DesignIntelligence talked with Bob Bigman, founder and CEO of 2BSecure, for his perspective on cybersecurity, its relationship to physical security, as well as the top cyber risks and threats for leaders to focus on in the coming year.
DesignIntelligence: In your 30+ years in cyber and information security, do you find that we have become more vulnerable? Or does it just appear that way because of the speed of change in technology?
Bob Bigman: We’ve become more vulnerable, and it is a result of interconnectivity. Systems are by default connected to networks—making them more easily accessible for bad guys—yet many people don’t even realize the degree of connectivity they have when they connect to networks.
DI: So there are more doors in now?
BB: Yes. In the past, a bad guy had to physically be at the network that he wanted to attack. Today, we’re all interconnected, from our Volvo to our house all the way through the Internet back to our offices. That’s why recognizance in the hacking business is such a big issue: to find a pathway in. Before, the paths weren’t even there.
DI: In the broader context, how does cybersecurity relate to other forms of security?
BB: I think the distinction between cyber, physical and even personal security will not be much of an issue in a few years. And it’s largely because of interconnectivity. For example, any physical security system we purchase includes connections almost by default back to various vendors who make the software and the hardware, who support it, who perform firmware updates and who monitor those networks.
It’s not just the IoT network, it’s the way we engineer the IoT networks to work. It’s always focused on the ease of use for the end customer as opposed to safety and security. Very infrequently do I hear end customers demand security. They always demand the ability to remotely manage their sensor network from their laptop at home, for example. And companies are all rushing to give us that capability, but no one is asking the question about security.
DI: What are the top risks in cybersecurity that A/E/C firms must consider?
BB: First is the risk in the complexity of networking. For example, when a firm uses their own internal corporate network or cloud services, the interconnections between those firms and other vendors—like cloud services vendors, hardware vendors, software support people, maintenance people—are so complex it’s hard to discern whether they are secure.
Second is the lack of security in computer systems which basically exhibit almost zero security, despite all the firewalls and encryption. We all heard about a significant flaw in the Intel chipsets. They are in every computer, making this a native vulnerability at the hardware level.
Third is the ease of use vs. security. The balance has tipped so far in favor of ease of use, ease of access, ease of support, that no matter what the security people do, it’s hard to get a level playing field.
Fourth is we still haven’t properly fixed the identity authentication problem. Passwords and even the biometric systems we use are fairly easy to break—a hacker just needs to crack the digital artifact of the biometrics.
And lastly, organizations don’t understand their data—what’s sensitive, who has access to it—or where it is actually located. This is not just particular to the A/E/C domain.
DI: As we build more smart buildings and they become more connected to the IoT, how should leaders be thinking about cybersecurity relative to the products they produce?
BB: From a technical perspective, they need to understand the networking that’s performing all the IoT, sensor monitoring and control functions of their facilities. Do they have the right separation? Are the right controls in place? Are the right people monitoring it? Is it secured properly?
DI: How do you think these kinds of cyber security threats are changing the way A/E/C firm leaders need to operate?
BB: It’s not a cyber problem, it’s an IT problem. The companies that do cyber well also do IT well. They have central planning, central management and central governance. So governance management oversight or infrastructure must be in place before a company can ever have any hope of getting cyber right. Leaders must take an active role in dictating specific mechanisms and policies as well performance characteristics and attributes for cybersecurity.
Robert Bigman founded 2BSecure upon retiring from a career at the Central Intelligence Agency. With more than 25 years of information security experience, Robert served the last 15 years as the Agency’s chief information security officer. He frequently briefed congressional committees and presidential commissions.