It’s not just me.
After listening to former assistant director of the Canadian Security Intelligence Service (CSIS) turned security consultant Ray Boisvert tell the annual SecTor security conference in Toronto on Tuesday about the never-ending cyber threats against the private sector and governments — skilled hackers, criminals, nation states, insider threats, terrorists, the Dark Web, plus coming water shortages, the rise of the right wing, anti-Semitism and that “Western hegemony is under threat” — the future looked, well, pretty grim.
And then he admitted that “my wife accuses me of being in the fear industry.”
Not so, he assured the audience. There are mitigation strategies for cyber threats.
There’d better be, or his present job as CEO of I-Sec Integrated Strategies, which advises organizations on identifying and measuring risks, will be in danger.
I suppose that being only two years out from his post at CSIS, where he led counter-terrorism, makes you still look on the dark side of things. Like a cop on a beat, intelligence people look for threats to the country everywhere, and have no trouble finding them. Especially these days. After all, someone hacked the systems of the Treasury Board, Revenue Canada and the National Research Council.
In person, Boisvert is a mixture of friendly and intense, flicking through his BlackBerry as we talked to catch up on the latest email before going on stage for his keynote.
We started with me asking if Canadian business takes cyber threats seriously enough.
“I think they now are,” he replied. “I think a year ago would have been a different story. I think the high-profile events [like the Target data loss] have helped tremendously, but there are still a couple of challenges: I think the C-suite, the CEO and the board of directors are now paying attention, but they have a number of risks to manage (as well).
“Cyber is part of that, which is a good thing. But then they’re challenged on the technology piece a little bit, I suspect because all of this is new they’re hearing a lot of rhetoric, a lot of fear-mongering. So they turn to the only subject matter expert, the CIO. But he or she is very busy keeping the pipes flowing, doing the patching, meeting the constant demands for new technology … sometimes they can’t see the forest for the trees.”
And while a news report this week said enterprise spending on security is increasing, Boisvert isn’t sure it’s all going to the right places. “It’s easy for the non-tech people to tell the CIO to buy an appliance to make the network safe,” he said. But “proactive cyber defence is a combination of a lot of things. It’s about layers, keep on building and refurbishing, and it’s about going on the dark Web and finding out what others are saying about you.”
Searching the dark Web — accessed through the Tor network — will also help enterprises discover if corporate secrets have been stolen and are on sale.
CIOs have to do what the intelligence agencies do, he said: go out and engage the threat wherever it may emerge.
And while he admits that technology is part of the solution to fight cyber threats, “it’s mostly about people — the threat actors or the persons in your organization who are witting or unwitting threats.”
“Stop trying to keep the bad guys on the outside at the perimeter,” he advises. “You’re just going to have to accept that a lot of them will get by all those defences.” Instead, organizations should use behavioral analytics on the internal network to detect suspicious activity.