Cyber Security With Dr. Eric Vanderburg
Why did you get into cyber security?
I have always had an interest in technology. I played with some of the early computers and tinkered with them to see how they worked. In the dawn of the PC age, I fixed the computers of friends and neighbors. Eventually I made a career out of it, first focusing on personal computers and then working with company networks.
You could say I came to a point in my career where I had to make a choice. I had enough knowledge of how computer systems worked to do one of three things. I could use my knowledge to exploit others by stealing their valuable information. I could stand by and not get involved, or I could help people and organizations protect themselves against cyber criminals. A life of crime doesn’t suit me and I am not the type of person to sit idly by, so I started advising companies on how to be safe.
When I first got started in information security, the industry was so new that I mostly just installed firewalls at company sites and educated employees on how to protect against common threats like spam, viruses and unauthorized persons at a workplace.
As you know, the industry did not stay that way for long. The casual attacker of those days is gone. He or she has been replaced by three much more organized groups: organized crime, cyber terrorists, and corporate or government espionage groups.
The goal of organized crime is to steal information that can be used to make money, such as social security numbers used to create fake identities, credit card numbers, or account details.
Cyber terrorists are interested in disrupting services to incite panic and create awareness of their “cause”. Corporate and government espionage groups wish to steal proprietary knowledge such as corporate designs, customer lists, classified information and government technology.
In the same way, my role has changed and now I and my company work to prevent threats of a much greater impact.
What can you tell us about cyber security which we may not know about?
Cyber security is not about implementing more and more technologies. It is mostly about people.
For cyber security to be effective, it must be part of an organization’s culture such that they perform their tasks securely without even thinking about it. This comes with training and with the continued modeling and promotion of leadership.
Is the industry a growing business?
- Would my company be safe if it was presented with similar circumstances?
- Can I trust my employees and the companies I do business with?
- Will the data my company relies on to do business be there tomorrow when I need it?
- Am I doing what my shareholders expect of me to protect company and customer information?
- Could I lose my job or even face time in prison for not complying with government regulations on information security?
Describe one of your most interesting projects
That is a hard question because I have worked on so many interesting projects.
I guess I could highlight one case where I was an expert witness. The company I was representing found that one of their competitors had proprietary information on their company but they stated that the information was available publicly and that they obtained it legally.
I was brought in as an expert witness to evaluate whether the information in question could be obtained publicly or if someone would need to break into the organization to obtain it.
If you were to leave our readers with one piece of business advice what would it be?
If your organizational security relies purely on trust or secrecy, it will not last long. Both operational and technical controls need to be in place to identify theft or misuse of information so that it can be handled quickly.
There must also be layers of defense. To exemplify this, the way a safe works is not a secret but it can still be relied upon to protect what is inside it.
Still, a dedicated attacker can crack a safe given enough time, so layered defenses are provided to protect against this. These defenses may include guards, alarms, motion detection and temperature sensors.
One must defeat all the controls to get to the loot.