Michael Siegel is a Principal Research Scientist at the Sloan School of Management at the Massachusetts Institute of Technology. He is also the Director of Cybersecurity at MIT Sloan (CAMS). Siegel’s research focuses on the management, strategy, technology, and organizational issues related to cybersecurity with specific interest in vulnerability markets, cyber risk metrics, dark web business models, IoT endpoint security, cybersecurity workforce development, and educating management in cybersecurity. His work at MIT over the past 30 years has included a wide range of publications, patents and teaching accomplishments. Recently Siegel helped design a course at MIT Sloan School of Management on cybersecurity leadership for non-technical executives. During an interview with The Innovator he shared some of the key takeaways from the course and from his research.
Q: In an article you co-wrote this summer you advised companies to approach defense as a business problem first, not a technology problem. What does this mean in practice?
M.S.: You can have the best technology in the world but some 60% to 90% of cyberattacks are the result of human actions which are unintentional or sometimes intentional: they include someone clicking on a phishing email, posting a password or picking up a thumb drive. And while the technology is getting better and better and some believe that the required tech stack is getting smaller it is still not unusual to find companies managing as many as 200 or more cybersecurity-related tech products. This is very difficult because there are many things that you have to share information about with employees and many people need to be trained. Sometimes a single person is familiar with a particular technology and when that person leaves the company that knowledge is gone. What we try to do in the course and in our research is to address how to deal with some of these issues and best manage and create business strategies to become more cyber-resilient.
Q: Are cyber threats becoming more serious?
M.S.: Today there is not a single organization that is safe from being attacked. That said, the area where the losses are potentially the greatest is in physical domains. There are only a few known cases but more are expected. One is the Stuxnet computer worm that targeted SCADA systems [Supervisory Control and Data Acquisition, a control system architecture for high-level process supervisory management] and is believed to be responsible for causing substantial damage to Iran’s nuclear program in 2010. Another is the 2014 cyberattack on a German steel mill in which hackers successfully took control of the production software and caused significant material damage to the site. The potential for a greater number of cyber physical attacks on plants is real and the damage could be catastrophic. The world is very different from the one that people who run plants are used to managing. Physical plants used for production or generation are built according to solid engineering principles: if you install six generators in a plant you can calculate that any one of the generators will go down due to accident or failure at some point, but the likelihood of a second is very low. In a cyberattack someone is physically trying to do you harm and the goal is to shut down all of the generators at the same time. We did not design our plants and factories to be attacked at that level. Most systems in manufacturing facilities are built to withstand accidents or engineering component failures but not a purposeful attack. Non-technical managers have to understand that this is a whole different thing, that it is not like any other time, that someone can take you down as a company by taking over control of your systems.
Q: Many companies have moved to the cloud in order to increase security but isn’t it true that moving to the cloud introduces new cybersecurity issues? How should companies deal with these issues?
M.S.: Ten years ago moving to the cloud was viewed as highly unlikely. Today, for many it is an economic and operational imperative for IT-based companies, which is virtually all. There are significant economies of scale, even with security. However, the cyber physical world has been slow to adopt the cloud. This is where the future will be important.
Q: Why do companies have so much trouble calculating cybersecurity risk?
M.S.: It is difficult to calculate the risk for several reasons. There is very little data; the large insurance companies don’t have the actuarial data and don’t have experience. And in addition to all of that there are really, really bizarre things that can happen out of nowhere that you can’t predict, like NotPetya [a destructive malware] or the 2016 DDoS [distributed denial-of-service] attacks delivered through a collection of hacked Internet-connected cameras and digital video recorders. These were black swan events, incidents that were unprecedented and unexpected when they occurred.
Q: Can cyber insurance help?
M.S.: Cyber insurance is the fastest growing line of business in the insurance industry. This is no longer just an IT-based risk but also a major business risk that is being considered at company board and ownership levels. A 2018 paper on Cyber Insurance As a Risk Mitigation Strategy prepared by the MIT Sloan School of Management, Boston Consulting Group and the Geneva Association noted surveys that found that 99% of all boards of directors discuss cyber risk on a regular basis and 80% of CEOs consider cyber risk the number one threat to business growth. As more regulations are adopted, including global notification requirements such as fines and penalties, the corporate sector is looking to insurance to offer mitigation solutions that can effectively deal with the risk.
Q: But aren’t companies learning that their expensive cyber insurance actually gives them very little coverage? There are apparently a number of loopholes. If your company is attacked by a nation-state, for example, it is apparently considered an act of war and exempted from coverage.
M.S.: In general the coverage of cyber insurance is small. The best thing that companies can do is accept that there are certain risks but limit their exposure and protect the valuable parts of their business that, if compromised, could cause a major incident. I have heard leading government and private organizations say ‘we know people are in our system, it is a matter of limiting the damage.’ Senior management of large companies also need to accept this as a reality and prepare by organizing tabletop exercises [meetings to discuss a simulated emergency situation].
Q: What advice do you have for companies?
M.S.: Every company is at risk of being attacked. Hackers are not people wearing hoods that operate by themselves. They are extremely well organized and provide software-as-a-service to help others construct attacks, making it possible for even a non-technical person to control an attack environment. Knowing that, companies have to figure out what things they can mitigate, what they can accept and prepare for so that the damage is not as great as it could be, and what risk they can transfer. In the process of doing that they need to try and figure out who is likely to attack them, what the threat landscape is, how good the security controls are, and then carefully assess their cyber culture and manage that. Are their employees trained to employ good cyber hygiene? Are they properly restricting external access to their systems? Are their partners in the supply chain taking proper precautions?
Q: Who, in your opinion, should be in charge of cybersecurity due diligence?
M.S.: In some organizations the person in charge of cyber hygiene is the CTO [chief technology officer] and in others it is a relatively new position, the CISO [Chief Information Security Officer]. Who that person reports to is critical. If the person they report to has a mission critical goal to establish an IT infrastructure delivery date there could be push back. That was the lesson of the 1986 Space Shuttle Challenger disaster. [The shuttle broke apart 73 seconds into its flight, killing all seven crew members.] MIT was asked by the U.S. government to do an analysis of what went wrong. The disintegration of the vehicle began after a joint in its right solid rocket booster failed at liftoff. The failure was blamed on O-ring seals used in the joint but it was actually a systemic failure due to a management problem. The supervision of O-rings and quality control was moved to a mission delivery division, and that mission delivery division had signed a contract to get product out of the door by a certain date. Statistically, what occurred with that one move was the chance of an accident moving from being very small to one in a hundred. This is why companies have to carefully consider the C-Suite structure and decide whether the CISO reports directly to the CTO, CEO, CFO, CRO or other.