There’s Something Rotten in the State of Cybersecurity

By David J. Blumberg

David Blumberg and GM’s Jeff Massimilla discuss today’s cybersecurity problems

The complex issues of cybersecurity rife among the largest corporations may be compared to a Shakespearean classic. In “Hamlet”, the head of the guards for the Royal Danish palace spots a ghostly intruder breaching the rampart walls, and shouts, “Something is rotten in the state of Denmark.”

Similarly, something’s gone terribly rotten in the world of cybersecurity. In recent years, this industry has seen more spending, more vendors, more products and more alerts. At the same time there is too little integration and orchestration, too few trained cyber professionals and an escalating rise in attacks and losses to hackers.

Over the past 15 years, concerned C-suite executives at large enterprises have increased their spending on cybersecurity up to 40 times. In response, VCs and talented entrepreneurs spawned thousands of cybersecurity vendors, and today’s chief information security officers (CISOs) at leading corporations manage between 50 to 500 vendors in an attempt to secure their organizations. Many of the products from this myriad of vendors don’t communicate well with each other once selected, purchased and deployed. The resulting complexity leads to greater insecurity.

Add to those issues the massive talent shortage of cybersecurity professionals (the shortfall is currently estimated to be 300,000 in the U.S. alone) and the likelihood of successful attacks increases exponentially. Just last year, there were more than 130 major hacks in the U.S. with costs soaring into the billions.

In most other business realms, commercial entities simply compete with others in their domain. In cybersecurity, the ecosystem not only contains enterprise customers and legitimate competing vendors, but it also includes vandals, criminal networks and even powerful state actors, looking for the weakest link. The playing field for cybersecurity is dramatically different.

To discuss these issues, I took the stage in Israel at Tel Aviv’s famous Cybertech conference alongside Jeffrey Massimilla, Vice President of Global Cybersecurity for General Motors.  As his title suggests, Massimilla leads the company’s enterprise-wide cybersecurity activities. During our talk, he agreed something’s gone terribly wrong in the industry, and it needs to be addressed. His team utilizes a growing roster of cybersecurity vendors, all under constant pressure to protect GM’s network, data and its millions of customers in an increasingly dangerous world of attackers. The audience, full of innovative entrepreneurs and talented potential recruits, came from around the world, including many who were trained in famed Unit 8200, Israel’s Intelligence Corps Unit that functions similarly to the NSA.

In short, the conference – and country of Israel – is a breeding and training ground for cybersecurity innovation and talent.

Massimilla is also chair of the Auto Information Sharing and Analysis Center whose mission is to advance cybersecurity protection in the auto industry. He is always on the hunt to find the right solutions and the right people. This requires fostering cultural esprit de corps, luring rare talent and providing a larger platform for creating and delivering economic and social value.

In early 2016, GM partnered with HackerOne to launch a public vulnerability disclosure program that would develop relationships with and enlist help from the white hat hacker community in identifying undiscovered vulnerabilities.

“Hackers have become an essential part of our security ecosystem,” said Massimilla. In mid-December of 2018, GM invited security researchers to participate in a 12-week Bug Bounty Private Program. During this engagement, researchers will submit vulnerabilities they find to GM for triage, with GM paying the researchers for findings.

The weakest link also becomes the target point for attackers, so original equipment manufacturers (OEMs) become top targets for attackers who know large organizations typically have robust protection within the organization but may lack adequate defenses between links in the complex supply chain. Moreover, the many partners across the supply chain multiply the number of cybersecurity vendors, products, operators and configurations, and increase the need for flexible integration while exposing more points for attack.

GM has joined business leaders across sectors in support of the Cyber Readiness Institute (CRI) initiative. Their mission is to share resources and knowledge that inform the development of free cybersecurity tools through a self-guided online program. GM’s Supply Chain and distribution network includes many small and medium businesses that can benefit from CRI’s tools and resources to improve cyber readiness.

“We recognize the importance of our involvement to improve and strengthen the security posture of all of our partners,” added Massimilla.

During our discussion one interesting point we surfaced surrounded the need for community in cybersecurity – a coalition of the willing – sharing information, best practices and data analyses to protect one another and create solutions that collectively make the ecosystem safer for all. Our talk veered into potential solutions for all of these issues so prevalent not only in the automotive industry but any industry that uses and stores massive amounts of data.

We converged on what seems to be the best course of action going forward – deploying an automated toolset that overlays the myriad cybersecurity vendors, triaging and prioritizing the attack alerts by utilizing AI to aid expert cyber professionals to identify, track and kill an attack in real time. This would provide an easier way for Massimilla and his team to manage GM’s massive, distributed network and data across factories, offices and suppliers, and to protect its millions of customers on the road.

Global organizations like GM will to continue to vet new cybersecurity vendors and onboard new products, yet it will take a new generation of artificial intelligence enhanced products as well as greater productivity from integration, orchestration and process automation, plus training more cyber professionals and communal sharing of protection technology and techniques to slow and reverse the escalating hacking threats across the supply chain.

Returning to Shakespeare’s Hamlet, we must choose, “To be [safe], or not to be…” – because insecurity is not an option.

David J. Blumberg is the founder and managing partner of Blumberg Capital. Follow him on Twitter at @davidblumberg