GE Reports: You recently gave a keynote at the Institute of Directors’ leadership conference in Auckland; did you have a chance to assess how New Zealand and Australia are doing with cybersecurity?
Tim McKnight: From my experience, a lot of the cyber expertise has been shared amongst The Five Eyes, the US, UK, Canada, New Zealand and Australia. The governments of those countries have been working on it for many years now. But I got the sense that in New Zealand it’s a topic that’s only arrived in the past few years for the boardroom, and that they’re trying to get their arms around it for their businesses—to figure out what are their frameworks for an approach, what is best industry practice for approaching it, and managing the risk of the company. The folks in the room were absolutely focussed on trying to learn from any mature companies, like GE, in this space.
GE Reports: Do governments need to become more involved with helping businesses? For example, the Australian Government recently said it’s offering to help big businesses here conduct voluntary cybersecurity health checks.
Tim: The partnership between government and industry is critical to solving the challenge. The fact that it’s voluntary is also a very good start, because a heavy regulatory regime is not going to solve the problem. When 80% of the critical infrastructure in any given country is in the hands of industry, the government needs to find ways to work with industry to help solve cybersecurity problems. That’s how we approach it at GE. We’re very focussed on how we share with government, how we share with trade associations, how we share with our peers in information-sharing and analysis centres. Any resources that the Australian or New Zealand governments can bring for companies absolutely should be brought to bear.
GE Reports: Do we have enough trained cybersecurity practitioners available? In Australia the government recently announced 800 new roles in intelligence and cybersecurity. That’s a lot of new jobs.
Tim: It is. I’ve been trying to convince my teenagers for years that it’s a great place to go! The skills shortage in this space has exploded in the last few years. Ten or 15 years ago, it was easy to find people to hire; we had them coming out of the military, the defence-industrial base and Fortune 50 companies. But in the past five years, the increase in demand has made it difficult to attract, grow and retain the best talent. The good thing is that formal education in the space has grown significantly. When I started, there were maybe five or six universities in the US that had some type of cybersecurity education; it wasn’t even a major. Now we’ve got numerous bachelor’s, master’s and even PhD programs. But you’re right, there’s a big gap right now in filling those roles. It’s very competitive and we need to focus on that, and governments need to assist as well.
GE Reports: Is creativity part of a cybersecurity job description? Is there a personal trait you look for in your hires?
Tim: In my years of doing this, we’ve drawn from the traditional areas: trained by the government, worked in the military, did forensics for a law-enforcement agency. We’ve definitely drawn from the IT community, with more of a traditional computer-science background and training ... people who do networks and firewalls who understand IT systems. But we’ve also found that some of our best hires are just really good, detail-oriented problem solvers. Depending on the role in the organisation, they might have a history degree and take soft security certifications.
GE Reports: With the Industrial Internet built on zettabytes of data, connecting for GE alone more than $1 trillion of customer assets, the security stops with you, doesn’t it? Are you sleeping well at night?
Tim: There’s a little cartoon that shows how the CEO sleeps, how the CFO sleeps and how the COO sleeps: on their back, on their side and in a foetal position! They don’t even show the CISO in bed! I don’t sleep a whole lot! But that’s part of the job that I love. It’s constantly a challenge because it’s like playing a good rugby game, or a football game here in the US. You’re running different plays so your opposition isn’t reading your play, and running to gaps that you may have in your defence. We’re very focussed on the fact that cybersecurity and information security matters to our customers, and they’re really demanding that of us as part of our move to Predix and their move to Predix. These are also critical infrastructures that we need to protect: keeping the lights on and making sure that our trains operate safely, that medical equipment operates safely and in a safe environment.
GE Reports: Clearly OT [operational technology] security is vital, too. But when you have those connected physical assets open to multiple users and multiple organisations, that makes it harder.
Tim: It’s no doubt a challenge. GE’s strategy is driving connectivity to big iron, so that we can pull big data off of those devices. And our challenge is to make sure that’s done in the most secure way possible, and that we’re defending that big iron as well. This has led us into launching a new business, Industrial Managed Security Service, through Wurldtech. We’re definitely at the cutting edge of this and I’ve met with a lot of our Fortune 50 customers about it, and the feedback is tremendous.
GE Reports: How does the GE Store approach help as you look across the business for solutions to enhance cybersecurity?
Tim: When I got to GE, definitely there was a view that every business ran on their own [cybersecurity]. But over the past few years we’ve moved to a “one team” approach, and pulled together as one security team, across the company. We have 1,200 cybersecurity professionals across this company and we are making sure we’re utilising that talent very aggressively in solving challenges across the businesses, and getting best-in-class solutions. They may come out of Aviation, out of Transportation, or out of Energy Connections... We’re absolutely taking advantage of those opportunities. And it’s really exciting. We’re probably one of a dozen companies with a talent force for cyber that big. We’re very lucky.
One example is a tool [NOMS in a Box, aka NIAB, software] that was created by the GE Aviation team, which we’ve shared with our customers. It helps them identify bad actors that are operating against them in their networks.
GE Reports: With Predix, you’re inviting outside developers onto your open platform. What do you say to the customer who asks whether their IP and their data are secure when you’re trying to open things up and keep them safe at the same time?
Tim: They are asking that question. We have numerous customers coming to co-develop with us on the Predix platform, and we are working aggressively to address their security concerns around their data. And they have very extensive data. Whether it’s an airline or healthcare, we’re implementing controls at numerous levels: at the data level, at the database level, at the application level and then all the way out wrapping that in a managed security service and protecting the overall platform.
GE Reports: Nevertheless, it is asking a lot of customers, to trust in GE expertise.
Tim: It is. But cybersecurity is a very small community. I’ve been doing this for 16 years as a CISO in industry and FBI before that, and I know just about all of my peers among our major customers. So they are not shy in reaching out. We’re building GE for GE, on Predix. All of our businesses are moving on to the Predix platform, which gives us the ability to sit down with our customers and tell them that it is good enough for us, and they can decide whether that’s good enough for them.
GE Reports: How should industry be working to help improve cybersecurity?
Tim: It’s really important that companies like GE stand up and help to raise all boats with respect to their cybersecurity posture. Whether that’s sharing the tools we create, sharing the threats we’re seeing, sharing our practices, setting the agenda for our industry or setting standards for our industry. I’m a big proponent of that, and we do that in just about every industry we operate in. My CISOs in each of the GE businesses sit on many of these information-sharing analysis centres, within their respective industries, to help drive those agendas. While we have a big team working on cybersecurity, in other organisations it drops off very quickly … to where it’s some guy sitting in a room next to a closet. So helping smaller companies understand the basics of blocking and tackling ... giving them some tools, giving them some direction … that’s something we are constantly working on. In some cases, we’re even reaching out to them and saying, “Hey, we’re seeing somebody knocking at your door and we know they’re a bad person.”
GE Reports: So for any business, this attention to cybersecurity needs to come from everyone, right?
Tim: It’s not an IT problem, it’s a business problem. Cybersecurity is something the chairman, the CEO, the CFO, the general counsel, the CIO, the business leaders need to care about because it’s something that could erode their margins, take away their business, even destroy the business. I’ve seen companies go out of business from cyber attacks, let alone the intellectual property theft that has occurred. It should be treated within the framework of enterprise risk management for the company. You should be as concerned about cybersecurity as you are about financials, or as you are about losing key talent, or any of those other enterprise risks that you may track. You should have somebody who’s carrying the ball and leading the team in terms of implementing a program to address those risks.
GE Reports: That means that CISOs should have a corner office rather than the office next to the closet?
Tim: (Laughs) Yeah, I believe so. The faster the CISO role is elevated, the faster that person can have those discussions with other leaders in the company, the more educated they’ll get, and the more they’ll be working on the challenge to reduce the risk to their business.