Please tell us how you got to where you are now.
I’ve often admired the entrepreneurs and innovators of the 70’s and early 80’s as they pioneered so many life-changing technologies that have formed the building blocks of our modern technological landscape. Microsoft, Apple, Xerox, and researchers at Berkley, Caltech, and many other universities inspired me. I often wondered what I could have created if I was born at their time.
However, when I look back at my life, I realize that, just like them, I was born at a time of great technological advancement and opportunity. I am fortunate enough to have seized some of those opportunities. Those reading my story may wish that they were at the same time and place so that they could do the same or better. Hindsight being what it is, we view the past with the knowledge of the present and can often visualize better courses for our lives of those of others. Yet, each of us resides in our own unique time and place. I have strived to do the best I can with the opportunities afforded me, and I thank God for the successes and failures he has provided for they have shaped me into who I am.
So who am I and where should I begin? I have always been attracted to self-tests. A few years ago, we had everyone at my company take a culture test to help them better understand themselves. Mine labeled me a visionary. According to the Myers-Briggs, I am an INTJ, an imaginative, curious person who is also decisive and ambitious. I think both of these begin to describe my personality and they can serve as a reasonably good start. My mind has always been full of ideas. I love to plan, design, and create new things. I am less enthusiastic when the innovative becomes routine, so my life has been full of frequent changes as I search for new things to create or new problems to solve.
After completing my MBA, I yearned for something new, so I decided to travel to Japan to gain a new perspective. I had been studying the language for several years and was very interested in Japanese culture. I found a job doing translation and teaching English to wealthy Japanese clients and spent as much time as possible, traveling the country, talking to people, and seeing how the Japanese approached technology and life from a different perspective. At that time, I started a blog to chronicle my discoveries there and to keep my friends and family back home updated.
I returned home for Christmas and was offered the opportunity to start a brand new computer program at a local college. This was unique and different so I sent my regrets to my colleagues and friends in Japan and enthusiastically began crafting a curriculum. I had a vision for the program, and our classes were soon swelling with students. I spent almost two years teaching newly-designed courses and then hiring instructors to teach the course after me. All the while, I continued to blog and publish articles in magazines and other publications.
I received an offer to join JURINNOV in 2006 to establish a cybersecurity consulting division. I had previously done technology consulting, and I remembered how much the role interested me since each engagement brought a unique problem to solve. I was not disappointed. I have had the pleasure of working with companies around the world in cybersecurity assessments, training, incident response, penetration testing, and investigations. Later, JURINNOV became part of TCDI, and our cybersecurity consulting division was given even greater opportunities for growth.
Social media was relatively new when I joined JURINNOV. MySpace was the dominant platform, but this quickly changed. I began using social media in addition to my blog to share knowledge and learn from others. Social media has brought other opportunities to work on research and other collaboration with some of the biggest companies in the world. I continued to write and have now published three books and a host of articles. I have been very blessed to have so many opportunities and I know there will be many more in the road ahead.
To give a short personal impression: let us know what are your top 3 books everyone today needs to read.
My reading interests are quite varied, so my book recommendations are varied and broad. Here is what I would recommend:
- Read a science fiction novel from one of the classic science fiction writers such as Arthur C. Clarke, Isaac Asimov, or Frederik Pohl. These authors looked far into the future and saw some amazing things. Some of what they saw has come true, and other technologies have evolved differently. You can see clearly in their writing how the emergence of some technologies fundamentally changes the way humans interact with their world and others. We can learn a lot from how their characters dealt with such changes and other technological problems they faced.
- I am frequently inspired by the writings of Frank W. Boreham. Boreham’s books are collections of essays he published in local papers. He wrote in the 1800’s on into the mid-1900’s, in a time much different from ours. It was a simpler time, and Boreham often draws life lessons out of the things around him such as pockets, open gates, stars, and interesting people. Technology and our fast-paced society can cause us to miss out on some of the most beautiful and wonderful things in life if we are not careful. Boreham helps me remember that and cherish the simpler things in life.
- I would be remiss if I did not mention some of my own books on storage and the cloud. You can find them on my Amazon author page.
What are the top 3 tech gadgets one needs to have?
The most essential gadget is the one most of us already have – the mobile phone. Mobile phones are digital pocket knives with apps for almost any occasion. There is GPS when you are lost, communication tools to connect us, augmented reality to bring context to physical things, fitness trackers, cameras, alarm clocks, and so much more. The mobile phone has assumed so many responsibilities that we hardly need other gadgets. Still, I do love my toys so I will mention a few others.
The next gadget that I would recommend would be a set of good quality headphones. I love my Sennheiser Momentum and Audio Technica headphones. You will get so much more enjoyment out of the media you consume with good, comfortable headphones.
The last essential gadget is a media streaming device or a TV with access to a wide variety of streaming apps. Content is fun to consume on a phone but far better on a big-screen TV or even a projector. Streaming devices have access to thousands of apps to stream your favorite programs and watch media on demand. As a bonus, there is a large amount of free content available for the cost-conscious consumer.
You are one of the most known influencers on social media on cybersecurity. What makes you so successful and what kind of secret tips are you able to share?
I am a long-time blogger and very outspoken about technology and security, so social media has offered an excellent medium for sharing knowledge, learning from others, and collaborating. I believe that social media is not just about consuming content. Rather, it makes us all content producers.
When I produce content, my goal is to contextualize the technology landscape through metaphor or allegory. I do this often in the articles I publish or on my blog. This often involves attempting to organize information in unique and meaningful ways. My readers have expressed their appreciation for this approach and my following has slowly grown over a number of years.
Social media has also provided a great place for me to build on the ideas of others such as Dez Blanchfield, Evan Kirstel, Kevin Jackson, Jo Peterson, and Bob Carver. Such conversations continue to evolve the ongoing discussion on how to best protect against digital threats, use technology more effectively, or stay safe. I love being able to interface with so many great minds over social media.
Over 130,000 people follow you on Twitter alone - how do you manage all those fans?
130,000 sounds large, but this following has been growing over the larger part of a decade. My social network is one that has been cultivated by consistently producing content that resonates with my followers, being receptive to feedback, and staying focused on my core areas of technology and security, not the myriad other things that could distract or detract from a single never-ending conversation that ever evolves and grows with advances in technology and the innovative/transformative or sinister/destructive uses for it.
What is your analysis of the cybersecurity ecosystem in the US? What kind of trends and new use cases do you see?
We used to interact with computers on an as-needed basis. You might go to a computer to write a paper or search for information and then the computer was put away. However, today technology is more intimately involved in our lives. We have so many ways to communicate and most of them are electronic. It has been over a decade since texting became more popular than phone calls and this trend towards the digitalization of our lives continues. We have attired ourselves in technology, with the average person carrying several electronic devices with them.
Our intimate use of technology makes us more vulnerable to its misuse. Criminals can discover our location or other personal information from our devices or subvert our digital identities. The loss of such identifies as social media, email, or gaming personas can harm us even more because of our reliance upon them. Furthermore, our digital identities form a large part of our reputation. Our personal lives, methods of staying connected with one another, and reputations have never been so fragile as they are today. This is why cybersecurity is of paramount importance.
Cybersecurity cannot be decoupled from our lives any more than technology can. Rather, it must be incorporated into solutions in a robust, cohesive, and seamless way so that it actively protects us while not overburdening us along the way. Cybersecurity must continuously improve without requiring much direct interaction with those it protects. The cloud, AI, biometrics, and IoT are improving the entire lifecycle of cybersecurity.
However, our technological ecosystem is complex and delicate. If we liken it to an aquarium, our data would be the fish. The aquarium must be regularly maintained for the fish to survive. This includes ensuring proper water quality, filtration, and temperature. Cybersecurity uses antivirus, spam, and web filtering to sanitize the content we see. Aquariums also must be monitored for changes that could harm the fish such as algae buildup, aggressive behavior, or signs of illness. Cybersecurity uses SIEM, IDS, and other monitoring solutions to detect and protect against anomalies. Still, the average aquarium owner has medicine for various illnesses, isolation chambers or other tanks for overly aggressive fish, and tools to eliminate harmful levels of algae. Cybersecurity likewise has robust incident response plans, tools, and personnel to rapidly respond to cybersecurity events.
As more and more data is placed into our digital ecosystem, cybersecurity will need to be able to classify, scan, and protect that data. Similarly, improvements in computing speed require an even more rapid response from cybersecurity teams. Humans are frequently now the bottleneck in such scenarios so AI and complex response orchestration are being developed to act in the required timeframe. The future will see even greater human-machine partnerships in delivering the next generation of cybersecurity solutions.
What are the biggest threats to cybersecurity for private persons, small and midsize businesses and large corporations?
This is a great question because the threats are not the same for these groups. I would say that individuals are greatest threatened by a loss of personal privacy. It can be easy to discount privacy in an age where it is largely forgotten in some segments, but it is still of paramount importance. Privacy is a crucial element of freedom because a lack of privacy results in a loss of control. Loss of privacy can make it unsafe to perform some actions like going on vacation or attending a party. It should be each person’s individual choice on what they want to share with others.
Small and medium businesses are often targets of opportunity or used as a gateway into larger companies they may have a relationship with. This is why many of the larger companies send out questionnaires to their vendors to assess the steps the company has taken to protect the data they work with. The biggest threat to small and medium businesses is staying focused on cybersecurity when they do not have the resources to employ a dedicated person or team. Small and medium businesses struggle to ensure that security is implemented consistently and maintained at a level consistent with the organization’s risk tolerance level.
Large corporations are enticing targets for cybercriminals, nation-states, and hacktivists because of the vast amount of data they retain as well as their unique intellectual property. The attacks large companies face are often more sophisticated than those against smaller companies. Large companies must defend against groups that are well-funded, experienced, and tenacious.
What actions do you recommend to those three groups to increase cybersecurity?
Individuals should take an active role in protecting their privacy. Ensure that you understand what each online interaction costs you. Consider the information do you need to give up to use an app, enter a contest, or use a website and then make a value choice on whether a service provides equivalent value. Avoid interactions that do not produce a net positive result, and, when possible, remove your information from such services. GDPR is allowing consumers more insight and control in how their information is used, and it has fostered greater debate on privacy. Take part in the discussion and let your voice be heard.
Small businesses should consider where their core competency lies. Outsource some services or use the cloud. However, small businesses should make sure they have a resource to help them understand how their data and that of their customers or partners will be protected. Due diligence is required in selecting the right mix of managed services, clouds, and technologies so that security is implemented consistent with organizational risk tolerance as well as contractual and regulatory obligations. They will still need someone, whether that person is an employee, or a third party, who can speak to the controls that are in place, and how the company approached the selection of software, cloud services, or security controls.
Large companies often need a culture change. Their size and age are both elements that make culture change difficult and yet this is essential to ensure that the company as a whole is responsive and committed to security. The next thing to do is refine the incident response pipeline. Automation and integration can greatly streamline incident response processes by taking information from multiple systems and making that information available to those who need it when they need it. For example, the IR team should be able to review the data from in-scope machines as soon as an event is triggered. They should not have to conduct searches and gather the data; it should be presented to them. Each incident response is an opportunity to improve. Look at what activities could be automated. If decisions would be the same next time, consider how those decisions can be programmed into the system and automated to eliminate the human bottleneck.
What do you think about cyber insurance?
Cyber insurance is one component of a multifaceted cybersecurity strategy that must be paired with risk analysis, security controls, training, and governance. For example, we buy car insurance, but we don’t suddenly start driving on the wrong side of the road or stop wearing seat belts just because we have insurance. Similarly, cyber insurance is not a substitute for other strategic elements, yet it shouldn’t be ignored either.
An organization accepts some level of risk simply by being a part of the digital economy just like a driver accepts some level of risk that they might get into an accident when he or she gets behind the wheel. A company, just like that driver, will minimize that risk to the best of their ability but will use insurance to reduce the financial damages of such an occurrence. Cyber insurance helps ensure that resources will be available to respond to an incident and resume business operations without a catastrophic impact to the organization’s bottom line. Essentially, cybersecurity insurance needs to be balanced with the rest of the strategy.
A lot of traditional companies are struggling to adapt to the rapid changes we witness today. In your opinion, what do you think are the biggest opportunities for traditional companies to use the digital transformation?
Traditional companies have the advantage of a brand or service that is often mature and relatively well known, but the opportunities for growth are often limited. However, digital transformation offers these companies the opportunity to take that product or service to the next level and interface with customers in new and exciting ways. Innovative process and operational enhancements can make traditional products or services more profitable or more competitive as the cost of offering that service or creating the product goes down and as traditional services are delivered on demand or through self-service functionality.
Customers are eager to utilize the services and brands they are familiar with in the new digital economy. To do this, companies need to establish an entirely new way of doing things because digital transformation moves much faster than traditional companies have moved in the past.
What are the biggest hurdles traditional companies face to digital transformation and how should they overcome them?
Some traditional companies are trying to do too much on their own. The complexity of the modern technology ecosystem is too much for even the largest companies to handle on their own. The total cost of ownership on custom software today is much higher than ever before because of cybersecurity burdens.
Companies should ask themselves what their core competency is and how they differentiate themselves. They should then focus their attention and resources on improving in these areas and in identifying the most ideal cloud services or third parties for other services. This reduces the cost of delivering on their core competency and frees companies to pursue their original vision.
What would you recommend to young people that start their career in cybersecurity today?
This is an excellent time to start a career in cybersecurity. There is a large cybersecurity skill gap and companies are very competitive in recruiting talent. Those starting in cybersecurity today will see far different opportunities that were offered to me because the industry is much more mature. It is often hard to know what lies ahead, but the worst thing you can do is to stay idle waiting for that chance of a lifetime. Weigh the opportunities ahead of you and jump in. Use each opportunity to grow your competencies and connections. Recognize that there is always something you can learn and don’t be afraid to try something completely new and different. Each generation has its pioneers who are willing to step out and take a chance.
Thank you Eric.