One of the key provisions of Oregon Senate Bill 90, recently signed by Governor Kate Brown, is the creation of an Oregon Cybersecurity Advisory Council. As the newly appointed Chair, I am excited to take on this important role. Kerri Fry, president of Redhawk Network Security, is joining me as Vice Chair on the advisory council along with a great group of experienced professionals from industry, education, state and local government and other organizations.
Mission and Vision
One of the first tasks for the board was to determine our mission and vision statements.
Vision: We believe cybersecurity is a shared responsibility and must be accessible to all.
Mission: Build tangible solutions to protect the digital lives of all Oregonians.
These statements reflect two important values that we all share:
- First, that only when we work together as a collaborative public-private consortium focused on a common goal can we start protecting data, systems, businesses, and critical infrastructure. Cybersecurity is a shared effort and responsibility.
- Second, if we genuinely want to make a difference, we must build clearly defined methods and tools to protect everybody.
Right now, the advisory council is working on a number of proposals and ideas. However, there are some important trends that shape our efforts.
1. Aggressiveness of Attackers
The notion that hackers are nerdy, anti-social kids in their basements is profoundly outdated. While there are plenty of nerdy kids hacking, they do not represent a serious threat. Hacking has become a worldwide enterprise. Many of the cybercrime syndicates and state-sponsored groups are extremely well funded, organized, and capable. In many cases, these groups have more resources than some of the largest corporations and governments in the world.
These hacking groups fully embrace automation and big data analytics to execute their attacks. Hacking is almost entirely automated these days. Vast armies of virtual bots carry out ceaseless attacks against all manner of targets. And these bots are increasingly able to rapidly customize their techniques based on individual targets.
Hackers do not operate within any kind of agreed-upon rules or ethics. They can hide behind false identities and use our own infrastructure against us. This makes our task as defenders supremely difficult.
2. Talent Gap
Compounding our problems as defenders is the dearth of talented cybersecurity professionals. A study from Frost & Sullivan states that there will be 1.5 million unfilled cybersecurity jobs by 2020.
This is a challenge we can solve. To train the next generation of cybersecurity professionals, we must go beyond the classroom and put people in live security operations environments. Cybersecurity is a profession that demands hands-on technical experience.
As such, the Advisory Board is considering numerous plans to recruit people from community colleges and university computer science programs to work in a security operations center as part of their schooling. We are particularly interested in how to extend these programs to rural areas, as this will help bring jobs and opportunity to these communities.
There is no doubt that the cloud is shaking up technology. According to statistics from RightScale, 97% of organizations have some of their infrastructure in the cloud. Moreover, 80% of all companies in the USA have budgets to move more services and workloads into the cloud.
The cloud offers us cybersecurity defenders some good news. The cloud can accelerate security in ways on-premises technologies cannot. We can build dynamic, flexible, and scalable environments that provide strong security monitoring in a fraction of the time and cost of traditional solutions. Cybersecurity services, which have consistently remained cost prohibitive to small businesses or municipalities, can be in reach when we use the cloud.
Hackers are already using the cloud, automation, and machine learning to attack us. We can use these same tools to defend ourselves.
4. Subscription Economy
One of the more profound trends affecting not only security, but the entire technology industry, is the Subscription Economy. This is a term coined by Tien Tzuo, the CEO of Zuora. Briefly, this is the trend of companies offering their products as subscriptions, rather than selling them outright. Office 365, Salesforce, and Netflix are all examples of this kind of engagement. In a subscription economy, you do not acquire things (or software licenses), you acquire relationships. A relationship encourages ongoing engagement and support, not a one-time touchpoint.
This is a model we must adopt for cybersecurity: building relationships based on trust and mutual interest. The plans we are evaluating right now offer subscription-style services for Oregonians. Incidentally, we adopted this model at my own firm, Anitian, this past year with resounding success. Over 80% of our customers are switching to subscriptions for cybersecurity services, as they offer on-demand capabilities that encourage ongoing engagement.
Cybersecurity is at an important turning point. We must move quickly if we want to defend ourselves from the latest threats. It is encouraging to see how many parties and groups want to make this effort a success, from industry groups like the Information Systems Security Association (ISSA) to community groups and private firms like Amazon Web Services.
I have spent the past 23 years helping businesses and governments build great security. While defending our digital lives is a difficult job, it is not an insurmountable one. We can do this.
The Oregon Cybersecurity Advisory Council will be working throughout the coming months to field plans that bring tangible security to everybody. We welcome input, ideas, and help from everybody. Together, we can fight back against the growing cyber threat and protect the digital security of all Oregonians.
Author: Andrew Plato, Anitian
Andrew Plato is CEO of Anitian and Chair of the Oregon Cybersecurity Advisory Council.