As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Dr. Mike Lloyd. He has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 21 patents on security, network assessment, and dynamic network control. Before joining RedSeal, Mike Lloyd was Chief Technology Officer at RouteScience Technologies (acquired by Avaya), where he pioneered self-optimizing networks. Mike served as principal architect at Cisco on the technology used to overlay MPLS VPN services across service provider backbones. He joined Cisco through the acquisition of Netsys Technologies, where he was the senior network modeling engineer.
Dr. Mike Lloyd holds a degree in mathematics from Trinity College, Dublin, Ireland, and a PhD in stochastic epidemic modeling from Heriot-Watt University, Edinburgh, Scotland.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born in England, although I grew up in Ireland, got a degree in Scotland, and going way back, my name is Welsh. So, when people ask where I’m from, I say “those islands.” I’ve been living in America for about thirty years now — I’m a dual citizen.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Back in the 1980s, I was an epidemiologist pursuing a PhD in the spread of disease across networks of human contact. I guess you could say I got “infected” with those ideas and have been applying them to different fields ever since. I’ve considered looking for a new problem to work on, but this one keeps pulling me back in. In the 90s after I got my PhD, I realized I could apply epidemic models to computer networks — they work in remarkably similar ways (I also realized I could make a lot more money commercially than I ever would inside a university). During the 00s, I focused on controlling networks to make them work better, then in the 10s and now the 20s, I’ve been applying the same ideas to cybersecurity. This stage is the best yet — our networks are so complex and so hard to think about, that my obsessive pursuit of computer-based network models has proven really useful. I’ve learned that we can create systems far more complex than we can understand. We need help untangling all the tricky interactions we’ve built up. That’s what network modeling is for: helping us understand the complexity we build, because we’re so bad at doing it ourselves.
Can you share the most interesting story that happened to you since you began this fascinating career?
There are too many stories! I remember one financial organization who looked at our security model of their network, then told us “we can’t use this — it’s too accurate!” They meant they’d never make it through another audit if an auditor saw what we had easily found. That bank is no longer in business.
I’ve also gotten used to showing someone a detailed model of their environment, having them stop me at some point, saying, “can you hang on a minute?” and leaving for a while. The first few times it happened, I figured they just had an interruption they couldn’t avoid. What I learned was they would stop me as soon as they saw something in the model that was so appallingly, egregiously wrong, they would get up, close the door, yell at people to go fix what we found, then come back once they knew it was getting fixed. I learned that if you can get someone to leave the meeting, it means you’ve got a sale!
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I know I’ll never repay the debt of inspiration I took from the great teachers I’ve met along the way. Professor Antony Unwin probably had the most profound effect on me — he was my first PhD supervisor. He encouraged my interest in making complex systems understandable by making visuals out of them and using simulation to watch how they behave. This was creative, but it’s an approach that lacks any well-defined academic home. What I was interested in fell between departments — I started out in Mathematics, then Statistics, and ended up doing Epidemiology in an Actuarial department — but what I was after didn’t fit any of them well. Professor Unwin didn’t mind, and he helped me understand that all that mattered was good work on interesting problems. He also taught me how to be creative about funding, since when you follow your idiosyncratic dreams, you often won’t fit the pigeonholes people have set out for you. If I look back, I think I can say I haven’t followed any standard career pathway since I worked with him.
Are you working on any exciting new projects now? How do you think that will help people?
In today’s world, the topic of Machine Learning has been wildly over-hyped and misunderstood. Specialists can tell you that we’ve been the same “10 years or so” away from general computer intelligence since Alan Turing first mused about it in the 1940s. Movies make it seem like malicious and superior robots are just around the corner, but the reality is software remains rugged but dumb — powerful, but incapable of explaining itself. What fascinates me is how humans and computers can work together as teams. The payoff can be immense; like a highly compatible couple, computers are strong where we are weak, and vice versa. But the marriage faces challenges. Humans won’t trust an inscrutable black box that just pronounces answers, but we often can’t understand where those answers came from. We could be much more efficient and effective if humans and computers could figure out our differences. In my day job, I see that we could build far better networks, with resilience and security. Since we use networks in all aspects of our lives, that could change everything. Our fragile networks hold us all back, and they are fragile because we don’t understand them.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
There’s an old remark about “do what you love, and you’ll never work a day in your life.” That’s along the right lines, although if we’re honest, none of us ever wakes up loving the idea of doing our job every single day. I find patience is essential — it’s a marathon, not a sprint. I know I’ll have periods where I get distracted or unproductive. Any time I’ve fallen off, I find the best way to get back up on the surfboard again is to meet with customers. There’s nothing like the thrill of knowing you helped someone else get something done that they needed and valued.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Only half joking, security must be the most future-proof job out there! The work I do would no longer be necessary if the world were to convert to radical simplicity instead of building ever more complex systems. I’m not expecting that to happen.
Cybersecurity is also an endeavor that touches everyone who has any kind of online presence. That’s essentially everyone in the world, apart from a few uncontacted tribes. We’ve rushed headlong into uncharted networked territory, and the rate of innovation is showing no signs of slowing down. This is both terrifying and thrilling — the future of how we integrate networks into our lives will depend on how much we can trust them.
More personally, I love hard problems, and cybersecurity is what military people call a “target rich environment.” There’s an ancient Greek idea that happiness comes not from idle rest, but from success in overcoming resistance. Cybersecurity is a great field if you see life this way — the number of tractable problems in need of attention is so large that anyone can find something they can work on and make a contribution.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
People are always the weakest link — we are easy to fool, and we depend on mutual trust for our social interactions. Bad guys know this and are always finding clever ways to exploit our trusting nature. We do slowly learn, and by now many people know not to click on links in unexpected emails. But email is relatively easy to evaluate dispassionately once you get the knack. The next stage is likely to be deepfakes — convincing visual evidence (photos or apparent video) of people we know and trust, telling us to do things that are not in our interest. It’s not going to be easy to get people to adapt to a world where realistic footage can’t be trusted any more.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
There was an incident with a large bank, where we built a model of their entire network. It was vast, complex, and interrelated in an impenetrable tangle. We searched for the highest priority problem we could, and the software pointed to a single-letter typo in an obscure corner full of their external links to outside banks. How could a single letter, in this one corner, be so important? Well, the device in question had a carefully written security policy on it, which had been audited and checked out, but the typo (which got a name wrong, by one letter) meant the policy wasn’t applied. The device was left wide open to a bank with ties to the Chinese government. Anyone could come over that link and go anywhere they wanted in the bank’s network.
The takeaway was that mistakes can hide in plain sight. No human audit over the years had caught this. The only way to find it was to ask holistically “what can get into my network from outside?” This is a simple question, but not one humans can answer without computer-based help. There are simply too many details and interactions to check.
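The one-letter typo in that story is a dangling reference: an interface applies a policy by name, but no policy with exactly that name exists, so the device ends up filtering nothing. The following is an added example, not code from the interview or from RedSeal, showing the narrow version of that check that a defender can run over a device configuration. It assumes a simplified IOS-style syntax (`ip access-list extended NAME` defines a policy, `ip access-group NAME in` applies it) and a constructed sample config in which `EXT-BANK-IN` is defined but `EXT-BANK-1N` is applied on the partner link; the interface and policy names are invented.

```python
import re
from difflib import get_close_matches

# Constructed, simplified IOS-style configuration (assumption: not any bank's real
# config). EXT-BANK-IN is defined, but the partner-link interface applies EXT-BANK-1N.
# Many platforms silently pass all traffic when the referenced ACL does not exist,
# which is the "policy wasn't applied" failure described in the story.
SAMPLE_CONFIG = """\
ip access-list extended EXT-BANK-IN
 permit tcp host 198.51.100.7 host 192.0.2.10 eq 443
 deny ip any any
!
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny ip any any
!
interface GigabitEthernet0/1
 description Link to partner bank
 ip address 198.51.100.1 255.255.255.252
 ip access-group EXT-BANK-1N in
!
interface GigabitEthernet0/2
 description Management
 ip address 192.0.2.1 255.255.255.0
 ip access-group MGMT-IN in
!
interface GigabitEthernet0/3
 description Unfiltered uplink
 ip address 203.0.113.1 255.255.255.252
!
"""

DEFINE_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
INTERFACE_RE = re.compile(r"^interface (\S+)")
APPLY_RE = re.compile(r"^\s*ip access-group (\S+) (in|out)")


def parse_config(text):
    """Return (defined_acl_names, applied) where applied maps
    interface name -> list of (acl_name, direction) tuples."""
    defined = set()
    applied = {}
    current_if = None
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defined.add(m.group(1))
            current_if = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current_if = m.group(1)
            applied.setdefault(current_if, [])
            continue
        if line.strip() == "!":  # section terminator
            current_if = None
            continue
        m = APPLY_RE.match(line)
        if m and current_if:
            applied[current_if].append((m.group(1), m.group(2)))
    return defined, applied


def find_policy_gaps(text):
    """Flag interfaces that apply an ACL which is never defined (a dangling
    reference, e.g. a one-letter typo) and interfaces with no inbound ACL at all.
    For a dangling name, suggest the closest defined name so the typo is obvious."""
    defined, applied = parse_config(text)
    findings = []
    for iface, acls in applied.items():
        if not any(direction == "in" for _, direction in acls):
            findings.append({"interface": iface, "problem": "no inbound ACL",
                             "acl": None, "suggestion": None})
        for acl, direction in acls:
            if acl not in defined:
                close = get_close_matches(acl, sorted(defined), n=1, cutoff=0.8)
                findings.append({"interface": iface, "problem": "dangling ACL reference",
                                 "acl": acl, "suggestion": close[0] if close else None})
    return findings


if __name__ == "__main__":
    for f in find_policy_gaps(SAMPLE_CONFIG):
        print(f)
```

On the sample config this reports `GigabitEthernet0/1` applying the undefined `EXT-BANK-1N` (closest defined name `EXT-BANK-IN`) and `GigabitEthernet0/3` carrying no inbound policy at all. It is deliberately a per-device check; it does not answer the holistic “what can reach me from outside?” question the interview describes, which needs a model of every device and link together.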
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
In real estate, they say the top 3 things are “location, location, location.” In security, it’s “inventory, inventory, inventory” — you cannot secure what you don’t know you have. The trouble is, it’s extremely hard to gather a complete inventory. My advice to anyone responsible for security is to go back and make one more step in inventory every time you take a step in any other more advanced project — it’s that important. My top choices for tools follow this idea — start with catalogs built up by other teams (often in spreadsheets). Find servers, find cloud data centers, find laptops, find network equipment. Every one of these needs a different approach. Cloud doesn’t work the same way as legacy data centers, and now that we are all working from home, you can’t find laptops by scanning the corporate office anymore.
The next stage is to compare the different inventory sources to each other. I use my own software (RedSeal) to do this, but you can make a monster gap-finder spreadsheet yourself if that’s easier. The trick is to compare data across silos — this is the best technique I’ve ever found to fix gaps in any one of the silos.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Every security team is short-staffed — it’s not just small organizations. We’ve drained the talent pool — there are more jobs for security professionals than the world can produce in a year. None of us have the number of skilled specialists we wish we had. The first step is to assign responsibility for the question, “Have we done what we can?” Even if you don’t have a full-time CISO, someone has to be able to assert to the board that the basic dotting of I’s and crossing of T’s in cybersecurity has happened. Trying to make do with some off-the-shelf products, without having any idea how to perform a basic risk assessment of your business, is like setting up your factory in a flood plain where land is cheap, and just assuming the flood won’t come. It surely will, and you need to be prepared.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
It’s important to realize that attackers are people too, with their own motivations and goals. They don’t want to be found, and they are very good at hiding (This goes back to why inventory is so important — if you have any parts of your network you can’t see, then both the highly skilled attackers and the simply lucky ones will gravitate there).
There’s an observation from my background in infectious disease that, interestingly, diseases evolve to be less and less fatal over time. This is the opposite of what our fears would suggest, so why does it happen? It’s because the disease is less successful in the long term if it kills its host. From its point of view, the best strategy is to keep you alive, especially if you can continue to spread disease genes. Likewise, cyber-attacks will sometimes be shocking and newsworthy, but most will become more like parasites who can make a living off our networks without damaging anything too vital. There are creepy crawlies who have evolved to inject mild anesthetic when they bite us, so that we are less likely to notice them, and cyber-attacks are evolving the same way.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The worst thing is to plan your response after you learn that you’ve been breached. Sadly, in today’s world, breaches are all but inevitable. Businesses know how to plan for bad events — succession planning for leaders, or natural disasters. Cyber-attacks should be treated similarly. The best organizations don’t just acknowledge that it’s a scary world out there on the Internet, they plan for a breach. They practice scenarios, so that people in IT get to know the people in media relations and crisis management, and all the various teams that have to work together when the organization is suddenly front page news.
There’s no question that privacy is the next frontier in cybersecurity. What’s interesting is the way it inverts the model of who we assume might not be trustworthy. Traditional security thinking assumes the company is the victim, whether attacked from outside or from the unusual malicious insider. Privacy regulations invert this, asking how we can empower individuals to push back on corporations who, whether they intend to or not, threaten their individual privacy interests. Like any kind of safety regulation — for example, fire codes — there will be people who complain that they can’t make enough profit if we demand they make fireproof buildings. But we have to get past that — there is a legitimate need to prevent the next great fire of London or Chicago, even if it drives up costs for everyone, and there is a legitimate need to protect the information about individuals, even if it makes some marginal businesses unprofitable.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The companies who mishandled breaches are those who took too long, tried to cover up the issue, or miscommunicated what happened. This reaction can be understandable — there’s a lot of fear, uncertainty, and doubt to get through. It is always a surprise when you realize someone has broken in, but the better you know your own organization, the faster you can respond. It’s critical to have a working map of your business and infrastructure so you know where critical assets are and what depends on what. Things won’t go well if you have to figure this out live, while you’re trying to update the press, the public markets, and your regulators.
Perhaps the most persistent and oldest mistake in security is “checklist thinking” — imagining that if we just check each resource we use against some hardening rules, we’ll be fine. This fallacy is like assuming that a house built out of individually solid bricks must be a solid structure. Of course, this is nonsense — houses are complex interacting systems, and our networks are far more complex. Checklists are necessary. I’m a pilot in my spare time, and I use checklists every time I fly. However, checklists alone don’t guarantee a safe outcome for a flight — that only comes from a flexible and intelligent response to a dynamic, evolving flight environment. The same is true in our networks.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
What’s remarkable about the pandemic is how well our businesses have adapted. It turns out people are quite productive when they can only meet online! If we’d known in early 2020 how long this event would last, some would have predicted a great cybersecurity conflagration caused by the final loss of the hard corporate network perimeter. But those in the know knew that “hard shell” around a company had become porous years ago.
Of course, we do see charlatans and tricksters trying to exploit whatever emotive topics they can — election year politics, stock market shifts, and yes, the pandemic too. Sadly, this technique works, because we are still the naked apes who evolved on the savannah, where fast and fearful reactions to anything that might be a predator were a better survival strategy than naïve optimism. So the pandemic is exploited, but if it hadn’t happened at all, the bad guys would have found something else to trick us with.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Five? Wow. Well, as noted before, I could make the first three all say “inventory,” but I’ll keep it to just one:
- Inventory — I’ve never found an organization larger than 100 people who had a complete inventory of their network and all the assets they have. Bad guys will hide wherever you cannot see, so fixing this first is essential.
- Compare data silos — everyone has organizational silos, and they always disagree. I used to think this was a barrier to get over before moving on to more important analysis, but CISOs taught me that I had it backwards. It’s a primary security signal to realize that for example, your scanning team don’t see the world as the same shape and size as the networking team. Only security is obsessed with a complete picture of everything. They can bring value to the other teams and solve their own problems (see point 1) by doing gap analysis between data silos.
- Map it all — building a complete inventory would be great, but then what? It’s just a data mountain, and it’s going to need data mountaineers. Your data lake won’t just analyze itself. To get started, think visually — map your network, both in the cloud and on prem, and draw out every business flow that you know about. (Software can be a big help getting the picture right and showing more gaps).
- Harden the elements — “checklist thinking” has its limits, but you wouldn’t go to war with faulty tanks and unreliable planes if you could possibly avoid it. Basic hygiene really matters, in cybersecurity just as much as in a pandemic. It’s tough, because cyber hardening guidelines keep changing — what used to be secure enough yesterday is weak tomorrow — and because there are so many elements to check. Automation of this level is the only practical way to get to high levels of compliance.
- Run wargames — you know an attack will land sooner or later, so it pays to prepare. You can prioritize your defensive spend and practice your response to truly devastating events by running wargames against both your people and your technology. Software can be used to analyze your defensive posture, but people will also need to practice their incident response drills so that you’re not caught flat-footed when the FBI, or worse, journalists suddenly start calling to tell you about a breach you didn’t detect yourself.
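The “monster gap-finder spreadsheet” mentioned earlier, and point 2 above, both come down to the same operation: take two inventories that were never meant to agree and list exactly where they disagree. The following is an added example, not code from the interview or from RedSeal, of that comparison in Python. It assumes two constructed CSV exports (a vulnerability scanner’s results and the networking team’s CMDB/IPAM export), invented hostnames and RFC 1918 addresses, and the simplification that a host is identified by its IP and by its short hostname; real exports will need their own column names and normalization rules.

```python
import csv
import io
import ipaddress

# Silo 1: what the vulnerability scanner saw on the wire (constructed sample).
SCANNER_CSV = """\
ip,hostname,last_seen
10.0.1.10,web01.corp.example,2024-03-01
10.0.1.11,WEB02.corp.example,2024-03-01
10.0.2.50,,2024-03-01
10.0.3.7,db01.corp.example,2024-02-10
"""

# Silo 2: what the networking team's CMDB/IPAM says exists (constructed sample).
CMDB_CSV = """\
hostname,ip,owner
web01,10.0.1.10,web-team
web02,10.0.1.12,web-team
db01,10.0.3.7,dba
legacy-app,10.0.4.99,unknown
"""


def normalize_host(name):
    """Lowercase and strip the domain so 'WEB02.corp.example' and 'web02' compare equal."""
    name = (name or "").strip().lower()
    return name.split(".")[0] if name else ""


def load_silo(csv_text, ip_col, host_col):
    """Parse one export into {ip: short_hostname}. Rows whose IP does not parse are
    returned separately rather than silently dropped: a malformed row is itself a gap."""
    by_ip, bad_rows = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = str(ipaddress.ip_address(row[ip_col].strip()))
        except ValueError:
            bad_rows.append(row)
            continue
        by_ip[ip] = normalize_host(row[host_col])
    return by_ip, bad_rows


def gap_analysis(scanner, cmdb):
    """Compare the two silos. Each category is a distinct security signal."""
    scanner_ips, cmdb_ips = set(scanner), set(cmdb)
    by_addr = ipaddress.ip_address  # sort numerically, not lexically
    # Seen on the wire but absent from the inventory: nobody owns, patches or watches these.
    unknown_to_cmdb = sorted(scanner_ips - cmdb_ips, key=by_addr)
    # Inventoried but never scanned: a scan-coverage gap or a ghost record to retire.
    not_scanned = sorted(cmdb_ips - scanner_ips, key=by_addr)
    # Same address in both silos, but the names disagree: stale record or reused IP.
    name_conflicts = sorted(
        (ip, scanner[ip], cmdb[ip])
        for ip in scanner_ips & cmdb_ips
        if scanner[ip] and cmdb[ip] and scanner[ip] != cmdb[ip]
    )
    # Same hostname at different addresses across silos: the host moved and one record lags.
    host_to_cmdb_ip = {h: ip for ip, h in cmdb.items() if h}
    moved = sorted(
        (scanner[ip], ip, host_to_cmdb_ip[scanner[ip]])
        for ip in scanner_ips
        if scanner[ip] in host_to_cmdb_ip and host_to_cmdb_ip[scanner[ip]] != ip
    )
    return {
        "unknown_to_cmdb": unknown_to_cmdb,
        "not_scanned": not_scanned,
        "name_conflicts": name_conflicts,
        "moved": moved,
    }


def run():
    """Load both constructed exports and return the gap report."""
    scanner, _ = load_silo(SCANNER_CSV, "ip", "hostname")
    cmdb, _ = load_silo(CMDB_CSV, "ip", "hostname")
    return gap_analysis(scanner, cmdb)


if __name__ == "__main__":
    for category, items in run().items():
        print(f"{category}: {items}")
```

On the sample data the report shows `10.0.2.50` (no hostname, unknown to the CMDB: the kind of unowned corner an intruder can sit in), `10.0.4.99` (in the CMDB, never scanned), and `web02` living at `10.0.1.11` according to the scanner but `10.0.1.12` according to the CMDB. Each of those is a ticket for one team or the other, which is the point of the exercise: the comparison fixes both silos, not just the security team’s view.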
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
For truly global impact — the greatest amount of good to the greatest number of people — you’d have trouble beating the microcredit revolution, where tiny loans at low interest to enterprising people in impoverished parts of the world bring such great benefits. The Internet connects people together regardless of distance, but it still runs out of reach when we talk about the people who live where microloans can make all the difference. If we could extend the network’s reach, so that anyone with a few dollars to spare could get involved in helping someone from a totally different environment get ahead in the world, it could really change how we see the world, and all the people in it.
How can our readers further follow your work online?
I write quite a lot, but one new series of podcasts I’m quite excited about is called “Lloyd vs Lloyd” — it’s a series of discussions between me and RedSeal’s Federal CTO, Wayne Lloyd. (We’re unrelated, so far as we know.) You can find it here: https://www.redseal.net/lloyd-vs-lloyd/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!