Bryce Austin started his technology career on a Commodore 64 computer and a cassette tape
drive. Now, he’s a top cybersecurity expert, leading the conversation about emerging technology and critical issues.
“Artificial Intelligence may be your firm’s new best friend, and ignoring AI could let your competition gain a competitive advantage that you don’t have. The cyber landscape has changed in just the past two years,” says Austin, who points to ransomware as just one major cyber risk for most businesses now. “With ransomware, hackers steal data that’s important to your business and extort you to get it back – they look for low-hanging fruit, the equivalent of someone who leaves their keys in the ignition and the window open. Now we have AI engines looking for patterns of behavior that indicate when users, or even entire companies, are more vulnerable to cyber attack.”
Unfortunately, many companies view complex risks like cybersecurity to be so challenging that they ignore it and hope nothing bad happens. “The problem is that it is almost impossible to prevent very sophisticated hackers or agents of a foreign government from getting inside a network,” says Austin, who is past president of SIM’s Minnesota chapter.
“The new cybersecurity landscape is about being able to detect them when they get in. And what about an employee error due to a lack of cybersecurity training, or malicious insiders going rogue in your systems? That’s why you must focus on behavior as a primary indicator of cybersecurity threats.”
Austin, who spent a decade as CIO and CISO of Wells Fargo Business Payroll Services, advises companies in industries from financial, retail, and healthcare, to tech and manufacturing, to assess their cyber risks using the same risk matrix they use for non-security risks, like natural disasters or the loss of a key executive.
“First, you need to understand what cyber risk looks like for your business,” he says, looking at common threats like data breaches or ransomware.
Then, climb a few notches and define what business disruption specifically means for your firm. “What’s your business disruption tolerance?” Austin says. “How long can you be down for? What happens after one hour, one day, one week? Do you risk any fines or sanctions from downtime? What’s the reasonable worst-case scenario for your business and how will you deal with it? Answers to these questions will vary widely depending on the industry and size of a given company.”
Austin, who holds a CISM certification, is also author of Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives. He urges companies to focus their cybersecurity efforts by asking some key questions:
- Where’s my data, and how can I keep it secure?
Between your cloud-based file-sharing services, mobile applications and third-party vendors, do you really know where all your data is? “Decide what data is sensitive to your company and clients, and what could be misused if it’s made public,” Austin says. “Finding all your data is substantially harder than it sounds.”
- Who’s responsible for cybersecurity concerns at your company?
Austin posits that having a head of cybersecurity who’s also your technology chief is a fundamental flaw. “Those two areas need a healthy tension between them, as cybersecurity best practices often conflict with ease of use for system maintenance,” he says. “Wouldn’t it be easier if every IT staff member had global admin rights to every system you have? Many companies operate that way. Cybercriminals love that model, because as soon as they hack one account, they have the keys to your entire kingdom.”
- What’s my playbook if I have a cybersecurity incident?
It’s critical for companies to have a documented and rehearsed incident response plan. “Missteps taken in serious recent data breaches, such as Equifax, were the obvious result of a lack of a plan on how to respond to an incident,” Austin says.
“You also need to have rehearsed scenarios using your cybersecurity playbook, so that when you have a real cybersecurity incident, you don’t make missteps or waste time. Having a well-thought-out response to a breach is critical, and time is of the essence” he says.
What’s next? Austin wants to see more cybersecurity regulation and accountability for companies. “Companies often aren’t required to make the victims of breaches whole,” he says. “There should be a base level of cybersecurity as a prerequisite to sell products or do business in this country.”
And artificial intelligence may be your firm’s new best friend. “Using AI to detect abnormal behavior of your systems and people in them is kind of like today’s arms race,” Austin says. “Companies that ignore AI as a cyber security defense mechanism will be on the losing end of cyber-attacks.”
Bryce Austin will speak at SIM Connect Live in Dallas on April 11–13, 2018, offering the session, “The Ostrich Effect: How proper communication with the C-Suite will lead to good decisions around technology and cybersecurity.”