On Monday, January 30, the Center for Long-Term Cybersecurity (CLTC) kicked off our CyberMētis Speaker Series with a seminar featuring Davis Hake, Co-Founder and Vice President of Communications at Resilience, a cyber insurance company.
Prior to starting Resilience in 2016, Hake managed cybersecurity strategy for Palo Alto Networks, served on the National Security Council, and was a lead author of cybersecurity legislation in the U.S. Congress. Hake also currently lectures on Cyber Risk Management at the University of California, Berkeley and is a Term Member at the Council on Foreign Relations.
“There’s a huge amount of opportunity in cybersecurity, and the purpose of this speaker series is to help you realize that even if you don’t have hard technical skills, so much of what goes on in cybersecurity is just using critical thought to solve difficult problems,” said Chris Hoofnagle, Co-Faculty Director of CLTC, in his opening remarks. “I hope you will also join us for future iterations of the speaker series and realize there’s a place for you in this growing and important profession.”
In this talk, Hake explained that at the outset of his career, he intended to focus his work on counterinsurgency operations, but a member of Congress advised him to “check out this cyber thing, because it might be a big deal.” In the ensuing years, following Stuxnet and other major cyberattacks, Hake explained that “we started seeing that this is not just an engineering problem, but it is a sociological problem, a political science problem, an economic problem, and also a business problem, which is where I’ve sort of ended up today.”
He reminded the audience of the risks we face in the digital age by presenting an overview of how much information about himself is publicly available online, and how easily an average person can be “doxxed” or have their data stolen. “It’s a good little PSA for everybody to remember how to not make yourself an easy target,” he said. “There’s nothing wrong with presenting a good polished image, especially for grad students who may be looking to apply for jobs, but think about the digital trail that you leave.”
Hake explained that major organizations have undergone a shift in how they regard cybersecurity as they have become more dependent upon digital technologies. He recalled a Fortune 100 board member telling him that “the future CISO needs to be a financially minded business leader who’s the principal cyber risk advisor to the CEO and the board.” The CISO must “own and help curate the corporate trust that that company is looking to build with its customers and shareholders,” but they are not solely responsible, as “more and more, CEOs and boards are finally starting to realize after being bashed over the head by large breaches that they actually have some large responsibility for that digital trust. The problem is, they don’t know what to do with that responsibility.”
He noted that in the United States, “we’re facing a fracturing landscape” due to changes in regulation, which is making it harder for “senior leaders to think about and understand their roles and responsibilities. This is why a future CISO is going to need to take charge of this, and think about it not just from a technical control standpoint, but what’s the liability? What is the risk that our company faces? How do we survive and thrive as we’re using cyber risk to make our business decisions, not just our technical decisions?”
Hake explained that he considers “four buckets of tools” that CISOs can use to “change the conversation out of the technical silo and into a business discussion that’s going to help educate CEOs and boards on how they can effectively navigate their digital risk: budgeting, scenario planning, training, and risk transfer.”
Budgeting, he explains, entails using modeling and risk analysis to determine the financial risk an organization faces. Scenario planning involves using “narratives and stories” that take into account the actual experiences of organizations that have experienced ransomware and other cyberattacks. Training entails practicing the process for managing a cyberattack or other incident, in part to ensure who holds accountability for different decisions. And risk transfer entails using insurance and other means to help mitigate the harms of an attack.
“These are the important conversations that we’re going to need to be having as security leaders that are going to finally start breaking us out of our technical silos, and start showing business value to organizations in ways that drive them to help tackle these larger societal problems that we’ve faced from an underinvestment in cybersecurity thinking over the past decade.”