Consider the Zero Trust model. This model says not to trust anything either inside or outside your network perimeter, and that you must verify everything before granting access to resources. Too often people think, “It’s inside my network so it must be okay,” and the consequences are significant. This may appear to be overkill, but the raw truth is there are already threats inside your network perimeter. The Zero Trust model eliminates guessing that everything is okay.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Timothy Carlisle who started working in the cybersecurity space before the internet, in the military. While serving in the Submarine Service, he co-wrote many of the instructions for protecting data and computers in sensitive installations, and at one point saved the Navy 23 million dollars in today’s dollars by writing a manual describing the detailed operation of a highly classified system. He also managed a project that would be 450 million dollars in today’s dollars.
Timothy has worked as a cybersecurity expert in the public sector and as a consultant. His consulting engagements included eBay, Starbucks, Sutter Health, and large organizations. He is certified as a CISSP and PMP, both gold-standard certifications in Cybersecurity and Project Management,
He has earned 4 degrees: two Bachelor’s — in Technology, and Operations Management from Excelsior College; Master’s Certificate in IT Project Management George from Washington University, and Masters in Technology Management (Information Security with Distinction) from Capella University.
He has received a number of awards, including a Jefferson Award for Public Service, the Robert Link National Commander’s Award from the U.S. Submarine Veterans Inc., the Excelsior College C. Wayne Williams Award for Public Service and Community Involvement, National Cybersecurity Institute at Excelsior College Fellow, a California Legislature Proclamation for feed homeless and needy children, and California’s first National PTA award for the academic program he led at Mare Island Elementary School. He has also earned two Distinguished Toastmasters designations.
The opinions given here are his own.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a small town named Jonesboro Indiana. I was always curious as to how things worked, and computers — which were not available in homes at the time, were a source of deep fascination. I was a pretty good student but realized based on the economy, my options were college, then factory work or the military.
At the time cybersecurity wasn’t even a word. Due to a recession and poor employment opportunities, I entered the U.S. Navy straight out of high school and joined the Submarine Service in 1986. The Submarine Service gave me a unique perspective on the ways things work, the knowledge one needs to excel, and a strong understanding of the human condition under stress.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
After leaving the Navy in 2000, I had planned to finish an Industrial Technology degree — there was no distance learning at that time. I re-thought that decision since I had always worked in IT, and instead finished a B.S. degree in Computer Technology, and added three additional degrees for good measure. While doing all this, and working full-time I also completed the Certified Information System Security Professional (CISSP) and Project Management Professional (PMP) certifications — both gold standards in their respective fields. I had grown up in a culture of security in the Submarine Service, and cybersecurity seemed a natural fit.
Can you share the most interesting story that happened to you since you began this fascinating career?
While under the Arctic ice in a submarine, multiple issues caused the power to our computer and navigation systems to abruptly turn off. I was the only person onboard trained to repair the computer systems, and I worked around the clock for several days to repair them. Thanks to the combination of a radio message, a program I was supposed to get rid of but didn’t, and a couple of other factors, we were finally able to get everything up and running at full operating capacity. It was also the first time I had ever been ordered to go to sleep until I wanted to get up!
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are a host of people I would need to thank — the experienced Chief Information Security Officers and leaders I have worked for, my friends Jeana P., Ed W. and Tom L. who have mentored me in ways beyond measure, especially when times were challenging. In the military, retired Admirals Mies, Richardson, Bird, Wachendorf and Foggo all were great role models — and certainly were motivating. Motivation can come in all sorts of ways, and a quote I saw the other day sums it up pretty well: “If your path is difficult it is because your purpose is bigger than you thought.” — Unknown
Are you working on any exciting new projects now? How do you think that will help people?
My non-profit work is especially exciting. I’m currently the elected Program Quality Director for the Toastmasters District that covers San Francisco to Palo Alto, California. We support 122 programs and over 3000 members. As Program Quality Director I oversee all the learning paths and opportunities and leadership education.
I’m President of U.S. Submarine Veterans Mare Island Chapter in the Bay Area. I really enjoy providing out of the box thinking to solve challenging problems. The Submarine Service certainly taught me how to find a way to win, despite tremendous uncertainty on whether out of the box thinking was going to work. In the Service you look at all the angles and possibilities, the risks, make a decision and move forward.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
This is a great question. To thrive, do something that makes your heart sing. Our industry is rife with folks who burn out. Figure out how to pace yourself. Make sure you document your positions regarding risk to the enterprise. The sad truth is that if you don’t do that you may be blamed by others who are trying to protect their own skin. Beware of the many poseurs out there who claim to be experts, but once you get below the surface it doesn’t take long to see they’re faking it.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- There is more opportunity today than ever. Due to all of the highly publicized breaches, a plethora of cottage industries have sprung up. While teaching a junior college class in 2014, I brought in a guest speaker. A student’s eyes bugged out when the speaker told the class that with a BS degree and a good understanding of encryption, they could easily make 150,000 dollars per year.
- The training gets better and better. Well-trained professionals is an absolute necessity to successfully protect the enterprise. We still need to improve education, but it still is considerably better than ten years ago.
- People now express direct interest in cybersecurity. In the past most came from somewhere in IT. Now we have young people who are starting out with cybersecurity as their primary interest. We really need that.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The most critical threat is people. We simply aren’t producing professionals at a high enough rate. A New York Times article cited a study that we will be short 3.5 million people by 2021. This will drive up bidding wars for experienced professionals, who if unsatisfied with the company culture or their trajectory will exit stage left sooner rather than later. This exodus will cause significant gaps in knowledge and requires people to work harder. Plus it takes as a minimum of 8 months to fill that vacant position. Think of it as not having enough bomb technicians to disarm a ticking time bomb.
Another threat is the prevalence of cybercriminal gangs, whose only goal is to make money. The ransomware attacks and phishing emails that lead to those attacks, will become more sophisticated. This has proven true especially during the pandemic. The significant number of people working from home is the likely cause of increased attacks, [not to mention the increased size of the attack surface, or the sum of the different points where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment. New strategies are required to deal with this new phenomenon, not to mention critical thinking skills
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Because of the sensitive nature of breaches I offer these takeaways, as they are true for any breach:
- Make certain it is an actual breach first and foremost.
- Always take phone calls after work. In at least two cases, answering these calls led to the initial indicator of potential compromises.
- Always file a report after the breach is resolved and host a lessons learned meeting where everyone is completely candid. If you’re not candid, you increase the likelihood of a repeat event.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
For the enterprise environment I would recommend:
- Full disk encryption — A laptop is stolen every 53 seconds, and 56% of the time it results in a data breach if company owned. This limits the risk significantly.
- Next generation endpoint protection — Many products have the capability of isolating a computer on a network (see #3).
- Managed security services — Professionals who can watch data coming in and out of your organization — and potentially help stop data exfiltration or a ransomware payload download.
- I also think that using a scanning tool to look at vulnerabilities is key — sixty percent of breaches are caused by systems that are not fully patched.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
A large team is not necessary, but finding the right team is. Depending on your company size, assets you need to protect, and the damage a breach would do to your company if you lost your data or intellectual property are critical factors.
When using the term “over the counter software” — this means Microsoft and Apple products, and likely the cloud. The thing about the cloud: a major vendor gives you all of the parts and pieces to be extremely secure, but you need to pay someone to configure it properly. There are many companies that suffered breaches because they failed to properly configure their cloud software, so it pays to hire an expert.
When hiring an organization to examine your cybersecurity needs, the first item is to conduct a cybersecurity assessment with the following:
- What is your current cybersecurity maturity now?
- Verification of your actual cybersecurity maturity via technical means, based on a risk-based process; or what is the likelihood of the risks that could affect your enterprise.
- Once determined, what will be needed to reach the next level of maturity in the next 12 months?
This process will help you determine what resources will be needed and the report will give you the ammunition to go request additional resources to achieve your organization’s goals.
Regarding Chief Information Security Officers (CISOs) — there are now professionals from whom you can rent time as Virtual (or fractional) CISOs. They are not onsite all the time or working from home (WFH), but they can save you money and provide excellent advice. I suggest checking out their credentials carefully. Or hire one fulltime if warranted. While these are wonderful resources, remember that to have an impact, the entire leadership team has a stake in cybersecurity and all must work together to safeguard the organization.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Here are some signs or oddities that signal something is amiss:
- If you click on something that may or may not be a phishing or suspicious email, let someone in IT (Help Desk, or technician) know right away. Many times this is what starts it all: you click on the wrong link which connects you to a website that downloads a small piece of code, which leads to the download of ransomware.
- If you think something is wrong it probably is. Quite a number of times I and others have had that feeling — the gut feeling or hunch is usually right.
- Getting weird bounce back emails you didn’t send is also a clue — sometimes the bad actors will pretend to “spoof” your email, or maybe actually use your email and mistype the addressee
- Seeing either a slow data leak or a large amount of data leaving your network are also big red flags (this is likely to be seen by your network or firewall team).
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
- Notify all parties about the breach as soon as possible. Be upfront, direct and to the point with your messaging.
- Bring in a reputable cybersecurity consulting firm to investigate. An independent third party will also make recommendations for how to prevent this kind of breach in the future. You also may need to hire a crisis communications firm with experience in this area.
- When you have determined what happened, put a robust audit program and/or security controls in place to ensure it doesn’t happen again. Conducting penetration testing once a year is also a good practice.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?
I think we have seen that GDPR fines are significant — the top 5 are over 10m Euros and Top 3 are over 50 Euros. This is real money to these companies and should serve as a wakeup call — both the EU and California are serious about it. Many entities are not taking this seriously. They should, because when the next large fine comes out you don’t want your organization’s name to be on fine. The CCPA is similar to the GPDR. More importantly, the CPRA provides an enforcement arm as well as making privacy legislation even stricter.
What are the most common data security and cybersecurity mistakes you have seen companies make?
- Thinking “I am too small to get hacked.” Wrong! According to Cybercrime magazine, sixty percent of small businesses that are breached close within 6 months.
- Lack of staff training. They are your first line of defense. Provide extra training for your financial people and executives. Remember: it’s all about the money for cyber criminals.
- Not having vendor risk programs. The Target breach was enabled by an air conditioning contractor with a weak password. Understanding that your vendors can add risk to your enterprise is key to your success and safety.
- Taking a cavalier attitude that “this won’t happen to us,” along with not allocating sufficient resources in both money and hiring qualified and experienced staff.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
It appears many previous phishing emails one could recognize through the stilted English wording or unfamiliarity with certain aspects of organizations, are gone, replaced by emails written by a native English speaker. A great example of this was a supposed email from me directing someone to purchase some gift cards for a specific purpose. Thanks goodness they contacted me before completing the task — we were able to not incur any costs.
Working from home has also brought new opportunities for mischief. We’re seeing increasing numbers of Covid-19 related phishing emails and other topics that can cause havoc in the enterprise. One example is the flood of Apple, Netflix, Yahoo, What’s App and Paypal phishing emails — the five most popular types. Texting is also becoming a way to infect mobile devices — which effectively can do the same thing. Training your employees to be alert for these scams is more important now than ever.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Conduct a privacy impact assessment (PIA). This will identify where your privacy information gaps are (think business impact assessment for privacy). The PIA will be helpful to firms concerned with the GDPR, and will likewise help with the CCPA and CPRA. If you don’t know how to do this hire someone who does. Better an ounce of prevention than a pound of cure. Using the report resolve the findings. Taking an individual’s privacy into consideration will be new to some people (this was introduced when GDPR was first rolled out).
- Conduct a penetration test from a reputable firm annually. This can be extremely useful in providing an annual benchmark on how you are doing. I have dealt with reputable and less than reputable firms, and advise you to give clear guidance regarding what is in bounds and out of bounds. You may find something on the network that shows up as a computer that’s actually n industrial control device or some other type of device, and that’s okay. Make certain your IP address management system can quickly identify each item of concern. You should be able to show clear progress in improvements over time — this is also an opportunity to check your network defenses to see whether you can detect the tester’s entry or movement laterally throughout the network.
- Use common sense when purchasing cybersecurity tools. You can have all the tools in the world, but if they aren’t implemented or used as part of an overall strategy, you have just wasted a lot of money and will still have the same problems. Think about how to mitigate risk to an acceptable level, plus how the tools will work together to protect your data and intellectual property.
- Training, Training, Training. The sources and methods of compromise are always changing. Unlike the rest of IT that has more certainty, cybersecurity teams need constant training throughout the year. It is tough enough to play whack-a-mole (my idea of keeping bad actors outside of your network), but when you don’t train your people, they fall further and further behind in their ability to protect your business. Your employees are the first line of defense; your IT department the second line of defense; and the Cybersecurity team, vendors and others who interact with your company are the final line of defense. Funding now pays great dividends down the line.
- Consider the Zero Trust model. This model says not to trust anything either inside or outside your network perimeter, and that you must verify everything before granting access to resources. Too often people think, “It’s inside my network so it must be okay,” and the consequences are significant. This may appear to be overkill, but the raw truth is there are already threats inside your network perimeter. The Zero Trust model eliminates guessing that everything is okay.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Simply using Apple device encryption, Windows Bitlocker and strong passwords will help eliminate many of the breaches in the world today, whether to corporate devices or personal ones (think smart phones). This would put a major dent in the cost recovery model used by many cybercriminal organizations, and isn’t that hard to implement. If you’re uncertain how to do this, check with your IT professional. While some companies consider passwords a thing of the past — and there are companies developing password-less systems — I believe this is still a work in progress. For the foreseeable future: stick with passwords, two factor authentication and device encryption.
How can our readers further follow your work online?
I blog at http://www.timothywcarlisle.com where I talk about my three passions: Cybersecurity, Toastmasters and submarines, although not always in that order.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!