Cybersecurity Expertise: From the White House to the C-Suite
Anthony J. Ferrante, FTI Consulting’s new Head of Cybersecurity in the Global Risk & Investigation Practice, addresses the growing cybersecurity threats affecting U.S. businesses today.
As the former Director for Cyber Incident Response at the U.S. National Security Council and the former Chief of Staff of the Federal Bureau of Investigation’s Cyber Division, Anthony J. Ferrante has seen cyber risk evolve from a niche focus of intelligence agencies and information technology professionals to a true national-level challenge.
This challenge emerged quickly and is now accelerating rapidly, making it difficult for America’s organizations to keep up. Because of that, cybersecurity has vaulted into the boardroom and created a pressing need for a more formal approach and expertise.
Ferrante joined FTI Consulting in April as a Senior Managing Director and Head of Cybersecurity in the Global Risk & Investigation Practice. Prior to joining FTI Consulting, he coordinated the U.S government’s response to unfolding cybersecurity crises and issues (including the Russian attempts to meddle in the 2016 Presidential election) and has provided incident response and preparedness planning to more than 1,000 private sector and governmental organizations. Included among them are more than 175 Fortune 500 companies.
Here, Ferrante discusses his intelligence-led, strategic approach for addressing the cybersecurity threat to corporate America.
FTIJ: We seem to hear about cyberattacks almost daily. Despite our current technological advances, why do you think they persist?
Ferrante: As we continue to connect more and more of our infrastructure to the Internet, as we build out the “Internet of Things (IoT),” and as the resulting ecosystem relies more heavily on automation and machine learning, we create more entry points for attackers. Cyber risks become more frequent and more serious. Because of this, the cyber threat is evolving rapidly, becoming progressively broader and more dangerous. Incidentally, more than 90 percent of Americans report that they cannot protect their own personal data.
Ferrante: From your experience, what is the most vulnerable point of access for malicious cyber activities in corporations today?
Ferrante: A company’s cybersecurity posture is no different from their physical security posture — a company is only as strong as its weakest link. Companies need to invest in cybersecurity holistically and consider their cybersecurity from a 360 degree perspective — from deploying best practices to ensuring their staff is fully trained and aware of the latest emerging threats targeting their industry. Seasoned investigators may also have a network of personal contacts acquired in past investigations who can help ferret out hidden assets with a piece of local intelligence or industry gossip. So, when asking who should look for assets, consider retaining a professional investigator. It’s also worth noting that billing rates are lower for investigators than lawyers, and they are therefore more economical for clients.
FTIJ: Executives themselves have lately become high profile targets from attackers using more sophisticated methods. What are some of those threats?
Ferrante: Executives are constantly being targeted by malicious cyber actors for intentional deception, either for personal gain or to damage the executive’s reputation. A well-known example is the threat of sophisticated phishing campaigns. These campaigns are often used to deliver targeted malware to enable remote access of the target’s computer and possibly infrastructure. Once a malicious actor gains access to your systems, their motives can range from theft of intellectual property, financial gain, strategic misinformation campaigns (unauthorized disclosure of sensitive communications), platform utilization to target another company, storage of illegal content and a variety of other malicious uses.
FTIJ: Would you say many executives today underestimate the vulnerability of their corporations to attack and/or compromise?
Ferrante: Yes. Cybersecurity threats are a new and complicated factor to consider in assessing corporate risk. Executives have a special responsibility — and a unique opportunity — to set policy, define employee expectations and employ the appropriate individuals and practices to secure their networks and ensure continuity of business operations.
FTIJ: Where do these threats primarily come from?
Ferrante: Cybersecurity threats originate from all over — both external and internal to an organization. [See sidebar “Continuing Threats” for discussion of additional threats.] One is nation-state actors. Specifically, these are foreign government, or government-directed, organizations targeting your organization to erode economic stability or steal your intellectual property, which in turn influences the political and diplomatic landscape and/or destruction of your operations. Last year’s election brought nation-state-sponsored malicious cyber activity acutely into the public spotlight when the U.S. intelligence community assessed that senior Russian officials worked to influence the 2016 Presidential election. Cybersecurity threats from nation-state actors are going to continue to grow in scope, scale and sophistication. As our advancements in technology increase so will our adversaries' use and exploitation of it for illicit means. We mustn’t forget the internal threats posed by either an internal malicious actor, or misconfigured infrastructure that will disrupt operations and expose vulnerabilities to your organization.
FTIJ: What are some practices executives should employ to improve their posture against cyberattacks?
Ferrante: The first thing is to create internal policies and risk management practices that inherently demand good security practices by all. These policies and practices may cover a variety of topics depending on the business, but some areas they might include would be: adopt proactive prevention, define and identify the data that needs to be protected, evaluate email controls, implement enterprise-wide security controls and regularly test those controls. Also, executives should insulate the business’ infrastructure; and define the parameters for preparedness planning and testing — plan the business’ continuity operations.
Second, executives can increase employee cybersecurity awareness and accountability by implementing a system that provides employees with opportunities to improve their skills, test their abilities and understand the risks of poor security practices. Finally, executives can determine when they have a cybersecurity issue that is beyond their business’ ability to resolve and should not hesitate to rely on industry subject matter experts to supplement their internal resources.
Organizations that rely on information technology systems alone to secure their business operations against a cyber adversary have failed or will fail. An organization needs a dynamic intelligence-led cybersecurity team that has the expertise to understand, think and act offensively and defensively to combat the ever-changing cyber threat landscape.
FTIJ: Describe your approach to threat-hunting operations. What is the first step you take to assess corporate vulnerability?
Ferrante: We approach an operation just like a threat actor would approach their attempts to conduct malicious activity. Once we have a better understanding of our clients’ infrastructure through an open source vulnerability assessment, we deploy a variety of digital tools and human techniques observed throughout our 20 years of experience.
FTIJ: Some corporations reach out only when an incident occurs. How would you help a corporation with remediation efforts?
Ferrante: We help corporations surge their capabilities, either by serving as their incident response team or by augmenting their existing capacity to respond. For corporations that fall victim to cyber threats and aren’t prepared to address those impacts, we would deploy a vigorous response that minimizes the damage to the company’s reputation and its bottom-line operations. We help organizations understand their own environments, harden their defenses, rapidly and precisely hunt threats, provide a complete response to crises and sustainably recover operations and reputation after an incident. A proactive posture is always best. But we can help organizations recover from unexpected and unplanned, impacts.
FTIJ: What’s your approach following remediation to move an organization towards long-term proactivity? What is the first step you take to assess corporate vulnerability?
Ferrante: In the moment of crises, we are keenly focused on containment, remediation and recovery, for both a business’ operations and reputation. After the incident is remediated, we work with affected entities to plan for future incidents targeting their organization that will inherently shift their approach from reactive to proactive. Our plans are personalized and scalable, so clients can choose a range of services that will work within their existing business plans and budgets to provide added security going forward.