RSA Breach FollowUp: Are We Doing Security Right? [ML B-Side]

Nate Nelson talks to Art Coviello, Former CEO of RSA Security, and Malcolm Harkins, Vice President & Chief Security Officer at Intel, about the current cyber security landscape - 10 years after the RSA Breach.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Art Coviello, Jr

Chairman Of The Board at Epiphany Technology Acquisition Corp.

Exec. Chairman & CEO of RSA Security until 2015. Currently an active investor and advisor in the technology industry.

Malcolm Harkins

Board Member, Advisor, Mentor/Coach at Protect to Enable

Malcolm Harkins is a Board Member, Advisor, and Executive Coach for Protect to Enable Ventures. He is responsible for enabling business growth through trusted infrastructure, systems, and business processes.
Vice President & Chief Security & Privacy Officer at Intel until 2015.

Episode Transcript:

Transcription edited by Suki T

[Ran] Hi, and welcome to Cybereason’s Malicious Life, I’m Ran Levi. A few months ago, we aired a two-part mini-series that, for the first time in ten years, told the real story behind the infamous breach that hit RSA, a global leader in cybersecurity, in 2011. When a successful breach hits a company such as RSA, that’s not something that one can simply acknowledge and move on. I mean, when a bank gets hit or a hospital suffers a deadly ransomware attack, these are serious events, no doubt, but these organizations are not cybersecurity vendors. That is to say, their focus is somewhere else. Banks do money, hospitals save lives, but companies like RSA are focused on security. Security is what they do for a living. They are the experts, in all caps. And so, when a company like RSA gets breached, that says something important, something deeply fundamental about the state of the industry. The real question is then, what does it say exactly? That is, what are the industry-wide lessons we should learn from the RSA breach? Or in other words, what are the implications of the RSA breach on the basic philosophy of cybersecurity? For that reason, we brought two of the best minds in security on our show today to talk about the lessons we, the industry as a whole, should learn from the RSA breach and how this breach might shape the way cybersecurity is done in the future. Our guests today are Malcolm Harkins, previous Chief Security and Trust Officer at Intel, and none other than Art Coviello, former Chairman and CEO of RSA at the time of said breach. Nate Nelson, our Senior Producer, talked with Malcolm and Art about the pros and cons of the two basic approaches to cybersecurity. The reactive approach, where an organization reacts to a present threat, versus the proactive approach, for example using intel and sophisticated AI tools to try and identify threats before they actually manifest in reality. Also, what kind of people should serve on the board of a big company? 
What is the right form of collaboration between governments and the private sector? And how, if at all possible, can we solve the basic tension between a company’s financial bottom line and investment in cybersecurity defense? It’s a very sophisticated, very high-level discussion of the cybersecurity landscape and I hope it will leave you with some deep thoughts of your own. As usual, I’ll pop up here and there to provide relevant information and context. Enjoy the interview.

[Nate] All right. Let’s start with each of you just briefly introducing yourselves. How about Malcolm, you go first.

[Malcolm] Malcolm Harkins, currently a board member and an advisor, previously chief security and privacy officer at Intel, chief security and trust officer with Cylance, and then I did a stint at a web application security company for almost a couple of years.

[Art] Art Coviello, formerly chairman and CEO of RSA Security, also currently a venture investor and advisor to a number of companies, including Cybereason.

[Nate] First question, what has really changed with regard to the overall threat landscape in the last decade? Malcolm.

[Malcolm] Yeah. In many ways, there’s been a lot of changes because the urban sprawl of IT and obviously the advent of ransomware and different attack surfaces and different techniques and stuff like that. In other ways, it hasn’t changed that much because we’ve still created vulnerable technology. We still are managing vulnerable technology and in many cases, we’re not doing a good job across the board of managing the controls in our environment to manage and mitigate the risk issues. That honestly hasn’t changed for a couple of decades, if you look back over the growth of all the cyber risks that we’ve seen. Yeah.

[Art] Well, if you go back 20 years and you look at a number of categories here like devices we were using, we still had those monolithic desktops and laptops just being introduced. Fast forward 20 years and you’re well past mobile and into the internet of everything. If you look at applications, businesses were running client server. Now we’re well past the introduction of agile development where we introduce new code every day that’s accessible, obviously, through the internet. In terms of data, maybe one exabyte of data being stored. Now we’re looking at 100 zettabytes a year, speed 2G up to 5G, social media, AOL Instant Messenger. Now it’s TikTok and Instagram and Donald Trump is now suing Facebook and Twitter, isn’t that delightful? Perimeter, we had controlled access. Now there’s virtually no perimeter. Hackers, we were worried about script kiddies, obviously always worried about nation states. We burst through criminal ecosystems to hacktivists and now the potential for non-state actors, even terrorists. In terms of attacks, barely intrusive in 2000, all the way through disruptive, destructive and now the potential for literally cyber Armageddon. A lot has changed in the last 20 years and certainly in the last 10 since RSA got hacked, but if you look forward, you can’t make this up. With the advent of 5G rollout, with agile development, with the number of workloads moving to the cloud, I was recently on the phone with executives at Google and they said that only 5% of workloads had migrated to the cloud, so all of that’s going to go forward. Geopolitical cyber wars, IoT and OT, which again, we’re in that era, but we’re at the nascent stage of it, and social media, big data, all of this is creating an ever greater attack surface and accelerating the threat landscape.

[Nate] What trends are you seeing in the evolution of security solutions over the same period we’re talking about, Art?

[Art] Well, they’ve certainly got more and more granular and they’ve had to. We talked about going from a reactive model of security to an intelligence-driven model where we actually focused on the risks and the need for tools that were more agile that could react to facts and circumstances and getting leverage from those tools. Now we’re in an age where risk is so dynamic that, yeah, you’ve got to do periodic evaluations of your risk profile, but you’re introducing new risk every day and that means the need for solutions that have massive capability in terms of AI and ML are crucial. As much as I’ve enjoyed the NIST framework, the ability to respond and recover gets ever more difficult with the sheer volume of alerts that are getting hit, so the need to stop things before they get going, the need to understand vulnerabilities upfront and shut them off before they can be exploited, all of those things are getting more and more important in terms of the nature of solutions, and those solutions do indeed get more granular.

[Ran] Art mentioned the NIST framework and I think it’s worth elaborating a bit on this framework, both because it’s a very high-level concept that sometimes doesn’t have an explicit impact on the day-to-day lives of many of us in the industry and because it is a very basic framework that in some ways serves as the basis for everything that Art and Malcolm talk about in the interview. So, NIST, for those of you who might not be familiar with the name, is the National Institute of Standards and Technology. It is a federal agency that is entrusted with developing many of the standards we use in almost every industry, including computer and IT-related standards. In 2013, President Obama issued Executive Order No. 13636. The order directed NIST to work with the private sector to develop a framework, a set of standards and guidelines for reducing cyber risks to critical infrastructure. The framework was published in 2014. It is a voluntary framework, that is, there is no legal obligation to implement it in any organization, but in practice the NIST framework was willingly adopted in many industries and even outside of the United States. And it is easy to see why. Such a framework should, rightfully, be seen as the best way to do cybersecurity in the present. After all, it is NIST, an organization with 120 years of experience behind it. And because of its importance, it is one of the first places we should go to, to ask are we doing cybersecurity correctly? Is the current philosophy of cybersecurity, as it is reflected in the most basic framework, correct? Or does it desperately need to be improved? Back to the interview.

[Malcolm] Yeah, you know, just adding on to what Art said, I think there’s some things that have evolved, certainly with artificial intelligence, machine learning, the ability, as Art was saying, to be more granular, understand things, and the speed with which in some cases we can identify things to take action. On the response and recovery, I think Art’s also completely accurate. I think the problem we’ve got, though, by and large with the industry, is there’s still too many organizations that are stuck on dated architectures and dated security solutions. And that’s because to some extent, the security industry who sells them that markets that it’s better when it’s not, helps pay the testing industry and the analyst community to say things are in a magic quadrant when in reality, those solutions have failed their customers. So you have some things that are, again, have gone through a slow progress of evolution and people are still stuck on them, which makes them more exposed, you know, which is why I’ve spent more time in the startup community, because I think the innovation coming that we’ve seen the past several years, we’re seeing more of, whether it be in the traditional endpoint space, network, other aspects of machine learning to, as Art said, identify the vulnerabilities before they’re exploited. And that also requires of us in the practitioner side to also be risk takers. We have to be at the forefront of technology, not only before the IT organization or the business gets there in many cases, because if we’re the risk managers and the risk mitigators, we have to be the biggest risk takers. And that’s also a problem that we’ve got in a lot of security organizations. They’re not prone to take risks. And so therefore, we’re not in front of that evolution of technology. And sometimes that also causes us to fall short of looking at innovative approaches to the way in which we can control for risk and the new solutions that are out there. 
And one of the areas that’s particularly bothersome to me has been, honestly, since my Intel days for 15, 20 years is below the operating system security risk. And we’ve certainly seen late last year, earlier this year, even the Trickbot malware reaching into firmware. And most people are still, by and large, struggling with above the operating system issues. And those below the operating system issues in the firmware, the BIOS, even hardware architectural issues are going to start really biting people in the ass here pretty quick.

[Ran] Firmware attacks. That’s something we didn’t yet cover in depth on our podcast. But as Malcolm noted, this type of attack is on the rise in recent years. According to an April 2021 report from Microsoft, firmware attacks have increased fivefold in the past four years or so, and a survey of a thousand enterprises across multiple industries has revealed that about 80% of them have experienced at least one firmware attack in the past two years. A worrisome trend, indeed. So, what are firmware attacks? As I said, we’ll dedicate a whole episode to that in the not too distant future, but in a nutshell, we’re talking about attacks targeting the hardware layer of a computer, or more accurately, the BIOS software that runs underneath the operating system and controls the most basic functions of the computer, such as reading and writing to memory and the hard drive, initializing the various registers of the hardware components, and similar functionality. The main advantage of such an attack is its stealth. Since we’re talking about software which runs even before the operating system boots up, it opens up a sea of possibilities for the hackers to gain control of a machine without the user even being aware of it. A clever malware can circumvent many of the defenses set up on the OS level. Another advantage is that unlike OS level software, firmware is hardly ever updated at all. I mean, I bought my most recent computer some three years ago, and since then I probably had hundreds, maybe thousands of updates to almost every software I use, but only updated the firmware once, and to be honest I spent at least a good half an hour praying to all the gods I know of that the risky update won’t break my machine. The downside of firmware attacks is that they are much harder to pull off. Designing such a malware is much harder than creating OS level malware and requires some very specific knowledge and skills. 
Also, since OSes are basically there to mask from developers the complexity and variety of hardware platforms out there in the world, that means an attacker now needs to tackle all those complexities by themselves, in essence taking them back some 40 years to the era before DOS, Windows, iOS and such. Anyone who did software back in those days will tell you how difficult that was relative to our current computing environment. Still it is almost certain that nation state actors have the funding, skill and motivation to take on these challenges that makes firmware attacks a major threat in the coming years.

[Nate] So building off this, in the last decade or so you both have experienced and had to lead through significant breaches at RSA and at Intel. So how has cyber defense, in your view, improved in the decade since?

[Art] I’ll take it first. I think it’s improved dramatically. Ironically, one of the reasons why we were able to catch on to the attack as early as we did and ultimately really prevent any damage from being done, notwithstanding the noise level in the media and with our customers, was the fact that we had only recently acquired a company called NetWitness, which we had already deployed in our environment and we could see anomalies in the movement of packets across our network. So that was one of the early days of being, what I call, involved with proactive security. So we were able to see the attack develop. But all of those tools have gotten markedly better. I remember an RSA conference, it must be 13 or 14 years ago, Alan Turing was the highlight that we used to, every year we have a theme for the conference, and Alan Turing and thinking machines was the subject in a particular year. And I actually called for the use of more artificial intelligence. That’s really, I think, the big change, machine learning and advancing these capabilities so that we’re seeing these attacks develop. And more and more, I think the security models, I talked about the model that is more MalOps focused, that we have to elevate ourselves above the battlefield and not just treat a symptom, not just see that a virus might be executing, but actually see the nature of the attack and have a better idea of what’s going on.

[Malcolm] Yeah, let me kind of add on to that and I’ll be probably a bit more bipolar than Art, which is probably usually the case anyways, given how I will perceive things. At a macro level, and this could be because of the media cycle that Art had referenced, but at a macro level, you look at all the breaches, all the attacks, all the ransomware stuff, that’s just grown and grown and grown and grown. So if you look at it from that level, again, ergo, we haven’t done a great job of reducing our risk exposure. And that could be because of technological implementation issues, it could be because of organizations not managing the technology stack well. So at that level, you could say not much progress has been made. But the companies that I’ve been in and certainly post my Intel time, the advancements as Art was talking about on machine learning, artificial intelligence, the ability to inspect things at a more granular level and do it faster have improved. And certainly organizations that have been more, as I was mentioning earlier, kind of innovative towards leaning in on advanced solutions, they by and large have been able to bypass most of the attack vectors that are hitting other people because they’re able to preempt the issue. They’re able to spot it before it becomes a chaotic, potentially catastrophic event. And their response and recovery mechanisms are tuned so that they can be on top of things quicker. And I even have experienced this in my Cylance days because even security companies aren’t immune from incidents or issues, right? We all have them. The question becomes, have you reduced the noise enough because you’re able to knock away all the common things that are hitting everybody else and have the fidelity in your other technology and processes to spot something that is truly a zero-day, truly unique and could impact you? And when you’re in that side of things, I think your ability to be in front is much better. 
And Art mentioned the NIST framework and I’m a big believer in it, but I think as Art was referencing, the response recovery in many cases has gotten too much of the focus. And if you look at the cybersecurity framework, it starts with identify, then protect, then detect, and then response and recovery last. And I think the more we can, again, focus upfront in the identification of the potential risks, at what level, understanding the impacts to it, put in the right protection mechanisms to prevent as much as possible the occurrence of risk. And then once you’ve done that, you don’t have as much noise. And so your ability to identify in the detection side of things and then respond become better.

[Ran] Malicious Life is sponsored by Cybereason. There is nothing better than a live simulation, especially when you’re fighting cyber attacks that are becoming more and more complex. Defenders are always looking for the critical edge to reverse the attacker’s advantage and it’s only through live attack simulations that you can truly see what might provide you that winning edge. Join Cybereason’s global attack simulations to watch firsthand how attackers use the latest infiltration methods and execute on sophisticated malicious operations, and more importantly, how to end these operations before they happen. Reserve your spot today at cybereason.com/attacksim

[Art] By the way, you know, one of the things we’ve missed here, too, is that, and I think Malcolm was alluding to it, is the fact that there’s just such a stratification in terms of talent running these security infrastructures across, you know, numerous organizations and vertical industries. So you know, if you look at the companies that have been hit hardest by ransomware, they’re in industries that have been notoriously bad around protecting themselves and might not have the talent. So I’m not saying that the tools are available that can stop any attack, but boy oh boy, it’s never about eliminating risk, it’s how much you can ratchet it down and the tools to ratchet it down are available if people can put the right combination together.

[Nate] And that leads me to my next question, which is, you know, looking back on the breaches you two have dealt with, what kinds of advanced tools do we have now that may have really helped out back then, do you think?

[Art] Well, clearly, given that we had a zero-day embedded in an executable in a spreadsheet, that if we had the kind of anti-malware capabilities that are available today, like Cybereason, for instance, we would have nailed the attack very, very early on. The other thing is, just in terms of vulnerability and where things are, where the assets are, what’s most vulnerable, we can do a much better job of that up and down the line. So whether it’s understanding your vulnerabilities, the endpoint capabilities, the identity and access management capabilities that have improved so dramatically, I think would have gone a long way to protecting us.

[Malcolm] Yeah, I agree with Art. I think, you know, certainly, you know, where the attacks began, right, with the execution of malicious code, the ability to preempt that with advanced anti-malware stuff, the identity-based attacks, where credentials are taken and used and stuff like that, the ability to manage and mitigate that has certainly improved, even with different multifactor authentication and, you know, mitigation against credential stuffing, account takeovers and things like that. Vulnerability management has come a long way, but I still don’t think it’s come far enough. I think, you know, it’s very rare that the one device or one identity that’s stolen and becomes the entryway to a breach is really the only thing that will stop the breach. There’s a complexity of connected systems and identities and applications and devices through our networks and on-prem, off-prem, hybrid environments, SaaS and stuff like that. So we have to have the ability to look beyond the traditional vulnerability management, which is a component-driven approach, and be able to stitch together proactively understanding the exploit paths that could exist in our environment and then taking action on those exploit paths. And sometimes, you know, the focus on just the traditional vulnerability management and patching this and doing that is necessary, but it’s not sufficient because you can’t eliminate risk, as Art said. And so you’re always going to have the potential for an entryway. The question becomes, once they’re there, what path is the likely path they’re going to take and where is the pivot point of exploit that then leads to the catastrophic event? And finding that and then exploit path reduction as a focus will go a long way going forward to helping us, again, proactively manage and mitigate the risks.

[Art] It does require that capability within your security infrastructure toolset to elevate yourself above the battlefield and again, see the nature of the attack, not just treating the symptom. So it really is about defense in depth at the end of the day. Do you have the right systems for understanding vulnerability? Do you understand your risk? Do you understand what your critical assets are and where they are? And what are the tools you have for appropriate defense? And then ultimately, if all else fails, what is your ability to respond and recover?

[Nate] So to the point of how the sort of grand philosophy around IT security has evolved over the last decade, are you two seeing the lessons that you’re talking about now, the lessons from the earlier 2010s being applied today across industries to modern data breaches? Or are we sort of overlooking them?

[Malcolm] On the one hand, the absolute answer is yes. You see organizations who’ve had issues or organizations who don’t want to have the issues take a very proactive approach to this and they hire the right talent. They elevate the security role. They put the right budget and resources in place. And by and large, they’re able to manage through these things. At the same time, and I can tell you this because I saw it even in my Cylance days, we’ve got an arcane approach to compliance and compliance doesn’t equal security. And a lot of organizations also, because the executives are just tired of always the security team asking for more and more and more and more and not seeing any results from the spending and the resources. And so they just take a compliance-driven approach to security, which on the one hand, you know, gets a certain baseline. It’s necessary but not sufficient. But a lot of the compliance regimes also point you towards dated technology. When I was at Cylance, I don’t know if it was PCI or FedRAMP or one of the compliance regimes. They’re asking me how often I update my data definition files. We knew signature-based endpoint protection and signature-based network anomaly detection was a failed and insufficient, flawed control. Yet the compliance regimes still point to those technologies to check that box. So the other thing we have to do is reorient our compliance approach. And compliance should be the residual or residue of a good security program. And in many cases, the compliance regimes are pointing us towards things that are making us more vulnerable.

[Art] Well, that’s a great segue into something I wanted to bring up anyway because compliance usually is equated with regulation and governments just cannot keep up with the rapid pace of technology change. And boards of directors who need to play a more active role in governance over the entities they’re responsible for are sadly deficient in technical knowledge. So I’ve been advocating for years, and I’m not looking for another board seat, I’ve got plenty of board opportunities, but the fact that you wouldn’t think about having a board of directors without a financial expert, how could we in an age where technology has transformed everything not have technically literate people on boards of directors? So that’s one. How can we talk about year after year having a public-private partnership with government and industry and then not really get any significant action over the last almost 20 years since Dick Clarke’s study in 2003, Bush’s Strategy to Secure Cyberspace? It’s like every six years, you know, in 2009, Obama did a 60-day study and he said we should have a public-private partnership. In 2015, we all got together at Stanford after the Sony attack and the upshot of that was we should have a public-private partnership. Now Biden takes over six years later and I have high hopes for this administration because we’ve got some real good talent in Homeland, in the White House, and now the Congressional-oriented appointee, Chris Inglis, former deputy director of the NSA, all giving real good guidance in this administration, but we also need international cooperation, which has been scant and, you know, until we really come together, the most vulnerable countries, we’re not going to be able to take on the criminals in Russia, not to mention the government of Russia, the government of China, and all of the adversaries that would do us harm. So we need a higher level cooperation network if we’re actually going to make progress.

[Nate] Right. So one of the things that became really abundantly clear as we were covering the story of RSA were all the similarities between what happened to RSA 10 years ago and what’s been happening to a lot of companies recently, right? There’s the nation-state supply chain, compromised cybersecurity company, all these things. Do you two ever look back and say, maybe in spite of everything we’ve been talking about, not much has actually changed?

[Malcolm] I look back and say that all the time. You’ve probably heard it from me a couple of times on this. You know, it’s hard, right, because, you know, on the one hand, we have made tremendous progress as an industry with the advancements of technologies and stuff like that. But when you up-level it and you look at the acceleration of risks that we’ve seen, we’ve done it to ourselves because we’ve developed technology with vulnerabilities and we’ve shipped it. You know, minimum viable product means minimal security, minimal privacy. And so we’re perpetuating ourselves to being insecure. And, you know, and to Art’s point, I think having a technologist on the board is a good thing. But, I mean, let’s be frank, that doesn’t solve the problem. SolarWinds was a technical company and look at what it did and the implications of it. There’s a lot of technology companies that are cobblers with no shoes because they’re focused on their profit, their bottom line, and spending money on security doesn’t add to their net income. And most boards are going to compromise on cybersecurity. The National Association of Corporate Directors, about a year and a half ago, did a study of board directors and over 60% of them said they compromised on cybersecurity for a business objective. You know, so at the same time, we have the wrong incentives for executives. We have the wrong incentives for engineers. You can become an engineering manager, a principal engineer, a fellow in a technical role because you created functionality that could sell. But it could be riddled with security holes, but you’d still get promoted because you created functionality that sold and you got the patent for it. So we’ve got the wrong incentives in many cases that are perpetuating the problems.

[Art] I guess I’d take a slightly different twist on what Malcolm says. I don’t disagree that it seems like nothing has changed, but the reason it seems like nothing has changed is there’s still attacks and the attacks are still successful. And the attacks at some level are far more serious than perhaps they were 10 years ago. But the reason for all of that is just the sheer amount of digital transformation that’s taken place and the amount of exposure and risk that we have created as we’ve yielded the fruits of all of that in terms of productivity and efficiency. So it’s not so much that things haven’t changed. They’ve changed dramatically, but it seems that they haven’t changed because the risks are so much greater. And as much as we’re doing a better job protecting ourselves, there’s still great disparity from company to company in terms of talent capability. And now I’ll pick up on Malcolm’s thread about bottom line focus versus security. You can have both. There’s no excuse in my mind. And I think it comes down to what kind of a culture do you want to have. And if you recognize that skimping on cybersecurity means significant risk to assets, revenue, your reputation, and what have you, then you recognize that you have to spend appropriately in this area.

[Nate] So then what is the solution to sophisticated supply chain attacks?

[Art] Well, it’s never one thing. I think it’s a combination of the kind of tools that we’re now capable of developing and will need to continue to develop. That’s why I am an investor. And it’s really improving the capabilities with organizations. And I don’t want to say improved awareness because how could you not be aware of the problem of security? And now I’m talking at a macro level with governments and boards and cross industries and cross continents. And that’s a better understanding of what it will take to work together to not only do it company by company, but have a collective safety regime across the entire planet.

[Malcolm] Yeah. And I agree with Art. There’s not just one silver bullet. You can’t just look at endpoint, and then the question becomes what type of endpoint, because endpoint proliferation and devices and even wearables, and what is my network and where is my data, all that type of stuff. We have to look at this systemically across all of the stuff. And that’s also one of the problems that a lot of organizations have had. They don’t have good IT asset management. They don’t know where their data is. So if you’re not actually understanding all of that stuff, it becomes even harder to manage and mitigate the risk. I remember having some discussions with some peers when SolarWinds hit, and pretty sophisticated organizations, people I’ve known for a long time, who have good budgets, smart people, advanced tools, they didn’t even know if they had SolarWinds in their environment. They spent a weekend trying to figure out where it was and if they had it. And I was just baffled at that, that people didn’t understand that. Or in other cases, the security team looked at SolarWinds as a low-risk capability. And I’m like, in what world would a systems management tool that had privileged access over your infrastructure be low risk, right? So we’ve got to broaden our thinking and honestly just be open to the complexity, and then get advanced tools that will help us identify, through the complexity of our environment and people and assets and data and on-prem and off-prem, where we’re exploitable so that we can take action on it.

[Nate] Finally, how about a parting thought from each of you, Malcolm, maybe you go first.

[Malcolm] Well, you can’t eliminate risk. So that’s the other thing we have to be real on. We can’t eliminate it physically. You can’t eliminate it logically. Heck, you can’t eliminate it in the financial markets. So first and foremost, recognizing that. But we can manage and mitigate it better than we’ve done today. And that means we all have to be accountable for it, from the boards to the security team to the IT team. And I think with having a forward-looking view of risk, where we’re predicting it, because it was easy to predict where we’re at today. I was doing that 20 years ago at Intel, talking about a perfect storm of information risk. And it’s happened because we haven’t been strategically thinking about where those vulnerabilities will potentially come from so that we can proactively manage them. And then we’ve got all the tactical day-to-day stuff and just the operational side of things. So it’s a complex problem, and it requires people with the right level of business acumen, technical acumen, and the right foresight on security to buy the right technical solutions and hire the right people to manage it right.

[Art] Yeah, I do think that we’ve done a much better job in security over the last 10 years in terms of the level of innovation. And I’ve been in technology almost my entire career, and I’m endlessly fascinated by the level of innovation that I see day in and day out. And you don’t think you’re making much progress, but then you look in the rear-view mirror and you realize how much you actually have done. And the solutions today are far more capable than they’ve ever been before, but they need to be deployed, and they need to be deployed by talented people. But I keep coming back to it: it just can’t be on an individual organization basis. What Malcolm said about eliminating risk is absolutely true. So if we really want to minimize risk to the maximum extent, we’ve got to get the nations of the world to address what I actually said in my last RSA Conference keynote, which was we have to make cyber war as abhorrent as chemical war. We have to make sure that, across boundaries, we’re able to find, arrest and prosecute cyber criminals and keep them from having a lucrative trade as they do now. We have to make sure that commerce across the internet remains unfettered and that intellectual property is protected. And finally, with all of this, we also have to protect our own humanity with the right level of privacy protections. And those can only be done if governments and industry come together and cooperate. In the meantime, we will still have tremendous innovations of technology. I call what’s going to occur in this decade the roaring 20s for technology, but potentially the calamitous 20s in terms of cyber, if we don’t have these higher-level initiatives. In the meantime, there are great solutions, and if you take advantage of them, you’ll sleep a lot better at night.