Jeff Man 0:01
This week on Security and Compliance weekly, we are streaming live for the first time ever. And we’re also hanging out on our security weekly Discord server on our very own channel #SCW. On our show today we’re talking to Ann Cleveland. And as the executive director of the Center for long time cyber, long term cybersecurity at the University of California Berkeley School of Information. Since we’re talking to someone from Berkeley, and I’m a child of the 60s, I thought I’d dress appropriately. The CLTC recently published the results of a study that they performed last year, in partnership with Booz Allen, that looked at how boards of directors approach cybersecurity governance in their organizations and what they should do differently. So we’re going to talk to and get to know her a little bit, learn a little bit about the CLTC in general, and also talk about this study, hopefully with a sprinkling of security and compliance mixed in. So join us as we continue our journey of tearing down silos and building bridges on security and compliance weekly.
This is a security weekly production. And now, it’s the show that bridges the requirements of regulations compliance and privacy with those of security, your trusted source for complying with various mandates building effective programs, and current compliance news. It’s time for security and compliance weekly. RSA offers business-driven security solutions that provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights, and coordinated actions. RSA solutions are designed to effectively detect and respond to advanced attacks, manage user access, control and reduce business risk, fraud and cybercrime. RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive and continuously adapt to transformational change. For more information visit securityweekly.com/RSAsecurity. Welcome to episode number 29 of security and compliance weekly, recorded on May 19th, 2020. Also, we’re live streaming. I’m your host, Mr. Jeff man. And joining me today are my co-hosts Mr. Scott Lyons, Mr. Josh Marpet. And our esteemed chief CEO head honcho and the guy who is responsible because Paul told him to make us live today. Mr. Matt Alderman Gentlemen, welcome.
Scott Lyons 2:44
Holy episode 29?
Matt Alderman 2:46
I didn’t get the memo about the wardrobe though.
Jeff Man 2:49
Sorry. There was late-breaking, I just thought about this like maybe an hour ago. So I apologize. I’m sure you have something in your closet somewhere that you can pull out in a pinch Matt. The other guys are way to young. Hey, got a couple announcements before we start off today. Join us at infosec World 2020 which is now June 22 through 24th and it’s a fully virtual event. Security weekly listeners can save 15% off the infosec world main conference or world pass to get the discount. Visit securityweekly.com/ISW2020 Click the registration button to register with our discount code. Also, join our security weekly mailing list and you can receive your invite to our community Discord server, which we’re on right now since we’re doing all this live. You can get there by visiting securityweekly.com/subscribe and clicking the button to join the list. Alrighty, so today as we mentioned, we are joined by Ann Cleveland and the director, Executive Director of the Center for long term cybersecurity at the Berklee School of Information. Welcome Ann.
Ann Cleaveland 4:04
Hi, Jeff. Thanks for having me. And thanks for inviting me to come talk with you about this research.
Jeff Man 4:11
Sure, we’re excited to to have this conversation today. When I was talking to in about today’s episode a couple weeks ago, working out our topics. I kept thinking in my head. There’s something there’s somebody famous from cybersecurity, that was involved at Berkeley and I thought I knew who it was and I I didn’t trust myself and I had to look it up afterwards. But I did confirm In fact, that it is none other than Cliff stall the author of the Cuckoo’s Egg. So he was doing his thing back in the early 80s discovering glitches in the accounting bill for his mainframe operation which led him to find out that there were East Germans you know, hackers spies had broken into mainframes were stealing government secrets. You know the drill read the book if you haven’t the Cuckoo’s Egg. So anyway, that’s another reason why I thought it’d be really cool to be talking Berkeley today. But we came across this study back in January, as we were going through, you know, news articles, we saw the article that announced this study. The study itself is entitled, resilient governance for boards of directors considerations for effective oversight of cyber risk, which, if you go to the wiki, you can find a link to the, to the to the actual study, and we can probably, if somebody is on the ball, drop the link in the discord server, nudge nudge, wink wink people that are on the discord server. So and you know, we want to jump into ultimately a discussion of this study. But we’d like to start off when we have visitors on the show, just getting to know you a little bit. Tell us a little bit about yourself how you got into cyber security, I think you kind of came from a different background than a lot of us. But just you know, please tell us a little bit about yourself starting off.
Ann Cleaveland 6:12
Yeah, thanks. And I’m loving the Jerry Garcia look in honor of Berkeley. Thanks. So I, yeah, you know, I’ve been in cybersecurity for just a little under two years. So really not very long in the scheme of things. And I’ve noticed that a lot of people in the field seem to come to it from a roundabout route. And in fact, Cliff Stoll that you just mentioned, I believe he was an astronomer by training, is that right? Before he, before he got into cybersecurity, he was an astronomer at LBNL. I think.
Jeff Man 6:47
That’s right. Yep.
Ann Cleaveland 6:49
Ah, so anyway, I’m the same, I actually left a great job in climate advocacy to come lead the Center for long-term cybersecurity. And that was at least partially motivated by the sense that digital security has become as serious a threat and is difficult a collective action problem. as climate change. You know, they’re increasingly connected, and both impact just about everything and every cause that we care about. I think that’s become even more obvious to people in the current COVID-19 emergency, you know, as all of these global threats intersect, and more of our lives move online.
Jeff Man 7:32
Interesting. And it’s interesting that you’re sort of new to the field, because most of us hosts and a lot of the people that are our listeners, have been around for a while. And some of us that are older and might be a tad jaded, or disillusioned or, or even, let’s say biased. But…
Josh Marpet 7:52
Jeff Man 7:52
We like to, we like to ask all of our guests sort of the same level setting kind of question. And it’d be interesting to get your response, there’s no right or wrong answers. This is just your view of things. But you know, given that you’re sort of new to the to the industry, the question we like to ask is, you know, since this show was about security and compliance, what do you see? Where do you stand? What is your opinion about security versus compliance? The question that we typically ask is, where do you fall on the security versus compliance continuum?
Ann Cleaveland 8:32
You know, I guess the you know, that my short answer to that would be, it’s not an either or in the sense of a trade off. I think it’s a both/and with security and compliance.
Jeff Man 8:47
Fair enough? Sound answer as far as I’m concerned, and like I said, there’s no right or wrong answers. So you’ve been in the business for two years. And you and is it safe to assume that the two years have been mostly spent at the CLTC?
Ann Cleaveland 9:04
Jeff Man 9:06
So how did you come to be there? And what is the cltc? How did it come about? What what’s its goal? What’s its charter? Why why why?
Ann Cleaveland 9:18
Sure. So the Center for long term cybersecurity – we’re five years old, we were set up with a mission to amplify the upside of the digital revolution, if you will. So there are a couple of things that follow from that. And I hope we’re maybe a little bit different and interesting to your audience. For those reasons. One, the scope of the issues that we’re interested in, is defined under the umbrella of cybersecurity but quite broadly, so of course, interested in things that people traditionally associated With cybersecurity, you know, network defense, authentication, adversarial attacks, etc. but also really interested in the social and policy and cultural problems around cybersecurity. And I’m sure we’ll talk about this more later. But that’s where the Board Governance piece comes in. I guess the other thing I’d love for your audience to know about the center is, we take the long term part of our name seriously. And you know, because we’re part of an academic institution, we have the luxury of being able to look a little bit over the horizon in a way that some of our corporate colleagues or others may not be able to. You know, as you guys know, a lot of cybersecurity as it as practice is a little bit like an emergency room analogy, where you know problem comes in, you patch it up, you send it back out again. And we really are trying to help people with our research, step back and get out of that emergency room analogy and try to look three to five years ahead about what are tomorrow’s cybersecurity problems? And how can we be better prepared for them?
Jeff Man 11:19
Yeah, I for one was, was interested in bringing to our audience more of an academic viewpoint or academic perspective, because, you know, we haven’t really had too much of that so far, in the brief history of our show. And also, as you’ve expressed with some of the other things, that you’re just kind of weave into the picture. It’s definitely a Berkeley thing. And I think that’s an interesting perspective of well, gentlemen, co hosts, and any questions for an off the bat here.
Josh Marpet 11:55
So yeah, I’ve actually got one right off the bat. And that’s the long term aspect of this besides the cultural implications of cybersecurity, which you mentioned, I love that. I love how broadly defined that that’s lovely, thank you. And not just cultural, but all the different implications, not just traditional ones. But I love I’d love to talk about the the long term aspect you mentioned, you said 5-10 years, where as we know, and you mentioned, people being in an emergency room or a fireman, you know, a mindset, I’ve got this massive fire in front of me, I’ve got to fight that fire. I don’t have time to figure out what’s next down the road, right? And so five to 10 years for companies that are traditionally, what’s this quarter, what’s this quarter? What’s maybe next quarter? And even that’s a push? Have you see pushback when you say we need to talk about the next five years, though, like, we need to talk about the next five days.
Ann Cleaveland 12:49
Yeah, absolutely. And, of course, you know, we understand that and sympathize with it. But we’ve also found, companies really appreciate the chance to come to some of our workshops, we put something out called cybersecurity futures. And you can see this on our website, there’s a set of 2020 futures that we actually just did a post mortem on, and also send a set of 2025 futures, you know, again, as a provocation for people to think, three to five years, maybe not all the way 10 years, because five years in cybersecurity is probably like 10 years in any other industry. But, you know, people from the corporate side who come to our workshops, and we’ve done a few industry verticals around these scenarios, so you know, insurance industry, oil and gas industry, etc. say they appreciate so much having a day or half a day to lift themselves up out of that fire that’s burning on their desk, and spend within a day with us kind of thinking strategically and lifting out of their day job. You know, you again, it’s a it’s a both and you have to put out the fires. But you do also have to carve out some time for that longer term strategic conversation.
Josh Marpet 14:10
Oh, absolutely. Agreed. I think everybody here will agree with you on that. That’s not a question. And well said. What I’m curious about, though, as a follow up is, what trends are you seeing when you start looking forward to the 2020 futures, the 2025, even the 2030 futures? Do you see any trends in terms of they’re going from technical to cultural they’re going from cultural to I don’t know socialization? I mean, what kinds of trends can you tell us about?
Ann Cleaveland 14:36
You know, one, one of the things that we think is interesting that we’re seeing across scenarios is this idea that cybersecurity is moving from the idea of protecting data or securing data to keeping data from being manipulated in almost imperceptible way If that makes sense, so.
Josh Marpet 15:03
Deepfakes. Absolutly. Yeah, yeah.
Ann Cleaveland 15:09
So that so that’s one of them. Another thing, and I’m sure that you all have talked about this a lot is just where where is authentication going? You know, what, what is going to kill the password, eventually. So we see that in our research, and then a sense that increasingly, you know, the internet in the early days, the culture around it was, it’s somehow separate from traditional geopolitics. And something we’re seeing very much in the long term trends across scenarios are the ways where traditional geopolitics are shaping cyber security. You know, whether anybody likes that or not, and where did what is it going to mean for people if they’re dealing with different regimes? You know, the cartoon version, and very simplistic version of that is one as a china led internet regime, and one is a Western lead internet regime. But of course, there there are lots of variations in that.
Josh Marpet 16:18
Yeah, no. Go ahead.
Matt Alderman 16:19
And what’s interesting is the internet is also shaping that geopolitical environment as well now, which also has very interesting consequences in the cybersecurity space also. So it’s not just one way it the internet’s also influencing things the other way as well.
Ann Cleaveland 16:38
Yeah, I think that’s exactly right.
Matt Alderman 16:42
I was looking at the 2025 forecast and the 2020. Because it was interesting. Yesterday, we were talking about building strategy and looking out five years and then kind of building your strategy model back. And this is something that I did, as Jeff knows, in late 2015, when I was at Tenable. And so I wanted to see how close your 2020 predictions were to some of the ones that I did. And there are some similarities. I looked at it from a very specific security vendor perspective. But when I look at 2025, we’ve seen also a few of these trends. Right. You talked about quantum computing, there in some of the other trends that are that are coming. You know, I still think we’re probably a little further off from a true quantum computing state. I think you’re a little early, but just kind of how did you come up with the different scenarios for the 2025 forecast?
Ann Cleaveland 17:37
Yeah, so well, just to respond to something you said at the beginning, before I answered the question. I, I, it was really interesting, when we did the post mortem of the 2020 scenarios that what we found was we had been too optimistic about the ways that technology would improve in those five years, and sort of focused on the new shiny object and the new shiny technology. And didn’t put enough emphasis on the fact that all of the tools that were needed for the kinds of cybercrime and cyber attack and destruction that we saw between 2015 and 2020, were already there in the environment. So that was a lesson for us. In terms of how do we come up with the scenarios. So the scenario discipline is something that actually came out of Royal Dutch Shell in the late 70s and early 80s. And is a methodology that we that we use to drive some of our research agenda. It’s not, it’s not meant to be predictions. It’s more meant to put forth it alternative versions of the world, which are all possible given current trends. And to provide people the opportunity to develop a little bit of foresight, and to try to place bets against the different scenarios. That would mean that your, you know, organization, or your project, or whatever you’re doing could be robust, depending on how the world then evolves in those ensuing five years. Does that answer your question?
Matt Alderman 19:26
Yeah, I mean, we know that this concept of quantum computing is coming in and put some real interesting challenges on our encryption algorithms. And some of the other things that we’ve traditionally leaned on for the past 20 plus years in this industry, right. So there is definitely in there, we’ve done interviews on other shows around this that we have to start thinking about this. Now even though maybe the full power of quantum computing we don’t see for another 10 to 15 years, but for not trying to address this now. We’re going to be behind in some of the other ones around kind The trust model, right? We talk a lot about zero trust. There’s a lot in the news around privacy. And those aspects. We’ve already talked about identity plays out in your 2025 predictions as well. So these are these are definitely trends that we’re seeing. I haven’t dug into each one to kind of get the details, but it’s, it’s interesting that those are some of the ones. You know, you’ve got a couple short term that are kind of playing out right now. And then some that are a little longer term that that will play out maybe 10 years from now.
Ann Cleaveland 20:34
Yeah, I think that’s right. And with quantum computing, specifically, the I think the last time I heard a talk about this at RSA, the speaker said, yeah, it could be 10 years, or it could be never, or anywhere in between that.
Josh Marpet 20:50
There you go, and much the same things. Yeah, exactly. You know,
Scott Lyons 20:55
You know, we do a lot of compliance with a lot of organization. I’m sorry, Josh, I have to we do a lot of compliance with a lot of organizations, and we’re still finding organizations with Windows XP in their environment. Right. What do you see, as far as the transition mean, you keep talking about quantum computing, and you’re throwing out all these other words, right? What do you see is the transition from now state to next gen? Like, can you can you walk us through a little bit of that thought process.
Ann Cleaveland 21:25
Now states it next gen of quantum computing.
Scott Lyons 21:29
Yeah, between where we are now, right? with organizations struggling to not only maintain their current IT resources, but then trying to look forward. Right
Josh Marpet 21:40
Not just quantum computing. Scott, you’re talking about everything?
Scott Lyons 21:43
Yeah, that’s true. That is true. Can you can you talk about, about that, specifically, right there, like what gets a company out of the we need to do this now to stay afloat mindset to, we need to be able to focus on the future mindset.
Ann Cleaveland 22:01
Yeah, and I’ll say at the outset, that is not my specific expertise. So I’m speculating a little bit. But I do think what we see is, you know, with, you know, as an almost any technology adoption curve, you have people who are out ahead who are the early adopters. So let’s say, you know, just as an example, it’s not quantum computing. But let’s say we were going to, we decided the whole world was going to move from passwords to continuous behavior based authentication. That whole transition might take, you know, 10 years or two decades before you get every company to make that transition. And there’ll be leaders and there’ll be laggards. And there are some who will do it in the next two years. And there will some that will take the next decade to make that transition, almost like an I’ll go back to a climate analogy. It’s like replacing everybody’s lightbulbs. with LED, right, it’s going to take a long time, even though the technologies available for every household and every business in the US, for example, to make the transition.
Josh Marpet 23:17
Scott Lyons 23:18
Absolutely. But the problem, the problem is that it took households years to adopt the PC, the personal computer, and then even years more to adopt a work at home culture, right? I don’t I have to, I have to go against the flow here and say that I don’t share the same sentiment in that quantum computing will be the next best thing. Right? We still have way too many basics that we too many people are missing, right to be able to even get to being able to see in the crystal ball of what’s going to be 10 1520 years down the road. Right? So how, how is the How is the center addressing current, like pitfalls, right, for not only everyday home users, but also for business users, right? Like, isn’t that isn’t that tied to the mission of the center?
Ann Cleaveland 24:09
Yeah, and maybe I can give, maybe I can give a really concrete example. And I think I agree with you. Although, on some level, I think we’ve also seen, you know, 10 years of digital transformation in the past 10 weeks, right? So there are these external exogenous shocks that can end up speeding up or slowing down the transition, but I absolutely agree with you about the basics. And one of the programs that we have is called the citizen clinic. I was talking to Jeff a little bit about this in prep for the webcast. And that is looking at how can nonprofits accomplish the basics of cybersecurity. And I think, you know, it’s a little bit analogous to small and medium sized businesses where you have a small organization, they may not even have any dedicated IT staff, they don’t have a ton of resources. But they still need to be secured with the basics. You know, multifactor, authentication, patches upgrading from Windows XP, our particular program actually looks at nonprofits that have an added layer of being at risk of politically motivated cyber attack. You know, because that seemed to us like a really worthwhile thing to research with insights that could be useful for the whole nonprofit sector. And I would extend that to some of the small and medium sized business sector as well. But those are the kinds of things we’re trying to do on the ground, you know, getting in and doing assessments for organizations that are contextually dependent and will help them get over whatever the hurdles there are for them to implement the basics. And, as you guys know, and I think he talked about frequently, the hurdles are as much cultural or process hurdles as technology hurdles.
Josh Marpet 26:14
Absolutely. Absolutely. Actually, let me, let me throw something in the mix here. Have you ever heard of the NACD? The National Association for Corporate Drivers?
Ann Cleaveland 26:22
Yes, I have. Yeah. Yeah, they put out a great bunch of resources for board cybersecurity.
Josh Marpet 26:30
Exactly.I wanted to talk about Have you done any collaboration with them? Or have you thought about that? Because the report you just turned out, or the cltc just turned out, forgive me. looks very similar to a couple of reports that pre COVID Scott and I saw Actually, we were there when they released their Blue Ribbon Commission Report.
Scott Lyons 26:47
Hey, Josh, we did um, we did a on the street interviews. I think it was security and compliance weekly Episode Three, right, which gave us one heck of a look into boards.
Josh Marpet 26:59
Yeah, that was so I just, I was curious if you’ve used their stuff, obviously, you have you know about it? And if you found value, collaborating with them, or if you have collaborated with them about some of these reports?
Ann Cleaveland 27:12
Yeah. We’d like to collaborate with them and have a ton of respect for what they do in that organization. Our research was meant to be complementary to and build on what the NACD is doing for boards. And it’s partly informed by Well, let me take a half step back. The question that motivated us in this research was, you know, how can boards of directors play a more strategic role in governance and oversight of cybersecurity risk? And what we found when we took a look at the literature was a lot of what is out there, talks about what this the CISOs relationship should be with the board, what questions the board should ask the CISO? What qualifications of boards look for NFC so and so we were trying to get a little bit beyond that and think about what is the culture and the process that boards need to have within themselves in order to work effectively with a CISO. And I think that’s what differentiates us from what NACD has done, although, again, they’re they’re complementary efforts, and hopefully, there’s a collaboration there in the future.
Jeff Man 28:28
Super, hey, I think we’ve done a really good job. So far, sort of learning a little bit about the CLTC. In sort of its goal, its mission, its dreams. I hadn’t actually looked at sort of the future plan. I do have a question about that. But let’s take a break real quick. We’ll come back. I’ll ask a quick question. And then let’s just sort of dig into to the report itself and talk a little bit about, you know, what you found what your findings were in the recommendations and such so we’ll be right back.