Interview with Michael Lester

Email interview held on 11th September 2017 – as follows between Alan Radley (questioner) and Michael Lester (relator):

1. What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?

In one word “Abysmal.”  There are few organizations that are truly spending the time and resources necessary to be secure, even to a minimal level. Working for a consulting company, I have the privilege of viewing many different companies from the inside.  I am frequently shocked at the level of security they have.  The main problem, is that corporations are spending hundreds of thousands of dollars on firewalls and other appliances while their software team is fielding new applications, or changes to applications, almost weekly without even performing a static code check on the applications.  Is anyone really surprised that Equifax was the result of an application vulnerability?  Veracode’s recent report shows that over 50% of all attacks are on the application layer, yet only 1% of security spending is on the application layer.  We’re guarding the gate while the enemy is coming in over the wall.

Consumers want security, but they want convenience more.  Most are willing, at least tacitly, to give up some security for convenience.  I find it humorous that many consumers confide in me that they want to know that they are secure, and then post on Facebook their travel plans, their pet’s names, their kids birthdays, and other personal info that a hacker can use.  Consumers won’t be secure until they stop being information donors.

2. What – in your estimation – is the percentage of “cybersecurity professionals” that actually know what they are doing?

This is hard to quantify.  There are some very, very competent professionals out there.  On the other hand, there are a lot of people that may have acquired a certification or may hold a security title that really have no passion for security and don’t understand IT or human psychology well enough to know how to protect it.  I think this varies with position as well.  Actual practitioners are much more versed than many of the executives that are tasked with security.  With nothing to really base my belief on, I’ll go with a safe 50/50 estimation.

3. Where do you go to find your “science” of cybersecurity?

Blogs are fine for real time, fast knowledge acquisition, but they also have a higher noise and false-positive ratio.  For concrete information, I rely on studies and reports that are commissioned by reputable firms that have put a lot of time and money into the research and have their reputation on the line like IBM, Microsoft, Veracode, Ponemon, etc.  But I’m still taking in information from more fast response sources as well.

Information happens so quickly in cybersecurity that it is a full time job just keeping up with the data flow.  I use Flipboard on my phone to track multiple sources of security info and then flip through it probably two dozen times a day just to see what is trending.

4. Do you recommend a particular cybersecurity blog that our readers could follow?

Depending on the purpose, there are many.  I have to comment though that there are also many you shouldn’t follow.  I was shocked to see an article in the news today reference “SwiftonSecurty”.  Seriously?

I checkout  Schneir and Krebs, but more than that I watch hackernews and darkreading.

5. What keeps you up at night in the context of the cyber environment the world finds itself?

I sleep well every night, but I’m a realist.  I know that as soon as I wake up I will find that there was another breach or another zero-day, or another variant of malware.  It is a constant battle.

Looking towards the future, however, I’m concerned with multi-variant, combinatorial threats.  I’m surprised that no one is really looking into this area.  We proved empirically that we could create malware that could be distributed in pieces, each one of which is benign, and then have those pieces combine autonomously into a malicious application (A la Stuxnet).  From a state level, this would be my biggest fear.  How do we protect against that?

From a corporate level, my fear is that many company’s security programs are mostly smoke and mirror, or more correctly, they think they are doing the right thing, but they aren’t.  Target had most of the Gartner magic quadrant devices running when they were breached.  Unfortunately, they weren’t being monitored.  It was like someone put a huge industrial lock on a door next to a plate glass window.

From a personal level, it is almost impossible to stay safe.  The best we can do is limit the information that is available, or structure our lives so that if our information was compromised, that it would have little effect.  Personally, I try to do both…to a degree.  Like many others though, I choose to trade some privacy for some convenience.  I have location settings on my phone turned on so that I can use programs that require that, but I know that someone, somewhere could locate me and where I have been.  It is a tradeoff.

Thank you kindly Micheal Lester for taking the time out of what must be a busy schedule to answer our questions in such an illuminating way.

Interviewee: Michael Lester,

Chief Information Security Officer, Magenic.

Michael Lester – Biography

I’m currently the CISO for Magenic , Inc., a custom software development firm, and the co-founder of LegacyArmour, an online service that represents the evolution of stored information from a “pull” to a “push” technology.

My first computer was a TRS-80 and I loved programming , but as I gained more experienced, I realized that computers were only interesting for the business or social issues that they solved.

Now, my passion is using my years of leadership training and experience from the U.S. Naval Academy and the U.S. Marine Corps to link my deep knowledge of computers and my business training and experience to lead high performance teams that are working on today’s most challenging business issues…and more times than not, that means cybersecurity.

Life is not a series of discrete items, but a complex system where every item affects every other. I’ agree with Robert Heinlein: “Specialization is for insects.” Thus, I can program a computer, fly a plane, skydive, scuba dive, repair an automobile, build custom furniture, con a boat, write a sonnet, lead others, follow others, learn from others, and teach others.

I know when to make changes. When our corporate structure was too flat and no longer supported our corporate goals, I devised a new structure and career progression that increased morale and supported our corporate strategy. But I also know when not to make changes. Change needs to be supported by goals and logic, not made just for the sake of change.