Geoff’s opinions and industry knowledge have been publicized worldwide in the Washington Post and other mainstream media. His 25 years of cyber security experience cover the military, the IC, DHS and other federal agencies, with 18 years across the commercial and federal sectors.
Your current cyber security advisory roles encompass a myriad of infrastructures, operations and initiatives in both the public and private sectors. Would you say your role as an advisor is mostly reactive or proactive in delivering information?
In both my advisory and operational roles across public and private sectors, my responsibilities are less reactive and more proactive. I do have the occasional larger corporate or federal agency issue, but by and large I work with organizations that want to be proactive and are concerned about risk.
I organize my work into basic cyber operations and advanced cyber operations. They both cover business and technical aspects of any organization. I create agendas and program plans as needed across seven sectors.
“If you want something you have never had, you have to do something you have never done”
When working in the public sector, what is your biggest challenge in getting organizations to adopt strategies?
Once I get past the “not invented here” issues, what usually comes up is “we don’t do it that way”, “we don’t have the money” or “we don’t have the resources”. I have heard this from the US, UK, German, Australian, Israeli, Singaporean, Japanese, Italian and Estonian governments (civilian, military and the intelligence community) – this has been over the last 12 years specifically. Eventually they seem to realize that “if you want something you have never had, you have to do something you have never done”.
Conversely, in the private sector, how difficult is it to have an organization take on board new security measures? What is your on-boarding/strategy for easy implementation?
The first step is to identify where the company is today in regards to business and technology risk, and tie any new changes to where they want to go and a road map to get there. It’s usually where I start first. Then I apply the cyber program to the business risk and Board issues.
For most scenarios there are already tools, systems and strategies to combat cyber security threats. That being said, how much time do you dedicate to developing new programs/tools for emerging threats?
Great question – it depends on the client I’m working with. Some need help with basic cyber ops. Others (more established organizations) want to get more proactive. At this point I’d say a 30-70 split, with 30 to basic cyber ops and 70 to emerging threats.
Working in SOC analysis, how much of the role requires a certain amount of intuition (and initiative) when recognizing early threats?
To be successful in running a SOC, the need (especially today) is for insight and intuition. Many SOCs are very functional and very reactive – I think this is due in part to the people running the SOC – there is a lack of expertise/creativity in how bad actors act.
This is key for running a SOC, not just keeping track of high risk areas, but having the creativity and ability to look at the organization through the eyes of a bad actor.
Would you say the majority of malware threats you observe in SOCs are destructive in nature or for monetary gain?
The majority of threats (over the last 10 years) have been focused on intel gathering. Not destruction, but what data is valuable, how the organization is structured, who the key players are, and who the organization works with (supply chain, etc.).
Getting this data is more valuable in the end. In the OPM breach, malware was used – not for destructive purposes, but for data gathering. The same is true with the Marriott breach (same bad actor too).
Do you see Deception and Denial being adopted more widely in future?
Yes, fully. It is a natural flow of how cyber ops will evolve in the future. The use of cyber deception has been around for more than 30 years; in the last 5, vendors have “discovered” it and are trying to make money at it. It will become normal for most companies.
You were quoted last year in the Washington Post, regarding the Trump administration’s cyber defense, stating “We need to have a strong cyber-doctrine and deterrence plan and an offensive strategy.” How much do you think has changed, and what still needs to be done?
The doctrine has not changed much in the last 5 years, and deterrence theory and application have increased. As far as offensive strategy, it has grown considerably. Which is a good thing, because it does support deterrence. I can’t get into the details, however it has increased.
“People are still looking for the ‘silver bullet‘…”
In your 20+ years in cyber security, which time period proved the most challenging? Has there been a time where the defense technology could not meet the threat advancements?
Most challenging… well, in the 1990s it was like the wild west; it had its ups and downs.
I think in the mid-2000s it got complicated because cyber technology was still under development, but the threats were growing exponentially. As far as when the defense technology could not meet threat advancements – that’s still going on today. We find that many companies and countries are still lagging behind some of the most basic threats today. People are still looking for the “silver bullet”.
As we move toward the quantum technology era, do you think enough is being done to prepare critical infrastructure for potential threats?
I think quantum technology is an interesting threat vector; however, why go there when people still don’t change their passwords, or companies still don’t inventory what is on their networks? From a bad actor perspective, I will go with the easiest, lowest-hanging fruit first.
The nation states will and have invested in quantum tech, which at this point makes it easier to detect and manage. I expect this to change in the next 3-5 years.
Which websites or subscriptions do you consider absolutely necessary reading in terms of threat intelligence/new threats?
Well, there are a lot. Hacker News is interesting for semi-up-to-date data; also Cyber Threat (.com) has good lists focused on cyber intel. I do get a fair amount of data from the government and the Five Eyes.
The best data on threats is in the form of traditional intel about what bad actors are doing. This can be telling information: what motivates people to use cyber attacks, and to what aims? This is the best place to start.
Which books do you consider to be “recommended reading” for cyber security advisors?
Tough question – it depends on what you want to do in cyber. Cyber is a tool to protect companies and countries. There are many areas to consider.
“As the internet grew and bad actors started to use it for their own benefit, cyber security became a strong tool in protecting America in the late ’90s and 2000’s.”
Is there anything specific that prompted your career choice in cyber security?
I looked at cyber as a tool to protect innocent people, or a way to stop evil people.
As the internet grew and bad actors started to use it for their own benefit, it became a strong tool in protecting America in the late ’90s and 2000’s.
What do you feel is the most prolific threat to organizations in 2020? What are your defense suggestions?
Most prolific: the use of machine learning (not AI – that’s marketing BS) to automate and overwhelm cyber systems in critical sectors for the purpose of overwhelming national security. And the not-so-common use of cyber to impact and manipulate social behaviors and opinions about the truth.
Recommendations: application of basic cyber ops (20 CSC) to cover the basics, so that expertise can be spent on unique problems, and better education and ability to spot fact from fiction/opinion online.
You can find out more about Geoff Hancock’s speaking engagements and his work here: