Sam Visner on Cybersecurity's Impact on Business
Delivering Confidence In Cybersecurity
Our nearly 2,000 cyber professionals, led by some of the most respected names in global cybersecurity, serve both commercial and public sector clients worldwide providing vulnerability analysis, penetration testing, data loss prevention, managed security, and cyber forensics training and analysis. We also have a global StrikeForce available 24x7 to respond to cybersecurity incidents; a worldwide infrastructure of Security Operations Centers; and the ability to test software’s cybersecurity characteristics at our Common Criteria Test Laboratories — the world’s largest installed base — located in North America, Europe, and Asia. We are the first organization to achieve an independent, third-party Software Engineering Institute Capability Maturity Model (SEI-CMM) Level 3 rating, and have secured a SEI-CMM Level 4 rating for our strength in protecting the integrity of client information.
As the world gets more complex and attempts to steal your most precious information become more sophisticated, forecasting your future cybersecurity needs has become increasingly challenging.
For Sam Visner that’s especially true. Visner leads CSC’s cyber strategy, directing a worldwide team responsible for protecting the information infrastructures of our commercial and government clients, many of whom represent some of the world’s leading enterprises and process some of the world’s most valuable and sensitive data.
Visner also serves as a member of the global reserve program that supports the U.S. National Intelligence Council on cybercrime, is a member of the U.S. Defense Science Board Intelligence Task Force supporting the Under Secretary of Defense of Intelligence, and is an adjunct professor at Georgetown University’s School of Foreign Service, where he teaches a course on the effects of IT on international security.
In a recent interview, Visner shares his broad cyber perspective on how executives can best protect their organization’s most vital information today and into the future.
CSC World: Where are the public and private sectors in their use of cybersecurity today?
Sam Visner: Some — perhaps too many — agencies and companies today regard cybersecurity as a question of compliance. For example, if you’re a government agency, you have to meet specific cybersecurity requirements, and companies have a responsibility to shareholders, customers, and others to ensure they have adequate security to protect their interests. To a certain extent, many still use this compliance-based approach.
But savvier people are now asking what information is really at risk, what that risk represents to their organization, and how cybersecurity can help them manage that risk.
This is similar to when Volvo decided to make safety an intrinsic component of their cars, and not just an “add-on” option. At the time, the auto industry looked at safety as a question of compliance, but it wasn’t a key issue. Then Volvo came along and they owned the word “safety,” and it became a competitive discriminator.
In the private sector, some companies are beginning to question their risk and how cyber can give them a competitive advantage. For example, Boeing is asking how it can use cybersecurity to ensure it knows the origin of each plane part and that its test data is valid, so it can assure buyers and passengers that its planes are safe. Some pharmaceutical manufacturers are also asking how they can use cybersecurity to ensure the validity of their test data and to track the origins of their raw materials. In both cases, this speaks not only to compliance, but also to improving product confidence, which can become a competitive discriminator.
CSC World: Why would it benefit organizations to look past compliance and focus on risk?
Visner: Right now people realize they need to comply with a certain level of protection of customer data. If they don’t, their customers will be angry and might abandon them, or worse. But what’s really at risk is their intellectual property — the few things that make a company’s goods and services special. If they lose their operational data, they might recover. However, if they lose their core intellectual property — their marketing plans, product design, and research and development — they could lose the whole company.
If they don’t understand the risk to their intellectual property, which is the thing of most value, whether or not they can open their factory doors is irrelevant because their adversaries and competitors own their business. To succeed in the future, companies will need to move from compliance to using cybersecurity as a competitive discriminator and managing the risk to their intellectual property.
In the federal sector, some savvy agencies are also beginning to understand they need to increase their cybersecurity beyond the minimum requirements. They are realizing an agency that doesn’t have good cybersecurity will lose the confidence of its citizens, who then may decide its services are no longer useful.
Government agencies, much like the private sector, compete for business. Today, in the United States, the General Services Administration is trying to increase its role as the contracting organization of choice for the rest of the federal government and, to do so, its own cybersecurity has to be good.
CSC World: How would you rate the world’s overall cybersecurity profile?
Visner: In addition to the companies that look at cybersecurity as essentially a compliance-based activity, some companies believe sufficient cybersecurity is baked into whatever information system they buy, so they don’t worry about it. Then there are organizations that have always been at persistent risk and know it, like financial services firms, and they take cybersecurity fairly seriously.
Then there are the companies whose risk is changing, such as those who own and operate critical infrastructure. Until now they have relied on the fact that the information systems that guide their generators and pipelines have been separate from the public’s systems. But today these systems are being connected through the Internet. In some cases, like the power grid in the United States, they’re being connected to devices that have Internet protocol (IP) addresses, which enable the public to understand and manage the power in their house. As these formerly isolated systems link to public systems, which is now happening for the first time, the risk to these systems is changing from what it was a few years ago. This is something not everybody entirely understands, nor do they understand how they will mitigate these new risks [1].
CSC World: Has the risk environment changed and how can organizations respond to new threats?
Visner: It has really changed. New threats like polymorphic viruses and advanced persistent threats, which can get into a system, look for the information they want, seek out the servers that deal with that information, and remain resident there surreptitiously for a long time, can be difficult to spot. Companies that have taken a low-level compliance-based approach to cybersecurity are vulnerable.
Many information systems were built piecemeal over time and weren’t instrumented well. So they don’t have good enterprise management and tools, which allow a company to study and understand the normal behaviors of the complete enterprise.
Most companies are still thinking about that problem. Their systems are segmented into individual stovepipes, and they don’t have the ability at the enterprise level to look across the whole organization. Many organizations simply do not have that kind of understanding. Without that, if a system like this gets infected with these new sophisticated threats, it will be difficult to determine if it has been infected. Organizations need to increasingly pay attention to situational awareness and understand what’s happening inside their company.
CSC World: In the future, what do you anticipate happening in the world of cybersecurity?
Visner: First, I think threats will continue to become more intense. Global competition for business will include efforts to develop and acquire intellectual property. Therefore, intellectual property and intellectual capital — those things that set a company apart — will become more valuable than ever before and the threat to them will rise. Second, threats will continue to become more adaptive and subtle. Instead of knowing that a threat has a particular signature or fingerprint, it will have a changing signature and set of fingerprints, becoming more difficult to detect.
Third, attention to cybersecurity will rise. Savvier companies realize they need to protect their intellectual property. It won’t be a question of compliance — it will be a question of survival.
Today’s auto manufacturing environment is a good example of this where manufacturers are being questioned about their parts’ origins and validity of their test data. Fourth, nations will increasingly cooperate to improve the global economy’s cybersecurity. They will do this to make it more predictable and less susceptible to cyber terrorism and cyber vandalism, as well as protect the critical infrastructures of sovereign countries. More and more of this international cooperation will take place. Policies will emerge that relate to global cyber governance. The UK’s Digital Britain report [2] is one example.
CSC World: What cyber innovations do you see on the horizon?
Visner: An important innovation is situational awareness, which will enable companies to understand what’s happening inside their enterprise as well as in the global environment. With situational awareness technology, they will be able to see threats as they evolve before they hit their operations. Another development will be better computer-aided tools that will enable companies to assess more quickly and effectively a threat and select the right defense for it, much like a doctor having a more automated, intelligent, and efficient way of making a diagnosis and selecting the treatment. A third innovation, which we are helping drive, involves securing new architectures, like the cloud.
Today organizations are beginning to adopt these architectures because they offer tremendous operational advantages; however, they worry about security. With offerings like our cloud security and Trusted Cloud capabilities, organizations will be able to develop secure new architectures.
CSC World: What cyber innovations will clients see from CSC?
Visner: We are further upgrading our Security Operations Centers so we can even more effectively monitor threats and give clients greater situational awareness of what’s happening inside their organizations as well as the general external environment in which they operate. We are also introducing advanced cybersecurity tools and capabilities, such as iRisk, which will let clients assess risks to their information, including their intellectual capital. We’re doing a lot. If people Google “cybersecurity” and “CSC,” they should say it looks like somebody’s trying to make a point, and we are.
[1] Learn more about identifying security risks in advanced metering infrastructure and smart meter technologies at www.csc.com/ami.
[2] “Digital Britain, The Final Report”.
