SI Cyber Blog

Cyber Risk (No, Not What You Think)


At SPECINV and SI Cyber—our two professional services business units—we typically manage a full case load and cyber engagement schedule internationally . . . from here in Washington to the European Union to Central and South America, South and East Asia, Africa, and the Middle East.  We’ve been dealing with fraud, foreign corruption, intelligence, government and corporate malfeasance, C-level officers hiding material information in their backgrounds, securities fraud in genteel horse country and big-city real estate, and municipalities concerned with civil rights.  We’ve also experienced a phenomenal increase in sexual harassment #MeToo investigations reporting to boardrooms since 2017, and definitely in our government contracting practice.

As we continue our investigative operations, we regularly share information that is relevant to you and to your bottom line.

On the “investigative side” of our business, we know from client feedback that you like to hear about our cases and our perspective of the investigative ecosystem we inhabit—finance, corporate leadership, fraud, financial services, legal dispute resolution, and information security systems.

Like a new view of a forefront risk you may not yet have considered.

Cyber risk.

Please, you’re now thinking.  That’s all we hear about any more . . . every day, at every level of institutional life, from every advisor, and especially from our lawyers and risk managers.  The prefix cyber is at that point in public consciousness where its very mention triggers a reflexive response: eye roll.

You don’t even want to read any further in this post because you already know the drill.

You’re saturated, sick and tired of hearing about cyberspace, cyberculture, cyberactivism, cyberdefenses, cyberattacks, cybercrime, cyberforensics, cyberconflict, cyberintelligence, cyberpolitics, cyber Monday, cyber-blah-blah-blah.

Not so fast.  Stay with us.  Please.

There’s a particularly nuanced dimension of cyber risk that we believe most firms, even those with robust information technology infrastructures and chief information officers (CIOs), haven’t considered—one that we’ve recently encountered across several of our SI Cyber engagements and clients.

We’ve perceived that companies of all sizes are being effectively defrauded by their internal and retained cybersecurity experts and by Managed Security Service Providers (MSSPs).

Companies, especially firms that are deeply dependent on information technology, are being sold a sense of IT security where it doesn’t actually exist.

Simply stated, that’s because there are decision makers and line managers responsible for cybersecurity who are not sufficiently capable of evaluating whether that expensive cybersecurity expert is making systems more secure . . . or whether he’s simply a great salesman who knows more than you do.

This analysis is a fundamental part of our SI Cyber risk management engagement.

Our SI partners have chaired the boards of directors of information technology companies . . . and they have that cynicism gene essential to real security and effective board-level risk management.

We’ve even encountered a number of CIOs whom we see as being, well . . . unsteady . . . with respect to information technology threats.  But these guys (they are always guys) invariably express a high degree of cybersecurity confidence—board-assuring confidence—that they project with swagger to management and the executive suite.

Combine that understandable psychodynamic with retained cybersecurity experts whose principal motivations are profit margin and reselling their consulting engagement, and the problem becomes apparent.  It’s also a problem that’s not easily discernible by non-experts.  The challenge is something like managing your outside auditors—except that most line managers know technical finance and speak the language of accounting . . . but very few know the risk dimensions of cybersecurity.

So we’ve written this eight-part checklist for determining whether your cybersecurity expert or MSSP is selling you a bill of goods.

Uncheckable Exotic Credentials.  There are a few lines we hear all the time, in various iterations.  (These are all actual quotes.)  “He worked for the NSA.”  “We aren’t authorized to talk about our other clients, but let’s just say they’re three-letter agencies.  The community, you know.”  “He’s brilliant—there are only nine people in the entire world with his level of computer understanding.”  And our favorite, with multiple variants: “This is Israeli security.”  A credential that cannot be checked is not a credential; it is a sales line.  When we hear outrageous marketing lines, we are quick to call their bluff.  Because we can.  And because we know how and where to go to check them out.

Withholding Proprietary Methods.  Every professional services firm employs proprietary methods.  We have more than a few of our own that we use in SI investigations and cyber engagements, following international money trails, and busting fraud.  But when you, as a fiduciary of a business, are being asked to accept a confidential and proprietary process, program, or system and integrate it into your IT security, you absolutely need and deserve to know the full technical extent of what the system does and how it accomplishes its task: what it inspects, what it blocks, what data it sends out of your network, and what happens when it fails.  If nobody on your side can answer those questions, nobody on your side can assess the risk it adds, and neither can your auditors.  The danger to you is that a proprietary system could very well require additional cost and IT architecture complexity to support what should be your bulwark against intrusion.  At SPECINV or SI Cyber, when we use a proprietary technique, we make it a point to explain to our client exactly what we’re doing, why it’s necessary, and what it’s going to cost.  If your cybersecurity people do anything other than that, you’re being had.  Not served.

C-Creep.  We’ve been seeing more and more people with “C-something” tacked on behind their names, often on a business card or in the banner of a LinkedIn profile.  We trust computer security personnel with the CISSP designation—Certified Information Systems Security Professional, from the International Information System Security Certification Consortium, (ISC)²—not least because it is one you can verify with (ISC)² directly rather than taking the business card’s word for it.  We trust even more high quality university education and relevant experience that we can independently verify.  But there are literally dozens of “C” certifications that “cyber” personnel use . . . as marketing tools and especially as credentialization.  Most of them, in our recent experience, are fairly specious.  It’s the individual who matters.  That’s where we begin.

Way Out on the Jargon-Cost Continuum.  This one’s simple: The more jargon you hear, the greater risk you’re taking with a cybersecurity expert.  The best can always explain what they do—including those proprietary methods—in clear, concise, respectful, managerially-sensitive and cost-knowledgeable English sentences.

Never Been to Black Hat.  It’s a question that has a yes or no answer: “Have you been to Black Hat?”  Short version: You want the guy who goes to Black Hat and who knows many others who do, because that is where the people who actually break things compare notes.  Vegas, baby.

Reluctance to Permit a New Background Check.  We re-background IT personnel regularly, especially those working in the financial services industry or with commercial banking clients, wealth advisors, and SEC-registered investment advisers (RIAs).  If the cybersecurity expert or the company employing the expert declines to let you background him . . . including his personal finances . . . then why would you ever give him access to your most valuable systems and security procedures?  “But he’s already had a background check,” we hear in response.  “He’s got a security clearance” is another.  We never rely on background checks from the big private agencies . . . and we’ve found felons with security clearances.  Remember, a felony conviction and incarceration are not necessarily disqualifying for a US Government security clearance—it all depends.  And remember also, supervisors with US Government clearance-granting authority signed off on Chelsea Manning, Edward Snowden, and Reality Winner.  Our SI Cyber engagements, especially where IT security is concerned, always include and budget for a real background check.  The kind we do.

Reluctance to Permit White Hat Hacking.  When we hear how impenetrably secure a cybersecurity firm has made your company, we ask for written permission to test the provider’s own security—vulnerability-assessing and pen testing the testers.  The people we know and use and respect just say “Sure.  Go ahead.  We’re good.”  And they smile.  The guys who take offense?  Again, you don’t want them anywhere near your systems . . . and your financial data.

Weak Knowledge of the Political Cases.  It’s the 2020s now, and as for the 2010s . . . uh, good riddance . . . the Russian government-directed hacking of the 2016 US presidential election campaign, which certainly carried over into the 2020 election, is the most important computer security issue worldwide—a process we predict is now here to stay in American politics.  Can your cybersecurity expert explain to you how, specifically, technically, simply, each step of Russian political intrusion is accomplished?  Or how these lessons apply to your company and the behavior of your people?  Here at SI—where we don’t do politics and have Democrats and Republicans who like and deeply respect each other—we’ve analyzed and carefully considered how the whole Russian intelligence perepleteniye (tangle) pulled off the 2016 election meddling: Cozy Bear, generally attributed to the SVR or FSB, on one side, and the GRU’s Fancy Bear, with its Guccifer 2.0 and DCLeaks personas, on the other.  When we made that intellectual excursion, we hatched the idea for this post.  We were very interested in how Hillary Clinton’s Campaign Chairman John Podesta’s Gmail account was compromised.  The message was a spoofed Google account-security alert carrying a shortened link to a credential-harvesting page.  That audacious hack was catalyzed when his 29-year-old cybersecurity expert, a guy named Charles Delavan, cavalierly authenticated that Russian-originated phishing e-mail as actually being from Google (“This is a legitimate email.”).  Mr. Podesta and Secretary Clinton certainly deserved better cybersecurity and mitigation of cyber risk.   So do you.
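As an added example (not code from this post, and not a description of how the Clinton campaign’s help desk actually operated), here is the kind of mechanical check an analyst should run before ever replying “This is a legitimate email.”  Both messages below are constructed for illustration; every address, domain, header value and link in them is invented.  The checks are the ones a Google-lookalike phish tends to fail: SPF/DKIM/DMARC results in the Authentication-Results header, envelope sender versus From domain, and whether the visible link text points where the link actually goes (including URL shorteners).  The domain comparison uses a crude two-label rule as a stand-in for the public suffix list.

```python
"""Triage checks for a 'Google security alert' e-mail before declaring it legitimate.

Added example. The two messages are constructed for illustration; every
address, domain, header value and link is invented.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phish: Google-themed alert, sender domain spoofed in From,
# DKIM absent, DMARC failing, shortened link whose visible text looks like Google.
PHISH_EMAIL = """\
Return-Path: <bounce@mail-security-alerts.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-security-alerts.example; dkim=none; dmarc=fail header.from=google.com
From: "Google" <no-reply@accounts.google.com>
To: target@example.org
Subject: Someone has your password
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Someone just used your password to try to sign in to your Google Account.</p>
<p><a href="http://bit.ly/example-short-link">https://myaccount.google.com/security</a></p>
<p>You should change your password immediately.</p>
</body></html>
"""

# Constructed benign counterpart: all authentication passes, link text and
# target agree, envelope sender and From share a domain.
LEGIT_EMAIL = """\
Return-Path: <bounce@accounts.google.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=accounts.google.com; dkim=pass header.d=accounts.google.com; dmarc=pass header.from=accounts.google.com
From: "Google" <no-reply@accounts.google.com>
To: target@example.org
Subject: Security alert
Content-Type: text/html; charset="utf-8"

<html><body>
<p>New sign-in to your account.</p>
<p><a href="https://myaccount.google.com/notifications">https://myaccount.google.com/notifications</a></p>
</body></html>
"""

# Shorteners hide the real destination; a real alert never needs one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def parse_auth_results(header):
    """Map spf/dkim/dmarc -> result string from an Authentication-Results header."""
    text = str(header or "")
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", text)
        results[mech] = m.group(1).lower() if m else "missing"
    return results


def domain_of(addr):
    """Domain part of an address header such as '"Google" <x@y.com>'."""
    _, email_addr = parseaddr(str(addr or ""))
    return email_addr.rpartition("@")[2].lower()


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


def registrable(host):
    """Crude two-label stand-in for a public-suffix lookup (assumption)."""
    return ".".join(host.split(".")[-2:])


def triage(raw):
    """Return a list of findings; an empty list means no red flags were seen."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Did the receiving MTA actually authenticate the sender?
    for mech, result in parse_auth_results(msg["Authentication-Results"]).items():
        if result != "pass":
            findings.append(f"{mech}={result}")

    # 2. Does the bounce address belong to the same organisation as the From?
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if rp_dom and registrable(rp_dom) != registrable(from_dom):
        findings.append(f"envelope sender {rp_dom} != From domain {from_dom}")

    # 3. Do the links go where they claim to go?
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        target = host_of(href)
        if target in SHORTENERS:
            findings.append(f"shortened link {target}")
        shown = host_of(text)
        if shown and registrable(shown) != registrable(target):
            findings.append(f"link text shows {shown} but goes to {target}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, triage(raw) or "no findings")
```

None of these checks requires special tooling; they are the questions a help desk can answer from the raw headers in under a minute, and any one failing finding is reason enough to tell the user not to click.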

We know cyber risk management, from the boardroom.  And we’re here to put that knowledge to work for your performance, profit, and market distinction.