Most larger companies have a staff — or at least a person — that handles cybersecurity. But that’s not enough. To protect against rising cyber threats, companies need to create a culture of cybersecurity from the top down. Most cyberattacks begin with human error. That’s why security is everyone’s job.
In the ninth episode of our Cybersecurity Awareness Month podcast series, we were joined by Debbie Gordon, founder and CEO of Cloud Range. She talked about why security is everyone’s job, how artificial intelligence (AI) won’t replace humans and how “Office Space” is actually a cybersecurity movie.
The following has been edited for clarity.
Gary Cohen: Cybersecurity Awareness Month always highlights some key behaviors, things that we should all be doing: multifactor authentication, strong passwords, recognizing phishing. What do you think people should be focusing on this month?
Debbie Gordon: I think everyone should be focusing on the fact that security is everyone’s job. When we think about security awareness, our minds often migrate to preventing phishing, things that the general user needs to be aware of — or, as somebody said, a kindergartner or your grandmother. But it’s really everybody’s job, and it’s becoming a lot more evident now, especially with the focus by boards of directors and C-suites and even investors taking a look at cybersecurity. It’s not just something that’s an afterthought. It is a huge priority. It’s everybody’s job in a company. It’s not an IT (information technology) job. It’s not a risk job. It is every single person’s job in the company, and I think that that is a message. If we can get that message out, then all of the different stakeholders within that greater population of everyone will know that it’s their job, too, and they’re not just going to pawn it off on somebody else.
Cohen: What trends and developments in cybersecurity are you particularly excited about heading into the new year?
Gordon: There are a lot of technologies that are coming about, but when I think about trends, I’m thinking about how organizations are looking at cybersecurity.
Going back to your first question, I have personally seen more and more security leaders knowing that developing their people is really their job. It is not in their job description necessarily. It’s not what they signed up for — to be a CISO or a VP of security or whatever their role is — but it is their job. If they’re going to be responsible for security in their organization, that means that the most important tool in that security stack is the people, and they have to be responsible for that.
So I’m calling that a trend simply because, since we founded the company in 2018, I have personally seen that become more and more top of mind for security leaders. It used to be “Technology solves all problems” or “Compliance solves all problems,” but it doesn’t. I’m really pleased about the fact that security leaders are not just rolling their eyes and saying, “Oh, I have to do this. I have to be responsible for the people and their development.” They’re actually doing it, and they’re taking steps to make that happen.
Cohen: I’m asking you to go into your memory banks here. Can you share a memorable experience or case from your career that highlighted the importance of cybersecurity for you?
Gordon: Well, gosh, so many because we hear about it every day from our customers who have experienced so many different kinds of attacks, and now they’re able to prevent attacks by using simulation. But I’ll digress a little bit from that theme of just seeing it in our large customers.
A bad guy got very close to almost having a lot of money wired from an account by somebody in my company once. This was before Cloud Range, but good old social engineering, checking on emails and stuff, we caught it. I was like, “That is not me.” What we learned, of course, which I hope everyone practices, is that if somebody tells you to wire money, there always has to be multiple authentications on that, even if it’s picking up the phone or walking over to somebody’s house and saying, “Did you just ask me to do that?”
Cohen: A lot of the attacks that have been happening recently have been pretty headline grabbing, whether that’s SolarWinds or attacks in the city of Dallas or Atlanta. What have we learned from this recent slate of major attacks?
Gordon: We have learned that we’re never going to be fully prepared for everything, so we have to continue to practice, practice, practice, and look ahead at what could happen, not just respond to what has happened. Too many companies have something bad happen, and then they say, “Oh my gosh, we need to do more. We need to train our people.” But that’s too late.
So what we have learned is that you can never be too prepared. I was a Girl Scout. Be prepared: That is our motto. I think Boy Scouts, too. Always be planning ahead, and there are ways to be able to do that. We learn, obviously, when there is an attack on somebody else. We learn what they did wrong, and we hope that we can be proactive and help our customers make sure that they don’t do the same thing, not only in that specific type of attack, but looking forward into things that have not necessarily happened yet that could happen or may have partially happened. But anything that is sourced from different types of threat intelligence, we can get ahead of.
I think we’re continually being reminded that there is always more to learn. I always say that cyber defense is like golf. You’re never finished being good at it. You’re going to have a crappy day one out of five times — or maybe more — but you have to keep practicing, and you’re never finished.
Cohen: When I asked you about emerging trends earlier, you mentioned technologies. What are some of the emerging technologies that you see having a big impact in the field of cybersecurity in the near future?
Gordon: The big one is what everyone is talking about, which is artificial intelligence (AI). It’s endless. Even just as an individual, every day I’m seeing new uses for AI, not just in cybersecurity but in any aspect of life. I think that there is so much that’s going to continue to happen. I mean, we’ve seen it happen just in the last six to eight months even. But it’s going to affect how people work. It’s going to affect how people perform, how people think or don’t think. That’s something that concerns me a little bit, is that people are going to be too dependent on AI.
But we still need people. At the end of the day, if you look at any type of innovation in history, yes, it may have eliminated a job, but new jobs were created, and that’s going to happen with AI. We’re not going to eliminate the need for humans. It’s just going to be different what they need to do, and we cannot stop thinking.
Cohen: Because this is what you deal with every day, what is one thing in Cybersecurity Awareness Month that you wish more companies either knew or would embrace about cybersecurity training and simulation?
Gordon: At Cloud Range, we work with companies all over the world that use our simulation platform to proactively prepare their cyber defense teams for any type of cyberattack. When we developed this five years ago, the whole concept of as-a-service, that you don’t need to own a cyber range, this was pretty big. This was a big deal in the industry. We got a lot of attention from different industry analysts and obviously from our now customers.
But it’s kind of like the flight simulator. When the flight simulator was invented, people didn’t not use it. It was there now. So we spend a lot of time talking with the market about the fact that this exists now. Cloud Range exists now. Similar to a flight simulator, it’s there. You don’t want to not use it. You don’t want to not prepare now that there’s a tool available to be able to do that.
Cohen: One debate we have around the proverbial water cooler is if there are any good cybersecurity TV shows and movies. It started with: When doctors watch “Grey’s Anatomy,” are they like, “This is all garbage”? Which, generally they are. What is your favorite movie or TV show that has anything to do with cybersecurity?
Gordon: Gosh, I think there are kind of the usual suspects. But if you remember “Office Space,” we can use the zero-trust element here and remember that somebody changed something in a system — it was like a 10th of a penny of every transaction went into another bank account, and these guys accidentally just built up a ton of money. I think we would consider that something to do with cybersecurity and zero trust because that guy was able to do that. That’s one of my favorite movies.
Cohen: I consider that an excellent answer because I love that movie. I actually haven’t seen it in a while, and now I feel like I’ve got to go back and watch it.
Gordon: I did rewatch it this weekend.
Cohen: That one was not on my bingo card for cybersecurity movies.