The Network Edge

The Network Edge – Our Interview with Robert Bigman

Published September 01, 2022 by Benny Lakunishok

Robert Bigman served fifteen of his thirty-year career in the CIA as their first CISO before retiring in 2012. He is now President of 2BSecure Inc., an independent cybersecurity firm that builds cybersecurity programs and helps organizations successfully resist attacks. He also provides cybersecurity programs and training to global government and private organizations. Robert contributes to a number of cybersecurity blogs and frequently appears on media outlets.

Tell us about your background

I’ve been in cybersecurity now for over 38 years, and my career has paralleled cybersecurity as an initiative and a program. I began as a consultant to The Agency (a.k.a. the CIA) and then joined full-time and advanced through the ranks, first in the Information Security Group, then as the Chief of Network Security, and ultimately as the CIA’s first CISO.

As networks and computer systems grew in sophistication - from IBM mainframe computers, through pre-Ethernet token rings, to the internet and routable networks - the challenges we were facing became more complex. I saw the role of the security program evolve from defining simple policy definitions to protecting local data access all the way to combating advanced ransomware and zero-day attacks. Over the span of about 15 years, the department grew in size from 20 to over 300, and we were the first to test and implement a lot of the cutting-edge security tech that is prevalent today.

In 2012, I retired from the Agency and began working as a security consultant to companies large and small, working daily to stay current and ahead of the game.

What are some of the challenges that have caused your phone to ring recently?

In the last six months to a year, in part due to the rise of remote work, it’s all been ransomware. I keep up to date with some of the different APT (Advanced Persistent Threat) groups and analyze them. Companies call and ask how to protect themselves. I tell them what the bad guys are doing and what they need to do in response—what policies they need to have in place, what system architecture is better protected from attacks, etc.

How would you describe your philosophy as a security leader?

From the perspective of protecting systems and data, I believe there are two key aspects:

  1. Cyber is first and foremost a people business, not a technology business. I have consistently found that the companies with better cybersecurity are the ones that have good program and messaging people, not necessarily the best technology people. The best organizations understand their priorities and put the right resources in the right place at the right time to get the job done. Regardless of whether they had better or worse technology, they had better cybersecurity. They just programmatically did it better.

    Too many organizations want to solve security with technology and throw products at it; they want the next big thing from Israel and hope that the new technology will solve all of their problems. It (almost) never does. This is because many organizations have cybersecurity as part of their IT, and IT is primarily about technology. CEOs can understand asking for more IT things - compute, storage, networking - but can’t understand what “more security” means. It’s not something you can buy incrementally, by the pound or by the bandwidth, but rather a programmatic change that makes cybersecurity a part of every decision. That is why it’s important to have the right people promoting the right messaging to make sense of it.

  2. It’s all about Protect. The NIST cybersecurity framework identifies five main concurrent and continuous functions for cybersecurity: Identify, Protect, Detect, Respond, Recover. To me, there’s only one that matters: Protect. And to hackers, there’s only one that matters: how well you are protecting your network and systems.

    Companies show me how they’re doing their cybersecurity framework and where they’re putting their money. They hear they need to distribute their funds across all functions. I tell them it’s not true. Hackers care about things like good Linux security, sophisticated Microsoft security capabilities in the system, self-signed certificates, and DRM, not a security operations center.

    Organizations need to be primarily focused on data and system protections. Yes, you do want a response program, a training program, and other things in cybersecurity, but you better focus on Protect. I work with companies on how to evaluate priorities within that function, but at the end of the day, you have to focus on protecting systems. Many companies allocate resources to the wrong programs.

What tips you off to a good cybersecurity program?

I’ve been doing this for a long time and I can smell a good cybersecurity program in five minutes. I’ll ask questions like, “How do you protect your local and domain admin accounts? What’s your philosophy? What tools do you use? How do you do it?” I’ll usually get, “We use Microsoft WAPs. We give the users training,” which is a completely inadequate answer. Or I’ll hear something like “We have some users who have local admin accounts.” This lack of a clear chain of command tips me off that the CISO’s influence is probably not great.

How do I know a good CISO from a bad one? The good ones have established a program where the IT or business manager comes to them first whenever they want to put something new in place. The U.S. government now has regulations requiring CISO approval—you cannot expend funds on IT things unless the CISO first reviews and approves them.

And so, another thing I ask is what they do when part of their business wants to make something new, like build an app, a container in Azure, etc. How and when do you engage with them? How do they engage with you? You need governance to make sure that, before they start writing code and building systems, you okay it. Almost always the answer is, “Well, they’re supposed to come to us for approval,” but a lot of times they don’t.

When I was at the CIA, we never did DHCP - dynamic addressing. If you wanted to do something, you had to get an address. Guess which office you got it from? There was no way you could put something on the network without going through the CISO, because you needed an address. We asked questions, scrutinized everything, and made sure we approved.

In many companies today, the CISO sees about half of what’s going on in IT, but there’s another half they don’t know about. They only come across it when they do a scan.

Those are the things I judge to see if companies have a chance.
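The “some users have local admin accounts” red flag above is something a defender can check directly. The following is an added example (not from the interview or 2BSecure) that compares a workstation’s local Administrators group against an approved baseline; the baseline entries are assumed placeholders.

```powershell
# Added example: audit the local Administrators group against an approved baseline
# and report every principal that is not on it. Run in an elevated session on the
# host being checked. The approved names are placeholders; substitute your own.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # placeholder: built-in account, ideally disabled or vault-managed
    "CORP\Workstation Admins"            # placeholder: the single domain group permitted local admin rights
)

# Get-LocalGroupMember is part of Microsoft.PowerShell.LocalAccounts
# (Windows PowerShell 5.1 and PowerShell 7 on Windows).
$Members = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop

$Unexpected = foreach ($m in $Members) {
    if ($Approved -notcontains $m.Name) {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Principal = $m.Name
            Type      = $m.ObjectClass       # User or Group
            Source    = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD
        }
    }
}

if ($Unexpected) {
    # Report only; removal is a change that should itself go through the CISO's governance.
    Write-Warning "Unapproved local administrators found on ${env:COMPUTERNAME}"
    $Unexpected | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators group on ${env:COMPUTERNAME} matches the approved baseline."
}
```

Running this across a fleet (for example via a scheduled task that exports `$Unexpected` to a central share) gives the CISO the inventory of local admin rights that the interview says most programs lack.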

What is the most underserved category of cybersecurity at the CISO level today?

Governance. Bluntly, unless you have your finger on the entire IT organization, there’s no hope. It doesn’t matter how good your security operations center is or how well you pass pen tests. If you’re not involved in the company’s IT, making sure that things get done properly, then it won’t happen. Every organization I’ve worked with has great policies, but very few actually use them. If IT and IT security are not integrated as one discipline, there’s no chance.

When I was Chief of Security at the CIA, I sat in the office with the CIO. I watched what he did, and he watched what I did. We worked on everything together. We wouldn’t let the senior IT people do anything around The Agency without us keeping tabs. You have to know what’s going on.

Here’s a recent anecdote that illustrates how problematic things can get without proper governance: I was brought in to assess the cyber program in a very large, global company from a 50,000-foot level. I sat down to talk to a senior business IT guy who was working on application development and it turns out he had built an entire internal subnet, processing some of the most sensitive corporate information. He did so without getting approval from the CISO or even letting him know about it. Again, if the CISO doesn’t have governance over the entire IT organization, things won’t be done properly from a security standpoint. So I flat out told them that their program sucks. It’s really not technical - it’s the governance of the program. And this is where we, as an industry, must strive to improve.