While prominent companies and healthcare institutions around the world were reacting to a ransomware attack known as WanaCryptor 2.0, or WannaCry, a young man working for a cybersecurity firm in southeast England landed on a solution that cost just $10.69. He found the so-called “kill switch” in the malware’s code: before doing anything else, WannaCry tried to reach a particular, unregistered domain name and shut itself down if the domain answered. He promptly registered the domain, causing newly infected machines to exit before encrypting files or spreading further. The identity of this cyberknight remains anonymous, but one notable fact about his background has emerged: he’s only 22 years old.
According to a 2015 study by the Center for Cyber Safety and Education, the average age of security practitioners is 45 years old. Many security professionals will leave the workforce within the next 20 years, but younger professionals are not seeking careers in cybersecurity at a pace sufficient to keep up with companies’ demands. Developing a workforce that will be prepared to meet companies’ increasingly complex cybersecurity needs means companies—and educators—will need to build a bigger, more inclusive talent pipeline for people interested in the practice.
When I spoke with cybersecurity expert Summer C. Fowler for the cover story of the May/June 2017 issue of NACD Directorship magazine, I asked about her work at Carnegie Mellon University to recruit diverse candidates to the programs she leads at the CERT Division of the Software Engineering Institute. One look at her Twitter profile illustrates that she’s a passionate supporter of the Cyburgh, PA Initiative, a program developed in partnership between Carnegie Mellon and the Pittsburgh Technology Council to advance the city’s status as a leader in cybersecurity technology. The initiative could not be successful without being inclusive.
“The issue of building a talent pipeline is such a challenge because of what we’re offering by way of schooling,” Fowler said about the role of university-level education in developing the cybersecurity talent pipeline. She then drew a parallel between the education and training of doctors in the 1970s to the challenges the cybersecurity sector has with finding diverse candidates. “When you look back to the early 1970s, the medical field was exactly the same. Only about 11 percent of doctors were women. There also were not many minority doctors in this country. We’re investigating what changes in the medical community were made to bring in more women and underrepresented minorities, so that we can do the exact same thing with computer science and engineering fields.”
Fowler pointed out that there needs to be further delineation of roles in the cybersecurity industry to clarify the hierarchy of talent desired. “When we talk about cybersecurity, we all think about a Ph.D. from Carnegie Mellon or from Stanford,” Fowler said. “We need to get better at differentiating the roles and what training requirements are. When we get there, I think that striation of roles will naturally open a pipeline to more people who are interested in the field because it would be seen as this daunting job that requires a Ph.D.”
Still another challenge exists: getting diverse talent interested in the topic to begin with. I shared with Fowler an anecdote from my own high school experience. My path diverged from that of a male friend who was interested in white-hat hacking, which is the technology industry term for the benevolent hacking of systems to detect vulnerabilities. While I was curious about the world of professionals who were defending against cyberattacks, I had no outlet for learning about programming at the time. No one at my public high school in inner-city Memphis was engaging young women in learning about computer science in 2004, and my friend had family who supported and encouraged his interest.
Fast forward nearly 13 years, and my friend is a practicing white-hat hacker for a Fortune 500 company. I, on the other hand, earned my bachelor’s degree in creative writing, and have since revived my interest in the topic and write about it from a governance perspective. Could I have been working at the same company with the helpful nudges of invested educators, or with after-school programs for young women like Girls Who Code that are sponsored by interested corporations? Fowler seems to think the answer is “yes.”
She suggests that the solution now will not be to bring girls and young women to technology, but to bring discussions of technology to them within contexts that interest them. “Instead of saying to girls, ‘You need to belong to the computer science club,’ talk to them about what computer science might mean to ballet, or to whatever program they’re involved in.” She suggested discussing breaches to the entertainment industry with young people interested in acting or movies, for instance, as a way to pique their interest in a field they might not have considered before.
Ultimately, one of the greatest challenges to building the cybersecurity pipeline will involve developing aptitude tests, then encouraging promising young people to pursue a career down that pipeline. “It’s also a matter of figuring out what the specific competencies are. We’ve done a really good job for lots of different types of jobs at being able to say, ‘Let’s perform an assessment to see what your skills are and what you’d like to be doing.’ That process enables us to say, ‘Wow, you would make a great attorney, or you would make a really good financial analyst.’ We don’t have that in the realm of cybersecurity.
Building out more roles in cybersecurity and advocating for the inclusion of those roles in career aptitude tests would help young people—and perhaps even more women—get excited about joining the ranks of cyberknights in the future.
Katie Swafford is assistant editor of NACD Directorship magazine and also serves as editor of NACD’s Board Leaders’ Blog.
If I were sitting on a board, this attack would prompt me to ask questions about the following three areas: End of Life (EOL) software; patching; and disaster recovery.
EOL Software. EOL software is software that is no longer supported by the company that developed it, meaning that it no longer receives updates or patches to protect against emerging threats. WannaCry spread by exploiting a flaw in the SMBv1 file-sharing service of Microsoft Windows. The flaw was present in supported versions of Windows as well as in versions that were beyond EOL, but for the EOL versions no fix existed when the outbreak began.
Typically, a company runs EOL software because it has a critical application that requires customized software that cannot run on a current operating system. This situation might force you to maintain an EOL version of Windows, for example, to run the software. In the case of WannaCry, EOL versions such as Windows XP and Windows 8 were exposed without a patch until Microsoft took the unusual step of issuing an emergency update for them after the outbreak was under way. Boards should be asking what risks we are taking by allowing management to continue running EOL software. Are there other options? Could we contract for the development of a new solution? If not, what measures have we taken to mitigate the risks presented by relying on EOL software?
Other times companies run EOL software because they do not want to pay for the new software or they expect an unacceptable level of operational friction during the transition from the old version to the new. Particularly in a large, complex environment, the cross-platform dependencies can be difficult to understand and predict. Again, it is a risk assessment. What is the risk of running the outdated software, particularly when it supports a critical business function? If the solution is perceived as unaffordable, how does the cost of a new solution compare to the cost of a breach? Directors should also ask where we are running EOL software and why.
Patching. Software companies regularly release updates to their software called patches. Patches address performance issues, fix software bugs, add functionality, and eliminate security vulnerabilities. At any one time, even a mid-sized company could have a backlog of hundreds of patches that have not been applied. This backlog develops for a variety of reasons, but the central one is that information technology staff are concerned that applying a patch may “break” some process or software integration and impact the business. This is a valid concern.
In the case of WannaCry, Microsoft issued a patch (security bulletin MS17-010) in March 2017 that closed the SMBv1 vulnerability the malware used to spread. Two months later, hundreds of thousands of machines remained unpatched and were successfully compromised.
Directors should ask for a high-level description of the risk management framework applied to the patching process. Do we treat critical patches differently than we treat lower-grade patches? Have we identified the software that supports critical business processes, and do we apply a shorter time standard for patching there? If a patch will close a critical security vulnerability but may also disrupt a strategic business function, are leaders at the appropriate level of the business planning to manage the disruption while also securing the enterprise? Have we invested in solutions that expedite the patching process so that we can patch as efficiently as possible?
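The EOL and patching questions above become answerable only when management can produce them from an asset inventory. As an added example, not part of the original post, the following Python sketch does that over a constructed inventory dated to the week WannaCry appeared: it flags hosts whose operating system is past the vendor's published end-of-support date (no fix exists for them, so patching SLAs do not apply) and, for supported hosts, measures how far each missing patch is past a risk-tiered deadline. The EOL dates are Microsoft's published ones and MS17-010 is the real March 2017 bulletin; the SLA windows, host names and roles are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Microsoft's published end-of-support dates. None = still supported on the
# report date used below.
EOL_DATES = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 8": date(2016, 1, 12),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": None,
}

# Days allowed between a patch's release and its installation, keyed by the
# business criticality of the host. Assumed values for this example; a real
# programme sets them in its own risk framework.
SLA_DAYS = {"critical": 14, "standard": 30, "low": 90}


@dataclass(frozen=True)
class Patch:
    name: str
    released: date


@dataclass
class Host:
    name: str
    os: str
    criticality: str      # key into SLA_DAYS
    missing: tuple = ()   # patches the host has not yet installed


def is_eol(host: Host, as_of: date) -> bool:
    """True if the vendor no longer supported this host's OS on as_of."""
    eol = EOL_DATES.get(host.os)
    return eol is not None and eol <= as_of


def assess(hosts, as_of: date) -> dict:
    """Bucket the inventory into EOL hosts, overdue patches, and patches still within SLA."""
    report = {"eol_hosts": [], "overdue": [], "within_sla": []}
    for h in hosts:
        if is_eol(h, as_of):
            # No vendor fix exists: the only options are compensating
            # controls (isolation, replacement), so report separately.
            report["eol_hosts"].append(h.name)
            continue
        for p in h.missing:
            age = (as_of - p.released).days
            allowed = SLA_DAYS[h.criticality]
            if age > allowed:
                report["overdue"].append(
                    {"host": h.name, "patch": p.name, "days_overdue": age - allowed}
                )
            else:
                report["within_sla"].append({"host": h.name, "patch": p.name})
    report["overdue"].sort(key=lambda r: r["days_overdue"], reverse=True)
    return report


# Constructed inventory; the host names and roles are made up.
MS17_010 = Patch("MS17-010", date(2017, 3, 14))
INVENTORY = [
    Host("mri-console-01", "Windows XP", "critical", (MS17_010,)),
    Host("hr-file-01", "Windows 7", "standard", (MS17_010,)),
    Host("cash-register-07", "Windows 7", "low", (MS17_010,)),
    Host("web-01", "Windows 10", "critical", ()),
]


def wannacry_report() -> dict:
    """Run the assessment as of 12 May 2017, the day the outbreak began."""
    return assess(INVENTORY, date(2017, 5, 12))


if __name__ == "__main__":
    r = wannacry_report()
    print("EOL, no vendor fix available:", r["eol_hosts"])
    for o in r["overdue"]:
        print(f"OVERDUE  {o['host']}: {o['patch']} is {o['days_overdue']} days past SLA")
    for w in r["within_sla"]:
        print(f"in SLA   {w['host']}: {w['patch']}")
```

On this inventory the XP-based imaging console lands in the EOL bucket regardless of SLA, the standard-tier file server is 29 days past its 30-day window for MS17-010, and the low-tier register is still inside its 90-day window. That last result is the point worth putting in front of a board: a host can be "compliant" with the patching policy and still be an open door for a worm, which is why the window for a critical, wormable flaw has to be set by the flaw, not only by the host's tier.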
Disaster Recovery. It is considered a disaster when your company ceases to execute core business functions because of a cyberattack. In the case of WannaCry, many businesses, including essential medical facilities in the United Kingdom, could not function. WannaCry was a potent example of how a cyberattack, which is an abstract concept for many business leaders, can have devastating impact in the physical world.
One aspect of disaster recovery is how quickly a company can recover data that has been encrypted or destroyed. Directors should have a strategic view of the data backup and recovery process. Have we identified the critical data that must be backed up? Have we determined how much recent data we can afford to lose (the recovery point objective) and how quickly we need to be running on the backup (the recovery time objective)? Have we tested ourselves to prove that we could successfully pivot to the backup? What business impact is likely to occur?
The hospitals impacted by WannaCry present another angle of the disaster recovery scenario. For these hospitals, the disaster wasn’t limited to the loss of data. Most medical devices in use today interface with a computer for command and control of that device. During this attack, those command and control computers were rendered inoperative when the ransomware encrypted the software that allows the control computer to issue commands to the connected device. In many cases there is no way to revert to “manual” control. This scenario is particularly troubling given the potential to cause bodily harm.
It is easy to see a similar attack in a manufacturing plant where a control unit could be disabled bringing an assembly line to a halt. And it is not hard to imagine a threat to life and limb in a scenario where we rely on computer control to maintain temperatures and pressures at a safe level in a nuclear power plant.
Directors should ask about the process to recover control of critical assets. Can we activate backup systems that were not connected to the network at the time of the attack? If we bring the backup system on line, how do we know it will not be infected by the same malware? Have the appropriate departments practiced recovery process scenarios? What was the level of business disruption? Does everyone in the company know his or her role in getting critical operations back up and running?
Directors provide oversight of the risk management process—they do not execute the process. Understanding how the company is managing risk around EOL software, patching, and disaster recovery sets the right tone at the top and ensures that the company is better prepared for the inevitable next round of attacks.
Major General (Retired) Brett Williams is a co-founder of IronNet Cybersecurity and the former Director of Operations at U.S. Cyber Command. He is an NACD Board Governance Fellow and faculty member with NACD’s Board Advisory Services where he conducts in-depth cyber-risk oversight seminars for member boards. Brett is also a noted keynote speaker on a variety of cyber related topics.
If power and cellular phone service to your plant were inoperable because of a devastating hurricane, how would you reach employees to confirm their safety first, and then address the status of the facility? If your company handled classified projects and a building’s power grid failed in a natural disaster, how long would backup generators work before being refueled by trucks that might not have an easy route to the building? What if the building’s doors were unlocked after the back-up locks failed—could the classified work within the facility be compromised?
These real-life stories, shared at the April program of the NACD Carolinas Chapter, illustrate the unpredictable nature of crises. How can companies prepare for the unknown, and what role does the board play in oversight and direct response in the event of a crisis?
James H. Hance, director for The Carlyle Group, Cousins Properties, Acuity Brands, and Ford Motor Co. (and a former director of Sprint Nextel Corp., Bank of America, and Morgan Stanley), and Linda P. Hudson, chair and CEO of The Cardea Group, and director of Bank of America, Southern Company, and Ingersoll Rand, shared their experiences and advice on crisis management. They were joined by Deloitte’s Henry Phillips and Theresa Drew, who moderated the conversation.
Lessons learned from real-world crises and how the boards of their companies responded follow.
1. Establish and understand what amounts to a crisis.
“As a director, you know the company will have a crisis,” said Hance. “But what will that crisis be and how do you prepare?” He defined a crisis as an immediate problem that “requires the CEO of the company to be involved.”
Further, the initial measure of a company’s successful response tends to be tied to how early the crisis is identified. Social media may lead to the whole world knowing about the crisis very quickly, so the company must be agile enough to respond very quickly in kind.
2. Prepare for the known, but expect the unknown.
According to Hudson, if your company hasn’t thought through the possible risks involved in crisis scenarios, then the company likely will fail in its response. However, even if risks have been evaluated, there “isn’t a high probability the crisis that happens will be what was originally identified.” Hance added that those companies with a robust enterprise risk management function will likely be more prepared for a crisis, whatever it might be.
During her time as CEO at BAE Systems, Hudson deployed playbooks that addressed key crisis management questions. Some of the most critical items included in those playbooks follow.
Who will identify the situation as a crisis?
Who is on the team that is pulled together to respond to a crisis?
What is the escalation protocol?
Who calls whom (e.g., customers, regulators, and other stakeholders)?
Who will be the public face of the company?
3. Board oversight is critical.
“The board must be in the escalation cycle in a crisis management plan,” said Hudson. Hance agreed. He also added that the board should exercise policy oversight. Hance pointed to a recent story in the news. A board would not, for example, look at how passengers are removed from planes. However, it would review the airline’s policy for bumping passengers, as well as the company’s culture, and make suggestions to management based on those considerations.
Phillips also emphasized the role of the lead independent director given that a crisis can be very emotional for board members closer to the company. The lead independent director can act as a source of calm leadership through a crisis. In addition, Hance emphasized, “The CEO needs to have a sounding board, and this group of people should be identified and set up ahead of time.”
4. Learn from each crisis and study your competitor’s crises to help prepare for your own.
Each crisis—whether one of your own or one happening at a competitor’s company—is an opportunity to learn. For example, panelists pointed out how well the CEO of General Motors Co. handled the ignition switch crisis, and called out the genuine connection the company made with affected people. Hance concurred and noted that other car companies were watching and learning. He also shared how Ford changed some of its processes after Toyota Motor Corp.’s crisis over sticking accelerators.
Unexpected events like 9/11 and Hurricane Katrina taught companies valuable lessons. For example, many New York banks routed electronic traffic through networks at the World Trade Center. When those networks went down, so did the banks’ ability to do business, according to Hance. Similarly, Hudson shared that after Hurricane Katrina made landfall on the Gulf Coast in 2005, landlines and cell phones alike stopped functioning. Now the company has satellite phones in each of its locations, enabling seamless communications in the event of a communications-disrupting crisis.
5. Use outside help judiciously.
Phillips noted the importance, depending on the industry, of ensuring that the company has the right connections to important officials in the event of a crisis. For example, does the company have an established contact at the Federal Bureau of Investigation in case of a cyberattack?
The panel agreed that, while legal help can be critical, it is also important to be open and honest, resisting any advice to keep silent during the crisis. Liability will follow, regardless. When asked about involving public relations firms, Hudson shared that each company “should tell its own story.” Doing so can be more authentic.
6. Always do the right thing.
The panelists agreed that the best defense in a crisis is to be sure the company directly addresses the personal needs of those impacted—whether they’re employees or members of the community. After Katrina, Hudson’s company assisted employees in Mississippi who had no access to banks by meeting their need for cash through the recovery period. The company never asked for that cash back.
Hance noted that the board is likely to be criticized in a crisis regardless of whether the proper oversight was exercised. So, as a company, the best approach is to identify what feels like the correct response for each event, and simply to “do the right thing.”
NACD Carolinas would like to thank the panelists for sharing their experiences with attendees and Deloitte for its support of the program.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.