25 years of cybersecurity evolution: Insights from an industry veteran
Eric has been working in technology for over 40 years with a focus on cybersecurity since the 90's. Now serving primarily as Chief Cybersecurity Evangelist and part of the Executive Leadership Team, Eric has been with Atlantic Data Security starting from its inception, filling various roles across the company. He leverages this broad perspective along with his passion, collective experience, creative thinking, and empathetic understanding of client issues to solve and advocate for effective cybersecurity.
In this highly informative interview, Atlantic Data Security Evangelist Eric Anderson reflects on the past 25 years in cybersecurity, discusses important observations, and provides valuable recommendations for businesses worldwide.
In looking back across the past 25 years, what has “wowed” you the most in the field of cybersecurity? Why?
Eric: It’s often taken for granted now, but I used to be absolutely amazed at the pace of things. Not that it’s not still impressive, but I think we’ve all gotten a bit used to the speed at which technology evolves. It’s even more pronounced in our specific field. Cybersecurity may have a somewhat unique driver of innovation, since it’s largely pushed by illicit actors that are constantly searching for new threat vectors. Defenders are forced to invest in developing responses to keep up.
While all areas of tech evolve with amazing speed, most are driven by the constant gradual pressure of consumer desire. Meanwhile cybersecurity has a daily requirement for advancement due to the actions of external forces. We often have to take big leaps into entirely new product categories to respond to new risks.
Can you share insights into the early days of cybersecurity and how Atlantic Data Security was involved with the first firewall installations?
Eric: My personal journey with Check Point started in the mid 90’s with one of Check Point’s early reseller partners. By 1998 or 1999, our business transitioned from being a network integrator/VAR to a dedicated security shop — primarily selling, installing, and supporting Check Point firewall and VPN solutions. Shortly after that, I became our second certified Check Point instructor to help handle the massive demand for training. I have continued to get more involved with all aspects of Check Point ever since (from the partner side), including taking the helm of the Check Point User Group back in 2014.
One of my favorite aspects of our current company is how many of us have known each other for decades; either working at the same company, as partners, or competitors, and how much of that history shares Check Point as a common thread.
My favorite example is with Kevin Haley, one of the owners of ADS. When I first met him in 2001, he had long since been running the security reseller division of a company called Netegrity. He had been focused primarily on selling and supporting Check Point products from back when their name was Internet Security Corporation — which had the distinction of being Check Point’s first partner in the U.S.
What are some of the key lessons learned via efforts around the first firewall installations and how do they inform cybersecurity strategies today?
Eric: Back then, we were all learning a lot about security. Many of us had some comprehensive networking experience, but the extent of our “security” exposure was often just a handful of passwords. Our footprint was typically contained within a few buildings and maybe a small group of remote users.
It was amazing to see how rapidly the internet changed our security exposure from local to global. Almost overnight we had to start contending with an entirely new class of threats. Forward-thinking companies like Check Point were there to give us the tools we needed, but we had to quickly grow from network engineers to cybersecurity experts. This rapid reshaping of the landscape has never really stopped. Every time things seem to settle down a bit, a new trend or technology, like cloud adoption or the shift to remote work, comes along to shake it up.
Ultimately, we need to remain agile and flexible. We can’t reliably predict the next big change, so we need to have buffers in our planning. I think it goes beyond incident planning and is more something like “paradigm shift planning.” What resources do we have available for the next big thing? Having a good handle on current projects and priorities can allow for better optimization of resources.
We saw this with the adoption of VPN almost 30 years ago. Organizations were using either modems and phone lines or slow, expensive direct connections, like frame relay and T1’s. While VPN wasn’t a required shift, it was vastly better, reducing costs, improving speed, and enhancing security. Clients who were flexible enough to adopt VPN early reaped significant advantages. Others took much longer to adapt, having to deal with higher costs and more cumbersome operations throughout. While this wasn’t an essential shift to deal with an imminent threat, it clearly illustrated the advantages that organizations can gain by being flexible and the role of cybersecurity in enabling the business to function more broadly.
The CISO role is known for its evolution. Given all of the demands placed on modern CISOs (technology, people management, board-level commitments), does it still make sense to have a single CISO role? How do you foresee the role continuing to evolve? How would you like to see it evolve?
Eric: I recently spoke to a room full of CISOs and others serving similar roles. I asked them two questions: “Who among you will not be held responsible in the event of a breach?” No one raised their hand. “Who among you has all of the necessary power and resources to keep it from happening?” A few hands did go up; all from people working at smaller organizations with relatively flat hierarchies, allowing them more latitude and purview than we see in most mid-sized organizations or larger. But they all agreed that while CISOs bear the massive burden of cyber defense, they aren’t given the budget, staff, authority, or support to keep from buckling under it.
While I’d love to see the role of the CISO change, I fear that the broad interpretation of the title/term is unlikely to shift significantly.
What I really want to see is for security to become part of every department’s structure and culture. It would be great to have security officers within each department; from infrastructure, to desktops, to finance, especially in DevOps, and everywhere else. Those officers could be more in tune with their group's specific drivers and needs, working closely with them to reach goals, with security as an overarching priority and mandate. A CISO’s role in that environment would be to globalize and unify security efforts across an organization.
I have seen things like this being done in some forward-thinking organizations. Making security a part of all aspects of an organization will only make it stronger.
Given the current pace of technological advancement, how do you anticipate that cybersecurity technology will evolve across the next decade? What are your thoughts about the role of artificial intelligence?
Eric: That’s a loaded one! There are some clear areas that are already starting to show improvement. Tool consolidation and orchestration solutions have helped manage complexity more effectively than ever. As a field, we’re getting better at cultivating security-conscious cultures in our organization.
One major trend that I hope will continue is progress towards greater accountability. While GRC can feel overreaching and burdensome, when implemented properly, it grants us the freedom to share and use data. Our industry developed so quickly that it was impossible to put guardrails on it. If we look at a more mature industry like transportation or finance, they have rules and regulations that have evolved over a much longer time. While speed limits and safety inspections can seem restrictive, we largely accept them. It's similar to how rules and regulations allow drivers to share roads with some degree of confidence that their safety isn’t in immediate jeopardy. Companies have repeatedly demonstrated that responsibility and accountability won’t be adopted voluntarily. Painful as they may seem, regulations and standards like PCI, HIPAA, and GDPR have shown some positive movement in this direction.
AI is proving to be an area where this type of governance is essential and welcomed by most. Not to be too flippant, but if science-fiction is any indicator of our potential non-fiction future, as it often is, unchecked, unregulated, unleashed AI could eventually be our downfall.
While it’s a very hot topic right now, and it will continue to reshape the world around us, I don’t subscribe to the idea that it will be a tool used primarily for either good or evil. Experience has shown me that every technological advancement has ultimately provided benefits to both the well-meaning and ill-intended. I may be overly optimistic, but I feel like both sides eventually find ways to leverage the same tools to effectively cancel each other out. One concern is the gap created as each side leverages new tech at a different rate. The time it takes to develop a response is nail-biting.
Another interesting yet frightening advancement may show up in the area of computational power; either true quantum computing or something close to it. As has always been the case, as stronger computing becomes available, it can be used both for data protection and compromise. While both keep pace with each other, a significant leap in computational power may lead to a downside that’s hard to counter: Data captured today, no matter how securely encrypted by today’s standards, would be trivial to crack tomorrow. It’s a major concern, and if I had the answer, I’d be off working up a business plan.
Are there specific threat vectors, such as supply chain vulnerabilities, that you expect to become more prevalent in the near future?
Eric: I think the most prevalent vector will usually be closely tied to whatever our biggest weakness is. In an odd way, I hope that it continues to change — because that moving target means we’re successfully dealing with our biggest weaknesses, forcing threat actors to change tactics.
Specifically, I think DevOps is an area that needs major improvement — or at least more focus on security. This was recently underscored by a joint CISA/FBI alert urging executives at all levels to work harder to eliminate SQL injection related vulnerabilities.
Identity management and authentication is another area that needs more scrutiny. Weak credentials and unnecessarily elevated access continue to be leading factors in security breaches. While MFA and stronger rights management can be inconvenient and challenging, they need to be embraced and adopted comprehensively. It’s that one, old, forgotten “test” account that will be exploited.
Back to my hopeful redefining of the CISO role, parts of an organization that don’t recognize security as an essential, integral priority, will continue to expose us. Security as an afterthought, applied with duct tape and followed by prayers, isn’t working.
If you were to select 1-2 meaningful highlights of your career, what would they be and what corresponding lessons can be shared with other cybersecurity professionals?
Eric: It’s a tough question because I’ve been fortunate enough to have quite a few. I think the seminal moment, however, came as a teenager, before I was able to drive. While my summer job was not technical in nature, I spent a lot of time with our hardware technician. He happened to be out sick one day and I was asked if I could help a customer in need. Thus began a career in IT — once someone agreed to drive me to the customer’s office.
One broad highlight for me has been meeting new people. I’ve had the good fortune to get to know some amazing folks from all over the world, whether I was the one traveling or they were. Interactions with each and every one of them have shaped me into who I am, for better or worse. My advice in that area is not to pass up an opportunity to engage, and when given that chance, to check your ego at the door. My younger self always wanted to be the smartest person in the room. I’ve learned that, while maybe once or twice I was (or was allowed to believe I was), that gets boring and stressful. While I’m still often called on to share my knowledge, experience, opinions, and creative/wacky ideas, I revel in being able to listen and learn from others. I’m happy to be proven wrong as well, because once I have been, I’m more knowledgeable than I was before.
Do you have recommendations for CISOs regarding how to prioritize cybersecurity investments in their organizations? New factors to consider?
Eric: I find myself repeatedly advising CISOs not to get sucked into a knee-jerk replacement of technology. It’s easy to point fingers at products or solutions that aren’t “working.” Often, however, the failure is in the planning, execution, administration, or even buy-in. I cry a little on the inside when I learn about aggressive rip-and-replace initiatives that could have been salvaged or fixed for far less money and with much less grief. If the core problems aren’t addressed, the replacement could ultimately suffer the same fate.
I’ve also seen successfully aggressive marketing campaigns lead to impulse purchases of products that are either unnecessary or redundant because an existing solution had that unrealized, untapped capability.
The bottom line is to take comprehensive stock of what you have and to investigate alternatives to all-out replacement. Don’t level the house in favor of a complete re-build just because of a leaky pipe. Of course, if the foundation is collapsing…
Would you like to share a bit about your partnership with Check Point? What does that mean to your organization?
Eric: Check Point is how I personally cut my teeth in cybersecurity, and therefore will always have a special place in my heart. But at Atlantic Data Security, I’m far from the only one with that long standing connection. It’s almost like Check Point is in our DNA.
Starting with the invention of the modern firewall, continuing for over 30 years of constant innovation, Check Point has been the most consistent vendor in the industry. Many players have come and gone, but Check Point has never wavered from their mission to provide the best security products. I’ve learned to trust their vision and foresight.
As a similarly laser-focused advisor and provider of security solutions and services to our clients, we have complete confidence that properly deployed and maintained Check Point solutions won’t let us or the client down.
We work with a variety of vendors, providing us with the flexibility to solve client challenges in the most effective and efficient way possible. We always evaluate each need and recommend the optimal solution — based on many factors. Far more often than not, Check Point’s offerings, backed by their focus, research, and vision, prove to be the best choice.
Our commitment to and confidence in this has allowed us to amass an outstanding, experienced, technical team. Our unmatched ability to scope, plan, deploy, support, maintain, and train our clients on Check Point’s portfolio is leveraged by organizations of all types and sizes.
I’m confident that between ADS and Check Point, we’re making the cyber world a safer place.
Is there anything else that you would like to share with Check Point’s executive-level audience?
Cybersecurity is not one department’s responsibility. For every employee, every manager, every executive, and yes, even the entire C-suite, cybersecurity is everyone’s responsibility.