Tom Parker of Hubble Technology: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

Published in Authority Magazine
16 min read · Aug 23, 2021

You need to continuously reflect on cyber security and think through whether the controls you have in place still are enough. Think about how things are changing in terms of threats as well as your business. Are you moving to the cloud? A remote workforce? What does the future of your business look like? Is your cyber security program equipped to meet your future demands?

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Tom Parker.

Tom Parker is a globally recognized cyber security expert, technologist, author, speaker, and the CEO and founder of Hubble, a tier-one VC backed startup in the DC area. He has more than 20 years of expertise in the cyber security space, including extensive experience driving revenue growth and scaling global organizations. He is a frequent speaker at conferences around the world including the BlackHat Briefings and lends his time to lecturing at universities, participating in community research initiatives and is often called to provide his expert opinion to mass media organizations, including BBC News, CNN, and online/print outlets such as Vanity Fair, The Register, Reuters News, Wired and Business Week.

Tom Parker is the CEO and founder of Hubble, a company pioneering the emerging market of technology asset intelligence.

Tom’s prior roles at Accenture Security (a $2 billion security business) included Head of Growth and Strategy and Global CTO. He joined Accenture in 2015 through the acquisition of FusionX, a leader in the advanced red-teaming space, where he was CTO and co-founder. Tom has held numerous other notable roles, including Deputy CISO at AIG, and he sits on several advisory and non-profit boards.

Tom has published several books on the topic of information security, including “Cyber Adversary Characterization — Auditing the Hacker Mind”, and is a contributor to the popular “Stealing the Network” series.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

My first job was writing video game reviews for Computer Shopper, the biggest magazine in the UK, where I found that I really enjoyed learning about new technologies and writing about them. I was responsible for getting our first email system set up, which entailed learning UNIX-based operating systems, and I quickly found out that I had a fascination with security. This was long before cyber security was an industry, but I found myself intrigued by the potential vulnerabilities within these new technologies and how their weaknesses might be exploited. The rest is history!

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

There wasn’t a single pivotal event: in today’s industry you either decide that you want to get into cyber or you fall into it by accident. For those of us who have been in this since before it was an industry, it was just something you fell into through natural curiosity with the idea of exploiting or defending networks. Often, we were engineers or systems administrators that were interested in not what a technology was designed to do, but what it could be made to do. My interest has always stemmed from a place of curiosity: where could things go wrong, who might do it, and how can we prevent them from happening?

Can you share the most interesting story that happened to you since you began this fascinating career?

The most fascinating things I’ve experienced in my career are the ones I can’t talk about! I’ve worked with many interesting customers over the years, including some of the biggest organizations in the world. Most seasoned practitioners will tell you that the most exciting cyber stories are the ones that manage to stay out of the press through proper incident handling. Today, news of a new ransomware attack seems to be a daily occurrence, but the reality is that the vast majority of them are never known to the public.

Some of the more interesting stories that I can talk about tie to the people I’ve been fortunate to meet throughout my career. In the late 90s, quite through happenstance, I was introduced to some very senior executives within the Department of Defense. Subsequently, we worked closely with members of the NSA’s information assurance directorate, other three-letter agencies, and a smattering of private sector cyber leaders to create the first taxonomy ever for profiling cyber adversaries. This resulted in the publication of my first book and the first publication on the topic of cyber attribution, which remains highly relevant even to this day.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

A lot of people put their faith in me, for which I’m incredibly thankful. There were a few pivotal moments that made me think that I wasn’t going to follow a traditional career. As I was finishing secondary school, my career advisor said, “This computer thing might turn into something huge, but it might be a flunk. You could kick yourself for not pursuing a more traditional path.” He probably didn’t realize he was delivering advice, but I took it that way and it was a lightbulb moment that encouraged me to go do something [cyber security] that was far from conventional at the time. I’ve always been one for taking calculated risks and placing big bets, particularly when I think there’s going to be an incremental benefit to our industry. We’re making a big bet at Hubble that is really going to change the way that organizations manage and secure their technology for the better.

Are you working on any exciting new projects now? How do you think that will help people?

I am excited to be bringing Hubble to market. This project builds off of my decades of experience in cyber security and is poised to solve some of the toughest problems we currently face as an industry. We bring visibility to your asset environment in order to eliminate risk, reduce cost, and enable transformation.

As a company, we are highly energized because every day, we know that we are eliminating previously unknown risks for customers. They may have legacy systems in place that don’t have adequate protections or have missed opportunities for process improvements through automation.

We’re doing something that solves for one of the fundamental challenges in the market. We hear from C-level executives, finance executives, IP attorneys, and technologists that this problem of asset visibility touches them all in some way. It looks different for each stakeholder, but the general theme of not understanding what and where your assets are is a big challenge across the board. It’s certainly a huge challenge and requires some pretty innovative thought around the solution, but we think we’ve got it and are super excited to talk to the industry. Some people are ok with walking up a hill: we’ve decided that we want to move mountains.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Always find humor in your day. There are gonna be good days and bad days and sometimes it feels like more bad than good. But I think that having the right balance is key, and that can mean different things for different people. You have to take care of yourself both mentally and physically. While you may decide that because you’re starting a new company you have to work from 5am-midnight, it’s a short-term strategy because you will burn out. In any company that’s going to succeed, the founders and early employees have to be in it for the long haul.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

It’s exciting that there’s continued interest in the cyber industry from investors and consumers. It used to be a niche subject, but in the past five years security has become mainstream. Now, discussions of election hacking and not being able to get gas are dinnertime conversation. Cyber has become mainstream, which is exciting but also frightening; generally, it has become mainstream because bad things continue to happen.

For us who’ve been around for 25+ years, we’re seeing that while a lot of foundational work was done, there’s still a lot to do particularly when it comes to protecting the consumer and our critical infrastructures. We think that Hubble is very well positioned to help for the better in the long-term.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Ransomware is the obvious answer, but organizations’ supplier/vendor management is going to become an increasingly hot topic. As organizations bring more vendors and SaaS providers into their ecosystems, there’s more risk to supply chains. I think we have some unpleasant surprises ahead with the technologies that we rely on becoming compromised.

We’ll also hear more about quantum cryptography. Right now a layperson can’t just break SSL with relative ease, but you are going to see those types of attacks become more commonplace, as access to quantum systems becomes more widespread. It’s not a question of if, but when it will happen. We need to start thinking about that now so we can be prepared for what we’ll do when it does happen.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I’d like to think I’ve spent my whole career stopping cyber breaches, but you never really quite know what impact you’ve had — what may have happened had the organization not implemented a certain control.

As a consultant I once worked with an organization that was in the process of selling one of its business assets. This would have been a transaction worth hundreds of millions of dollars. It was a competitive bidding process for the asset and we found that one of the bidders was breaking into the company’s network to insert compromising information to generate bad publicity, therefore devaluing the asset and turning away other potential buyers.

What makes breaches and incidents interesting is what the adversaries were trying to do. If you look at the root causes of most breaches, it’s almost always a lack of hygiene, lack of patch management, and unreliable asset inventories. We spend a lot of time talking about fancy security technologies, but you can’t implement those well if you don’t have a trusted inventory to help you understand where they should get implemented.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

We use a number of industry-leading technologies, the details of which are confidential. Cyber security is an extremely saturated industry with thousands of new, small security companies popping up. When I was the CTO within Accenture Security, we found that there were over 2,000 new security startups with under $10m in revenue that accounted for 80% of the market. With so many vendors, it’s difficult as a CISO to figure out what you should be buying to move the needle for your organization. It can be interesting to talk about what you’re using, but it’s more important to talk about how you’ll use it and teach your employees to use it. If you purchase shelfware that isn’t properly implemented and no one is trained on it, you won’t see results. So when you think about ROI, how you manage the technology becomes even more important than the technology itself.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

CISO is a responsibility as much as a title. Even if you don’t have a dedicated CISO, you need someone who has that dedicated responsibility. The only way you’ll build security from the ground up is if you assign accountability to someone. You need to create a culture of security within your organization, no matter the size of it.

There’s no point in time when you need to have someone in the CISO role: your board of directors will often make that decision for you and it will depend on your specific business. There’s no right or wrong answer, it really depends on the business and environment you’re operating in. But no matter the business, someone needs that responsibility, even if it’s not by title.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

One of the biggest telltale signs is user access events. If you see users logging into accounts late at night in different time zones, that’s a good indication that something is going on. There are events that are obvious, such as an endpoint alert, and some that are more behavioral. If you’re dealing with a sophisticated adversary then you need to be looking for subtle behavioral signs. Always pay attention and respond to the warning signs! So many organizations see the signs, but don’t do anything about it until it is too late. What’s most important is not ignoring the signs and prioritizing and triaging them appropriately. If you think something is going on then you need to preserve evidence as early as possible, even if you haven’t fully confirmed that a breach has occurred yet.
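As an added example (not part of the interview), the “late at night, different time zone” sign described in this answer turned into a small triage check over constructed authentication events: each successful login is compared with the user’s home time zone and normal working window, and alerts are ranked so the worst ones are looked at first. The log format, the per-user baselines, the scoring weights and the alert threshold are all assumptions made for illustration.

```python
"""Rank constructed login events by how far they stray from a user's baseline.

Added example; the log line format, the baselines and the weights below are
assumptions, not a real product's format or rules."""
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

# Assumed per-user baseline: home time zone and normal local working window.
BASELINES = {
    "alice": {"tz": "America/New_York", "start": time(7), "end": time(20)},
    "bob": {"tz": "Europe/London", "start": time(7), "end": time(20)},
}

# Constructed log lines: <UTC timestamp> <user> <result> src_tz=<zone of source IP>
SAMPLE_LOG = """\
2021-08-19T14:05:11Z alice success src_tz=America/New_York
2021-08-19T21:40:09Z alice success src_tz=America/New_York
2021-08-20T03:12:40Z alice success src_tz=Asia/Shanghai
2021-08-20T06:58:02Z bob failure src_tz=Europe/London
2021-08-20T07:01:13Z bob success src_tz=Europe/London
2021-08-20T23:30:00Z bob success src_tz=Europe/London
"""


def parse_events(text):
    """Parse one event per line into dicts, oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].startswith("src_tz="):
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": parts[1], "result": parts[2], "src_tz": parts[3][7:]})
    return sorted(events, key=lambda e: e["ts"])


def score_event(ev, prev, base):
    """Return (score, reasons) for one login; prev is the user's previous success or None."""
    score, reasons = 0, []
    local = ev["ts"].astimezone(ZoneInfo(base["tz"]))  # the user's own clock, not UTC
    if not base["start"] <= local.time() < base["end"]:
        score += 2
        reasons.append(f"off-hours login at {local:%H:%M} {base['tz']}")
    if ev["src_tz"] != base["tz"]:
        score += 3
        reasons.append(f"source zone {ev['src_tz']} differs from baseline")
    if prev and prev["src_tz"] != ev["src_tz"] and ev["ts"] - prev["ts"] < timedelta(hours=6):
        score += 4  # two zones within a few hours: hard to explain by travel
        reasons.append("source zone changed within 6h of previous login")
    return score, reasons


def triage(text, threshold=2):
    """Score every successful login against its baseline; return alerts, worst first."""
    alerts, last_success = [], {}
    for ev in parse_events(text):
        base = BASELINES.get(ev["user"])
        if base is None or ev["result"] != "success":
            continue  # unknown users and failed attempts are out of scope for this check
        score, reasons = score_event(ev, last_success.get(ev["user"]), base)
        last_success[ev["user"]] = ev
        if score >= threshold:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["score"], a["user"], a["ts"], "; ".join(a["reasons"]))
```

The 03:12 UTC login for alice scores highest because it is late evening on her clock, comes from a zone she never uses, and follows a New York login by under six hours; bob's 23:30 UTC login is only off-hours and ranks below it.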

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

The most important thing is to stop the bleeding, but to do that you need to understand the underlying cause. I’ve seen many occasions where organizations have tried to remediate the breach without understanding what was going on and then the adversary got right back in. With certain nation state attacks, the B-team will commit the initial breach, you kick them out, and then the A-team comes in. It then becomes a lot more expensive to get the adversary out of the network. After you become aware of an incident, gather as much information as possible. If you can’t do it yourself, bring in someone from the outside. The actions you take in the first few hours and days will determine how many weekends you get to work for the next few months of your life.

For customer protection, communication and transparency is key. You’ve lost their data and you can’t go back in time and change that so being honest with your customers about what happened and what you’re going to do about it is really important. The worst breach responses have been where the organization has been in denial because they didn’t really understand what had happened early on. The last thing you want to have to do is retract statements you’ve made — further eroding consumer confidence in your brand.

Be precise in how you communicate and work with your attorneys to communicate with surgical precision. These days, the public generally believes that breaches happen, often due to foreign governments going after Western companies. Build trust with your customers by talking about how you’re responding to the attack and the new security controls you’re putting into place. Equifax did an amazing job: they have been extremely transparent about what their security program has done in the past few years. You need to think about what your next five years will look like as a business to prevent another incident and let your customers know your plans.

How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

With many of these laws, their heart is in the right place. They’re designed to protect people’s information, but in general the laws were drafted in such a way that didn’t anticipate how they might also encumber our ability to protect this very information. Take GDPR for example: I might need to look into your emails because I don’t want you to get spear-phished. The only way to check is to have a computer program look at the contents of your email. A privacy attorney would argue that there could be private info in the email so now I’m not allowed to look into it. Now you might get spear-phished and you might lose your PII because I wasn’t able to look into your email to identify the spear-phishing attack in the first place.

Many data privacy laws are works in progress. Because of them, it often takes organizations years to implement security controls in certain parts of the world because of poorly written data privacy legislation. The US is generally fairly easy, but some of the data privacy laws and workers’ council issues in countries like Germany make it extremely challenging. All of this time caught up in red tape just leads to worse breaches and attacks. Legislation is having a negative impact on security programs around the world so we need to continue to ensure that those writing the policies are aware of the counterarguments to these rules.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Patch management, asset inventory, and incomplete logging are the most common causes of breaches. People will tell you that the biggest weakness in an organization is people; having ineffective or incomplete user training is definitely part of it, but at the end of the day you can’t fix people. You can make it less likely that someone will click on a compromised link, but if you have 500k employees then you’ll have some people who just don’t get it. Technological controls need to work in tandem with user awareness training.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

I’ve seen that organizations have been forced to become more lenient with their security controls because there’s been a sudden need to become more flexible. Some organizations have taken a hard line to data privacy controls in terms of how and where you access data, but many have erred on the side of flexibility for their employees. Whether that’s resulted in errors or breaches I don’t know for certain, but I would imagine that it has happened. You’ve moved from an environment where everyone works in an office with a security guard checking IDs at the front desk and all of a sudden your employees are working from home with their teenage kid on the same network who could be an aspiring hacker. It’s a very different threat scenario. I’m sure there have been incidents: this is why security technologies like Hubble and Crowdstrike that enable endpoint visibility are so critical. Understanding where your assets are and how they’re being used is fundamental in giving you the agility needed to manage your workforce.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

One: Understand that cyber security is a moving target and not a one-and-done project. You need to continually evaluate the business you’re in, the threat environment, and your technology stack (which is where Hubble comes into play).

Two: You need to continuously reflect on cyber security and think through whether the controls you have in place still are enough. Think about how things are changing in terms of threats as well as your business. Are you moving to the cloud? A remote workforce? What does the future of your business look like? Is your cyber security program equipped to meet your future demands?

Three: Accountability is critical. Someone in the organization must always be accountable for cyber security regardless of how big or small your business is. That person needs direct access to the CEO and board. Cyber security is a strategic imperative, not an IT project. Even if you haven’t had an incident, you need to be outspoken about the role that cyber security plays in your business. Any savvy buyer will always be looking for vendors they can trust with their data so talk about your commitment to security and privacy.

Four: Data privacy and cyber security are not the same thing and it is important that organizations have appropriate subject matter experts to lead programs in both disciplines. Data privacy is an increasingly complex area of law and needs the appropriate level of attention.

Five: Continually assess your technology investments in cyber security to ensure they align well with your current and future strategy. To avoid shelfware, when implementing new security technologies, it is critical to budget for effective implementation, including ongoing user training and awareness.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective, and something everyone can do!)

An understanding at the board and CEO level that to be secure is a necessity for the growth of your business. This is not an IT project: organizations need to consider it a strategic imperative for the future wellbeing of their organization. It may be that you don’t see a short-term return, but if you look at Equifax for example, they have plenty of publications about how their very outward approach to cyber has bolstered trust in their brand. Cyber security is a foundational component of any business and needs to be treated as such. CISOs need to report to the CEO and not get stuck in a technology silo. These efforts protect the value of your business, your intellectual property, and customers’ trust in your brand. Security needs to be elevated to the right level and taken seriously across the organization.

How can our readers further follow your work online?

You can follow me on Twitter and LinkedIn.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
