“The entire cybersecurity game is a war. It's us versus them. It's the hacker community against the rest of the world.” — Dr. Alissa Johnson, CISO at Xerox
Dr. Alissa Johnson (Dr. J) is the Chief Information Security Officer for Xerox and the former Deputy CIO for the White House. Prior to joining Xerox, Dr. J served as the CISO at Stryker. Dr. J has 21 years of public and private sector IT experience and is recognized as one of the most social CISOs in the world. Dr. J holds a PhD in Information Technology Management and has served as an adjunct faculty member at multiple universities, where she developed and taught numerous courses within information technology, business, and mathematics.
Dr J is also a lifelong basketball fan, player and subject matter expert. When Dr. J and I collaborate, we speak as much about basketball as we do about cybersecurity, IT trends, CIO leadership lessons and future of work. That said, I asked Dr. J to analyze the 2017 NBA Finals with the Warriors and Cavaliers, and then draw an analogy and lessons learned from the games to cybersecurity and her CISO roles and responsibilities.
Dr. J: Let me first set the stage. The entire cybersecurity game is a war. It's us versus them. It's the hacker community against the rest of the world. It's a grudge that one side has against the other. It's a back and forth challenge that determines if the most prepared side is ready to play! Let's play out this scenario and allow the Cleveland Cavaliers to represent industry and government, while the Golden State Warriors represents the hacker community. Here are 3 lessons we can learn from the NBA finals to address cybersecurity issues.
1. You have to stay sharp! Let's look at the Golden State Warriors. Though they have a strong starting lineup, when one person goes out, they have multiple options to play the various positions. In Game 2 of the 2017 NBA Finals, Draymond Green was in serious foul trouble. Kevin Durant came in the game to play Green’s position of power forward and boy did he do that well. What better person to come in and be the backup but one of the strongest players in the NBA!
There is such a big talent gap across cybersecurity. In fact, that is probably one of the most talked about topics across industries. Government and Industry are confined to budgets and challenges to be lean organizations at various times within a fiscal year. Frequently training budgets are cut, but there is still one less used option --cross training. We have to cross train within our organizations in order to expand our coverage areas. It's not a complete solution to the talent gap issue, but it definitely helps. Hackers are diverse. They have to be generalist to a certain point and able to be nimble enough to learn various areas in order to truly succeed.
2. You have to address basic issues! There is still so much low hanging fruit in terms of old, basic, prudent, responsible security practices that puts organizations in a reactive posture. Bad patch management schemas, enterprises using old Operating Systems, as well as the inability to make aggressive investments in hardware and software refreshes. Refreshes are a part of your security strategy. Technology refreshes are important because the vendor is always going to make sure the newer stuff is patched in order to help defend against the latest exploits. So that is why so many organizations found themselves so far behind when the ‘Wanna Cry’ crisis hit.
Now let’s look at the NBA Finals series. Cleveland has kept the same team, same squad for the last 3 years. No patching, no upgrading, so there have been very few modifications to their system. The team may be working harder, but still they haven't implemented too many changes. What we may end up seeing are the results of Cleveland not evolving. I see them being very reactive, while Kevin Durant and the Warriors are getting wide open dunks. We are still so behind in implementing good security practices. Security is a part of the ecosystem. It is not just infrastructure and applications. All layers (infrastructure, applications, data, and processes) have to be constantly addressed.
3. You have to have the right tools! Be specific about the tools you need. I have seen so many cybersecurity tools that end up as shelf-ware. No tool is really going to solve the problem. The hacker community is a strong community that continues to sharpen their tools. Golden State is a strong solid team that last year set a new record for the most wins in one year, but why stop there? They continued to evaluate, see what was available and consider options-- in comes Kevin Durant. Did Golden State NEED another tool? Arguably not, but they found an available option that sharpened their level of play.
We, in government and industry continue to buy shelf-ware and even take too long to address the needed tools in our tool set. The shiny gadget we just purchased lost its shine because it was too difficult to implement, didn't provide the most bang for buck spent, or didn't fit well into the larger strategy. The hacker community continues to introduce new tools, evolve the current methods, and then find ways to trip us up when we think that we are ahead of the game.
“At the end of the day, the winner will be the side with the best tools, the side that uses those tools effectively, and the side that is most prepared. I have been preparing for this game of dominance. Cheering from the sidelines and even screaming at times. Advising and providing opinions that some won't care to listen to. Either situation, the question to be answered is --Which side is ready to show up, be a solid team, not choke, and win with the best slam dunk!” — Dr. Alissa Johnson
Dr. J and I have much respect for both teams competing in this year’s NBA Finals. The Cavs are the defending champions and capable of achieving the impossible - who can forget their incredible championship victory comeback in 2016. And in the spirit of full transparency, as a lifelong fan and resident of Boston, I would prefer to see the Celtics win their 18th championship above all else.
This article was co-authored by Dr. Alissa Johnson. You can follow Dr. J on Twitter at @dralissajay.