A Conversation with Mark Houpt, CISO of Radware Partner DataBank
One of the many benefits that comes from working at Radware is the opportunity to work with cybersecurity professionals whose empirical experience protecting organizations from cyber threats and attacks presents a treasure trove of insightful and highly useful information. Mark A. Houpt, the CISO of data center provider and longtime Radware partner DataBank Holdings, Ltd. (DataBank), is a perfect example.
For more than eight (8) years, Mark has led and managed security teams and programs within DataBank. From working with him, including his team of professionals, it became very apparent that his experience, thoughts and advice about cybersecurity should be shared with others. For that reason, we asked Mark to respond to a number of questions to get his thoughts on them. His answers will resonate with anyone working in cybersecurity or those interested in pursuing it as a career. His views and opinions are solely his and do not necessarily reflect those of Radware.
Mark, what do you see on the cybersecurity horizon for 2023?
I think in 2023 cyber threats will impact the financial sector the most. There are many indicators that we’re going to have a major recession that will last the remainder of this year and into 2024. I personally think it will probably last through the election of and possibly the inauguration of the next U.S. president in early 2025.
A recession will impact cybersecurity in multiple ways. One of the challenges we always have with cybersecurity is showing ROI (return on investment) for what we’re doing. An economic downturn means less revenue. And that means compliance teams will be forced to pare down because they don’t generate apparent revenue. Unfortunately, this comes at a time when many laws and regulations are coming down the pike. There will be cybersecurity ramifications as a result.
So, I think you’re going to see thinned-out cybersecurity and compliance teams. With overworked, but smaller, compliance teams, you’re also going to see a lot more audits. There will be other scenarios, including maintenance items, that can slip through the cracks. This can create a snowball effect to open the door to more large-scale threats, like ransomware attacks and regulatory compliance failures and fines.
Regarding compliance teams, they’ll be greatly affected because there are twelve (12) new compliance privacy laws that are going into effect in the United States. Each is in a different state. You have the California CPRA (California Privacy Rights Act), and Virginia and Michigan laws, to name a few. Other places are instituting new privacy laws, as well. And any time a new regulation is put in place, there’s overhead. There are things that an organization has to do in order to comply. And in order to comply, you need to prove your compliance. Or respond to failures to comply.
To add to that, there are currently twenty-six (26) potential laws that will go into effect because twenty-six (26) different states have legislation pending right now in their legislatures. So, over half the states within the United States alone are attempting to enact new privacy laws. That doesn’t count the potential for additional federal laws, as well, at some point.
So, compliance teams — keep in mind that I’m not talking about your typical security teams here; those are operational — will probably take a hit due to the economic downturn. There won’t be enough time for most companies to respond to these new laws and regulations. And with those teams being thinned out, there won’t be personnel and time to respond to these new laws that will be enacted across the country.
How do you think the Russia/Ukraine conflict will affect cybersecurity?
No question, it will influence cybersecurity and inspire threat actors. Of course, Ukraine believes the Russians will be the ultimate losers. If that happens, you have to think about what that means for threats coming out of Russia. What will happen when Russia, the “bear”, is pushed into a corner? How will they react to a defeat in Ukraine?
Of course, the Russians have always been purveyors of ransomware and other attacks across the landscape. You have to worry about that piece. While there has been a little bit of a downturn in ransomware in early 2022, at least the large-scale attacks, I think it will pick up in 2023. One of the reasons it was down is because one of the largest ransomware teams disbanded and was blown apart. Many who were a part of that team started to align themselves with others or create new teams.
Many of the ransomware attackers were Eastern Europeans, and many of them were Ukrainians who had an affinity towards the Russians. Why? Because the Russians were paying them to be their agents. When the Russians physically attacked Ukraine, many of these Eastern European nationals, although originally aligned with Russia for the money, became afraid the Russians were coming after their home countries next. As a result, national pride comes before money, at least initially. I think in 2023 you’ll see ransomware on the rise as all these teams coalesce, regroup, and become more targeted in their efforts and attacks with new bosses, not the Russians. There will be (or are) Mafia-style business units launching ransomware attacks independent of the orders from a nation state.
Now, if Ukraine loses, there will be a host of different issues, as well. Realignment of the ransomware kings. New alliances perhaps formed between governments in Easter Europe, leaning towards the Russians instead of the west. It is a strategic chess match that those of us in cyber-security need to watch closely.
I think we need to watch out for what happens in Asia as well, primarily North Korea. They have a significant cyber warfare unit that has launched many worldwide attacks in the past. But what I think we really have to watch out for is whether China is provoked into something that makes them launch attacks on their own or with Russia. The geopolitical issues are causing the most instability that will boost cybercrime.
Why do you think ransomware will pick back up in 2023?
Along with what I mentioned earlier about the rise in ransomware, the biggest reason ransomware continues is that we continue to pay for it. Cyber Insurance often covers it, as well. As long as ransoms are paid, the attacks will continue. If the money dries up, attackers won’t be as interested in launching ransomware attacks. Why would they? It’s the reason ransomware exists, with the exception of using it to cover other hack attacks and the theft of intellectual property.
Another reason ransomware exists is because organizations don’t practice good security hygiene and hackers playing around and find easy targets. Ransomware is only their weapon of choice to get a thrill off of the success of an attack. To combat ransomware, you need to have good backups that are properly done and do the basics of patching, removing unused accounts and other hygiene. That doesn’t mean just taking a backup and setting it to the side. If you create good backups, there’s no reason to pay ransom. Just rebuild everything from the backups and get it back online. But for whatever reason, many people don’t pay the upfront money to fully protect themselves.
I’m not knocking cyber insurance. There is certainly a place for it, especially if it’s used responsibly. If I have car insurance and go around driving my car at twice the speed limit, taking curves like a madman and not caring about it because the insurance will cover damage, that’s not a responsible use of insurance. If you drive responsibly and you take care of your vehicle, the insurance has significant value because it’s there for an emergency. Unfortunately, many people these days are driving their cyber security “car” around thinking that if something goes wrong, they’ll be OK financially. As a result, cyber insurance premiums have gone up precipitously. In fact, they have gone up over 100% each year for the past three years.
What are your thoughts on the cybersecurity skills gap?
There’s a ridiculous lack of professionals in cybersecurity. One of the problems is that we’re graduating many students who don’t really understand cybersecurity. We’re getting underqualified people coming into the industry right out of college because all they have is book knowledge. Cybersecurity is not academic, it is practical action, sometimes even hand-to-hand combat with a keyboard.
One of the questions I always ask applicants is to tell me the best algorithm and key strength to use to encrypt HIPAA data. First of all, most don’t know the difference between an algorithm and a key strength. They just give me key strengths. In fact, most college graduates with no experience often don’t even understand what HIPAA is. They can’t tell me that the HIPAA component we are speaking about is designed to protect medical healthcare data and that there are many other provisions of HIPAA not related to security.
You have kids coming in with Master’s degrees, but they don’t have a good foundation in technology. You also have CISOs that transfer in from other areas or departments, and they may not have a good cybersecurity foundation either. Bottom line, they don’t know how to really secure an environment. As a result, you’ve got CISOs that go to their CEO and say they need hundreds of thousands of dollars to secure their environment, when they may be asking for a budget that’s unnecessary, at least at the level they’re requesting because they don’t understand risk, threats and how to defend against them – they only read about the business in a book.
Honestly, you don’t need a college education for cybersecurity. That might not be a popular opinion, but this is blue-collar-type work. It’s a modern version of “Pick up a hammer and a wrench.”
A great option if you want to work in cybersecurity is what I did — go into the military. I went in as a cryptologist in the Navy back in 1991. I got a very good foundation that served me very well when I went into private sector cybersecurity. The military is the only place in the United States where you can legally do offensive security, meaning you’re actually attacking another entity in the name of defending our country.
If not college, then what can we do to educate our workforce and gain experience? Of course, you can get certifications and work in an apprentice-type program. But I recommend learning about technology first, then building your cybersecurity on top of that. I’d like to see students take two years’ worth of trade school-type education, then two more years of internships. Put them in the field and in security operations centers (SOCs). Also, inside financial institutions where they really have to talk the talk and walk the walk. Make them learn about all the different technological pieces that come together, including physical security, to make up the big picture we call security. That’s how I would do it. That’s how I would address it; like I said, it’s a blue-collar thing.
When you just learn from a book and the attacker’s job is to do everything they can to circumvent the book, you need to know how to defend against that circumvention. If you don’t know, you can’t do it.
To use baseball as an analogy, you first start in little league, build up to high school, then college, then the minor and major leagues. And it takes practice day in, day out to get really good at it.
Questions About Cybersecurity? You Have Two Great Options To Choose From
Mark A. Houpt is the CISO at DataBank, where he leads and manages security teams and programs within their Cloud Service environment. He is a security/vulnerability assessment professional and handles security compliance as it relates to vendor acquisitions and assessments. Mark is an expert on the application of FedRAMP, HIPAA, and PCI-DSS in a shared tenant environment. He is responsible for communicating control responsibilities in cloud services to customers and internal agents and agencies, preparing for audits and accomplishing annual Service Organizations/Vendor assessment and compliance processes by the development of a repeatable assurance program that allows for measurement of security posture, year over year. Mark is also an expert in assisting smaller and mid-size companies in presenting their security posture to potential business partners, guiding companies through the complex and sometimes daunting process of answering vendor security/posture questionnaires, developing a compliant security program, and remaining compliant with client demands.