David Mahon is responsible for designing and implementing global security for CenturyLink, which operates 600,000 miles of internet backbone infrastructure.
The company has more than 40,000 employees, 20,000 contractors and operates in 35 countries, serving customers across every industry vertical.
Given the organisation’s breadth and depth, Mahon says: “We see the attack surface very differently from a lot of other companies. We are large and we are attacked every day.”
Mahon was previously CSO at Qwest Communications and before that worked in law enforcement at the FBI, heading up programmes for cyber crime, white-collar crime and organised crime, among other subjects.
Asked about the types of attack that are likely to happen going forward, Mahon says: “I get asked that a lot and I tell people it will be exactly the same kind of attacks that happened this year. The reason is because corporations are not fixing the problem.”
Mahon puts organisations into three categories – reactive, proactive and predictive. “The vast majority of organisations are reactive,” he says. “They may be starting to become more proactive.”
Generally, organisations moving from proactive to predictive security tend to be in government, defence, financial services and security, he says.
Looking at the recent WannaCry ransomware attack, Mahon says: “WannaCry was not an issue for companies that have a mature patch management programme. If you have a patch management team who are doing their job, they should have patched by the time the exploitation started. The vulnerability was identified in March, the patch was issued in early May and the attack happened in mid-May.”
But Mahon’s view on cyber security goes beyond getting businesses to become better at handling attacks. When he spoke to Computer Weekly in August, Mahon urged businesses to map their IT assets to business strategy and adopt a proactive cyber security programme. Just as every corporation has a business strategy, so cyber security needs a strategy, he says. “A cyber security strategy enables the achievement of corporate objectives.”
And a cyber security strategy needs to be aligned with the organisation’s business strategy, says Mahon.
“The corporate strategy follows a simple process – you design something, then you present the idea to the CEO leadership team, who make suggestions,” he says. “When they have developed the idea to a point where they think it will hit the addressable market for the revenue target, they take it up to the board.
“But where is the corporate strategy that assessed the business strategy and can say, ‘this is how we are going to enable it?’. If that cyber strategy doesn’t exist, then there is a group of adversaries who will disrupt the revenue stream. And what impact will this attack have on your stock price, your customers and your shareholder value?”
But many corporates fail to take cyber security into account when building a business strategy, says Mahon, and this is becoming more apparent as businesses push out digitisation and internet of things [IoT] initiatives. “The problem is the philosophy of being first to market,” he says. “What happens when your home security system can be breached by the burglars? If your home heating goes down at 7am and up again at 5pm, I can tell you are not at home.”
Data collection strategy
Cyber security will become increasingly relevant as businesses become more digital. Take information management, for example. One of the goals of information management is to provide a single version of the truth – one golden customer record – but data collection presents data, legal, regulatory and compliance issues.
A business may have silos of data it has been collecting from customers for years. The risk Mahon sees is when someone in business strategy wants to start pooling these silos into a data lake as part of some kind of digital transformation initiative. A data lake makes it possible to take anonymous data and link it with personal data. “Does this mean the whole data lake needs to be part PCI [payment card industry]-compliant or part of the GDPR [General Data Protection Regulation] programme?” he says. “Where is the staff who will build or operate it?”
Following the massive cyber attack on US retailer Target in 2013, there has been a shift towards greater cyber awareness at company board level, says Mahon.
“We are seeing changes driven by lawyers, who have decided there is money to be made if we sue,” he says. “They are using the same theory of negligence used in medical malpractice and class action lawsuits. They are suing the company and they are suing the board.”
Cyber insurance on the agenda
For Mahon, this means the board is now very aware of cyber security. And in the US, cyber insurance is now on the board’s agenda.
As the cyber insurance business has matured, so has its understanding of cyber risks, says Mahon. “In the early days of cyber insurance, when our insurance team went to brief the brokers and underwriters, they would ask me for a slide,” he says. “Now they want me on the agenda and I need to be there for two hours to explain how all our security works.”
The insurers realised they had no idea about the policies they were underwriting, says Mahon, pointing out that insurance firms are now starting to hire chief security officers to conduct the cyber risk assessment.
For Mahon, this is further evidence that businesses need to align their cyber security strategy with their business strategy.
Clearly, CSOs will face resistance from business managers who feel they are slowing down progress, but would any company knowingly release a flawed product? As companies embark on digital business initiatives, it is clear – at least for Mahon – that cyber security should be very much a key element for business leaders to discuss.