Cyber risk with WhiteHawk founder Terry Roberts

In this interview, Terry Roberts discusses why directors can't afford to do nothing in the face of cyber risk and how organisations can protect their data by investing in their employees.

1. In an earlier interview, you said “Right now the bad guys are winning and the greatest threat to business is to do nothing.” Why can board directors not afford to “do nothing”?

If you think about it, it’s simply virtual crime and fraud, it’s not different to physical crime and fraud. We would never “do nothing” vis a vis physical crime and fraud. You’re going to lock your offices, you’re going to make sure people off the street don’t have access to your customer or client files, you’re going to make sure your financial transactions are protected. But because this is a relatively new dynamic in the last 3-5 years that has been hitting all businesses in all sectors, we’re frozen. And so we’re getting robbed continuously.

To do nothing is to put the revenue and reputation of your company or organisation at risk.

2. What role do board directors play in ensuring the organisations they steward are cyber-resilient?

As board directors would discuss business objectives or organisational targets, and systemic risks to reaching those objectives, I never start with security. It’s all about ‘what are you trying to achieve,’ and then ‘what are the risks’?

I ask board members to question, what the organisation’s or business’ dependencies are on their network, online data, and communication with their members or customers. It’s really about helping the organisation to think through the business model and then its dependencies on technology, networks, devices or online data.

3. While each organisation has their bespoke cyber challenges, what are universal cyber risks relevant to all operations?

70% of all cyber events in the US are as a result of employee actions, and I imagine it’s very similar in Australia. The number one way to reduce those risks is awareness training for your employees. Most of the time employees take action inadvertently, or its negligence or its ignorance. So it’s our job to make sure that, in the same way we give them annual ethics training, you’re giving them annual “digital literacy” training. It all boils down to cyber risk awareness.

The threat is the bad guys and the way to prevent the criminal from getting inside your organisation is by ensuring your employees are trained. I think there’s one other universal recommendation that I have: leverage a cyber security rating company to provide an outside-in rating of your organisation. All they need is the URL for your company and the IP address formulas, and they pull together open data sets and use their algorithms and analytics to give you a cyber security score card or a rating. They can tell you where you have weaknesses or issues. And, they don’t get money based on whether they rate you high or low, so you receive an honest base line comparison of where you are and that is a really important step.

4. In light of high profile cyber-attacks against government agencies in Australia, including on the Australian Bureau of Statistics and more recently Family Planning NSW, what can governments do to more proactively guard against cyber threats? What should governments be doing differently?

The number one issue that I have seen with the US government, especially on the civil service side, is old infrastructure. For instance, on the issue you raise of ABS and Family Planning, those kinds of civil organisations tend to have very old hardware and software. Having old IT infrastructure is like using a lock from the 1900s. It’s so out of date that it’s wide open for low level criminals to be able to come in.

Often what I recommend to government, and we actually had an initiative like this in the US last year, is to conduct a baseline of their software, hardware and business applications, and spend money on updating their infrastructure in a way that that ends up getting rid of huge vulnerabilities. This way, you spend your cyber security dollars on taking your enterprise to the next level as opposed to trying to patch something that is already riddled with vulnerabilities.

5. Which governments are modelling thorough cyber preparedness and how?

Somewhere like Singapore, though it is smaller and technologically advanced, has worked hard in ensuring that their IT infrastructure is up-to-date. But I think maybe the best place to start is just to conduct an IT infrastructure baseline. Know what you have, know where you are, and then prioritise what we call a “migration plan”. What can I replace this year? What can I replace next year?

I don’t believe in adding tens of millions of cyber security dollars on top of a weak foundation.

6. What were the events that leading up to your founding WhiteHawk?

In 2014, I was working for a large defence-industrial base company focused on the intelligence community. I was running the cyber work for them. I attended our large cyber security conference in San Francisco and to make a long story short it became apparent to me that the space was growing in complexity and that it was even difficult if you were a sophisticated government or industry entity.

It occurred to me then: What are mid-size or small businesses meant to do in the current growing environment of online climate fraud? I knew I didn’t want to start a consulting company because that doesn’t scale. I wanted to be able to put together an online platform that was openly accessible, and provided the enablement that small and mid-sized businesses who don’t have the technical expertise and won’t be able to hire that expertise.

I started fashioning a business model around that imperative. So I decided to align three basic things:

1. The ability to very quickly help companies to assess their key risks through an online AI questionnaire;
2. Match that to affordable and impactful action – meaning I don’t want to dictate what they have to buy, but rather tee up options and make sure they could be easily implemented; and
3. Ensure there is a human being at the end of the phone who has a level of expertise and could help walk them through the process.

The last thing I decided to offer on our platform was some open content that would discuss industry risks, trends, best practices and all in non-technical business language.

7. What is the WhiteHawk’s ‘CyberPath’ Decision Engine’?

When I first studied AI, believe it or not it was in the 1980s in my graduate program. What we were trying to do back then was basically help intelligence analysts be able to connect first phase analysis dots and being able to automate analytic connections.

So when I was at Carnegie Mellon many years later, seeing where and how AI had advanced as well as machine learning, my idea was: how do we make complex technical buying decisions easier, taking into account what needs to be tailored for them?

I wanted to find a way of helping them to connect their technical needs with a buying action. That’s what CyberPath is about. It’s about answering some very straightforward questions that anyone in the business could answer. The responses to the questionnaire uncover certain connections that then allow us to discover what their priorities are. For example, we ask about your business sector and if you’re a law firm, you are bound to share the same kinds of issue areas or vulnerabilities that other law firms have.

Just by telling us what your industry is and then giving us a sense of the size and scope of your industry and some specific answers about your company, we can really narrow things down very quickly, enabling us to put the basics in place for you immediately.

Think of it as a way to quickly triage yourself. Stop the bleeding by putting some important solutions in place and then working with you over time as a customer to get to the next level after that. But our immediate focus is to immediately reduce your risks to cyber-crime and fraud.

Sometimes, if you’re more complicated than you think, we might tee up a more advanced package, which is when we may act as a more traditional consulting company. Still, our goal is to get you cyber secure as quickly and painlessly as possible, so when an event happens you can operate through it.

Terry Roberts was previously the Executive Director of the Carnegie Mellon, Software Engineering Institute, leading the technical body of work for the entire US Interagency, with a special focus on leveraging and transitioning commercial innovation and acquisition excellence to government programs and capabilities, and establishing the Emerging Technologies Center and Cyber Intelligence Consortium.

Before transitioning to industry in 2009, Terry Roberts was the Deputy Director of Naval Intelligence (DDNI), where she led, together with the Director of Naval Intelligence, more than 20,000 intelligence and information-warfare military and civilian professionals and managed more than $5 billion in resources, technologies, and programs globally.