Are We Doomed? Not If We Focus on Cyber Resilience
Patricia Muoio on How the 'War' Metaphor Has Held the Cybersecurity Industry Back
Here's how to doom a cybersecurity program: Think of cybersecurity as a war against an attacker that must be fought to the finish, invest in threat tracking technology for threats your organization has no capabilities to defend against, and let the sunk cost effect determine how you spend your security budget.
In reality, cybersecurity is more like policing crime than going to war and returning when you've won. There will always be criminals. The goal should be to manage crimes in a resilient way.
Patricia Muoio, a partner at SineWave Ventures, uses another metaphor to describe cybersecurity. Comparing a cyberattack to an infection, she says, "There will always be disease," so take preventative measures to avoid getting sick and take medicine if you do become ill.
In this episode of "Cybersecurity Unplugged," Muoio discusses:
- SineWave's focus on companies that have "broad-based technologies that enable you to face a variety of threats and remain resilient";
- Setting up a "different kind of defense" that is "way more effective" through microsegmentation and two-factor authentication - a zero trust approach;
- "Rethinking the structure of the CISO role" and the role government can play in the cybersecurity marketplace, especially when companies such as SineWave can build "bridges between the government thinking and the commercial implementation."
Muoio has been a partner at SineWave Ventures, an early-stage venture capital firm dedicated to helping new technology companies grow across the commercial and public sectors, for eight years. Previously, she spent 13 years running R&D for the U.S. Department of Defense. She has provided strategic direction for secure wireless, resilient systems, trustworthy computing, and securing science and cryptography.
Steve King: [00:13] Good day, everyone. This is Steve King, the managing director of CyberTheory. Today's podcast episode is going to feature Patricia Muoio, who's a partner at Sinewave Ventures in New York City. That's an early stage venture capital firm that's dedicated to helping new technology companies grow across the commercial and public sectors. Pat's been a partner at Sinewave for eight years and spent 13 years running R&D for the Department of Defense with a big team of 100 researchers and a lot of different interdisciplinary efforts that hopefully enable national security customers to operate safely in compromised environments. She's an expert and has been providing strategic direction for secure wireless, resilient systems, trustworthy computing, and security science and cryptography. So in addition to earning her undergraduate degree from Fordham, she went on and got a PhD from Yale. Welcome, Pat. I'm glad you were able to join us today.
Patricia Muoio: [01:23] Thanks for having me.
King: [01:26] Let's jump right in here. Can you give our listeners a little background on Sinewave and the work that you guys have been doing and what this year has looked like so far for you guys?
Muoio: [01:42] Sure. As you had mentioned, Sinewave is an early stage venture firm, dealing with helping companies get into the commercial and government sector, and what we concentrate on are computing, analytic and cybersecurity companies that really help agencies and industries that haven't traditionally been information-driven to use information safely and effectively to influence business and policy decisions. We have a small-size but, I think, mighty-impact portfolio of companies in those three general areas. In terms of cybersecurity, we've always had an attack-agnostic kind of approach. We don't really invest in companies that aim to address this particular attack vector or this particular way of getting into your system, but rather look for sort of broad-based technologies that enable you to face a variety of threats and remain resilient in the face of known and unknown challenges. Our investment size is three to five million typically. And we always invest with a consortium of others, trying to build a set of investors that really can help the company survive.
King: [03:01] In later rounds or early rounds?
Muoio: [03:03] Early rounds. A is our favorite; we also do some seeds, and we do some Bs. In the companies that we invest in, we will do follow-on if we like where the company is going, but we don't commit to following on. With each round, we assess them anew.
King: [03:19] No particular market emphasis within cybersecurity?
Muoio: [03:23] No. I have a particular interest in some of the new zero trust stuff that's emerging. I think the new challenges are at the application layer and at the identification and authentication part of the system. So we try to be strategic in the parts of the system that we're looking to find technologies to fit. Because we're attack-agnostic, we're not big into threat identification systems and stuff like that.
King: [03:52] Yeah, that makes sense to me. I think that for companies that approach it from an attack point of view, it seems very tempting. It's like, that's great for the first month, but what happens when the next attack vector occurs?
Muoio: [04:12] You get just caught up in this game of Whac-A-Mole. There's no reason to keep trying to win that way, when there are other better ways.
King: [04:22] You have a philosophy about getting companies to think more about cyber resilience than cybersecurity. What do you mean by that?
Muoio: [04:32] Traditionally, particularly with people who have attack-based approaches to cybersecurity, there's always been this tension that you invest in security at the expense of business objectives. You may have to limit what people can do. They may need complicated login procedures. There is always this war between security capabilities and what needs to get done. With the notion of cyber resilience, the idea is that the cybersecurity technologies actually help your company survive in normal operating conditions. But in conditions where things go wrong, whether that be an attack or a power outage or a hurricane, the idea is to continue to know enough about your system, and to put controls in place, that you can continue operating at least your critical functions, and have the wherewithal to quickly build back any of the functions that had to be downgraded because of the problematic period you were in.
King: [05:36] Yeah, we approach cybersecurity in different ways. But if you look across the spectrum, I think there's a mindset around what we do when we fight a war, our experiences, as men: we military up, we head off into country A, we conquer them, and then we come back and the war's over. That's never been true, nor will it ever be true with cybersecurity. It's really more like a police action around crime. So the assumption should be that there will always be criminals, like the four or five main things that we worry about: homicide and armed robbery and burglary, etc. We're going to focus on trying to manage those into a resilient model. I guess, is that kind of where the mindset is?
Muoio: [06:39] Yeah. I think your point on the war metaphor is extremely well taken. I personally think the war metaphor has held back the cybersecurity industry for years. The contrasting metaphor that I like to use is health. There's always going to be disease, and particularly in the time of COVID, I guess this has become a less clear metaphor than it used to be. But there's always going to be disease, but you wash your hands, and you take your vitamins, and you eat good food. When you do get sick, you have drugs that help you get better quickly. But you don't expect that germs are going to be eradicated from the face of the earth, just like you don't expect cyberthreats are going to completely disappear. What you want to do is make sure you are not impacted by any of those germs in a way that you can't survive. Similarly, you want to make sure you're not impacted by any cyber action in a way that you can't recover from.
King: [07:31] Agree. Good analogy. Speaking of the eternal fight here, I wrote a book that is in the process of being published this weekend. My publisher insisted on calling it "Losing the Cyber War." It's focused on five different theatres of war. My thesis is that we're losing in each one, but I offer recommendations for how we can avoid that and get out of it. We spent $150 billion, I think, in 2021. We're probably going to spend about $150-ish billion in 2022 on cybersecurity, and yet the only correlation between what we spend and the number of breaches is that they both go up. If we dropped in from Mars, you'd conclude that our funding is actually increasing the number of cyberattacks that we have to deal with. Are we doomed or what?
Muoio: [08:33] We are not doomed, and I think we are doomed when we invest in things that solve the wrong problem. We do a lot of investments. There are many threat tracking technologies. It's important that security companies understand how the threats are evolving, where they are, what they are. It's important that governments understand that and so on. In both cases, you can build defenses, you can do research, you can figure out new and innovative ways to address the attacks in general. But here I am, a small or medium business, I buy a threat tracking thing, and I have not a single knob in my system that I can turn if I know a particular threat is in my area to make my system safer. All it does is tell me you can worry now, which in general, you'd be worrying anyhow. If you had a capability, you would have already deployed it in all cases. You're not going to just turn it on when threat X is in the environment. There's this whole lot of investment in protecting against the individual attack or in understanding a threat environment that you have no capability to do anything about. There are a lot of tools that analyze your system and alert a gazillion times and tell you you have this vulnerability and that vulnerability, but not in a way that enables you to do something about it in real time, or to do something about even in the long term. And so that whole mode of chasing after the attacker gives the attacker the advantage, and the attacker will ultimately win, if that's the mode of defense we do. There's a different kind of defense, though, that I think is way more effective, that involves basically shaping the game board. If the attacker is coming into an environment that you have set up for you to win, and for them to lose, the likelihood of the attacker succeeding becomes significantly smaller.
To give an example of that, there's a whole lot of technology emerging now in the area of microsegmentation, which says we're going to carefully control who and what can reach which other assets in the system, and help logically lay out the network according to the business rules so that only legitimate types of interactions can happen. If an attacker comes in, they do a phishing and they come in as me, average person, they'll only be able to get to those parts of the system which me, average person, could get to. That would not include the privileged spots that they would need to really execute their payloads. If you started doing things like that... People say phishing is a big thing. So many passwords are stolen, true enough. But if you have two-factor authentication, just stealing the password is not enough; you also need to get the other authentication form. The two-factor authentication, besides preventing the phishing things, would prevent password guessing; it would prevent a variety of other ways where you gain the credentials of an individual to try to gain access to the system. I think if we turn our attention to what we can do within our system, to make it really difficult terrain for the attacker to traverse, we do have a chance of winning and we are not doomed.
King: [12:02] I don't actually see any progress toward that model. How do we get people to change the way that we have done this historically and do it a different way?
Muoio: [12:16] I think part of it is a timeline thing. I mean, we in Sinewave are trying to get people to do that by investing in companies that do exactly this, and so making sure that solutions like that actually survive in the marketplace, I think, is one phase of enabling the shift to this mindset. I think the realization of the thing that you just said, the more we invest in security, the more breaches happen: people are beginning to realize there's something fundamentally wrong with the security marketplace and the solutions it is providing. I'm, you know, optimistic that over time, people will move to this. The analogy I use in my head is, a number of years ago, perimeter defense was the whole story, right? You keep people from getting in, it's your perimeter that you protect, and all of the products were addressing that problem. While that was going on, though, the notion of endpoint protection evolved. That is a way more robust way of addressing cyberthreats. Although it took a number of years to unseat the perimeter protection paradigm, now I think there are few people who say a broad system perimeter is the way to defend your system. People are talking about moving the perimeter to the individual piece of data, and so on. The idea is that the actual castle walls are not a solution that's going to work. I do think, over time, the success of newer types of technology becomes more apparent, but it takes years, it's not a fast thing. And one of the things that troubles me is there's also the case that many of the people who have made investments in cybersecurity have spent, say, a ton of money. There isn't a graceful way for them to say, "Oh, let's tear this out and do this new thing," which is better in this important way. There's this whole sunk cost mentality, and there is a reputation cost associated with suggesting that things have moved to a different place now.
The size of invested solutions is getting in the way and is making it more difficult for new solutions to break through. That said, I think, over time, if you just made an investment, you're not likely to change it, but if you made an investment three years ago, you might be looking again for a different type of solution. I think we have to be a little patient, which unfortunately is something difficult to afford right now. But I do think the paradigms do change over time to get to better places.
King: [15:09] You're right. Let me ask you, from my view. I was a CISO six years ago, and my world six years ago was very simple compared to the technology map, if you will, of today's world, and I'm pretty sure that I was working 12 hours a day six years ago. So look at the current complexity of the environment from a CISO point of view. I am pretty convinced that none of the folks I know who run these things for a living have a safe understanding or an effective understanding of the technology that they're overseeing, or how to implement it properly, or what the standards should look like, or anything about the adjacent impacts of rolling out another layer, a hybrid cloud instance that's going to be built around Kubernetes containers, which I think, if I asked 10 folks that I know who understand and can explain Kubernetes, I don't find that I can see a show of hands, period. From my point of view, the complexity is kind of killing us. But also, there's this unwillingness to raise your hand and say, hey, you want me to do this stuff, but I don't understand anything that we're doing, but digital transformation keeps pushing me because you keep saying serve the business units. What does the CISO do?
Muoio: [16:50] I think there was/is a recognition of the importance of the role of the CISO that over time moved the CISO role up to a C-suite kind of role, removed the CISO from the groups that were actually writing the software, implementing the network, managing the IT system, and put them in charge of their security fiefdom, which was divorced from the executing parts of the company. I understand that this was done with the well-meant intention of giving security the consideration and concern it deserves. But I think an unwanted side effect is that it really reduced the effectiveness of security solutions. The decisions were made by people who were not the people who were implementing the IT system. There was back and forth about what is security doing to me now, rather than how can security help me implement this network in a way that's going to work for the company in a safer way. Similarly, for developers, often there were code audits at the end of a process that only slowed them down. The security guys weren't seen as people who help them build better code, but as guys who got in the way of their delivery dates. I think that separation of the security function from the software and hardware development and execution function is truly problematic, and does need to change, or the decisions will be made without a full understanding, as you said, of the concerns of the business, of what needs to be done, of what these technologies really do, how they interact, and so on. So I think it really is worth rethinking the structure of the CISO role, and perhaps embedding more of it in the places where the system is implemented. The other thing, about complexity: I do think that there's not enough understanding of security architecture, as opposed to security solutions and security orchestration. I don't know how to make that a more central part of the CISO's toolbox.
But it's really important to pick your solutions in an architected way, to know how they interact, to know whether they're helping each other or hurting each other, to understand their performance impact when used together, and all sorts of things like that. I haven't looked at many school curricula or anything like that these days. But I would think that there needs to be an increased emphasis, as people are being educated and trained, on the importance of architecting solutions rather than just deploying them.
King: [19:46] Everything you said is spot on. One of the things that I do for ISMG is run a thing called the Cybered.io initiative, which is an online education platform, and there's no paucity of those; there must be 70 competitors in that space. But we're different because we've looked at it from a learning path point of view and built coursework within multiple learning paths that relate to the specific roles that are in the real world, and a practical way, if you will, to allocate responsibility tied loosely to the NIST framework. We have a pretty strong emphasis on zero trust, because we're, I think, one of the original proponents of zero trust in the market. You had described in the answer to your last question, I think, basically a zero trust approach when you were talking about microsegmentation and so forth. The answer to the question you just suggested is, from my point of view, since I couldn't find you a CISO who could tell me what the topology of his or her network is today: Why don't we just rip it all out and start over? Why don't we start over with a zero trust strategy and a zero trust reference architecture, and then build to the business requirement from that point forward?
Muoio: [21:34] If we could pause time to get things right, and then start over, that would be a fabulous idea. There is a company we're considering for investment now at Sinewave that is a zero trust microsegmentation company. Their approach to this, which I happen to love, is that the system is what it is. The zero trust technology has to bear the burden of learning what the system is, not by asking people but by querying the system. Then you can lay out the policies, given this understanding of what the system is and what the business rules are, which do come from people. I think there's something to be said, and this goes with the theme of resilience a little bit, for technologies understanding that they're not delivering into a blank-slate world, and figuring out how they can accommodate the existing mess and still add their value to provide a reasonable solution. It does make the development of the technology harder, but I think that's a very responsible way to do your design of novel tech - to recognize the world you're delivering into and not assume that it has the characteristics you need for your solution to be viable.
King: [22:55] Absolutely. Maybe our final question here might deal with the connection between your current business, the VC investment model, cybersecurity as a market, and then the government's role, if you will. Having spent 13 years with the Department of Defense, you have, I'm sure, a rich appreciation for the realities of government. What do you think?
Muoio: [23:26] I think the government has some important roles to play in the cybersecurity marketplace. I think the government should be the source of guidance. You mentioned the NIST framework earlier; I think that's probably the most recent source of guidance. The executive order and the call for zero trust is another important one. Where I think the government has fallen a little short is that the guidance is not as accessible and implementable as many enterprises need it to be. There's good reason for that. The government has these fairness requirements: they can't pick a technology, and they can't pick a company as a winner. So necessarily that makes the descriptions in this guidance so high-level that it's hard for people to get their heads around. I think we have to figure out a way that you can make this advice more actionable, while still maintaining the need for fairness and not stifling innovation by picking a solution when a new one might be better later down the road. I think that that has to come through by either the government making the advice more actionable, or perhaps some other organizations, like your own, providing interpretations that people can get their heads around. There is another big role that the government plays forensically, and there's a big role the government plays in understanding the attack space, particularly for advanced persistent threats. All of these roles are important to inform what I think is the commercial space that is going to solve this problem for all companies and agencies. I don't think this is something where the government can invent particular solutions and deploy them out. When I was at the agency doing research, we needed to work through commercial partners to get solutions into the mainstream without mandating solutions. I think the government is, in some ways, hampered by its own rules. I think the government people are extremely smart, though.
If we can figure out a way to get the idea space translated into the implementation space of the commercial world, I think that's important. That's part of what we're trying to do at Sinewave too: build these bridges between the government thinking and the commercial implementation that helps companies be successful.
King: [25:57] Sure. Second part of that question, in the last 20 years, what job or what role gave you the most satisfaction?
Muoio: [26:07] My last job in the government was heading up the Trusted Systems research group, which was the cybersecurity or information assurance research group, and I am convinced that is the best job in the government. The problem space is fabulous. The people are brilliant and hardworking, the creativity level is high. I just loved it. It was the kind of job where, as an executive, you could execute by brainstorming. It wasn't one of these very rule-based, bean counting kinds of jobs. That was by far my favorite job. Sinewave is just a completely different beast. I was assuming you meant of my government jobs.
King: [26:54] The venture capital job is very different from that. But great, thank you for taking the time out, Pat, to sit with us. For me, it was great and informative. If you'd like to do it again, I'd like to do it again. We can probe further into some of these areas, maybe around the end of the first quarter or so next year.
Muoio: [27:19] Sounds good. Thank you again for having me. I appreciate it.
King: [27:26] Sure. I appreciate your cooperation here with us, and thank you to our listeners as well for spending half an hour of their day with us, and hopefully it was equally interesting to you guys. Until next time, I'm your host, Steve King. Signing off!