Matthew Rosenquist is an innovative security expert with 30 years of experience, developing practical strategies for an ever-changing cyber landscape. A trusted board advisor and security expert for governments, organizations and academia, Matthew is one of the most well respected cyber security evangelists in the industry.
Towards the end of 2019, you highlighted some dangerous digital technology trends which were extremely insightful, and somewhat outside of the box of normal cyber security reporting. When you describe the ‘loss of trust in technology’ – Fear, Uncertainty, and Doubt (FUD) – what would you like to see in our future to balance education with overlegislation?
At the point when cyber-related impacts are serious and the general understanding behind them is low, fear runs rampant and can fuel misguided legislation in response. Therefore, to avoid such sweeping mistakes, we must find ways to minimize the seriousness of cyber attacks and raise the awareness of the challenges. It is no easy task, given the interwoven nature and rapid adoption of innovative technology.
Risk management is not about eliminating all threats, as that would be far too expensive and prohibitive. Instead, it is about seeking the optimal level of security that delivers acceptable levels of residual risk, sustainable costs, and tolerable usability friction for users. Legislation, when needed, should also be deliberate in understanding and pursuing these aspects in a balanced manner.
What are your opinions on how quantum computing is portrayed in both the technology media and mass media?
Quantum computing is likely to evolve into a powerful tool. By itself, quantum will not solve all security problems nor will it undermine all trust. It will be a tool. For the risks it introduces, such as being able to undermine specific credential algorithms, other algorithms will be developed and deployed that are quantum resistant. For security solutions it will be able to empower new levels of analysis and prediction of attacks, but the threats will then shift to be more chaotic and unpredictable to compensate.
Technologies like quantum computing and artificial intelligence will raise the stakes in what can be accomplished, both good and bad, because they will be very powerful tools. We just can’t ignore that such tools will be employed for benign as well as malicious purposes.
“The pressure has already begun for developers to be responsible for their code”
We recently interviewed Alyssa Miller of Snyk – a company dedicated to cyber security for developers. Your article noted that “When a vulnerability exists in well-used code, it could be distributed across hundreds or thousands of different applications”, and “Many developers don’t check for weaknesses during development or post-release”.
Do you see or anticipate a shift in the responsibilities of developers in this prolifically innovative time?
Yes, I do see a change in both responsibility and best practices for developers. Code libraries are leveraged by developers to help expedite the creation of software. A single snippet of code may be adopted by software coders for products being developed around the globe. If, however, that code has vulnerabilities, the resulting products can also be susceptible to exploitation. The pressure has already begun for developers to be responsible for their code, which includes any libraries or dependencies they included. Vulnerability scanning must look both at the final software as well as the individual components to better understand if weaknesses exist.
As the scanning tools and developer processes evolve, deep scans will become a standard and expected part of the DevOps journey to product release.
One of the most interesting points you made was regarding cyber crime, ‘the next billion cyber criminals’, and economically struggling countries. You also highlighted Ransomware as a Service (RaaS) as being legitimately one of the most alarming threats. Could you elaborate on this?
The internet is adding about a million new users every day. With modern countries already having most of their citizens online, many of the new users are from economically struggling nations. We often forget that half of the world earns less than $10 a day. It is these new internet users in geographies that have few economic options that will be seeking ways to earn money with their new connection to the global digital ecosystem.
Cybercrime, like Ransomware-as-a-Service, is a perfect fit. It requires no technical knowledge and little to no upfront investment. Participants simply solicit victims to get infected by opening a file, navigating to a malicious website, or installing a harmful application that installs ransomware. If the victim pays to get access to their encrypted files, the participant receives a percentage of the payment. Although unethical, it can be an economic windfall for people struggling to survive.
The risk we all face is that a percentage of the next billion internet users might willingly become an army of fraudsters for cybercriminals, unless we find a way to undermine the underlying motivations.
“Data will remain valuable; therefore, it will continue to be targeted by attackers”
The Cambridge Analytica scandal highlighted significant threats to privacy. Do you think this was isolated, or could we potentially see another case like this in future?
The Cambridge Analytica incident is not isolated. Data is the new oil. Every company collects it from customers in some way. Many businesses use it in ways that customers don’t appreciate, including selling it. Data aggregation and analysis is tremendously insightful and therefore big business. More data equates to more power. With new privacy laws and protections, many ethical companies are now downshifting their collection efforts to be more conservative. They are also showing flexibility in how they treat, protect, and share such data. Data will remain valuable; therefore, it will continue to be targeted by attackers and misused by unethical organizations to the detriment of society. The battle for privacy is only now beginning and there are many battles ahead.
There are numerous interviews with reformed hackers that would suggest most of the cyber crime we see affecting larger companies predominantly began with social engineering, rather than direct software/hardware hacking. What is your opinion on this?
Social engineering is the most widespread mechanism for cybercrime. The reason is simple. It is both easy and effective. Criminals, like everyone else, typically take the path-of-least-resistance to achieve their goals. Why spend time and energy trying to accomplish difficult technical compromises, when it is easier to trick a trusted user to do the same?
AI presents a variety of novel threats across all business types. How far along do you think the cyber security industry is in response to these new, less obvious threats?
Artificial Intelligence is a hotbed of activity, especially within the sub-domains of Machine Learning (ML) and Deep Learning (DL), because the AI solutions are showing results in areas that normal processes cannot accomplish. AI is being leveraged by cyber attackers and by security providers, albeit in different ways. What is important to understand is that AI is simply a very powerful tool. It can be used, for example, by attackers to defraud victims at great scale with ever increasing success, or it can be used by defenders to identify malicious scams and undermine them with unprecedented efficiency. AI is an evolution of technology that for cybersecurity simply raises the stakes of what both sides can do. AI is the new arms race in cybersecurity.
How effective do you think honeynets and honeypots are right now? Do you think offending technology can easily recognize these traps, or do you think purpose-built solutions can still work well in identifying new threats?
I have always been a big fan of honeypots and honeynets. They add another layer of detection capability and can provide additional information on what attackers are attempting to accomplish as well as their methods. They are not foolproof and should not be the only detective control, but they are helpful as part of a comprehensive strategy. Advanced purpose-built versions can act as a better decoy and increase the believability factor for attackers to think they are maneuvering in the real environment, when in fact they are being closely watched to see what innovations they bring.
Do you see a particular future technology, or any technology currently in development as being more of a threat than any other?
Artificial Intelligence, specifically Deep Learning and its parent Machine Learning, is becoming a very powerful tool that will be wielded for great impacts. The difficulty is that it will be employed for both positive and malicious purposes. As attackers adopt AI to increase the scale and effectiveness of attacks, defenders will need to employ AI countermeasures to keep pace. AI will be the catalyst for the next arms-race in cybersecurity.
Cyber security has definitely become more accessible and innovations are now available and affordable to many. Do you feel that consumers and organizations now have access to protection that could be considered “military grade” or “government level”?
Cybersecurity is constantly changing. Threats continually increase and security controls must keep pace. The result is, what is sufficient today will be outdated in the near future. So, when we talk about different grades of security, it is a moving target. What really matters is if the controls in place mitigate the relevant risks that will be faced at any given moment. Security must maintain parity with the evolving threats.
What particular cyber security subject are you most keen to discuss/address with organizations when you speak with them for the first time?
Audiences assemble for a reason. They may be seeking insights, looking to address concerns, or want help in achieving their goals. As a speaker engaging an organization it is important to understand the audience’s needs. I focus on the cybersecurity challenges they are facing now and in the future, across technology, behavioral, and process domains. Every organization has a unique set of risks and opportunities to explore. As a speaker and advisor, it is crucial to quickly understand the known pain-points, enumerate the likely hidden risks, and explore the prospects for positive change.
I usually start off discussions with current industry metrics, then narrow it down to what is happening in their industry and with their peers. A natural follow-on is to understand the audience’s concerns and experiences. Then I look to explore their aspirations and what they are seeking to achieve, including their optimal balance of risk. With these foundations in place, a productive, specific, and tangible discussion with recommendations can ensue.
In a constantly evolving sphere, is there any specific aspect of cyber crime you still see as a threat, which should otherwise be resolved? E.g. password security in organizations.
Cybercriminals are predictable. We clearly understand this threat-agent archetype is motivated by personal financial gain. Their objectives align with the access and accumulation of money, which paints a clear picture of their likely targets. The other aspect, like many other threat actors, is they follow the path-of-least-resistance. They want the easy targets where they can make money.
The simplest advice is: Protect your valuables and don’t be an easy victim!
Practically, that translates to simply following industry best practices. Good security hygiene is vital. That includes, among other things, smart online behaviors, proper credential security, data protection, disaster planning, and device security. Being comprehensive and consistent on the basics goes a long way to warding off cybercriminals.
“Remote workers tend to be easier targets… Working remotely can be very secure when done correctly.”
The Coronavirus pandemic has affected millions of people in a relatively short time, and has resulted in many workplaces moving to remote work as a solution to delaying the virus. What cyber security issues do you foresee with these actions?
Working remotely can be very secure when done correctly. It takes preparation, proper tools, and guidance to properly manage security. With the current and unexpected rush for workers to connect remotely, several gaps can emerge.
- The transfer of sensitive data from the office to home. People need their files, projects, and data. Using email, USB drives, or insecure file transfers for sensitive data is a problem.
- While at home, workers may be using less-than-secure personal devices to conduct business. This potentially exposes business data and internal systems to others that should not have access. Many home systems are not as clean or locked-down as enterprise provided systems. Most personal devices don’t benefit from security configurations, timely updates/patches, and business class security solutions. It makes them more ‘hackable’.
- While at home and on personal devices, people are more susceptible to social engineering. Especially during a crisis, spam, phishing, and scams increase dramatically. This can not only compromise home systems, it can also jump to impact work assets.
- While not in the office, secure electronic communications between coworkers and into business systems become even more important. The problem is, secure communication is not easy or convenient. The hassle can motivate employees to get creative and use other means which may expose data or open systems to being compromised by attackers. Proper tools and policies must be in place.
The attackers know about all these issues and are happy to take advantage of the opportunities. Remote workers tend to be easier targets. To offset the risks, proper security must be established and adhered to.
What are you most excited to be working on this year?
There is so much I am excited about this year!
I have the pleasure and opportunity to work with great companies to bring incredible security innovation to market. I will continue to conduct research and analysis to peer into the future of cyber attackers and defenders. Most of all, I look forward to delivering keynotes, speaking to audiences, and advising organizations on the emerging cybersecurity risks which undermine trust in the digital ecosystem. The more we share and collaborate, the stronger cybersecurity becomes!
Any other comments or statement you’d like to make about the current state of cyber security in 2020?
We are in for a tumultuous year. The rapid adoption of new technologies, growth of users and services, and the vast increase in value connected online is a perfect storm for attackers. They are smart, creative, and persistent. Defenders are tasked with maintaining parity, which is extraordinarily difficult. It takes the best resources, insights, and commitment to remain competitive.
Matthew Rosenquist is an industry-recognized pragmatic, passionate, and innovative strategic security expert with 30 years of experience. He thrives in challenging cybersecurity environments and in the face of ever shifting threats. A leader in identifying opportunities, driving industry change, and building mature security organizations, Matthew delivers capabilities for sustainable security postures. He has experience in protecting billions of dollars of corporate assets, consulting across industry verticals, understanding current and emerging risks, communicating opportunities, forging internal cooperation and executive buy-in, and developing practical strategies.
Matthew is a trusted advisor, security expert, and evangelist for academia, businesses, and governments around the world. He is a public advocate for best practices and for communicating the risks and opportunities emerging in cybersecurity. He delivers engaging keynotes, speeches, interviews, and consulting sessions at conferences and to audiences around the globe. He has attracted a large social following of security peers, is an active member on advisory boards, and is quoted in news, magazines, and books. Matthew is a recognized industry expert, speaker, and leader who enjoys the pursuit of achieving optimal cybersecurity.
Matthew Rosenquist is experienced in building world class teams and capabilities, managing security operations, evangelizing best-practices to the market, developing security products, and improving corporate security services. His areas of expertise include:
- Identifying evolving cybersecurity opportunities & risks
- Board advisor and guide for cybersecurity risk oversight
- Executive consulting and communications
- Security evangelism and best practices
- Cybersecurity strategic planning
- Organizational risk management advisement
- Industry communication and leadership
- Program and project management
- Security Operations Center management
- Customer engagement and service management
- Security Return-on-Investment Analysis
- Crisis management & criminal investigations