Published in Authority Magazine

Cyber Defense: Jason Pfeiffer of ReliaQuest On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

An Interview With Tyler Gallagher

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Jason Pfeiffer.

Jason Pfeiffer is Chief Strategy Officer at Tampa-based cybersecurity company ReliaQuest. Prior to joining ReliaQuest, Jason spent his career building and leading world-class cyber security programs for global businesses, including Lockheed Martin and PwC. He earned his Bachelor’s degree in Management Information Systems from the University of Central Florida and his Master’s degree in Technology Management from Rensselaer Polytechnic Institute.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I’m originally from San Antonio, TX, where most of my extended family still is today. My father worked in retail and my mother was a nurse. One interesting thing about my upbringing was that I moved nine times by the time I was halfway through fifth grade, with the final stop being in the Tampa Bay area.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

As a kid, I was enamored by technology. My parents fed that curiosity by having early computers in the house and allowing me to tinker. As I grew up, services like Prodigy and America Online (AOL) became more prolific. One time while using AOL, someone instant messaged me stating they were from “AOL Support” and needed my password. Even at a young age I thought this was weird, so I reported it and became intrigued with what they were trying to do and how they were doing it. I started researching it and followed chat groups where folks were talking about how they were scamming people and trading access to software that would automate the process. From then on, I was hooked. I was amazed with everything about the internet, how easy it was for things to be hacked, and I just kept going.

Can you share the most interesting story that happened to you since you began this fascinating career?

I have a lot of great “war” stories, but this may be one of the most interesting. While at PwC, during the 2012 Presidential Elections, someone contacted the firm and the media stating they had “hacked” PwC and stolen Mitt Romney’s tax returns. This became the number one trending story on CNN for a few days and had the firm concerned. We were ultimately able to prove that this never happened, and we worked closely with the U.S. Secret Service to identify the individual responsible. While it was stressful and a lot of work, it was a great learning experience for the entire team that was involved.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Humility. Leave your ego at the door or just don’t have one, period. You cannot put yourself above others and expect people to follow you. You have to be willing to do the things that no one else is willing to do.

Accountability. Not everything goes perfectly, and there is always room for improvement, but you must be accountable and own the things that go well and those that don’t. As a leader, you’re accountable for your team, their successes, and their failures. There have been many times where the teams I was leading missed something, such as dates for a project, but the failure is ultimately mine and I will own it all the way through.

Transparency. Your teams need to trust you and know that you will be transparent with them in all situations. They must know you will give them constructive feedback that they may not want to hear, that you will help them understand the “why” and that there is a good reason if you don’t. I’ve found that transparency builds trust and removes a lot of the questioning and concern from day-to-day interactions with teams you are leading as well as those around you.

Are you working on any exciting new projects now? How do you think that will help people?

I’d like to think I’m always working on something new and exciting! I’m working with ReliaQuest’s product and engineering teams on new innovations to help solve the more significant challenges our customers are facing. While I wish I could tell you more, I unfortunately can’t now — but hopefully you will be hearing about them very soon.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

Over the course of the past 15 years, I have spent much of my time building and leading world-class cyber security programs for global businesses including Lockheed Martin, PwC, and Cognizant. I also have a number of industry certifications, including ISSAP and CISSP from ISC2. Now, as Chief Strategy Officer at ReliaQuest, I keep a close pulse on trends in the industry and focus on forward-looking initiatives for our customers and partners.

In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyberattacks that we need to be cognizant of?

There are various types of forms a cyberattack can take. Here are a few of the most common types:

Ransomware: ransomware is one of the most popular and destructive attacks in cybersecurity. The goal of ransomware is to hold the user’s data hostage by making it unusable until a ransom fee is paid. Attackers do this by encrypting the victim’s machine with an encryption key that they then offer to sell back to the victim in exchange for cryptocurrency.

Phishing: phishing is a social engineering tactic in which a malicious actor poses as a trustworthy source, typically via email, text, phone call, or websites, in order to solicit personal information including passwords, financial information, identity, or money. This method is also used to deploy or deliver malware to an unsuspecting user.

Zero-Day Exploit: zero-day exploits are exploits against a previously known vulnerability. They are flaws at their core and leave no opportunity for detection at first.

Who has to be most concerned about a cyberattack? Is it primarily businesses or even private individuals?

Businesses and individuals are both at risk to fall victim to different types of cyberattacks, but large organizations are at a higher risk given their size, complexity, and lack of visibility due to the sheer structure and multitude of data. Technology is pervasive in our lives today, and the amount of technology that we use on a daily basis — such as phones, laptops, smart home gadgets, WiFi — to complete tasks, work, and unwind opens up each and every person and corporation to an increased risk.

Who should be called first after one is aware that they are the victim of a cyberattack? The local police? The FBI? A cybersecurity expert?

When it comes to reporting a potential breach or cyberattack, we encourage organizations to follow CISA and US-CERT Notification Guidelines. These guidelines provide information on who to report cyber incidents to, and the timelines in which they should be reported.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

Today, organizations are chasing buzzwords and becoming enamored with shiny new technologies. Plus, with the shift to remote work, businesses are adding security tools faster than they can keep up. Because of this, more often than not, organizations are getting the fundamentals wrong when it comes to their cybersecurity program.

One major mistake organizations make is not establishing standardized metrics benchmarks. More than half of security leaders say the primary obstacle to implementing an IT security risk management program is a lack of standardized metrics to measure progress. What’s more, only about a third of security leaders believe that their teams are tracking the right security metrics. Without proper metrics to measure against, understanding and implementing an effective security program will make companies extremely vulnerable to ransomware attacks and other cyber threats.

Arguably, the biggest mistake organizations are making today comes down to tool sprawl. The majority of organizations have one staff member managing more than four tools. Tool sprawl not only prevents organizations from having full visibility into their tools and data, but also contributes to burnout and skills gaps in the security industry. These issues are heightened even more by the Great Resignation, which is adding strain on the already tight industry labor shortage. Combined, this leaves companies at an increased level of cyber risk.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Seeking out and implementing an MDR (managed detection and response) provider is an important step that can greatly benefit organizations and help mitigate these attacks. While implementing MDR technologies is crucial, it’s key to understand what to look for so you can choose one that will be of most help for your needs and easily integrate with your existing tools and technologies. For example, organizations should choose an MDR provider with the ability to share key security metrics; proactively run threat hunting programs; and provide a clear view across various tools.

What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

Gain better visibility across your security tool stack to limit tool and data sprawl. Having too many tools can lead to burnt out employees and teams, and further increase the risk of your organization falling victim to cyber threats. In fact, 69% of security leaders believe they have less than 50% visibility across all security tools, including on-premises and the cloud. I often work with customers who spend far too much time trying to engineer solutions rather than analyzing the output of those solutions. They have tools and technologies deployed that are leveraging only 20% of their capability, and they end up having several technologies that do the same thing. In cybersecurity, visibility is key as you can’t defend what you can’t see. Optimizing what you can “see” across your technology footprint is key.

Set standardized metrics benchmarks. This will help organizations know what to measure, how often it should be measured, and the progress being made against those benchmarks. 64% of security leaders cite that the primary obstacle to implementing an IT security risk management program is a lack of standardized metrics to measure progress. In one such example, we had a customer who reported that they had 20 security incidents over the last quarter. I asked them if that was “good or bad” and they didn’t know. They didn’t know what “good” looked like, and they didn’t have key milestones or KPIs they were driving to. Metrics are a critical piece of a good cyber program, but those metrics have to include a baseline or objective that you are trying to hit. Having counts of different things is nice, but understanding the goal you are trying to get to and what drives each of those numbers is what will ultimately make your program excel.

Make cybersecurity a boardroom conversation — and lead with metrics. 63% of security managers believe board members don’t understand the value of new security technologies, and telling this story can be challenging to those with non-technical backgrounds. Leading with clearly defined and easy-to-comprehend metrics will help paint a better picture about cyber risks. If the entire board is educated, not just one person, about why cyber is important and drives that from the top down, cyber preparedness will become a larger priority throughout the entire organization. Most of the best CISOs I know leverage a standard cyber security framework when educating and working with their boards. Currently, the NIST Cybersecurity Framework is the one most commonly used in the U.S. Use this framework and begin the process of educating your board and getting their buy-in. Be extremely transparent with where you are currently and where you are trying to go. Most boards, while they are tech savvy, are getting smarter on cybersecurity and all of them want to help; you just have to lean in.

Shift your mindset from proactive prevention to real-time reactivity. Due to the aforementioned tool and data sprawl, most organizations have no holistic view into their security tools, and have no understanding of where current gaps are. Organizations and their leaders must shift from a reactive mindset to a proactive one. This includes conducting attack simulations. As an example, I was working with one of my current customers who ran what they called a “very tight ship” when it came to their cyber program. We worked with them and our attack simulation product to test their defenses and we ultimately found out, to their dismay, that they had some rather large gaps in their cyber defenses. Oddly enough, it took us testing the same attack a few times for us to identify the hole. It wasn’t because we missed it; it was because an IT administrator changed a policy unbeknownst to anyone during the testing and left the environment wide open to attack. If we hadn’t been running regular attack simulations, our customer may not have seen this issue for 6+ months, if ever. It’s just another example of trust, but verify and do that continually.

Implement a Zero Trust framework. The premise of Zero Trust is to trust no one, and consider anybody operating inside or outside the enterprise network as hostile. Zero Trust implementation is not a one-and-done scenario and must be unique to an organization’s needs. However, adopting a Zero Trust mindset and framework for your organization is one of the best strategies to protect against cyberattacks.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger.

I’ve always loved the idea and promise of “Pay it Forward.” I’ve been so fortunate in my career to have had great mentors and folks who believed in me along the way, and I think it’s important to pay that forward and mentor and guide others. Give someone an opportunity that may stretch them more than they are ready for, but let them determine if they can handle it or not — don’t decide it for them. Outside of work, the idea still stands, we are all human and all of us have been in places where we’ve needed help.

How can our readers further follow your work online?

Readers can connect with me on LinkedIn, and follow ReliaQuest on Twitter and LinkedIn.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
