The Importance of Connecting to Build Cyber Security

WHAT IS MOST VULNERABLE ABOUT THE NATION’S CYBER SECURITY? “We have essentially a reactive capability. We wait for something to happen, and then we react.” That was the assessment of retired four-star general Keith Alexander, who was director of the National Security Agency from 2005 to 2014, and in 2010 was appointed first commander of the United States Cyber Command, charged with defending the country’s security in cyberspace.

The real problem, Alexander said at a cyber security conference in December, is that everyone is operating independently. Everyone is defending their own. There isn’t enough coordination. “Imagine crowdsourcing our threats,” he said. “Our level of protection would be magnitudes better than it is today.”

As gloomy as some of his words sounded, Alexander found reason for optimism. There’s a lot of talent in finance, in telecom, in a number of industries that can aid the government’s efforts, he noted. “This area is going to change dramatically in the next 24 months,” he predicted. “There are a lot of things we’ve got to fix in our country, but cyber is one we’re going to fix.”

Alexander is now co-CEO of IronNet Cybersecurity, which he founded in 2014, shortly after he retired from the NSA. The firm’s mission is to help bring companies and industry together in a collective defense to leverage advanced network traffic analysis and enable the sharing of threat intelligence.

He was speaking at a conference in Manhattan put on by TAG Cyber, a consultancy founded in 2016 to offer coaching, research and guidance to tech teams focused on cybersecurity. Sitting next to Alexander on the stage was Ed Amoroso, the firm’s founder and CEO. Amoroso holds a doctorate in computer science, teaches at New York University and Stevens Institute of Technology, and worked at AT&T for 30 years, the last dozen as chief security officer.

The two men have been friends for years, and there was an easy camaraderie in their conversation. Amoroso had started by asking Alexander how he found his way into the Army. “I’m pretty sure that everyone here had the options that I had: prison or the military.” After the laughter subsided, he continued: “You get uniforms. Meals.” (Spoiler alert: He actually went to West Point.)

Alexander’s presentation continued to be leavened with humor as he recounted career highlights, but later he dropped the self-deprecation. His most dramatic story involved Operation Overt in 2006—a security operation to thwart a terrorist plot originating in the U.K. to blow up planes using liquid bombs.

He had just finished reading all the “traffic” that had come in. And then he joined a meeting. Bush, Cheney, Rice and the others were on a screen, looking “like Hollywood Squares,” he said. He didn’t realize that he would be their “briefer” that day—until the president suddenly said to him, “Tell us what’s going on.”

Does he miss those days? Does he miss the NSA? “I do miss the people,” Alexander said. Asked about his transition to the private sector, he said that it’s important to have big goals: People get excited when you tell them, “We’re going to solve this problem.” And you need to show them that you’re “all in.” It’s also important to invest in people, as he’d done in the military. The attitude should be: “We’re hiring these people not to tell them what to do,” he said. “We’re hiring them to ask them what we should do.”

A Mix of Speakers

Earlier in the day, Amoroso had opened his fourth annual conference by welcoming the 120 invited attendees, most of them cybersecurity vendors, and reminding them that his events were not like the ones they were used to. His were all about ideas, he told the crowd, not commerce. No big screen. No booths. No PowerPoints. Just talk. But not all of it from grizzled veterans. Amoroso had gathered an eclectic mix.

First up was Robert Hackett. A senior writer at Fortune magazine, where he has worked for five years, Hackett writes a column on cyber security and covers emerging technologies. He estimated that a third of his work is devoted to fintech, a third to science and a third to cyber security. He and Amoroso were joined onstage by Katie Teitler, a TAG Cyber senior analyst.

Teitler asked Hackett about privacy, wondering whether we’re now forced to trust companies with all of our data. “It’s a scary world out there,” Hackett acknowledged. He recommended a book about the data economy called “The Age of Surveillance Capitalism,” by Shoshana Zuboff.

What about a federal privacy law? Teitler asked. Did he expect one that would push beyond the California Consumer Privacy Act? A federal law will likely pass that supersedes the California law, though it will also likely be weaker, Hackett predicted. Regulation will favor incumbents, making it harder for startups to compete. In the last century, telecom regulations allowed AT&T to enjoy a government-sanctioned monopoly, and today’s big tech companies would be happy to have something similar, he added. “That’s what Zuckerberg wants.” And all the big tech companies want clarity.

A few minutes later, someone from the audience returned to the subject, suggesting that we adults may care about privacy, but kids don’t seem to care so much. Amoroso quickly jumped in. AI should make all of our decisions for us, he said with a grin. It should choose who we marry. Why not? We’re already turning over our entire lives to social media.

His comment made Hackett think of another book: “The Inevitable,” by Kevin Kelly, which says in one passage, echoing many Silicon Valley techies, that privacy as we know it is dead. Hackett doesn’t believe that’s true.

Nor does he believe that robots will take his job (another question from the audience). The future may well be automated. Former Google CEO Eric Schmidt came to Columbia Journalism School, where Hackett earned a master’s degree, and delivered a talk on this, Hackett recalled. “It’s coming, whether we want it or not,” was the gist. But of one thing Hackett remains convinced: Even if robots automate the mundane tasks, the world will still need journalists asking questions.

Learning to Connect With CISOs

The next speaker confirmed that Amoroso has no interest in conventional conferences. He brought Rich Powell up on stage. Powell is TAG Cyber’s lead illustrator. His best-known work appeared in Mad Magazine. He now draws a regular strip, in collaboration with Amoroso, called Charlie CISO. Not only does the comic appear weekly on TAG’s website, companies can hire the two to create personalized strips to raise security awareness. A large cardboard cutout of Charlie CISO himself was standing nearby, in case anyone wanted a selfie.

“Did you ever think you’d be making jokes about cyber security?” Amoroso asked Powell.

“I didn’t know what cyber security was,” he replied.

After a few more questions about his career, Amoroso asked Powell if he had any ideas for their next strip. Remembering Amoroso’s comment about AI during his talk with Hackett, Powell shot back: “Yeah, I thought we’d have AI pick someone’s wife.” He paused for a beat. “And it picks his mother.”

After lunch, Amoroso stepped back onto the stage, alone this time. His keynote pulled together some of the ideas he’d promised. And though they weren’t directly about commerce, they were ideas that could be used to produce it.

Alexander had already suggested some: Invest in people. Start with a large vision that can solve a problem. Listen to your employees. Hackett had touched on one at the end of his turn. Automation may change the workplace, but it’s not going to eliminate a need for journalists—for people who can explain what’s happening.

But Amoroso didn’t start there. He started out talking about uncertainty, about the lack of solidarity, about “pathetic” state and local budgets. He spoke of the difficulty he’d encountered trying to teach a group of young people how to be executives. They were being groomed for management, just below the level of CISOs, but without any training.

Slowly he approached his subject: leadership. How do you lead? Why do people follow? Vendors struggle with this, he said. Nobody buys what you sell. They buy what you believe. “They buy into you.” He challenged his audience: Sit in front of a mirror and deliver a pitch for your business without mentioning your product.

It was at this point that he brought up CISOs, who are often the professionals the vendors are pitching. (And presumably that’s the reason Charlie CISO exists.) Stop thinking that CISOs have a need that your product satisfies, he said. Even if it’s true. “The reason you will make a deal,” he continued, “is your ability to connect, not the quality of your product.”

He finished his talk with three tips.

  • Figure out who the people are you’re trying to sell to.
  • Don’t choose tools because someone tells you to. Figure out the answer for yourself.
  • And if you’re a CISO, you need to decide whether you’re also an executive. If you’re not, you may need to take on a different role to make yourself well-rounded. But if all you want to do is hunker down and work on your SOC, you’re not an executive. You’re a hired gun.