Good management of fundamentals. I can’t emphasize enough how important it is to protect laptops, especially now in the COVID world with everything dispersed. Make sure that everything is encrypted in transit and at rest. If you can make your laptops ephemeral, do it. Ephemeral means the critical data that they’re working on is not actually on the laptop; it’s somewhere else. It’s just a conduit.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Dale Wilhelm, information security and compliance executive with over 20 years of experience driving diverse technology teams, strategies, and programs. He currently serves as the Vice President of Information Security, Compliance and IT at Accela, where he takes a focused approach towards continued improvement of existing systems while developing security initiatives, policies, standards, and awareness programs along with maintaining a proactive security posture, comprehensive governance plan, balanced risk program, and mature security service. He is seasoned in collaborating with leadership and stakeholders to establish effective partnerships supporting evolving business strategy and corporate goals. Previously, he held numerous executive-level information security positions at Launch Technology Solutions, Good Money, Recurly, Kixeye, and Peak Hosting.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up around a lot of technology. When I was young my father worked for Bechtel Corporation and he would often take me to his office to show me what he worked on. He used to print out these massive maps of the United States and other simple designs on a dot matrix printer, which took about three hours to complete. I was fascinated! He would also let me chat with his friends from New York from time to time. So at a very young age, I was like that kid in the movie WarGames using analog modems to chat with people except that I didn’t potentially start any catastrophic wars. I was also the kid who took apart the TV, radio, or any electronics when my parents weren’t home and put it back together before they knew it, which got me into trouble sometimes. I had exposure to many different things growing up — mainly technology, but music was a significant influence in my life, too.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
One of the first technology jobs I had was with Alexa Internet back in the mid-‘90s. I worked with this brilliant guy named Brewster Kahle, who at the time believed the internet should be free and open to everyone all the time. This was a world before firewalls — everything was just out there without the security protections we have now. Looking back to the start of my career to where I am now, it’s almost like everything has moved in the opposite direction. A complete 180 from where I began. What led me in this particular direction was having to work through and adapt to what happened in the industry from a security perspective. Witnessing the exponential growth and evolution of security over the years has been uniquely inspiring to me. I continue to see tremendous opportunity and look forward to being part of it.
Can you share the most interesting story that happened to you since you began this fascinating career?
There was one incident at a past company where a critical system had been hacked. We had an attack that began on a developer’s laptop who had access open to production, and an attacker got in. The attacker went from just a single endpoint all the way into our database — to where he had full control — and nobody knew what to do. The interesting thing about it was the person behind the attack didn’t have any malicious intent. He just wanted to get some free stuff because he liked the app so much. Looking back at that moment, a difference in attitude could’ve changed that entire outcome of that day. If he would’ve decided, “Well, I don’t like you guys anymore,” the next thing you know, our databases are deleted, or data is corrupted. We were really lucky, and everyone had a little bit of a facepalm moment. It was a wakeup call for everyone. It was at this time where my focus on security became a priority.
None of us can achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
This really goes back to my first days working in technology. I was working at Alexa Internet and there was one guy there who was a mentor for me named Tim Pozar. Tim had been around technology for a long time and he took me under his wing a bit. When I was debating between a career in music and a career in technology, he showed me the ropes and what was possible. It was an easy choice for me at the time because of his help in making an informed decision. I’ve always been grateful for the time he took to show me another path and made sure I didn’t miss the opportunity in front of me.
Are you working on any exciting new projects now? How do you think that will help people?
The biggest emphasis for me right now is focusing on the partnership area around security. I’ve always felt that partnering with the people around you is a really important way to emphasize the functionality of what you do, get people and teams involved, and help them understand what security is and its importance. It’s a significant initiative for Accela right now to develop partnerships and engage with our government agency customers.
I also believe diversity is hugely important. There is a lot of growth from an inclusion perspective that needs to be done to get other people involved in this industry. I’ve seen some diversity in certain areas, and I would love to see more. I’ve always said, “computers don’t care whether it’s a holiday or who you are, so why should we?” That’s something that has always stuck with me and something that I lean into a lot. There are way too many jobs out there and not enough people qualified to fill them. We need to do whatever we can to include everyone in this industry.
What advice would you give to your colleagues to help them thrive and not “burn out”?
Don’t take on too much and take on things that you can achieve. Be smart about your road maps and what is really achievable. It is imperative to work with the teams around you because you can’t do everything by yourself. Security should never be force-fed. Security should be inclusive with everybody around you because, by nature, it’s a cross-team functionality. I think a lot of people and a lot of teams run into trouble when they forget that. In security, whatever you’re implementing is going to impact something else, so the more you foster relationships with those around you, the easier and more efficient those implementations will be.
Okay super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the three things that most excite you about the Cybersecurity industry? Can you explain?
When I first got into security, there were a lot of silos that didn’t need to be there. There’s better integration now than there’s ever been, and I think that’s only going to continue. As we start to see new, more sophisticated threats coming out, we’re also seeing innovation evolve alongside it. Second, I think there is a better understanding of what security is for people and organizations now since it’s become such a hot topic. It’s an industry now that’s understood as essential for every company, which has sharpened focus on the space and helped elevate the industry. Lastly, as a result, we are seeing security become an integral part of the value proposition for companies. This is quite exciting and an exciting time to be in security.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Simple answer: ransomware… Ransomware has been around for some time but it’s grown exponentially over the last few years, especially for government agencies and municipalities. It used to be when you about ransomware, it was somebody’s laptop that had been compromised. Now, whole companies and agencies are routinely attacked along with individuals, with the costs growing exponentially. Often the mitigation and remediation efforts are far more costly than the attack. Ensure ransomware is part of your security plan and the right tools are in place. Preparation is key for security teams to ensure the impact is minimal.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Well, I’ve seen some pretty bad ones, but the story I told earlier about the breach where the guy just ended up wanting free stuff was pretty striking. The outcome and amount of effort it took that company to mitigate that issue, remediate, and then stand up a security program at times was overwhelming. For me the takeaway was simple; you are only as secure as your security program and plan. Spending the time to foster and maintain a healthy security program is vital. When you look at the enormity of what it takes to operate securely a lot of companies struggle to meet the demands or they opt not to.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
- A SIEM — we need to have proper event management when it comes to security. This is also an area where I think significant innovation can still occur. Having event management around security is critical for cutting out the signal to noise ratio. When that one moment happens, you have to be able to see it, and I’ve witnessed how powerful a working SIEM can be in those cases. Be sure to take the time to find the right SIEM solution for your environment. They can be costly, take some time, and effort to set up along with some general ongoing maintenance, but it’s well worth the investment.
- Azure Security Center — We are currently using this at Accela, and it is one of the more complete cloud-based security tools out there. It allows us to look at our instances as they scale in and out from a security perspective, get an excellent top-level view on how to approach issues, target security fixes, and just get a sense of the general security health of the environment. Honorable mention should also go to Azure’s additional security tools like their File Integrity Monitoring and Advanced Threat Protection services. Utilizing these tools offers a great advantage for cloud based security.
- JAMF — One of my other favorite tools for endpoint management. I am one of those people who prescribe that there is major vulnerability in your endpoints. You should be focusing a lot of energy on making sure that your laptops, desktops, and other tools are in a secure environment. JAMF is a great tool to help make your endpoints as ephemeral as possible, so if a laptop gets compromised, critical data is not compromised with it.
- Cloudflare — As security services go, Cloudflare is a must! While continuing to grow its services from DDOS mitigation, WAF, secure DNS, secure access, etc a huge benefit is allowing companies to effectively move security services out to to edge while reducing their overall security footprint. Having the ability to securely route traffic through a service built to withstand large scale attacks offers a critical advantage.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Every company has to answer a lot of this question themselves. That being said, security needs leadership and ownership, and it needs it very early on. The table stakes for security and for companies as a whole are so high, it is very hard and disruptive to adopt this later. The result is that you will spend way too much time reacting to security when you need to be more proactive. There should be someone who owns that piece as early as possible — I will always advocate for executive level leadership early on, it doesn’t necessarily need to have an executive-level chief associated with it. It is important to work with your executive team to decide the right time to bring in a CISO to the organization.
From a toolset perspective, there are many options that should be continually explored and evaluated. There’s a lot of great open-source solutions out there to help balance out the myriad of vendors but you have to assess those tools against your environment. Once you have an understanding of your risk and security posture and have your toolset in place you’re going to start to see the path ahead more clearly and where to focus efforts.
As you know, breaches or hacks can occur even for those best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate something might be “amiss”?
First, know your security systems, and second, trust your gut. If you have your tooling set up and you think something’s wrong, chances are something is. I’ve never been at a place where I didn’t suspect something or I didn’t have one of those, “I told you so” moments. They’re always there. The critical thing for me is to make sure that you have your tooling set up and get it to the point where you can trust it. When you have this trust, you can holistically look at something and have your fingers on the pulse of the company.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
You need to have a good incident response plan in place, and it has to be maintained and utilized. Every team should know what to do if there is a breach and what to do to get it back to a safe place. You need to have strong lines of communication with those who are using your systems. I think that in the moments where security issues happen, partnership becomes most important. Having that partnership in place for when those bad times come so you guys can work together to get through it is the mark of a strong technology team.
For me, some of these measures have come too late. I think we’ve had way too many high-profile breaches and we could have done more earlier on. My concern is that we’re going to have multiple privacy policies per state and region. I would love to see a federal privacy program in place at some point.
CCPA has its strengths and has its weaknesses. Having California be the first to implement such a thorough privacy program is smart because so many technology companies are based out of California. If CCPA is implemented correctly in California, I think it leads the way for other states to follow and hopefully move towards a federal solution.
I also think it’s time for more agencies and companies to recognize that privacy is a big deal. We keep seeing breaches happen, and every one of them has a reactive feel to it. We’re collecting a lot of people’s personal data, and they’re entrusting us with it. I believe it is the responsibility of companies who are taking that data to educate customers and ensure that their information is safe.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Not having the right toolset, not trusting it, not spending the time, and not putting security first. When you’re talking about rolling out a feature, security should always be part of that discussion. Products and security should all be walking hand-in-hand, and we’re getting better at that as an industry. A lot of mistakes happen because you go through the iteration of rolling something out without security in mind. You put out a new application, it comes back with holes, and now you’re redoing everything. Security is on its back foot trying to keep pace. But if everybody starts at the same place and works together to reach certain goals at the same time, you don’t have to go back and repeat, rework, or, worst case scenario, react to an incident or data breach.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
I have not personally, but I have seen concern over it. Nobody could have seen COVID coming, but Accela was well-positioned to navigate these uncharted waters when the pandemic hit. We were able to rely on the work that we’ve done over the few years to support a global infrastructure and ensure our technology was scalable, stable, and secure. It was of utmost importance that we keep our government customers up and running without skipping a beat and protect their security in this new remote work environment, and I’m proud to say that our technology was up to the challenge.
Okay, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Staying on top of privacy laws.
2. Expand your parameters.
This goes back to my fear of ransomware. Having more layers in front of you and extending your border out as much as you can so any impact doesn’t reach the heart and soul of what you’re doing is an important area to focus on with security initiatives. Utilizing tools like Cloudflare and Azure smartly and securely is a great way to improve your security footprint and create a safe place for your data to reside.
3. Expand on your monitoring and alerting
Have a good system in place to see what’s going on in your environment, get it to a place where you can trust it, and get it there as soon as possible. As a security professional, if you can’t look at your environment and say, “I trust what I’m seeing,” and when something is amiss and you need to dive into it.. This doesn’t take large teams to do this, either. You just have to take some initiative and own it.
4. Good management of fundamentals
I can’t emphasize enough how important it is to protect laptops, especially now in the COVID world with everything dispersed. Make sure that everything is encrypted in transit and at rest. If you can make your laptops ephemeral, do it. Ephemeral means the critical data that they’re working on is not actually on the laptop; it’s somewhere else. It’s just a conduit.
5. Improve communication and build partnerships
Every company needs to approach internal and external communication to focus on security in a way that has not been done in the past. Be open to partnership and working with your teams and stakeholders to make security problems everyone’s problem to get all teams involved. For me, security wins are never the security people who beat them; it’s the company that wins them together.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective, and something everyone can do!)
I think it’s poignant, especially right now in our society, to think about increasing inclusion and diversity in this industry. I want to make a push to get as many people involved as possible. I remember when I first got into this industry back in the ‘90’s and thinking, “I’m so late to the game.” Looking back — how quaint of me. There are so many opportunities for people to get involved, no matter where they are in their careers. I want to make more people aware of this industry and opportunities and that it is available to absolutely everyone. So that’s my movement, and I want to make sure that happens.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!