Dave Mahon brings impressive credentials to his current position as Chief Security Officer at CenturyLink. A former supervisory special agent with the FBI, Mahon began his 31-year career with the US domestic intelligence and law enforcement agency investigating organized crime, moving from there to international terrorism. During his tenure, FBI investigative methods evolved with the advance of the computer industry – Mahon’s group of agents was the first to use computer forensics in the investigation of white collar crime – and with the emergence of a second generation of “bad actors” whose operations were built on Internet-based attack methods. After completing FBI training in technology-focused counter-terrorism and counter-intelligence activities, Mahon himself became a specialist in investigations related to the exploitation of Internet, computer and network systems, eventually running the Bureau’s cyber program out of Denver, Colorado.
This experience provided a key lesson that Mahon believes is as invaluable in corporate environments as it is in FBI investigations: “whether you are working organized crime, terrorism, or cybercrime, you learn very quickly that you have adversaries out there. It’s very important to study them, study their objectives and to see how dedicated they are in their bad activities. What you begin to realize is that they are very motivated.” However, when the corporate world transitioned to computer-dependent practices, businesses had no experience with real adversaries. Mahon explained, “they never thought about the word ‘hacker’, and they didn’t realize that they were building something that someone was going to try to compromise.” Until very recently, he observed, the philosophy in the commercial space was to buy technical solutions – firewalls, spam or web filters – and rely on placing these in corporate networks as a means of providing total protection. “But that’s not how the bad guys work,” Mahon argued; instead, they detect these solutions and simply move their activities elsewhere. With his FBI training and experience, Mahon has been able to bring a more “threat-focused mindset” to securing corporate assets, which are vulnerable to the same kinds of attacks that government agencies encounter in their intelligence work.
According to Mahon, the best approach to effective cyber security is to first study the threat – the “five bad actors,” including nation states, such as China, Russia and Iran, large-scale criminal enterprises, terrorists, activist communities and insider threats. While technically-based solutions can provide a first line of defence against these, it’s more important to try to think like the adversary in order to anticipate what is coming next. This tactic, Mahon argued, is the best foundation for development of cyber-strategy that can protect the organization. The biggest threat will be different for each business and will align with its particular vulnerability – for example, a bank’s greatest asset might be individual customer records, personal data that is likely of interest to criminal organizations looking to steal credit card information. For the startup with new technology, the biggest threat might be the criminal organization or the company’s own employees looking to access and sell the IP associated with the technology. The key, Mahon explained, is to consider the organization’s assets, what the business is, what the objectives of the five bad actors are, and which of these might have interest in breaching security walls in order to determine who would be the most likely attacker. In other words, understanding cyber risk is the basis for developing cyber strategy that offers the best defense.
In protecting diverse assets, applying a security framework is the next step. Since 2011, Mahon has been CSO at CenturyLink, an IT and communications service provider with extensive physical, digital and staff assets, including 500,000 miles of Internet backbone, 60 data centres, 47,000 employees and customers in financial, healthcare, government, energy, and other critical sectors. Mahon’s purview at CenturyLink ranges from cyber security and critical infrastructure protection to physical and industrial security, network fraud and abuse, global threat intelligence and executive protection. In his experience, the NIST Cyber Security Framework and ISO 27001 are two examples of building blocks that can form the basis for a governance, risk and compliance structure, with corporate security processes and policy rolled into this GRC model. With policy and process – data classification and protection, for example – in place, the next stage involves developing an incident management or data breach plan. At the end of this thought process, a final, high-level decision revolves around evaluating current capabilities and deciding whether to build what’s missing or to outsource to a third-party provider. “I think where many small, mid and sometimes even large companies will evolve to is to say, ‘the five bad actors are so sophisticated, I can’t even hire enough people to deal with it. I will move to outsource my risk or transfer it to a company with a managed security offering.’”
This last option reflects an increasing IT reality for many organizations, which is the interconnection of corporate infrastructure and assets with those of other suppliers or businesses – in a cloud environment, or outsource relationship, for example, that may entail increased exposure. CenturyLink encounters this in its colocation business, where customers may also engage its managed security services or may opt for reliance on their own security resources. In these circumstances, to ensure one customer does not spoil the bunch, CenturyLink works with individual companies to understand their business objectives and risk profile and to draw a clear security demarcation line.
“What we explain to them,” Mahon stated, “is that security has a supply chain aspect to it, and you have to understand the security supply chain of your computing environments.” Each process in the colo relationship is mapped out, with responsibility for different pieces for CenturyLink, the customer and third party vendors spelled out, and security provided to the specified demarcation line. “If we are providing transport services to a switch in our data centre, and the customer is going to take data from that switch into their server, then they own the security [or data breach] from that switch,” he added. In addition, CenturyLink provides physical security, access control and vets the reliability of data centre employees to ensure the facility’s security. For the customer, SOC 1, SOC 2 or SSAE 16 reports based on third-party attestation of a service provider’s security credentials act as audits certifying that the provider meets certain security standards and that its internal controls are designed properly and operating as designed – a benefit that may be transferred to the customer’s client who may need to respond to regulatory requirements.
In the cloudy world of public, private and hybrid environments, CenturyLink follows a similar tactic, first understanding the client’s assets and its objectives in outsourcing work. If the goal, for example, is cost reduction in commodity workloads, then security in public environments may be appropriate. If additional control, intrusion protection, monitoring and reporting is required for more critical data, CenturyLink may advise building a private cloud. “The first question,” Mahon noted, “is, what are your needs? Don’t buy a space shuttle if a Chevy will get you there.” While analysis of log reporting for many basic audit functions (email filtering, web filtering, etc.) can be automated in a public cloud environment, monitoring for suspicious activity, or work carried out by “hunters” with specialized tools who look for specific issues, may warrant the increased cost and capability of another type of environment. An understanding of the company’s and the data’s “risk tolerance” is key to the decisions around IT service delivery that management and the board must make in developing a cyber security strategy. In this exercise, cloud security standards for specific verticals can offer some guidance. As Mahon explained, “If you are in the financial services industry, you have PCI standards – credit card industry data standards that talk about access management or patch management. If you move to healthcare, you have HIPAA standards that also talk about access and patch management in a way that is similar. In government there are also FISA standards…” Managed security services, he argued, allow the customer to take advantage of a provider’s experience building to these standards: “we have had to develop these services and network security controls for all the verticals, we understand how they map to one another and scale. We put the controls in because it serves us horizontally across all verticals.” An individual company, on the other hand, that was building its own network would have to invest heavily in resources and competent staff to make it PCI certified. “The unemployment rate in cyber security is zero, and will be zero for the foreseeable future,” Mahon added.
Despite highly publicized failures in data protection, many companies have neglected to adopt this kind of realistic, systematic approach to cyber security, which is an increasing requirement for companies operating in a digital world. Mahon sees this as an issue of oral and written communication skills: technically driven individuals who take a tunnel-vision approach to solving problems may have the required technical education and strategy but are unable to communicate effectively to the board of directors how security can act as a business enabler. To address this, Mahon urges security specialists to explain cyber security threats in a context that management can understand. To illustrate, he advised in tongue-in-cheek fashion: “If I was meeting the CFO for funding, I would not title my cyber security deck ‘cyber security business case’; instead I would title it ‘how to mitigate unintended earnings volatility’.”
Going forward, Mahon believes that the insurance industry may play a role in driving better behaviours. While cyber security insurance policies have been with us for some time, brokers and underwriters have had difficulty assessing risk and setting appropriate pricing. But as the fallout from high-profile breaches like the Target or Sony fiascos has become more apparent over the past year and a half, underwriters are recognizing the need for more diligence in identifying risk and setting prices on insurance policies. “Where this will affect the market is when companies try to renew or buy insurance for the first time – insurers might require that certain cyber security measures be in place, whereas before they didn’t do that.” If demonstrating the required attestation to show that appropriate security is in place proves difficult for many companies, re-evaluation of rates may be even more challenging, and a growing cost of doing business in the digital realm.