As cyber attack methods are constantly evolving, guests on this episode of The Insuring Cyber Podcast offered their best advice for how to evolve with them.
“This idea of being cyber resilient really involves planning for that worst day, ensuring that you know how to respond quickly, ensuring that your team can detect problems that are actually happening, and then looking at tools like risk transfer or cyber insurance to know what is covered, to know what resources are available to you, and to know, frankly, how to get the ninjas in there quickly to stop the bleeding if need be,” said Davis Hake, vice president of policy and a co-founder of Resilience Insurance.
This all starts, guests agreed, with continuous education.
“The fact of the matter is that hackers and their techniques are continuously evolving, and technology is continuously evolving as well. So, in our industry, being in this constant state of learning is not just a nice-to-have, but it is an absolute necessity,” said Shelley Ma, incident response lead at Coalition in Canada. “There simply is no place for stagnancy in my career.”
Ma works in digital forensics and incident response, where she aims to catch cyber criminals before they attack. Since 2014, she has analyzed, responded to and investigated more than 750 cases, and for the past two years at Coalition, she has helped policyholders defend against bad actors trying to wreak havoc inside their networks.
“It never ceases to surprise me how innovative, creative and opportunistic cyber criminals are,” she said. “And the types of cases that I worked on in 2016 are nowhere near the level of sophistication that I see today in 2022, and it’s only been a handful of years.”
She said her passion for continual learning in cybersecurity was sparked at a young age by a true crime obsession and Neopets—a website where users can own virtual pets and buy items for them using virtual currency. That led her on a journey through high school and college in which she landed in the field of digital forensics with the assistance of her own teachers and mentors. Through it all, education has remained close to her heart.
“Training and teaching is a very rewarding part of my career. I used to be a teacher before I got into science, so teaching is very much a part of my identity, and I imagine that it’s something I’d like to keep doing, ideally forever,” she said. “I feel like so many of the world’s problems could be solved if we just shared more information with each other.”
Hake similarly started his career in cybersecurity and now works in cyber insurance. He has nearly a decade of experience working with U.S. government, previously coordinating federal interagency cyber incident response and policy at the National Security Council and the U.S. Department of Homeland Security. Before joining the Obama administration, he was a leader in cyber and defense legislation and oversight on Capitol Hill, where he ran the Congressional Cybersecurity Caucus and drafted the first comprehensive cybersecurity legislation, culminating in the passage of the Cybersecurity Act of 2015.
He also helps train chief information security officers as a lecturer at U.C. Berkeley’s School of Information.
“I’m lucky enough to lecture for U.C. Berkeley’s School of Information, and they built a cybersecurity master’s program several years ago. The gap that they saw is something that still very much exists today, and it’s that cybersecurity is very much its own silo,” he said. “We have been trying to break it out of just the IT space for almost a decade.”
Hake said that he sees a big opportunity in the cyber insurance industry to bring more traditional tech leaders on board.
“I’m very excited about where the insurance industry can take this financial risk investment viewpoint and really help these more traditional technical security leaders up their game to something that matters directly in dollars and cents,” he said.
Another guest on this episode who has a passion for education is Kall Loper, vice president of digital forensics and incident response at cybersecurity firm Cyderes and a computer science professor at Southern Methodist University. He said that he believes education at the college level and beyond to encourage future cybersecurity professionals from a broad set of skills and backgrounds can go a long way in filling the industry’s talent gap.
“We have a skills gap,” he said. “We have a sheer workforce gap.”
In fact, he has personal experience with this as a cybersecurity professional who started his career wanting to pursue a related field: criminal justice. His goal was to deliver mental health services to prisoners. While working on his PhD, Loper found himself needing to quit his court-appointed job, where he says he was working on legal issues that dealt with prisoner access to the court, to spend most of his time collecting dissertation data. He instead became a UNIX systems administrator by night—a role in which administrators typically install, configure and maintain computer systems and servers running on UNIX—while working on his dissertation by day. In this role, he had access to a couple of hacker forums and found himself analyzing hackers’ communication patterns instead for his dissertation, which he says haven’t changed much in the past several decades despite how much the attack landscape has changed.
After finishing his PhD in criminal justice at Michigan State University, Loper built a career in cybersecurity, working closely with cyber insurers and advising clients post-incident about cyber insurance. He said encouraging professionals to enter the field from a range of backgrounds can only add value.
“I don’t think we should try and distort people to fit the model of what we want them to do. I think we should look to see if there’s a way we can take what people do well naturally and thrive while they’re doing it, and see if that’s going to be valuable to the pursuit,” he said. “If we can make it comfortable and productive for everybody who comes in, I think we’d just have better luck retaining people.”
All of this comes as the cyber attack landscape shows no signs of slowing down anytime soon, guests said.
“The attacker will often always have the advantage, right?” Hake said. “Because they only have to be right once, and you have to be perfect every time.”
Loper agreed.
“The most important thing about cybersecurity is that no matter how well you build it, somebody is going to defeat that,” he said. “There was a time when we thought all we need are end-point detection response tools. Once I saw my first version of that, I thought, ‘It’s over. My field is done. We don’t need us anymore.’ But the truth is, people found new ways to let the attacker in. Attackers found new ways to exploit the access they could get a hold of and bypass those tools.”
With this in mind, Ma said that training and talent acquisition needs to reflect the dynamic nature of the risks.
“In the cyber insurance industry, I would imagine that a successful workforce would be comprised of people who thrive in changing environments, who are hungry to learn, who enjoy and are curious about newness, and who aren’t afraid to step completely outside of the box.”
Check out the rest of this episode to find out what else Hake, Ma and Loper had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter.