The job of the CTO should take in company leadership, technical know-how and oversight, along with an idea about where the company’s technology has come from and where it is going. Therefore, taking on the role of CTO at an already-established company could provide some interesting challenges.
Craig Harber joined Fidelis Cybersecurity earlier this year after 33 years working in the US government. “I worked on the global information grid, which was defining the information assurance architecture and when we got selected, we assumed there was an architecture but we had to define that too,” he told Infosecurity.
From there, he moved to the NSA’s threat operation center, and saw more work “at an operational tempo,” as while he was doing systems engineering, he was also defining product requirements, and determining partners to get products built to those requirements.
Later he moved to the NSA’s active cyber-defense program, initially named NAZCAR and then renamed DoDCAR, and this focused on how to do a better job with security from a defensive standpoint.
“It is fair to say it was widely known that the Department of Defense (DoD) and government had seen intrusions over recent years, and we were called in to explain why they were still seeing intrusions happening over and over again.” This is where NAZCAR came in, as he said that what traditionally happened was “well-meaning people had a good idea on how to solve problems but never looked at the problem holistically.”
Harber said that a holistic view was needed to determine if the adversary was fully understood, and what the DoD was trying to defend against, and that resulted with the Cyber Threat Framework, which took advantage of frameworks including MITRE and Lockheed Martin. He added: “These kill chains were about understanding the adversary’s behavior and defining the adversary’s techniques, tactics and practices.”
For the DoD, it was about how well it could detect, protect and respond to any techniques based on the deployed solutions on the DoD’s classified and unclassified networks.
Internally, Harber said that surveys of hardware stacks found them running anything from 30 to 60 different vendor products, and often they were not well-integrated with a lot of duplication. With this experience of development of frameworks, architecture and products, as well as a clear view on how not to do things, the move into the CTO position seemed to be a fairly sensible one.
Moving from the DoD to Fidelis, Harber said he wanted the opportunity to use the framework to drive operations. “What I mean by that is, imagine a cybersecurity architecture that any agency is standing up; you can put up equipment to protect, detect and respond, but the challenge has always been how to get to the point where you are detecting it soon enough that you can predictively or proactively respond?”
The options to slow down, and ultimately defeat the adversary, and doing a better job of detection in advance of the event to take proactive action is what led Harber to Fidelis. “What I see is that you need sensor capabilities in the cloud, in email, on web services and on the endpoint, but how do you bring together all of that understanding and be really integrated and automated in what you do?”
One thing that brought him on board was an intention to reduce analyst and alert fatigue, streamline security stacks and use the cyber-threat framework to enable that. He said: “As we’re scoring ourselves across the cybersecurity framework, what coverage do we have? Let’s say we’re 60%, the streamlined security stack means partnering with other vendors to collaborate on that coverage to make it 100% and that will happen through other products. Even though we have an open API, we will have to do that through integration.
“That is what drives me to what I think the cybersecurity community needs; where we are today with the Fidelis platform and the work that needs to be done, and start to identify what the right partnerships are that we need to have a solution that provides coverage.”
To conclude, Infosecurity asked if it was obvious what needed to be done? Harber explained that his first action was to understand the state of the Fidelis platform, and also understand the position of the company, and start to work with the engineering teams.
“To go back to the cybersecurity framework, that is the basis of the way we’re going to demonstrate our value to the market, by saying ‘here is the coverage we have’ and working with the engineering team to expand that coverage with new capabilities that we need,” he said.
He gave the example of detection which it currently does not have, which becomes a priority of the release strategy, or it is a gap that only a partner can fill.
He also said that if you are not on the radar of the large government contractors, as far as understanding the breadth and depth of capabilities that any vendor offers, then you’re at a disadvantage.