As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Gerald Beuchelt, Chief Information Security Officer at LogMeIn. He is responsible for the company’s overall security, compliance, and technical privacy program. With more than 20 years of experience working in information security, he is a member of the Board of Directors and the IT Sector Chief for the Boston Chapter of Infragard. In his prior role, Gerald was the Chief Security Officer for Demandware, a Salesforce Company. He holds a Master of Science degree in theoretical physics.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up with very limited access to computing technology for the better part of my youth. However, I was super excited about science in general and physics and math in particular. This interest really carried over into my academic career where I completed a master’s degree in mathematical physics. At the same time, I had the opportunity to work evening and night shifts in the university’s data center which really helped me to get up to speed on technology and protecting user resources.
Upon completing my degree, I realized that the technology side of the job provided many more opportunities beyond staying at the university. As I advanced my career, and even today, the very rigorous science and mathematics education I received has helped in tackling hard problems.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
There is not just one story, but several contributing factors that took me on my cybersecurity path. At the beginning of my professional career, I focused my efforts on reviewing UNIX and Linux interoperability with Windows NT 4.0, and later Windows 2000. At that time, one of the greatest challenges was the proprietary Kerberos extensions Microsoft put into Active Directory. Naturally, this challenged me to better understand the overall security architecture of operating systems and the various challenges associated with it.
With the broader availability of SAML-enabled web services and the need to federate identities across multiple providers, I worked on various identity management issues, including the overall development of the OAuth and OpenID ecosystem. I then proceeded further into cybersecurity when I started working on several government projects and took responsibility for securing a large acquisition project. While I loved the mission, the people, and the general subject, I was not too thrilled with the speed of execution in the government space. This factor, ultimately, led me to pursue a career working in the private sector as CISO.
Can you share the most interesting story that happened to you since you began this fascinating career?
I would say that experiencing the need for action during a crisis is always a really interesting and challenging time. With the recent pandemic, we suddenly saw how different parts of organizations got very well aligned and worked hard to get through the crisis as fast and efficiently as possible.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I have had many people inspire me and help me grow in my career. However, one person who had a big influence was Eve Maler, CTO at ForgeRock. She is known as one of the inventors of the Extensible Markup Language, better known as XML, and the Security Assertion Markup Language (SAML).
Eve and I worked together for several years when we were both at Sun Microsystems. She helped me understand the intricacies of the open standards community back in the day. I have to say, Eve was one of the most important driving forces in my work life, molding my career journey and my passion for cybersecurity.
Are you working on any exciting new projects now? How do you think that will help people?
Of course! We are constantly improving the overall security and privacy posture of our products for the benefit of our customers and the larger marketplace.
An interesting challenge right now is to address the complexity of privacy. Customers expect their data to be protected from any prying eye, and issues like end-to-end encryption are at the forefront of our thinking. There are many ways to expand the capabilities of our products and make the internet a safer place. In fact, LastPass has been a true trailblazer for “zero-knowledge” SaaS services, so we have plenty of experience to draw from.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
The best advice I ever received and the one I think anyone in the security industry should follow is “always follow your passion.” As cliché as that sounds, this advice still rings true for me and has guided me through several career decisions. Your career should mean more to you than just five days a week and a 9 am to 5 pm routine. If you feel passionate about what you do, you will find that you feel more motivated to educate yourself on your own time and build your skillset outside of the office, which will fulfill you and will support your career growth.
Although loving what you do is the first step to avoid burnout, finding an organization that shares your beliefs is very important. Open communication, a strong security culture and leaders that support both your work and growth are as important. Getting the resources you need will make a difference in terms of doing your job right and balancing your personal time.
Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
There are many exciting things in cybersecurity, but one encompasses many others. People are the most interesting thing about security: from customers’ needs to employees’ and partners’ alignment, all of them make cybersecurity possible.
Security is not created in a vacuum but fulfills the needs of many to see their personal thoughts and assets protected. Our customers and their many challenging requirements are at the forefront of our thinking and planning. But we can really only achieve our objectives as long as we can get all employees and partners aligned in our mission to protect. So, the challenges to coordinate, teach, and align plans and strategy are real. Finally — perhaps most importantly — the security community is one of the most vibrant groups that I have ever experienced. Working on a daily basis with incredibly talented and motivated people on a common goal is exhilarating and very fulfilling.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The scale of remote work since the pandemic broke has highlighted the need for security outside the company’s physical perimeter and we are witnessing a paradigm shift where work from home is the rule, not the exception. Given this change in the workforce, secure access from anywhere should be a key priority for all security leaders today.
The threat surface has exponentially expanded through the many remote work locations (each employee’s own home), which results in more potential corporate targets. On top of that, malicious activity is not backing down. We are seeing an increase in volume and speed of attacks, and the tactics threat actors use are capitalizing on recent events. COVID-19 and election-related attacks are happening every hour targeting organizations in different industries.
To mitigate these risks, organizations require a smarter use of resources and further automation of processes while paying special attention to security trainings. Security awareness should be a priority for new spending plans. Educating employees to understand their role in security and be able to identify threats directed at them will create another barrier to block cyber threats.
Cloud migration is also a potential critical risk. Many organizations moved to the cloud looking for fast access and reduced costs; however, the openness of the cloud also brings new threat access points that need to be monitored. The lack of specialized resources increases the chances of being breached. Hiring an expert (internally or externally) and implementing a cloud management platform can help mitigate potential issues and will cost considerably less than waiting to be breached or having to pay ransom to get data back.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Security breaches — once confirmed — are very sensitive events that require highly confidential treatment. It is a common mistake to mis-categorize security incidents or events as “breaches” when the applicable definition is not met. From my involvement in various incidents, the need to be very precise in our definitions of what constitutes a breach, an incident, or simply an investigation is paramount. This clarity of definitions and processes is also critical to successfully navigate major security events. The biggest takeaway for me is active planning. Planning properly will help you know which stage a company might be in and how to react.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
In terms of cybersecurity tools, I am a big advocate for keeping the first line of defense properly equipped. So, naturally I take my passwords seriously. I use LastPass password manager to keep my credentials safe. It helps minimize the amount of time and effort I put into remembering and creating strong passwords. The tool is also used within our company and available for all employees which consistently helps them use strong passwords.
I also use LastPass MFA for multifactor authentication on a daily basis. This adds another layer of security onto all of my online accounts and is very simple to use. Its biometric and contextual factors protect my accounts while also simplifying the login experience.
As we continue to navigate remote work due to the pandemic, these tools have helped streamline workflows for me, our employees and our security team.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Many smaller organizations don’t have the resources to have a full security team at their disposal. To take care of all security activities, managed security service providers can assist with specific expertise. MSSPs can enhance and take some of the organization’s current activities to the next level when resources are limited. From helping protect services and data, ensuring the protection of endpoints and systems, to securing email as well as enabling web filtering and creating further end-user training, MSSPs and cybersecurity providers are here to keep businesses online and functional.
If outsourcing to an MSSP is not an option, companies should closely evaluate available solutions for their biggest challenges, such as passwords and managing identities. There are complete solutions out there that are built for SMBs and designed to be easy to implement and use. LastPass is an example of a solution that offers a combination of enterprise password management, single sign-on and multifactor authentication for small and medium businesses.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Unfortunately, there is no simple answer to this. Compromised systems sometimes become sluggish or display unexpected data, but well-designed attacks are very “quiet”. There is not a short list of problems that you can check for, and even sophisticated network defenders may take weeks or months to detect problems. However, some of the more obvious problems that can occur include quickly draining batteries, a general slowing down of the system, unexpected crashes, or data corruption.
The complexity of restrictions and geographies has a big impact on how organizations stay compliant. We are witnessing more and more fragmentation as different regulations are approved and are not uniformly applied. For example, local businesses can adhere to their state regulation, but if they’d like to expand, they’d have to address other potential regulations in other regions. Nationwide or global companies are likely to adhere to the most restrictive norms, trying to ensure they can maintain compliance everywhere they do business.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Oftentimes the most common security mistakes have to do with the basics — tightening basic IT and security defenses. For example, ensuring IT and security teams have up-to-date firewalls and are deploying the latest patches. These basics are most effective at fending off viruses and other malware and keeping information secure.
In terms of people’s activities, the oversight of the risks related to passwords continues to be a big challenge. From phishing attempts to credential stuffing, malicious actors know this is a weak spot within organizations, yet many businesses still rely on passwords alone to protect their resources.
Shadow IT is another aspect to take into consideration. Those managing remote teams need to be conscious of ‘shadow’ IT which means employees utilizing their own apps and software instead of the company’s sanctioned applications. People often do this because they’re familiar with the app or the company’s option is hard to use, but this presents new vulnerabilities. IT and security teams should be prepared to closely monitor user behavior and network activity while ingesting current threat reporting on COVID-19 scams and threats.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Since the pandemic broke, all organizations have been facing different risks and vulnerabilities. However, security has not materially changed in the pandemic, contrary to popular belief. The threat surface has expanded into home offices, but the threat landscape remains largely the same. We are still seeing the same threat actors, using their typical TTPs, but with new eye-catching lures. COVID-19 is the new click-bait du jour. We have seen a spike of threats taking advantage of people’s anxiety over the pandemic.
The issue that is not getting enough attention is the risk of employees at home. The new distributed workforce has created unprecedented network traffic. Employees face new distractions at home and operate with often-outdated network and technology stacks — making them a larger target for attacks and raising threats. The uncertainty of the pandemic and human behavior, in many cases, is facilitating this breakout of attacks.
Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
The balance of privacy and security will continue to be a critical issue over the next few years. Privacy protections have an extremely important role to play in our increasingly digitized and highly traceable society. So, there are a few steps to follow in order to tighten security and data privacy:
- Know what systems and services you have. Asset management. For example, knowing what actual assets you are using is the first step to be able to protect them: you cannot secure what you do not know.
- Patching and vulnerability management. Most “hacks” exploit known vulnerabilities for which patches are available. Keeping your systems up to date and free from vulnerabilities should be very high on the priority list of standard practices.
- Implement an access management tool. This not only helps reduce potential login risks, but also provides the IT team further visibility into who has access to specific resources. Moreover, organizations are able to integrate their domain, SaaS applications and even customer applications, ensuring every entry point is secured.
- Think passwordless. Passwords continue to be one of the major frustrations for both IT teams and users. IT teams are spending an average of six hours a week on password-related issues alone, something that can be significantly reduced by implementing single-sign-on or biometric authentication. A passwordless login experience means that while passwords may still exist in the IT infrastructure, the employee will not have to manually enter them. It helps to reduce IT costs by eliminating password-related risks, driving increased productivity amongst employees, and providing stronger security by guarding every access point.
- Provide security trainings. Encourage “cyber smart” behavior. It can often be the human element that is the weakest link in the security chain, with workers failing to change default passwords or using the same credentials across multiple accounts. This is especially true when no emphasis has been made on security awareness and employee enablement. Often creating a stronger “cyber smart” security culture takes time and lots of education, but under the current circumstances, we all need to play our part more immediately.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? (Think simple, fast, effective and something everyone can do!)
Personally, I would strongly encourage a movement to better understand the foundations of free societies: only in a truly free world can people develop their ideas and realize their dreams. Any abrogation of personal freedom results in less creativity and prosperity. My goal is to help drive all of us to recognize the potential we all have, protect personal freedoms and rights, and support a boundless expression of our abilities.
How can our readers further follow your work online?
I can be found both on Twitter @beuchelt and on LinkedIn. You can also follow what we do at LastPass on our website and check out security recommendations and news on our LastPass Blog. Follow us on Twitter @LastPass and LinkedIn.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!