Illustration by Taylor Callery
Remember a decade ago, when the main cybersecurity worry was a retail breach of credit card information? “Obviously that still happens,” says Chris Young (MBA 2003), CEO of the security software company McAfee, based in Santa Clara, California. “Although banks and credit card companies have become much better at shutting that down quickly.” Now hackers look for personally identifiable information—think birthdays, social security numbers, and addresses—that they can sell on the underground market and use to build synthetic personas. The threats only scale up from there: ransomware, the security of our electric grid, and international espionage, for example.
Young has worked in the field from his early-career startup days through posts at AOL, Cisco, and Intel, where he led the 2017 initiative to spin out McAfee as a stand-alone company. Since 2016, he has served on the President’s National Security Telecommunications Advisory Committee, which provides industry expertise on national security preparedness.
Over that time, cybersecurity has snowballed from a back-office IT function to one that’s top of mind for every chief executive—or should be, Young says. Companies are inherently vulnerable to cyberattacks because the very processes that enable growth also expose vulnerabilities. Mergers and acquisitions, for example, create confusion between converging IT infrastructures and personnel in transition—exposure that attackers look to exploit. Here, Young takes your questions about how to safeguard an enterprise against today’s threats and those of the never-too-distant future.
Where should companies invest their time and dollars to ensure minimal impact of an event and fastest recovery?
—Tim Connor (MBA 1985) and Jazmin Medina (MBA 2015)
YOUNG: Always start by focusing on areas where you have the most risk. Good protection starts with good IT hygiene. The basics—patching and updating systems and basic protections (and controls)—should be in place across the entire franchise. I would recommend focusing on security controls with more advanced capabilities, such as detection and response tools, in areas with the most sensitive data or the most risk to the organization’s mission. Once you’ve identified risk and placed controls in line with your prioritized assets, then you need to relentlessly test and drill your organization on its ability to identify and respond to an attack. Static placement of tools won’t be enough.
With more and more of our information stored in clouds, how should consumers protect themselves? Are some clouds more secure than others? —Liliane Offredo-Zreik (MBA 2000)
YOUNG: Just as companies should implement security systems and services based on what they believe will work best for them and their customers, individual consumers should think carefully about several factors when considering a cloud-security provider: Does the service provider encrypt all data and connections? What forms of authentication do they use? Has the provider’s security ever been successfully breached? What is the company’s stance on privacy? Unfortunately, all clouds are not created equal.
What influence will artificial intelligence have on security threats? —Pierre-Alain Graf (AMP 184, 2013)
YOUNG: Artificial intelligence will make security better, faster, and smarter—both for the data scientist at a security firm and for the nation-state attacker. (Sadly, A.I. doesn’t differentiate.) So it is imperative that we anticipate and prepare for an adversary’s moves, much like a grandmaster chess player. Technologies that use approaches like game theory will be able to better predict an attack and determine what we can do to avoid them in the first place. But A.I. will only be as good as the people who develop it.
Is bulletproof security achievable in an era when data breaches are larger, more expensive, and more common than ever? —John Lacey (MBA 1981)
YOUNG: Bulletproof security is not statistically possible, but we can minimize risk by developing layers of protection and proactive approaches that increase those layers. Adversarial machine learning (AML), for example, is a technique that can be used to attack a machine learning model and cause a malfunction. Data scientists can use it as an elegant tool to better understand areas of vulnerability and proactively correct a threat, instead of simply being reactive. Approaches like these will help increase those additional layers of defense and approach that bulletproof ideal.
Class of MBA 2003, Section A