Hackers=PROFIT. Corporations must identify the crown jewels and build the appropriate controls around that which is important. Sheryl stated: 'It is not rocket science. Just put in enough tripwires.' Busting hackers does not have to break your budget.
Constantly review and test new tools with Proof of Concepts. The security market has several startup companies introducing better mousetraps. Hackers do not sit idle.
Need to get funding? Consider the 'loss of potential revenue' angle as customers now look to cybersecurity for credibility and confidence of doing business over the Internet. Statistically, one big company gets hacked every week. If your company gets hacked, will your customers continue to do business with you? When you do get hacked, it is about survivability. Counter-intuitively, segregate crown jewels and break up losses. Consider planting a 'honeypot': a fake folder containing perceived valuable information like SSNs. Hide the real data in another folder (e.g., recipes). Don't forget to monitor the honeypot.
Did you know that hackers have personalities? They are not all the same. China is slow and methodical. They gather intelligence information and go through stages before moving forward. They are considered to be nation-sponsored. Russia, on the other hand, is completely focused on the theft of financial resources. There is no shame and no laws. It is completely acceptable to be a hacker. Amateurs attack systems. Professionals attack people. The best defense is to look at anomalies. Don't drown focusing on the alerts. Detect and remediate. Look at user behavior patterns. Why is Mary Jane's account accessing a computer she normally does not access?
To tackle hackers, it takes a village. It is not a job for one person or one corporation. There is no single solution. We need to create industry sharing spaces and cybersecurity frameworks for defense, health services, financial services, etc. Defense is ahead of everyone else: the large defense corporations (e.g., Boeing, Lockheed Martin, etc.) developed an industry sharing portal.
Privacy? What is that? For Millennials raised during the Facebook rise, it is nonexistent. Our behavior is the product for all the free software apps that we use. Did you know that there are two Sheryl Hanchars in the world? One is a CISO. The other is a drug addict. Which one are you talking to? Haiyan grew up in China where everything is monitored, and you assumed no privacy. With today's mentality, be mindful of what you share. Your name and address are public information, but you do not have to post everything about yourself. All system interfaces should have multi-factor authentication.
The interaction between the audience and panelists was quite engaging. We talked about politics, emails, European laws, stolen SSNs, DEFCON for kids, the real estate (and mortgage) industry needing to get their security act together, surviving the Sony fallout nuclear program, and colleges informing parents not to google their freshman child's roommates. You had to be there.
Signing off, Mission Impossible 1966 style: "As always, should you or any of your WITI Force be caught attending, the secretary will disavow any knowledge of your actions. This recap will self-destruct in five seconds. Good luck, Jane."
WITI Orange County provides a local forum for women to network with each other, forge connections, share resources and discover opportunities in the technology industry.