One on One with Booz Allen Hamilton's Bill Stewart

ART1150785_BillStewart-3With every passing year, the threat of a large organization experiencing a cyberattack grows. The hackers’ (or “adversaries” in security speak) techniques are always evolving, which means if businesses are to have any chance of fending them off, their defenses need to keep pace. Consulting caught up with Bill Stewart, Commercial Cyber Security Business lead for Booz Allen Hamilton, who offered his insight on the state of current cybersecurity threats, the emerging threat of the Internet of Things, and the continued importance of a human touch to help at-risk organizations stay one step ahead of the bad guys.

Consulting: Talk about the overall state of commercial cybersecurity heading into 2016.

Stewart: There is continuing growing awareness around threats and adversaries and what they can do and what they are doing. That’s with good reason, because we’re seeing the bad guys sharing information needed to attack others in ways they couldn’t in the past. You also have increased damage occurring, which means the problem is continuing to accelerate. On the commercial side there is continued increased investment and increased activity to defend assets, and boards and CEOs are taking these threats more seriously.

Consulting: Is cybersecurity being on the radar of the c-suite a new trend?

Stewart: I would say in the last year, year and a half, there’s more of an acceptance that they have to do something about it, and that they can’t just spend their way out of the problem. You can’t just throw money at it and have it go away. It’s truly an issue of having to manage a risk. It’s really not a solvable problem; it’s a problem you have to manage. At the board level that’s a relatively new understanding. They also thought they had it covered because they hired a security officer and a team and they gave them some money and checked that box, but it’s clearly not enough.

Consulting: What are some of the emerging cybersecurity threats?

Stewart: There’s a whole spectrum of threats depending on who you are and what you have. At the highest end you have the nation-state actors, the very capable, very sophisticated adversaries that are able to get in pretty much wherever they want to because they have the resources and the know-how to do it. With the state of security technology it’s really difficult to protect yourself against a determined, sophisticated adversary. Then you have criminals, who are getting better and are learning from what these more sophisticated adversaries are doing. Once an exploit gets out there, once malware gets unleashed once techniques become better known, criminals can more easily exploit corporations and other people with information they’re trying to protect.

Consulting: Are some industries further ahead of the curve than others in building up their cybersecurity defenses?

Stewart: What’s interesting is that the best is actually the government. Part of the reason is they’ve invested in this technology for multiple years. They’ve taken it seriously; they’ve developed talent and techniques. And they’ve had to do this to survive. In the national defense and intelligence business they’ve had to create those strong capabilities. What’s happening now is commercial industries are realizing that and starting to extract that talent and expertise to support their requirements. Next is probably financial services. Again, it’s driven out of necessity. They’re a target because they, generally speaking, have money. So as soon as they got connected they had to deal with the fact that people are trying to extract resources to them for malicious means. They’ve evolved capabilities that are, generally speaking, ahead of other industry verticals. Then you have lots of others that are really starting to get serious about it. Retail has become much more serious about the liability associated with breaches and the fact that it can affect their brand. Healthcare is another area. You’ve seen some big breaches there and health information is valuable.

Consulting: How closely are you watching the rise of the Internet of Things as a potential cybersecurity threat coming down the pike? 

Stewart: There’s no question, and it really changes the game in terms of scale. A way of thinking about Internet of Things is just a lot more things connected to the Internet, and in order to enable it we’re shifting to a much greater address space, we’re going from IPV4 to IPV6, which is opening up a lot more potential addresses, which is a good thing, but it means some of the ways in which we’re achieving security today will need to change. Today we rely heavily on monitoring, trying to track what an adversary does before they attack so we can generate an intelligence database and share information. We’re also using a hunting capability inside institutions to figure out whether we’ve been exploited because we recognize we can’t keep them out. All that means very active defenses that involve people, and the people have to spend a lot of time looking through information. Some of the analytics that are being developed help with that, but when you try to scale that up to the size of IPV6 and so many more devices, it’s hard to see how you can keep that monitoring going in the same way. Right now, artificial intelligence is more artificial than intelligent. We’re seeing more of it than we ever have, but it still takes a human in the loop to determine what an adversary is doing.