Fighting Cyber-Crime for the FBI and Deloitte
By Eileen Feretic
What do you do after you've served as the supervisor of the FBI's 9/11 investigation … and an on-scene commander after the USS Cole bombing … and an investigator of the 1998 bombing of the U.S. embassy in Tanzania … and the Special Agent in Charge of Cyber and Special Operations in New York City?
That's what Baseline asked Mary Galligan, who recently retired after handling all those weighty responsibilities in her 25 years with the FBI. Her response: You continue fighting cyber-threats by helping organizations deal with cyber-security and crisis management. That's Galligan's new job as a director in the Security & Privacy practice of Deloitte & Touche.
One of the main lessons Galligan learned from her years dealing with terrorism is that, if we are to win this battle, government, business and academia must work together and share information about threats.
"This needs to be a two-way street," she said. "Government has begun sharing cyber-security information with the private sector, and business is starting to share more in a confidential way. Part of my role at Deloitte will be to educate and advise the private sector about the importance of sharing security information and to tell them what the government can bring to the table."
Galligan has seen a significant change on the private sector side in the last few years. Part of that is the result of a number of very public breaches that have opened the eyes of corporate boards to the importance of cyber-security. A growing number of directors, she said, now understand the damage a breach can do to a company's profits, customers, regulatory issues and reputation. Consequently, more of them are willing to fund budgets for increased security.
The U.S. government, for its part, has been taking proactive steps to help the private sector. A key initiative is Feb. 2013's Executive Order 13636: "Improving Critical Infrastructure Cybersecurity." Among other things, the order states: "It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber-threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber-threats."
As a result of the Executive Order, the National Institute of Standards and Technology (NIST) has developed a cyber-security draft framework, which includes voluntary protocols for dealing with cyber-risks. The framework covers the entire threat landscape—from deciding what needs to be protected to dealing with the aftermath of an attack.
"NIST is working with the private sector—including Deloitte—on these protocols," Galligan said, adding that there needs to be more of this kind of public-private collaboration.
Galligan pointed to the National Cyber Investigative Joint Task Force as another example of cooperative endeavors. The NCIJTF, which includes 19 intelligence agencies and law enforcement, "focuses on making the Internet safer by pursuing the terrorists, spies and criminals who seek to exploit our systems."
When dealing with such overwhelming security issues, it's hard to know where to begin. "You have to start with the fundamentals," Galligan emphasized. "You need to establish a culture of security, and that includes educating both managers and employees. Security should start at the keyboard."
Governance is obviously a critical component of any security initiative. "Companies have to make decisions about security as a business, and that involves working closely with the IT organization," she said. "For instance, a company has to decide how to handle the BYOD [bring your own device] movement. Most business smartphone users want to connect to corporate email, but only a small percentage of them have mobile security software. That needs to be fixed.
"Critical data makes up a company's crown jewels and must be protected, but a business has to decide which data is really critical. They should take a ladder approach, with the most important data at the top, and then decide who can access which 'rungs.' Once that's decided, they can design security around it."
When asked what poses the biggest threat to information, Galligan said that each company needs to figure out who would be most likely to target them—and why. "Who would want your data?" she asked. "A hactivist, criminal, nation state or one of your employees. The insider threat is often overlooked, and that's a big mistake, so be sure to involve HR and IT in protecting against internal breaches.
"Do a thorough risk assessment: What data is likely to be targeted and who would want it? Then reinforce your physical and cyber-security efforts around that data."
Asked her final words of advice, Galligan said: "These risks aren't going away, so take all possible steps to protect your data. And, if there is a breach, contain the damage and recover quickly."