If I Knew Then: Kimberly Baker, SVP and GM Public Sector, RedSeal

Crain’s Washington DC | October 25, 2017

The mistake I made involved who to seek professional guidance from.

Early in my career I was working for AT&T. As a young woman in the telecommunications industry I was feeling like I was working very hard in my sales position and I was doing the things that were part of my job description, but I wasn’t getting the kind of coaching and direction that I felt I needed to adjust course along the way.

The Enemy Within

Security Advisor ME | October 2017

While most businesses are focused on preventing and mitigating external threats, there is often a greater danger their security teams need to worry about closer to home — insider threats. Contrary to popular belief, breaches don’t just occur at the hands of disgruntled employees; they are also caused unintentionally by non-malicious employees acting out of ignorance.

Searching for the Unknown

Security Advisor ME | October 2017

In the Paleolithic age humans subsisted by hunting and gathering. Living in the wilderness, they were exposed to a number of predators, and hunting increased their chances of survival. They had to learn how animals behaved and develop tools and tracking methods to eliminate these threats.

Pursuing today’s cyber threats is much like hunting during the prehistoric age, in that we have to gather and hunt to survive.

Top Security Tools, 2017: How Cutting-Edge Products Fare Against the Latest Threats

CSO and IT News | October 20, 2017

Threats are constantly evolving and, just like everything else, tend to follow certain trends. Whenever a new type of threat is especially successful or profitable, many others of the same type will inevitably follow. The best defenses need to mirror those trends so users get the most robust protection against the newest wave of threats. Along those lines, Gartner has identified the most important categories in cybersecurity technology for the immediate future.

We wanted to dive into the newest cybersecurity products and services from those hot categories that Gartner identified, reviewing some of the most innovative and useful from each group.

This Essential Job Role Will Go Unfilled at Millions of Companies. But, There’s an Immediate Solution for Your Business.

Entrepreneur Magazine | October 16, 2017

RedSeal CEO Ray Rothrock tells Entrepreneur Magazine that business leaders have little to no rational hope of recruiting or training between 1.8 million and 3.5 million cybersecurity personnel ASAP. So, it is time to rethink the crisis.

Evolving Ways to Train the Channel

Intelligent Tech Channels | October 9, 2017 | Page 51

In this month’s issue of Intelligent Tech Channels, RedSeal Global Channel Program Director Kimason Brown writes about moving to online training modules in order to keep partners properly trained during a fast-moving time in cybersecurity with competing demands from other vendors.

RedSeal CEO Joins Cheddar TV to Talk Equifax Breach, “Bad Governance”

Cheddar | October 3, 2017

With Ray Rothrock, RedSeal Chief Executive Officer

RedSeal CEO Ray Rothrock joined Cheddar TV this morning to discuss the Equifax data breach, the response from retiring CEO Richard Smith, and how this was ultimately a “case of bad, bad governance.”

Fishing for Trouble in a Smart Fish Tank

Computer Business Review | October 3, 2017

By Dr. Mike Lloyd, RedSeal CTO

More Internet of Things (IoT) means more security risk, says RedSeal Chief Technology Officer Mike Lloyd – but by gaining a better understanding of how your network works and where key vulnerabilities lie, you’ll be able to implement effective segmentation and reap all the benefits of IoT without succumbing to data loss or damaging outages.

What Equifax Tells Us About Cybersecurity

By Richard A. Clarke

This month it is Equifax. Previously it was Yahoo, and before that Target. Each new breach seems to set a new record for how much personally identifiable information has been compromised. It is easy to get inured to these news stories, especially since the media generally does not draw any lessons from them. Many people come away thinking that data breaches are just something we have to accept. But do we? What are we to take away from these recurring stories about huge hacks?

I have been working on cybersecurity for two decades now, initially from the White House and now in the private sector. Here is what I think should be our reaction to the Equifax story and similar breaches.

First, it is not impossible to secure major networks. Some companies and government agencies have quietly achieved sufficiently secure networks that they do not experience major data losses. It is, however, not easy to achieve.

Second, the essential ingredient in securing a network is not software or hardware. It is people – trained and skilled people. This country has an extreme shortage of such personnel. Despite the good salaries available in cybersecurity, there is a mismatch between what colleges are producing and what is needed. Colleges are simply under-producing cybersecurity graduates. There are hundreds of thousands of vacant jobs, and even more positions that are being filled by under-qualified staff.

Most colleges produce computer science majors or have graduate programs; however, they do not require education in cybersecurity as a condition for obtaining those degrees. Although it is sometimes derided by computer science faculty as too much like a “trade” and insufficiently academic, the truth is that cybersecurity is more difficult than basic computer science. Cybersecurity skills are built on top of knowledge of computer science.

In the absence of a focused and funded national initiative to significantly increase the number of cybersecurity trained graduates, corporations and government agencies will continue to fail at securing sensitive data.

Third, securing networks is expensive. Most companies spend only 3-5 percent of their information technology budget on security. These are the companies that get hacked. Most corporations have never properly priced the cost of cybersecurity into their overall cost of doing business. There is a popular misconception in the business world about what it costs to run a major network. The original cost of securing a network was relatively low in the 1990s, when most companies began building out their information technology infrastructure. The threat environment was significantly more benign then than it is now. Moreover, the security products available in the 1990s were limited to relatively inexpensive anti-virus, firewalls, and intrusion detection/prevention systems.

Today’s large networks require encryption, network discovery, threat hunting, data loss prevention, multifactor authentication, micro-segmentation, continuous monitoring, endpoint protection, intelligence reporting, and machine learning to detect and prioritize anomaly alarms. Corporations can no longer accurately be described in categories such as airlines, banks, or hospitals. They are all more accurately thought of as computer network companies that deal in aircraft, money management, or patients. If your company cannot do its business when your network goes down, then you are first and foremost an information technology company, one that specializes in whatever it is you do.

Fourth, because almost every American has now had their personally identifiable data stolen in one of these breaches, it should no longer be acceptable to use (or request) social security numbers, dates of birth, mother’s maiden names, and other publicly available identifiers to authenticate a user. Stop using them. Alliances of corporations should develop other, more advanced forms of identification that they would all use. In the jargon of the tech world, what we need is federated (employed by more than one company) multi-factor authentication. Even the government could use one or more such systems, but if the government creates it there will be push-back from those fearing government abuse of civil liberties.

Finally, many companies, and the executives in them, will continue to mismanage corporate cybersecurity and divulge sensitive data in the absence of significant penalties for failure. Today, even CEOs who are dismissed because of data breaches walk away with eye-watering bonuses and severance packages. They do not suffer personally for their failure as managers.

Former White House cybersecurity official Rob Knake has observed that oil companies only got serious about oil spill prevention when they began to be fined based on the number of gallons that they spilled. He suggests that we hit companies that lose personally identifiable data with a heavy penalty for each bit of data compromised. In addition, companies should be required by federal law (not by the existing hodge-podge of conflicting state laws) to notify the government and individuals promptly when data has been compromised.

In sum, major cyber breaches do not have to be a regularly occurring phenomenon. They can be significantly reduced if we as a nation have a program to produce many more trained cybersecurity professionals, if corporations appropriately price in the cost of security, and if there are real financial consequences for companies that spill personal data into the hands of criminals and hostile nations.

Richard A. Clarke was Special Advisor to the President for Cybersecurity in the George W. Bush Administration and is the author of eight books including CYBER WAR.