Saturday, October 1, 2016

October is National Cyber Security Awareness Month and Robert Bigman, Former CISO of the United States CIA - under whose watch the Agency was never hacked – shares his thoughts with Lisa Bernard

 
I arrived in Arlington, Virginia, at News Channel 8 Studios to meet Robert "Bob" Bigman before he went on the air as Francis Rose’s guest on Government Matters. From the get-go, I sensed the “quiet celebrity” he enjoys among those in-the-know in Washington, D.C. He is the man who served for thirty years at the Central Intelligence Agency – most of the latter years as Chief Information Security Officer (CISO).  Simply put, he kept the CIA’s data secure.  Now, at a time when most Americans – private citizens and public officials – feel the threat or pain of being hacked, Bob's insights seem particularly pertinent and his achievements especially notable.  I was delighted that this down-to-earth professional – who for so long was under the radar – was graciously coming into the spotlight to share his sense of this with us.  What he conveyed was as inspiring as it was stirring.  His cheerful manner and serene demeanor bespoke a guarded “could-be-done” attitude about recovering the upper hand in the cyber security challenges we face – “guarded” being the operative word.  My takeaway was that we Americans can combat these threats provided 1) our resolve comes with calm, candor and clarity about the nature of the technologies and the humans who engage them and 2) that we have devoted leadership at the organizational and national levels.
LISA BERNARD: On one thing all cyber-security experts agree: human behavior and psychology loom large as key factors.  We are a nation of e-consumers, wed to convenience and beginning to integrate into the job force a generation raised on the efficiency of their smart phones.  Bob, what will it take - new technology or a crisis - to shift the pendulum from user-myopia to individual vigilance? 
 
LISA BERNARD: We are electing ourselves a new Commander-in-Chief next month and although it is now common knowledge that the software we use is outdated - even in our nuclear missile systems -  we hear little about this from the candidates. Just how outdated is government software and why are antiquated systems still in use? 
 
LISA BERNARD: Many of my followers are CISOs themselves or CEOs who rely on them.  With the proliferation of mobile devices and the trend toward super-computing what advice can you give them?
 
 
LISA BERNARD:  If our next POTUS appointed you "Tsar of Cyber Security," with all the resources you would need to set our nation on a modern and safe course, what would be your first priority?
 
 
LISA BERNARD: Since leaving government service, as a consultant, you have been moving the dial, persuading firms to move toward more managed and isolated networks. In the private sector, where the internet is like oxygen, how are you doing this?
 
ROBERT BIGMAN: The really bad news is that even if you wanted to stay disconnected, increasingly, technology and the evolution of your world will connect you. The marketplace has already determined that you're going to stay connected to the internet. So what can you do? Start with your biggest risk - which is how you and your devices - computers, mobile devices, smart phones - actually connect to the internet. Know that to ameliorate this risk, you simply can't any longer rely on commercial capabilities like firewalls, modems and router protection and control lists. There's a collection of simple things you can do. First, I recommend that you NOT use commercial applications like Windows or Adobe. Instead, use an alternative operating system like Ubuntu, and Opera as a browser.
 
 
LISA BERNARD: What products are now available to make this "shift" possible and attractive in a culture that is hyper-connected?
 
ROBERT BIGMAN: There are probably very few products that I would recommend where you can say that if you buy this product you can secure your data completely and you don’t have to worry any more. In fact, there are no products like that, despite what vendors will tell you. What I find is the biggest problem is that organizations simply don’t understand the risks to their systems, their networks, and their data, and too often – as a result of attending the RSA conference, the Black Hat conference, the DefCon conference – they fall into the trap of using technology to solve very complex problems that require addressing people issues, process issues, policy issues and, yes, some technology issues. But trying to address them with just technology is the number one mistake. And I know the vendors don’t want you to hear that message, but the fact is that unless you have a cyber-security program that has as its component parts governance, IT management, public policies and processes, no matter how much technology you buy, you’ll still get beat. And every event, every incident I’ve been involved in where we’ve investigated – unauthorized access, penetration, hacking, unauthorized use of data – all involved process and policy violations as much as they involved misuse or improper technology.
###
 
Bob Bigman is available for briefings, talks and workshops via Lisa Bernard's SecuritySpeak, LLC. See his bio at www.SecuritySpeak.net.  To discuss the particulars of hosting him, phone (203) 293-4741 or email LisaBernard@SecuritySpeak.net.