Cyber Defense: Francis Cianfrocca Of InsightCyber On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack
In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?
In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.
As a part of this series, I had the pleasure of interviewing Francis Cianfrocca.
Francis Cianfrocca is the founder and CEO of InsightCyber, a cybersecurity startup developing a new AI-powered security service to provide insights and protection against a wide range of threats in cyber-physical environments. An inventor of key technologies at InsightCyber as well as a previous company he founded, Cianfrocca is a noted expert in the fields of data security, computer-language design, compiler implementation, network communications, and large-scale distributed application architectures. Having a background in music, Cianfrocca attended the Eastman School of Music and the University of Michigan.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was raised in Syracuse, New York, a hub of the arts, especially music. I have fond memories of being interested in classical music from an early age, eventually attending a professional music school. The old adage says that being musically-minded makes computers and math easier, as they’re both aligned to the left hemisphere of the brain. But the most unusual thing about my background is that I’ve been doing cybersecurity for close to 30 years. I have had an interest in deep tech since high school, long before the Internet existed. The Internet didn’t really become a big thing in the business world until the nineties.
I got into the nexus between computers and the physical world when I was in high school, by collecting data and controlling industrial processes. I worked for DCS, a company that ran control systems for the oil industry. And the computer in the middle of it wasn’t a little computer or personal computer, or even an embedded computer, but an IBM mainframe. In fact, it was one of the first computerized control systems for an oil refinery that the Chevron corporation was building in Louisiana. It actually turned out to be one of the last refineries built in the US. I then worked on systems for the pharmaceutical industry, collecting data from pharmacology experiments, and computerizing all kinds of other things. But all of this involved computers and networks.
In fact, my early employment history always involved computers and networks, but not the Internet. Ironically, I’m currently working on very similar projects, but hacker tactics have evolved.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I fell into cybersecurity almost by accident. Back in the nineties, I started a company called Tempest Software. We were building enterprise software systems on these big computer networks, and hackers started appearing. So, in tandem with developing business processes, we had to find ways to secure the information as well. Later, I was on a call with a client, a major defense company which manufactures weapons. A colleague called to ask if I’d heard of something called SCADA, the acronym for Supervisory Control and Data Acquisition, which many industrial organizations use. And I hadn’t heard the term. But I went and I looked it up, and I realized she was talking about industrial control systems–the stuff I’d been doing at that point for a good 20-plus years. She said, “We’re getting people from the government and the Defense Department telling us we need to help them provide security for this stuff. And we don’t really know what it is, and we don’t know how to go about it.” That was around 2010. At that time, there was a malicious worm called Stuxnet that was infiltrating computer systems operating big industrial control systems. It turned out to be something developed by U.S. intelligence agencies. It was a classic, incredibly well-executed early attack on physical infrastructure, namely the industrial processes that the Iranians use to enrich uranium. Clearly, this was a rather wicked thing to do. Ever since then, we’ve been involved in cybersecurity for industrial infrastructure, and that one phone call was how that got started.
Can you share the most interesting story that happened to you since you began this fascinating career?
Back in the day, maybe eight years ago, I met with Ed Amoroso, then CISO of AT&T. He ran a global network with 180 petabytes a day going through it. We told him what we were doing and what we wanted to do with industrial cybersecurity. After an hour talking to him, he shared with us the fact that there are millions of devices that they see in their network every day. And just about the only thing they could figure out about them is that they weren’t computers. They had no idea what the industrial control systems were or what they were doing. And so he had been talking to loads of people, including people that are well-known competitors of ours, and let us know that we were the first people that sounded like we knew what we were talking about.
To this day, we keep hearing from people like Ed that the whole problem of cybersecurity for the infrastructure that makes our modern world run–our production, healthcare systems, financial systems, telephony, all the stuff that we depend on–just isn’t being addressed in a systematic way that actually works.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
First of all, the most important character trait of a leader is to have followers. You’re not a leader if you don’t have followers. The key to gaining followers — the second trait — is to have a deep and genuine respect for every person in your organization. Finally, I have always felt that people get the most out of life, and work, when they’re making a big difference in the world, learning a lot every day, and working with people with whom they get along well. Those are three traits right there. If you can make those happen, you’re at the very least going to have a functioning organization. But, just as importantly, you need a really good problem to solve. You need to inspire people, in ways that match with what they want to do in life. Do all that, and you have followers.
Beyond that, good leaders see things that aren’t being done and ask: Why aren’t they? That’s a total cliche, but it’s a lot harder than it sounds. The people who become great entrepreneurs have the essential trait of being absolutely fearless in how they ask that question and pursue the answers.
Personally, in addition to those things, I love looking for stupid ideas. And the reason is because all the smart ideas have already been tried. If you come up with a really, really boneheaded idea, the first ten people you tell will say, “That’s the stupidest thing I’ve ever heard.” Then, I’m interested. Why? Because that means that not too many people have done it.
The problem with looking for stupid ideas is that they are likely to look stupid. It takes a leap of faith to give things a try. And that’s what we’ve done here with cybersecurity. We’re trying to disrupt several different major spaces, both in the technology industry and in industries where people have billions and tens of billions of dollars worth of market investment already in place. And we’re saying, no, you’re doing it all wrong. That’s a pretty stupid approach, until it’s not.
Finally, two bonus traits of a leader? Number one, ALWAYS back your team in front of others (even if you chew them out in private) and, number two, remember the most important words a leader can say are, “thank you.”
Are you working on any exciting new projects now? How do you think that will help people?
InsightCyber is working towards extending a well-known cybersecurity product category into the cyber-physical world. Cyber-physical systems include big industrial control systems as well as IoT (Internet of Things) or “smart” devices that are connected to the Internet. They are all becoming increasingly vulnerable to cyberattacks, especially in critical infrastructure settings. What we are bringing to this space has never been done before, and we are solving hard problems that companies have been grappling with for years. We start by collecting massive amounts of data from our customers’ networks then extrapolating insights from it. While many players in the cyber-physical world are able to collect this data, our innovation comes at the point of extrapolation. We are able to collect and package up more information about customers’ industrial operations than they’ve ever had before, and we’re using it to prevent cybercrime with the help of a very innovative application of artificial intelligence (AI).
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?
My experience in cybersecurity has led me to be an authority in a niche space, where not many other cybersecurity professionals sit. My extensive knowledge of industrial automation — how factories and pipelines work — and mechanical, electric and chemical engineering combines uniquely with my knowledge of network technology and cybersecurity to help an industry that has long been overlooked by other cybersecurity professionals.
In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?
Cyber attacks can be categorized based on who is executing them.
The three types of attackers are:
Basic hackers: These attackers are poorly resourced and lack enough knowledge to have a meaningful or harmful impact. They can be considered the “trouble makers” of the cybercrime world.
Criminals: Criminals are typically well-resourced, but lack deep knowledge. They typically attack to make money.
Nation State attackers: These attackers are the most dangerous, as their goal is to cause global conflict. They are very well-resourced and have vast knowledge that can cause severe damage.
What we’re seeing more of as of late is a melding of criminals and Nation State attackers. Criminals have gotten better at the craft of cyber attack, and they’ve started to use some of the technologies that previously were only known to the Nation States. Because of this, they’re able to hit bigger targets like entire company networks or critical infrastructure companies. While their attack vectors may be basic in nature (i.e. password phishing), they are often asking for ransom, which, combined with the attack on and potential exposure of data could be extremely damaging.
Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?
The owners and operators of critical infrastructure, including those involved in the capital assets that make up industrial production, should be the most concerned about a cyber attack due to the revenue and the potential for safety/human impacts. Regulators, or people in government and critical infrastructure companies should also be concerned, as they need to ensure strict compliance across an entire industry. Without regulators enforcing requirements, companies are less likely to properly protect themselves and their assets from attack.
Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?
If you, as a business leader, are aware that you’ve been a victim of a cyberattack, you’re probably hearing it from your cybersecurity people. Once you’ve been made aware of an attack, you’re going to want to inform regulators that it happened and give the regulators enough information for the issue to be dealt with. Oftentimes, people hesitate to admit that they’ve been attacked. Any business person would be. But it is important to alert the appropriate authorities of an attack.
So who do you call first? Usually, if your business has been attacked, the FBI is not a bad answer. If you’re an individual at home, the local police or a cybersecurity expert is probably appropriate.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
I think cybersecurity professionals on the whole, and these are InsightCyber’s customers, are the good guys. They’re the people we want to help make cybersecurity more effective and robust. However, the problem is they’re facing a huge job, much, much bigger than they can tackle with the current level of people, processes and technology available. It’s our job, coming from InsightCyber and the cybersecurity industry as a whole, to give cybersecurity professionals better tools. The reason they make mistakes is because the job is too big for humans to cover.
Just managing computers is a massive job, whether a big company has hundreds of thousands or even millions. Now, when you add connected industrial equipment and IoT devices, the number of systems to manage becomes billions. All kinds of devices are talking on computer networks that you don’t even know about. Therefore, just connecting things into networks so that they can enhance business value, which is what everybody wants, is impossible to control. People are going to make little mistakes because they’re human. A human error one time out of a thousand correct actions is enough to produce a cyber attack.
This is why my company’s technology is AI-driven, so it doesn’t make as many small mistakes as human-only management. What you really want to do is address 99% of the issues through the use of AI, so 99% of your data is better protected.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
There’s no way to limit the frequency of attacks. In fact, the number and types of attacks are increasing, especially since the bad actors are getting smarter at figuring out how to attack machines. So there really isn’t anything you can do to limit the frequency of attacks.
What you can do is limit the impact of an attack by becoming aware of attacks much, much earlier. This strategy refers to something we call, “the kill chain.” The kill chain is the sequence of events that an attacker undertakes that ends up impacting the victim, and how severe the impact is.
We want to block the kill chain as early as possible. In most cases, that involves knowing a lot more about what your infrastructure, your capital assets and your computers are doing. That’s something you can only do through AI because the systems keep getting bigger and bigger, and you’ll never be able to hire enough people to look at all of the data being generated. That’s the core challenge of cybersecurity. The need to protect operational technology only exacerbates the problem, but the problem exists on the IT side as well. We have to automate our way of solving attacks.
My recommendation to government and tech leaders is to kill the kill chain. Become aware of attacks much earlier in the process so that you can block attacks before they cause impacts.
What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)
First, recognize that you are going to be attacked (that is, if you haven’t already). The cliche is that there are two kinds of companies: companies that know they’ve been attacked, and companies that don’t. So first and foremost, it’s important that you know you are going to be attacked, and then take the necessary steps to prepare yourself.
That leads me to my next point: take a risk management approach rather than a security approach. A security approach is to lock the doors and make sure nobody gets in. A risk management approach is to minimize the degree to which your organization is vulnerable.
Third, you need to finance and invest in your cybersecurity. And this doesn’t mean just hiring security professionals. Cybersecurity should be something you buy as a business service, just the same way that you buy motors, investment banking, all the other kinds of tools. Think less about cyber security and more about risk management.
Fourth, you need to be thinking about your supply chain. Your company may be the most sophisticated organization on planet Earth when it comes to cybersecurity, but can you say the same thing about all the companies you do business with — your vendors, your suppliers, and your customers? They represent vulnerabilities too. You can’t police them. This is why simply putting locks on your doors is insufficient. Your approach needs to be based on awareness, visibility, and data monitoring, rather than putting locks on doors.
Lastly, strive to achieve full visibility into your entire technology stack, because you can’t secure what you don’t know you have. Business leaders need to invest in the tools that can provide awareness, visibility and detailed knowledge about your industrial operations. Concurrent with this, be on the lookout for opportunities to use data to enhance your business operations, because they’re out there. Everybody says “I want to use more data,” and “I want to use artificial intelligence” — InsightCyber is figuring that out. Progress is advancing quickly in these areas, so be aware of it and don’t be afraid of it.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger.
If I could inspire a movement, it would be to get people to stop thinking you need to be an expert in cybersecurity. Cybersecurity is something that we’ve been doing pretty much the same way for more than 25 years now. Firewalls were invented in the early ’90s, and they’re still one of the most common means of cyber protection. We really haven’t fundamentally changed how we do it, and we need to. What Curtis Blount, our CISO, will tell you is that the practice of cybersecurity is still all about putting locks on the doors and reading the logs that the locks — aka, the firewalls — give you. That makes you reactive. You want to be proactive. You want to know what’s going on in your network and be smart enough to know what you’re seeing. You want to have the discernment to know that you’re being attacked by somebody who’s doing their very best to keep you from figuring out that you’re being attacked.
How can our readers further follow your work online?
Our website is InsightCyber.com, our LinkedIn is InsightCyber, and my personal LinkedIn is Francis Cianfrocca.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!