Ira Winkler has recently been appointed Field CISO of CYE, as part of the company’s hypergrowth expansion. He joins CYE following a key role as Chief Security Architect at Walmart and has over three decades of experience protecting large corporations from cyber threats and developing cost-effective security solutions. Ira is the recipient of dozens of awards, most notably and recently the 2021 Top Cybersecurity Leader from Security Magazine and 2022 Cybersecurity Champion of the Year from the Cybersecurity Association of Maryland, and the author of multiple bestselling books about cybersecurity and intelligence.
Ira’s role is focused on CYE’s operations in the US, and he will assist clients in optimizing their global security operations and integrating the use of Hyver, CYE’s cybersecurity optimization platform.
We sat down with Ira to discuss his thoughts on the state of security, his advice to CISOs, and his vision for the future of the industry.
Understanding CISO Pains
In your various roles, you’ve had a first-row seat to the pains CISOs face. What would you say are some of the reoccurring issues that seem to be true for security officers across sectors, industries, and company sizes?
It really depends on the company and their management. For some it’s getting support. For others, it’s balancing limited resources. For others still, it’s putting out fires. Some can’t hire the right people. However, the one problem I do see across the board is CISOs’ difficulty communicating the costs of cyber threats to executives and justifying their budgets.
Security Words of Wisdom
What are the security words of wisdom that you find yourself sharing with CISOs over and over again?
The most common thing I tell CISOs is that they get the budgets they deserve, not the budgets that they need. They need to learn to deserve more. This is exactly what Hyver does. It helps CISOs show executives what they deserve, which is why I was drawn to it.
Security’s Common Denominator
You’ve been doing security for a long time. Do the computer crimes of the 2020s look anything like the early cyber breaches of the 1990s, such as the Citibank hack of 1995 or the data breach at Target in 2014? Is there a common denominator that runs through the decades despite the growing sophistication of hacks and the magnitude of destruction that they cause?
I actually worked on the Citibank investigation. The crime was fairly straightforward and not overly sophisticated. The criminals just invested the time to do it. They got caught because they were not sophisticated.
I would say that the majority of crimes we see today are similar to the Citibank hack in that the criminals take advantage of basic cyber gaps and are just persistent. However, cybercrime has become an established business and many crimes are committed by highly efficient groups that can be effective and maximize their gains. It’s not simply about getting lucky anymore, but about treating it like a formal business operation, which in many ways is what happened with the Target breach. That’s a scary notion to entertain, but understanding that cybercriminals spend months studying their victim’s infrastructure, operations, and third-party vendors helps us prepare better for sophisticated attacks.
Explaining Security Threats to Management
How invested are executives and board directors in the security efforts of their organizations? Is the job of relating security threats to management becoming easier or harder as time goes by?
That varies. Some leaders firmly believe in and prioritize security, while others minimize it. They don’t look at it as a necessity. Regarding whether it is easier or harder, it should be getting easier, but that’s not always the case everywhere yet. There is more acceptance of security as being a critical business need, so you could say we’re in the process of institutionalizing the discussion. This is one reason why I love Hyver. It makes these discussions easy.
Future of Cybersecurity
And now for the big one, the question we all want answers to: what does the future of security look like?
More of the same, but different. Computer crimes have grown and evolved as value moved to computers. The criminals you need to worry about have evolved with their targets. Those criminals are persistent, creative, and disciplined. Good security programs are those that are likewise persistent, creative, and disciplined. A good security program will experience incidents, but they will generally be contained and mitigated efficiently. Those organizations that do not invest will have uncontained incidents and be at the mercy of the criminals.