On this episode of The Zero Hour Podcast, we interviewed Dr. Eric Cole, CEO of Secure Anchor. A cybersecurity veteran who's worked for the CIA and companies like Lockheed and McAfee, Cole currently provides business-driven security advice and services for Fortune 500 companies.
Ensuring Business-Driven Security from a Veteran’s Perspective
In this insightful interview, Cole discusses the key lessons he learned from his time at the CIA; how to ensure business-driven security; what makes a good CISO (and what doesn't); why cybersecurity attacks are actually becoming less sophisticated; and much more.
Lessons on Providing Business-Driven Security
Dr. Eric Cole's storied career has included stints in both the public and private sectors – from the CIA, to McAfee, to Lockheed. From this wide range of experience, Cole picked up key lessons that he now brings to his advisory business. Two of these lessons are paramount for companies that want business-driven security.
"In security, to be really good at the defense, you have to understand the offense."
"The first one is: in security, to be really good at the defense, you have to understand the offense," Cole says. Spending eight years in the CIA compromising enemy systems, he realized that cyber-B&E is not as magical as people imagine it to be. "It's very systematic, compromising a system. And it really comes down to three fundamentals: a visible IP, an open port, and a vulnerability to service."
"You're never going to have 100% security if you have functionality. The only way to be 100% secure? Give up technology, shut it off."
"My second big lesson is: you're never going to have 100% security if you have functionality," he continues. Most companies, Cole recalls, demand a 100% secure system that will never be attacked. Realistically, however, that is never going to happen. "The only way to be 100% secure: give up technology, shut it off. Become Amish, and you're good to go."
Back to the Basics
When asked about what security professionals should be tackling in the near term, Dr. Eric Cole says we should all go "back to the basics" of cybersecurity.
"Today, we have become so enamored with the latest and greatest: AI, behavioral analytics, and all that," Cole points out. "But most organizations I see getting compromised have unpatched systems; they don't know where their data is, and their users are still clicking on malicious links."
"If I was a cybercriminal, why should I go in and try to build zero-day exploits when I can just send a link?"
Cole explains that most cyberattacks, though causing more damage and extorting more money, have not actually become more sophisticated. "If I was a cybercriminal, I'm going to do the easiest, simplest, most straightforward method that gives the best results. Why should I go in and try to build zero-day exploits when I can just send a link?"
Cole provides an example that stimulates the fear response. "If I write a subject line that says, 'three of your coworkers got infected with COVID, click this link to see if you had exposure,' 99% of the population will click on that link, and I’m in their system."
What Makes a Good CISO?
When asked what makes a good CISO or CIO, Cole says it is someone who can focus on strategy and translation. A CISO should be someone who can bridge the gap between business and security that most companies have, establishing business-driven security.
"When CISOs can't speak the right language to the right people, they get ejected from their seat at the table."
"If you're a CIO or a CISO," says Cole, "what you need to be able to do is talk techie with the engineers, translate that into business language, and then communicate that to the executive team."
The problem, however, is that most CISOs are very technical people. This often results in miscommunication, because most members of the executive team cannot follow jargon and "geek speak." When CISOs can't speak the right language to the right people, they get ejected from their seat at the table.
"If you're going to sit in the boardroom, you better recognize it's all about dollars and cents."
Cole has witnessed many CEOs complaining about CISOs who "don't speak English" and don't understand business. At the end of the day, that is what the board and executives care about: business and profitability. "If you're going to sit in the boardroom and you're going to have a seat at the table, you better recognize it's all about dollars and cents."
To ensure business-driven security, CIOs and CISOs need to use the right language. Enumerating the top risks, the likelihood that each occurs, and the cost of preventing or repairing the damage is as straightforward as it gets. "It's all financial, because that's the language of executives," Cole says. "And if you can't speak financial, you're not going to be a good chief."
You can listen to the podcast episode here; it is also available on Stitcher, Apple, and Spotify. The Zero Hour Podcast sits at the intersection of information security and business innovation. Learn from industry experts in cybersecurity, marketing, and business management as we talk about the challenges and opportunities that come with new technology.