CyberScoop's Editor-in-Chief, Greg Otto, got the chance to talk with Phil Reitinger, President & CEO of GCA, at RSAConference 2019, where GCA was the nonprofit sponsor for the third year.
The topic of conversation was all about the GCA Cybersecurity Toolkit for Small Business, and of course, Reitinger was more than happy to discuss the “cookbook” for basic cyber hygiene that small businesses should take advantage of.
Last week at the RSA Conference, Information Security Media Group (ISMG) sat down with GCA’s CEO, Phil Reitinger, and Mastercard’s Senior VP and Cybersecurity Evangelist, John Brickey, to discuss the GCA Cyber Security Toolkit for Small Business.
In the video interview, Reitinger and Brickey are asked numerous questions about the toolkit, and they talk about why it was created and how it works.
By Phil Reitinger
As I was reflecting on last week’s RSA conference, I was thinking about suggestions from Megan Stifel and Rob Knake that there should be a “B Corps” model for cybersecurity, where corporations promise that they will donate a portion of their revenue to cybersecurity nonprofit organizations, for the greater good. Of course I’m a fan – I work at the Global Cyber Alliance, a nonprofit that could be a recipient of these funds. Where you stand depends on where you sit, and all that.
Nevertheless, Megan and Rob have a point. There are nonprofits doing super good work that are nonetheless resource-poor. The level of resources nonprofits have, compared to the array of criminal and state-sponsored bad cyber actors, reminds me of the movie “Stripes.” If you are as old as I, you will remember that in the second half of the movie, the “heroes,” Peter Winger and Russell Ziskey, go behind enemy lines to rescue their captured platoon in an armed motor home. Winger describes the challenge they face as follows:
Winger: “They got one big gun. They got a couple of tanks. They got a hundred [armed soldiers].”
Russell: “Yeah, what do we got?”
Winger: “We got? What do we got? What are you talking about? We got one heavily armed recreational vehicle here, man.”
Of course, the mission is successful, because (1) it’s a movie, and (2) the RV is very capable and managed by committed, if offbeat, people – so it’s actually a pretty good analogy for more than one nonprofit. Of course, rescuing a platoon is different from winning a battle or a larger conflict, which is what we face in cybercrime.
The Global Cyber Alliance is blessed to have awesome funders: public bodies, founders, partners, foundations and sponsors. Other nonprofits would say the same. But I’d agree with others that the global level of funding falls short of the need.
There are many requirements to secure the Internet ecosystem, including the companies, governments, people and devices connected to it. The primary way of meeting these requirements is the market, especially organizations like companies and governments spending money to secure themselves or their customers. There are also organizations that work to secure their members (such as the ISACs and ISAOs mentioned by Rob) or help those members accomplish a noble purpose that also benefits business objectives (threat sharing organizations, advocacy groups like associations, and standards bodies are all good examples). And there are the charities, that work for the public good where the market and government activity falls short. I’d put GCA in the last category, and I hope you would agree.
This “charity” category concerns me the most, in part because GCA operates as a charity and does not charge dues or fees to its partners. (As I mentioned above, although we do not charge dues, we get great support from our partners and friends.) Systemically, however, across the entire ecosystem, funding falls short, and even where it is sufficient sustainability is an ever-present concern.
I wrote a year ago that there is a gap of about $2 trillion between what was spent comparatively on the Apollo Program and what is spent on cybersecurity. The moonshot analogy is of course not a perfect fit, and it’s also true that we could get a lot more bangs for the cybersecurity bucks already spent. What I would say is this – if there is some gap in corporate and government spending to secure themselves, and I think there is, what do you think is the situation for small businesses, local governments, nonprofits, NGOs, and individuals?
Here is what I said last year, and it remains true: “Closing this gap, even a little, will take extensive investment from both the public and private sectors. Governments and companies need to spend up to the level required by the cybersecurity risk they face to solve their own problems. And investment must be focused not only on making government and big companies more secure, but the entire Internet community more secure. It is possible to buy very good security, but the majority of companies and people are below the cybersecurity poverty line and can’t afford effective cybersecurity. While moving these companies and people to cloud services will help significantly, it won’t solve the problem. That will take a different type of investment, one in entities that make solutions available to anyone – nonprofits and NGOs.”
I hope you enjoyed RSA. Thanks for listening, and have a great year.
By Adnan Baykal
I committed the grand sin in cybersecurity and attended the RSAC once again. Walking the tech floor, full of promises of stopping every attack imaginable, not a single entity was discussing the basics. Basics that are so essential that everything else becomes meaningless without them. Basics that are so essential that everything else is secondary to them. Having strong passwords, patching your systems, two-factor authentication, backing up your data, and email security are some of the most basic things that everyone has to do. And they are really easy to do now with GCA’s Cybersecurity Toolkit for Small Business. No complicated AI algorithms needed, and you don’t have to be a cybersecurity expert to use them. Best of all – you don’t even have to pay for them!
Responsible cybersecurity companies must speak the truth and provide value to their customers and to everyone who is on the Internet, not only to those who have huge security budgets. Stories I have heard today on the RSAC floor made me realize that we, as a security industry, have made “easy” cyber hygiene practices very difficult. It is time to change the elitist approach and start telling things the way they are. Make cybersecurity accessible and easy for laymen so we can all be more secure.
The author, Adnan Baykal, is the Global Technical Advisor at the Global Cyber Alliance. You can follow him on Twitter @adnan_baykal81.
By Alejandro Fernández-Cernuda Díaz
One of the first things that I learned when I started working in security, quite a few years ago, was that criminals were always smarter; they were always several steps ahead of us. Over time, I even ended up sharing some of my peers’ admiration for their creativity, their capacity to always find ways to take the lead.
Cyber security, in that sense, does not differ much from traditional security. Just to mention some of their latest achievements, e-criminals were the first to monetise cryptocurrencies and blockchain, and the first to discover the benefits of distributed resource and data sharing. They also mastered advanced technical knowledge such as signal eavesdropping or cryptography and are skilled professionals in non-IT fields such as finance, criminal law, and international relations. And, of course, their capacities in social engineering are simply unmatched.
During my baptism by fire at GCA, that is, during my first days at the RSA Conference, I have been able to confirm these thoughts. Creativity, adaptability, and a multidisciplinary approach are the key trends in the ever-competitive market of cyber security. Any company, organisation, or professional trying to make a difference in the fight against e-crime has to display their strength in all three skills.
GCA, that unique animal in the ecosystem of nonprofits (as Phil Reitinger, our president and CEO, likes to say), has those skills and is indeed making a difference.
As shown by the implementation of DMARC, by the deployment of Quad9, or more recently by the launch of the Cybersecurity Toolkit for Small Business, GCA has proven to be creative enough to actually re-invent the wheel, to bring actual innovation to well-trodden areas of cyber security such as e-mail authentication, DNS security, or basic protection for SMEs. This is quite an unusual achievement for a nonprofit.
Also, GCA has proven to have a unique nose for finding new opportunities and adapting its light, versatile structure to new climates and realities, such as the complex and hyper-regulated EU market, or the restricted playground of LEAs, where it acts as a respected and trusted partner.
And finally, the multidisciplinary nature of GCA’s team, a truly vivid collection of unique animals ranging from IT experts and former law enforcement heroes, to communication professionals and policy gurus, increases the group’s sensitivity and responsiveness, with a large display of antennae and sensors in multiple, disconnected forums.
I, a humble cyber linguist with an Espanish accent, have recently had the opportunity and the honour to join this group. I just hope I will be strange enough to help GCA keep making a difference. Thank you for counting on me.
The author, Alejandro Fernández-Cernuda Díaz, is the Director of Communications and Marketing at the Global Cyber Alliance. You can follow Alejandro on Twitter @CyberDiplo or connect with him on LinkedIn.
By Phil Reitinger
Recently I posed this question on Twitter: “If talking to a vendor at the @RSAConference and the conversation lags just ask ‘Please tell me about your deep learning implementation of blockchain to address supply-chain challenges with cloud infrastructure.’” The jargon can be overwhelming. Then Dr. Allan Friedman of NTIA posted a picture of his RSA badge with a pin that says “No Purchase Authority” to reduce vendor harassment. As of now I have over 40 meetings, events, interviews, and receptions planned for RSA, and that will only go up. On Friday, I’ll be exhausted and past-ready to head home. I’m not 20, 30, 40 or even 50 anymore.
So why do we come? I wrote about that two years ago: “it’s the people. The sessions can be very interesting, the keynotes provocative, and the exhibit floor educational. But that isn’t why I come every year. I come because it is the best chance and place to connect with the infosec and privacy community. I’ve by far lost count of the number of people I’ve talked to this trip, and I bet the same is true for you. And while the planned meetings can be great, or not, often the chance encounters offer the greatest ROI.”
Let me expand on this a bit. For all the technological folderol of conferences, the growing consensus is that cybersecurity is about business and business risk, not technology and technology risk. And in the triad of measures to reduce risk – people, process and technology – people is still underappreciated. Cybersecurity is a business problem and a people problem. RSA provides an opportunity to talk about the business of cybersecurity with a larger collection of the people who can help more than anywhere else.
I most emphatically do NOT mean that we will solve our cybersecurity business problems by throwing people at them. As I like to say, people do not scale. We will not train our way out of the ongoing crisis – we must use process and technology – because properly designed and implemented, these solutions can scale. But throwing technology and process at problems, without a shared understanding among participants or a strategy informed by others, is no more effective than throwing people at that same problem. To be most effective, we need a community developing solutions and a community working together to implement them.
This is where events like the RSA Conference, and especially the RSA Conference itself, come into play. There is a network effect among people far more powerful than that among devices. Based on the amazing people I will talk to over the next week, I fully expect to fly home on Friday with at least a couple of new, big ideas to try, and partnerships to form that can make a real difference. That’s why I’m here.
Oh, the talks and the parties are pretty good too.
By Phil Reitinger
I like to say that cybersecurity is a people business. That’s sometimes a hard argument to make, because as much as any other industry we are packed with introverts (like me). But it is true nevertheless, and we will only make significant progress by building community and taking on problems through community.
So that’s why the Global Cyber Alliance is celebrating the RSA Conference not by hosting a big party (which we can’t afford), or launching a new tool (which we did a couple of weeks ago with the GCA Cybersecurity Toolkit for Small Business), but by building its global community with two new members of the team located in Europe.
Klara Tothova Jordan is joining GCA as its EU Director. Klara is joining GCA from the esteemed Atlantic Council, where she was the Director of the Cyber Statecraft Initiative. She had prior roles with FireEye, NATO, and Orlie Yaniv Strategies, and is a recovering lawyer (like a bunch of us). Klara will lead GCA’s work in the European Union with EU institutions and our partners there. Klara will be located in Germany and often work out of Brussels.
Alejandro Fernández-Cernuda Díaz is joining GCA as Director of Communications & Marketing. Alejandro is joining GCA from CaixaBank, where he was the Team Coordinator of the Corporate Intelligence Unit, and the Anti-Phishing Working Group EU, where he helped build out the APWG footprint in Europe. Among other things, Alejandro speaks about as many languages as I have fingers. He will be in Barcelona but expects to move to Brussels this summer.
Chances are most of you know Klara, Alejandro, or both. They are part of our commitment in the Global Cyber Alliance to be global and to have people and capabilities around the world who understand the environment, build relationships and get things done – the motto of GCA being “Do Something. Measure It.”
Please feel free to contact us to join with GCA and its partners to make a real, global difference on cybersecurity and privacy.
By Aimée Larsen Kirkpatrick
RSA. The anticipation. I look forward to this conference every year. RSA was my entry into cybersecurity. It’s where I cut my teeth and where I first made friends in the industry. This will be my 12th year at RSA and my 12th year in cybersecurity.
I had just started a new job with a cybersecurity nonprofit based in Washington, DC. My task was to run a national awareness campaign. Simple. Easy. I had just come off of running several very successful social change campaigns; I had this. What I had was…not a clue. I thought cybersecurity would be easy – I knew about passwords (or thought I did) and a thing or two about firewalls, and even a little about access management. But, really, I knew so little.
After two weeks at my new place of employment I made the trip from DC to San Francisco. I was tasked with attending several meetings and running a number of others. It was like being fed with a fire hose. But I took the opportunity before me and made a lot of connections – many of whom I count as friends to this day. They were the people who answered my questions, whom I sought out for advice.
The experience twelve years ago was almost overwhelming. I saw the good side of the industry and the ugly side of the industry. Upon reflection, there has been a lot of change. The conference has grown considerably – almost tripled in attendance, more vendors, more people taking over San Francisco. The conversation has shifted. I recall the conversation twelve years ago being about botnets, passwords, information sharing, and public-private partnership (I’m sure there was more, but these are the things I remember). This year I expect to be hearing more about blockchain and cryptocurrency, AI, machine learning, cloud security, and the ever-present, ever-changing threat landscape.
Twelve years ago some of the behavior I saw and experienced was cringe-inducing. The booth babes and the harassment were off-putting at best. At worst…well, it was pretty bad. The lack of diversity – diversity of all types – but particularly the lack of women, was concerning. Over the past few years I’m pleased that the industry and the conferences have taken steps to address these issues. Companies, and the conferences, have raised the bar on what is acceptable behavior and decreased the tolerance for the questionable. There is a movement to increase diversity in cybersecurity. Organizations like the ICMCP, ISACA and IEEE are beginning to make their mark. Certainly there is much to be done and a long way to go, but the first steps have been taken.
I’m looking forward to this year’s conference. It’s a chance to have a finger on the pulse of the industry and stay abreast of emerging technology. But most importantly, for me, it’s a chance to strengthen existing relationships. To reconnect with friends and colleagues, perhaps find new ways to collaborate. And it’s a chance to forge new relationships. Perhaps it’s to meet with someone I’ve been communicating with via email, read about in an article, or met through good old fashioned networking. It’s about finding common ground and places where we can make a difference together. For me, the heart of RSA is all about connection.
If you want to connect at RSA, drop me a line. I’d love to see you.
Arriving just in time for the New Year, GCA’s December 2018 Newsletter is now available!