The New York Times may not seem like an obvious target for attackers, but reporting the news requires journalists to conduct interviews, take notes and collect information, material that appeals to people beyond the Times’ readers.
“About 10 percent of what reporters collect when they’re working on an assignment makes it into the story. The other 90 percent is just background. Third-parties, especially nation states, want that data,” said Mike Higgins, who served as The Times’ CSO.
As the CISO of NBC Universal, Higgins helped the media conglomerate better protect its digital assets, which include blockbuster movies and popular television shows, as well as the credit card information of people who made purchases at Universal Studios theme parks and resorts. “You have film products that are worth $2 billion in worldwide global revenue, really, really big assets that you've got to protect until you can monetize them. Television shows, news services, parks -- there's real money in these operations and media entertainment finally figured out they needed to protect those assets,” he said.
Higgins’ first security job was safeguarding U.S. nuclear missile technology from the Soviet Union. He learned that adversaries were more interested in the software that controlled computers than the hardware that the code ran on and switched his focus to protecting Department of Defense computers from some of the first known malware and hacking, “a new term that was coming up at the time.”
In this interview, which has been edited for clarity, Higgins touches on a range of topics, including how security leaders can better connect with their boards, why employees are an organization’s first line of defense against threats and why more students aren’t pursuing security careers.
You were the CSO at The New York Times and the CISO at NBC Universal during a time of major change in the media industry. How did you balance that change with security?
Security has to be tied to the business. The CISO was once seen as an extension of the CIO. Now the CISO is becoming more independent, and is seen as a risk position in the company. How do you do your job in a way that lines up to the business' risk tolerance? If you're out buying companies, expanding operations into new markets, you probably have a fairly high risk tolerance. If you're old and staid, you probably have a very low risk tolerance. You build the security programs based on the organization’s risk tolerance.
I'm not the guy who makes the security decisions; the business does. My job is to educate them that if they do X, then the residual risk will be 10 percent. If they do Y, residual risk will be 50 percent. Which path do you want to take and how do you want to take it?
The only piece of that -- and I find it less and less now -- is you still need a floor. Compliance is still out there. Even for media entertainment companies, there are many compliance requirements, from processing credit cards at newspapers all the way to third-party contractual requirements that make you ISO 27001 or NIST compliant. It depends what the business is doing and what they sign up for.
Then you build the security program around that, understanding that you can never get less than this level of security because of contractual or compliance requirements, but you can always increase it. Then when you have the final bit of risk, you insure that piece of risk that you're leaving out there. In case you have an incident, you want an insurance company to cover you for the cost of the incident and for the cost of the notifications that may be required.
Could you talk more about what unique or surprising security challenges that media companies like NBC Universal and The New York Times face?
About 70 percent of the Times’ revenue is generated from credit cards, making them a level 1 PCI merchant. They're processing millions of credit cards a year to keep the business afloat.
With NBC Universal, you think oh, television, I don't pay for that. That just shows up. But there’s Universal Parks in Florida where millions of credit cards are processed every year. There are many businesses within NBC that process credit cards. There’s Golf Now for securing golf reservations at golf clubs and Fandango for buying movie tickets.
The most surprising piece of NBC Universal and the Times is the threats. If you look at an NBC or a New York Times, they were unique because they not only had the typical cybercriminal activity targeting them or the hacktivists of the world trying to hack into them, but we had nation states. Those threats are probably different from the ones other industries face, except for the defense industry.
About 10 percent of what reporters collect when they’re working on an assignment makes it into the story. The other 90 percent is just background, what we in the intelligence world called basic intelligence. Third-parties, especially nation states, want that data. It doesn't have to be second- and third-hand of people validating the data that may go into the story. This is just one person's opinion on something. That person's opinion is absolute gold to an intelligence agency of one of the foreign powers that are facing the U.S. People would get into the system and not do any harm but look for email histories, contact lists, notes, Word documents, things that you think are benign but are highly valuable to a third-party nation state.
So defending against that nation-state activity was isolated to news. Defending against cybercriminals was isolated to the businesses, which had a lot of credit cards and personally identifiable information. The TV operations were defended against hacktivists, people trying to get their message out because our platforms were viewed by millions of people every day. To deface our platforms or do something to them to get your message out would be highly beneficial to third parties like the Syrian Electronic Army or Anonymous.
How did you become interested in information security? Your undergraduate degree is in criminal justice, and you have a master's in systems management operations research.
When I got out of the Army -- I was a CH-47 helicopter pilot -- I joined the Defense Intelligence Agency as a technology transfer analyst. The technology transfer analyst’s job was to make sure that the Soviet Union and other proscribed countries didn't get the U.S.' control technology in order to facilitate advancement of their nuclear and missile programs.
One day a former Army Ranger said to me, “It's not hardware anymore. It's now the processes and the software that's doing it.” We were concentrating our technology transfer focus on the hardware. But they want to know about the computer. They want to see the code that runs it. They want to see the code behind the AT&T switches in telecommunication systems. It was going to be all about the software and a new term that was coming up: hacking.
He introduced me to that world. Then major events happened: the Morris worm, the Chaos Computer Club that attacked the Department of Defense. We stood up the DoD CERT to stop all kinds of threats, including malware. Back in the day most of it was just ridiculously non-malicious, but there was some malicious malware coming down the pike as well.
Back in the day the major things that were protected in the Department of Defense were the classified systems. Unclassified systems were seen as add-ons and secondary. We showed that tampering with these unclassified systems could impact the military operations. For example, if you tampered with the healthcare system and changed the blood type of individuals in the battle area, you could cause an unbelievable amount of death and destruction. If you tampered with the transportation system and sent tanks that were being deployed to the Middle East to a different port where there were no ships available, you could really disrupt operations for days and weeks. With disruption to finance, you could take people’s pay away.
I did that for a number of years, and then it became evident to me that the DoD wasn't going to be invited to the next war. It was evident that the criminals, the hacktivists, the nation states, were all starting to divert their attention to the critical infrastructure systems.
I played a part in getting the presidential directive that created the protection around critical infrastructure systems. We recognized that if someone attacks Citigroup, we were completely unprepared. How are we going to protect Citigroup? DoD didn't have any assets that could help Citigroup defend itself against a massive intrusion. Nobody could help our electrical power grid. Nobody could help the transportation system. We had to step up and allow these companies to help themselves by sharing information and sharing threat information and then set up the overall infrastructure to be able to support these companies when bad things started happening to them.
Information security is now discussed at board meetings. What led to organizations understanding the importance of information security?
Financial services was the first to understand information security threats. Bank of America, Citigroup and Wells Fargo understood there was a profit motive and that someone was looking to make money. All these teenagers had to grow up and move out of their mother's basement and get a job. A lot of them became hackers and did it professionally.
I think the breaches and the activity that went around Y2K pushed it into the normalized business mindset. People started thinking of their IT systems as valuable. Nobody spent millions to fix the Y2K bugs because they're worried about making sure their IT systems know it’s 2000 and not 1900. They did it because it was going to impact their business operations and they realized the criticality of their IT systems. It's just a short hop from Y2K to “Oh, my goodness, my telecommunications, my automation systems actually do impact my business when they're not up and running.”
That was the big leap forward that we made within the industry to realize that technology did have significant business impacts. That's when CIOs really took a seat at the table and made the executives understand it's no longer just email and Salesforce and all of these other automated systems that aid us in running our business. They are our business. What business today can run without email? What business today can run without the sales management system? What business today can run without automation of their products? They're all technology companies today. They just happen to make movies or handle people's money.
Media was late to the game. Nobody wanted to spend money needlessly. But now you have film products that are worth $2 billion in worldwide global revenue, really big assets that you've got to protect until you can monetize them. Television shows, news services, parks -- there's real money in these operations and media entertainment finally figured out they needed to protect those assets. I was lucky to get to NBC just as they got a new boss from Comcast. He understood the risks and that we needed to embed security in operations.
For CISOs who are at companies where leadership isn’t totally onboard with the importance of security, what advice can you offer them on showing why security matters?
When you’re talking to executives, drop the security language. If you ever tell an executive that you just implemented a new IDS system, you shouldn’t be the CISO. Talk about how you reduce risk. You need to do it in a business language. Successful CISOs talk security, obviously, to their staff, but they’re talking business risk reduction to the business. They’re not talking about antivirus or next-gen antimalware protection. They’re not talking any of the tool-based information. They’re talking about business risk reduction. They’re talking about all of the preventive mechanisms, whether it’s people based, process based or technology based. They’re talking about those preventions that the business can understand and can then internalize. Once you have those discussions you make the transformation from being just another technical wonk in the CIO shop to being a business partner that they can rely on to make those critical risk decisions, quantify it and be able to justify it.
And the business will then encourage and back your budget cycles. Every time I put a budget forward, I had endorsements from the various businesses for what I was doing. They saw the business value in reducing the risk, for doing segmentation across the network, for isolating portions of the network.
You’re a guest lecturer and visiting professor at Northeastern University and the University of Virginia. What do you want future information security leaders to know about the industry?
Security people are translators. They take very technically complex concepts and translate them so the business understands them. You have to be of value to the business. If not, you’re a cost center and you never want to be a cost center because then you face reductions year after year in your overall operations.
Bringing the best value to the business means taking the threats and risks they face and translating them into meaningful business language so the business understands what you’re talking about. You’ll be successful if you talk to the general counsel, business development, the marketing team and the sales team about risk.
I wish I could tell them that this is the threat today and all you’ve got to do is meet this threat, and you’re good to go. We build mechanisms to slow the threat, and the bad guys jump to the next threat. Then we build mechanisms to identify and slow that threat, and they go to the next threat. We’re constantly chasing them. The attackers are highly motivated to make money or push their social agenda. We’re always trailing them. Hopefully, if you stay abreast of what threats they’re using, you’ll be better prepared to defend your company.
Does knowing that despite your best efforts you may never catch the adversary become demoralizing to security professionals?
No. We’re reducing the threat marketplace. If I came in today and just set up a network and started doing business operations, I may have 50 people across the globe that are trying to break in. Then I put in certain security protocols like firewalls, IDS systems and advanced next-generation antimalware devices. I put in certain policies and train people on how to use them. Those 50 people now become 10. Then I use good analysts and the 10 becomes one or two. It’s a constant reduction of the group of people who are capable of attacking you and have technology that can overcome your technology.
It’s a constant battle and people are always looking for new ways in. Who would’ve thought four years ago that ransomware would’ve been a thing? Even though it’s decreasing, it’s negatively impacting businesses across the world. Who would’ve thought that the APT threat would move from nation-states to cybercriminals? You can’t say that you’ve won the war, but you can say that with each individual battle, it becomes harder for the attacker to break into your network and defeat your security defenses.
Your goals should be detection as quickly as possible and then remediation as soon as possible. Prevention nowadays is compliance driven so you’ve got to do it, but all prevention should be based on detection. If you can’t stop it, when can you see it? How soon can you see it, and how quickly can you react to it?
What kind of employee education and security training did you implement at the Times and NBC Universal?
People used to say that your employees are your last line of defense. I think they’re the first line of defense. Employees see things that you just never see. Now, in the media entertainment business, the joke is we pay people to open up emails that nobody in their right mind would open up. If someone sent an email attachment and said this is Dick Cheney with his 21-year-old girlfriend, everybody and their brother would click on it. In fact, it’d be a race to click on it, but it would be very effective in the news department.
There are always people that will be the odd people out, but you shouldn’t give up because you’ve got this small group of 10 percent of users in your company who will click on things they should never click on. Address the other 90 percent. Ninety percent of the people, they’re not flying with American Airlines next week, so why are they clicking on an attachment that says they are? There are things that they should not be doing, especially from a Gmail account. There are things that they’re doing that basic training and awareness would help with. Security isn’t just a security department problem. It’s everybody’s problem. Everybody needs to be educated as much as possible.
If you do simple things like putting in a program for people to report spam, you’ll see more reports in your antispam mailbox that say is this spam. As you continue to increase those numbers, you’re telling more people across the company this is a good thing. This is what you should be doing. You shouldn’t just click on things. It may not be spam, but they’re reporting it. Those are the types of good measurements you have for successful employee training programs.
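The measurement Higgins describes above (how many people report suspicious mail, and how that number moves over time) is the kind of thing a training program tracks per campaign. The following is an added example, not code from the interview or from either company: it assumes two constructed data sources, a list of simulated-phishing deliveries (with whether and when each recipient clicked) and the log of messages users forwarded to the report mailbox, and computes the report rate, the click rate and the median time from delivery to first report. The time-to-report figure is the one that matters for the detection goal he mentions elsewhere: the first report is the moment the security team can see an attack it failed to block.

```python
"""Metrics for an employee phishing-report program.

Added example (not from the interview). It assumes constructed data:
simulated-phishing deliveries and the report-mailbox log for each campaign.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data: one simulated campaign per quarter.
# Delivery record: (campaign, recipient, sent_at, clicked_at or None).
DELIVERIES = [
    ("2019-Q1", "alice", "2019-02-04T09:00", "2019-02-04T09:07"),
    ("2019-Q1", "bob",   "2019-02-04T09:00", None),
    ("2019-Q1", "carol", "2019-02-04T09:00", "2019-02-04T10:30"),
    ("2019-Q1", "dave",  "2019-02-04T09:00", None),
    ("2019-Q2", "alice", "2019-05-06T09:00", None),
    ("2019-Q2", "bob",   "2019-05-06T09:00", None),
    ("2019-Q2", "carol", "2019-05-06T09:00", "2019-05-06T09:02"),
    ("2019-Q2", "dave",  "2019-05-06T09:00", None),
]

# Constructed report-mailbox log: (campaign, reporter, reported_at).
REPORTS = [
    ("2019-Q1", "bob",   "2019-02-04T11:45"),
    ("2019-Q2", "alice", "2019-05-06T09:05"),
    ("2019-Q2", "bob",   "2019-05-06T09:11"),
    ("2019-Q2", "bob",   "2019-05-06T09:12"),   # duplicate report, ignored
    ("2019-Q2", "dave",  "2019-05-06T13:20"),
]


def _ts(text):
    """Parse the constructed ISO-style timestamps used above."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def campaign_metrics(deliveries, reports):
    """Return per-campaign counts, click rate, report rate and median
    minutes from delivery to first report (None if nobody reported)."""
    sent = {}  # (campaign, user) -> delivery time
    acc = defaultdict(lambda: {"delivered": 0, "clicked": 0,
                               "reported": 0, "lags": []})
    for campaign, user, sent_at, clicked_at in deliveries:
        sent[(campaign, user)] = _ts(sent_at)
        acc[campaign]["delivered"] += 1
        if clicked_at:
            acc[campaign]["clicked"] += 1

    seen = set()
    for campaign, user, reported_at in reports:
        key = (campaign, user)
        # Count only the first report per recipient, and only for
        # messages we actually delivered in that campaign.
        if key not in sent or key in seen:
            continue
        seen.add(key)
        acc[campaign]["reported"] += 1
        lag = (_ts(reported_at) - sent[key]).total_seconds() / 60
        acc[campaign]["lags"].append(lag)

    out = {}
    for campaign, c in acc.items():
        out[campaign] = {
            "delivered": c["delivered"],
            "clicked": c["clicked"],
            "reported": c["reported"],
            "click_rate": c["clicked"] / c["delivered"],
            "report_rate": c["reported"] / c["delivered"],
            "median_minutes_to_report": median(c["lags"]) if c["lags"] else None,
        }
    return out


def improving(metrics):
    """True if, from the earliest to the latest campaign, the report rate
    rose and the click rate fell: the trend a training program wants."""
    ordered = [metrics[k] for k in sorted(metrics)]
    first, last = ordered[0], ordered[-1]
    return (last["report_rate"] > first["report_rate"]
            and last["click_rate"] < first["click_rate"])


if __name__ == "__main__":
    m = campaign_metrics(DELIVERIES, REPORTS)
    for name in sorted(m):
        print(name, m[name])
    print("improving:", improving(m))
```

Report rate alone can mislead: if users both click and report, the training has only half worked, so click rate and time-to-report are kept beside it. In the constructed data the second campaign shows the pattern the interview calls a good measurement: more reports, fewer clicks, and the first report arriving within minutes rather than hours.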
What area of security deserves more attention?
Mobile represents the next big frontier that people just aren’t quite facing fully. We’ve gone from data center, to endpoint protection, to laptop protection and now we’re in mobile. A lot of companies are using software to containerize and protect the information they put in mobile devices. I saw one statistic that said less than 1 percent of companies in the U.S. use that type of software. The other 99 percent are just letting you forward your email to maybe your business device, maybe your personal device. They’re just letting that information sit out there, and they have no idea where it’s going, who’s using it and what they’re using it for.
How many applications do you have on your laptop? You probably have more on your phone and more untrusted applications. I don’t have an application on my laptop that tells me where the local Dunkin’ Donuts is, but I’ve got one on my phone. Why does that need to be geolocating me 24 hours a day instead of only when I turn it on or not at all? We don’t have those types of permissions on our laptop apps like we do with our phone apps. People are treating their phones like laptops. They’re just downloading things and ignoring them.
This represents a huge risk for companies. Many applications are collecting data from your devices that you have no idea about. How many people review all the permissions of an application when you download it? How many people periodically go through the permissions of an application on your iPhone to make sure that they’re appropriate to what the application does? There are applications that are collecting your location that have nothing to do with geolocation, yet they’re allowed to do it.
Mobile is going to be the avenue into corporate data, which is now on devices instead of behind the perimeter. Why would I spend the time trying to break into a big bank or a big media company when I just have to access someone’s phone? It’s just like laptops were not well understood when they came in the market. We’re going to be taking mobile security more seriously in the next few years.
During your time in information security, what has surprised you most about how the industry has changed?
The thing that surprises me the most is the lack of resources into the security industry. By now I would’ve expected that every grammar school, middle school and high school teacher would tell their students to get into security. It’s a growing business, it’s interesting and there’s just so much to do within the industry. There are many aspects of it, from secure coding to the SOC operations to the policy people.
The last statistic I saw around security jobs said something like there are a million vacancies worldwide. I’m still amazed that there isn’t a surplus of a million people worldwide. What amazes me is that more people aren’t getting into this. Given the propensity to really make an impact on a company’s operations, on the bottom line, even top line operations, I would think there would be hundreds of kids going into security. But it just isn’t taking off that way.
I think people put security in that too-hard-to-think-about box. But it really isn’t. A lot of this stuff is just repetitive OCD type of work. The analogy I used at my DoD job was I’m responsible for keeping every door and window in the Pentagon -- and there are thousands of them -- locked at all times of the day and night. I didn’t control people opening and closing them. If someone climbed up the wall of the Pentagon and climbed into one of those open windows, went into the office and opened up a file cabinet, took a picture of a document, put the paper back in and crawled back out the window, there were eight federal agencies that would be responsible for investigating that.
But because someone did it with a computer, we couldn’t find any federal agency that was interested in researching it because they didn’t understand the crime and the new age we were entering. I preach to school systems to push students into this industry. There’s just so much opportunity. You never know where the next great idea is going to come from. Get the people in the industry and, hopefully, someone will eventually create that silver bullet for us all.
What do you want to say to students who wonder if they can grasp security?
Maybe it’s the way I think about the world, but security is just logic and patterns. There’s a lot of repetitiveness and it’s understanding anomalous activity. If you’re going to be in the operations shop, you have to be more technical. If you’re going to be in the training and awareness shop, you don’t need to be that technical. You need to just be able to translate things for people to understand. You can be in the policy shop. It’s the comprehensiveness of the policies to know that you need policies to cover XYZ type things with the various compliance requirements.
There are so many different aspects. How do you write secure code? We don’t really teach that in the world. We have a bunch of books for postgraduate level type of activity. You get a lot of on-the-job training. Where do they teach secure coding, and not just have people copy this piece into this program and you can do identity management? It’s how do you know that that’s a secure way to do identity management given that there’s a new risk out there today, or a new risk coming tomorrow, or a zero day that’s about to be announced? How do you make those adjustments? There are a lot of exciting things that you can do in the field, and you don’t have to be a technical expert. Trust me, you’ll become one. All you have to do is apply yourself a little bit, and you too can be one of the industry experts.