Brendan Conlon, an expert on supply chain defence, talks about his experience getting into cyber and how CISOs really need to pay attention to supply chain vulnerabilities.
Brendan Conlon, vice chairman and chief operating officer for supply chain defense at BlueVoyant, was recently in the region to chat to chief information security officers (CISOs) about – well, cyber security.
Cyber Daily had the chance to sit down with Conlon to talk about his experience moving from the US National Security Agency (NSA) into the private sector and what CISOs really need to know about their role and their adversaries.
No lie, asking an ex-NSA spook if it was OK to record our conversation was definitely a weird career moment – but it was a very rewarding chat.
Cyber Daily: Before we get into the nitty-gritty, I’m really curious about how someone moves from the NSA into the private sector. I love hearing about people’s journeys in cyber security – they’re always unique. Tell me about yours.
Brendan Conlon: So while I was at NSA, I met a couple of people who were investing in different things. They were sort of private equity-ish, sort of VC-ish. They had a bunch of money and they were just asking me about tech in general. So it had nothing to do with cyber, it had nothing to do with cryptography or anything like that. It was all just, basically, “Hey, you’re a smart tech guy, can you review this?”
So I would sit and just sort of review things from a due diligence angle. It was due diligence that got me into thinking about businesses in general because it allowed me to ask them, “So this tech looks interesting, but what do you think about the business?” So I didn’t know anything about business at that point, and that allowed me to start thinking about what was going on outside of the NSA.
I had just come back from my third tour in Afghanistan, and I was sort of … I think I’m ready to spread my wings and see what’s out there. And then I started my own company. So it was based on that motivation of talking with these people and understanding some of the business side.
So I started my own company. I went out, I did the raising money and everything, which is always entertaining, started my company, sold that off in 2016, and then moved into the financial sector at that point. I wasn’t like Bill Gates making it huge, but I did all right.
But it allowed me to sort of pick and choose the exact job I wanted.
CD: Has that NSA background given you an advantage over other people in the industry? Or does it just give you a different set of skills?
Brendan Conlon: I think it is definitely an advantage.
I think there are different aspects – the ability to sort of know how you actually break into networks, to really understand when somebody’s talking about … “We need to protect against this adversary” or “What is it that they actually do?” – the nuts and bolts of it. So that’s a skill set.
And then if you couple a government intel person’s background with a good business person who understands markets and how to actually grow a business, that’s a huge sort of win.
CD: So talking about knowing how the bad guys operate – something I’m still getting to with myself – do CISOs know enough about that?
Brendan Conlon: I think I would say [that] over the last five years, CISOs have gotten much more sophisticated in their understanding of how things are working and what things work and what things don’t. A really interesting problem that a CISO has is where you have to understand the specific technologies of how things happen, but then you have to apply that to a hundred-thousand-person company. That’s a shift of … I need to know how to lock this specific door, but I also need to know how to lock 10,000 doors, because how do you protect that scale?
So I would say, yes, in general, they do. There are, obviously, some who don’t get it. They’re more focused on the business process, or missing some of the core technical capabilities. But in general, over the last five years, I’ve been really, really impressed interacting with CISOs.
CD: It certainly feels like over those last five years – certainly over the 18 months I’ve been covering this and the two years since cyber security got front of mind in Australia, when we had some really significant data breaches – that people are learning very, very fast. They have to.
Brendan Conlon: That thing is sort of make or break. I mean, granted, some of these CISOs made some poor decisions, and they were actually being brought up on charges, fined by the SEC, all of that sort of thing. So there is a much larger emphasis on doing the right thing, now, and understanding what you need to do, and then implementing it.
CD: So you’re here in Sydney to talk about security, AI security, and supply chain defence, so I’d like to focus on that last one. How do you go about securing something that is effectively inside your own perimeter?
Brendan Conlon: So this is something that always comes up.
In fact, I was in Singapore … I guess it was two days ago. A CISO asked the same question – “Why is it my responsibility to worry about companies that I’m paying to do something?”
And the short answer is the data kind of speaks for itself – if you allow companies that are connecting to your network, or allow companies that you’re reliant on, just to be on their own and you don’t double check on them, they do much worse than if you are engaged with them at a technical-to-technical level – your technical people talking to their technical people to understand what risks they have, what they’re seeing.
It’s basically a “rising tide lifts all boats” kind of thing – and that protects your business and protects your bottom line by just interacting with your vendors directly.
CD: Which is really interesting because a lot of companies talk about their cloud partner, or some other provider as a partner, but there’s never any talk of a mutual security angle to those partnerships.
Brendan Conlon: Right?
And we have great statistics on what it looks like when companies are interacting with their vendors and when they’re not. And it’s basically three times more secure – that’s the bottom line. We see vulnerabilities being closed at a three-times rate compared to companies [that] are not interacting with their vendors.
CD: Do you think there’s an attitude among some CISOs of… It can’t happen to us?
Brendan Conlon: I believe that most CISOs believe that it will happen to them.
We do a survey every year of around 2,000 CISOs, COOs, CEOs, CTOs – globally – and we ask them, “Have you been impacted by a breach in the last 12 months in your supply chain?”
Ninety-five per cent of them said yes. And they’ve lost money because they’re responding to a breach in their supply chain. The average number is over four a year. So in the last 12 months, 95 per cent of them – and that’s the average mean, so that means there’s some who have had a lot more than four. Some are just one.
So, hopefully, they know; hopefully, they understand. And if they don’t, they’re probably not paying attention.
CD: What do you think people at the coalface – CISOs and their teams – need to know about the way the threat actors actually behave?
Brendan Conlon: I think that’s a real challenge for some people, because I speak to a lot of people who get hacked, and they all say, “Why me? Why would they choose me?”
You have to understand the technical problems, sure, but it’s a people problem when you get down to it. And any large organisational leader will understand that business processes … “Oh, we’ve got the document that says this is our business process,” but the people are not implementing it. If the people are not motivated to do things, and engaging, then it’s not going to work.
CD: Which comes down to leadership. It’s about educating and it’s about empowering other people and making sure they know what to do in their own leadership circles when it comes to security. It needs to be a whole-of-company solution, correct?
Brendan Conlon: And then truly being part of a team.
Where we see it, particularly on the supply chain defence side, is in that interaction with your vendors at a CISO-to-CISO level, to be able to say, “Hey, what’s going on? Are you seeing this? I have a problem here. Hey, have you noticed that you have some vulnerabilities in your system? Can you fix that?”
And then it can help you. We help you. This is what we recommend. “This is how we implemented a solution, and it worked really well.”
And that sort of safety net reduces the stress level as well.
CD: So it’s effectively a force multiplier?
Brendan Conlon: Yes.
And just being able to have other technical people to call when things are happening – this sort of community effort is really important.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.