Interview
In the latest instalment of our interviews speaking to leaders throughout the world of tech, we’ve welcomed professor Michael S. Wills, SSCP, CISSP and CAMS at Embry-Riddle Aeronautical University.
Contents
- Tell us about the business you represent, what is their vision & goals?
- What inspires and energises you within your work?
- Can you share a little bit about yourself and how you got into cybersecurity?
- Could you walk us through a recent real-life scenario and how the business was affected?
- What are some misconceptions that you believe businesses have about cybersecurity?
- What are best practices for today and how can businesses avoid cyber threats such as ransomware, phishing attacks, etc.?
- What one vital tip would you give to companies who are reviewing their cyber security?
- Does your organisation use log and metrics data to improve and secure your systems? How do you find managing logs assists your day-to-day work?
- Are there any books, blogs, or other resources that you highly recommend?
- Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
Tell us about the business you represent, what is their vision & goals?
I’m a university professor, working with Embry-Riddle Aeronautical University. As a nonprofit, private, fully accredited university, their vision and goals (loosely translated) are to share what inspires all of us who love things that fly – in the air, in space, or beyond – with everyone – and by doing so, make the world a better, safer, more wonderful place!
Whether it’s being a research and development engineer, a test pilot, a savvier airport manager, a designer of a next-generation spacecraft or spacesuit, or a better business model for making air travel comfortable, safe, enjoyable, and profitable, the ERAU community lives and breathes learning and thinking and being different from other universities. Having taught or studied with several others in the US and UK, I see this every day. Think about someone who’d write a book called “Why Hospitals Should Fly,” for example; that metaphor of safety of flight, reliability, repeatability, attention to detail… everything involved. That’s how this university sees the world and the future.
What inspires and energises you within your work?
I get my greatest joy when I share an “a-HA!!” moment with my students (and with my coworkers too!). I learn through my students; being a part of a system and a place that can inspire and enable that kind of magic to happen, every day, in different ways, is just so worth it!
I’ve been a big-picture thinker and visionary for my entire life; whether I’m zooming in to see the fine-grain details in the tapestries or stepping way, way back to see them in their grandeur, I love discovering how and why the systems of life and everything come together. Sharing that sense of wonder and discovery with people is (in my heart and mind) what teaching and learning are all about.
Can you share a little bit about yourself and how you got into cybersecurity?
I grew up during the Cold War, the dawn of the Space Age, and the dawn of the Computer Age, all at the same time. The spirit of the 1960s was fueled in part by great dreams of wonder and by the sparks flying off of the changes that so many of these “things of the ages” were causing, all around us. They were times you simply could not be alive in and not be changed by!
I chose to study computer science, went with the USAF ROTC program, and spent 28 years and 28 days on active duty, nearly two-thirds of it building and flying national security space-based mission systems. I’ve helped write science and technology-focused national security policy for two nations (US and UK), and realized partway through my time as a teacher at the UK’s Joint Services Command and Staff College that my particular style of leadership is what I call “teaching.”
I tell my students that part of what I do is that I shatter their illusions. They tell me that I make them think. (My wife says they follow that with “and how dare he?!!”).
But from the time I was a kid, watching movies like “2001: A Space Odyssey,” or reading a thousand books about robots and AIs and the over-computerization of our world, it was trivially easy to see that with the great powers that computation and information theory bring to us come great vulnerabilities. (Think of The Moon is a Harsh Mistress as an example.) So while I spent decades being a rocket scientist, space mission systems planner, operations analyst, and systems engineer of many trades, I spent those same decades thinking about how to safely, reliably, dependably build, operate, and live with those systems. And what to do when they fail.
We love our buzzwords; “cybersecurity” has so much more sizzle than “information security” or “safety”. But riddle this: why does the Spanish language use one word to represent both concepts? (For the same reason you turn to your insurance companies to secure your interests in the event that safety measures fail.)
Could you walk us through a recent real-life scenario and how the business was affected?
At ERAU, I am a teacher and researcher of information systems security, decision assurance, risk management, and related topics; I don’t actually “do cybersecurity” here.
One example was a student’s story about the business that their parent worked in, a commercial aviation services provider, and its (then) ongoing recovery from a ransomware attack. You might say that most such small to medium businesses invest in protecting physical assets – such as their aircraft – and making sure that they comply with all of the flight safety regulations for the aircraft and their flight crews.
Making comparable mission assurance investments in their information infrastructure, though, faced the all too typical uphill battle for a share of the revenues. They got hit hard, and lost a lot of data. Some of their bog-standard contingency plans worked; they’re still trying to assess how much of their data has started to circulate on the Dark Web. And they’re starting to rethink their security posture.
What are some misconceptions that you believe businesses have about cybersecurity?
The bitterest one of these is that cybersecurity is a cost, rather than a value function. It is reminiscent of the arguments about quality as a cost, rather than as a strategic and tactical way of improving the reliability, repeatability, and affordability of the products and services the company provides.
The SMBs can also be too quick, I believe, to assume that having an effective cybersecurity program is too complicated, and therefore too expensive, for them to take on. This is partly the fault of the cybersecurity industry, and their government partners, who for decades made it seem that you had to first plan, study, measure, inventory, and assess everything in your organization, then prioritize risks to mitigate, then plan those mitigations, then achieve them.
We in the security space made this Procrustean bed too expensive, too complex, and too scary for all but the Fortune 5 and the big aerospace and defence companies to take on. Thankfully, the ransomware pandemic of the last two years has gone a long way to raising awareness that finding and fixing today’s risks, then taking tomorrow’s risks on tomorrow, is much better than never taking on any risks at all because that mountain of top-down exhaustive risk management is too high and too hard to climb.
What are best practices for today and how can businesses avoid cyber threats such as ransomware, phishing attacks, etc.?
There are LOTS of “top ten tips” lists out there on the Internet, and most of them agree on most points. First, stop and think; identify those assets, processes, or objectives that are the most vital, critical, can’t-do-business-without data-driven “stuff” that the organization has or needs. Review their security posture: do you keep them backed up? Free from malware? Do you restrict who can access them? (Do you let just anybody in the company see them, change them, copy them? Please say no.) Find and secure those “crown jewels”.
Make some policy decisions: access control and business continuity of operations are the obvious places to start. Then look at acceptable use policies.
Talk with your people; where do they think your organization’s “soft underbelly” is hanging out?
Then, start looking around your organization a bit further. In the purely physical world, you’d pay for safety inspections to keep employees, customers, visitors, equipment, and your paper files safe from fire, flood, electrical malfunctions, and the like. You’d have reasonable anti-theft locks on the doors and windows, maybe an alarm system or a security services provider. Extend that same thinking, asset by asset, critical business practice by critical business practice, day by day. Don’t try to do it all at once.
What one vital tip would you give to companies who are reviewing their cyber security?
Do your recovery strategy and plan actually work? Ransom attacks, disgruntled employee sabotage, or an earthquake can utterly destroy every bit and byte you have on the premises. It’s easy to say you can quickly buy replacement IT hardware, or contract for a replacement cloud service. But without a malware-free, up-to-date backup of your business data to reload, you’re not just starting over. You’re recreating your business from scratch. And in the meantime, don’t you have a payroll to meet this week?
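The two answers above both come back to the same practical question: do the backups of your “crown jewels” actually restore, intact, when you need them? The script below is an added illustration of that check, written for this article; it is not the interviewee’s code, and every file name, directory and sample record in it is constructed. It creates a small backup archive with an embedded SHA-256 manifest, rehearses a restore into a scratch directory, refuses archive entries that would escape that directory, and reports which files came back unchanged, which are missing, and which no longer match their recorded hash.

```python
"""Added example (not from the interview): a minimal 'does my backup actually
restore?' rehearsal. It writes a few constructed business files, archives them
together with a SHA-256 manifest, restores into a scratch directory and verifies
every file against the manifest. All paths and file names are hypothetical."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # hypothetical name for the manifest stored inside the archive


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Tar the source tree and embed a manifest of relative path -> sha256."""
    manifest = {p.relative_to(source).as_posix(): sha256_of(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    manifest_path = archive.parent / MANIFEST_NAME
    manifest_path.write_text(json.dumps(manifest, sort_keys=True))
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        tar.add(manifest_path, arcname=MANIFEST_NAME)
    manifest_path.unlink()
    return manifest


def restore(archive: Path, dest: Path) -> dict:
    """Extract regular files into dest, rejecting entries that would land outside it.
    Returns the manifest that was stored in the archive."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = (dest / member.name).resolve()
            if dest not in target.parents:  # tampered or malformed archive entry
                raise ValueError(f"unsafe path in archive: {member.name}")
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, target.open("wb") as dst:
                dst.write(src.read())
    return json.loads((dest / MANIFEST_NAME).read_text())


def verify(dest: Path, manifest: dict) -> dict:
    """Compare every restored file to its recorded hash."""
    result = {"restored": 0, "missing": [], "corrupt": []}
    for rel, expected in sorted(manifest.items()):
        p = dest / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != expected:
            result["corrupt"].append(rel)
        else:
            result["restored"] += 1
    return result


def demo() -> dict:
    """Run a full backup/restore rehearsal, then show what a damaged restore looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "live"
        # Constructed sample 'business data'; contents are invented.
        (source / "ledger").mkdir(parents=True)
        (source / "ledger" / "payroll.csv").write_text("id,name,amount\n1,A. Pilot,4200\n")
        (source / "maintenance_log.txt").write_text("2024-01-01 airframe check OK\n")
        archive = tmp / "backup.tar.gz"
        create_backup(source, archive)

        scratch = tmp / "restore_test"
        manifest = restore(archive, scratch)
        clean = verify(scratch, manifest)

        # Simulate a silently damaged restore: one file altered, one lost.
        (scratch / "ledger" / "payroll.csv").write_text("id,name,amount\n1,A. Pilot,9999\n")
        (scratch / "maintenance_log.txt").unlink()
        damaged = verify(scratch, manifest)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the rehearsal is the `verify` step: a backup job that reports success tells you an archive was written, not that its contents are the data you will need on the morning after an incident. Keeping the manifest inside the archive also means a restore onto freshly bought hardware can check itself without access to the original systems.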
Does your organisation use log and metrics data to improve and secure your systems? How do you find managing logs assists your day-to-day work?
The volume of log data means that without using fairly powerful security information and event management systems, you are quickly overwhelmed. Most managed security services providers can provide a wide spectrum of such SIEM services, including security orchestration, automation, and response (SOAR) capabilities, even at price points that small and medium businesses should consider.
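To make concrete what a SIEM does with that volume, here is an added, deliberately small correlation rule written for this article (not the interviewee’s code and not any vendor’s product): it parses a handful of constructed authentication log lines, keeps a per-source sliding window of failed logins, and raises an alert when a source crosses a failure threshold inside the window or succeeds immediately after a burst of failures. The hostnames, addresses and user names are all invented, and the line format is a simplified syslog-like one chosen for the example.

```python
"""Added example (not from the interview): a toy version of the per-source
correlation a SIEM performs over authentication events. Log lines, hosts and
addresses are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-like format (not real logs).
SAMPLE_LOG = """\
2024-03-04T09:00:01 gw01 sshd: Failed password for admin from 203.0.113.7
2024-03-04T09:00:03 gw01 sshd: Failed password for admin from 203.0.113.7
2024-03-04T09:00:04 gw01 sshd: Accepted password for jdoe from 198.51.100.20
2024-03-04T09:00:05 gw01 sshd: Failed password for root from 203.0.113.7
2024-03-04T09:00:06 gw01 sshd: Failed password for root from 203.0.113.7
2024-03-04T09:00:07 gw01 sshd: Failed password for backup from 203.0.113.7
2024-03-04T09:00:09 gw01 sshd: Accepted password for backup from 203.0.113.7
2024-03-04T09:30:00 gw01 sshd: Failed password for jdoe from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line: str):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def correlate(lines, window=timedelta(minutes=5), threshold=5, success_after=3):
    """Return (rule, source, timestamp) alerts for bursts of failures per source.

    'brute_force' fires once when a source reaches `threshold` failures inside
    `window`; 'success_after_failures' fires when a source logs in successfully
    while at least `success_after` recent failures are still in its window."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue  # unparsable line: a real SIEM would count these too
        recent = failures[event["src"]]
        while recent and event["ts"] - recent[0] > window:
            recent.popleft()  # drop failures that have aged out of the window
        if event["outcome"] == "Failed":
            recent.append(event["ts"])
            if len(recent) == threshold:
                alerts.append(("brute_force", event["src"], event["ts"]))
        else:
            if len(recent) >= success_after:
                alerts.append(("success_after_failures", event["src"], event["ts"]))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for rule, src, ts in correlate(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {rule} from {src}")
```

Eight lines and one rule are easy to follow by eye; the reason the interviewee points to SIEM and SOAR services is that the same logic has to run continuously across every host, with many rules, at a rate no person can read. The second rule is the one worth noticing: a successful login that follows a burst of failures is a much stronger signal than the failures alone, and it only emerges when events are correlated by source over time rather than inspected one at a time.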
Are there any books, blogs, or other resources that you highly recommend?
Well, shamelessly, I will of course plug my own books, which (ISC)2 asked me to write and then update: their official Study Guides and the Common Book of Knowledge for their Systems Security Certified Practitioner (SSCP) Certification. They asked me to focus the study guide more towards helping its readers become SSCPs, rather than just helping test-takers pass the test. I found that to be a rewarding and challenging bit of writing to take on, and loved it!
Nicole Perlroth’s This Is How They Tell Me the World Ends is on the top of my “scary books” list, with its well-researched, boots-on-the-ground view of how governments lost control of the marketplaces they created for zero-day exploits.
I would also heartily recommend the work of Dr Nancy Leveson at MIT; her Partnership for a Systems Approach to Safety Information (PSAS), and its system theoretic accident modelling and prevention (STAMP) techniques are finding great applicability in every cybernetic domain. As more of us in the “security” space see the boundary between IT and OT as “the final frontier,” we can all learn a lot from PSAS and STAMP. Start at her website, http://sunnyday.mit.edu/, to begin your journey.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
Think about Google Research’s “selfish ledger” idea: that as machine learning systems and smart ledgers become more commonplace, their goal-directed drives for optimization and growth in value (of what their ledgers manage) may have them seek to modify the behavior of other systems. Whether such selfish algorithms are “independent” entities acting with intention or not is philosophically interesting, and may someday be legally important; long before we can sort out those questions, how do we deal with information entities that have no recognizable, accountable human controllers, and which are formulating and pursuing their own agendas?