As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Charles Denyer.
He is an Austin-based cybersecurity and national security expert who has worked with hundreds of US and international organizations in helping them obtain a true competitive advantage with cybersecurity, data privacy and regulatory compliance. He is a founding member and senior partner in two consulting and compliance firms.
He consults regularly with top political and business leaders throughout the world, including former vice presidents of the United States, White House chiefs of staff, secretaries of state, ambassadors, high-ranking intelligence officials, CEOs, entrepreneurs, civic leaders and others.
Later in 2021, Denyer will be launching the North American Cybersecurity Council (NACC), an industry-first organization aimed at addressing today’s current and emerging information security, cybersecurity, data privacy and regulatory compliance laws and regulations. He is an established author, with multiple titles published, along with forthcoming biographies of three of America’s former Vice Presidents: Dick Cheney, Al Gore and Dan Quayle. In early 2022, Denyer will publish Blindsided, an in-depth examination of today’s growing challenges with cyber-attacks, data breaches, terrorism and social violence.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in North Houston in The Woodlands, Texas, with five siblings and two parents that worked full-time. My father was a physician, and he started one of the first practices in my hometown. Meanwhile, my mother was busy with a number of businesses she founded and ran. I’m proud to say that I was a product of public education, from grade school through undergraduate. Look, with five siblings, you learned very quickly in life the meaning of sharing, but also how to fend for yourself! I’ve been told I am both left-brained and right-brained. I received a Bachelor of Arts in History from the University of Texas at Austin — I loved to write — but also received a Master’s degree in Nuclear Engineering from the University of Tennessee at Knoxville and a Master’s in Information Systems from the Johns Hopkins University as I loved math and computers! Go figure.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
On the morning of September 11, 2001, I was outside the grounds of the Pentagon, and with the horrific attack on our country that morning, it inspired a new mission for me, a personal calling, if you will, to help secure this nation for future generations, and to do all I can to help ensure another 9/11 never happens. I felt I could make an impact with my growing cybersecurity background. Fast forward 20 years later, and I can proudly say that I’ve worked with hundreds of organizations throughout the globe in helping them protect their critical assets.
Can you share the most interesting story that happened to you since you began this fascinating career?
I’ve been extremely fortunate to have the opportunity to work with some of the most recognized, notable brands around the world, and that has allowed me to understand the global business landscape like never before. It has also allowed me to consult with top political and business minds around the world. From CEOs to Prime Ministers, their personal and professional stories are incredibly intriguing and thought-provoking.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Vice President Dick Cheney has had a big — and lasting — impact on my life. The former Vice President was highly instrumental in shaping the Bush administration’s policies on the new global war on terror. As I reflect back, it’s amazing how Vice President Cheney understood the complexities of our enemies, how we had to fight them and the overall gravity of the new age of warfare we were entering. I learned so much about politics, business and the world at large from this enormously consequential figure. Because of the vast amounts of time I’ve spent with him over the years, naturally, he has had a big impact on how I assess and see the world.
When you spend one-on-one time with arguably the most powerful US vice president ever — and one of the world’s most influential political operatives — you learn so much. He is a fascinating man, and I’ve been honored to spend so much time with him.
Are you working on any exciting new projects now? How do you think that will help people?
Yes, I am. In late 2021/early 2022, I plan on launching a nationwide cybersecurity association — the North American Cybersecurity Council (NACC) — something that is really a first in terms of the depth and products/services offerings for such an entity. It’s going to be exciting. My steadfast goal is to make the NACC the nation’s premier organization for cybersecurity. Then I’m also working on a number of publications later this year and beyond. On Thanksgiving Day, November 25, 2021, I will be releasing Vice President Cheney’s authorized biography. As his personal biographer, the book will be a comprehensive portrait of Vice President Cheney, both his personal and political life. I’m also putting together another publication, Blindsided, which will be published in 2022. As a national security and cybersecurity expert, Blindsided really speaks to my professional career, giving readers an in-depth examination of today’s growing challenges with cyber-attacks, data breaches, terrorism and social violence. And if you want to look even further down the road, I’ll be writing two additional biographies for former Vice Presidents Dan Quayle and Al Gore.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Pace yourself. Baby steps. Crawl before you walk. However you want to say it, it’s really quite simple — do not get overwhelmed with the tasks at hand. Break them down into bite-sized projects, and you’ll get them done. I’m often asked how I can write so many books with a full-time career. The answer is simple — I only write 250 words a day — yes, a true statement! But over the course of a year, or a year and a half, that’s a 90,000 to 125,000 word manuscript or a full book!
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The first exciting thing is all the new and incredible technology just on the horizon for fighting the never-ending cybersecurity war. It seems like all we hear about are the bad guys, and how they’re winning the war in cybersecurity. The media loves to portray the dark, shadowy persona of hackers and how they’re causing havoc around the world. But what they don’t always cover are the plethora of security companies that are developing industry-leading, next-generation monitoring and detection tools. Cyber is big business, and big tech knows this, so the R&D is out there, being spent, resulting in sophisticated solutions coming to the market.
Second, finally, and thankfully, cybersecurity, and cybersecurity roles, are now being taken seriously, are respected, and are in demand, big demand! For so many years, cyber experts were not given equal merit, pay, or consideration in the boardroom, well, that’s all changed. The importance of cybersecurity is so apparent now throughout the broader business community. Colleges are offering degrees specific to cybersecurity. Companies are requiring their audit committees and boards to include individuals with cyber expertise. C-level positions are now including formal titles for cyber professionals.
And third, I would have to say that no mention of cybersecurity would be considered complete without a discussion of AI. Artificial Intelligence — simply known as “AI,” is intelligence demonstrated via processing by machines, particularly, computing systems. AI is everywhere, used by almost everyone, every day. By 2021, artificial intelligence (AI) augmentation will create 2.9 trillion dollars of business value and 6.2 billion hours of worker productivity globally, according to Gartner, Inc.
AI is permeating every conceivable industry, and by 2021, estimates are that approximately 75 percent of enterprise applications will use AI. IDC also predicts that by 2021, 15 percent of customer experience applications will be continuously hyper-personalized by combining a variety of data and newer reinforcement learning algorithms.
There are also benefits when it comes to AI and cybersecurity as many of these systems can “learn” and adapt in helping keep organizations safe and secure. Specifically, cybersecurity firms are now front and center in building and configuring AI systems that can detect, identify, quarantine, and ultimately thwart cyber-attacks from both external and internal threats.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The threats are everywhere, both external and internal, so many in fact that I could write a book on them! But in terms of the most critical threats, companies need to be aware of the growing insider threat. For years, we all worried about external threats to one’s environment. The DoS and DDoS attacks. The hackers trying to force their way into networks from thousands of miles away, typically attacking without notice. There are droves of spam that saturate emails with malware links. Well, those threats abound, are alive and well, causing extreme havoc for unsuspecting victims.
Yet what’s also taking shape now — and will continue to grow in 2021, and beyond — are insider threats. Call it the enemy within, which means organizations are now fighting a new kind of war. As a business, you now have to look inside to nefarious employees and contractors who can create just as much damage — often more — than the well-known external threats. As to the types of insider threats, they’re plentiful, and growing by the day in both sophistication and regularity.
And let’s talk about the Internet of Things (IoT), another huge issue for companies. In the broadest sense, IoT encompasses essentially everything that’s connected to the Internet. It’s about devices, networks, data, interconnectivity and more. Think simple sensors, smartphones and more. IoT has become and will continue to grow into an ecosystem of connected devices that knows no end. There are billions of connected devices in use, and billions more on the way. But with great benefits in technology also come great risks, particularly when it comes to security in the IoT landscape. There’s a massive amount of data traversing the world of IoT that’s been collected, analyzed and stored. To the cyberhackers of the world, it’s a new world of opportunities for stealing gigantic amounts of highly sensitive data on consumers.
Here’s a short list of cybersecurity threats currently facing IoT, and will continue to be front and center in 2021 and beyond:
- Overall lack of a “security first” mindset when companies are developing their IoT products. With such a “rush to market” mentality, unfortunately, too many times security becomes an afterthought.
- Lack of security patches and updates.
- Using IoT devices for botnets for attacking networks.
- Insecure communication protocols.
- Use of default passwords and weak authentication protocols.
- External hackers and unauthorized remote access.
- Leaking of personal consumer information and data theft.
- Highly sensitive IoT devices being compromised (such as in healthcare, banking/financial services, energy).
- Sheer volume of devices (more of them, means more threats).
- The potentially dangerous intersection of Artificial Intelligence (AI) and IoT.
- The human factor.
- Growing privacy concerns.
- And there’s always the threat of automation replacing humans, so one has to consider the thought of potential unemployment issues that IoT could create. Is there merit to such issues? Well, it’s hard to know, because if you think about it, for every job that IoT makes more efficient, one could argue it allows for opportunities in other sectors of the economy for that supposedly displaced employee.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I’ve had the unfortunate — and that’s the best word to use — experience of being involved in a cybersecurity breach for some of my clients. But what I can say is that what “fortunately” came out of the incident was that proper planning and execution saved the day. My clients had a well-documented cyber incident response plan in place, and that made all the difference in terms of mitigating the attacks and subsequent breaches of data. The main takeaways — or lessons learned — are that no matter how secure you think you are, a breach can happen at any time, so be prepared. And being prepared means putting in place a comprehensive Incident Response Program, one that includes the following measures for all the programs I develop for my clients around the world:
- Initial Response and Containment
- Security Analysis | Recovery and Repair
- Post Incident Activities and Awareness
- Reporting of Suspected Incidents
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
The biggest cybersecurity tool I use is a Virtual Private Network (VPN). In its most simplistic explanation, a VPN lets you go online — anonymously and securely — without having your network compromised or being tracked. I always use a two-factor authentication protocol when accessing my personal gmail.com account. And I practice what I call good cyber hygiene — using anti-virus, not clicking on links that look suspicious — as these are general best practices.
But let’s also talk about what I DON’T use! I don’t use public computers, those at a computer/copy store, those at a hotel business office, or those at a public kiosk. They are often riddled with viruses, and could easily infect any network you try and access while on these systems. If it’s not your computer, don’t use it, plain and simple.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
No matter how much we preach the importance of cybersecurity, for smaller companies, it often comes down to money. They’re in business to sell a product or service and generate a profit — after all, that’s capitalism! But even with that said, my recommendation is to create a culture around cybersecurity with some very basic measures — measures that do not require extensive resources in terms of time, money and staff. Here is what smaller companies should be doing for cybersecurity:
(1). Use a VPN at all times when connecting to the company network. VPNs are inexpensive, easy to use and easy to implement.
(2). Use Two-Factor Authentication. Much like a VPN, two-factor authentication is inexpensive, easy to use and easy to implement.
(3). Apply security awareness training. It is so helpful, and once again, inexpensive.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Ransomware is the first and most obvious sign that a breach is either underway, or has already occurred. At that point, you’ll need to notify IT personnel immediately. Also, if you’re receiving a large number of spam emails, that means the hackers could potentially be getting by your network monitoring tools and solutions, with a breach just one bad click away. If you see an uptick in these types of emails, again, notify IT personnel immediately. And lastly, if your laptop is suddenly running slow or bogged down with pop-up ads, you may be infected, meaning your company’s network could have been — or soon will be — infected and a breach may be in the works. Whatever the issue is, speed is of the essence — meaning, contact IT immediately.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
First and foremost, stop the bleeding, as the old saying goes. Quarantine the issue, immediately, and as best as possible to further mitigate a compromise of the network, if at all possible. Second, have qualified and competent InfoSec personnel engaged and executing on any number of critical issues for minimizing the damage to the organization. Third, start to think about the impact on your customers, the legal and privacy issues, and how to address these concerns. In today’s litigious world, if there’s a breach that’s unfolded, the lawyers will come swarming, so be prepared. And also, take time to protect your organization’s brand and positioning in the public eye, however that needs to be done.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
Well, they have not only affected my business in terms of having to help organizations in understanding the complexities of these new data privacy laws, but they’ve affected businesses throughout the world in a myriad of ways. The GDPR — and then CCPA — have been a huge wake-up call to the global business community in that data privacy is now a serious issue, and just as important, citizens have rights regarding their data. I really look at the GDPR, CCPA — and other forthcoming privacy laws and regulations — as an individual’s privacy bill of rights. Sure, these laws speak quite a bit about protecting personal data, but they speak heavily about the rights and privileges afforded to an individual, and this is important for businesses to be aware of.
Businesses are going to have to spend considerable time and effort in developing and implementing comprehensive data privacy programs. Specifically, a business will need to fully know, understand — and document — how personal data and information is collected, used, stored, shared, protected, retained and disposed of. These privacy laws are a game-changer, no question about it. A lot of what I do today with the GDPR, CCPA and PIPEDA (Canadian Privacy law) is developing customized data privacy programs from scratch.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Great question. Truth be told, the mistakes that are causing companies problems are often not the sophisticated issues. What I mean by that is the following: Companies often have an adequate set of InfoSec tools, such as firewalls and network monitoring tools, etc. That’s often not the issue. What is the issue is that they often lack the cybersecurity expertise to execute, monitor and “man” these resources! That’s the biggest issue, in my opinion — a lack of cyber talent, and ultimately, the biggest mistake — not taking the time to hire and retain cyber talent. Sure, it’s a tight labor market where good people can be hard to find, but regardless, they’re still out there. The second mistake is that organizations fail to implement a true cybersecurity culture, one that fosters the importance of cybersecurity and how they should be changing many of their business practices. Cybersecurity is not a one-and-done or on-and-off scenario. It’s about authentic cultural change within organizations, something that can be very challenging.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes, absolutely, a big uptick as we all work from home now. This new type of teleworking means almost all forms of meetings and communication are happening with the likes of Zoom, Webex and other video conferencing platforms. This results in massive amounts of private data being shared with multiple parties on these meetings, making it so easy to screen capture a company’s highly sensitive data. Additionally, companies have failed to enact adequate work-at-home/telecommuting policies and procedures, leaving employees to guess what they think are best practices, or even worse, do whatever they want in terms of working from home.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Developing a comprehensive Cybersecurity Program not only is a best practice every organization should be implementing; it’s become a strict requirement for many of today’s growing security and compliance reporting frameworks. Organizations are under attack like never before from both internal and external threats. From hackers stealing data thousands of miles away to malicious employees downloading sensitive files onto USB drives and other portable memory devices, your organization — and your data — are under attack, so now’s the time to fight back.
The most important aspect to developing and launching your very own Cybersecurity Program begins by embracing five essential ingredients — or “Functions” as they’re known in the NIST Cybersecurity Framework — and then implementing them one-by-one.
More specifically, the well-respected and widely-known NIST Cybersecurity Framework consists of the following five “Functions” — Identify, Protect, Detect, Respond and Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. In the end, these five “Functions” essentially make up both the roadmap and the overall architecture of an organization’s comprehensive Cybersecurity Program.
Whatever the industry/business sector: healthcare, financial services, manufacturing, defense, and more — and regardless of your size or location — following this proven roadmap will put you on the path to developing your very own Cybersecurity Program. What’s more, many of the policies, procedures and programs put in place will help suffice for a large number of today’s regulatory compliance reporting requirements. That’s the textbook definition of a WIN-WIN scenario!
The first of five “Functions” to assess when developing a Cybersecurity Program is to “Identify,” which effectively means to develop an organizational understanding to manage one’s cybersecurity risks regarding information systems, people, assets, data, capabilities and more. Remember something very important in the world of cybersecurity — you can’t protect what you don’t know you have. Therefore, the importance of identifying organizational assets — an inventory of one’s information systems if you will — is of the highest priority. The activities in the “Identify” function are essential to laying the groundwork for building and administering a Cybersecurity Program.
The second of five “Functions” to assess when developing a Cybersecurity Program is to “Protect,” which effectively means to develop and enact appropriate safeguards for ensuring the delivery of critical services. The activities in the “Protect” Function are key components for your Cybersecurity Program.
The third of five “Functions” to assess when developing a Cybersecurity Program is to “Detect,” which effectively means to develop and apply appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables the timely discovery of cybersecurity events, and therefore is a critical element of your Cybersecurity Program. Examples of outcome “Categories” within this Function include: Anomalies and Events, Security Continuous Monitoring and Detection Processes.
The fourth of five “Functions” to assess when developing a Cybersecurity Program is to “Respond,” which effectively means to develop and execute appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident, which means developing a comprehensive Incident Response Program.
The last of the five “Functions” to assess when developing a Cybersecurity Program is to “Recover,” which effectively means to develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident, which means having in place an incident response program and a Business Continuity Disaster Recovery Planning/Contingency Planning (BCDRP/CP) program.
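The “Identify” function above rests on the point that you can’t protect what you don’t know you have. The following is an added example, not code from the interview or from Denyer’s firms, showing the kind of reconciliation an inventory owner runs: an authoritative asset list is compared against what is actually observed on the network, and anything unknown (observed but never inventoried) or missing (inventoried but not seen) is reported. The hostnames, IP addresses, owners and both input formats are constructed sample data, and the CSV/lease-style layouts are assumptions for illustration only.

```python
"""Reconcile an authoritative asset inventory against observed hosts.

Supports the NIST CSF "Identify" function: unknown devices are a gap in the
inventory, and inventoried devices that are no longer seen may have been
decommissioned without the records being updated.
"""
from dataclasses import dataclass

# Constructed sample: the authoritative inventory (what we believe we have).
INVENTORY_CSV = """\
hostname,ip,owner,criticality
web-01,10.0.1.10,platform,high
db-01,10.0.1.20,data,high
laptop-jsmith,10.0.2.15,it,medium
printer-03,10.0.3.5,facilities,low
"""

# Constructed sample: hosts actually observed on the network, e.g. exported
# from a DHCP lease table or a discovery scan ("<ip> <reported name>").
OBSERVED_HOSTS = """\
10.0.1.10 web-01
10.0.1.20 db-01
10.0.2.15 laptop-jsmith
10.0.2.99 unknown-raspberrypi
10.0.1.30 backup-02
"""


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str
    criticality: str


def parse_inventory(text: str) -> dict[str, Asset]:
    """Parse the CSV inventory into a map of IP address -> Asset."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    assets: dict[str, Asset] = {}
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        asset = Asset(row["hostname"], row["ip"], row["owner"], row["criticality"])
        assets[asset.ip] = asset
    return assets


def parse_observed(text: str) -> dict[str, str]:
    """Parse '<ip> <name>' observation lines into a map of IP -> reported name."""
    observed: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            observed[parts[0]] = parts[1]
    return observed


def reconcile(inventory: dict[str, Asset], observed: dict[str, str]) -> dict[str, list[str]]:
    """Return the Identify-function gaps as sorted IP lists.

    unknown: observed on the network but absent from the inventory
    missing: in the inventory but not observed (stale record or outage)
    known:   present in both, i.e. the inventory is accurate for these hosts
    """
    inv_ips, obs_ips = set(inventory), set(observed)
    return {
        "unknown": sorted(obs_ips - inv_ips),
        "missing": sorted(inv_ips - obs_ips),
        "known": sorted(inv_ips & obs_ips),
    }


def report(inventory: dict[str, Asset], observed: dict[str, str]) -> list[str]:
    """Produce human-readable findings; high-criticality gaps are called out."""
    gaps = reconcile(inventory, observed)
    lines = [f"UNKNOWN device {ip} ({observed[ip]}): add to inventory or remove from network"
             for ip in gaps["unknown"]]
    for ip in gaps["missing"]:
        a = inventory[ip]
        tag = "HIGH-CRITICALITY " if a.criticality == "high" else ""
        lines.append(f"{tag}MISSING {a.hostname} ({ip}, owner {a.owner}): confirm status")
    return lines


if __name__ == "__main__":
    for finding in report(parse_inventory(INVENTORY_CSV), parse_observed(OBSERVED_HOSTS)):
        print(finding)
```

Run against the constructed data, the two unknown hosts (10.0.1.30 and 10.0.2.99) are the actionable output: each is either an untracked asset that needs an owner and a record, or a device that should not be there. The missing printer is a lower-priority follow-up, but the same check on a high-criticality server would flag an outage or an undocumented decommissioning.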
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Though we’ve been on the topic of cybersecurity, let me shift to something totally different. The youth of America are the future of this exceptional, innovative nation, so why not put in place legislation offering mandated Internet access and computers to the millions of underprivileged children. It may surprise us that a large majority of children in this country have no access — virtually zero access — to the Internet. Denying them this fundamental opportunity puts them at such a disadvantage in their upbringing. We need to change this. As the old saying goes, knowledge is power, so let’s empower our youth so they can attain future success.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!