Perplexing Problems: Security, Privacy, Complexity

Rebecca Herold is CEO and co-founder of Privacy and Security Brainiacs. She’s also a Ponemon Institute fellow and the CEO and founder of Rebecca Herold LLC, a cloud-based privacy and security firm. She is currently finishing her 20th published book on information security and privacy.

Herold, who has hosted the radio podcast show Data Security and Privacy with the Privacy Professor, weighs in on the state of cybersecurity and privacy education and gives her recommendations on how to remedy the many issues the security community faces today.

“Making sure that the entire population is educated about cybersecurity and privacy as well is absolutely necessary to improve the very vulnerable state of our networks, systems, applications and data.”

In this episode of Cybersecurity Unplugged, Herold discusses:

  • The gap in cybersecurity education and how to incorporate information and cybersecurity, as well as privacy, into public school curriculum;
  • How to fully and successfully address privacy whether from the lens of compliance, governance or the intersection between the need for privacy and the need for security;
  • The Internet of Medical Things, deadly exposure of connected medical devices and predictions for the future of medical device security.


Steve King 00:04
Good day, everyone. I’m Steve King, the managing director at CyberTheory, and today’s episode is going to focus on education in cybersecurity and privacy. Joining me today is Rebecca Herold, a cybersecurity and privacy expert with a dozen or so certifications. She’s a Ponemon Institute fellow, the CEO and founder of Rebecca Herold LLC, also known as the Privacy Professor. She’s CEO and founder of Privacy and Security Brainiacs. And she’s hosted the radio podcast show Data Security and Privacy with the Privacy Professor. At one point in Rebecca’s long and distinguished career, she worked alongside some of my colleagues here at ISMG developing training webinars, and she also was an adjunct professor and curriculum czar for the Norwich University Master of Science in Information Security and Assurance program for nine years. She has been a subject matter expert on the NIST IoT cybersecurity development team for two years, a subject matter expert on the NIST Privacy Framework team for the two years before that, and prior to that she led the NIST Smart Grid privacy group for seven years. She’s also a founding member of the IEEE privacy and security architecture for consumer wireless devices working group. Rebecca has received numerous awards and recognitions for her work throughout the course of her career, and is currently finishing her 20th published book to date. She earned her bachelor of science in math and computer science and a master’s degree in computer science and education, and is a longtime member of ISACA, InfraGard, IAPP and several other worthy cybersecurity and engineering organizations. So without further ado, I welcome Rebecca. I’m glad you could join me today.

Rebecca Herold 02:11
Well, thank you very much for inviting me, Steve, it’s always a pleasure to speak with you.

Steve King 02:16
Thank you. So let’s talk about the gap in cybersecurity education first. It’s huge, we both know that, and it’s growing faster every day. And does that worry you?

Rebecca Herold 02:29
Well, it certainly concerns me. I mean, this is something that I’ve seen as an issue throughout my entire career. Actually, since the 1990s, I’ve been a really strong proponent of incorporating information and cybersecurity, as well as privacy, into public school curriculum, you know, all the way down from preschool, throughout postgraduate education and throughout our entire lives, because computer use is becoming even more ubiquitous every day. Many of the millennials, and just think about all the Gen Z folks, they do not know what life is like without internet access, or without having some type of computing device that they use or have with them. So making sure that the entire population is educated about cybersecurity and privacy as well is absolutely necessary to improve the very vulnerable state of our networks and systems and applications and data. There are many ways to incorporate cybersecurity formal education, as well as ongoing awareness tips and messaging and activities, into the lives of all generations. You know, our economy and our national security depend upon it. And it certainly was my motivation back in 2005, when I started publishing my free monthly Privacy Professor Tips message, which I’m still publishing today, and that thousands of businesses and even more individuals, direct to the public, receive. It’s one of the core reasons I co-founded my Privacy and Security Brainiacs SaaS services business, and I did so with my now 24-year-old son. We did that in January of 2020, and we continue to build out services through it to reach all parts of the population, so I’m so grateful for having a Gen Z perspective mixed into that business.

Steve King 05:09
I’m sure you are. It’s a perplexing problem, you know, we have more complexity today than we did yesterday, and than we did last year, etc., in our networks and in our network infrastructures, and in the systems and tools that we continue to layer in one on top of another. And as we saw so blatantly with the SolarWinds and Microsoft attacks, no one knows what’s in that underlying code, let alone is in a position to, you know, maintain or troubleshoot it, on the one hand. On the other hand, we have fewer and fewer people that are sufficiently trained to join the ground forces, if you will. When we began planning CyberEd.io, our online training and education platform, I talked to about three dozen CISOs across every industrial sector imaginable, trying to make sure that we are covering the specific gap that needed the most attention, and in 100% of the cases they said cyber warriors. What’s your perspective on that particular need?

Rebecca Herold 06:23
Well, I can certainly understand, from a CISO’s perspective and their responsibilities, why 100% definitely would say cyber warriors, because I know it’s hard for a lot of organizations to find that capability within organizations. But, you know, taking even a wider view of this, as I said earlier, everyone throughout the population needs this information throughout their lives. And certainly, we need a larger, more knowledgeable and more experienced number of information and cybersecurity warriors, in the narrow as well as in the more broad terms, to be committed to devoting careers to these issues. And certainly we need entry level to also deeply experienced; we need those who are focused on the depth of knowledge first, specialized cybersecurity, but also, along with those, people who have a broad base of domains within which they work. And there’s plenty of work for tens of millions of people to be in these types of careers. Everyone in information assurance careers, such as cybersecurity, also needs to realize that not only do they need to stay up to date with new and emerging threats, but they also need to continue to address threats that existed 50 and more years ago, along with knowing the vulnerabilities that have developed with all of those still-being-used legacy systems and physical security practices throughout that time. You know, two or three years ago, I heard a CISO at a conference giving a keynote, and the CISO was from a really large tech company. And during the keynote, he said, “Well, what you did 10 years ago for cybersecurity no longer applies.” And I just thought, “Wow, that’s a very irresponsible statement,” given that all those old vulnerabilities and threats from 50, and in some cases even more, years ago are still with us, and they are still being exploited, especially now.
Some of them are being exploited more than back when they were originally, actually, because the eye has been taken off of the ball of all of those vulnerabilities, you know, the legacy systems and those things that are still in use. So while we also need to address the new and emerging tech and data practices, and related risk, absolutely, we still need to look at those. So we need cybersecurity warriors, I agree, but also the general population to be aware at all levels. So, you know, I still think back on that, and that tech CISO should really have realized that the security pros who have 20, 30 and more years of experience are still needed within his own company to continue to provide insights and expertise for all the millions of systems from his corporation that are still being used.

Steve King 09:57
Yeah, well, some CISOs don’t actually have legacy systems. So, you know, if we’re fortunate, he may have come from that kind of environment. But you’re absolutely right, of course.

Rebecca Herold 10:09
I’m a little skeptical about that. I did a lot of risk assessments, Steve. Just three years ago, I found during a risk assessment dial-up modems in a company that also said, “We don’t, you know, we got rid of those, we thought, years ago.” Well, no, the person who maintained them left the company, and nobody else did anything with them. So there they were, just sitting there open. It was crazy.

Steve King 10:41
Touché. So we’re planning to launch our CyberEd.io platform next month. And we’ve got about 1,700 hours or so of our own original cybersecurity training modules in there that are delivered by some of the most respected cyber professionals in the field. And in addition to that, we’ve curated and acquired what we think is the best content from third-party providers as well. What is your opinion? Or what, in your opinion, is the correct focus on privacy? Is it compliance, governance or the intersection between the need for privacy and the need for security?

Rebecca Herold 11:18
Well, I love that question. Thank you for it, because privacy is a term that is interpreted so differently by different individuals, and it’s very subjective in many ways. But addressing privacy successfully and fully does not depend upon choosing just one of those options. So folks really need to first understand that privacy is about allowing individuals to have insights about how others are collecting and using, and making decisions about and sharing, their personal data, and also about giving them control over key aspects of those activities. So the most successful focus for managing privacy really needs to be multi-pronged. Organizations need to consider legal requirements, absolutely, and know the associated compliance actions that are necessary. But in addition, they also need to be able to recognize privacy risks that exist outside of any compliance requirements, and there are many, and then they need to govern privacy management based upon a comprehensive framework, such as the NIST Privacy Framework, that considers but also looks beyond solely compliance requirements. And, you know, I’ve been addressing privacy within business since around 1993-94. At that time, I was given the responsibility of establishing the privacy requirements for what my employer at the time, a multinational corporation, indicated was going to be the first online bank. Now, this was in addition to my responsibility for creating the information security requirements for that online bank. Just think about ’93-’94: there were no privacy laws at that time applicable to online banks. And of course, why would there be, if ours was going to be the first?
So the lawyers in this multinational corporation where I worked, when I met with them and asked them to get involved, they said, “Well, you know, that sounds important,” but they weren’t the ones to do that, because there were no legal obligations to comply with privacy requirements. But I really strongly believed that it was important. So I knew the CEO, and of course my senior VP. So I convinced both the CEO and the VP at the time to have privacy addressed. And I thought, “Great, the law department is going to get on this.” Well, my senior VP came back a few days later and said, “Well, Rebecca, you know, you made really great points, you convinced us. So since you feel so strongly about it, we’re going to give you the responsibility for privacy, in addition to information systems security, because this isn’t a legal issue right now. It’s a risk management issue right now.” I’m glad they did that, because that’s what got me into privacy along with security simultaneously. So ultimately, there needs to be a privacy leader within the organization responsible for oversight of all privacy-impacting activities and issues and risk and governance. And then there needs to be a team that has members who have assigned responsibilities. And that way they can ensure that every aspect is being addressed. And some teams often include folks contracted from outside the organization, if you don’t have folks internal who have expertise in specific areas that may not be found there. But it’s so important to keep in mind that it’s not just about compliance. In fact, Steve, a few years ago, I was surprised when I was contacted by a PhD information assurance researcher from a university in Australia.
He got in touch with me and said that the antivirus program that I created for that large corporation was the first one that he could find documented as being implemented in practical use within an organization, beyond just theory. And then he went on to tell me that the remote access solution I created, with floppy disks and dial-up modems, was also the first one that was implemented at a corporation, anywhere that he could find; that was in the ’93 to ’94 range. So the point is, just because there’s not a legal obligation to address privacy in a specific way does not mean that there isn’t the need to do so to mitigate privacy risks.

Steve King 16:45
No kidding. And, you know, we’re limiting that conversation thus far to, you know, PII and data. You at one point a few years ago served as the co-chair of the IoMT Connected Devices Conference in Princeton. And, you know, with COVID, HIPAA folks have kind of covered their eyes a bit for the last year or so related to privacy violations and enforcing the regulation, for good reasons. One, health care providers have been struggling to just stay above water. Doesn’t the deadly exposure of connected medical devices scare you? And what are your thoughts about the future in that threat arena?

Rebecca Herold 17:36
It is a very important issue; it needs to be addressed. And I guess I don’t know if it really scares me or frightens me, because I do know that those risks can be mitigated. If the appetite is there to do it, it can be mitigated. But the fact that the medical device manufacturers and vendors are not doing more to secure those devices, and the systems that are used to support the devices, does concern me. And quite frankly, it disappoints me that manufacturers who create life-improving and life-saving medical devices are at the same time willing to hurt their patients by not implementing sufficient security and privacy controls within these devices. Because certainly, those controls need to be there to truly have safe patient care.

Steve King 18:37
Indeed. A little while ago, I was visiting a friend in a local hospital here, and I must look like a doctor or something, because as I was walking down the aisle to their room, there was a portable desktop device sitting on a, whatever those things are called, a dolly. I, you know, walked up to it and started fooling around on the keyboard, and people passed me multiple times. No one questioned who I was or what I was doing there, which is, to me, extremely frightening.

Rebecca Herold 19:12
Exactly, unintentional social engineering there, just because you look so authoritative.

Steve King 19:17
Yeah, or just dropping a USB, I mean, a memory stick, with, you know, open ports, and then I’m in, right? So, you know, that’s got nothing to do with systems or technology; that has to do with policy and procedure in hospitals. But you know, if you’re only concerned with saving lives, and you reasonably sort of hide behind that principle, then it’s hard to argue about what else you should be doing or shouldn’t be doing with the limited resources that caregivers have. It’s a dilemma that nobody seems to be dealing with. You were a group leader for the SGIP Smart Grid Security and Privacy Group for like seven years. And then you ran the NIST Smart Grid Interoperability and Privacy Group as well. And you led the team that produced the NISTIR 7628 second volume, which created a set of international standards for IT and industrial control systems. The intention, I guess, was to provide a common baseline and guide for all participating companies to ensure that we have some defense and resiliency measures in place for ICS. How’s that going today?

Rebecca Herold 20:33
Yes, well, indeed, that was back in 2009. So, you know, I applaud NIST for starting that group, because it was very forward-looking at that point in time, when the utilities or the vendors making equipment in the electric grid would say, “Oh, well, we’re never going to be connected to the internet. That’s not an issue we even need to think of.” And look today, it’s much different. But I am very proud of our team that did all that work, who over those years put in literally thousands of hours of work. NISTIR 7628 was truly the model for the first Smart Grid privacy law in the country, and that was in California, the state that adopted the law that was based upon NISTIR 7628. Now, since I left that project, five or six years ago, I’ve done some very interesting proof-of-concept cybersecurity tests on actual electric grid equipment for the distribution area of the grid, such as on solar inverters, and reclosers, and others. But NIST has continued the work, and in fact, last July, in 2020, they released draft version four of the NIST Framework and Roadmap for Smart Grid Interoperability Standards. So that work is still going strong. And you know, they do good work over in that group.

Steve King 22:09
Yeah, ICS and SCADA, though, are just too horribly exposed today. And, you know, we saw, obviously, the Colonial Pipeline and JBS attacks and so forth. And then the Chinese are continuing to bang away at all of these systems. And, you know, whether Colonial, you know, admits to their OT being connected to their IT or not, it’s fairly obvious that it probably was, right? And, you know, we’ve got whatever it is, you know, 2 million miles worth of pipeline connections in the States, and those are all run by private entities, and of all people, the TSA is supposed to be responsible for those things. Don’t you find that there’s a significant exposure here? And what do you think we ought to do about it from an organizational point of view, I guess?

Rebecca Herold 23:06
Well, you know, it’s complex, especially if you’re talking specifically about the grid. The challenges there: the fact that there are not only private but public, government agencies, all that are a part of that huge grid. And there are different rules and laws and regulations at the state level, at the local level, and then you have them at the federal level. And then you have, as you mentioned, private entities that are involved in providing the hardware and the software and doing the maintenance. It really does need to have more unified requirements that everyone needs to follow, no matter where they’re located. And plus, the human factor absolutely has to be addressed. Because when we are leaving it up to so many different disparate entities throughout this very complex grid to do things, it only takes one weak point, right, in a huge complex system to be able to throw a monkey wrench into the whole thing and bring down huge portions of the grid. So yeah, I think it needs to be better coordinated, for sure.

Steve King 24:26
It feels like 100 years since Obama was in office. But let me quote from what he said back in 2015. He said, “America’s economic prosperity, national security and our individual liberties depend upon our commitment to securing cyberspace and maintaining an open, interoperable, secure and reliable internet. Critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property.” From my view, instead of creating a natural response to that, it’s gotten actually far worse than it was in 2015 in the ensuing six years. We keep talking about it. What, in your mind, should we do to change it?

Rebecca Herold 25:16
Well, I agree. You know, the internet, now, people are completely dependent upon it to do many things. Some people, you see them online and on social media when their internet goes down, it’s just like a major problem for them, because they depend upon it for everything. But, you know, as I mentioned earlier, we have all of these new types of technologies emerging. But we still have all of the same risks that have accumulated throughout the past 50-plus years. And then we keep adding to them every day, new and emerging tech that’s being used by more people than ever before. And then there’s more data from all of that new tech being created, more than ever before. And all of the same systems are still out there. There are many actions that need to take place. But to truly build a long-term, strong base of knowledgeable tech users, we absolutely need to update our public school curriculum and incorporate privacy and security into preschool, all the way up through postgraduate formal education, and do much, much more education with a wide range of general public outreach areas. We cannot just rely upon formal education anymore; we need to get out and do much more education within a wide range of general public outreach areas, because it’s obvious from all the misinformation out there that people still don’t understand things. And now, with misinformation being spread, it makes it even harder to get security to be addressed in appropriate ways. That was one of my goals for my new Privacy and Security Brainiacs SaaS services: to have it at least contribute to such increased education and, subsequently, more secured systems and data.

Steve King 27:26
Yeah, from my view, anyway, it appears as if the folks that are involved in teaching K-12 are also unskilled, if you will, in the ability to address those issues from an educational point of view. So how do we get the teachers to learn enough so that they can actually teach this in those years that you correctly point out are so crucial, given that we’re all living in a digital world now? You know, there is no analog anything, right? So we’re here. And you know, whether we’re working from home, or whether you are studying in school physically, or whatever, you are exposed to a tremendous amount of vulnerability and risk. I look around my home office here, I’ve got at least six devices connected to a router that supports everything else that’s going on in the home here as well, and then connects to the corporate network, which, you know, places me and all of this at extreme risk. If we don’t, how are we going to get our teachers, the folks that are involved in the day-to-day education of these kids, to get up to speed?

Rebecca Herold 28:39
Well, that is important. And in fact, something that I don’t know if I’ve told you before, but I actually taught seventh through 12th grade math and computing between getting my bachelor’s and master’s degrees. And then I grew up with a father who was a superintendent of schools. And he also, before he became superintendent, spent several years teaching math. So it’s something that is important. And I have seen in the past few years, especially, just a degradation of support for our public school systems, because I know from being a public school teacher that there are so many challenges when you don’t have sufficient funding, when you don’t have sufficient support. Now I’m seeing states taking the funding that is available and giving it out to private entities, or, you know, realigning it elsewhere. We can do another whole show on that, Steve, but I do have very firm opinions about that, just growing up in a household where I saw what my father did in trying to make sure, at that time, and that’s been a long time ago, prior to the internet, but certainly still trying to support teachers to make sure they have what they need, and also making sure that the students have what they need as well. So yeah, that is a huge concern, Steve, and it definitely needs more attention than it gets. It seems like too much is said from folks, you know, in different industries that kind of blame public school teachers, but once you’ve walked a mile in their shoes, I guess you could say, and I did for two years, plus lived with a father who was in the public school system, I can say most teachers love what they do, and they love teaching. They need to be appreciated more and get more support for what they’re doing. So they want to know what to do that’s protecting the students’ information and teaching students more about security and privacy. The will needs to be there, again, from those who have the authority to give that support and to give that funding.

Steve King 31:15
Well, we’re not short on cash, as we can see. So I’m not sure how that money doesn’t go to them.

Rebecca Herold 31:23
Yeah, the school systems don’t get that. I mean, teachers are spending their own salaries, which are far less than most in industry…

Steve King 31:35
For paper clips. Yeah.

Rebecca Herold 31:37
Well, more than paper clips. I mean, it goes beyond that to the actual tools used within their systems. I have friends who are still teaching, I know many people who are still teaching, and a lot of my clients are schools. And I know that they’re using, trying to use, really old PCs, because the school systems have allotted, reallotted, a lot of their funding to other areas that are outside of their actual classrooms. So yeah, a lot needs to be done there. Hopefully, we’ll see some improvements made in the coming years. I always have hope, Steve.

Steve King 32:21
An optimist after my own heart. Let’s get together in another three or four months and talk about that topic, because, as you implied here earlier, we can spend a long time just talking about that single problem, and it has a cascading effect, right? I mean, we’re producing these students who are ill-equipped to deal with the world that we’ve created for them. So at least that’s my view. So I’m conscious of the time; I know we’re out of it. I want to thank our guest, the amazing Rebecca Herold, again for taking time out to join me in what I think was an interesting exchange.

Rebecca Herold 32:59
Well, thank you. You know, I really enjoyed speaking with you, Steve. I always do. And, of course, I invite your listeners to check out our new PrivacySecurityBrainiacs.com site, because, getting back to education, we’ve not made a formal launch yet, but we still have a lot of things out there, free videos and other items, if they want to check them out.

Steve King 33:22
Indeed, they should. So thank you, Rebecca, and thank you to our listeners for joining us for another one of CyberTheory’s Unplugged reviews of the stuff that matters in cybersecurity, technology and our new digital landscape. So until next time, I’m your host, Steve King, signing out.

Category: Podcast