CISO Talk: Security Challenges During COVID-19

In this inaugural episode of CISO Talk on TechStrong TV, Alan Shimel and Unisys CISO Mat Newfield talk about the results of the 2020 Unisys Security Index as well as cyber challenges in the time of the COVID-19 pandemic.

The video of the conversation is below, followed by the transcript. Enjoy!

Transcript

Alan Shimel: Hey, everyone. Thanks for joining us. Our next segment here on TechStrong TV features Mathew Newfield. Mathew is the CISO, or CISO as some pronounce it—I’ve always said CISO. “Sisso,” “seeso”—tomayto, tomahto. Anyway, Mathew is the CISO at Unisys. Mathew, thanks for joining us.

Mathew Newfield: It’s a pleasure to be here. Thank you, Alan, for having me today.

Shimel: Oh, my pleasure. So, Mathew, are you from the “sisso” or “seeso” school of thought?

Newfield: I’m the “sisso” school, but you are correct, I hear both.

Shimel: Alright. Yeah, you know, it’s funny, I was in security for about 20 years, and the last one I co-founded was called Still Secure. I left there, and I started something called The CISO Group, which was kinda like CISO in a box, if you will. And I got so used to hearing people go back and forth that I found me, myself, I go both ways on it, right? [Laughter] Sometimes I say “sisso,” sometimes I say “seeso.” You know, but it is what it is.

Anyway, you know what, before we jump in, I know Unisys recently came out with some interesting news, and analysis. But I always want to share with our audience, right? We have about half of our audience is cyber folks, half are more on the Dev cloud native side—or DevOps. But people want to know, how does one become a CISO, right? What’s kinda your—what was your career path, Mathew, to becoming CISO at Unisys, here?

Newfield: Alan, I love that question. So, I always tell people that what you did early on in life really doesn’t matter for this role. I actually have a Psychology degree, and I started my career in restaurants. I used to be a General Manager for a restaurant.

But when I decided to get into technology and have the dream of becoming a Chief Information Security Officer, I focused on working my way through every area of a CISO’s responsibility, from being a red team, from being purple team, to administration, design. I worked help desk for quite a while—so that I had a better understanding of all the components. And then I started working my way back up through management until I was given the opportunity to be a Chief Information Security Officer for Unisys.

Shimel: Absolutely. Beautiful. I think one of the other things, Mat, that people need to understand is that—first of all, for a long time, from organization to organization to organization, the role of a CISO was different, right? In some organizations, it was very much a technical, hands-on position where you were really rolling up your sleeves and working on security tools with the security team. In other organizations, the CISO really served as sort of a nexus translation point to take the security bits and bytes talk and translate it into business talk, right? Whether that was to the CIO or to the executive team or the board level or the CFO and Risk Management and those folks, right? You were the universal translator—not you personally, but the CISO role was the universal translator, if you will, of security and business.

And, you know, we’ve seen all of these roles now finally solidify a little bit, I think, anyway, and people understand, they don’t look at you like you have two heads when you tell them that you’re the Chief Information Security Officer any more.

Newfield: Yeah. The role really has changed over the past few years. You know, I don’t look at this role as the Office of No, which is what this office used to be, right?

Shimel: Yep.

Newfield: We are the enabler of business. So, one of the things I stress very heavily in our organization with my team is, our job is to find risks. That’s what we do. We look, discover, find and expose risks to the appropriate business owners within the organization and then we help provide guidance. That’s the job. We’re really the enablers of business securely.

Shimel: Yes, we can. [Laughter] Yes.

Newfield: Or at least with a reduced risk profile. Or, finally, the other area that I focus a lot on is, at least if you’re gonna make the decision and there’s a security risk, go in with eyes open. None of this, “I told you so” or, “Why didn’t you tell me?” It’s just an open, honest conversation about what’s really going on in the world.

Shimel: Absolutely. Alright, we’ve gotten that out of the way. That may be a reason, we may come back to that. We’ll have you on another time, Mathew, because there is so much that you want to talk about with that kinda stuff that makes—a lot of people are interested in. But you were kind enough to come on today regarding some recent findings by Unisys, and let’s share that with our audience.

Newfield: Sure. We just completed the 2020 Unisys Security Index, which is actually the longest-running recurring snapshot of consumer security concerns that’s conducted globally. We’ve been doing this since 2007, and what makes this year very interesting for us is the fact that we actually started this survey in the March/April time frame and we started making the polls out

Shimel: Right in the middle.

Newfield: – in the middle of the pandemic, right as things were really hitting the news and all of the information about what COVID really was and how it was impacting the world was spreading and we were starting to see a lot of the shutdowns that a lot of people are still experiencing. And we ran this in 15 different countries, both emerging countries as well as emerged countries, and we do that based on a bunch of factors, and the report is available on Unisys.com.

But one of the interesting things that we saw, for the first time since 2010, the concerns of the general populace around Internet security have been at their lowest level, and at a level we’re not used to seeing, because we expect, with all the news about identity theft and ransomware and attacks, for the concern of the general consumer around the world to be pretty high. But it’s actually very, very low.

Shimel: It is. You know, I think I told you before we went on today, I just, had just recorded Episode 58 of TechStrong TV, which we started when COVID started. And I gotta tell you, as I mentioned, I’ve been in security about 20 years—22 years, something like that. As a human being, right, just as a human, one of the things that most disgusts me about this whole COVID situation is that the hackers, the bad guys, they never miss an opportunity to take advantage of a good crisis, and even with all the human suffering and death and what we see going on here with people losing livelihoods and homes and just every, you know, a year for, like, biblical plague kinda year, right?

Newfield: Yep.

Shimel: These people are out there and we’re seeing a pandemic—we’re literally seeing a pandemic, not only of the biological virus, but of cyber attacks, whether it be ransomware, phishing, I mean, just one thing, you know, it’s disgusting as a human to say that these are fellow humans who are doing it.

Newfield: Absolutely, and countries that are doing it, and let’s—

Shimel: And countries.

Newfield: Yeah, and let’s be honest. When people’s minds are not focused on this, and for all the right reasons, let’s be honest—what’s going on in the world with the pandemic, what’s going on in the world, what you see in the news, these are very important things for people to have to deal with, and you hit a really valid point. If I’ve got to decide whether or not I’m gonna worry about Internet security or livelihood, the health of my family, the health of my friends, you know, can I go out and get groceries, am I gonna find a way to pay my mortgage or my rent? Of course, it’s gonna fall to the bottom of the list, and we would expect that.

But, unfortunately, to your point—and I think this is something people really need to understand—that’s the time that the adversaries really do come out. Because, for them, for a lot of them, this is business and they will have a better opportunity to make more money when people’s guards are down.

I was talking to someone earlier in the day and they said, “Well, give an example of susceptibility, here.” Well, everybody’s desperate for news. Everybody wants to know what’s going on with COVID. Am I going to be able to go to a store or a restaurant? Are they gonna open back up? So, when e-mails start coming into your inbox and you’re not paying attention, if the tagline or that headline is good enough, people are just blindly clicking. They’re not saying, “Did that come from a news source? Did I sign up for this?” and they randomly click. And the same is, if you’ve been out of work and you get an e-mail that says, you know, “We have a job for you,” you could be in an emotional state or a mental state, not thinking clearly, and they hope that you will click those links, they hope you will download those attachments or provide credentials to them through adversarial means.

Shimel: You know, I gotta tell you, when I’m done with this interview, we have our Friday afternoon—we’re recording this on Friday afternoon—we have our Friday afternoon team meeting. And one of the things on my list that I have to go over with my team is, we started receiving e-mails this week addressed to people on our team, using our e-mail format but not realizing that people don’t use their full name, if you will, as e-mail. And so, they’re using full names for our people’s e-mails, and the e-mails purport to come from other folks on our team, right? And they’re signed by other folks on our team, and it’s only when you click or hover over the “from” e-mail address in your e-mail program that you see they’re really some random Gmail account and, you know, they’re spear-phishing us.

And so, I need to—you know, we’re gonna run through a quick little phishing, anti-phishing exercise in our team today. And the e-mails are just what you described, Mat. They’re innocuous from, you know, “Hey, Joe, it’s Jim. You know me, Jim, who works with you every day. Hey, I need your help here, I just—I didn’t get a chance to send this out. Could you click on that?” Signed, you know, Jim Jones. And, you know, Joe’s gonna look at it and say, “Oh, Jim needs me to do him a solid—boom” without even thinking, right? Done, right? Now you’re done. It’s, again, it’s a scary thing.

Let me ask you a question. Let’s bring it back to the report. When you do the 2021 report—let’s assume you’re gonna do one, right?—do you think a lot of, no pun intended, but a lot of what we see this year, is it gonna be an anomaly or is that the new normal?

Newfield: I think we’re at the new normal for quite a while. I mean, let’s equate it to work from home. You know, I get questioned a lot—is the work from home stats that we’re seeing today, is that an anomaly, or is that going to be a norm? And nobody can predict 10 years out, even 5 years out when it comes to these kinds of things, but for the next few years, I think what we’re seeing is going to be a norm.

For people, for example, who have been unemployed for a period of time, just because you start work again doesn’t mean you’re made whole quickly. It takes quite a while for people to feel like they’ve been made whole, and I do believe for quite a while, we’re going to see cybersecurity and cybersecurity concerns and incidents really low on the reporting schedule.

And the other thing that causes me concern for next year and even the remainder of this year, a lot of the breaches that are occurring today will not make it to the news. Now, it’s going to be a while before any of that information comes out to the public eye because there are too many other things to report on than to talk about what you and I are actually talking about, which is why this is so exciting to be able to have these conversations. Because, you know, I don’t want to downplay anything that’s going on in the world or people’s lives.

But the point of all of this and the point of the conversations around the index is, through all of it, please don’t take your eye off the ball. Please just remember to do those basic things like you just said—hover over the link. Take an extra 10 seconds and just look. If it’s too good to be true, it’s probably too good to be true, right?

Shimel: Yeah.

Newfield: If you’re getting e-mails with information and you never signed up to get that information, there’s something wrong, here. And another point I think a lot of people, and when you’re having your discussion that I think people need to get over is—and I hear this all the time—“Who am I? Nobody’s attacking me. I don’t have anything they want.” And I think the consumers and the general population need to understand that you’re correct. Who am I? I’m not always just being attacked on a personal level.

A lot of these attacks are very random, right? They’re attacking IP addresses. They’re buying very large lists of e-mail addresses from the Dark Web and utilizing those. Very rarely are people attacking you specifically, like a group is going, “I’m going to do something to Alan today” or to me today. They’re looking at the larger scope, because that’s where they’re gonna get their return on investment. That’s where their money is best spent is, you hit as many people as possible.

And if you get that mindset to realize that—oh, wait a minute, this isn’t personal, it’s not targeted, it’s just because I happen to be using whatever e-mail system or I happen to work for a company whose domain they were attacking—that’s where you’re gonna have your problems.

Shimel: Yeah. Mathew, we’re almost out of time. I want to end things on a positive note, if we can. So, I’m gonna share something, you know, from our own analysis and analytics here. So, we run DevOps.com, Container Journal, Security Boulevard. Just looking at traffic logs, since COVID, Security Boulevard is up 79%. And that’s stripping out the bots, the bull crap. I’m talking real people, real numbers—79% since COVID, almost 80% increase in traffic.

Now, granted, our site doesn’t aim at consumers much. It’s probably more aimed at security pros. But the fact that people are concerned enough, and they are trying to stay up to date on what, you know, things like the index from Unisys and other servers that we’ve seen come out recently, right, people are—I think people do care. I think, as you mentioned, in the stack of human suffering and humanity in general that we see right now—yes, cybersecurity is low down the list. But within the IT sphere, I think cybersecurity is right there, right? People are understanding—man, this is real important. We gotta stay—with all the remote work and working from home and all that, we have gotta stay on our game with this, and we’re trying, right? And we’re trying.

Newfield: And I agree with that. One of the things that, you know, let’s end on that high note—people like myself, we often get accused of being inflammatory or the sky is falling, and a lot of people call that FUD, you know, instilling fear, uncertainty, and doubt. And that’s not our point. Our point is just to keep open, keep your eyes open, keep thinking. But to your point, start using some of these other resources. There are a lot of resources out there. We have some of them in our index if people want to go take a look at that index and read through who to call, how to call—you know, those kinds of guidance.

That’s what the whole mission of this is, is to help make sure that, as people are navigating through 2020 for this year, 2021 and beyond, that they have a roadmap, they have an understanding of what they should be looking at when it comes to cybersecurity, and to do our best to make that roadmap easy so, again, they can focus on those more important things—health, family, and the ability to generate revenue for them.

Shimel: Absolutely. Mat, thank you for joining us. Come back and visit us again. We love hearing CISO perspectives anyway, so—and thanks for doing your work with the Unisys index. It’s, you know, just again—especially as you go year to year to year, these kinds of things are so invaluable. So, have a great weekend, thank you for joining us.

Newfield: Thank you so much, Alan. It was my honor to be here.

Shimel: Alrighty. Mat Newfield, CISO at Unisys on the Unisys Index, check it out. This is Alan Shimel for TechStrong TV. We’re gonna be right back with our next guest.


Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.
