Michael F. D. Anaya is the new Head of Global Cyber Investigations and Government Relations for DEVCON DETECT, Inc. (DEVCON). Prior to joining DEVCON, he spent approximately 14 years with the Federal Bureau of Investigation (FBI). He began his career as a Special Agent in the FBI’s Los Angeles field office addressing complex cyber matters for eight years, during which time he led numerous expansive investigations, including one that resulted in the first federal conviction of a US person for the use of a peer-to-peer (P2P) botnet. He was then named a Supervisory Special Agent (SSA) for the Leadership Development Program, charged with bringing together disparate divisions of the FBI focused on a workforce development initiative. This resulted in a more balanced and inclusive program. After implementation of the program, SSA Anaya went on to lead a cyber squad in the FBI’s Atlanta field office. There, he led a diverse group of Agents, Intel Analysts, and Computer Scientists in neutralizing nation-state and criminal threats. He secured one of the highest performance standards given by the FBI for the entire Atlanta cyber program, and he helped the program achieve a top-five ranking amongst the 56 FBI field offices.
Are there any common traits to what makes a successful security program?
There is one, and it is simple. People are the single greatest vulnerability to a company, but they are also the greatest asset. Successful security programs know the value of strong people.
I was recently talking to one of the most security-centric people I know, and he shared the key to being a good CISO with me. It sounds simple, but it can be very difficult to do effectively: Hire the right employees and manage them well. He went on to state that, as a CISO, having a strong technical background is good, but being able to surround yourself with the right people is paramount.
It’s one of the secrets I learned from working at the FBI. The true power of the FBI is not its image, brand, or given authorities. It is the people that comprise the FBI. They are the heart and soul of the organization. A truly elite workforce. And I have been lucky enough to continue the trend of working with fantastic people at DEVCON. If every security program had strong people, the cyber threat landscape would look far less ominous.
What should corporate boards know about conducting information security?
The one thing that eludes many boards is a key step in information security – sharing with law enforcement, for they are in a position to actually eliminate the threat. Think of it this way:
You are new to a neighborhood. You and your family are excited to live in your new home (located right in the heart of the neighborhood) and are looking forward to all the new experiences. One of those experiences is likely not a break-in. But what if there is a series of break-ins, starting at the outer edges? What if no one reported them, not even on Nextdoor, and law enforcement was never alerted to the activity? What would happen? The threat would escalate. Undeterred, the actors would continue to make their way to the center of the neighborhood, hitting home after home until they arrived at the heart of the neighborhood – your home.
Now this is an alarming thought. This analogy mirrors what happens in the corporate landscape when companies do not share data breaches, indicators of compromise, or threat intel with the appropriate authorities. The threat actors will continue and escalate their activity, moving from company to company until your company is next.
I know talking with law enforcement might be a foreign concept. It might feel unfamiliar or just seem ill-advised. But developing this step in information security is quite pivotal. It should be a step that occurs well before a cybersecurity incident. The board should strive to push the company to cultivate a positive relationship with law enforcement, one where the first time they meet is not after a data breach. A positive relationship allows both parties to begin to understand the other. It will only serve to assist you and others in your neighborhood.
What advice do you have for security leaders?
I would advise them to try and think like their adversary or employ others who are adept at it. How do their adversaries think? Easy, like the rest of us! Well, with a slightly different optic.
I give a number of presentations, and I like to start off the presentation with an interactive mental exercise. I ask my audience to take on the role of a burglar. I show them four various houses. As a group, we discuss the pros and cons of each from the mindset of a burglar. We talk about topics such as perimeter security, pattern of life, police response time, entry points, egress routes, etc. These topics all lead to the crux of the mental exercise – cost/benefit analysis. This is a concept we all understand: Is the risk worth the reward? At the end of the exercise, everyone votes on which house they would target. Each person employs his or her own cost/benefit analysis.
A security leader needs to place himself or herself in the mindset of their adversary. If he or she (as the adversary) was trying to target their own company, what would they do? They should focus on the same key topics in our exercise: perimeter security, pattern of life, police response time, entry points, egress routes, etc., with the underpinning thought of whether the risk is worth the reward. Therein lies the rub. In every presentation I have given, there is always someone that picks at least one of the houses. So in other words, someone will always find value in targeting your company. All you can do is assess the potential vulnerabilities (from the mindset of your adversary) and devise effective defensive countermeasures, such as relying on software solutions to assist in identifying threats, implementing an effective employee training program, and ensuring partners you work with are reputable and prioritize security.
Threats are everywhere and always changing. How to address this difficult reality?
Someone once asked me “Do you think we will ever do away with cybercrime?” That question allowed me to think more about what cybercrime is. Simply put, it is a type of theft. I then asked myself, “Well, how long has theft been around?” Since the dawn of time. And after hundreds of thousands of years of humanity’s existence, have we done away with it? Well, no, but should we stop trying to address it? Absolutely not.
How have we, as a society, dealt with the evolution of theft? We have evolved as well. We have trained ourselves, learned from our missteps, created rules to limit activities that we want to deter, created roles in society to enforce those rules, etc., all along enhancing our understanding of the threat, but not in a vacuum. We worked in collaboration with one another.
So, how do we address the difficult reality of an ever-changing threat landscape? First, we accept it as part of daily existence. We then, by working with one another, form a collaborative group (or consortium) and develop ways to mitigate it. In that vein, each member of the consortium should identify their inherent strengths and weaknesses. The idea is to play to each other’s strengths. If well thought out, there should be minimal (if any) weak points. The consortium would create a more formidable adversary, one that is far better positioned to address the threat than if any single member were to do it alone.
This is not easy. It requires trust and strategy, but it is possible. I would argue that if you are not trying to develop a working alliance with others, then you are not only operating at a disadvantage, but operating in a neglectful manner.
How can CISOs balance security and innovation?
Should versus Could. That is a simple mental exercise I do to help frame an issue. I would invite CISOs to ask themselves: “Could we implement this new product in our security model?” and “Should we implement this new product in our security model?”
Many times the answer to the first question is “yes!” But if you think about the second question, the should, many times the answer is “…well…hmm…maybe.” Think of this quandary: Could you adopt 10 puppies and surprise your spouse tonight? You might be able to do it, but should you do it? The latter is the question teams often forgo in the decision making process, but it is arguably the most important question we need to ask ourselves. So as a nuclear power plant executive: Could you approve the installation of a remote system to access the plant’s core cooling systems, but should you? This is a simple exercise, but very effective.
How important is being able to communicate with your colleagues?
Extremely. I think most of us know the value of communicating with colleagues in our respective industries, but what about communicating with colleagues in the government? I recently left the FBI, and I can reliably say the FBI is actively opening communication channels with those in the private sector. For example, on October 1, 2018, FBI Director Christopher Wray said in front of the National Association of Corporate Directors Global Board Leaders Summit, the following: “On the cyber front, we’ve got Cyber Task Forces in each of our 56 field offices across the country—with partners from over 180 different local, state, and federal agencies…But we can’t do it on our own. We’ve got to work together, particularly with those of you in the private sector. We’re sharing indicators of compromise, tactics cyber criminals are using, and strategic threat information whenever we can.”
Another way the FBI is building relationships with the private sector is the development of the FBI CISO Academy, which is a week-long event (held twice a year) for CISOs. It is designed to teach them how to prevent, counter, and defeat cybercrime. The Academy’s class sizes are small, designed to foster relationships and information sharing between the FBI and CISOs. I had the distinct privilege of serving as an FBI ambassador for the 5th and 6th runnings of the Academy, during which I developed relationships with a number of the CISOs. I was able to share key insights with them and they with me. Those relationships are still intact today. Since its inception in 2015, about 150 people have attended the CISO Academy. It is a great program that I encourage all CISOs to ask their local FBI field office more about.
One of my main focuses at DEVCON is information sharing, which I believe will be key to our collective success. This is not just limited to sharing with other businesses, but also key government entities, specifically law enforcement. I know that sharing with law enforcement can be a daunting proposition, but it doesn’t have to be. I am happy to engage with anyone to determine specific steps their company can take.
It is time we truly begin to work together. Given my previous experience, I can attest to the fact our adversaries work together, so shouldn’t we?