Harvard Business School: Alumni and Faculty Books

Harvard Business School | June 2018

Digital Resilience: Is Your Company Ready for the Next Cyber Threat?
by Ray Rothrock (MBA 1988)

Amacom:
Rothrock lays bare tactics used by hackers, vulnerabilities lurking in networks, and strategies not just for surviving attacks but also for thriving even while under assault. This book helps businesses understand the threats they face, assess the resilience of their networks against attacks, identify and address weaknesses, and respond to data theft swiftly and effectively.

The Future of Cyber Security, with Ray Rothrock

Dive With Data Podcast | July 26, 2018

With Ray Rothrock, RedSeal CEO

Asha Saxena explores cyber security and the future of Big Data with venture capitalist Ray Rothrock.

In this episode, we’ll talk about how Big Data is impacting cyber security and how businesses can overcome the common challenges associated with Big Data, from keeping sensitive information to finding the right talent to process and analyze the data. Without a doubt, Big Data is here to stay, which is why all businesses should focus on learning how to effectively use it.

PM World Book Review: Digital Resilience

PM World Journal | July 2018

The subtitle grasped my attention, “Is your Company Ready for the Next Cyber Threat?” With the speed of change and the lack of international laws to detect and prosecute the criminals, my mind quickly responded, “I doubt it?”

This title addresses the rise in cybercrimes and every business, large and small are at risk. It helps law abiding business people peek inside the minds and tactics of international criminals to understand the threats, identify the weakness and effectively respond, no matter what it takes.

Russia’s Alternate Internet

New York Magazine | July 13, 2018

By Dr. Mike Lloyd, RedSeal CTO

Russia has nearly completed an alternative to the Domain Name System — the common “phone book” of the internet that translates numerical IP addresses to readable text like “Amazon.com” and “NYMag.com.” When implemented, the DNS alternative could separate Russia and its allies from the rest of the connected internet — a possibility that, however remote, has experts worried about a “balkanization” of a global network.

Last November, the Russian Security Council announced its ambition to create an independent internet infrastructure for Russia and the other members of BRICS (Brazil, India, China, and South Africa). According to reports, the Russian government sought to create the alternative internet to protect itself from American and Western manipulation of internet services and avoid “possible external influence.” (Sound familiar?)

ICS Security: ‘The Enemy Is in the Wire’

Dark Reading | July 12, 2018

By Wayne Lloyd, RedSeal Federal CTO

Threats to industrial control systems are real and frightening. The government is taking steps to keep us safer in the future, but there are near-term steps you can take right now.

“The enemy is in the wire.” During the Vietnam War, this call would ring out to alert everyone that the enemy was in the perimeter of fortifications. In our cyber world, we’ve known this for years; however, the call rang frighteningly true in May of this year.

This particular enemy was first discovered in August 2017, as a new piece of malware, now known as Trisis. A Middle Eastern oil and gas company found the malware when its industrial equipment started shutting down.

Keeping Score with Digital Resilience

Cybrary | July 10, 2018

With Ray Rothrock, RedSeal CEO

As much as everyone hates to think about this, it is a reality that we all must face: cyberattacks are not going to stop, and everyone is a target. It may even be safe to say that any person who has even briefly gone on the Internet has been exposed to some cyber threat, whether it be a phishing email or malware download.

Security Lessons From Crazy-Busy Airports

Forbes | July 9, 2018

By Dr. Mike Lloyd, RedSeal CTO

I found myself in London Heathrow recently with a few hours to kill. I’d heard about a big political brouhaha rumbling along about adding a third runway, but there are lots of competing pressures — from the economic to the environmental and everything in between. So I decided to spend my down time looking into that. Just how badly does Heathrow need another runway?

After reading a good piece in Wired, this amateur pilot found the statistics intense: Heathrow functions at almost 99% capacity, essentially packing in as many people as the airport can take, with a landing or takeoff taking place every 45 seconds. Forty-five seconds might sound like there’s still some room for error, but from my point of view, it’s far from it. I’m not allowed to land the small planes I fly for three minutes after a big jet takes off or lands due to the dangerous turbulence they leave in their wake. If I wanted to land at Heathrow, it would have to make a huge gap, canceling landing clearances for at least three big jets. That would inconvenience many hundreds of people. What’s worse, at these use levels, the ripple effects could last all day.

As a security professional, I found a behind-the-scenes aspect of the story most interesting — specifically, the approach taken to ensure resilience.

Is your sector taking cyber security seriously?

Information Age | July 4, 2018

The responsibility of cyber security falls on everyones shoulders. But, the charge should be lead from the top. Has your sector fallen behind?

The frequency and severity of cyber attacks and data breaches has risen significantly in the last few years, as attacks increase in volume and variety.

The Only Cybersecurity Metric That Matters for Digital Resilience

While the focus on cybersecurity has never been higher, the cybersecurity community – a combined team of solution providers, CISOs, boards and others– haven’t been able to stop most attacks from being successful.

Why?

We have focused too much of our efforts on network perimeters, working to detect and prevent cyber attacks. We haven’t done enough to build resilience INSIDE the network, the part of the equation we can control and quantify with a security metric.

Organizations need to build resilience into their infrastructures and adopt an end-end digital resilience strategy to survive and thrive.

How big is the problem? There are 1400+ vendors focused on cybersecurity. Nearly $100B was spent on information security just in 2016. Yet billions of records have been compromised.

The reason is we have not addressed fundamental issues inside the network. Companies need to build resilience into their infrastructure and adopt a corporate-wide digital resilience strategy with a corporate-wide security metric.

A few years back, RedSeal gathered 800 surveys during the RSA Conference. We learned that:

  • Practitioners are drowning in data
  • They can’t measure the performance or impact of their security efforts
  • Current solutions can’t turn data into action
  • They need useful cybersecurity metrics

The problem with measuring security is that security is the absence of something. You can’t report how often you were NOT on the cover of Washington Post. Many people start by counting what they are doing. But this measures busy-ness, not business. How can you show actual improvements in cybersecurity?

The Shifting Terrain and Digital Resilience

According to the 2016 TechCrunch CIO Report, 82% of global IT leaders report significant labor shortages in cybersecurity. This, combined with issues such as software defined everything, digital transformation, hybrid datacenters, IoT, and shadow IT, means a big shift in thinking is required. We don’t have enough people to throw at the problem.

Digital resilience is a comprehensive strategy across all IT functions and business processes to minimize the impact of cyber attacks and network interruptions. It’s a different way of thinking.  Being resilient means simultaneously striving to minimize each attack and being able to recover quickly from a strike. Resilient organizations have fewer, smaller incidents, understand and respond to them faster, and can rapidly return to normal operations afterwards.

It’s not enough to see the devices in your “as-built” infrastructure – you have to really understand how they are configured and automatically get a list of vulnerabilities.

And that list of vulnerabilities is a problem; there are too many to act on. Even knowing asset value and vulnerability severity aren’t enough to fully understand the risk. You need to understand if they can be accessed. A high value asset with a vulnerability that is segmented behind a firewall is not as big a risk as one that is slightly lower in value, but has an open path to the internet.

RedSeal’s Digital Resilience Score

Resilient organizations must focus on three main areas—being hard to hit, being ready for an attack when it comes, and being able to recover quickly.

RedSeal helps these organizations identify defensive gaps, run continuous penetration tests to measure readiness, and map their entire network infrastructure.

From these capabilities, RedSeal calculates one unified number, so managers, boards of directors and executive management have the understandable and actionable cybersecurity metric they need to drive towards digital resilience.

RedSeal’s Digital Resilience Score focuses on three essential questions:

  • Do you have defects that are easy to hit? RedSeal evaluates how weaknesses from incorrectly configured devices and third-party software could impact you.
  • Can an attacker reach your valuable assets? RedSeal evaluates how well your network is structured, identifying attack pathways and chains of vulnerability that reduce your ability to withstand and recover from attack.
  • Is your network understanding complete? By identifying previously unknown parts of your network, RedSeal evaluates how well you know what your digital infrastructure looks like. With a complete picture, you can be sure you’re managing all assets on your network. During an attack, you’ll be able to understand where an attacker can reach. And, you’ll be able to recover much more quickly.

Instead of getting stuck in an ineffective focus on measuring activity, resilient organizations use RedSeal’s Digital Resilience Score (DRS). This cybersecurity metric works like a creditworthiness score, deducting pointing for defensive gaps, weaknesses revealed by attack simulations, and blind spots in your network awareness. A higher score means there is a higher likelihood that your business can withstand an incident and keep running.

It’s the cybersecurity metric that matters for digital resilience.

RedSeal Named a 2018 Top Workplace by Bay Area News Group

Bay Area News Group | June 28, 2018

Bay Area News Group has recognized RedSeal as a Top Workplace in the Small Business category among 85 companies and organizations in the Bay Area as Top Workplaces for 2018. These companies have been recognized based solely on surveys about the workplace completed by their employees.