CISO Report: If You Can Drive A Bus, Then You Can Fight Cybercrime
Lessons from HPE CISO Bobby Ford how to build a cyber army
– David Braue
Melbourne, Australia – Apr. 7, 2023
The CISO Report is sponsored by KnowBe4.
Despite all the talk about the damage caused by cybercriminals — through ransomware, credential theft, malware and the like — Bobby Ford believes there’s another aspect of cybercrime that we’re only just starting to get our heads around.
And while these high-profile cyber-dependent crimes are expected to cost the world $8 trillion annually this year and $10.5 trillion by 2025, it is the impact of cyber-enabled crimes that Ford believes is far less well understood.
As CISO of tech giant HP Enterprise (HPE), Ford — a former US Army soldier who has worked across aerospace, defense, life sciences, and fast-moving consumer goods — has had the opportunity to observe cybercriminal activity from many angles, including working alongside law enforcement agencies.
And if cyber-dependent crimes are the tip of the cyber iceberg, then cyber-enabled crimes — traditional criminal activities that leverage new technologies to extend their reach or intensity, such as selling drugs on darkweb marketplaces — are the rest.
“I don’t think we fully appreciate how big the problem is,” he told Cybercrime Magazine.
“As we continue to talk about digitalization, and we continue to see things move to the web, I think that [cybercrime] will only continue to grow — but we still haven’t even begun to go deep and truly understand the magnitude and impact of just how much cyber activity and cybercrime will actually cost us.”
Yet for all its menace, and despite a cybersecurity spending explosion that is expected to pass $1.75 trillion by 2025, Ford believes many companies may actually be spending too much on cybersecurity — and in the wrong places.
“It’s one thing to spend enough, and another thing to spend effectively,” he explained, likening the situation to his own challenges balancing his love of collecting great shoes with the need, after relocating to London, to buy practical walking shoes.
“You do a lot of walking in London, and I should have been buying for function more than fashion,” Ford admitted. “It wasn’t about how much I was spending, but how I was spending. And when I look at the industry today, I still think that’s a nut that we haven’t cracked.”
Many companies, he said, have taken a conventional approach that conflates the amount they spend with how effective that spending is — leaving them with high-tech security solutions that don’t necessarily benefit the business the way they’re intended to.
“I still think that we’re spending and we don’t truly understand where we should be spending,” he explained, “and then how much value we’re getting when we spend money.”
“How much are we actually spending to reduce risk?”
Building a cyber army
As CISO of a worldwide organization with around 60,000 employees, prioritizing security spend to maximize risk management is particularly important for Ford. Yet effective management of cybersecurity risk is as much about people as it is about technology — which keeps him focused not only on cybersecurity technologies, but on managing that workforce to ensure the human element supports his efforts to minimize operational risk.
By taking the right approach to building up a cybersecurity team, Ford believes businesses can and should increase the overall cybersecurity skills pipeline rather than concentrating their efforts on poaching experts from other companies.
Putting its money where its mouth is, HPE has been working to do just that through its HPE Cyber Security Career Reboot Program — a retraining program that has gained considerable momentum by targeting exactly the type of people that conventional cybersecurity organizations would normally overlook.
“There are only two qualifications you need to be in the program,” Ford explained. “The first is that you can have absolutely no cyber experience — and the second is that we would prefer you not have a degree.”
That may sound strange given the widespread perception that cybersecurity is complex and technical — but by bringing in employees on the ground floor and training them up, Ford says HPE has been able to capture new restaurateurs, school bus drivers, and other non-technical workers that have thrived when given a leg up into the new industry.
“When I enlisted in the Army, all they required of me was a pulse,” Ford said, “and they’d teach [us] everything else we need to know. I’d take that same mentality when it comes to cyber: if you have a pulse, we can teach you everything else you need to know.”
Yet teaching employees about cybersecurity is only part of the equation.
Many companies, Ford argues, are wedded to the wrong approach — top-down security awareness training in which employees are, for example, encouraged to report suspected phishing emails to central IT departments.
This approach can be useful, but by centralizing the response Ford believes companies that adopt it are missing an opportunity to make their workforce better educated and more responsive to cyber threats.
“You’ve often heard it said that humans are the weakest link,” he said, “but I fundamentally and philosophically disagree with that: they have the potential to be our strongest line of defense — but, unfortunately, we’re still relying on awareness and education as opposed to actually equipping them to help us in the fight against the adversary.”
Disintermediating the phishing response, for example, might see employees empowered to flag phishing emails as malicious and have the same message automatically pulled from the email inboxes of their fellow employees — all without relying on overworked central IT organizations.
“Education and awareness has increased, and our employee base is much more aware,” Ford explained. “But the next evolution that we should be talking about is going from education to equipping our employees so they can help us in the fight.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.