This week we switch gears from our past few episodes and talk to a professional deep in the trenches of security, Michael Thompson, CEO of Enact Security. In between the laughs and jokes – parts of this podcast could double as a comedy routine – Thompson shares his perspective on security and the effects of the pandemic. And if we could put a subtitle on this episode, which I guess we can since it’s our podcast, this one would be “Sum of the Rambles.” But you must listen to the whole episode to find out what that’s all about.
And if you have only a few minutes right now, here are the highlights. But you must promise to listen to the whole episode later – you will laugh and learn – in the same 30 seconds.
Word for 2020 from a security perspective
After finishing his military service, Thompson found himself providing customer support for hardware and software and doing so for $6.38 an hour. He quickly learned that he enjoyed solving other people’s problems, and he worked his way up the ladder to technologist and systems admin. And he became even more fascinated with his job – and did lots of reading on the side. He found himself knee-deep in the “worm,” Code Red and I Love You issues of the early 2000s. It was during those hectic days that he realized the term for his passion – security – and became a security analyst, where he’s been happy to go to work and solve problems ever since. But the past six months have been unlike anything he’s seen before, and he responded, “Abominable,” when Gabe asked him to use a single word to describe 2020 from a security perspective, due to most companies’ working 100 percent remotely.
“I am really happy to see all the privacy legislation, but I don’t think it’s enough. And I think we are really late to the game. Why weren’t we doing all of this 10 years ago? After being a security practitioner for 10 years, I find it’s still like pulling teeth to get any movement on data protection.”
– Michael Thompson, CEO of Enact Security
Ransomware is (still) a big deal
While focusing on security for the past seven years, Thompson sees most of the issues coming down to where people have data and what they do with the data. While ransomware was in the headlines years ago, Thompson says it’s still a major issue companies must plan for. Often customers come to him with what he calls the new boogeyman – a ransomware attack, which ties back to the implications of managing and protecting your data. He tells those who haven’t been a victim yet that it’s a matter of when – not if.
Many companies have stories that are similar to that of his recent client that had locked down data and set up backups with a third party. However, the backups weren’t valid and no one had checked the data integrity. Even more concerning, the client did not have a process for validating its business continuity plan for disaster recovery. When the company was attacked by ransomware, the employees were not able to quickly move to backups, because the backups didn’t exist. Thompson said the ransomware attack halted the client’s manufacturing, which meant huge losses.
“I don’t see that we are going to have a federal data security and privacy law that mandates how data is treated. I think states will continue to lead us here. I also think individual countries will continue to lead. The U.S., at a federal level, will continue to fall behind in terms of privacy and compliance legislation.”
– Michael Thompson, CEO of Enact Security
A ransomware attack in the cloud?
When Gabe posed the $8 million question about when a cloud breach will happen, Thompson replied that we already have issues with unsecured S3 buckets, which are technically breaches in the cloud, but he expects a large-scale breach in the cloud from a major company in the near future. However, he thinks that when it does happen, people will finally pay attention to the warnings about cloud security from professionals who have, in Thompson’s colorful words, “been screaming from the mountains, standing on their soapbox and wearing a sandwich board with nothing underneath.” Yes, those were his exact words.
Innovation vs. security
“In terms of the ever-growing challenges of security and privacy, we tend to be victims of our own innovation. IT drives businesses, and as security and privacy professionals, we have the job of enabling each business to move forward as best as it can, as fast as it can and in as innovative a manner as it can, while protecting the assets, the resources and the people who matter most in that organization.”
– Gabe Gumbs