Suzanne “Zan” Vautrinot is President of Kilovolt Consulting Inc. and a retired Major General of the U.S. Air Force, with three decades of experience in space and cyber operations. She retired as Commander, 24th Air Force and Air Forces Cyber Command where she oversaw a multi-billion dollar cyber enterprise, leading a workforce of 14,000 military, civilian and contractor personnel, while supporting 850,000 customers and conducting cyber operations worldwide. Zan previously served as Deputy Commander for the nation’s Network Warfare Command and was instrumental in the establishment and early operation of U.S. Cyber Command. She is universally respected as a motivational leader and change agent. As a cyber subject matter expert, she addresses technical, business and university forums, guides key task forces, and has testified before Congress. She currently advises industry, academia as well as government agencies and laboratories on cybersecurity strategy, technology innovation and workforce development.
Zan presently serves on the Boards of Directors for Wells Fargo, Symantec Corporation, ECOLAB Inc., and Parsons Corporation. She is also an advisor to the Air Force Doctrine Advisory Group, America300, the University of Texas Pre-Freshman Engineering Program, and serves on the Board of Directors for the Uniformed Services Benefit Association.
She earned her Bachelor of Science degree from the U.S. Air Force Academy and Master of Science degree from the University of Southern California. She also graduated from the Air Command and Staff College and Air War College, and was a National Security Fellow at the Kennedy School of Government at Harvard University.
You have an extensive background in security and technology. How did you develop an expertise in cybersecurity?
Suzanne Vautrinot: “Expertise” might be a stretch, but let’s say I’m passionate about cybersecurity. I was privileged to serve, and my military background focused on national security and the technologies that helped defend us. After graduating from the Air Force Academy, I was assigned to the National Reconnaissance Office, which developed and operated the nation’s spy satellites. This was before the Internet, but these systems had a strong dependence on computer networks and security of data.
Fast-forwarding through many years of operating satellites and running global networks for critical command and control systems, I was selected as the Deputy Commander for a new organization called Network Warfare, the precursor to United States Cyber Command. Network warfare was what one might call “offensive” cyber operations, which also gives you a great understanding of what’s needed to defend your own networks. That led to my selection as Commander of the Air Force’s cyber component and 24th Air Force.
In that capacity, we had multiple jobs: establishing, sustaining and operating a network, leveraging that network to execute offensive missions, and defending our own networks and systems. Ultimately, we executed whatever actions the President, Secretary of Defense, and Commander of U.S. Cyber Command asked us to do … but instead of land, sea, air or space, our operations were in cyberspace.
It certainly makes sense why network security is so important from a national defense standpoint. Why is this such a crucial topic for corporate leaders today, and what technology changes have contributed to this becoming a more pressing issue in recent years?
Suzanne Vautrinot: The implications, and especially the vulnerabilities, that were a National Security concern are the same for the private sector, a reality we now see far too frequently in the press.
Having access to that military infrastructure, seeing what it takes to defend and what can be leveraged to your own advantage gave me a unique perspective. Cyber isn’t a uniquely military capability, but technology shared by all—individuals, corporations and nations. We’re all riding the same networks and using the same technologies.
The government figured it out first, and while certainly that didn’t mean that every agency and department acted on the lessons, there was considerable effort to work collectively, to partner with industry and academia, to better understand, and to re-design to defend.
Now you see that dynamic in the private sector. Corporations and individuals clearly see the implications, and are responding in the same way the nation did … discussing strategy and risk. Cyber technology is a business opportunity, and cybersecurity is a corporate risk consideration.
So the government, because of its particular needs, kind of figured this out first. At what point did it become clear to corporations that cybersecurity was something they needed to articulately strategize in the course of everyday operations?
Suzanne Vautrinot: It’s less a “point” and more a continuum. Since computers, software and networks were originally designed for open communication, automation and global connectivity, it was hard to see the soft underbelly of “vulnerability.” About 10 to 12 years ago, cyber threats went from defacement, to disruption, to deception, to destruction. Cyber attacks were defacing websites—annoying but not critical except perhaps to reputation. This was followed by viruses, worms and other malicious software designed to disrupt computer and network-based operations and/or extract key information, i.e., espionage (largely focused on government sectors).
Some of those same techniques were then used to disrupt trusted computer-based financial transactions, and we saw ever-increasing criminal activity in the financial sector. Then we started to see a dramatic increase in criminal behaviors aimed at companies and individuals—hacking, theft of intellectual property, financial theft. That progressed to the disruption or destruction of physical systems, for example, power grids, transportation systems, dams, etc., with implications to both public and private sectors.
Add to that an inability to distinguish government, criminal, corporate, hacktivist and other actors, and sometimes active collaboration between them, and now we see cybersecurity is at the forefront of public discourse for government, companies and individuals.
What are some different types of cybersecurity breaches, and how can they harm a company?
Suzanne Vautrinot: Let’s put them in three categories: interdiction, direct attacks on computers and data, and attacks on physical systems.
Interdiction in this sense is to stop the ability for two things to connect— denial of service, in other words. It’s not hurting the computer or the network per se, but perturbs it in a way that doesn’t allow the connection. Jamming is a simplified way of describing it. For corporations, the ability to communicate to conduct business is critical. Everything that travels through the network is the business. In particular, financial systems or stock exchanges are built on transfer of information that allows movement of money. If you stop communication, you stop or severely slow the business.
Direct attacks go after the computers and the data itself. These alter the ability for basic business operations—which are now dependent on computers—correlation of data, and the movement of data between locations. The loss of the computer or data can prevent ongoing business operations, as well as the ability to restore and resume operations. It’s also the way to lose key data, intellectual property, pricing, M&A and other elements of your corporate competitive advantage. And finally, from a reputational and regulatory standpoint, this type of breach puts protected customer and partner data at risk.
Finally, there’s the attack on physical systems. It is a similar methodology to an attack on computer/data systems, but requires a detailed understanding of the system operations, man-in-the-loop and feedback mechanisms. For efficiency, sometimes safety and to reduce manpower, we implemented automation in industrial control systems. The raising and lowering of dams, switching of rail lines, operation of aircraft or power grids—all of these are inherently dependent on computers and networks to do physical operations. Making a “cyber” change can break something in those physical operations. This kind of breach is intended to perturb or even cause physical destruction. The implications for businesses include power loss, production shutdown, security system shutdown, destruction of critical equipment and shutdown of transportation or supply chain.
Are any particular industry sectors most at risk? What are some key examples?
Suzanne Vautrinot: Cybersecurity covers a lot of ground, and while some solutions are the same for all sectors, it’s not cookie cutter—R&D, manufacturers, financial, retail and critical utilities would all have different considerations. It’s a question of what are you accomplishing and protecting as a business, and how to make it viable and resilient to this kind of risk? Informed risk assessment and management is a dialogue for boards at a strategy level. Boards and management evaluate risk elements across all aspects of the business, and that evaluation process is equally applicable to cybersecurity.
That said, there are some special considerations. For example:
Global operations, a large customer base, conglomeration of many diverse business elements, etc., all add to the vulnerability (think bigger attack surface: more points of entry means easier to breach).
Extensive financial interactions, well-known innovation capability or specialty technologies (as in defense or security) increase the interest, which means increased attempts, and more skilled and persistent attacks.
What is the board’s role in overseeing cybersecurity and the general principles of risk oversight? How can boards better prepare for cybersecurity risks?
Suzanne Vautrinot: You’ve actually answered the question. The board’s role is to apply the principles of risk oversight, to advise on strategy and help push to overcome challenges—in this case, cybersecurity gaps and challenges.
There are a couple of nuances or “front-end” considerations, most importantly, whether the company should build and sustain cybersecurity expertise internally or rely on external experts. Cyber is either a consideration or it is a core competency for that business. If cyber is core, then certainly that competency is important throughout its management and operations as well as on the board, not unlike finance, transportation, mining, or oil and gas expertise would be to companies in those sectors. If it’s not part of core competency, then you might consider looking to consultant or partner expertise. Again, it’s not cookie-cutter.
Have any recent guidelines and regulations addressed cyber risk? How will those affect and influence board decisions?
Suzanne Vautrinot: You’re seeing both guidelines and regulations. Cybersecurity is not about checking the boxes and saying, “I met the letter of the law and I’m safe.” In most systems, you’re compliant until the point you aren’t. There are great guides to help you ask the questions, and allow you to look beyond what’s comfortable.
Some examples are an NACD (National Association of Corporate Directors) document, with key questions directors can ask. SANS has continued to publish and update a “top 20” list. Homeland Security released guidelines in the NIST framework, with significant input from industries. The Federal Financial Institutions Examination Council also recently put out a set of considerations. It would be onerous to simply layer them all, and they shouldn’t be used as a simple checklist. However, they are helpful in making the discussion more fulsome, providing a more consistent framework for assessment (to management, the board and external entities), and helping to articulate and address gaps.
That’s a good point. What are some of the main gaps between boards and IT security teams, and in what ways can those gaps cause risk to the board, the company and its shareholders?
Suzanne Vautrinot: Communications, access, organizational dynamics and aligning strategic priorities with ongoing activity.
Number one is communications, and making sure that it is constructive in the sense that everyone understands the dialogue with candor, without jargon or technical shorthand. It’s not about technologies, but being able to apply those technologies to work for your business.
Access is the result of focus and keen interest expressed by the board, a norm among directors I know and serve with. I’ve seen it demonstrated through assignment to a specific committee, adding cybersecurity discussion to the agenda, special updates on new or needed capabilities, or visits to key parts of the organization.
Organizational dynamics are tougher. The responsibilities for various aspects of cybersecurity, or decisions that ultimately affect security, are often spread throughout a company. If responsibilities are subordinated to a level where the risk decision or tradeoff never rises to C-suite or board level, then gaps occur.
Aligning strategic priorities requires a differentiation between the long term, “what we want to be,” with immediate risks that must be addressed. It also requires an upfront assessment of whether new business capabilities (or apps) contribute or add risk to that strategy. In other words, baking security in versus bolting it on.
There’s a great thing I’ve learned about cybersecurity folks, which is unlike other areas of business. Instead of being competitive, they are extraordinarily collaborative with each other. What is a threat to one is a threat to all. On the private side, you need to protect your competitive advantage. But, if you share what you’re seeing, you have a better chance of thwarting the attacks.
What advice would you give boards when identifying best practices for long-term security planning?
Suzanne Vautrinot: Companies need to clearly articulate where they are going in making enterprise and architecture more secure. You can think you have 1,000 different attacks, or with better visibility to your own systems, you can see that it’s actually the same single attack coming at you 1,000 times … requiring only one response. Companies that say, “I want to understand what’s in my network,” are able to assess and deal with the risk at a much more effective level. You want a way to decipher what they’re after and how they’re trying to achieve it, because it lets you know (and proactively defend) where they want to go next.
Even five years ago, most organizations were looking to prevent something from getting in, the moat approach. Perimeter protection is necessary, but it’s not sufficient. A better practice is to accept that the adversary is inside, then your team is always looking for it.
Strong policies and architectures with visibility enable your pros to constantly analyze and differentiate the normal/acceptable behaviors of software, hardware, networks and people, identifying and responding when the system indicates an “out of bounds.” Your team (whether you have them internally or use external professionals with that competence) can now decide what is normal, and more quickly respond to or even preclude, the abnormal.
Best practices for this include creating a more homogeneous or unified security architecture, simplifying the myriad of extraordinary but often unconnected capabilities, and automating as much of the identification, analysis, and response as possible, which frees your specialists to focus on new or future threats. Definitely a best and certainly more efficient practice.
What do you think is the greatest challenge for cybersecurity protection?
Suzanne Vautrinot: Individual behavior has to be part of the solution. You can design the best systems in the world, but it’s a little like safety. If you don’t wear the seatbelt or a helmet, the technology can’t protect you. Ask cultural and policy questions: Do employees send messages or use apps that create unprotected paths into the system? Do they use and change passwords? Do you carefully limit and specially train employees with special/administrator level privileges? Do you exercise, test and enforce security policies? How fast and how automatically can you implement a fix? Those are just scratching the surface, but there are so many things that count on behaviors of everyone in the organization. Building in a cultural change allows you to move forward. If we make it someone else’s (usually the “IT guys”) problem, there won’t be a solution.
Shared risk, shared responsibility, shared solutions. If the World Wide Web is now a dangerous neighborhood, then we’re all needed for neighborhood watch.