Cyber Security Lessons from the NSA


Written by Lara White

In today’s threat landscape, cyber security isn’t just an enterprise concern, nor is it entirely a government concern. cyber security threatsIn fact, enterprise and government cyber security go hand in hand: corporate espionage can have ramifications for national economies and foreign relations, and cyber surveillance by national actors can affect the enterprise as well. That’s why we believe it’s important for the enterprise to understand the government stance on cyber security.

To learn what that stance is and what security challenges government agencies are facing, we spoke to retired US Air Force Colonel Cedric Leighton. Over the course of his career, Col. Leighton has served in various capacities in the US intelligence community, in addition to working in combat operations during Operation Iraqi Freedom. And he also served as the Former Deputy Training Director at the NSA, training personnel in both signals intelligence and cyber warfare.  Here are some of Col. Leighton’s insights and how they apply to the enterprise.

Col. Leighton: “The state of cybersecurity is a really dangerous area right now…There’s no way that the standard antivirus suites and the standard firewalls can actually keep track of all that and have a meaningful, really deterrent effect on any of these different variants that are out there.”

The same holds true for the enterprise. Cloud computing is turning traditional models of infrastructure security on their heads. The enterprise perimeter has all but disappeared, and firewalls and antiviruses are less than adequate to protect enterprise data and resources in public cloud infrastructures, on mobile devices, or in environments compromised by shadow IT.

Col. Leighton: “Every business and even every individual is vulnerable to cyberattacks today. It becomes very important to weave in solutions such as CipherCloud’s, because right now there is no adequate policy from the federal government to address this issue.”

In the enterprise, regulatory compliance is often a key cybersecurity priority, with HIPAA, HITECH, GLBA, and PCI-DSS among the most common regulatory burdens organizations must bear. But compliance isn’t everything, as we learned from the Target breach. In fact, most data privacy regulations fall short of providing a truly effective framework for data protection, hampered as they are by the slow pace of legislative change compared to the rapid rate of technological development  from both the security and cyber criminal sides. The truly security-minded organization must go beyond the basic requirements outlined by data privacy regulations if it wants to keep its information secure from attackers.

Col. Leighton: “Look at solutions such as CipherCloud’s, because they are going to be very important to securing data and making sure that the data only goes to the intended recipient and not to anybody else.”

Here, Col. Leighton hits on the key point that enterprises must understand when it comes to cloud data security: the fact that it has to revolve around data security. In a world where data is in constant motion and outside the enterprise perimeter more often than not, any security measures that do not directly secure the data itself leave that data vulnerable to theft or exposure. This makes technologies such as cloud encryption and tokenization especially critical.

In the full interview video, Col. Leighton provides many more insights and much more guidance for cybersecurity managers and executives.