Some Lessons from the Cyber Trenches

Looking back over the past 18 months, three corporate security professionals sometimes sounded like battle-scarred veterans as they talked about the cyber wars their companies have weathered.

Meredith Harper, chief information security officer (CISO) at Eli Lilly and Company, spoke of the “relentless” adversaries that “take advantage of any opportunity to be able to continue to attack not only ourselves, but also the strategic partners — the supply chains that we work with.” Michael McNeil, global CISO at McKesson Corporation, noted that the Covid pandemic created a “perfect storm for threat actors,” since workforces suddenly had to abandon offices and work remotely. And Chris McCurdy, general manager of IBM Security, noted the “double- digit increase in ransomware” attacks and ever more sophisticated phishing attacks targeting executives.

Rather than sharing war stories, however, these panelists at the recent IBM Security Summit focused on lessons they learned, and what companies should take away from the challenges many have endured. They talked about how to manage supply chain risks, how to recruit and retain tech talent, and how to ask management for resources without resorting to scare tactics.

The moderator of the discussion, Scott Austin from WSJ Digital Business, started by asking about the influence of the global pandemic. Eli Lilly’s Harper began on a positive note. One of the biggest surprises, she observed, was how well companies were able to respond to the crisis. “Honestly, I would say that we found out in this moment that, as cyber professionals, we can do anything,” she said. “We were able to, at the drop of a dime, convert our organizations from in-person organizations to remote organizations.”

McKesson’s main focus during the pandemic has been its job as one of the prime distributors of Covid vaccines, according to McNeil. At the same time, there was a large jump in phishing attacks, particularly messages that lured the unwary with purported information about Covid-19. The required response was vigilance, McNeil said, and the company “doubled down” on training.

IBM was able to take in the threat landscape with a wider lens. “We run one of the largest threat intel organizations in the world,” McCurdy said. The company manages and monitors 18,000 different clients globally, he noted. One troubling trend trailed the migration of businesses to the cloud. Attackers followed them there. McCurdy cited “over a 150 percent increase” in attacks in the cloud during the past five years. There was also a home-grown problem — literally. Security incidents caused by shadow IT mushroomed, according to McCurdy, as employees working from home used unauthorized systems that violated company policies “because people had to find new ways to work.”

Securing Supply Chains

The conversation shifted to supply chains. McKesson recognized a need to monitor its third- party risk management program, McNeil said. And then they wanted to be sure they had a handle on their “secondary and tertiary types of organizations.”

Lilly’s Harper picked up on this theme. “Don’t underestimate the complexity of your supply chain,” she warned. Smaller organizations may have different attitudes toward security, which can leave their larger partners vulnerable when attacks multiply and adversaries search for the weak links. “I think sometimes we just kind of trust that the third party we’re working with is doing all the right things,” she said. “But we’re not always verifying that they are.” Lilly decided to engage in a global review to ensure that partners were meeting their expectations. “When you do that,” Harper added, “be prepared, if you have a third party that is supporting a critical part of your value chain, and they are choosing not to rise to the occasion, to move them out.”

IBM’s McCurdy took it one step further. “Do you have a backup?” he asked. If there’s a problem with the security of a major supplier your company uses, have you identified potential sustitutes you can turn to? For some large companies, he continued, it would not be practical to have replacements picked out for every third party they deal with, which can run into the thousands. But they should at least prioritize their top 10 vendors, and have backups identified for them, McCurdy said.

The Fight for Talent

Moderator Scott Austin asked about the global demand for employees to fill open tech positions. He noted that Michael McNeil had recently spoken on the topic. “It seems particularly dire in cybersecurity,” Austin said.

It’s challenging, McNeil acknowledged. It’s not just a matter of hiring, he said. In this time of the Great Resignation, it’s also executing retention strategies that will hold on to them. Because no matter how ambitious they may be, the odds are against any of them rising to be CISO. Others have no such aspiration. So it’s crucial to manage expectations. The key, McNeil said, is to understand what new hires need, ensure that they understand the opportunities, and create employee development plans that match the two.

Clearly companies are jittery about their talent pools. Austin asked Harper if she’s seeing “an exodus in tech” at Lilly. “No exodus. I thank God for that,” she said. The company’s recent strategy has been to try to reach women and minority candidates, recruiting at colleges and universities. But entry level hires are not sufficient to fill their needs, she continued. And the search for experienced candidates has led her to bump heads with McCurdy and McNeil “in this war of who can get the best talent,” she said. “We’re moving people around on the chessboard.”

How can they create a more robust pipeline? “We need to look further than just college-age,” she said, answering her own question. “How do we get to the high schoolers? How do we get to the middle schoolers, and introduce them to STEM careers?” The goal: “I want to be able to replicate me in the industry as much as I possibly can.” And a big part of that is supporting them once they arrive, and giving them opportunities to do “some really cool things,” she said. “Don’t underestimate how much that helps team members stay connected to your organization, so they can’t be swayed away by the Michaels of the work, who want to pay them way more than we probably can.”

Scott Austin broke in. “I might have to have you give a pep talk to my daughter,” he said, to “get her more interested in STEM.”

McCurdy also has a daughter, he said. “And diversity and inclusion are extremely important to me.” Like its competitors in the talent sweepstakes, IBM has reached out to secondary schools. And has created summer internships. But it’s found another route as well. “Some of the best security people that we’ve hired are former developers that have security in mind, so they understand the importance of embedding security,” he said. And in the big picture, he went on, “we need to embed security culture at our houses. So that way, whey they come into the workforce, they’re thinking about security as they come in.” McCurdy also expects artificial intelligence will mitigate the problem by taking over lower level security work.

As the session wound down, Austin read a question submitted from the audience. How do you convince management to set aside resources?

Effective Pitches for Resources

When you approach management with budget requests, they need to be “risk-based,” McNeil emphasized. “You should never go in with fear, uncertainty, and doubt — the sky is about to fall,” he said. “I guarantee you it’s not sustainable. I guarantee you it’s not believable at the executive levels. You have to present the particular business case, and it has to have the appropriate sets of value propositions.” That approach has worked for him, he added.

Harper agreed with McNeil. And she had this to add: Instead of coming to the board with talk of firewalls and encryption, about which these people know little, bring a story. In the past, she explained, security professionals too often failed to address the company’s business imperatives, and how they could help meet those through technology and security. “I’m not going to go in and start talking about zero trust, even though we’re doing it,” she said. “I’m going to talk about what it will enable, what it will allow us to do. We have to get better and smarter at telling that story.”

Sometimes the perfect story can be crafted from a devastating attack that’s in the news. “If I am smart,” Harper said, “I am going to review and monitor my own organization, to see if some of the conditions are consistent in my organization that allowed that bad thing to happen to someone else.” And if there are similarities, she will present the parallels to Lilly’s executives. “That’s a strong business case,” she said. “We don’t want to be them.”