Effective Communication Critical to Success for the Columbus Collaboratory

Jeff Schmidt

VP, Chief Cyber Security Innovator

Columbus Collaboratory

Moderator

Bryan Kaiser

Founder and President

Vernovis

To listen to the podcast, click here!

Chief Cyber Security Innovator for Columbus Collaboratory, Jeff Schmidt, discusses the changing roles of CIOs and CISOs and effectively communicating in business terms to non-technical management.

Hello, and welcome to the ComSpark podcast, where you will get to meet today's technology thought leaders. To learn more, visit comspark.tech.

BK: Alright, we are here today with Jeff Schmidt, who is the VP and Chief Cybersecurity Innovator at the Columbus Collaboratory. The Columbus Collaboratory is an organization, uh, innovating in the data science and security space and also the talent related to those two areas. My name is Bryan Kaiser. I'm the President and Founder of Vernovis, also part of the executive committee at ComSpark. I'm the guest moderator today. So let's get started. Thanks for being here, Jeff.

JS: Thank you for having me.

BK: So, my first question, how have you seen the CISO role change over the years?

JS: Yes, the role of Chief Information Security Officer, what began about 15 years or so ago, and it was largely a technical role within IT organizations – it was an IT person that was interested in security, might've had some knowledge about very specialty security products at the time, think firewalls, antivirus, etc. And, and it was predominantly a technical position over the last particularly five years or so. We've seen An elevation of the CISO role to much more of a business and risk focused role. The CISO is being asked to present to executive management, present to the board, provide a much, much more language and much more color about the organization from a business and from a risk perspective as opposed to merely a technical perspective. And I think that's a good and healthy sign for our industry, is security is becoming much more about risk and much more about business functions and understanding tradeoffs than the bits and bytes of operating a firewall or an IDS.

BK: So, you're saying that cyber security is no longer a technological issue. It is a business issue.

JS: Correct. In the same way that IT is a business issue, you know, as much as it's a technical issue. There are certainly technical aspects of security, but good CISOs can effectively communicate in business terms to non-technical management, particularly boards. Most boards now have some sort of a cyber risk oversight function. The board training organizations, NACD and others have been advocating cyber smarts, if you will, or cyber awareness for board members, cyber oversight, cyber governance for the last couple of years and CISOs that are effective are able to participate in contributing those communications.

BK: So, in your opinion, what is the most exciting disruptive technology that you're seeing in our work or personal lives?

JS: Sure. So I like, you know, I've always said a security is a young science and really the science of information security is starting to grow up and mature. It is very healthy that we're seeing, you know, increased business discussions about a security and all the areas that I just mentioned, but also increased tooling. From a risk frameworks to, you know, individual  products and services to things like the NIST cybersecurity framework. Very exciting and they show a maturation of our space and I think that, you know, as somebody that's been doing this for 20 years, it is very exciting to see, you know, information security growing up a little bit and, and being, you know, at the board level being discussed in corporate governance. It's very exciting.

BK: So, Jeff, there is much in the news these days about companies being hacked, critical data being stolen. How worried should we be?

JS: Right? So, you know, that's a complicated question. Naturally, the reality is we all need to take information security seriously. Data is extremely valuable. It's certainly getting more valuable, not less. We're certainly creating more data per unit time than we were, you know, a month ago, a year ago or a decade ago. And that data is very valuable. So we do need to consider security. Absolutely. We also need to have though a healthy understanding of the adversary, of who wants to breach our security and why many folks, particularly small and medium sized businesses feel like they're not a target. You know, why would somebody be interested in me? I'm just a small Midwest, you know, fill in the blank. A very large Dutch shipping company, had that opinion up until about this time last year. And the reality is, most information security events are a crime of opportunity. They’re, uh, mugging somebody, can either find a way to monetize some data or find a way to disrupt operations  in a way that is either intended or unintended.

So, you know, the question is, should we be concerned? The answer is yes, absolutely. If you run an operation, you should certainly be thinking about information security. Does that mean that you need to worry about, you know, state sponsored actors from Russia and China hacking your, you know, Midwest bolt manufacture? No, probably not, but you do need to worry about, you know, what's the impact of a ransomware or, you know, a cryptographic malware sort of an issue to my business. By the way. What's the impact of a laptop that’s stolen and somebody's car that happens to have sensitive data on it because that's very likely. That happens a lot. You know, in Chicago, we get two or 300 cell phones a month left in car, in cabs, taxi cabs. There's a pretty sophisticated market to extract data from those and monetize them. So, you know, those are very likely scenarios that you should be thinking about, that you should be making sure that you have some protections against.

BK: So you've been in this space for quite a long time. Longer than most.

JS:  Yes. I like to say since before it was cool.

BK: That's right. Yeah. And now it’s cool. Now security school. Yeah. So what, what keeps you up at night? What's your biggest concern in this area?

JS: So, the things that I worry about are the consolidation of risk. We have seen an increase in homo geniality, if you will, of software of service providers, of cloud providers in our space. And while  the homogeneous nature tends to have positive impacts for business, it tends to reduce cost, it tends to increase compatibility, all of that sort of goodness. It also tends to make a security events more serious and happen more quickly. There was a very good study by Lloyds of London about a year and a half ago where they talked about the possibilities of some major shared service breaches, things like a hypervisor and a major cloud platform or a hypervisor that affects multiple cloud platforms and, you know, things like that have the ability to propagate very, very quickly because there's not a lot of diversity in our space and so you have a core vulnerability and an operating system and a technology, you know, things like Spectre or Meltdown last year, which were core vulnerabilities in physical hardware. Those become very difficult for, for the space to respond to effectively.

The other thing that I worry about is, we are increasingly deploying stuff all over the place. Everything has software in it nowadays. And we don't often think about the ability to timely patch that software. So, one of the most important security mechanisms that we have is the ability for windows and mac OS and IOS and things like that to patch themselves when vulnerabilities are found and they will be found, but you know, when's the last time you updated the firmware on your router at home, your home router? When's the last time you updated the firmware on your refrigerator or your car? Or all of these other things that have a whole bunch of embedded software in them. And then that set of problems is just getting worse as we start to think about, you know, embedding firmware in traffic control systems and other, you know, smart platforms. So I really encouraged the people that are in the provisioning cycles there to think about patch ability and, and seen and rapid patch ability in the event that there is a security issue.

BK: Well, this is interesting that all, you know, all these said stuff, there's all these things that are starting to be connected to the internet. Refrigerators, televisions, you name it. I mean, it's connected in some way. And you made me think about, you know, the recommendation of changing your smoke detector battery every six months, right? That's a recommendation. And, and having a carbon monoxide detector in your house. So what is recommended here with these firmware updates? And how do you even do it?  I mean, I don't know a lot of my friends that are updating their firmware on the refrigerators all the time.

JS: Yeah, no, it's a great point. And the reality is it's a failure of a people in my field to require human beings to go through obtuse firmware updates. They just won't do it, you know  and we saw this with Microsoft windows update, so, you know, windows has been updatable since the beginning of time since windows three, one Microsoft patched or a release patches on their website, but you had to manually go and download it and apply it and things. And what Microsoft found was that nobody did that. A very small number of people actually did that. And the  Columbia and New York cyber crime task force released a paper last year that, among other things, one of the brilliant insights in that paper was they ran around and asked a bunch of, you know, old time security people like me, what the biggest innovations were that have had a positive impact in security in the last decade or so.

And the number one by far, comment was the ability of Microsoft operating systems to auto patch to have a self-patching, because for that very reason human beings don't do it. And so I would encourage anybody that has engineering stuff out there, be it video cameras, door locks, environmental systems, smoke detectors, home routers, refrigerators, automobiles, requiring human being to go and do an updating cycle is not a winning strategy. These devices have to take care of themselves. And when they do take care of themselves,  they'll get patched. By the way, that becomes really interesting when you start to think about things like automobiles and medical devices that have, you know, difficult a surface cycles for updating,  but also have, you know, a true life safety implications. Do you update the firmware in your insulin pump, or how do you update the firmware and your implantable medical device?

BK: Wow, I feel like we could unpack this for hours and wish we had enough time to do that, but we do have to wrap up today. Thank you for your time today, Jeff. This is Bryan Kaiser with Vernovis, Jeff Schmidt with the Columbus Collaboratory. To learn more about us, please visit comspark.tech and we’ll talk to you soon.

JS: Thank you very much!

BK: Thanks, Jeff.