The Great Resignation Creates Great Vulnerabilities – Techstrong TV

Ben Smith, Field CTO at NetWitness, and Charlene discuss how the Great Resignation creates “The Great Vulnerability” in organizations. The video is below followed by a transcript of the conversation.

Charlene O’Hanlon: Hey, everybody. Welcome back to TechStrong TV. I am Charlene O’Hanlon, and I’m here now with Ben Smith, who is the Field CTO with NetWitness. Ben, thank you so much for joining me today. I do appreciate it.

Ben Smith: Charlene, it’s my great pleasure. I’m looking forward to this conversation.

Charlene O’Hanlon: Great, great. Thank you very much. I want to talk to you a little bit about some of the security implications to what everybody is calling the Great Resignation. But, before we get started with that, I was wondering if you could introduce us to NetWitness. What are you guys all about?

Ben Smith: Yeah, sure. NetWitness is a threat detection and response platform. So, we help organizations determine if there are bad actors on the network or on your endpoints or on your other network devices. NetWitness has actually been around for almost two decades, believe it or not, and we’re a business unit of RSA Security, which has been around for over 40 years. RSA, of course, I would argue, humbly, is responsible for enabling e-commerce on the internet today. 20 years, 40 years, I’ve only, air quotes, only been in RSA for 12 years. But, it’s been a great ride and continues to be. The industry definitely looks different today, Charlene, than it did even a decade ago.

Charlene O’Hanlon: Yeah, I remember the early days at RSA and attending the RSA conference, back when, you know, that was just kind of a small industry event, and now it is the behemoth that it is, and RSA certainly is one of the biggest names in security, and certainly sets the standard for so many organizations. So, good stuff, and 12 years, 12 years, right? So, good for you, though. That’s great. So, tell me a little bit about the Great Resignation and the cybersecurity implications thereof. Because it seems like, at the beginning of the pandemic, everybody was kind of freaking out about, you know, what, you know, I hate to say it, but, you know, where they would be in six months, and, or, a year. 

And I think there was a lot of soul searching that happened during that time and that, ultimately, has kind of resulted in kind of this Great Resignation, people understanding that they don’t really have to stay at their jobs if they don’t really like it. And, you know, and I think companies have been kind of slow to react, if you will, because they’re just first, I think the first was like, okay, now we’re just separating the wheat from the chaff. These people didn’t really want to work in the first place. 

And now, it’s kind of become, well, now, our biggest, best employees are finding work elsewhere, and, you know, they’re not really – organizations aren’t really reacting, or they haven’t reacted as quickly as they could have. And part of that is the cybersecurity implications of, you know, these masses of people leaving. So, what are you guys seeing in this space right now as it pertains to cybersecurity and these masses of employees resigning and moving to other jobs?

Ben Smith: Yeah, so there’s a couple of angles, Charlene. When you have somebody leave one organization, he or she joins another organization, so there’s kind of an exit and an entry angle. One of the important things we like to kind of talk to our customers about is, especially for folks who are on the way out, there’s some pretty good research that’s been run out of CERT, which is associated with Carnegie Mellon up in Pittsburgh. They’ve been working on this question 15, 20 years around insider risk and insider threat. And it’s pretty well demonstrated at this point that the most dangerous 60 days in terms of an employee or a consultant potentially taking stuff with them as they’re leaving are the 30 days before notice is served, and then the 30 days after termination. That’s not necessarily a contiguous 60 days. And in that second example, 30 days after termination, they shouldn’t have access to stuff.

Charlene O’Hanlon: Right.

Ben Smith: Well, in some cases, that’s not quite the case. So, just because you have somebody who might have been with your organization for a long time or a short time and they’ve chosen to leave doesn’t automatically make them a threat. But, one of the places we’ve seen organizations kind of stumble when, in hindsight, some of those employees did turn out to be threats, was poor internal communications between the Information Security team – that might be your infosec team, it might be your security operations center or your SOC – between those groups and human resources. HR has a lot of very valuable information about employees, including the fact that employees might be on a particular plan for improvement. Maybe an employee has put in their notice. 

And sometimes those organizations don’t talk to one another internally. So, there’s an insider risk angle to when folks leave. And, again, I want to be careful. I’m not casting a wide net. The vast majority of folks who leave one organization and join another have goodness in their heart. They don’t take anything with them. The other angle in the second direction, Charlene, I just wanted to touch on, really relates to culture. Employees leave one organization for another for a number of reasons. Sometimes it’s looking for a new challenge. Sometimes it’s I love everybody except my boss so I have to get out of here.

And sometimes it’s I’m just not happy with the culture, generally. And while it doesn’t sound like I’m talking about a cybersecurity point here, culture has a very important role to play when you start to talk about security awareness. Every organization today, even down to the small organizations, realize and they might even be compelled, depending upon their industry, to have some sort of a formal security awareness program, trainings that get rolled out, hopefully more than one time, maybe on an annual basis to their employees. And I’ve done a lot of advising around awareness programs that have worked really well, and I’ve seen a lot of awareness programs that don’t work well. And, interestingly enough, Charlene, culture tends to be the common thread there.

Charlene O’Hanlon: Interesting, interesting. So, you know, when we’re talking about culture, what, specifically, do we mean by that? Are we talking just kind of a lackadaisical attitude that is pervasive throughout the organization with regards to cybersecurity? Or, is it something altogether different?

Ben Smith: Yeah, there is that component. There’s kind of what’s the overall mindset towards following and being compliant with the rules. If you’re in an organization that forbids the use of things like USB drives or external hard drives, do you use those devices? Some organizations have the rule but they don’t necessarily have the means to prevent the behavior. In the worst case, they might not even have the means to monitor for that behavior. So, my experience is that, you know, the more rules you have, sometimes the more technology that you need.

Culturally speaking, as we think specifically about security awareness, one of the places where I have seen very consistently companies fail is when they use their security awareness program like a hammer. They use it very negatively. They punish folks who may have made, in most cases do make, perfectly honest mistakes. I have been that person who clicked on the wrong link, maybe more than once in my career. I suspect most of us have done that. And in some cultures, employees, even a well-meaning employee, even your A player employee who you absolutely want to keep, may be nervous about even putting his or her hand up to say, hey, I may have just done something, but I’m not sure.

In cultures that are using that hammer to punish someone who has made an honest mistake, that’s not a good culture in the long run. That can actually be a driver to encourage that employee or those employees to leave the organization – not today, not tomorrow, but in the long term. So, it’s a very natural instinct, if you’re on the hammer side of that equation, to say I’ve found a problem. I’m going to fix it right now, and the way I fix it is I have a one-on-one with this person or I put them through remedial training. Take a more beneficial approach, and welcome it as an opportunity to educate your employee. And there’s the really important thing, assure your employee, give him or her credit for putting up his or her hand to say I might have done something wrong. I’m not sure. I’m nervous. Can you help me? 

A good culture recognizes that as an opportunity to pat them on the back and to thank them for their service. Great security cultures, Charlene, are the ones that every employee realizes that it’s not just the security operation center’s job to keep the organization and its intellectual property safe. Every employee is on the front lines, and those employees that feel comfortable and confident in reporting even something that might turn out to be completely innocuous, that’s a good security culture.

Charlene O’Hanlon: That makes a lot of sense. It really does. And, you know, I’m wondering, also, about, you know, thinking back to the beginning of the pandemic when everybody was sent home to work remotely full-time, and I know that there were a lot of kind of security shortcuts that organizations took to make sure that their employees could remain productive, no matter where they were. Do you think that now that we are almost three years into this pandemic and so many organizations are still working fully remotely, do you think that that, in and of itself, kind of poses an insider risk or insider threat because there is this, you know, I’m sure a lot of organizations have kind of worked to kind of lock down their systems again. But I’m sure there are a healthy number of companies that have just kind of kept working the way that they’ve been working since the beginning of the pandemic, because nothing is broken in their minds. So, do you think that that also is kind of maybe contributing a little bit to this insider threat?

Ben Smith: Yeah. There is, absolutely, a risk, you know, as we start that third year of the pandemic. Two years ago, so, let’s kind of go back to when, roughly, this all started for us, I think, from my perspective, we’ve really seen three waves of activity around security. The first and maybe the most obvious one was when people couldn’t go into the office anymore, they still had a need to work. So, companies and organizations had to figure out how to securely let those individuals connect back to the corporate infrastructure, to connect back to those assets. Maybe that was through a virtual private network, VPN capabilities. Some companies I spoke to had VPNs. Most do today, but they weren’t licensed for the right capacity. 

You might have been in an organization where five percent of your workforce worked remotely, and all of a sudden, you had 100 percent or 95 percent. So, there were licensing concerns. But, the big scramble was how can I support my employees working in the best place and the safest place that they can, which tended to be the home, and make sure that everything is secure. So, there was kind of – let’s call that, maybe, an authentication wave, to make sure that folks could get in securely. There was a second wave, and it’s a wave that’s a little closer to what NetWitness has traditionally been focused on, around, then, monitoring those connections. Many organizations had structured their corporate networks not assuming that there were going to be these huge volumes of individuals transacting huge volumes of data through the VPN infrastructure.

So, they might have great sensors scattered throughout the corporate environment looking for this or that. They may not have had really good visibility into the VPN. VPNs, one of the reasons that they are secure, of course, is that traffic tends to be encrypted. So, there’s a technical challenge there in being able to see what’s actually traveling on the wire if you wanted to be able to see that this employee who’s sitting at home is opening a connection to this website, for example. All that’s encrypted. That gets kind of hard, if not impossible. So, there was kind of a monitoring wave where organizations realized that maybe they didn’t have sufficient tooling in place. And a lot of organizations have worked through that. 

The third and the final wave, and the end of this long answer, Charlene, is we’re in the middle of the third wave right now because of the shortcuts that you mentioned. Every organization was forced to take shortcuts at the beginning of 2020. Even the most mature organizations did not necessarily have a fully formed and comprehensive plan to support the reality that we were all living through. So, there were shortcuts that were made. Maybe some systems were made less secure so that those now-remote users could still access them to get their job done. And in the hullabaloo, if I can use that phrase –

Charlene O’Hanlon: Sure.

Ben Smith: sometimes you put out the fire, and you pat yourself on the back, and you go to fight some other fire, and you might not realize that that initial fire is actually still burning. We started advising organizations about a year ago to go back and revisit all of their assumptions. Hopefully they documented that while everything was happening. Hopefully they’ve got good visibility, not just into those users, but into the nature of the systems, because there were shortcuts that were taken. And the more shortcuts that there are in an environment that security and management don’t either remember or don’t know about, that opens a door to, whether it’s an insider threat or an external threat, to come into your environment. 

So, shortcuts were made. The third wave is really around regulatory bodies that realize this. They’re not going to be new regulations, Charlene, around the pandemic, but I do get the sense that regulatory bodies are going to be coming back to companies to enforce the existing regulations that were in place. And some companies may have made some shortcuts to keep operating; they may be exposed, not just to those threats, but to regulatory action. 

Charlene O’Hanlon: Yeah, that was actually something that at the beginning of the pandemic when this was all happening and there were just wholesale shifts to the cloud, and for organizations to, you know, to your point, open up the VPNs and just kind of get that information flowing, one of the first things I thought of was, yeah, I wonder how many compliance rules and regulations are being broken right at this moment. And so, I wonder if that’s going to kind of come back to haunt some organizations. But, you know, when – kind of circling back to the whole idea of the Great Resignation and the insider threats, do you think that the problem is going to get worse before it gets better? 

Or, do you think that organizations are going to – I kind of feel like settle is probably a good word to kind of settle into where they are today compared with where they were almost three years ago, and take a real hard look at their security posture, and recognize that, you know, there are certain things that do need to happen with their security infrastructure to lock it down, to make it more secure, to mitigate the possibility of employees who do decide to leave, you know, their ability to access information, either before they leave, the wrong information, either before they leave or after, to your point, after they’ve left? Do you think that that’s going to be happening? I mean, I hope so, but, yeah.

Ben Smith: We’re living in the new normal, so any organization that’s waiting for the new normal to kind of settle down and figure out, and they’re just waiting – maybe they know they’ve got an issue, but they’re waiting for some reason; we’ve all been waiting for two years now, so I’m here to tell you it’s here. And those organizations that are still waiting are those that are at the most risk of an insider threat. A lot of the insider threats, Charlene, believe it or not, aren’t even necessarily malicious. They are accidents. They are well-meaning employees who might email something from a work account to a home account, or they might use that USB stick that we talked about before, honestly, because they need to print something off and the only way they can get it to their printer is on a USB stick because they’re at home.

So, I think that that is – the settling down capability, we’re there at this point. It’s super important for any security and risk management professional to remain flexible in terms of what we are experiencing right now. A year ago, when I think there was still a glimmer of hope, at least from this end of the phone, there was a glimmer of hope that maybe we would be pushing – bringing more people back into the office, I was advising organizations to take advantage of that inevitable Monday when people are going to start coming back in to do things like set up a desk at the guard desk out front and, before that employee physically interconnects back with the corporate network with, maybe, their laptop, do a scan of that machine. Make that part of the first day’s exercises. 

So, I was advising folks so you plan that out, and you can only support so many of that per day. And now we’re a year later, and that’s really kind of laughable because, not in every industry but in most industries, it certainly looks like we are not going back to that model. So, being flexible, understanding that your architecture, if you’re that security architect, if you’re that security leader, the odds are that your IT infrastructure was built and designed and implemented around an assumption that folks were going to be in the office. 

And maybe you were, as most organizations have already started thinking about that cloud journey that you mentioned, maybe you were starting to move to the cloud, but everybody’s plans certainly got upended, and budgets have been upended. I’ve got some customers, Charlene, who squeezed two to two and a half years of digital transformation plans into the first three months of the pandemic. And not everybody has the budget that they can pull forward for that, but that’s a great example of being nimble and understanding that things have changed. So, that is a long answer to your question. I think that as long as you’re not sitting still, as long as you’re not waiting for things to get back to normal, you’ll be in good shape.

Charlene O’Hanlon: All right. All right, well, I agree with you 100 percent. I don’t think we are going back to what we knew before in any way, shape, or form. So, it’s time that organizations really kind of decided that, yeah, you know, we’re not doing in-person anymore, at least not full-time. But, Ben, thank you so much for your insight. It was a great conversation. I really enjoyed it. Thanks again.

Ben Smith: Charlene, it’s my pleasure. Appreciate it. 

Charlene O’Hanlon: All right, everybody. Please stick around. We’ve got lots more TechStrong TV coming up, so stay tuned.


Charlene O’Hanlon

Charlene O’Hanlon is Chief Operating Officer at Techstrong Group and Editor at Large at Techstrong Media. She is an award-winning journalist serving the technology sector for 20 years as content director, executive editor and managing editor for numerous technology-focused sites including DevOps.com, CRN, The VAR Guy, ACM Queue and Channel Partners. She is also a frequent speaker at industry events and conferences.
