For this CISO executive Q&A we reached out to Eric Cowperthwaite, former director of information security at Esterline Technologies Corporation, who has since joined Herjavec Group as VP, Identity Services. Eric has led an interesting and diverse career in information security. He has held senior positions at security services providers, security software vendors, healthcare, and now in the defense industry. His career in security began before enterprise security had formed as a profession.
In this interview with Eric we discuss his start in information security, the relationship of a security program to the organization, and how AI will affect the role of enterprise security.
Here’s a lightly edited version of our conversation:
Thank you for taking the time, Eric. Let’s jump in. How did you get started in enterprise security?
I’ve always referred to myself as an accidental security professional because security isn’t what I thought I was going to do. In the mid-90s, after I left the Army, I went to work for EDS. They don’t even exist anymore. I was a system engineer. I did business process outsourcing work and I led a system engineering team. None of this had anything to do with security, other than IT, which at the time included some security as part of general practices. But back in the 1990s, we didn’t think about security much at all. That started to change, however.
I ended up working on a contract that EDS had with the state of California. We actually had a website taken over and defaced. There’s a throwback security problem for you. Today, the problems are a much different ball of wax. But at the time, there were those who were figuring out if they could do this and just having fun with it. And they defaced this website. They replaced the main page with something that said: Hey, I took this over. Ha, ha, ha. It was that kind of a thing.
That got me thinking about the fact that we were seeing the web and the internet and e-commerce becoming a big deal. And then some opportunities inside EDS came regarding more IT security-focused work. I thought that was interesting, and at the same time, other people were telling me, “I don’t know why you’re doing that, man. That is not the future. You want to stay on this system engineer pathway that you’re on. You’ll be a CTO or a CIO somewhere someday.”
I heard that advice a lot, but I found security really interesting. And I knew it was going to be important. But again, it was really accidental. If those opportunities didn’t come up, I wouldn’t have stumbled into security. I wasn’t planning on this as a career.
How did you make the leap to a full-time professional?
Well, that’s a funny question. It was sometime around 2003, and EDS had won a contract with the state of California. This contract required EDS to provide an information security officer for a specific program in the state. And there wasn’t anybody interested in taking that role. I decided to take it. I went to my boss and told him I was interested. He said: I thought I told you this is not the road you want to go down.
Yeah, but it sounds really interesting, I said.
I ended up being contracted to the state of California as one of their information security officers. That led me to a job in enterprise security at the regional hospital Providence Health and Services.
Back in 2003, I was convinced the industry would eventually solve most of the information security challenges and, as a journalist, I’d move on to another subject.
I think we solved the first round of security problems. Think of this as two different wars. The first one was all the email worms and website defacements in the early 2000s. We won that war. We beat those guys. Between securing our Exchange servers, building strong web DMZs, and securing the endpoints, we solved those early problems.
What we didn’t realize at the time was that success would drive our adversaries in an entirely new direction, which we clearly have not solved at all.
The smartest thing that the bad guys did is that they figured out they needed to stop going after our strongest defenses and target our weakest points, which turns out to be humans. This shows that identity is the foundation of security. If you don’t know who people are and whether they’re authorized to be in your information systems, then you just don’t have good security—period. You can do everything else. You can have all the anti-malware, advanced threat protection, threat intelligence, well configured firewalls, secure email systems, and everything else. But if you don’t have a solid foundation in identity, you just don’t have good security.
That’s so true. If you don’t know the who, what, when, and why someone’s accessing a resource, you’re toast.
Look at a company like Esterline. There are 12,000 people, operating in 22 countries, speaking 27 languages. And how we identify people is very much dependent upon local law and regulations. I can’t always gather all the information I might want on people in every country in which I operate because of privacy regulations.
And making sure that everyone has an appropriate level of access is challenging. And if it’s challenging for Esterline with 12,000 people, imagine what it’s like for organizations with 100,000 or 200,000 people.
And the thing is, identity isn’t a linear problem. As you add people, the challenge becomes exponential because every person has a computer they use. And a phone they use. They have seven different applications in your network that they use. They have their standard user identity, then they have an identity to get onto the internet. They may have a privileged user identity.
So, it may be one person, but it’s an exponential number of identities involved.
You’ve worked in many different industries as a security expert. Have you noticed big differences in how security is approached from industry to industry?
That’s a great question. I’ve been a security officer in manufacturing and healthcare, and then a consultant in state and local government, retail, transportation, and financial services. It really is different from industry to industry. And a lot of that has to do with how the organizations view themselves.
When I first was in healthcare, the organization viewed themselves as doctors fixing people. But by the time I was leaving healthcare, they were viewing themselves as an information industry. That change made a big difference in how they approached security. Prior to their thinking of themselves as being in the information industry, security wasn’t very important.
But when maintaining all of the health information about patients became crucial to helping patients be healthier and live longer lives, then information security became very important. It really was two very different perspectives, and I’m seeing that same shift in manufacturing.
Many people in manufacturing still think of themselves as an industry that makes a product and ships it to customers. But more are starting to see themselves as being an information industry. So their perspective of security is beginning to shift.
If you think of yourself as being an industry that does a thing, then you approach information security as a very discrete part of your business. You make sure that your billing and finance systems are secure, but other than that you are not too worried about security. But as a business shifts to become an information business, then everything changes and security becomes much more central to what you do.
Are you starting to see artificial intelligence and machine learning applied in real-world security use cases?
We are in the first stage of this right now. Industry is in the information and data gathering stage and enterprises are putting into place the right tools so that we can see what’s happening. Over time we can learn what events are good and bad in our environments and be able to take the appropriate action. The next stage is going to be AI and machine learning. We are already moving toward this. Our systems and connected devices are getting so complex that the amount of data being gathered is getting overwhelming. Humans can no longer see everything.
This ties into Industry 4.0, which is going to be very cool. We are going to start seeing distributed assembly lines. Today, when it comes to assembly lines, a company may have a supply chain that’s three factories deep, but each factory runs its own discrete assembly line beginning to end and then ships its product to the next assembly line. Then, that assembly line takes some action on the product and then ships its product to the next line, and so on. What if you could orchestrate all three factories as a single distributed assembly line?
In this near-future world, identity is insanely important because one needs to make sure that production operators are only touching the right machines in the right factory.
Do you think some of the artificial intelligence and machine learning tools that are new now, and that we’re just starting to apply in security, will help make a broad shift to a more proactive security posture?
Yes, I think so. And I think that we have to combine AI with security that scales. A couple of parts of the industry have gone there already, if you think about it. Look at email security. Some email security vendors are doing very cool things at scale using machine learning. They already know 99.5 percent of all the malicious email that’s out there. They already know it because they operate at huge scale, because they have tens of millions of customers, and they’re seeing billions of emails a day. They stop most of that malicious email before you ever see it. You don’t have to worry about it. You don’t have to classify it yourself. You don’t have to do anything.
Now, think about a system like that when it comes to network security or identity management. A system that can see the behaviors of identity at scale across the organization and that can automatically and accurately identify 99 percent of the bad behavior and just stop it. That’s awesome. And then if you add onto it a capability to react after the fact for the very small percentage that aren’t stopped proactively, you get even better security. But that ability to scale and use large amounts of data and machine learning at scale to identify out-of-bound activity is really crucial, actually, for the industry to get to a much better place where cybersecurity is more effective. Security professionals had better get comfortable with AI and machine learning because that’s how we are going to solve our problems.