Security is on everyone's mind today, so corporations and the government must consider how to create secure systems while maintaining usability and customer experience. For this episode, we talk with Tom Patterson, Chief Trust Officer at Unisys, to learn strategies for secure computing. Their operating system, ClearPath, has never been hacked so Tom will explain how Unisys has achieved that goal.
Security is on everyone's mind today, so corporations and the government must consider how to create secure systems while maintaining usability and customer experience. For this episode, we talk with Tom Patterson, Chief Trust Officer at Unisys, to learn strategies for secure computing. Their operating system, ClearPath, has never been hacked so Tom will explain how Unisys has achieved that goal.
Tom Patterson is the Unisys Chief Trust Officer and Vice President of the Global Security business. He brings more than 30 years of leading-edge security experience, expertise, and innovation helping commercial and public sector clients tackle some of their most complex security challenges. In his role at Unisys, he leads the development and delivery of advanced security products, consulting and managed services.
Recognized by Trust! Magazine as a 2017 global thought leader on trust, Tom combines his immersion in all facets of security with his dynamic Silicon Valley approach and executive experience with government organizations and big-four and other companies to improve businesses around the world. Having served as a CSO (MCC), partner (Deloitte), chief eCommerce strategist (IBM), and a founder of a tech startup backed by the Carlyle Group, Tom thrives on delivering real security value that earns client trust and grows businesses.
Michael Krigsman: Welcome to Episode #238 of CxOTalk. I'm Michael Krigsman, industry analyst, and your host. I want to thank Livestream for being our video streaming partner because those guys are great. And if you go to Livestream.com/CxOTalk, they will give you a discount.
Today on CxOTalk, we are speaking about one of the most important topics in technology, bar-none. You know, actually, in today’s world, it’s one of the most important topics probably in the world. And that topic is security. Our guest today, Tom Patterson, is the Chief Trust Officer at Unisys. He is one of the world’s experts on this topic. And, let me introduce Tom. He’ll tell you about his background and stick around. Join us on Twitter with the hashtag #cxotalk. There’s a tweet chat going on right now. You can ask your questions, jump in, and join the conversation.
Tom Patterson, how are you?
Tom Patterson: Michael, it’s so great to be here on CxOTalk with you! I’m thrilled. As you mentioned, security is first and foremost everybody’s topic, not just technology anymore, but the boardrooms and the governments all around the world, everyone’s focused on this, and I think it’s a great topic for your show. I’m thrilled to be here.
Michael Krigsman: Well, thank you so much! We have a lot to talk about. So Tom, please tell us about Unisys, and tell us about your role as Chief Trust Officer.
Tom Patterson: Sure, Michael. You know, Unisys is a name probably a lot of people are familiar with. It’s a company that’s been around for over a century, and it’s really worked at the forefront of a lot of the big, technological changes of the different parts of the era of the last century. What they’ve recognized now is that security is the new enabler for everything they want to do. And they want to go digital with their businesses, they want to go global with their businesses, and we need to be resilient with their businesses. They’re finding that security is the great enabler for that.
So, Unisys provides full systems support that is differentiated by industry-leading security. So we operate systems that protect borders for entire countries, and we operate systems that issue national IDs for whole countries, managed jails, air cargo. You know, 20% of the world’s air cargo is managed by Unisys. So, a lot of the critical infrastructures of the world are the natural Unisys clients.
So, we really take security seriously because our clients take security so seriously. And so, we’ve created this role with the Chief Trust Officer, and I imagine I’m the first Chief Trust Officer you’ve had on CxOTalk, and I get that a lot. But, we’ve established this role in recognition that security is more than an IT issue, anymore. It used to be. It used to be bits and bytes and routers and firewalls. Now, it’s boardroom decisions, and what should we do about an M&A? How should we go into a merger? How should we partner in this country or that country?
These are all business decisions. And the threats are dramatic. There's not only the threat of being shut down or having all the information that you are entrusted with taken from you but also there's regulatory compliance now that is new regulations coming that stars next year where the fines start at $20 million dollars and go up from there.
So, it's suddenly, you know, it's an issue that goes well beyond the technology. And that's what the Chief Trust Officer role works with here. We're a coordination point for privacy, for physical security, for business security issues. And we're able to take the advocacy point for our clients so that we make sure that we become that trusted partner that they need in order to take their business to the next level.
Michael Krigsman: So, you described earlier some of the projects that Unisys is involved with. And these are very large, critical infrastructure projects. And, so maybe let’s begin with some discussion. Give us some insight into the security, the computer security thinking that goes into critical infrastructure because you’re so deeply involved there.
Tom Patterson: I’ll give you a great example. One of our clients in the power company for their entire country. If they have a problem, the lights go out in an entire country. So they take their security very, very importantly. So we put in a program with them. We worked with them for a long time. We put in a program to shift them away from the concept of security into the concept of resiliency. And resiliency is a key word in 2017. They UN is focused on that. A lot of the big, global organizations are trying to shift the focus because security you have to be perfect to be any good at all. Resilienc-... and "perfect" is really difficult in this day and age. Even the best systems are getting attacked successfully these days because something breaks down somewhere.
So, we’re focused on resiliency. So, assume that someone at that power company will click on the wrong thing in their email, or they will leave their laptop on the train with the password taped to the top. They will lend their laptop to their kid who clicks on the wrong website at home one night. Those things happen. That’s part of life. What the concept of resiliency is all about that Unisys really stresses with their clients is that's going to happen. Don't let it shut off the lights for an entire country. So, we deploy all sorts of countermeasures within the organization that makes sure that when something happens, we can limit it. And that started out by just segmenting off different parts so if one part of the power system was corrupted, the rest would not be.
But now, we’ve been able to implement really cool things, like predictive analytics. So, if we look at so many data points within the organization and around the world, and we use artificial intelligence to analyze that, we can actually predict the threats that are forming on their borders that are looking like they’re going to go to attack. And at the same time, we now have machine-to-machine defenses that can automatically reconfigure themselves, go into a more defensive posture, when they see these threats that are predicted starting to form.
That’s the future of what critical infrastructure really needs. They need it not only in power, they need it in transportation, they need it in banking, and they need it … There are 18 critical infrastructure sectors around the world, and I would venture to say most of your viewers work in one or two of those already, or have.
So, these are things … Critical infrastructure … There are organizations privately held that need to exist in order to keep your way of life going. And so, it’s not just the governments, which are fairly well-hardened, but now, if your power goes out, that really messes with you. There’s no food in your grocery store. That really messes with life. You can’t get your money out of your banks. These are all things that really can dramatically hurt a nation and the people of a nation. And, that critical infrastructure, therefore, needs to be protected.
That’s the reason I came to Unisys in the first place because their reach is so broad. They actually operate and design and operate a lot of this critical infrastructure and a lot of these … You know, in healthcare, in banking, and energy around the world. So by coming here, we’re actually able to raise the bar really elevate the security posture at a wide variety of clients around the world.
Michael Krigsman: When you talk about segmentation, there’s now also the concept of microsegmentation. And so … please.
Tom Patterson: Beautiful. Yeah, no. Michael, it’s a great point to raise. It’s hard. Security people have known for a long time that it’s better to segment their network. So, if one part gets broken into, the other parts won’t get broken into. It’s a concept called “east-west collateral movements,” and you want to stop those. And so, the way they used to do that was with the tools at hand in the olden days, which were firewalls. They would put a firewall between this building or that building, or between this giant network or that giant network. That’s how they went ahead and segmented their networks.
Well, we have gone to clients that had over 100,000 individual rules on one firewall. No one can keep up with that! They don’t know what rules are there, who wrote them, what they’re for, so they don’t touch them. So now, in those old days, it was so expensive to segment off that people have started to stop doing it. Even though they know they should in order to keep business flowing, they’ve stopped segmenting the network, so they’ve done it at such a gross level, that it’s not really that well-segmented.
Enter a new concept, a new technology called “microsegmentation.” You know, we’ve been working on it for over five years with individual clients, but it’s now a generally available commercial product called “Stealth,” that is able to be woven into any existing network to allow you to create little, tiny microsegments, completely transparent to the users, that don’t require any firewall rules. They’re all managed by what group you’re in. If you’re in accounting, you get to see the accounting resources and nothing else. If you’re in marketing, you can see the marketing resources and nothing else.
And even though all the networks are still interconnected, the packets are locked into these little, tiny microsegments, and that makes is so much easier to protect the network, to deliver the resilience that’s necessary so someone still might click on the wrong thing, but that attack is going to be limited to their little group. All the accounting people and Poughkeepsie might be affected but not the rest of the world. It won’t turn off the lights. And that’s what we’re really trying to get to with microsegments. The more you put in and layer onto your existing network, the more secure you are.
And when you design it correctly… And we now use artificial intelligence to actually create the whole mapping of … When we roll out microsegmentation with Stealth, it now can be done so it’s so transparent that as long as an employee or an associate’s not breaking the rule, as long as they’re doing what you asked them to do, they’ll never even know it’s there.
Michael Krigsman: So, it’s …
Tom Patterson: […] something they shouldn’t get, that’s when it’s a problem.
So, it’s a … It organizes people by group; but how does that affect the security threats from the outside?
Tom Patterson: So, if someone comes in from the outside, they break in, they’re breaking into some point in your network. And in the olden days, that point would then they’d be able to go east-west or lateral movement, and they would do reconnaissance of your entire network. Now, whatever point they break into, all they can see when they run their reconnaissance program is those few nodes in that little subsegment. They don’t even see that the rest exist. Now, a good security monitor will then watch, and we've integrated Stealth into all the top SIMs, like ArcSight and LogRhythm. And so the big systems that people use to manage their events, we report up to them and say, “Hey! Somebody got in,” and try to see something outside of the microsegment, but they didn’t get any feedback back, so they can’t reach back to their command and control servers. They basically look around and say, “Nothing to see here. Nothing t steal here. Let’s move on and try the neighbor.” And that’s one of the huge advantages both from an external attack and from an insider attack, which is more and more a critical issue for companies.
Michael Krigsman: You mentioned earlier that security is a technology subject as well as an important business topic. And so, how do you talk about this and present this at a senior level inside organizations and what’s the posture that these companies, from a business standpoint, are taking regarding security?
Tom Patterson: Well, that’s something that’s changing almost in real-time, Michael. The past few years, the medians that I take now are very rarely with the IT department. They are now with the boards of directors. The members of the boards of directors. The CEOs with the Vice President of Finance. The people that are responsible for running the business, and they are the ones that are saying, “This can’t go down at this point.”
The conversation has evolved. I started … You know, my first job was in the US intelligence community overseas. I’ve been a security guy my whole life, and I learned the technology along the way in order to do my job. But it didn’t come up through technology. I’m not a programmer to start, which a lot of security people are. You do have to have people that know that. But, they then have to evolve that skill set in order to really work at the business level. And that’s the concept of the Chief Trust Officer that we’ve employed here at Unisys and other big companies around the world are starting to move to.
When you look at it in a more of an overall perspective, not just the bits and the bytes of the problem. That certainly has to be handled, and you have to have CIOs that can really put in the resilient network architecture. Absolutely [a] key technical issue that has to be there. But, there are also privacy issues that you can design in, and physical security issues that you can design in and then the use of advanced, predictive analytics and machine-to-machine; you know, all these things, the speed of these attacks now just overwhelms most groups that try and defend with humans in the line. So, you know, we’re looking at threats that get in and within milliseconds are taking over.
So, you can’t wait for someone to get a text and say, “Yes! We should go to a more defensive posture.” It has to happen right like that. Right instantly. And that’s really the state of the art that we’re moving to here at Unisys.
Michael Krigsman: And, we have an interesting question from Gus Bekdesh, and I hope I’m pronouncing his last name correctly. And, he’s asking, “So, what makes humans so hard to hack? What can we learn from that, and can we encapsulate that in AI security systems?”
Tom Patterson: Gus, I like your question! There is a lot of science that directly […] on that point. I see a lot of university programs that are focused on that. A lot of early startups now that are coming out with an algorithm; one approach to that or a different approach. But, one approach to that [is] trying to figure that out.
I can say we’re getting much better, but it’s a massive, massive problem that has to be addressed. The enormity of what we call the "attack surface" is just so overwhelming that if you do protect it over here, someone could still get in over here. So, while we're getting better at that, we are in the infancy of predictive analytics and, say, using AI appropriately. The next three or four years, I think, are going to show tremendous improvements.
I think it all stems from those AI algorithms. So, if your group that you work with has a big data analytics person, a scientist, or if you’re lucky, a group of them; give them all the R&D money you can afford. Let them go to the great symposiums at the universities around the world. A lot of this information is being shared freely among the scientists in the AI world. And that is just a race to commercialize the algorithms. But, I’d say we’re at the beginnings of that. There are definitely a lot of people, smart people, very focused on that. And then as those new algorithms come to fore and take hold, that’s when we’re able to put them to work.
And, one example was we got an offering called “Stealth Identity,” which sells a lot into areas where you need to be very, very sure of who you’re dealing with. So, for years, that’s worked with physical biometrics. So it has done facial recognition. We’ve managed over a quarter of a billion individuals with at least one biometric marker around the world for our clients. So, it’s a huge operation for physical biometrics.
But, the new, cool stuff that we’re rolling out within our Stealth Identity offering today is focused on behavioral biometrics. We’re not looking at your face geometry or your iris or your thumbprint. Now, we’re looking over a hundred, little, tiny things, like are you left-handed or right-handed? What’s the volume of your voice when you speak? How hard do you press on your phone? Where do you normally go? What things do you do online?
All those go into creating a “risk score.” So, it’s not one, it can be tricked or fooled, and say, “Oh, I’ve changed the IP address so now I’m going to masquerade as Tom.” Now, we’re seeing behavioral biometrics look at all that data, and then we feed that into our artificial intelligence and our predictive analytics capability to come up with a, “We’re 84% sure this is Tom.” So, if all he wants to do is do his email, go ahead. But, if he’s trying to download the source files for our super-duper new product, or, you know, take all the identity information we’ve got on our clients, then we need to ask him for more information or make sure he’s at his office or something.
So, we’re really seeing advances of that in commercialized, as it evolves, but it’s a two-step process. The scientists have to think it up, and then the products like Stealth then have to bring it to the masses that need it.
Michael Krigsman: We are talking with Tom Patterson, who is the Chief Trust Officer at Unisys. Join us on Twitter, hashtag #cxotalk, and you can ask questions.
Tom, you're talking about behavioral biometrics and topics such as that. What is the composition of the team that's needed in order to develop these kinds of products? It seems like you need a very multi-dimensional team.
Tom Patterson: That was another great thing that I found when I joined Unisys. We have a history of hiring some of the brightest and best around the world. And, we put all of them to use in solving our customers’ and our clients’ new problems in this day and age.
So, behavioral biometrics: a different science. So, we've spun up a Big Data analytics team led by a brilliant doctoral scientist, Ph.D. scientist, that has studied this all his life. And then he has directed a whole new team of programmers that feed into our Physical Biometrics team, which feed into our Productization team, which feeds into our Client Solutions team … So everything has to come together in order to make this science useful.
And that’s really one of the things we focus on at Unisys. We’re graded by if our clients are successful. Our clients, you know, do what they want to do. Are they able to take advantage of the cloud safely? Are they able to grow around the world? Are they able to speed this up or keep the lights on? That’s how we figure out if we’re successful or not.
And so, all those pieces have to be in line. But, we are absolutely blessed to have a world-class guy named Rod Fontecilla, Dr. Fontecilla, leading our Big Data Analytics team, which feeds all of that behavioral biometrics business … Go ahead.
Michael Krigsman: So much of security involves trade-offs between usability and hardening the system, or restricting access, let’s say. And in fact, you had an operating system clear a path forward that was never hacked. And so, where do you draw those lines, and where should CIOs and Chief Information Security Officers, and boards of directors, draw those lines for their organizations?
Tom Patterson: Yeah, Michael. The trade-off question is one that we tackle frequently on a regular basis. Because, in the olden days, it was a trade-off. Do you want to be open or do you want to be closed? And if you’re closed, you can’t really do too much, and if you’re open, you’re at risk. And that was the trade-off that was always there.
This day and age, [it] is that businesses have gone digital. And we're using shared resources as though they were our own, like public cloud systems and employees' own mobile devices. All these now share concepts. We're actually able to architect security in, so it’s an enabler of that, as opposed to a trade-off for that.
And, you mentioned a clear path forward. One of the products we're very proud of, it is a fundamental, core system behind over a trillion dollars a day that gets transacted online at banks around the world. Think about that! Over a trillion dollars a day; has been for over five years. And if you go to NIST, the National Bureau of Standards … [Laughter] the new name for the National Bureau of Standards; if you go to NIST's website and look it up, they actually rank the security of all publicly sold products. And if you look at operating systems, we’re at the top of the list. Number of hacks: zero. Successful attacks: zero. Overall, this is a huge bullseye! Trillions of dollars a day! And yet, zero hacks.
And, it didn’t come from restricting it. That came from designing security in. Thought process number one was this has to be used for the most important business of the world. You know, real-time systems. You know, we don't want planes to fall from the sky. We don't want trillions of dollars to disappear. We don't want the power to go out. These systems that have to be right, all the time.
So, we started with the premise that security is Job Number One. So, we built that in. And then, built the systems on top. And this started working on mainframes years ago. Now, it works in virtual machines in anybody’s cloud. But, it’s the same core belief in security, design it in, and we found we don’t make trade-offs nearly [as much as] we used to do; what the businesses of the world used to have to have.
Now, if you’re clever about security, if you’re using modern tools like microsegmentation, you can actually be that business enabler. You can save your organization money by safely using the cloud. You can save your organization money by having a supply chain that’s fully integrated, but do it in a way that they’re all in one little microsegment, not having root access to the rest of your business. So, we really look at tradeoffs being a word of yesterday. And today’s word around security is, “enabler,” and that’s what we focus on at Unisys.
Michael Krigsman: So, how does a company get to that point? Because, nobody wants to be broken into, and if you any CIO, they’ll say, “Of course we’re secure.” And so, how do you overcome that bias in a sense, away from being realistic?
Tom Patterson: Well, again, there's a whole crop of great Chief Information Security Officers that do understand this, that do understand that one of the biggest issues that they've got to face is the constant change; the constant evolution on the bad guys' side and on the good guys' side.
You know, I still maintain a Top Secret clearance from the US Government. So I see all the stuff, right? I sit on a panel at the White House now to help protect critical infrastructure. So, there’s rarely a threat that I don’t see. And people ask me how I sleep at night, you know, aren’t I worried, aren’t I depressed? And I’m not! I’m actually very optimistic because, in the rest of my job, I see all the good guy stuff that’s evolving.
There are great, new technologies. There are great, new thought processes. Universities are churning out, really, really well, thoughtful, creative Chief Security Officers, and Chief Privacy Officers and Chief Risk Officers. And so, we’re really seeing the good guy evolve at the same level as the bad guy. And, that's really ... It's that mindset change is where it all starts.
Michael, you asked the perfect question. If you’ve got a mindset of, “There’s gonna be tradeoffs. All I’ve got in my arsenal is stuff I used to buy five years ago, and it’ll never work,” that’s gonna fail. And, but there are plenty of people out there now that do get it, and they are coming on. And, you’ve seen the leading companies of the world moving towards bringing in those types of CISO. We work with some of the best CISOs in the world. They’re brilliant, but they’re also current! And, they’re not brilliant because “This is the way we used to do it in the ’70, and by gum, we’re gonna keep doing it that way!” They are constantly going to the conferences; they're constantly reading scientific papers. They're constantly trying out new technologies.
Even if they come from a tiny, little startup with no clients; if it’s a clever, new way to do something, they want to see it. They want to feel it. They want to see if it can help them. And, nine times out of ten, they’re able to actually weave together, using today’s countermeasures, a defense that matches and fits into the business requirements. So, it's all about the people at the top.
You know, I do spend a lot of time with members of the boards of directors, and generally, they're not the most security-savvy people in the organization. I spend my time there on purpose because they are key to making this all work! And, I don't want to teach them how to become a security expert, because that's just a failed concept. What I do know is I teach them how to ask the right questions.
It’s amazing what happens in a public company when a member of your board of directors asks the CEO a question. The CEO then starts a whole program and gets the best people; “We need to answer this question!” The board member asked it. Just asking the question is what I tell them. Even if you don’t know the answer, even if you don’t know what the answer should be, asking the question is a good start. That gets the process rolling.
You know, asking a question is not like, "What encryption do we use?" because they shouldn't have to care about that. But ask the question of, "Are we resilient in our supply chain? Is our supply chain connected, or do we have to make changes to the…” Those kinds of business questions start this whole process of thinking that then the right kinds of leadership in a company will embrace, and they'll see that there are great solutions out there today to address.
Michael Krigsman: So, the questions that you're posing to the Board, or suggesting that the Board pose to the CEO, relate to the impact of security on business operations?
Tom Patterson: Absolutely. So, again, I don’t try and make a board member a security expert. But, I also, I get them off of worrying about their home computer and what virus they might have, and why is their computer slow, which used to be the questions. Now, it's all about … I hear GDPR, this new regulation that's coming into force in spring of next year spring of 2018. What's our exposure to that? What's our impact to that? What can we do not only to be compliant but to lower our audit service as we go forward with that? Just asking those kinds of questions start the ball rolling within a company, and generally, they're going to like the answers, is what I tell them.
Michael Krigsman: What about the role of the CIO? Where does the Chief Information Officer fit into this equation?
Tom Patterson: Yes, so the CIO is absolutely key. The bits and the bytes run over the CIO’s infrastructure. The CIO has to be able to architect and deliver an infrastructure that works for their business, and that can support the security that's needed. But it's no longer the only source of input. That CIO now has to be quite the politician; quite the operator; in order to work with his or her counterparts in the organization, and through their advisors like their auditors, to really put together an overall system.
What you don’t want to see is stuff being forced on a CIO. Saying, “Well, I didn’t want to do this. I didn’t want to spend my budget there. I didn’t ant to out this block in here, this giant firewall in there, but somebody told me, The auditor told me I had to." That's the worst of all possible situations. You want to make that CIO a part of this larger risk and trust team that's looking at it holistically so that they can architect in. The CIOs are a smart group of folks. They can architect in. If they know what the goal is, they can architect in in a much saner way, especially using things like public clouds, which are elastic and inexpensive, and you move them in.
All these benefits that they get, that they hadn't been able to have because they were not thinking of it with the most modern security approaches, and with this overall business privacy driver, as part of it. When they put that together, they end up architecting in; then they run a much more efficient, global network that does meet the needs both of the business side and of the security folks.
Michael Krigsman: And, so you mentioned the risk and trust team. What should be the ideal composition of such a team?
Tom Patterson: Yes. And great question, Michael. Every organization that I’ve worked with so far has been slightly different from each other. But the key really has been that the people that hold those roles work well together. Whether there’s a hierarchy, whether they’re in the same group, whether they get together informally; that has turned out to be less important for overall success.
What really has to happen is that all their voices need to be respected, and they need to be proactive They need to b ahead of the bow wave. If the group is getting together for the first time after a security event has happened, that’s the wrong time. These folks should be working together on a regular basis, whether they’re in different groups. And a lot of time, privacy reports to the legal counsel, and the physical security reports to the COO and the Chief Security Officer reports to the CIO. So they can be in different towers still. We haven’t evolved that much that quickly. But, having them work together at the direction of the board, at the direction of the CEO and the Global Leadership team. Get together, work this stuff out together, that’s where they’re finding these great synergies. That’s where they’re saving money. That’s where they’re lowering risk overall; privacy risk, and security risk, and physical security risk. All these things can be addressed together, you know?
Most every company of any size that’s been around for a while has issues like technical debt. They’ve got old stuff, and there’s not enough money to buy all new stuff. So, they’ve got to work together and be realistic with each other and say, “Well, we’ve got this privacy spin that we’ve got to do, and we’ve got this technical debt issue for here, and we’re trying to go an open business in country X and country Y. Let’s design a system, maybe using a cloud provider and some microsegmentation and we do this.” Suddenly, we’re addressing all those issues with one spend. And that is really opening the eyes not only of the practitioners but it's opening the eyes of the business leaders and the governance leaders across the board. And literally, around the world.
Michael Krigsman: And what about the … You mentioned privacy. So, what is then the linkage between security and privacy?
Tom Patterson: Yeah. So again, they used to be at odds. [Laughter] They used to be two separate groups, and in many cases, still are in two separate towers in an organization. But, we work very hard. Unisys has its own security consulting group that’s a very high-end group. It’s not the masses, “Oh, let’s send a thousand people out to go operate your business.” But, we’ll go in and talk to your teams, and coach them, and train them up.
And one of the things that we really focus on is getting those two businesses together. They’ve become very complementary, and they both have great, skilled people at the tops of those organizations in many cases, but they hadn’t worked together well. They hadn’t been brought in together. Now, we’re finding their clients; their customers, the end-users are demanding that. “Hey, we’re not going to trust you unless you convince us you’ll take care of my private data.” And that’s a privacy issue. It’s not a security issue. So, coming up with a system that does that is key.
You know, one of the other things that have been a real wake-up call for a lot of these folks at these companies is they're finding this concept of reducing their audit service. We tell them as security professionals, "you need to reduce your attack surface. You need to not have this big, wide network with all these places that could be attacked." You know, their home computers and their phone lines, and their "this," and their "that," the cell phone of the CEO; all of those things are part of your attack surface. So, what we try and do from a security perspective, is we bring that down. We reduce the attack surface.
We now apply that same thinking to the privacy officer. "Let's reduce your audit surface." So, one of the things that are problematic with all these regulations is the cost, both in time and money, to audit every system that you have; every year. It's a very expensive proposition. It takes people away from doing other, more important jobs that their company would want them to do.
So, what we found is things like GDPR and PCI if you’re in the payments world, or HIPAA if you’re in the healthcare world, these regulations say things very clearly. We need to audit all the systems where customer privacy data has touched them if it wasn’t encrypted. That’s the last bit! So, what happens is most people bring it into their network and it just floats around in packets and they don’t know where it goes. They end up having to audit all of their systems every year. A hugely costly time and money expense!
What we do is we put … let’s just say the PCI data tracks credit card track data … We put track data into its own little microsegment. So, no matter where it goes, it’s in its own little segment. It can never get out. And so, you then, for PCI compliance, only have to audit those few computers that actually touch that. Not all the rest! And that dramatically lowers your cost to be compliant.
So privacy is a big issue, but the answer here is coordinate with security people, with the physical security people, with the businesspeople, and I think you’ll find that you can do things like reduce your audit surface at the same time you’re reducing your tax surface, save money, and get a win for everyone.
Michael Krigsman: I want to remind everybody we’re talking with Tom Patterson, who is the Chief Trust Officer at Unisys. And join us on Twitter with the hashtag #cxotalk and ask questions.
We have some more questions, but before that, Tom, some of the techniques that you’re describing are very sophisticated. And how can organizations that don’t have that level of sophistication and security deal with it? And at the same time, what are the bad guys on the other side doing? They’re pretty sophisticated, too.
Tom Patterson: They are. Two-part question. I’ll take them in order. Again, both interesting questions, Michael.
First off, in terms of the level of sophistication, five years ago, when we introduced Stealth, the only groups we sold it to were the US intelligence community. They had the sophisticated people that could take care of it. In fact, it's the only micresegmentation product that’s approved by the NSA to handle classified data still, to this day. But what we’ve done in the last five years is build a lot of intelligence into the products themselves. I think that’s a trend that you're seeing a lot of the more advanced, better-funded security product companies around the world; maybe the one-offs, startups can't afford to do that. But the bigger companies understand that if you want to make it useful, you have to make it accessible.
So, we built, like for Stealth, we launched a program last year called Stealth Aware, that automatically scans your network. Automatically gives you a visual map of your network. Automatically isolates independent flows and says, “This is probably PCI data. This is probably HIPAA data. This is probably marketing data.”, and suggests security policies that you can then say, “Adjust them a little bit and give me their own names,” and hit “enforce,” and it automatically distributes it, all based on artificial intelligence. So, we’ve made it as user-friendly and accessible as possible because we want all of the world to be able to take advantage of the most modern technologies.
And we’re not alone in this. The firewall companies have emerged to become really next-generation firewalls and really very easy to deploy, say, in the same thing in security and event management, it used to be a nightmare of sophistication in order to make any use of it. Now, new companies like LogRhythm in Denver, Colorado, just made that so easy because they build the intelligence into the product. We’re seeing more and more of that, and that’s certainly the way the industry is headed is taking advantage of that, because everyone wants it to be better deployed. We don’t want “shelfware” as we used to call it in the olden days.
In terms of what are the bad guys doing? Absolutely. This is one of the keys to success is you cannot get complacent. You looked at the … You followed the ransomware issues of Sprint of 2017 that spread throughout the world. They were attacking systems based on the holes in the systems that had been … a patch had been available for three months. So the only places where they were effective were the places that hadn’t patched in three months.
Now some companies have a 90-day patch cycle. Some have an annual patch cycle. Some never patch. But that vigilance that staying current is absolutely key; if you stay current with your patches, if you layer on microsegmentation, if you train your people, invest in training your users about what to do and not do, and what to do if you click on the wrong thing and just be realistic about that; those three things by themselves will make you resilient. And that’s the goal! You’re never going to be perfect, which is what the old goal used to be. Now you just need to be resilient, and you need to make sure you contain an issue down to a level that you’re comfortable dealing with; that you keep the lights going on; that you keep the money flowing, that you keep the bread on the shelf … Whatever your job is, whatever your company’s business is, that needs to keep going. That’s job number one.
And if you have that as your goal, and your modern technology and most modern thinking, people, process, and technology; you have to have the right people, the right current thinking. You have to have the right technology that can do what needs to be done. But, you also need really agile and efficient processes. These don’t just come out of a box or out of a book. This takes real experience to be efficient enough to do all these things without breaking the bank or needing people that you can’t find and hire and retain.
So, you need the people, the process, and technology to all come together. But, they will be a match for the bad guys. The chances of you being the one organization that’s hit by the one zero-day that no-one’s ever thought of are very small. You just want to make sure you’re not the third guy that got hit by that zero-day from yesterday. That’s the thing. You need to be current on your patching. You need to be aware of what’s going on. You should be plugged into somebody’s cyber intelligence feed so you can see what other companies that look like you and organizations that look like you; what they’re seeing so you get a little advance warning. And the more you can layer on things like micro-segmentation; which, again, is transparent, doesn't require new users, works right off of your LdacDAP or active directory; whatever grouping you've already got just feeds off of that.
So, putting in these kinds of things now will save you so many headaches down the road.
Michael Krigsman: So, that combination of being diligent, focusing in your processes and mindset around security and buying the right technology.
Tom Patterson: […] the right technology.
Michael Krigsman: Say it again? I’m sorry.
Tom Patterson: All right. Just being current with the right technology. It’s constantly evolving, and you don’t want to lock into any particular brand or any particular concept. You just need to make sure you’re staying on top of things as it evolves.
Michael Krigsman: We have a comment, a question from Twitter. Arsalan Khan is bringing up the subject, “Who is responsible for dealing with social engineering threats?” And so maybe you can explain what that is. And that seems like it really falls really clearly under that kind of mindset in people and process dimensions that we were just describing.
Tom Patterson: And really, Arsalan has another fantastic concept to discuss. Thank you for the question. It really isn’t one thing, anymore. There’s not one group or organization responsible for that. You certainly want to educate your users to not fall for the common tricks. We spent a lot of time saying that the best phishing attacks no longer look like that Nigerian Prince email with the misspellings that we used to have years ago. Now they look like every bit that they came from your CEO with all sorts of information about you that’s right, and no misspellings at all, but it’s still a trick.
So, social engineering is a huge thing. It’s one of the most common entry points into an organization at first. So, educating groups about what to see, what to do, and that’s key. But, you can’t leave it at that. Then it’s up to the CIO and the CISO to architect defenses against that. So, you can do things like have digital signatures on your email, so if someone says it’s really Tom emailing you, you’ll be able to see some digital proof that it’s really Tom, not some email return address which is easily spoofed. So, putting in things like that can go a long way to reducing the social engineering.
And then, just understand that someone, somehow, at some point, is going to click on the wrong thing. It's just a fact of life. No matter how you train them up and how good they are, it's going to look good. One of the things that are going on now is most of the information on people that bought houses or buying houses, was stolen. And so, what's happened, they're all getting emails that say, "Okay! Here's how you do your wire transfer. Send it here!” And they look perfect! And they’re about to do their wire transfer, and they ended up wiring all their house money to some crook overseas.
So, that’s going to happen. What you want to do is make sure that those people, your employees, operate within a little, tiny microsegment. So, if they get tricked into doing the wrong thing, they don’t take down the whole company. They just take down their little field office or their little subgroup. And again, the smaller you make those segments, the less of a risk it is. So you need to change; work on the people side. You need to work on the technology side to put those things in.
And then, the process. You want people to report issues. "Hey, this didn't smell right. Should I just ignore it, or should I call somebody?" We put in programs where people that call in, "Hey, I don't know if this is spam or not, but I got it." We want to see that because we want to see if there's something happening and our people are being targeted.
We actually reward them. We send them little gold stars, we thank them publicly in our newsletters, we make them heroes for doing the right thing; sort of deputize them in the defense of the organization. And it really works out great. It’s a mindset change, but absolutely any key part of any defense these days.
Michael Krigsman: Tom, we have just about two minutes left. And, we need to talk about policy. So, in a minute or two, you’ve worked in the intelligence community. You’ve advised the government, advised the White House. What are the policy implications of all of this for the government? So, in about a minute, could you just summarize your thoughts on that?
Tom Patterson: Oh, my. You gave me the toughest question, with no time left. That’s not fair, Michael!
Governments around the world have a role to play. There isn’t one government in charge of all of this. We’re starting a sequel operation around cyber, globally. Most organizations, the smallest organizations, now cross borders on a regular basis; their suppliers or their supply chain, their customers, or their clouds, something crosses borders somewhere. You need to focus on international cooperation.
But, if you do your part, if you encrypt your data wherever it goes, and you hold the keys, not some third-party, any third-party, you are miles ahead of what’s going to come down from any policy perspective.
Michael Krigsman: And, in the last thirty seconds or so, this is a little bit off the ranch, but any thoughts on Blockchain and security?
Tom Patterson: Uhh, I love Blockchain. We’re not going to explain it in fourteen seconds. Blockchain is the fundamental technology underneath of things like Bitcoin and Etherium, and some of these massively new cryptocurrencies that are out there. I like it for cryptocurrencies, but honestly, I think regular currencies are working pretty well these days, so I'm not sure what problem they're solving.
I love Blockchain for distributed trust. It's going to be a huge enabler, especially around Internet of Things, where there are so many of them coming, trillions of these devices that are connected. There won't be time to go to a trusted third party. We're going to need peer-to-peer trust. That's what Blockchain brings us. Great place to focus on learning, and investing, and working with building into your systems.
Michael Krigsman: And, in the spirit of answering complicated questions very quickly, what about security and IoT? [Laughter]
Tom Patterson: Oh, man! So, IoT is a privacy issue, first and foremost. When there's Internet of Things, they're used as industrial control systems. So, we protect a lot of the valves that open and close gas pipelines and oil rigs, and electrical switches on towers. All those are little, mini computers. Those have to be secured. The things like the FitBits and the health monitors need to initially be secured for privacy, but ultimately, we need to design the same level of security that we’re doing in the industrial control systems into all sorts of IoT.
Big issue coming out. First, you'll see it in privacy on the consumer side. Then, you'll see it as security, as we move from cars entertaining us to cars driving ourselves home. That's going to be the big change, and we need to take security seriously across the board.
Michael Krigsman: And, even though we are out of time, you mentioned cars. And, this … What about security in cars?
Tom Patterson: Oh, man. So, cars scare me because they are … have never historically taken security seriously. There’s a thing called the Can Bus that is sort of the interconnection point for all the sensors that have been on cars all along.
In the beginning, everything plugged into that, including turning your steering wheel to "park" and pressing the accelerator on your brake. Now, we're starting to get better. We're starting to have better systems. We're starting to have little, tiny firewalls and microsegments in the cars themselves. You definitely are going to be choosing which brand of vehicle to buy based on their cybersecurity safety record, and it’s something that every manufacturer is getting very, very serious on.
Michael Krigsman: Okay. So, we are out of time. I apologize to the folks whose questions on Twitter that we didn’t get to. Tom Patterson, Chief Trust Officer at Unisys. Thanks, so much for taking the time and sharing your expertise with us!
Tom Patterson: I'm happy, and I'm on Twitter @TomTalks, and I’ll monitor that hashtag, too and play […] and forward it whenever I can, whenever I see a question.
Michael Krigsman: Fantastic! Everybody, you’ve been watching Episode #238 of CxOTalk. Next week, we have two shows. Two great shows. So, go to CxOTalk.com/episodes and check out our upcoming shows. And, be sure to subscribe on YouTube. Click the YouTube button then subscribe.
Thanks so much, everybody! We will see you soon. Bye-bye!
Published Date: Jun 16, 2017
Author: Michael Krigsman
Episode ID: 440