Michael Brice has played a lead role in providing cybersecurity solutions to many companies, and has deep commercial and military experience in the financial services industry and in classified government operations. He answers questions around the growing concern of online security — and why CEOs can no longer afford to ignore it.
How did you become involved in Cybersecurity?
As a Marine Signals Intelligence and Electronic Warfare Officer, I was involved in cybersecurity before the word “cyber” was even in our lexicon. In that capacity, I served in the First Gulf War and saw how rapidly evolving communications technologies could be weaponized for immediate effect. Previously, electronic intelligence activities had predominantly been more of a nation-state, strategic chess game that didn’t involve the average person.
After leaving the Marine Corps, I became a Chief Information Officer for a publicly-traded company where I learned that the civilian consequences of a cyber event could have significant shareholder impact. This concept was not something I had ever considered while in the military.
Specifically, the concept that a hack with no operational objective could result in a huge public relations fiasco or result in the firing of a CEO from a simple loss of data (e.g., personally identifiable information) was a new concept to me.
With this new understanding, I realized that I wanted the same adrenaline rush I had only previously felt when dealing with nation-state actors while on active duty. I wanted to find a way to go head-to-head with the bad guys. While it didn’t happen overnight, I eventually created a cyber consulting and forensic firm focused on the financial services vertical. While I’m never pleased to see the carnage cybercriminals can inflict on our clients, I still get a rush every time we work on an investigation, knowing that we can and will make a big difference.
What would you consider the most significant cyber challenges facing CEOs today?
Although we work with extremely intelligent C-suite leaders, I find that many have not elevated cyber or prioritized cyber to their executive agenda. It’s somewhat stunning because cyber risks can often result in a catastrophic financial and reputational event for a company and an existential risk for the CEO. Many of the CEOs we work with assume that their CIO, CTO, or IT department have it covered. One thing I’ve learned in business is that when it comes to existential risks, you may trust, but you must always verify. CEOs often have a poor understanding of strategic cyber risk. As a result, they don’t require critical additional security oversight controls to ensure they know the actual dimensions of the strategic risks associated with cyber.
Many executives don’t grasp the crucial difference between Information Technology (IT) staff and cyber staff. While IT staff members spend their entire career focused on making IT operations work as smoothly as possible, cyber staff spend their careers discerning how a malicious actor might disrupt those operations. The epitome of this example is when I see an organization allow the IT department to conduct an internal investigation into a breach. Often, the breach was a mistake or failing of IT in the first place — so having IT investigate themselves is clearly not an optimal approach. Yet, I continue to see this misguided reliance on IT when cyber professionals should be involved.
Let’s assume a CEO has a proper appreciation for strategic cyber risk — what issues might they still face?
I see many executives address cyber risk as if there’s an end-state solution with execution that is single-threaded — that focuses on remediation of a specific vulnerability. By single-threaded, I mean a presumption that the risk will be remediated by merely performing several discrete actions (e.g., annual training, quarterly phishing, penetration testing, etc.) — to address what I consider the ‘low-hanging fruit.’ While this is a good start, it misses the key issue – which is the undeniable fact that cyber is a continuously evolving science in which today’s solutions will not prevent tomorrow’s threats. The CEO’s cyber plan needs to address cybersecurity as a continuously living program that will quickly evolve in ways that we cannot currently foresee or even budget for — and that last one (budget) is a real challenge right now. If you ask ten CEOs how much investment is required in cybersecurity, I suspect you will get ten different answers. Cyber program development and related budgeting are challenges that genuinely need an experienced security expert who can quantify risk and translate it into a budget so that the CEO can understand and accept it.
What’s your biggest challenge?
Finding and retaining world-class cybersecurity talent. Due to the nascent nature of the many diverse technologies associated with cybersecurity, it’s tough to find experienced employees. Consequently, it’s easy to fall into the trap of hiring a person who might look good on paper with the appropriate certifications, but has very little real-world experience. While we don’t mind developing our talent, inexperience sometimes results in poor decision-making, making a bad cyber situation much worse. On top of that, due to the shortage of talent, retention is also a challenge. It’s not unusual for a highly skilled cyber employee to change jobs every 12-18 months.
Tell me about your best success story.
That’s easy – we saved a PE firm from losing $300 million. We were brought in to do a forensic investigation by a Private Equity (PE) firm with a holding company that had lost $1 million to wire fraud.
The PE firm wanted us to determine how the holding company had been breached and confirm that it wasn’t an inside job. In the course of our investigation, we discovered that the holding company hadn’t suffered a breach, nor was there a malicious insider who had been involved.
Instead, it was the PE company that had been breached. Moreover, the breach was ongoing. We were able to terminate the malicious actor’s access approximately one week prior to the PE company making a $300m wire transfer. We were also able to explain how the prior wire had been fraudulently misdirected and not detected — primarily from a combination of poor security controls and no voice wire transfer confirmation controls. We’ll never know what might have happened with that wire if the corrective actions hadn’t been implemented per the investigation. However, I believe the criminals would have targeted the entire $300 million in the same way they successfully redirected the prior $1 million wire.