
curtvincent

Building a Cyber Security Program from the Ground Up: Lessons from an Aging Cyber Geek


As a retired Army Lieutenant Colonel and passionate cyber geek, I've embarked on a fascinating journey through the ever-evolving field of cyber security. From the early days, when cyber security had an entirely different meaning, to the present dynamic landscape, I have witnessed firsthand the twists and turns that shape this captivating realm.


Let's dive into building a cyber security program from the ground up. While many may assume it's a well-established field, the truth is, it continues to evolve and surprise us. As a seasoned cyber geek, I've been part of numerous discussions about cyber security and its uncertain future. It is uncertain because we can't predict most threats, so it's wise to remain cautious of those who claim to have all the answers; in my experience, they are usually proven wrong. I must admit, I've had my fair share of humbling moments too.


I've been in the cyber security game since the Army adopted TCP/IP in 1986. Before that, I was working on the MILNET and ARPANET; this was before TCP/IP, when we used the Network Control Protocol (NCP). Those were the days when the threats solely emanated from within the network, primarily insider threats, as there were no outsiders. Security was everyone's responsibility, transcending specific job descriptions. Since cyber technology was still in its nascent stages, security was all about controlling the behavior of the people and encouraging a security mindset. Sadly, over time, we seem to have lost sight of this fundamental aspect.


Now allow me to introduce myself: I'm Curt Vincent, an old cyber geek with a wealth of experience, known as Colonel Cyber. How did I earn that nickname, you ask? Well, I had a front-row seat as Jon Postel and Vint Cerf wrote RFCs and shaped the Internet. In fact, I like to joke that I Shoulder Cerf'ed my way into this field! It was like being there at the Internet's birth. But I won't bore you with a history lesson; Google can handle that. It's crucial, however, to understand that we didn't have a unified networking and computing scheme until the late 1980s. Before that, we navigated through a variety of operating systems and networking schemes like Banyan Vines, WangNet, and others.


The Army recognized the need to unify the technologies for various reasons, primarily focused on interoperability. I was fortunate to be selected as one of six Army officers to be part of the newly established Army Computer Engineering Center. As a young lieutenant, my initial task involved collaborating with the industry to develop code adhering to the networking specifications known as RFCs. Those were exciting times! Our primary objective was to make the technology work, with security playing a secondary role. Throughout my Army career, I remained deeply involved in computing and networking, eventually serving as the Operations Officer for the Army's Global Network Operations and Security Center (ANOSC). While technology continued to advance, the core of our security systems remained centered around the people and their behaviors. Individuals with clearances underwent regular re-verification and relevant training, ensuring a robust security culture.


After leaving the Army, I ventured into Wall Street, joining prestigious firms such as Goldman Sachs and Bank of America, and spending 15 years at Morgan Stanley. When I joined Morgan Stanley, the Dot Com era was just beginning, and I was entrusted with the task of building IT Security from the ground up. At that time, the concept of security was still hazy, with our primary goal being to keep the bad guys out. We did not focus on insider threat, but we kept a wary eye on it. I was given the freedom to hire until instructed otherwise, and by the time I left 15 years later, we had assembled a formidable team of 400 skilled professionals.


During those years, we developed various departments, including Security Engineering, Operations, Forensics, Incident Response, and Threat Intelligence. Our focus revolved primarily around technological solutions, hoping that technology alone would shield us from all threats. However, we had a partner in our journey: a smaller division called Information Security (INFOSEC), led by Managing Director Bob Vitali. Bob concentrated on what we now refer to as GRC (Governance, Risk, and Compliance). Bob and I formed a collaborative partnership that embodied the essence of Cyber Security as we know it today. We recognized the importance of all aspects of security, including the close relationship with the physical security team, in which experienced retired law enforcement officers held key leadership roles. Their expertise and contributions were highly valued and respected.


Unfortunately, over the past five years, I have witnessed a concerning shift in our approach to Cyber Security. We have become overly reliant on technology, neglecting the human element in the equation. A prime example of this is the rise of ransomware attacks. No matter how advanced our technology may be, it cannot prevent someone from unknowingly clicking on a malicious link or falling victim to social engineering tactics. It is not the individuals themselves who are bad, but rather their lack of cyber hygiene and awareness. Additionally, many Chief Information Security Officers (CISOs) have backgrounds deeply rooted in technology, and they often sideline the critical aspect of physical security, a core element that was integral to Army cyber security.


Today, I proudly serve as a Managing Partner of The Cyber Sure Group, an internationally renowned cyber security practice. Let me share an experience from a recent consulting gig at a large manufacturing company. I was brought in to establish a comprehensive cyber security program, and when I raised the topic of physical security with the CIO, he dismissively brushed it off, claiming it was not within his job description or compensation structure. I was stunned. In the Army, we referred to this kind of thinking as "putting an iron door on a tent." It's all too easy for someone to bypass the front door and gain unauthorized access through alternative means. It is high time to challenge and shift these dangerous mindsets.



Fortunately, there are brilliant minds in the field who recognize that leadership and culture are the greatest vulnerabilities in cyber security. One such individual is Jen Easterly, a respected figure with a background spanning the Army, Morgan Stanley, and cyber security, who now serves as the Director of CISA. She gets it too. I highly recommend following her for valuable insights. However, these voices often fade into the background amidst the clamor of vendors attempting to sell the latest cyber technologies. As a retired Army officer and Wall Street veteran, I have made it my mission to redirect the focus back to the people, leadership, and culture within cyber security. In my upcoming blogs, I intend to delve deep into these crucial aspects.


I invite you to join me on this journey. Together, let us uncover the intricacies and rediscover the true essence of cyber security. It is not merely about the technology; it is about the people who use it. By prioritizing the human element, we can build a more resilient and secure digital landscape.


Get ready to witness cyber security in a whole new light!



Cheers,

Curt Vincent, Colonel Cyber
