Cyber leaders needed: Top corporate execs should step up, says FBI expert

“If the leader doesn’t take something seriously, then the subordinates are not going to take it seriously”, the FBI's Shawn Henry observed.

Henry cited recent research by Carnegie Mellon CyLab, which found that most top executives at Forbes Global 2000 companies are not sufficiently engaged in their firms’ efforts to manage cyber risks. This is a phenomenon that Henry, who is executive assistant director of the FBI, has encountered regularly in his work on cyber intrusions.

In many cases, the FBI is coming to companies and informing them they have been breached. “We are knocking on the door of the organization, and we are telling them that they’ve been breached. In some cases, they have been breached for many months and in some instances years, and they didn’t even know it….When we have to tell them they’ve been breached, that’s bad”, Henry told Infosecurity.

“I have talked to many systems administrators, network people, and incident response people, and I've learned that those folks get it. They are on the front line with the malware, they see the results of intrusions, they understand what an exfiltration means. But a lot of the time, they don’t have the right audience. These folks talk to me about their inability to get support for their budget….It is because they aren’t getting the attention of the C-suite folks”, he said.

“People know what a bomb looks like. If I tell them there is a bomb in their boardroom, they know what to do. They are going to get out, they are going to contact security, they are going to take remediation efforts. But with this threat I don’t think people understand what the ramifications are because they can’t see it or touch it or smell it”, Henry said.

The FBI official advised top corporate management to take the initiative on cybersecurity. “You own this, you are leader of the organization, you are in charge of the success or failure of the organization. You need to take a personal interest in it”, he said.

“If the leader doesn’t take something seriously, then the subordinates are not going to take it seriously. If it is important to the boss, then it becomes important to others”, Henry observed.

“The leadership needs to grab their senior executive team and come up with a plan. That means the CSO, the CISO, the CFO, the COO, the compliance officer…and the corporate counsel”, he said.

The FBI has a role in helping the private sector thwart cyber attacks in three areas: threat mitigation, intelligence sharing, and raising awareness. “We are able to take some of the adversaries off of the playing field if we are able to do attribution, if we are able to infiltrate organizations, either on the criminal side or the national security side. We can take certain offensive actions”, he said.

The bureau also shares threat intelligence with organizations to help them protect themselves before an attack occurs. “We have been very successful in sharing intelligence on emerging threats with the private sector”, Henry noted.

In the area of raising awareness, Henry has shot a video in which he discusses many of the points covered in this Infosecurity interview.
