Know your attack surface. You should have a good understanding of the different ways that data can get out. This can be an inventory of systems, applications, third parties, users, devices, business processes, or other places where data is stored or used. Considering these facets of your environment will help you determine how to stop data from getting out at each of these points. These can be things like implementing training for your end users, so they don’t get phished, or ensuring that you’re performing assessments on your third parties and ensuring they have an appropriate security posture.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Jonathan Swanson.
Jonathan is a seasoned cybersecurity leader specializing in risk management who currently leads the Client Services function for CyberGRX, a SaaS-based security company and provider of the world’s largest cyber risk exchange. Jonathan has spent more than a decade building security and risk management programs for some of the largest companies in the US. He has advised many companies in the Fortune 500 including firms from the Financial Services, Healthcare, and Manufacturing industries just to name a few. Jonathan’s approach to cybersecurity risk management as a practice includes not only leveraging innovative technical capabilities such as big data analytics, but more importantly focuses on addressing the human element. Jonathan holds a number of certifications including ISC2 CISSP and has a B.S. in Computer Engineering with a minor in Computer Science from the University of Hartford.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Igrew up in a typical suburban city in New England. My interests and hobbies varied widely from playing football and wrestling to singing in choir and jamming in a garage band. Some could call me a bit of a Renaissance man (though, I don’t think anyone did). One thing that remained constant was my interest in technology. I was interested in how things worked and would take things apart I found from around the house (my toys, VCRs, my sister’s stereo and even my dad’s computer) just to put them back together. Sometimes, they’d even still work once I was finished! My parents gave me a ton of freedom to try anything, so I was able to learn a lot from doing and from my mistakes. To this day, that is still really how I learn.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My father was a developer, so we had computers in the house as early as I can remember and that piqued my interest in technology pretty early on in life.
I was never satisfied growing up with the games and apps I had available to me. I’d get bored of them easily and instead, try to access things I wasn’t supposed to — just to see if I could.
When I was in middle school, I got in a lot of trouble for getting into the database where all the student data was stored. Everything from passwords to personal information and even grades was right at my fingertips. I didn’t have to do much to find it –there was no dramatic “hacking the mainframe”, no 007 music, no race against the clock — I just knew where to snoop around. (You’d be surprised how much of ‘hacking’ is just this). I made the mistake of telling my friends about it, which quickly led to the whole school knowing about it and inevitably landing me in the principal’s office. While I was receiving my punishment all I could think to myself was, “If you didn’t want this out there, why did you make it so easy to get to?” I think that experience had a lot to do with how I viewed technology and how it should be protected from misuse.
Can you share the most interesting story that happened to you since you began this fascinating career?
Unfortunately, some of the most interesting things I’ve experienced or been a part of are things that I can’t talk about publicly! But I can tell you some of these stories end with involvement from the FBI.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I’d like to thank hackers everywhere. Whether they are prepubescent tweens getting into trouble, like i was, or the black hat professionals looking to do harm. No one has done as much for my job security as they have. In all seriousness, a lot of the time hacking — while hurtful — makes us better at our jobs.
Are you working on any exciting new projects now? How do you think that will help people?
While I can’t talk about any specific projects due to the sensitive nature of my work, I can tell you an overarching theme of a lot of my current work is around privacy. Privacy concerns used to be limited to companies that were processing super-sensitive data like healthcare information. Now more than ever we live in a completely digital world where almost everything we do leaves little traces of personal information behind making it a relevant concern to not just every company, but every individual. There continues to be added awareness around Privacy and it has taken more center stage of my work, which can only help people become more informed on the topic. Each one of us have a responsibility to take ownership of our own privacy, and with most of the products and services that we use on a regular basis, we can. We all just need to be more educated on the topic and the actions that we can take.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
The massive work-from-home experiment that we are currently in has really made the burn-out issue much more acute. It’s so easy to get so caught up in your work that the next thing you know you’ve worked a 13-hour day. I think it’s important to make sure that you’re taking breaks throughout the day, and not just to the kitchen to make a sandwich. I really like the idea of the ‘virtual commute’ and have been testing it for the last few months by either going for a walk or just sitting outside and listening to a podcast or music before I start the day. Another important concept is managing up and out. What I really mean by this is not being afraid to say ‘no’ to your boss or colleagues. These people won’t know that you’re overloaded unless you tell them. Don’t be afraid to decline a meeting, or block some ‘free time’ off on your calendar. Just because your calendar says you’re ‘busy’ it doesn’t mean you have to be doing anything at all.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- It’s ubiquitously relevant
This is a great industry to be a generalist in. Not only is it relevant to every part of a business, but it is relevant to all different types of businesses. I really enjoy learning about all the ins-and-outs of an organization, understanding the way they operate, how they make money, and helping them find innovative ways to protect themselves. There is virtually no part of a business where privacy or security isn’t relevant.
2. It’s constantly evolving (and fast)
Since the attackers are always coming up with new ways to infiltrate, we as practitioners need to come up with new ways to stop them. We also must maintain the balance of usability. It’s easy to end up in a situation where you’ve made something so secure that it is functionally unusable.
3. There is essentially an unlimited number of different domains of cybersecurity in which you can practice
The cybersecurity industry needs and employs many different types of professionals. Whether you’re a PhD in math writing cryptographic algorithms, or a designer who creates security training videos, you can find a role in cybersecurity. From a technical standpoint, there are so many different types of technology that you could specialize in, you could spend a lifetime learning them and not know them all.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Connected devices, or the Internet of Things (IoT) can unknowingly cause exposure to a whole slew of different cybersecurity and privacy risks. People have become very trusting of these devices, while not realizing that they can collect unnerving amounts of data and often send it back to the cloud, often with limited protection. They also can create a backdoor for attackers. In one particular incident, there was Wi-Fi-connected television in a cafeteria that was used to display menus. This television was exploited by an attacker to get onto the corporate network. Companies need to be very mindful about understanding what devices they’re using and what types of risk they can expose them to. They should also be very considerate around what sort of devices absolutely need to be connected, or if that connectivity is just a nice to have. Remember: just about anything can be hacked. If it connects to a network that means it can be hacked remotely.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Be careful how you use that word! When you use the word ‘breach’ it means that data was exposed in a way it shouldn’t have been. We like to use terms like ‘cyber event’ or ‘incident’ which are more general and mean that something happened, but it might not necessarily have been bad. Luckily, I have never been a party to a full-fledge breach, though I have led the response to several incidents. In 2014 I was working for a large financial services firm when the ‘heartbleed’ vulnerability hit. For those who are unaware, at the time, this was widely considered as the worst vulnerability ever discovered in terms of potential worldwide impact. It was my job to assess the potential impact to our company and manage the activities to remediate the vulnerability as quickly as possible. This was no small feat. I had to instantly create a team of dozens of individuals across the company, take an inventory on what servers, applications, and business processes were affected, put a plan in place to remediate those; identify which of our thousands of suppliers had sensitive data, find out if they were affected, gather remediation plans for them, put communication plans in place provide updates for executive leadership, and more. And we had to do it all fast since this was now a publicly known vulnerability. There were attackers out there actively using this vulnerability against their targets. Just like us, IT and Security departments across the world were in a frenzy, but we were able to make it out unscathed. Luckily, heartbleed didn’t have the catastrophic impact it could have, were it to be discovered by the wrong person. It was amazing and humbling to see the vast and sprawling impact that one single software vulnerability could have on the world, and this one wasn’t widely exploited.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Companies today are sharing more and more sensitive data with other, outside organizations just in the normal course business. Whether that be handling HR through a third party, utilizing a benefits platform, a payroll app, payment processing software, or leveraging any cloud software. My current focus is helping organizations minimize the cyber risk of engaging with these third-party service providers. The goal is to be sure that these companies have appropriate privacy and security controls in place to protect their customer and employee data, and themselves. To do this we perform different types of assessments on those companies, and we use tools to perform those assessments. The one I use primarily is called CyberGRX, which is the world’s first and largest global cyber risk exchange. This tool uses various types of advanced analytics to determine the security posture of an organization and identify any gaps that they have in their environment that could expose them to a cyber event.
Trying to explain in the least technical way I can, the analytics engine uses data on cyber-attacks happening in the real-world to say “We see this type of attack happening a lot in the wild. This attack can be thwarted by implementing this control. Your payment processor doesn’t have this control, and it puts you at risk.”
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Just like the rest of the technology industry, security is being “consumerized.” Inclusive of CyberGRX, , many security technology offerings are SaaS (software as a service) based meaning you don’t need a data center or your own server to install them on, and they can be consumed on a pay as you go model. This makes them really accessible to organizations of all sizes, meaning you don’t need a huge engineering team to implement a few core security controls anymore. That being said, to determine your security needs, you really should think about your risk of experiencing a cyber event or breach and ask yourself some questions such as:
- Am I a likely target?
- Do I store or process large amounts of sensitive data that is worth something to someone on the dark web or some other adversary?
- Do I have some sort of intellectual property that someone would want to get their hands on?
- What is the impact if I did get breached?
- Would there be regulatory fines?
- Does my company lose its competitive advantage?
- What would be the reputational impact?
It’s often hard to quantify, but generally the amount you spend on security should be relative to your risk and the size of your organization. One thing that is certain is that you should always have someone who is responsible for security, even if that is just part of their role.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
For people and organizations that don’t have a security team, it’s important to pick reputable technology service providers and rely on them. Most of the companies that offer the popular services that individuals are using — Google, Apple, Amazon — are pretty good at letting you know when something is going awry. We’ve all gotten those “was this you logging in?” or “did you just change your password?” emails. Keep an eye on those! Organizations like these use analytics and artificial intelligence to predict if those logins are actually you, and they’re pretty darn good at predicting it. If you’re getting notified logins or password changes that aren’t you, that is a critical indicator that someone is trying to get into your account. The unfortunate reality is that for the average person, it’s hard to know that you’ve breached unless it’s right in your face — like a fraudulent charge on your credit card or a hit to your credit report.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Depending on what type of data is breached, you may want to contact a lawyer to determine if you have any obligations to report that breach, whether it be to the individuals whose data was exposed or any regulatory authorities. A lot of these new privacy laws are prescriptive about the actions you have to take after a breach. Aside from that, the nature of the breach is going to dictate your next steps. You have to understand what caused the breach and remediate the issue that caused it. This may include updating systems, resetting passwords, or shutting down user accounts. If it was a person that caused the breach, you may need to provide them with training on how to handle that situation in the future, or if it was in malice, contact the authorities.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?
I consult business on data privacy matters on a regular basis, so I’ve definitely seen an uptick in organizations being concerned about how they can comply with these regulations, and how they can ensure that their third parties are compliant as well. Overall this is, hopefully for the better, going to cause companies to be more mindful about what sort of data they collect and what they do with it. Will it be more work? For most organizations, yes. But, many of the things that are being required in these regulations are activities that have been considered good privacy and security practice for years.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The simple stuff! Turn on multi-factor authentication for all the services you use that offer it. Don’t reuse passwords and use a password manager. Don’t use secret questions and answers that can be easily guessed (I can look up your mother’s maiden name). Educate yourself and your employees. CISOs continually agree that one of the top risks are the employees themselves. Security training can be found for cheap or even free and can help stop the most common attacks like phishing.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Absolutely. Aside from not properly protecting your conference calls and potentially getting ‘Zoom-bombed’, a completely remote workforce can lead to what industry professionals refer to as ‘data leakage’. One of the ways this can manifest is when employees access services or data on unauthorized devices like their own personal computer or tablet. Sometimes this is ok, like when your company IT department puts special software or controls on your devices to make sure they aren’t vulnerable to attack. But sometimes this isn’t the case. With cloud software that can be accessed from anywhere on any device, if these services aren’t properly protected by restricting where they can be accessed from or how the data can be downloaded, this can leave organizations exposed if their employees access data from an at-risk device.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Know your risk
When considering your strategy to privacy and security, you need to have a good idea of the likelihood of you being a target of an attack or potential for a breach, and what the impact of that attack or breach could be. This is essentially the first step in establishing a risk-based approach. If you have a lot of very valuable data that an attacker would be willing to spend a lot of time and money in trying to get, and the exposure of that data would be critically detrimental to your existence as a business, you need to have a security program and strategy commensurate with that level of risk.
2. Know your data (and how it’s used)
This is more relevant to the privacy side of things but knowing this information will help you with security as well. Understanding what data you have, how it is relevant to your business, where it’s going, and what you’re doing with it is going to give you a leg up in compliance with privacy regulations. It’s also going to help you understand if you are frivolously sharing sensitive data in situations where it doesn’t necessarily need to be shared. Understanding what data you have also helps you understand which privacy regulations you might be subject to.
3. Know your attack surface
You should have a good understanding of the different ways that data can get out. This can be an inventory of systems, applications, third parties, users, devices, business processes, or other places where data is stored or used. Considering these facets of your environment will help you determine how to stop data from getting out at each of these points. These can be things like implementing training for your end users, so they don’t get phished, or ensuring that you’re performing assessments on your third parties and ensuring they have an appropriate security posture.
4. Know your plan
What will you do if you have a privacy or security incident? The right time to figure this out is before it happens. You should consider the different types of data that you have and how you might act based on the type of data breached. Another consideration is what you do if you experience an outage due to a cyber event. Are your systems critical to your business? How do you serve your customers if these systems are down? Do your employees know who to call or who to alert if they know of a breach? These things should all be considered, documented, and shared with those who may be affected.
5. Know that you will be breached
One common saying that you’ll hear from security professionals is “It’s not if you’ll be breached, it’s when you’ll be breached.” This is just the unfortunate truth. Threat actors are constantly evolving their attack methods to get in. There will always be breaches that are a product of some insider or employee whether it’s in error or malice. This you can’t stop, but what you can do is take actions as I’ve mentioned here to reduce the likelihood and impact of a breach, and ensure you have a plan to take action when it does happen.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Be a good person! Doesn’t get any simpler than that!
How can our readers further follow your work online?