Cybersecurity education is more important today than it has ever been. In this insightful interview, InCyberDefense Managing Editor Wes O’Donnell speaks with American Public University System’s Program Director for Information Systems Security and Information Technology Management Dr. Kevin Harris. Dr. Harris’ career encompasses diverse experiences both in information technology and academia.
Wes O’Donnell: Wes O’Donnell here at Commencement 2019. I’m here with Kevin Harris, Program Director of Cybersecurity at American Public University System. Kevin, thank you so much for joining us today.
Kevin Harris: Thank you for having me.
Wes:What do you think the biggest threat to cybersecurity is in 2019?
Kevin: Funny thing. I probably would have never thought I would say this, but a toaster. It’s just with the explosion of IoT devices in the home and in businesses ‑‑ toasters, refrigerators ‑‑ all these different appliances are connected.
That’s one additional threat that we have that probably we wouldn’t have thought of even five years ago if we would have to worry about appliances and part of the security threat vector that we have. Also, just the more centralized data that we have. That’s a continued threat that we’re going to have. The awareness levels are threats that we continue to see.
Also, our devices, our wearable devices, and even medically implantable devices, are all areas that an attacker can possibly look to a breach, which possibly, with some of the medical implantable devices, could be life-threatening to individuals.
These new technologies that we have that allow for a lot of outreach where individuals don’t have to come into a medical facility, where they can be monitored from home and medicine adjusted, these are all the threats that we’re continuing to see.
Wes: How do you counteract a threat with IoT things or medical devices? What’s the path to fix those problems?
Kevin: I think it’s from the very inception and design of the product, to have security in mind, limitations, and even what protocols are going to be used to communicate back and forth between the locations and the actual devices. Really, the decision has to be made at some point, is the convenience worth the risks?
Wes: Let me ask you this. What led you to cybersecurity in the first place?
Kevin: My IT background, I started in infrastructure, so networking and server administration. That was kind of before we called it cybersecurity or information systems security. It was just we were setting systems up to be secure, and it didn’t have a name. I’ve been in the cybersecurity area probably the majority of my career.
I worked as a database administrator for a while, so it was limiting access to data, making sure that users had access to data when they needed it. Probably initially, we were doing it for efficiency when we were talking networks, just making sure that we didn’t need to let users traverse the entire network, but to segment it. That’s one of the best security practices, but it’s also for efficiency as well.
Wes: I know that companies are beginning to look more and more at vulnerability assessments to try and protect their assets within the organization. What other types of contingency planning would you recommend for a company trying to protect itself?
Kevin: I think one of the big things is what you said, is assets. Asset identification, that’s got to happen first. Companies have to realize what digital assets do they have so that they know, what can they do to protect it?
Some of the ways are penetration testing, so hiring external companies to come in and look for those gaps or those vulnerabilities that they may have that they may not recognize. Even if they recognize them, might help them assess the risk level of an attacker taking advantage of those vulnerabilities.
Different things that companies can do is also, when they’re looking at their strategies, whether the strategies are on-premise or design of their network and their tools, whether it’s a cloud‑based or a hybrid. All of that can help them with the contingency planning that if there is a hybrid solution between on-prem and cloud, they could integrate that into some of their contingency plans.
That if their physical network was compromised, or their physical infrastructure was compromised, they could roll to the cloud.
Wes: When you say penetration testing, that sounds a lot like hiring a hacker to hack into your company. Are there any risks with penetration testing?
Kevin: There are risks. Probably one of the biggest risks is that some of your internal rules that you have, especially if you’re using intrusion detection or intrusion‑prevention systems, that this attack from the outside, if not properly managed, could be considered a legitimate attack. Then your plans to protect your network, shutting off access to certain areas, could potentially be a problem.
There also is some debate in the cyber area of whether it’s a good practice, instead of hiring the penetration testing, are companies that penetrate, try to assess these different vulnerabilities are also hiring hackers, if you will, to try to do some of the same things without having the boundaries of some of the hiring professional companies. That’s a debate.
Then you have a risk of hiring somebody that may not have some of the best practices that some of the penetration companies have. That’s a debate that’s going back and forth.
Wes: What’s funny is I’m from Michigan, and GM is a huge presence up there. Really, a lot of the newest discussion in cybersecurity, at least in my neck of the woods, is about how to protect against hacking into a vehicle. It occurs to me that a car really is the most expensive computer that you own. What are some strategies you would recommend?
Kevin: I think one of the things is just, again, design and conception. When we talk about vehicles, of what communication do you want to be made available? GPS and mapping in cars have been around for a while, but part of that comes into play that if you’ve got a map loaded that’s a few years old, and there’s a new area that you’re trying to get into, your maps aren’t updated.
Some of the newer vehicles automatically update via connections that are in the car. The thing there is the more communication path that you’re opening from the outside, that’s increasing the risks. Each one of these communications, whether you have WiFi available in the vehicle, whether the software can be updated remotely, all those are introducing another potential vulnerability.
To think about that, consider that in the design. Again, it’s convenience versus security, as well as, do you keep those redundant physical connections? When you modernize cars, or you have the vehicles that are controlled by computers, there’s not necessarily a need to have a physical connection, say, for instance, to a braking system.
Do you make the decision to keep that for a fail-over, or do you get rid of that actual connection and totally rely on the technology?
Wes: It sounds like companies need to be more proactive. Right now, the industry, at least the auto industry, is more reactive. Like you said, moving that into the design phase sounds like the way to go.
Kevin: Yeah. I think it’s hard with tech, because we always constantly have to look at those. They’re in the tech sector. When these new technologies become available, when is the right time to use them? What’s the right application to use them? Sometimes the decision is that we can do it, but maybe we shouldn’t do it in a certain situation.
Wes: Let’s switch gears real quick and talk about jobs. What type of education do you think companies are looking for when they’re trying to hire an IT manager, say, or a cybersecurity analyst?
Kevin: I think one of the things they’re looking for on top of, they want somebody with the breadth of technical knowledge so that they can communicate technically, and they can understand the technical risks. They also want somebody that is available to…They want somebody that can work with the business functional units to understand what the actual business is.
They want to critically think, so I think these additional skills on top of the technical skills are really important in what they’re looking for in a manager, somebody that can make those decisions, that understand the risks that are out there.
Wes: Just hearing you say that, having those extra skills, that occurs to me that that’s something that veterans might possess. It seems to me, cybersecurity is a very easy field for a veteran to transition into, given that set of skills. Not necessary, but it could help.
Kevin: Yeah, definitely. I think that’s one of the biggest things about the cybersecurity field, is making sure it’s an inclusive field. Veterans and other populations that we don’t see a lot of in the cybersecurity field, to make sure that it’s welcoming, diverse, so that all these unique experiences that individuals can bring can help to ensure that the field’s secure.
Wes: Right, right. That actually leads me to another thing. We’re talking about veterans, but there’s another demographic group that’s not very well represented in cybersecurity, and that’s women.
Wes: What can companies do to try and attract more female talent into their companies?
Kevin: I think having programs and recruiting, starting back from even awareness programs throughout the company. A lot of time, there’s a misconception that cyber or computers, the computer field in general, is only, you have to look like this, you have to have a certain skill set.
Again, from securing actual servers, securing the data, securing web structure, securing social media, these are all parts of it. There’s availability for everyone to be cyber warriors, if you will.
Wes: Back over to jobs, or back over to education, rather, how important are cybersecurity certifications as opposed to a degree program? Should there be some combination of both?
Kevin: It’s a question in the IT field in general that’s been there for years. I always like to say that it’s not one or other. If you look at the combination of experience, certifications, and degrees, all three of those work together to show someone that’s a well‑rounded individual. It’s not one versus the other. It’s how well those three work together.
Wes: That makes sense. We had, this past year, 2018, some pretty massive cybersecurity breaches, from Facebook to Uber, to T‑Mobile, to Hyatt. Are criminals just that much more advanced than these companies can keep up with? What’s happening? Are these companies not prepared? Do they need to employ more cybersecurity analysts?
Kevin: I think one of the things, when you look at some of the breaches that you talked about, the issue is not necessarily what the companies aren’t doing. Of course, everyone can always firm up their foundation with their cybersecurity.
Most organizations, companies, medical facilities, government agencies, are collecting so much vast amounts of data that if there is a breach, it’s not just affecting 10 people, it’s not just affecting 20 people, it’s affecting millions of individuals. I think that’s the landscape that we’re in, that when these breaches happen, they’re large‑scale.
Unfortunately, because of the interconnectivity of these organizations that we’re going to start seeing these breaches continue to get larger…
Wes: More often.
Kevin: Just because of how much data is being stored centrally.
Wes: Right, right. There is a severe shortage of trained cybersecurity professionals in the United States. What’s the solution?
Kevin: We’ve got to move into ‑‑ and I think we’ve got there ‑‑ is its a collaborative effort. How do we shore up this pipeline of qualified cyber individuals or cyber warriors, if you want to call them, to protect the critical infrastructure here in the country? It’s collaborative, between educational institutions, organizations, government entities setting policies, setting legislation, passing legislation.
All this has to work together. We really have to be creative. What type of cyber programs are they? I think educational institutions, what programs are being delivered? There are vast amounts of diverse cyber programs, and there’s a place for all of them.
Relationships with the K-12 industry. Just when someone gets to college, and they decide to choose a career path, they make that decision, possibly, in fourth grade, fifth grade, or sixth grade. Making sure that programs are available in primary and secondary education so that someone knows that this is a viable career.
Also looking at alternative paths for people that decide that they want to go directly into the workforce ‑‑ apprenticeship programs, co-ops, all these, because we want to ensure that we have this trained workforce. I think we have moved, and we’ve gotten there as a country to realize that we need all these organizations and institutions working together. There’s work for everybody to do.
Wes: I think you nailed it, talking about catching them younger, catching them in a secondary-type institution. I recently visited a high school called Pinckney High School. The state has actually funded this high school to be a cybersecurity training range on the cybersecurity range in Michigan.
It’s amazing having these young people really get involved in cybersecurity in high school, at that age before they have even started thinking about college. I think you nailed it. That’s exactly when we need to be attracting that talent.
Thank you, Kevin, so much for joining us at Commencement 2019. Again, that’s Wes O’Donnell, Commencement 2019, and we’re out.