Min Kyriannis is a cybersecurity and business development lead at the A&E firm Jaros Baum & Bolles. Kyriannis has 25+ years of experience in converged, global, information technology, cybersecurity, and physical security, as well as risk management across the U.S., Europe, Middle East, and Asia. She serves as Chair of SIA’s Cybersecurity Advisory Board and Vice-Chair of SIA’s New Product Showcase Committee as well as Co-President of Women in International Security - NY Chapter, which enables her to empower women and minorities in the technology and security industry.
In the following interview with Kyriannis, we discuss how companies are handling insider threats due to COVID-19, the alignment of physical security and cybersecurity, and what makes the perfect security hire.
You’re clearly a cybersecurity leader, and an inspiration for women who wish to rise in the profession. How much of that is intentional?
Every time I go to conferences, I notice there aren’t that many women in technical panels. I’m a big proponent of having women stand up and lead, and I try to embody that and serve as an example.
What gets you going right now in this difficult time?
Anarchy fuels opportunity. In my mind there’s a huge opportunity that’s out there right now. The thing is finding a niche marketplace. Cybersecurity is always a big one, and now especially so because of the new vulnerabilities due to the hybrid workforce. As more and more offices reopen, there’s going to be a huge shift because not everyone’s going to be going back to work. There are a lot of questions about intellectual property, home networks, taking laptops home, and the code of conduct because you are now working from home.
The way I see things, the people who are willing and ready to take that risk in this unsteady environment are the ones who are going to be leading this next generation.
People are working at home who were quickly handed a Surface and may not be following corporate protocols, have virus protection, the right training, properly configured devices, or be using a VPN. Kids are sharing their parents’ computers. How do you get a handle on this?
You nailed the points. I would say a majority of companies don’t have a good security posture, much less effective work-at-home protocols. There’s huge liability there. If you don’t have a strong security posture for the devices you provide employees, and now it’s infected someone’s computer and their personal finances and their identity are stolen, who’s liable? It’s a huge question, but no one’s thinking about it.
Companies can modify existing policies to adapt. How many people out there are thinking about home networks? A person who doesn’t understand tech will use a router their ISP gave them that has software that tracks what they do for marketing purposes. There’s a big differentiation between commercial and business systems.
Also, cell phones are an issue. There’s a big case in which a company was probably compromised by a BYOD device and a home network. The consequence of stories like this is that people have to scrutinize their own networks. It’s going to be an interesting 6 to 9 months or 9 months to a year to see the fallout from these practices.
Experts are warning about increased risk of insider threats because of lower security in home networks, and people being furloughed who might maintain network rights and sabotage systems. Desperate people, a slumping economy, and poor work-at-home protocols are a volatile mix. What are your thoughts?
Insider threat is a big issue, but the threats are both internal and external. Since COVID-19, there’s been an increase in cyber attacks by at least 250%. A lot of instances don’t get reported because of legal restrictions. These threat actors tend to use human fear to gain access to networks. But the biggest risk is a cyber attack with profound physical consequences. My prediction is that a big attack will happen and take down a grid or city. I deal a lot with smart building systems; legacy systems that don’t have any security enabled or programmed are going onto the network. Elevators, water supply systems, and more are sitting open on the network. Okay, your data may be compromised, and that’s bad, but imagine if a hacker hijacks your elevator and threatens to drop a car full of people 50 floors. You’re talking lives, not just data loss. It’s likely that nation states will attack each other’s infrastructure. It’s happened already, and those are just the cases we know of.
Years ago, physical security dominated cyber. At a certain point, cyber overtook physical security, certainly in budget, staffing, and leadership roles. Cyber is a board issue, physical rarely is. What do you think the right balance is?
In my mind, physical and cyber have to be aligned. Let’s take a typical building. If you see a guard sleeping, I can find a port and compromise your network right off the bat. That’s both physical and cyber, and those policies have to work together. CSOs and CISOs have to talk. Data is money, data is your business. But there’s nothing more important than protecting your people.
How do you structure that? Should they both report to a Chief Risk Officer?
It depends on the company and the vertical. I can assure you that a tech company won’t have a CISO report to a CRO. It’s not how it’s structured; it’s how well people play in the sandbox together. Company culture is critical. It’s not the titles, it’s the people who can work together. It’s not a matter of reporting. They all have to align together.
Who is the perfect security hire? CSOs and CISOs say there’s no one with both sets of skills.
There’s too much detail out there for one person. It’s impossible to know every cyber regulatory law, and how every security system works.
I saw a job description for a CISO loaded with specific technical requirements. Is this the right way to go?
Not at all. CISOs should be business executives, not necessarily technical wizards. Job descriptions are too regimented. Jobs are evolving as well to fit future criteria. Let’s see which companies can keep up.