As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Mike Zachman, Chief Security Officer (CSO) at Zebra, where he has global responsibility for enterprise-wide product security, information security, corporate security and business continuity programs. Zachman is an experienced global leader with over 30 years of information security, risk management and information technology expertise. Previously, Zachman was Chief Information Security Officer (CISO) at Caterpillar, Ecolab, and Forsythe Technologies. Zachman holds an undergraduate degree in management information systems from Millikin University, and a master’s degree in business administration from Bradley University. He is a Certified Information Security Manager, Certified Internal Auditor and is Certified in the Governance of Enterprise IT. He is also an active volunteer with Junior Achievement and Easter Seals.
Q. Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up the youngest of four kids in central Illinois. All of my relatives were farmers, and we were the “big city” kids living in a town of 80,000. We were a blue-collar family focused on school, church and sports. Computers were not part of my upbringing. We did not even own an Atari video game system! That changed in high school, however, when I was introduced to computers. I was absolutely captivated by computers, and the seemingly limitless opportunities they represented. I fell in love with the Apple IIe and the TRS-80 models. I even competed nationally in a programming contest sponsored by the Data Processing Management Association and finished 4th, which cemented my path. I went to college to work with computers and have never looked back.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
It was about halfway through my career when I made the pivot into cybersecurity. At Caterpillar, I was asked to lead the IT Audit team within Internal Audit. Having served numerous IT roles before, I was not too excited about this. No offense to my friends in Internal Audit, but my first question was “What did I do wrong?” However, my CIO explained to me that Sarbanes-Oxley (SOX) was coming, and Internal Audit was leading the development of SOX controls. He said he trusted my judgment and needed my help. So, I led the development and deployment of Caterpillar’s IT General Controls where I developed my “love” for managing risks and controls.
Can you share the most interesting story that happened to you since you began this fascinating career?
One of the most interesting and demanding events was an Advanced Persistent Threat (APT) attack. “APT” is a term coined by the U.S. military to disguise the fact they were talking about nation-state hackers. Without providing too many details, this event had lots of drama and twists. We played cat-and-mouse with the attackers, trying not to tip our hand that we knew they were in. I recall how hard it was to watch them steal files and not stop them, because we still needed to determine the extent of the infiltration. And I literally mean we “watched them” as we mirrored the screens of internal computers they hacked and saw them clicking away. We even used a codename, Voldemort, for our attackers because we assumed they were monitoring our emails. Harry Potter fans will be able to guess why we picked that name! We ultimately planned a weekend when we literally disconnected our company from the Internet, reformatted many computers, and changed every password in the company before reconnecting to the Internet.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Yes, I’ve been fortunate to have several inspirational leaders and mentors in my career. A key mentor was Jean-Bernard (JB). JB was my manager, and good friend, during my five-year tenure in Belgium and Switzerland for Caterpillar. JB introduced me to “Who Moved My Cheese” by Dr. Spencer Johnson, which is a fantastic read that taught me a great deal about the impact change has on an individual’s work and personal life. He taught me to embrace and champion change; not resist it.
Are you working on any exciting new projects now? How do you think that will help people?
Yes indeed. In cybersecurity, there is a seemingly endless list of projects. Standing still means falling behind. I feel one of the more exciting trends today is the adoption of Zero Trust principles and architectures. Simply put, this is the idea that an employee has the same cyber protections whether they are on the company internal network or not. Due to COVID-19, many people are working from home, outside the protections of their company firewall. This approach helps address that risk.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I’ve always coached people to work in a profession you love. As Confucius said, “Find a job you love and you never have to work a day in your life.” So, if I start from the position that we love our jobs, then I believe the key to avoiding burnout is balance and perspective. Balance involves taking accountability to commit your time and energy according to your priorities. Perspective involves managing those priorities such that work is not always number one. I believe we need to all be aware that having a static list of priorities is usually not practical. We need to be consciously aware of how we are prioritizing our lives, and always questioning ourselves to ensure it is correct for the moment.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The first thing that really excites me about the industry right now is edge computing. As the world continues to become more digital, edge computing devices, such as IoT devices and mobile computers, are playing a larger part in our everyday lives. The potential benefits include faster processing of data, better security by reducing the exposure of data to risk, and bandwidth savings by not having to move data back and forth to the cloud. Cybersecurity plays an important role in edge computing because people must trust these devices and systems for it to succeed.
“Zero trust” security models, which are evolving to support digital transformations as well as remote workforces, are also very exciting right now. Users and devices, as well as applications and data, are moving outside the traditional company network perimeter. Applications and data are often in both on-premise data centers and in the cloud. Users are typically accessing company resources from many different devices and locations. These changes require a re-engineering of many traditional security approaches.
Last, but certainly not least, cybersecurity is a growing profession in desperate need of talent. Recent studies showed the number of unfilled cybersecurity positions grew by 350% since 2013, with a projected 3.5-million-person shortfall in 2021. When I went to college, cybersecurity was not a profession, nor a degree. Today, students can pursue numerous cybersecurity degree programs as well as many very thorough cybersecurity certifications. Cybersecurity is finally attracting needed talent and offering the potential for full, rewarding careers.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
For many companies, the number of remote workers conducting business outside the company network for extended periods of time has exploded. This brings with it many security challenges. For example, how do we ensure all the security controls that exist on the company network are properly applied to people working at home? How do we quickly push patches and updates to large groups who no longer connect to the company network? Are home networks properly secured? And it goes the other way too; how can a company trust the connections coming from all over the world on all sorts of devices, all posing as legitimate employees? I know I connect to our company email from at least three different devices on a regular basis. “Zero Trust” architectures, which I’ve mentioned before, are key solutions for these risks. Trust is no longer granted solely on what device or network you are using. Trust is established in a consistent manner, regardless of the device or network being used.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
The breach I mentioned earlier, the one in which “Voldemort” was inside our network, reinforced several key takeaways.
First, have a documented, rehearsed response plan. This plan should include roles, responsibilities, and action plans. Even then, there will be unanticipated events and decisions that need to be made in real time. Without a good response structure in place, a major breach will simply be overwhelming.
Second, establish relationships before the breach. I can’t stress enough how important this is. Everything works smoother when dealing with people you know. This includes internal resources from legal, public relations, executive leadership and the Board of Directors. It also involves key external partners like forensic partners and law enforcement. When it’s 11pm and you call the local FBI office, you want to be sure they know you and call you back!
Last, know to plan for a marathon, not a sprint. Extensive breaches can involve months of 24/7 effort. Know how you will surge resources, manage shifts, lead the effort and communicate with stakeholders. Breach responses become all-encompassing for those involved. Be ready for a long effort.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
A. Our security team uses a wide portfolio of enterprise-grade security solutions. The main tools include, but are not limited to:
- Endpoint Detection and Response (EDR) — An endpoint-to-the-cloud solution that analyzes user and system behavior to detect and protect against breaches, threats, and malware/ransomware. It’s today’s version of anti-virus software.
- Email Security — A solution that analyzes all inbound and outbound email, blocks and quarantines email based on threat intelligence, protects links in emails, and removes malicious files from user mailboxes.
- Perimeter Network Security — Firewalls to control basic network communication (source, destination, protocol), and intrusion detection/prevention (IPS/IDS) to analyze network traffic, detect attacks, and take preventative actions.
- Security Incident and Event Management (SIEM) — A log collection and analysis tool that collects logs from a wide range of system types (e.g. servers, firewalls) and performs analysis to detect security incidents across the enterprise.
- Vulnerability Management — Performs scans of internal and public-facing assets to determine their security posture through detection of vulnerabilities.
- Cloud Access Security Brokers (CASB) — Places cloud-based security policy enforcement between our users and cloud service providers.
- Identity and Access Management (IAM) — User authentication across the enterprise with single sign on (SSO), and multi-factor authentication (MFA).
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Every company should take a risk-based approach to cybersecurity. Unfortunately, companies of all sizes and in all industries have been attacked. No company is immune. However, the risk is not the same for everyone. The very first step is to understand your risks. How does your company make money? What technology is used? What legal and regulatory environments do you operate in?
The next step is to determine your risk appetite. This is a fancy way of asking how much risk you are willing to live with. Any risks you choose not to accept must be addressed. For each risk you wish to address, you need to determine how — usually this means mitigating the risk by employing one or more of the tools I mentioned above.
In general, if you have even a part-time IT person, then you need to be addressing cybersecurity. For smaller companies, using a third-party consulting firm often makes the most sense. Cybersecurity skills are very perishable, so it’s hard for small companies to properly invest in the training necessary to keep a “one-person show” engaged and effective. In my opinion, if you have an IT department, then you need a Chief Information Security Officer (CISO). Many third parties offer “virtual” CISO services, bringing strategic and operational security leadership to companies that can’t afford a full-time person in the role.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
This is a very important topic. A key tenet of any good security program is: if you see something, say something. It is also often quoted that “most breaches don’t go unnoticed; they go unreported.” This implies that the more people understand how to spot warning signs, the quicker a breach can be addressed. Key signs that something might be amiss include:
- Phishing attacks — Phishing is the criminal practice of sending emails pretending to be from reputable companies in order to obtain information (such as passwords and credit card numbers) or installing malicious software by getting the receiving party to download an attachment or click links. If you think you are being phished, report it.
- Unusual activity on your computer — This could be windows flashing up briefly and then disappearing. This could be a noticeable slowdown. This could be error messages, or missing files. It could be your anti-virus software has been turned off. Report these events and don’t assume things will just get better.
- Locked accounts — If you find yourself locked out from your computer account when you know you did not repeatedly mistype your password, then report it. Chances are someone else is trying to access your account.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Companies must respond quickly and effectively to any security incident or data breach. A good incident response plan is key, and there are several frameworks available. They often use different language, but in my opinion, all response plans should include the following steps:
- Pre-planning — Proper response can only be accomplished with the proper planning. This obviously needs to be done BEFORE any breach. Know your environment and the critical assets. Understand your cyber insurance. Have a third-party on retainer. Train. Train. Train.
- Initiation — Launch the response, assign the resources, and begin formal actions.
- Investigation — Verify information about the event and determine the scope of impact. Define what happened, when it happened, and who is impacted.
- Containment — Determine how to contain the breach. Take actions to stop any further impact and confirm the threat is mitigated.
- Recovery — Return the systems back to “normal.” This may involve restoring from backups and rebuilding systems. If data loss involves personal information, offering identity theft protection for impacted persons is not uncommon. If applicable, involve the appropriate governmental agencies to help assist because they may have seen the attack before or the actors and have further guidance.
- Lessons Learned — Conduct root cause analysis to understand why and how the security incident/breach occurred. Provide these learnings to the appropriate teams so they can be actioned to avoid a future breach.
Throughout the response, consideration must be given to breach notification requirements and proper communications with all impacted stakeholders.
Q. How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
A. As a B2B-focused company, we are not the target of these consumer-focused privacy protections, but they absolutely apply to Zebra globally and we take them very seriously. Like all businesses today, data is playing a larger part in our overall strategy and our value proposition to our customers. Concepts like data minimization, privacy-by-design and use of encryption help us navigate constantly changing requirements. We also work closely with our legal and government affairs teams to get visibility to emerging legislation and pay careful attention to proposed legislation that may have unintended consequences for our customers or internal operations.
Q. What are the most common data security and cybersecurity mistakes you have seen companies make?
A. The most common mistake I see companies make is underestimating their cybersecurity risks. They do not believe the risks apply to them or they simply fail to consider the risks. Regardless of why, this results in underinvesting in very basic cybersecurity tasks. Examples of this include unpatched systems, poor passwords, and poor monitoring. Companies like this will inevitably get breached and may never even know it. Another common mistake is trying to protect all systems and all data the same. This is mistakenly assumed to be an easy approach because it avoids the hard work of classifying data, but this always results in over-protection of data, under-protection of data, and wasted resources.
Q. Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
A. Unfortunately yes. Two major changes have occurred. First, there is an unprecedented level of fear and uncertainty across the globe related to COVID-19. Cybercriminals have been quick to take advantage of this, rightfully assuming people will be more likely to make a mistake when they are scared. By early March this year, phishing emails were being sent pretending to offer news from the major governmental health organizations. To date, there have been more than 12 fake contact tracing applications designed to steal personal and financial information.
Second, many companies have shifted a significant part of their workforce to work from home. In many of these cases, employees find themselves operating outside the relative safety of their company’s internal network with its firewalls and monitoring systems. Cybercriminals are also taking advantage of the increased vulnerabilities of most people’s home networks to install malware and steal data.
There are many different ways to measure the level of cyberattacks. But, by all accounts, cyberattacks have spiked since COVID-19. For example, the FBI recently reported that the number of complaints about cyberattacks to their Cyber Division is up 400% from what they were seeing pre-coronavirus. Interpol has also reported seeing an “alarming rate of cyberattacks” since COVID-19.
Q. Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
A. First, know your environment. It’s extremely difficult to protect what you do not know you have. This seems very basic, but it is a common issue for companies. Keeping a current list of systems, applications, and devices is a surprisingly difficult task. Knowing which systems are the most important is even harder, but having a prioritized inventory of digital assets is the foundation for designing and executing a security program. Imagine it’s your job to keep a group of school kids safe on a field trip, but you don’t have a list of who is going on the trip. That list is probably the first thing you’d ask for before leaving the school.
Second, know your defenses. Based upon your inventory, you need to make sure you have taken appropriate steps to protect your assets. “Appropriate” is an important word, because not all assets should be protected the same. To use a common example, a company’s “Coca Cola recipe” should be highly protected, while its cafeteria menu should not. Constantly look for gaps in your defenses. After all, that’s what the cyber criminals are doing. If you lock 99 out of 100 windows, the criminals will find that one unlocked window. Always be on the lookout for your weakest link so you can strengthen it.
Third, make sure you manage your alerts. The best defenses will occasionally fail. A good cybersecurity program is equipped with many alerts to indicate potential failures. The key is to manage these alerts to the proper sensitivity. A common mistake is to have alerts that are too sensitive, creating many false positives. Not only are false positives expensive to track, but they typically lead to a propensity to ignore or miss alerts tied to real failures. Many post-breach analyses have shown that one or more alerts were triggered very early in the breach, but they were missed or ignored at the time.
Fourth, practice your response. Companies will have a security incident/breach. It is simply a matter of time, so any good cybersecurity program includes effective incident response. As I mentioned earlier, one of the most critical parts of an incident response is the pre-planning efforts that happen in anticipation of a future breach. It is in these pre-planning activities that companies have the best chance of ensuring a rapid and effective response to a security incident/breach. Think about fire drills; the time to figure out evacuation routes is not during a real fire. It’s not enough to have planned those routes; we are required to practice them via fire drills.
Last, communicate well. People equate security with secrecy; and there is some truth behind that. However, good cybersecurity programs need to also be properly transparent. For example, executives need to know and understand the cybersecurity risks facing the company. An effective program does not overstate the risks by spreading FUD (Fear, Uncertainty and Doubt) in the hopes of getting more budget. An effective cybersecurity program also does not understate the risks to get good ratings or avoid difficult conversations. Transparency is paramount when dealing with external stakeholders. The past approaches of denials and “sugar coating” breach disclosures to the public have often proven more harmful to the company than the breach itself. As the adage says, “it’s not the crime, it’s the coverup;” the same is often true with security incidents/breaches. External stakeholders are much savvier than companies may believe; they are able to understand the facts, good and bad, regarding security incidents. In some instances, companies and executives have been found concealing illegal activity from senior executives to cover up major data breaches or other obstruction of justice.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I believe one of the most effective ways to ensure each generation achieves more than former generations is through great education. While four-year undergraduate careers are necessary for several professions, I do think there is merit to other forms of formal education, such as trade schools, certification programs, and apprenticeships. It would be ideal for everyone to obtain the appropriate education for their desired careers without being saddled with crippling debt.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!