Brandeis GPS Blog

Insights on online learning, tips for finding balance, and news and updates from Brandeis GPS

Tag: matthew rosenquist

2019 Technology Outlook

Technology Transformation for 2019

December 27, 2018 / / 0 Comments

By Matthew Rosenquist

Digital technology continues to connect and enrich the lives of people all over the globe and is transforming the tools of everyday life, but there are risks accompanying the tremendous benefits. Entire markets are committed and reliant on digital tools. The entertainment, communications, socialization, and many others sectors are heavily intertwined with digital services and devices that society is readily consuming and embracing. More importantly, the normal downstream model for information has transformed into a bi-directional channel as individuals now represent a vast source of data, both in content as well as telemetry. These and many other factors align to accelerate our adoption and mold our expectations of how technology can make a better world.

This year’s Activate Tech & Media’s Outlook 2019 presentation provides a tremendous depth of insights in their slide deck (153 slides) with a great amount of supporting data. It highlights many of the growth sectors and emerging use-cases that will have profound impacts on our daily lives.

Transforming Tech IntelligenceWomen's face being scanned

We are moving from the first epoch of digitally connecting people, to the second epoch of making intelligent decisions through technology. Artificial Intelligence research is advancing and with it the infrastructure necessary to make it scalable across a multitude of applications. Solutions are just beginning to emerge and yet showing great promise to make sense and use the massive amounts of data being generated.

Overall, devices and services continue to evolve with more awareness and functionality. We are in the ramp of adding ‘smart’ to everything. Smart: cars, cities, homes, currency, cameras, social media, advertising, online-commerce, manufacturing, logistics, education, entertainment, government, weapons, etc. It will be the buzzword for 2019-2020.

Such transformation opens the door where tools can begin to anticipate and interweave with how people want to be helped. Better interaction, more services, and tailored use-cases will all fuel a richer experience and foster a deeper embrace into our lives. Technology will be indispensable.

Risks and OpportunitiesGears and numbers

Reliance in our everyday activities means we have the luxury of forgetting how to accomplish menial tasks. Who needs to remember phone numbers, read a map, operate a car, or know how to use a complex remote control. Soon, our technology will listen, guide, watch, autonomously operate, and anticipate our needs. Life will seem easier, but there will be exceptions.

All these smart use-cases will require massive data collection, aggregation, and processing which will drive a new computing infrastructure market. Such reliance, intimate knowledge, and automation will also create new risks.

The more we value and rely on something, the more indebted we are when it fails. We must never forget that technology is just a tool. It can be used for good or for malice. There will be threats, drawn to such value and opportunity, that will exploit our dependence and misuse these tools for their gain and to our detriment. At the point people are helpless without their intelligent devices, they become easy victims for attackers. As we have seen with data breaches over the past several years, when people are victimized, their outlook changes.

In this journey of innovation and usage, public sentiment is also changing across many different domains. The desire for Security, Privacy, and Safety (the hallmarks of Cybersecurity) continues to increase but may initially be in direct conflict for our desire to rapidly embrace new innovations. This creates tension. We all want new tech toys (it is okay to admit it)! Innovation can drive prosperity and more enjoyment in our lives. But there are trade offs. Having a device listen, record and analyze every word you say in your bedroom may be convenient in turning on the lights when you ask, but it may also inadvertently share all the personal activities going-on without your knowledge. A smart car effortlessly transporting you to work while you nap or surf the internet sounds downright dreamy but what if that same car is overtaken by a malicious attacker who wants to play out their Dukes of Hazzard fantasies. Not so much fun to think about.

In the end, we all want to embrace the wonderful benefits of new technology, but will demand the right levels of security, privacy, and safety.

Trust in TechnologyMan poking padlock

Unfortunately, trust in digital technology is only now becoming truly important. In the past, if our primary computing device (PC or phone) crashed, we breathed a small curse, rebooted and went on our way. We might have a dropped call or lost part of a work document, but not much more harm than that. That is all changing.

In the future, we will heavily rely on technology for transportation, healthcare, and critical infrastructure services. That autonomous car we expect not to crash, the implanted pacemaker or defibrillator we expect to keep us alive, or the clean water and electricity we expect to flow unhindered to our homes may be at risk of failure, causing unacceptable impacts. We want tech, but very soon people will realize they also need security, privacy, and safety to go along with it.

But how will that work? We don’t typically think of trust in terms of high granularity. We naturally generalize for such abstract thoughts. We don’t contemplate how trustworthy a tire, bumper, or airbag is, as those are too piecemeal, rather we trust the manufacturer of the car to do what is right for all the components that make up the vehicle we purchase. We want the final product, tied to a brand, to be trustworthy. For those companies that we trust, we tend to believe, whether correct or not, in all their products and services. This reinforces tremendous loyalty. The reverse is true as well. One misstep can become a reputational blight affecting sentiment across all a company’s offerings.

The saying “We earn trust in drips and lose it

in buckets” perfectly exemplifies the necessary

level of commitment.

Writing the word trustedTrust may become the new differentiator for companies that can deliver secure and safe products in a timely fashion. Those who are not trustworthy may quickly fall out of favor with consumers. Privacy is the first in many problems. Consumers, government regulators, and businesses are struggling to find a balance that must be struck between gathering data necessary for better experiences, but not too much that it becomes a detriment to the user. A difficult conundrum to overcome. Security and safety aspects will follow, where the potential risks grow even higher. The challenges are great, but so will the rewards for all those who succeed. I believe those companies which master these disciplines will earn long-term loyalty from their customers and enjoy a premium for their products.

2019 might be the first year where we witness this delineation as consumers may gravitate to more responsible companies and begin to shun those who have misplaced their trust. The big story for next year may in fact be how purchasing decisions for technology are changing, thus driving greater commitment to making products and services more security, private, and safe.

Interested in more insights, rants, industry news and experiences? Follow me on Steemit and LinkedIn for insights and what is going on in cybersecurity.

Read the article as originally published here.

Matthew Rosenquist is a member of the Brandeis GPS Information Security Leadership advisory board. He is a Cybersecurity Strategist for Intel Corp and benefits from 28 years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.

Faces of GPS is an occasional series that profiles Brandeis University Graduate Professional Studies students, faculty and staff. Find more Faces of GPS stories here.

With these glasses I will become a Cybersecurity Expert!

When the Wrong Person Leads Cybersecurity

December 4, 2018 / / 0 Comments

By Matthew Rosenquist

Succeeding at managing cybersecurity risks is tremendously difficult even for seasoned professionals. To make situations worse, poorly suited people are often chosen to lead security organizations, bringing about disastrous results. This has contributed to weaker risk postures for organizations and the rapid turnover in cybersecurity leadership.

I am unhappy to report that the industry has a pervasive problem that few want to discuss: a propensity to enlist inexperienced or unsuitable professionals to lead cybersecurity. It is time to change that caustic and enabling behavior by first recognizing the problem.

As an example, recently in the news, there was criticisms for someone appointed with the responsibility to lead the cybersecurity effort for the 2020 Olympics, but had never used a computer. How does someone who has never used a computer and has difficulty answering basic questions about USB drives, be tasked with building a cybersecurity program to protect the digital security, privacy, and safety for hundreds of thousands of people?

Downward Spirals

Sadly, I have seen similar situations play-out over and over again across academia, business, and government sectors. Far too often, poorly suited people are appointed such roles and it simply does not make sense. Let’s be clear, most are truly knowledgeable and accomplished in their primary field, but a transition to security is a significantly different domain. Engineering and product management executives focus mostly on static problems where there is a solution and desired end-state. Whereas in cybersecurity, we face a highly dynamic set of threat agents, people who are creative, intelligent, motivated, and dynamic, who will adapt to any solution. There is no permanent fix for cybersecurity as it is an ongoing competition to managing risks between defenders and attackers.

Human nature, overconfidence, and a lack of understanding the challenges begins to shape a counterproductive mindset. It is common for a professional from a different discipline, transplanted and put in charge of cybersecurity, to believe their prior expertise is equally applicable to the new challenges. Somehow, magically, they think they are as proficient and insightful at an adjacent domain as their previous profession. To those experienced in adversarial challenges who have seen this unfold, it is an affront to common sense. It is no surprise that such dangerous situations most often result in momentous failure.

For years, the turnover rate in cybersecurity leadership positions across the industry has been very high, with most Chief Information Security Officers (CISO) only lasting 2 to 4 years. When surveyed, CISO’s cite a lack of executive management support or insufficient budgets were the pervasive motivators. But that is only one side of the story as many CISO’s have been let go.

I have always been curious what C-suites and board had to say. When I ask company leaders about a change in cybersecurity leadership, I often hear that an outgoing CISO was ineffective, could not communicate risks well, and demanded significant budget increases every year yet the organization did not show a commensurate benefit. Events culminated when a severe incident occurred and then the C-suite or board chose to find a new security leader.

With the shortage of CISO’s in the industry, those displaced quickly find another company and continue their ‘training’. This musical-chairs routine does not serve the company or overall industry needs very well and simply transplants problems from one organization to another.

Masters of All

This mistake occurs regularly with technical personnel, probably as cybersecurity is generally characterized as a technology problem by the unacquainted. An accomplished engineer or architect is put in charge of security and now with ‘cybersecurity’ in front of their title they truly believe they are a risk expert. They are not. Being savvy in technology vulnerabilities and exploits is far different than understanding the massive breadth involved in managing risk. Most are unwilling to admit their shortsightedness in the breadth and depth of the challenges and their arrogance simply becomes a hinderance to seeking the needed help to be successful.

Ego can be such a major hindrance when the fear, of being perceived as not understanding a problem or knowing an answer, limits your actions. It is typical for a person in such a quandary to retreat back to familiar areas they know, resulting in defining the problem and solution only in the terms of technology. This ignores the behavioral, adversarial, and process aspects that are crucial to managing risk. With blinders on, they continue to push forward regardless, thus the car wreck begins.

Cybersecurity is more than just a ‘tech’ problem and will never be ‘solved’ with technology alone (two pervasive misconceptions from engineers first joining cybersecurity). They are likely doomed. I have seen this happen countless times and can spot it a mile away. It is like an automobile accident happening in slow motion with an overconfident driver continuing to push forward as metal bends and glass shatters.

Enlarged Version of Cybersecurity Domains

Part of the issue is that people, who are experts in one field, assume they understand the entire problem set in another adjacent but ambiguous field. It is not until they are in the new role, that they then experience the unforeseen challenges of a different world.

Imagine a hospital. Would you promote the engineer who developed a defibrillation tool to be an emergency room doctor? No. Although tools and technology play a crucial role in medicine, it is not the same as predicting, preventing, detecting, and responding to health risks for patients across their lifespan. The same applies in cybersecurity. Technology is the battlefield, not the war. Understanding the terrain is important, but must be combined with a keen assessment of your opponents, and the ability to operationally maneuver in advantageous ways.

This is true in other fields as well. Aeronautical engineers aren’t promoted to fighter pilots and textbook publishers aren’t necessarily good grade school principals, so why do organizations make the mistake of a taking a software engineer or business-line product manager and expect them to be successful in leading cybersecurity?

Two Scenarios: Vastly Different Chances for Success

Now, I did say this is a recipe for failure most of the time. There are some, very rare situations, where an insightful but inexperienced person takes a cybersecurity leadership role and succeeds. It is possible. I have only seen it a handful of times and in every case that person was realistic about their knowledge and checked their ego at the door.

Guaranteed Failure:

An engineer, project manager, or business executive is put in charge of cybersecurity. They are confused or intimidated by security practitioners in their organization and respond by immediately surrounding themselves with like-minded, yet similarly security inexperienced people. They add other engineers, marketing, and legal people to their core echelon, inadvertently creating a self-reinforcing ineffective group-think team. Congratulations, an inexperienced leader has just encircled themselves with a cushion of people who don’t have the knowledge to challenge poor directives or independently deliver sustainable success. If you wonder what conversations with them are like, take a look at the Dilbert cartoon, specifically the ‘manager’ character. That is pretty close. Funny from afar, but frustrating up close.

Ineffectual organizations tend to grow fast, spend a lot of money, make hollow promises, tell a story of difficult times that are turning around, but have no real strategic plan, prioritized goals, or clearly defined scope with organizational roles and responsibilities. They seek non-existent cure-all solutions, and their long-term stratagem is to hope nothing bad happens while they battle daily issues. Even worse, the proficient security personnel, that may have been part of the team, will likely leave such a caustic environment for a better employer. That breaks my heart when I see capable people who want to make a difference, driven away. When quality employees begin jumping-ship en-masse, it is a sure warning sign.

The easiest way to detect this situation early on, is to look at their metrics, or lack thereof. If a security organization operates without the benefit of tangible metrics, it is a likely sign they have not defined or are not tracking against goals, roles, objectives, and probably aren’t measuring or tracking risk. What they are doing is responding to issues, self-marketing, rapidly growing the team, consuming significant resources, slowing down the business, and the looking for people to blame when their ineffectiveness becomes apparent. These orgs don’t last. They implode. People quickly leave and executive oversight will soon look past the whitewash to cut budgets, headcount, and eventually replace the leaders.

Potential for Success:

An engineer, project manager, or business executive is put in charge of cybersecurity. They understand they are not a security expert, so they assemble a team who has experience and talent in protecting digital assets, understanding threats, can articulate risks, and are intimate with the technology in use. They build an organization structure that is comprised of operations, engineering, and risk intelligence teams. Then listen and learn. Great leaders bring in the best people and let them excel. They quickly get clarification on the business goals and expectations from executives and customers. They then identify prioritized objectives, define a scope, derive the supporting measurable goals, identify areas in need of immediate attention, and establish the measures & metrics necessary to track progress.

Governance issues are addressed and a strategic process capability is embedded to constantly improve the organizations risk management ability to predict, prevent, detect, and respond to threats. They establish both the tactical plans necessary for immediate survival and day-to-day management, but also define a long-term directional strategy that takes into account the ever-evolving threat landscape, technology changes, and shifting expectations for security, privacy, and safety.

Proficient security workers thrive in such organizations and rarely leave. With a strong plan and capable team in place, leaders can effectively communicate and advocate across the organization. If all of these elements land in place, with the proper support, even an inexperienced security leader can have a chance at success.

Unfortunately, it rarely happens.

Failure is Expensive

Cybersecurity is difficult. It becomes exponentially more problematic when someone who lacks the necessary mentality or skills comes in and makes it profoundly worse. Cleaning up an ineffective legacy security program is painful, expensive, and time consuming. Simultaneously, a poor risk posture opens the door to more attacks and greater impacts until a capable security program is instituted.

We must understand that cybersecurity, like many other highly specialized roles, requires a depth of insight and experience to lead. I will echo Sun Tzu’s “…do what is great while it is small” and recommend putting a good leader in place the first time to build an effective and sustainable cybersecurity organization.

Let’s all break the silence and openly discuss the cycle of poor cybersecurity leadership, for everyone’s benefit.

For more insights on the challenges and required strategic deliverables, read my post Cybersecurity Fails Without Strategy.

Interested in more insights, rants, industry news and experiences? Follow me on Steemit and LinkedIn for insights and what is going on in cybersecurity.

Read the article as originally published here.

Matthew Rosenquist is a member of the Brandeis GPS Information Security Leadership advisory board. He is a Cybersecurity Strategist for Intel Corp and benefits from 28 years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.

Faces of GPS is an occasional series that profiles Brandeis University Graduate Professional Studies students, faculty and staff. Find more Faces of GPS stories here.

“Ask the Expert” Special Event Webinar

October 6, 2015 / / 0 Comments

InfoBubblez22

“Ask the Expert: Cyber Security” 

Led by Matthew Rosenquist, Cybersecurity Strategist and Evangelist at Intel Corporation

Wednesday, October 21st at 7pm via Adobe Connect

Matt’s areas of expertise include :
  • Security industry advocacy
  • Security strategy and planning
  • Security operations management
  • Platform security product/service development and sustaining operations
  • Emergency/Crisis response command, control, and communications
  • Security policy development, training, and compliance oversight
  • M&A information security strategy and management
  • Security product strategic planning
  • Technical and behavioral risk assessment and threat analysis
  • Determination of security business value and ROI
  • Threat Agent Risk Assessment (TARA) methodology
  • Internal and external investigations
  • Corporate consulting for risk management and strategic alignment
  • Security industry outreach, evangelism, speaker, and champion

 

RSVP here

 

MatthewRosenquist-Oct.21Webinar

Matthew Rosenquist joined Intel Corp in 1996 and benefits from over 20 years in the field of security. Mr. Rosenquist specializes in security strategy, measuring value, and developing cost effective capabilities and organizations which deliver the optimal level of security. Currently, a cyber-security strategist for the Intel Security Group, he helped in the formation of this industry leading organization which brings together security across hardware, firmware, software and services.

The community can connect with Matthew via Twitter @Matt_Rosenquist, Intel Blog and LinkedIn.

 

Increasing Interest in Cybersecuirty Education and Careers

October 2, 2015 / / 0 Comments
Matthew Rosenquist

Written by:  Cybersecurity Strategist and Evangelist at Intel Corporation

The world is facing a growing problem as people’s everyday lives are becoming more digital and increasing our reliance on cybersecurity to protect our interests, yet there are not enough security professionals to fulfill the rising demands.  This leaves gaps in the security of companies and organizations we share information with.  There is hope on the horizon.  Academia is adjusting to increase the training of graduates and there is a rising interest in students to study the variety of cybersecurity domains.  But more students are needed as demand is far outpacing the expected rise in available talent.

All the right elements are in place.  Pay for cybersecurity is on the rise, the needs for an estimated 1.5 million jobs is already growing, and higher education institutions are working collaboratively to establish the training infrastructure necessary for the next generation of security professionals to be prepared for success.  What is missing are the necessary numbers of students.  There simply is not enough.

The good news is millennials are interested, but need more information in order to commit.  Survey results from the Raytheon-NCSA Millennial report show the most prevalent factor for prospective students to increase their interest, is being provided data and expertise to explain what jobs entail.

Providing basic career information is absolutely possible but not as simple as it may seem.  Job roles do morph very rapidly.  Some data suggests as often as every nine months security professionals see their role, expectations, and focus being shifted into new areas or vary radically.  With such a rapid rate of change, cybersecurity is truly a dynamic domain where responsibilities are fluid.  This is not likely to turn off prospective millennials, as they are a generation which embraces diversity.  It may in fact, contribute to the attractiveness of these careers.  Combined with a strong employability and excellent pay, the industry should have no problem filling desk seats in universities.

What is needed right now are for experienced professionals to step up and work with educational institutions to explain the roles and responsibilities to the pool of prospective students.  Open forums, virtual meetings, presentations, in-class instruction, and even simple question-and-answer sessions can go a long way in painting a vivid picture of our industry, opportunities, and challenges which await.  The community should work together to attract applicants to the cyber sciences, especially women and underrepresented minorities who can bring in fresh ideas and perspectives.  I urge higher education institutions to reach out to the security community professionals and ask for help.  Many are willing to share their perspectives and industry knowledge to help inform students and encourage those who might be interested in a career in cybersecurity.  Only together can the private sector and academia help fulfill the needs for the next generation of security professionals.

TwitterIconFollow Matt on Twitter: @Matt_Rosenquist

Interested in Cyber Security? Join our #AskTheExpert session with Matthew Rosenquist! RSVP here

Footerindesign

 

© 2023 Brandeis GPS Blog

Theme by Anders NorenUp ↑

Protected by Akismet
Blog with WordPress

Welcome Guest | Login (Brandeis Members Only)