Fred Cobb of InfoSystems: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

An Interview With Jason Remillard

You must have a cyber technology stack. In other words, one tool isn’t going to protect you. The tech stack starts with an antivirus on laptops and desktops, a firewall, a spam filter, a SIEM system. You have to have a good mixture of technology supporting you at different layers.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Fred Cobb, Executive Vice President of Services & CISO, InfoSystems.

Fred Cobb is a senior IT professional with a proven record of achievements and experience that have involved systems engineering, systems architecture, security program development, network administration, security operations center design, life cycle management, IT project management and ITIL/ITSM implementation. His career in IT includes more than 25 years with DEC/Compaq/Hewlett-Packard (HP) where he served in multiple technical roles. Fred has also worked for the US Department of Defense’s Missile Defense Agency and has spent more than a decade developing and delivering a comprehensive list of cybersecurity services to the private sector.

Specialized in all phases of IT operations and IT security, Fred has served as an Enterprise Administrator, Information Systems Security Officer, Virtual Chief Security Officer (vCSO) and Data Center Operations Manager for multiple critical business operations. Fred was a part-time IT instructor for a number of years and has helped over 900 students in their pursuit of various technical certifications. Fred holds a B.S. in Applied Management from Tusculum College along with a variety of industry certifications.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in a small-town, Mayberry-type environment. I always had a fondness for automobiles — I’ve always tinkered around with them and have a couple collector cars still today. School always came naturally to me, and I didn’t have to study too hard. When I was growing up, cybersecurity wasn’t really a career — but my natural mechanical inclination, curiosity, and passion for problem-solving are, I believe, what led me down this path.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I was very fortunate as a sophomore in college when I happened to be hired by a company called Digital Equipment Corporation (DEC). DEC eventually merged to become a part of Hewlett Packard. DEC rivaled IBM at the time, and I literally started in the mailroom/parts depot. From there, I worked my way up, doing computer installations for systems much larger than what you see today including mainframes — many were big enough to climb around inside. When I started in the IT industry, cybersecurity was a consideration for things like military installations, but it wasn’t commonplace in commercial endeavors due in part to the proprietary and closed-loop nature of networking at the time. But the more the industry evolved, particularly with distributed networking, and the more I learned, the more intrigued I became by the possibilities of a career in this discipline.

Can you share the most interesting story that happened to you since you began this fascinating career?

There are so many. Due to the nature of my work, I have had the opportunity to be at Cheyenne Mountain in Colorado, if you remember the movie War Games. I have been involved in incident response work that involved the treasury department of an entire Caribbean country. I have worked with the NFL, the Motion Picture Association of America, Boeing, Shriners Hospital for Children, and countless other companies, large and small. I have a thousand stories from all the experiences I have had, But we’ll go with this one: In my early days with DEC, we used to go to school in Massachusetts for weeks, if not a couple months at a time. DEC had an entire apartment complex that engineers from all over the world would come stay at while attending training. It was on a grand scale. One afternoon, while sitting in a class of about 20 engineers, I happen to turn around to find that the founder of DEC, Ken Olsen, one of the most powerful and influential individuals in the history of the computer industry, had come into the classroom and was sitting 5 feet behind me. Think of meeting the biggest hero in your life. That was what it was like getting to have a brief conversation with Mr. Olsen. In fact, the Windows operating system everyone knows today, was developed by former DEC engineers that went to Microsoft. Windows and the concept of virtual memory systems have their origin in DEC’s virtual address extension (VAX) architecture.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I have a couple of heroes: as mentioned, Ken Olsen, the founder of DEC. Even back in the early 80s, he was a billionaire but lived the life of a humble man. Ken was an engineer at heart, so he did everything with an engineer’s mindset. I am so grateful to be a part of the organization he founded. Ken’s concept of “satisfaction engineering” in being the best one can be, technically as well as in servitude to customers and co-workers, has helped propel me throughout my career.

The other is Jim Lindsay, a former co-worker, who I’d describe as a consummate brainiac. He was so humble and open to showing me the ropes and kept me on a course to success — not only professionally, but personally as well. Jim was a technical mentor, but also a nurturer and father figure in my life.

Are you working on any exciting new projects now? How do you think that will help people?

Many! My main goal, in addition to daily operations at InfoSystems, is trying to keep customers out of harm’s way. Because of that, we’re working on projects to make it much tougher for hackers to penetrate our customers’ systems. Traditional cybersecurity, an emphasis on securing the human, next-gen technology such as deception decoys, remote browser isolation, and so much more are all a huge part of our technology stack of offerings.

InfoSystems is also heavily involved in compliance and assessment work. Frameworks such as NIST 800–171 for prime and sub-prime contractors that provide products and services to the Department of Defense, HIPAA for healthcare, PCI for the protection of credit card transactions, and several more are a huge part of our services portfolio.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Realize you have to have a good work-life balance. When it comes down to it, I could work 80 hours a week every week — but that’s not sustainable. Sure, sometimes you’ll have to extend yourself beyond your typical workflow or schedule to meet a deadline or handle a time-sensitive issue, but you can’t take the project home with you every night.

I also encourage people to keep reinventing themselves. I’ve been doing this for 40 years, and my career today is nothing like it was even just 10 years ago. When I see people getting burned out, in many cases, it’s because they’re afraid to adapt. Do things that make you excited. Re-invention has kept me excited and passionate about the career path I chose so long ago. One day in the not-too-distant future, it will be time to hand over what I am doing to another, yet just as passionate version of my professional self. In the meantime, re-invention is the key to longevity.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

1. The will to win. There’s so much sinister activity going on out there, and working in cybersecurity kind of gives you a law enforcement mentality. What we do behind the scenes saves companies, their customers, and so on. I am excited about those wins, big and small.

2. The rapid pace. To stay ahead in this industry requires rapid adaptation to change and constant learning. I enjoy that rapid pace, and it keeps me engaged and excited to continue my evolution as a cybersecurity professional.

3. Future technical advances. Over the course of my career, I’ve seen us go from the “dark ages” of computer technology to today, where we talk on cellphones that have more advanced technology in them than entire computer systems of the past. We’ve come so far in just a couple of generations, I get excited imagining what things will be like 10 or 20 years from now.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Every day. Companies need to be thinking about cyberattacks as a “when,” not an “if.”

Phishing is still the number one type of cyberattack, and it generally comes through the human element (i.e. phishing emails containing links to malicious content). It’s important to do regular cybersecurity training with your team to better protect your business, your employees, and your customers against this type of threat.

I also really encourage more vendor vetting. Using the Solar Winds breach as an example, a security questionnaire just isn’t enough. It is incumbent upon IT and cybersecurity leaders to be aware of supply chain risks to better understand the internal construct of how third-party services and products can impact the business.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

There are so many. Here are a couple.

A few years ago, I was part of an election-fraud investigation in which I had to conduct some forensics work to determine whether or not hackers had accessed the network. Through our investigation, we concluded that foreign hackers had gained access to the network where the voting machines were located, but that they had not influenced the outcome of the election.

I also recently worked with a leader in the financial industry who had fallen victim to an email hack. The hacker gained access to an incredible amount of sensitive information in the span of about 24 hours.

The vast majority of what I do is highly confidential, so please bear with the vague nature of these stories! The takeaway here is that everyone thinks it won’t happen to them, but it can. It’s so much easier to implement preventative measures than it is to do damage control. I can’t harp on that enough.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

We use many. Arctic Wolf, Cylance, PacketViper, Perch, major firewalls, endpoint security, antivirus tools… The key is projecting yourself using multiple layers. It’s best to approach cybersecurity from a solutions- and education-oriented perspective vs. a product-only, “set-it-and-forget-it” perspective. When we recommend tools, the tools are a portion of a much larger, more comprehensive plan. Products are important, but perhaps even more important is ensuring they’re a piece of an overarching program.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

From my perspective, every business, large and small, should have a knowledgeable cyber professional focused on securing the company’s IT ecosystem. No, that doesn’t mean you have to go out and hire a CIO or CISO. But it does mean that you should contract with an agency, even if it’s just for a few hours of work a month. That team can guide you through growth challenges and offer advice and additional support as your needs grow and evolve.

Even larger companies who have teams of cyber pros can benefit from contracting with an outside company. It’s good to do what I call “sanity checks” every now and then to make sure in-house teams are equipped with the right tools, are implementing the right solutions, and are generally headed in the right direction with cybersecurity efforts.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be “amiss”?

1. Unusual activity in logs. If you are consistently reviewing data logs, you’re much more likely to notice malicious activity. For example, if you have records that show a significant and unusual spike in data usage for a team member, that may be an indicator that something is amiss.

2. Network performance issues. This isn’t as common today, but it’s still possible that a cyber attack could trigger a network slowdown.

3. Your Information on the dark web. It’s a good practice to routinely scan the dark web. If you find any information floating around, this gives you a heads up to dig deeper into potential breaches.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

The absolute first step is to get containment of the situation. Go into a lockdown status, and bring in a trusted cybersecurity partner as quickly as possible. Find out what’s happening, how the data is leaking, whether it’s an insider threat or a hack, do forensics on your network, post containment. But in all of this work, the primary goal should be to get containment as quickly as possible.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?

We do work for companies that maintain personal information for citizens of the EU (what GDPR is all about). Essentially, even US companies have to plan for integration with GDPR privacy requirements if they do business with people in the EU.

Here in the US, data privacy regulations can vary from state to state. In a breach situation, it can be a nightmare for companies to navigate all of these varying privacy laws — determining who to notify, how many times to share information, etc. My hope is that eventually, we’ll have a federal privacy law similar to GDPR to simplify the process, but as of yet, this does not exist.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Not being prepared for the inevitable, not training employees to be cyber-aware, and not testing the integrity or protecting backups of data. Putting in the work to prevent cyberattacks and to protect yourself should one occur is truly of the utmost importance.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

It kind of goes without saying that when you move to overnight telecommuting, additional problems with security and compliance are going to arise. When people are doing work at home with private information, such as PII or PHI, companies have to figure out how to remain compliant.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. Bad people are out to get your data 24/7. This may sound dramatic, but you have to have that awareness and that mindset. Look at breaches as “when” not “if,” and adapt accordingly.

2. Employees are human. This means they’re generally the weakest link in a cybersecurity program. Train employees regularly, and share details about current cyberattacks to give them real-world examples of ever-present threats.

3. You must have a cyber technology stack. In other words, one tool isn’t going to protect you. The tech stack starts with an antivirus on laptops and desktops, a firewall, a spam filter, a SIEM system. You have to have a good mixture of technology supporting you at different layers.

4. Constantly test the fidelity, integrity, and availability of backup data. Backups are no good if they aren’t being properly maintained. It’s critical to ensure backups are functioning properly.

5. Provide ongoing training. Annual IT training isn’t enough. Quarterly training with simulated phishes is a good place to start. Also be sure to send periodic reminders and updates, whether that’s via email or during team meetings. Cybersecurity should be top of mind all the time for all members of your team.

*BONUS TIP: Provide positive reinforcement. Cybersecurity threats can be daunting. Breach stories are grim. But every day is a good day when you don’t get ransomware! So celebrate those wins.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

If I could change one thing in the cybersecurity realm, I’d figure out a way to better track and audit cryptocurrency, or better yet, eliminate it. Cryptocurrency makes it extremely easy to pay cybercriminals. Until we get control over it, we can’t cut off the money stream to extortionists conducting cyber crimes.

How can our readers further follow your work online?

InfoSystems.biz/news and on LinkedIn

This was very inspiring and informative. Thank you so much for the time you spent with this interview!