Eric Ervin Of 1898 & Co On What It Takes To Become A Cyber Executive

An Interview With David Leichner

Unselfish collaboration. Work to become a leader who models the behavior it takes to inspire trust and confidence across the entire team. Everyone benefits from this and in return, loyalty and team comradery grows! I learned this early when leading cross-disciplined teams across compliance and cybersecurity. This creates a culture of that rewards initiative and proactivity; something that differentiates good organizations from great organizations.

Today, more than ever, new products and software are under attack by a host of malicious actors. This makes the role of a C-Level Cybersecurity officer or a Chief Product Security Officer one of the most important lines of defense against cyber threats. What do you need to know to be a successful cyber executive today? To address this, we are talking to C-Level cyber executives who can talk about “What It Takes To Become A Cyber Executive, Today.” As a part of this series, I had the pleasure of interviewing Eric Ervin, global cybersecurity director at 1898 & Co.

Eric R. Ervin, CISSP, is global cybersecurity director for utilities and manufacturing at 1898 & Co., part of Burns & McDonnell. He leads teams of cybersecurity professionals focusing on improved risk management, situational awareness, resiliency and preparedness for power and water utilities and manufacturers in the U.S. and internationally. Over a career spanning nearly 20 years, Eric has worked for major Midwest utilities in corporate security and cybersecurity roles.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Thank you for the invitation. I grew up in a small Midwest town and was an active member in school, sports, and extracurricular activities. Living near a nuclear-powered generating station, our neighbors and friends worked there and it provided them and our community with many benefits. After I graduated from college, I joined the organization and there I developed a passion for the utility business.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Back in 2003, early in my career working as an application developer, the Northeast blackout event occurred where approximately 50 million people lost power for up to two days in the biggest blackout in North American history. A variety of factors led to the widespread blackout; however, technology was partly to blame. From there, my interest grew as I dove into the causes behind it, how it could have been prevented, and how potential adversaries could target it.

It wasn’t long before federal regulatory agencies were drafting cybersecurity standards for the industry. I was fortunate enough to work closely with my supervisor and mentor to develop the early components of a cybersecurity program.

Can you share the most interesting story that happened to you since you began this fascinating career?

Having been in this profession for about 20 years now, I’ve had a few incidents that my team and I have had to work through. What it has taught me is to have response plans in place and exercised so that when an actual incident does occur, you and your team are ready to overcome it in the most effective and efficient way possible. Think of it like a team sport, if you don’t practice, you won’t be ready for gameday.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

• Show initiative and take action. Leaders are often faced with challenges that may seem risky or out of your area of expertise, however demonstrating your willingness to dig in shows you’re a team player and willing to do what it takes to win.
• Put yourself in uncomfortable positions; it forces growth. Each time I’ve been asked to lead a new team or initiative, second guessing your own capabilities is natural. Lean in with an inquisitive mindset and keep communications open and candid.
• Treat others the way you wish to be treated. In my career, I’ve been around some amazing leaders who have gone out of their way to help me. Assume positive intent, even when things get tense. In my experience, relationships are foundational to success. You have to work at it and instill that trust in others that you’re in this together.

Are you working on any exciting new projects now? How do you think that will help people?

Here at 1898 & Co., we’re in the midst of rapid growth as our clients focus on what it’s going to take to maintain secure operations for their critical infrastructure. The critical infrastructure sectors are experiencing exponential growth and digitization across their operational environments and with that comes new cyber risks that must be addressed to ensure reliability and resiliency.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

The digital transformation that is going on across the critical infrastructure sections, such as Power, Water, and Manufacturing, is at a level I’ve never seen before. Systems that control and operate the services we rely on everyday are undergoing major upgrades. These upgrades are adding new and advance capabilities such as remote operations, advanced analytics and automation for increased productivity, and the exponential growth of Internet of Things (IoT) devices are opening new doors that must be cyber-secured.

There is a dramatic deficiency in cybersecurity professionals to meet the demands of the marketplace. That said, those that are coming out of school and into the workforce are bringing skills and capabilities not seen before. They’re hungry to learn from those who have been in the industry for years and bringing in fresh ideas and counter the ever-evolving threat landscape.

The organizational cultures appear to be shifting. No longer is the cyber team purely focused on the corporate/enterprise computing environments. CISO’s and their teams are now engaged directly with other business leaders to more fully understand the full implications of digitalization across the business and how to address risks in ways understood by executive leadership.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

There is so much talk about pending cyber legislation, funding opportunities through federal grants, and headline news stories about breaches, my concern is that security leaders may lose track of their mission and chase the “shiny penny”. Understand that there is a programmatic way to build and mature cyber operations. Take the time to collaborate with your partners from across the business and understand how you need to adapt and evolve to continue to serve your mission to secure the business as a whole.

With the rapid rise in digitalization across the critical infrastructure sectors, there are so many new systems and devices being placed on the network, it’s nearly impossible to keep up in siloed manner and maintain a robust security posture. Security leaders should be talking to their engineering teams about how to build cybersecurity into the design (see INL’s Cyber-Informed Engineering (CIE) and Consequence-driven Cyber-informed Engineering (CCE)).

Again, a strong cybersecurity program requires a team who understand the evolving threat landscape as well as the business’s need for continued innovation. This requires a workforce who is eager to learn, knows how to interact with the engineering and operations teams, and convey design principles during project meetings.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

There has been an 400 percent increase in attempts to compromise critical infrastructure since the beginning of 2020 and research indicates that around 44 percent of global ransomware attacks target control systems in the OT/ICS space. My concern is that our critical infrastructure providers are not fully prepared to combat an attack on their most critical functions that are enabled through technology.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

First and foremost, your network and security teams may be made aware of an unusual increase in network traffic, which can be indicative of network congestion leading to system availability issues. This can be caused by many things, however, so best to check with your security team and ensure they are aware of the issue and are working to identify the cause. Another leading indicator may be the discovery of new programs or applications which can open the door to adversaries and putting your users and intellectual property at risk. Lastly, and most visible, is when your computer appears to be operating and responding to inputs itself. There have been multiple incidents over the last ten years in critical infrastructure where even the control systems used to control the flow of electricity and water have been compromised in this way. As with most security-related training, if you see something suspicious, say something. Always best to make those response aware of situation so that they can respond accordingly.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The vast majority of ransomware attacks begin with cyber criminals exploiting common cybersecurity errors. We talk all the time about covering the basics of cyber hygiene and this is a prime example of why. Microsoft analyzed anonymized data of real threat activity and, according to the company’s new Cyber Signals report, found that over 80 percent of ransomware attacks can be traced to common configuration errors in software and devices. In addition, the lack of cybersecurity training for the workforce compounds this and leads to poor user practices (e.g., users are more likely to click on suspect emails or fall for the phish). Lastly, if companies don’t have robust incident response and backup and recovery plans, their ability to recover from ransomware attacks can be further complicated.

In today’s environment, in addition to computer systems, hackers break into the software running many products, such as cars or robotics, for malicious purposes. Based on your experience, what should manufacturing companies do to uncover vulnerabilities in the development process to safeguard their products?

Foundational elements of cybersecurity programs — such as asset management, cyber control management and change/configuration control practices — provide a certain level of cyber assurance. Deploying additional access control mechanisms, such as multifactor authentication, can further restrict remote access to only approved and authorized users. In addition, visibility tools that provide monitoring and detection capabilities can facilitate a response that can minimize or mitigate threats before they can impact operations. Additionally, segmenting the OT and IT systems and networks to keep the utility treatment DCS and business side of the utility separate can limit the potential impact if one system is compromised and lateral movement by the adversary is attempted.

To be prepared to respond to a cybersecurity incident, a utility should have an incident response plan developed, tested and ready to deploy. For instance, if a ransomware attack occurs, the utility should have a response plan in place. It is never a sure bet the hacker will release data after a ransom is paid, and paying the ransom could make the utility a target in the future if attackers know the facility has paid in the past. Through a robust backup and recovery program, the utility will still have the information needed to minimize downtime while also limiting the power the ransomware might have over utility operations. These are core capabilities of our service offerings here at 1898 & Co.

Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Create A Successful Career As A Cybersecurity Officer Today” and why?

1. Unselfish collaboration. Work to become a leader who models the behavior it takes to inspire trust and confidence across the entire team. Everyone benefits from this and in return, loyalty and team comradery grows! I learned this early when leading cross-disciplined teams across compliance and cybersecurity. This creates a culture of that rewards initiative and proactivity; something that differentiates good organizations from great organizations.
2. Assume positive intent. When the inevitable incident arises and tensions are high, I’ve found it’s important to assume positive intent with engaging with others. This serves as a natural de-escalator and allows you to focus on the topic at hand rather than the emotion in play. This was an instrumental tool I used during a merger as I brought two teams together and began working towards a new common goal.
3. Know the business. Today’s CISO/CSO must understand the business they serve, have the ability to clearly articulate cybersecurity in terms of risk, and effectively exert strategic influence. The role has evolved from managing technical tasks such as deploying security tools to managing risk and securing the business.
4. Industry Involvement. It’s important to establish and maintain engagement with the industry you serve and the practice you’re responsible for. Whether it’s your local group of CISO’s that meet quarterly over dinner, your industry trade associations, or your online presence on security-related forums, get involved. I also leverage LinkedIn to build my network and to hear about the challenges organizations are facing the creative solutions they’re building to overcome them.
5. Relationships. Last, but certainly not least, is the power of relationships. In my experience leading or guiding others towards cybersecurity maturation, if you have strong relationships in place with those you work with and engage with, you have a much higher level of success and buy-in when they trust you and know you are coming from a point of view that benefits the enterprise. Those relationships enable you to navigate the ever-evolving threat landscape and reduce the friction when actions must be taken that conflict with other priorities.

You are a person of great influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

For me, it’s all about arming our profession with the right information, providing access to world-class training, and mentoring those who are pursuing a career in this field. From there, it’s up to us to ensure each company has necessary cyber precautions in place to avoid those detrimental attacks.

How can our readers further follow your work online?

Visit https://1898andco.burnsmcd.com/

Thank you so much for joining us. This was very inspirational, and we wish you continued success in your important work.

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.