Each October, IT and cybersecurity professionals recognize Cybersecurity Awareness Month as an opportunity to “…raise awareness about the importance of cybersecurity across our nation, ensuring that all Americans have the resources they need to be safer and more secure online.”
But this year’s Cybersecurity Awareness Month can’t possibly be like other Cybersecurity Awareness Months, right?
We’re living in unique and interesting times – with a global pandemic changing how we work and live and drastically increasing our reliance on technology. And – in a day and age when data breaches and ransomware attacks are on the front cover of newspapers on a seemingly weekly basis – there can’t possibly be any individual or organization that isn’t “aware” of the need for cybersecurity.
To learn more about how this year’s Cybersecurity Awareness Month may differ from years past, we sat down with someone who has first-hand knowledge of how difficult securing a complex network can be – Tina Thorstenson of CrowdStrike.
Before joining CrowdStrike this summer, Tina served as the Deputy CIO and CISO at Arizona State University. It’s safe to say that she understands – as well as, if not better than, most – how challenging today’s unique cyber threat landscape can be for public sector organizations. In part one of our two-part conversation, we talked about the threats that government organizations are facing today, and whether public sector organizations are safer this year than they were in October of last year.
Here is what she had to say:
GovCyberHub (GCH): Tell us a little bit about your background and previous experience. How did this prepare you for your new position at CrowdStrike?
Tina Thorstenson: I’m the Senior Director of Public Sector Industry Solutions and Strategy at CrowdStrike. This team is the CrowdStrike Public Sector Industry Business Unit made up of C-level executives responsible for strategic advisory services related to enterprise cybersecurity solutions for federal, state and local, education and healthcare organizations.
Prior to CrowdStrike, I served as the Chief Information Security Officer (CISO) and Deputy Chief Information Officer (CIO) at Arizona State University (ASU). My executive operational experiences span information security, IT governance and strategy, network systems, operations, and integrating and implementing a variety of robust applications and services.
In my work in the university setting over the past 25+ years, I found the complex nature of higher education particularly fascinating. In many ways, universities are very similar to small or mid-sized cities, but with far less structure than some other government organizations. The technology needs are immense, and meeting the demand for services required of each unit is certainly a challenge and vastly different than any other environment.
We developed a cybersecurity program from the ground up, including processes and systems that had to work for everyone – from faculty and staff, to 120,000+ students where some lived on campus and tens of thousands joined us online even before the pandemic began. I’m excited to bring that knowledge and the skills that I developed at ASU to CrowdStrike customers.
Before all of those years in higher education, I was an industrial engineer and pioneered many of the early mobile devices for the transportation industry where I spent quite a bit of time on docks and riding around in trucks identifying ways in which technology could and ultimately did transform that industry.
I’m excited about this role. It’s designed to strengthen strategic partnerships with our customers. I’ll be focused on understanding our customers’ goals and aligning technology to help them better address today’s cybersecurity concerns.
GCH: October is Cybersecurity Awareness Month. What are some of the largest cyber threats facing government agencies and organizations today? What do public sector organizations need to be aware of?
Tina Thorstenson: While we see similar activities and attacks across the public sector, we’re finding that attacks are becoming more targeted. So, it’s becoming increasingly important to understand the nature of these attacks and the threat to your organization or your agency. Within each government organization, if you take the time – and have the tools – to understand these threats, you can get out in front of the vast majority of them.
We continue to see a wide range of attacks intended to disrupt organizations, impact the brand, or steal credentials so that they can log in and look like a valid user. Phishing attacks are still common, and they’re increasingly targeted and sophisticated – frequently involving well-crafted social engineering campaigns.
Most of the threats facing government organizations are still largely financially driven. Ransomware and phishing can deliver substantial financial rewards and can be incredibly disruptive. As a result, social attacks against the inside team – an organization’s staff, employees, doctors, faculty – are increasing. These malicious actors are looking for ways to interact with them socially and hone in on the people who may have what they’re looking for – whether that’s access to sensitive systems, intellectual property, or something else valuable.
GCH: We “celebrate” Cybersecurity Awareness Month every October. Would you say that the government and its agencies are more secure THIS Cybersecurity Awareness Month than they were LAST Cybersecurity Awareness Month? Why or why not?
Tina Thorstenson: Honestly, the threat landscape is evolving so rapidly that it’s significant work just to keep up. The threat landscape in the first half of 2020 far surpasses anything we saw in all of 2019. In these unprecedented times, there are huge opportunities on both sides. The adversary is taking full advantage of the current situation and all of its distractions to attack organizations and individuals while the defenders have incredible new tools to incorporate into their cybersecurity program.
That being said, cybersecurity involves people and processes to fully leverage the technology. On the people side, there is certainly a deeper understanding of cybersecurity threats. This is increasingly personal – people have dealt with identity theft, data breaches, and other cyberattacks and they now have personal experience with it. That’s making them more cognizant of the threat and helping to reduce the risk, but continued training is still incredibly important.
Right now, many agencies and organizations are undergoing digital transformation, which requires new processes and technologies to help increase efficiency and improve operational effectiveness.
Traditionally, these digital transformation initiatives and changes aren’t implemented overnight. However, there have been many organizations in the public sector space that haven’t had a choice – such as education institutions for example, where many moved students, teachers, and faculty to online learning – as a result of the ongoing COVID-19 pandemic. These rapid changes in process and adoption of new technologies could leave them more vulnerable unless they adopt a strict security-first approach.
Finally, there’s the technology piece. There are clearly better technology solutions now than at this time last year, and many have embraced those new technologies. Organizations that have embraced new security solutions are much better protected against even the most sophisticated attacks.
So, while I’d like to say that we’re definitively ahead of where we were, it’s certainly a race and in my opinion, it’s too close to call.