Tools alone won’t solve online threats. That singular message guides Darren Death in his approach to advising organizations on ways to stay cyber safe.
As chief information security officer for ASRC Federal, Death guides the Beltsville, Maryland-based defense and space contractor on ways to shore up its own cyber defenses. He also imparts those lessons as a popular speaker at cyber events, such as the recent Cyber Summit USA. On both fronts, Death’s focus goes back to tools — and why they’re not a cure-all.
“While tools are great, we need to start focusing on the human side of the business and IT operations,” says Death, a Pasadena, Maryland, native. His career began in the Air Force as an F-16 crew chief, then led to work as a systems administrator for the Baltimore Convention Center. Eventually, he served as a systems architect, developing Windows systems at Justice Department headquarters.
“I’m passionate about cyber issues,” says Death, when reflecting on his 16-year career, to date.
That passion guides Death’s current work with ASRC Federal, where he began in April 2015. Along the way, Death has seen the discussion of cyber only grow in urgency.
“Especially as technology becomes more pervasive and innovative, and as different technologies are interconnected with each other, the fragileness of our infrastructure is a lot more serious than people realize,” Death says. “One of the things that I’m hoping to do, as part of my career, is to be part of the fix.”
For Death, being part of the fix means driving home the importance of everyday best practices not only in building but also in securing enterprise solutions. That focus comes just in the nick of time, on the heels of the recent Equifax breach and, before that, the large-scale internet of things attack that disrupted DNS services on the East Coast.
“If you look at what’s been happening, a lot of it has been around organizations not doing their due diligence, either from a planning and prioritization perspective, or in the case of operations organizations, they’re saying, ‘We don’t have the resources so we can’t do it,’” Death says.
In any and all cases, Death adds, simple everyday steps can help thwart the threat of massive disturbances that comes hand-in-hand with emerging new technologies. Rather than ceding that responsibility to senior leadership, Death sees a critical role managers can play in leading a cyber-safe organization.
The first step, Death says, is to understand the organization’s mission. That means not being afraid to ask the hard questions.
“From the point of view of understanding what needs to be done, it is very critical for the cyber organization to actually hit the pavement, go out and talk to your senior executive leadership — talk to your managers who are actually implementing the vision of senior leadership — to understand what their missions are,” Death says.
“Ultimately, at the end of the day, it’s not about IDSs and firewalls; it’s about data that the organization is processing; what can I do to support that mission is ultimately what I need to be doing,” Death says. “That really needs to be the goal for the cyber organization — to understand what they can do to support the mission, regardless of what the mission is for their respective organizations.”
Factoring in the “human aspect,” as Death puts it, is also critical. That means not treating awareness training as a check-the-box requirement but as something essential to an organization’s security framework, and then amplifying that message.
“Are we making sure we use all potential media at our disposal, within an organization, to make sure we are outreaching properly?” Death says. “When we look at role-based training, it’s less about looking at training and more about communicating with our customers.”
That’s where targeted communication that resonates with senior leadership must also come into play.
“How are you talking to them about threats that are happening that month?” Death says. “How do you communicate not only to the business managers but also to the IT groups about what they need to prioritize that month? What mechanisms do they use, on a recurring basis, not just once a year to talk to end users about what’s happening?”
Those conversations should span multiple media formats, Death says, citing not only email but display boards and quarterly newsletters, among other media.
“I think it is really important for the cyber program to make sure they are part of that conversation, and creating interesting content, not just content that makes people feel good about technology but content that talks to your audience so they understand how cyber affects them,” Death says. “I also think that in order to make it personal, when you are communicating, make sure you also give out messages that speak to their personal lives.”
Going Back to Basics
Another essential element of communication rests on going back to basics, Death says. That’s especially true at a time when ransomware and phishing scams are only accelerating.
“Going back to awareness, folks need to really work on helping their user base understand, ‘This is what a good email looks like, and this is what a bad email looks like,’” Death says.
That instruction may sound obvious, Death notes, but far too often organizations err on the side of the more complicated — and costly — solution.
“I think folks have been spending a lot of energy hoping that if they spend money on security tools, it will solve the problems,” Death says. “But they haven’t focused on the basics like patching, secure configurations, network segmentation and simple education of the end user.”
Widening the Net
Leading that education shouldn’t be the sole preserve of technologists, Death says.
“We don’t just need technologists,” he says. “Ultimately, from my perspective, we need more people thinking outside the box versus fewer people.”
Widening that diversity of thought means recruiting professionals from a wide range of backgrounds.
“We are implementing trillions of dollars in technology, but it is not solving the problem; I think that what people are missing — and have missed, in a great way, from the conversation — is diversity of thought,” Death says. “We need folks who are music majors, history majors, English majors in the cyber field because they will bring different points of view.”
All these measures, Death says, not only help an organization build trust in how its information is handled; they also lay the groundwork for the necessary next step: establishing the right mix of security controls so the organization can take advantage of new technologies while minimizing the pain points along the way.
What are the secrets to foundational information security? Darren Death speaks at the Institute of World Politics on Thursday, Nov. 30.