Dr. Richard Forno, the assistant director of UMBC’s Cybersecurity Institute and Director of the School’s Cybersecurity Graduate Program, discusses navigating the cyber frontier and provides career guidance.
He shares insights on how his interests in national security and technology led to a career in cybersecurity, and the challenges he faced building a cybersecurity program for the US House of Representatives.
Check out a previous Cybersecurity Guide interview with Dr. Forno.
A summary of the episode
Dr. Richard Forno emphasizes the importance of developing both technical and professional skills for a successful cybersecurity career and explains how diverse backgrounds in fields like psychology, business, and the humanities can be valuable.
He highlights the evolving cybersecurity landscape, the criticality of incident response, and emerging trends like AI and technology resilience that should be on the radar of those considering cybersecurity.
Listen to the episode
A full transcript of the interview
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening today.
Our guest is Dr. Richard Forno, the assistant director of the University of Maryland, Baltimore County’s Cybersecurity Institute and Director of the School’s Cybersecurity Graduate Program. We’re going to be discussing navigating the cyber frontier insights and career guidance. Let me tell you a little bit about Dr. Forno before we bring him in.
Dr. Forno has over 20 years of experience in operational cybersecurity and he has worked across the government, military, and private sectors. He helped build the first formal cybersecurity program for the US House of Representatives, was the first chief security officer for Network Solutions, and is a co-founder of the Cyber Maryland Conference.
Dr. Forno is recognized for his cybersecurity, information warfare, and critical infrastructure protection expertise. He has taught at institutions like Carnegie Mellon, American University and National Defense University, and is an affiliate at Stanford’s Center for Internet and Society. Dr. Forno holds a PhD in internet studies from Curtin University and has authored numerous papers and books on cybersecurity. We are excited to have him with us today to share his insights. With that, welcome Richard. Thank you for joining me today.
Richard Forno:
It’s great to be here.
Steve Bowcut:
All right. This is going to be fun. I’m looking forward to it. So let’s start as we are wont to do on this show. Let’s start with kind of your career beginnings or aspirations, and I always find it interesting to figure out or to learn when cybersecurity became a thing for you. Was it in the very beginning and it’s always been a thread, or did it happen during your postgraduate work? How did it work for you?
Richard Forno:
I had a pretty interesting career history in cyber. I mean, when I was growing up, the internet and cybersecurity wasn’t even a thing. I mean in the 1980s it wasn’t really, nobody talked about it, but growing up I wanted to go deal with either the military or intelligence or the national security world in some way. But I was also very, very good with computers growing up. I did a lot of programming on my old Apple II, made some money selling math tutoring software to friends. Even though I was lousy at math, my software worked wonderfully because the computer did all the work.
My undergraduate degree was in international relations because I did want to go into, as I say, the national security world, but also at the time, this is the early 1990s, I was seeing that with the internet, information was becoming much more digitized and stored on computers. And what intrigued me was that there was sort of this convergence between my technical interests, being a hacker and a programmer and things like that, and the national security interests of keeping information safe and secure. So being in DC as this transition occurred in the early to mid-nineties, I was in the right place at the right time to blend what was my hobby, computers and technology and things like that, with my academic interest in national security to launch myself into a pretty unique career path that blended both technical, traditional computer type stuff and more non-traditional policy and management type of things into a pretty, I think, eclectic career. That might be kind of hard to do today because the industry has developed so much more robustly than it was 25 years ago.
Steve Bowcut:
Interesting. Okay. That’s fascinating. So maybe it was your desire for threat mitigation that helped you identify what the threats really were, and you had the technical expertise to do it.
Richard Forno:
I actually didn’t think about it as threats and threat mitigation back then. I looked at it more with a hacker’s mindset. When you’re in college or a teen, you want to buy beer before you’re able to, so you think about how do I get a fake ID or how do I make a fake ID? And then if you make a fake ID and it gets accepted, you’re happy it got accepted. But then you wonder, how did that get accepted? Did I trick somebody, or are they just humoring me because they felt sorry for me? And kids and teenagers, young adults, we want to get around the rules. We all do. It’s human nature. Anybody who’s ever been a parent knows that you tell a child no, they’re going to find a way to do it anyway, so that sort of deviant hacker mindset was with me at a very, very early age. I was a good kid, don’t get me wrong, but that thinking about the system, however it was defined, kind of got me thinking about how that ties into computers and information and digital things. And then as I learned more about cybersecurity and internet security early in my career, really things started clicking together and it made perfect sense.
Steve Bowcut:
Got it. Okay. Thank you. Alright, so one of the things in your bio that stood out to me was your involvement in the cybersecurity program for the US House of Representatives. And I thought, wow, that would be such a challenge, or it seems like it would be for someone who’s never done it. So can you talk about that a little bit? Maybe give us some insight into some of the challenges that you may have encountered in that.
Richard Forno:
It was a challenge, and again, this is the mid 1990s before, again, the modern internet really was a thing and the world really didn’t understand. I mean, back then you still logged on to the internet, and the internet was always this thing you went to and then stepped away from. Not like today, where you’re always connected.
So back then it was a little bit different. It was a great learning experience for me. We were trying to implement a basic cybersecurity program for a large government agency, but one in which you had two different sets of rules. We had one set of rules for the elected officials, the congressmen, and then we had another set of rules for everybody else.
So for example, staff couldn’t use their computers for personal purposes and all sorts of niggling administrative things, but we really couldn’t tell the congresspeople, the elected officials, what to do because by law, politically, they were elected by the people. So we could recommend that they do certain things, but whether they did or didn’t was up to them. And of course, looking back, that created all sorts of problems because when you’ve got two sets of rules and you’ve got people that don’t understand the technology or what’s involved, it can lead to a lot of drama.
So we really had to enforce 435, 436 different standards, if you will. And that was pretty challenging. And from that, I learned a lot about how people work and how to sell cybersecurity in an organization that may not get it. A good example I use is we would walk around Capitol Hill with wireless scanners to scan for cordless phones in offices and things like that. And we caught many people, staff and congressfolks, elected officials, engaging in sensitive conversations, be it personal information with the family or their bank or something else, or more official government, political or even security related matters. And congresspeople figured, well, if I’m in a building, nobody can hear me. But they didn’t think about the cordless phone being essentially a radio transmitter, and that transmits to anybody in range. So you could sit outside on a park bench and monitor this unencrypted communication.
And then when you tell the members of Congress, then they go, oh, that’s interesting. Now whether they follow through and change their ways, I don’t know. But it was a very significant challenge because it really previewed the problems I would see later in my career in trying to build a security program for a company when you’ve got all these various competing interests and personalities and standards that you have to try to enforce and make work. And it was a very challenging time. It was a lot of fun, but it was really, I think a good start because I saw how the world works and it informed me well in the years to come.
Steve Bowcut:
Excellent. And I appreciate that because those are exactly the challenges that I had envisioned when I think about trying to do that. Okay, well, you’ve got this group of people who can essentially do what they want, so you have no real authority over them, and yet you have a responsibility, and always having responsibility with no authority can open all kinds of issues.
Richard Forno:
And it was amusing where we would advise a member of Congress to not do something. They would hear us, they would listen to us, but they wouldn’t hear us. And then six months later, they might be back in their district. And that very same thing that we warned them about doing, they did. And then it turned out to be a political problem and generated news for them and they got embarrassed. And all we could do is say, we told you so.
Steve Bowcut:
Exactly. And nobody wants to say that. Not at least initially,
Richard Forno:
No.
Steve Bowcut:
All right. So you’ve obviously been around long enough that you’ve seen lots of changes in this evolution of the cybersecurity landscape, as we term it. I think it would be fascinating to hear specifically as it relates to technology and national security, or if you want to go even broader, global society.
Richard Forno:
Well, I mean the world has certainly evolved over the past 25, 30 years. Technology has evolved in many ways. We do things now more dependent on technology than ever before. Imagine not having your phone handy to do banking. Oh my gosh, I’ve got to go to a branch. Where is my nearest bank branch?
Steve Bowcut:
Yeah, never been there before.
Richard Forno:
Exactly. How do I stay in touch with my friends without my phone or Instagram or Snapchat or things like that? The good example I use when I talk about trying to teach students about the importance of staying rooted in reality in the real world versus just becoming very dependent on technology is we all have cell phones. And when I’m in front of students, undergrads, in particular, younger students, I asked them on the first day of class who’s got a cell phone? They all raise their hand. And I say, great.
Who here knows the top three or four numbers in their cell phone that they call, parents, boyfriend, girlfriend, brother, sister? And hands will go up and I say, oh, really? Can you tell me the numbers? And they say, no, I just call, I dial mom or dad. And I say, okay, let me ask you a question. Let’s say you were in a car accident and I come along and I want to offer you help, and I see your phone and your phone is broken and you tell me to call mom. If I dial mom on my phone, I’m calling my mom, not yours. My mom doesn’t know you.
So how do you deal with this? And then you see the light bulb turning on like, oh, wait a minute. We really are dependent on that contact list, but we don’t know the data behind it to be able to make these calls from another person’s phone. And I use that as a really basic example of how dependent we’ve become, and in some ways what we’ve kind of sacrificed along the way for the convenience of all this. It is just a very basic example.
Can we still do things for ourselves, or are we so dependent on technology to help us or do for us that when that technology and that network is gone, we become crippled? Coming from a time before the internet was what it is today, I remember those days, and we still managed to live lives and have fun and be very successful. But I worry that an overdependence on technology in society around the world may create longer-term problems for us if we’re not careful, because we become too dependent on the conveniences of the technology and we’re not really looking at the risks, both the technical risks and the social, societal risks that may come as well over a longer period of time.
Steve Bowcut:
That is such a fascinating topic. We should have you on again, and maybe we could talk about just that topic for an hour, probably, because I have that conversation all the time, particularly as it relates to AI and what that’s doing to our ability to... we won’t go down that rabbit hole today, but that is such a fascinating topic and very applicable to cybersecurity. So thank you for that.
So let’s kind of zoom in a little bit and look specifically at UMBC and the cybersecurity graduate program. Talk to us about maybe some of the core skills and knowledge areas that you like to emphasize for students to kind of prepare them for real-world cybersecurity work.
Richard Forno:
When we launched this program in 2011 (I came to UMBC in late 2010), the program was already under development when I arrived. I was really interested in how the university approached cybersecurity. They asked a lot of local employers from the government and the private sector and the military, if you were going to hire graduates from a cybersecurity program, what are the top 10 things you’d look for in these students that would make you want to hire them? And believe it or not, the first three or four items had nothing to do with technology or computers.
It was about can they write well? Can they work as a team? Can they communicate? Can they learn? Can they grow beyond what they’ve been taught? And oh, by the way, if they’re good with technology, we can work with that and kind of build security on top of that. But they were very interested in developing the professional skills first, then the technical skills kind of in parallel. And that was very informative to us because when we launched, we designed the program so that we focused on cybersecurity and the technology involved and the relevant related knowledge, but we also included experiences to let students develop their writing and their group projects and their ability to present and critically think and analyze problems and present findings, so that when they graduated, they had both the cybersecurity skills and knowledge they would need, but more importantly, they had the professional skills and knowledge they needed to put those cyber skills into practice effectively once they got their job.
And that, I think, sets us apart, because a lot of cybersecurity programs tend to just focus on the bits and the bytes and do this, punch this button, type in this script to do that, and they either overlook or they really downplay the broader context that the student, the future employee, is going to be dealing with. So it’s important to really balance the technical skills with these non-technical skills to be an effective professional. This year we’ve transformed our program even further. We’ve launched a master of science degree in cybersecurity. It’s still very technical, but again, we haven’t lost sight of where we came from, and we still know that the best cybersecurity professionals have a blend of both the technical knowledge and capabilities and the professional skills to be effective in the workplace.
Steve Bowcut:
I absolutely love that. You can have all the technical knowledge in the world, but if you can’t get along with other team members and be a part of a team, you’re not going to be successful in cybersecurity. There aren’t any lone wolves in cybersecurity.
Richard Forno:
I often tell students at orientations and information sessions and advising, you can be a great geek and you’ll always have a job or a series of jobs throughout your life, but if you want to have a career that has advancement potential and title and rank and salary and responsibility, you have to do more than just be a good geek. And that’s where these other professional skills come into play. Now, if you want to be an engineer or a geek for the rest of your life, that’s certainly fine. We need people like that who can answer those tough questions. But that’s not necessarily for everybody. And I always tell people, don’t just look at the next two to three years; kind of think about your career and how that might unfold. When they grumble about having to do a presentation versus hacking a website, I say, you’ve got to know how to do both.
Steve Bowcut:
You know how to do it and tell other people what you did or how to do it. And that kind of leads right into the next thing I wanted to see if I can get you to comment on, and that is academic pathways and degrees. So there’s lots of options. There’s certifications or even bootcamps that could fall in there anyway, but there’s certifications, master’s degrees, PhDs, and obviously students should be considering these things for what they will do. But maybe you can help shed a little light on that. So when do I need to be thinking about a PhD? What kind of work am I going to be doing if I get a PhD versus a master’s degree or just a bachelor’s degree, or maybe just a bootcamp or certification?
Richard Forno:
Well, I think the important thing is to first get a good understanding of the cybersecurity landscape. What interests you, the student, in cybersecurity? Are you more of a techie? Do you want to be that geek behind the keyboard looking at network traffic, and maybe, if you’re in the government, launching a cyber attack against a foreign adversary, or you’re doing that low-level traditional geeky stuff? Or are you more of a policy person or a management person, knowing enough technology to be able to manage other people, or knowing enough about the policy and the laws related to cybersecurity and cybercrime to be effective as, let’s say, a lawyer?
I have some students that have gone through my program. They had their law degree, they came through my program to get a master’s in cybersecurity, and now they are a lawyer who really understands cybersecurity and have a decent technical understanding of cybersecurity as well. People like that will be well-positioned for government or for commercial sector jobs. I mean, to have a corporate lawyer who understands not just the law but the technology as well, that’s really valuable.
But for folks in high school and early college, you may be listening, explore the field, see what’s out there, what interests you. And remember that not all cybersecurity is technical. You don’t need to be a good geek to be a good cybersecurity professional.
Just as I tell students, you don’t need to be a coder. That’s all the rage, coding this, coding that. Yes, programming is important, but you don’t need to be a programmer or a coder to enter and have a meaningful cybersecurity career either. So that’s what I would say. Starting off, certifications and bootcamps are great for a quick hit: get some exposure really quickly and see what this is all about. Knowledge will never hurt you. I think that’s very important. A lot of employers look for employees who have cybersecurity and technology certifications from the SANS Institute or Cisco or Microsoft or the EC-Council, for example, the Certified Ethical Hacker. Those are very valuable, and employers look for that. So if you earn those while you’re still in school, that’s great.
At the graduate level, again, a master’s degree is a mid-career sort of thing. You want to really expand your knowledge and get some more in-depth opportunities to research. That’s certainly doable. And I encourage people to certainly consider that, either right out of school if it’s possible, or certainly down the road, maybe even if your employers will help pay for your tuition. At the PhD level, and I always caution students, PhDs are like having children. I’ve never had kids, but in my mind, I think I know what it’s kind of like, because the PhD did consume my life for several years. It did keep me up at night. It did lead to depression and anger and mixed feelings and all these other things. But really that’s a commitment. And if you’re not looking to go into higher education as a professor or as a researcher somewhere else, that’s really what a PhD is for.
You don’t need to have a PhD to go be a chief security officer. It might look great on your resume if you had one. But that’s really a deep multi-year commitment, and it’s really not essential unless you’re going into an academic or a really, really hardcore research type position. So I would focus, looking at undergrads, on computer science, computer engineering, information systems, those types of degrees. Specialize. Take all the electives you can on cybersecurity. But remember too that even if you’re not taking a course on cybersecurity, a course on network administration or systems administration includes cybersecurity by its very definition, because a big part of being a good network or systems administrator is doing cybersecurity: creating user accounts, looking at log files, configuring servers, making sure that your servers are patched. Those are not just IT functions in a vacuum. Those are actually cybersecurity duties.
And that’s important because when you go looking for a job, don’t just limit yourself to cybersecurity in the title. If you’re just starting off as a recent graduate, look for cybersecurity, but also look for network security, network administration, systems administration. These jobs are related to cybersecurity. They include a lot of cybersecurity activities and are a good foundation for sort of the IT environment in the workplace, and will serve you well when you then move up the career ladder and move into more cybersecurity-focused positions. So take a very open, broad perspective on technology and how cybersecurity really impacts all aspects of it.
Steve Bowcut:
Right. Perfect. And that there again leads very nicely into what I wanted to get you to comment on next, and maybe you’ve already covered this adequately, but I’m always kind of intrigued with this idea that there are students out there, or people that are considering what they want to do with their lives, but their interests lie in, say, psychology or something that is totally not related to cybersecurity at all.
And I personally believe, and I like to explore the idea, that there’s a place for just about anybody in cybersecurity because cybersecurity has become so broad, both in their interests and skillset as well as the types of industries they want to work in. Because every type of industry, every vertical, if you will, needs cybersecurity just like they need IT. If you have an IT department, you need cybersecurity professionals within that IT. So can you talk more about those soft skills, or do you feel like we’ve covered that?
Richard Forno:
That’s a really important point, and it bears repeating if we did talk about it, but as I said, you don’t need to be a geek only to move into cybersecurity. I’m living proof of that. Yeah, I’m a geek, but I’ve had no formal computer training. I’ve never had a computer science degree. I don’t hold certifications. And yet I’m running a graduate program at a research-heavy university, a very technical department where I’m at. Okay, but yet I’ve never had a computer science course.
So you don’t need to be a geek only or have a computer science degree to move into cybersecurity. But broadly speaking, I mean, you look at cybersecurity, yes, technology plays a big part. But when you look at the guiding documents of our industry, and I’ll refer students to things like the NIST cybersecurity standards or the NIST Risk Management Framework, for example, these are free documents. You can take a look online.
Technology is important, but equally important are things like, do we have the right policies and procedures in place? Have we trained employees on best practices of cybersecurity? Do they know not to click that link from a stranger, or even from a friend if they weren’t expecting it? Do they know how to report suspicious things? And a great example showing how interdisciplinary cybersecurity is:
I like to use the idea of the social engineering attack. The most complicated computer system in the world is the most vulnerable computer system in the world and the easiest one to hack, and I’m referring to the human brain. If I can trick you into clicking the link or giving me information over the phone or in a chat or via text message or with a fake ID, as I mentioned earlier, okay, I’m not using geek techniques. I’m not hacking you in the traditional Hollywood sense, but I am hacking the system that we’re operating in because I’m still trying to trick you into giving me what I want. So social engineering doesn’t necessarily target the technology directly. The ultimate target is the end user.
So how do we deal with the end user? Courses like psychology, sociology. How do we sell cybersecurity to upper management? Courses in business may apply. Organizational management, organizational psychology, these are all relevant fields for cybersecurity. There’s a longstanding maxim in this industry, and I’ve said this for years even before it kind of became a longstanding maxim, that more often than not the technology problems we deal with, the cybersecurity problems we deal with, are not technology problems; they’re people problems. People use the technology, yes. But that software vulnerability that led to that huge data breach we just read about: who designed the software? It wasn’t AI, it was people.
Did they cut corners in how they wrote the software? Did they not have appropriate quality assurance measures to ensure that this was a secure product before it was released? Did companies run by people market these things, push them out to the world before they were ready because they needed to meet quarterly profit numbers for investors? These are all people-based problems, not technology-based problems. So the people problem has been and will continue to be, and probably always will be, the biggest fundamental problem explaining why we have so many cybersecurity issues, both today and in the future.
Steve Bowcut:
Oh, that is so good. I certainly agree with that. Thank you. So among the many things that you’re expert at, incident response is one of them. So you co-authored a book on incident response. Can you talk to us about that a little bit? Maybe the importance of having strong incident response protocols?
Richard Forno:
Sure. I got into incident response because I also had a very strong interest in helping others, in emergency services, growing up and in college, things like that. You’ve got volunteer fire services or paramedics or volunteer organizations, and incident response is obviously what they do. But we did
In the cybersecurity world, incident response is the exciting time. I mean, as we said in the book and as we joke about now, cybersecurity for the most part is a very boring job, except when it’s not. And when it’s not, it’s like you’re a fireman at a firehouse. It might be boring during the day, but once the alarm sounds and you get on the truck and the lights and the sirens go, the adrenaline gets going and we all have fun and we all become teenagers again because it’s exciting. We’re doing something. That’s a lot of what incident response is like when problems actually occur. It’s critical that we have incident response capabilities in place to protect us and make the impact of a cybersecurity problem less than it should be. And don’t let the name response fool you. Incident response is really a combination of incident preparation, incident response, incident remediation, and incident prevention.
We’re never going to prevent everything from happening, but what we want to do is raise the bar through good cybersecurity practices ahead of time, having good response practices to deal with any crisis that comes up. And then we can learn from our mistakes, learn from what worked and what didn’t work, and hopefully then educate ourselves to not make the same mistakes again. So absolutely a company, an organization, a government needs a strong incident response capability, which involves both policies and practices, but also training, staffing, the appropriate budgets, and it can’t operate in a vacuum. Incident response also is dependent on having very good IT structures in place. You can’t respond to an IT incident if you don’t have an IT department to help you out. It doesn’t work that way.
So incident response is one slice of cybersecurity, but cybersecurity as a whole is dependent on having good IT practices in place. And I’ll give you a very good example. The city of Baltimore several years ago was paralyzed by a ransomware attack. It made national news; it was shut down for several weeks. Businesses couldn’t pay taxes, they couldn’t get zoning licenses. Citizens couldn’t do e-business with their government. They couldn’t call because the employees could not respond to citizen inquiries. The incident could have been resolved fairly quickly, but as it turns out, the city did not have strong incident response procedures in place, and they didn’t have a strong IT management structure in place. So they had to physically go computer by computer throughout the city to rebuild the affected systems. So that’s what took so long, and it cost time and money and disruption.
So incident response is critical, but it doesn’t operate in a vacuum. We have to also work very closely with our IT staff, our IT departments, our lawyers, perhaps even human resources, because if the problem stems from an insider, you’ve got an employee that’s gone rogue, as we would say. How do we find a way to get them off the system in a way that doesn’t let them know we’re onto them and we’re tracking them, so that they don’t cause further damage on the way out? So incident response is another example of interdisciplinarity, where it’s not just computers and geekery; it involves all these other aspects of business and organizations as well to be effective. But it’s absolutely important that we have incident response in place for any organization these days.
Steve Bowcut:
Excellent. Thank you. All right. So as we kind of wrap up here, there’s two more things that I kind of wanted to get your input on. So advice for students, and not necessarily leaders. I think you covered that pretty well when you talked about the various degrees and programs. But before I move on to the final topic, which is kind of forward looking, what do you see coming in the future? Is there anything else in the way of advice that you would give someone who’s trying to decide, is this the right career path for me? And if so, which direction do I want to go in inside cybersecurity?
Richard Forno:
Well, I think the first thing for students to know is that no degree or certificate alone will ensure you a job or ensure you a high-paying job to start. I tell my students, both graduate and undergraduate, you have to, if I was still a hiring manager, if I was still a chief security officer, I was looking at resumes, I would want to see people who have demonstrated a passion for learning and a passion for cybersecurity. Sure, you can just take your courses and your classes and get your degree and be done. But I would be more interested in the candidate who did their courses and their classes. Maybe they joined a cyber competition club at their school. They competed in CTF type of events with other schools. Maybe they won. They attended hacker and security conferences. Maybe they presented at some of them, maybe they blogged or they wrote some software.
They’re showing a passion for the industry more than the discipline, more than just getting their degree. And as I say this, I’m thinking back to when I was the CSO at Network Solutions, which at the time was really the digital center of the internet. And I hired somebody from West Virginia University who had a degree in forest sciences, and the HR person and my boss thought I was crazy because, well, you’re a security group. Why do you want this forest sciences guy? What does that have to do with cybersecurity? Well, it turns out that the student in question impressed us in his interviews. He was more technical than I was at the time. He asked very probing questions. He knew his stuff, and his name was in the Linux kernel credits. So that right there says this guy is doing more because there’s a passion involved.
He’s not just getting his degree to get out there. He believes in this. He’s hungry. This is what keeps him up at night. What’s the next thing I can do in technology? And that inner passion needs to come across to prospective employers, particularly if you want to get your resume past the automated screeners that we all know are becoming a problem these days. Employers, I will say, I know are very interested in students who may have certifications that they earned outside the classroom. If you’ve competed and if you’ve won a CTF or a competition, you have a very good chance of being picked up very quickly because again, that shows not only a passion but expertise. And then my third point I would say is, as you look at cybersecurity as a possible career field, think broadly about your interests and where your interests lie, not only in cybersecurity, but in life.
I was interested in national security and foreign policy. I never thought I’d have a career in computing and cybersecurity, but I found a way to kind of match my hobby with my academic interest into a career that works. Don’t run away from the humanities, don’t run away from the arts and sciences. I firmly believe, and this is speaking as somebody who comes from the humanities, that all my degrees, the humanities inform us. They provide us the context and answer the question why computing is great and we need to know how things work. But if we can balance that technical knowledge with the context in which that technology exists in the world around us, we will be much more effective in the workplace answering the tough questions of cybersecurity both now and in the future.
Steve Bowcut:
That is such great advice. Thank you so much. I appreciate it. Alright, so we’re going to wrap up with, it’s kind of a fun question really. So we’ll ask you to dust off your crystal ball and look into the future. So what should be on the radar of anybody considering cybersecurity? Either if it’s not, they should put it there, but what does the future look like? What kinds of things do we need to be watching?
Richard Forno:
Oh my God. Oh my God, we’re all going to die.
Steve Bowcut:
Yeah, that’s the one. Yeah,
Richard Forno:
I say that tongue in cheek, but thinking back on our conversation, my first reaction is we need to continually reinforce the basics of cybersecurity. A lot of the problems that we see in the cybersecurity world, data breaches and incidents that make the front page, more often than not stem from the fact that somebody somewhere didn’t do the basic cyber hygiene activities that we teach. They didn’t do good IT management. They didn’t do good cybersecurity.
So I think we have to renew a commitment to focusing on the basics of cybersecurity and make it more difficult for bad things to happen and more difficult for bad people to try to do bad things against us. In terms of what I see coming, AI is certainly a concern. I think most people are familiar with AI and where we are and where we’re heading. But AI, like all technology is not perfect, and AI is still developed by people and people are human, and we’re inherently flawed.
So we have to be wary of things like bias in AI, bias in facial recognition technologies to be able to discriminate effectively between good guys and bad guys and not just discriminate based on skin color, let’s say, which is a huge problem for computers in all kinds of ways. So AI is a huge concern. Resiliency I think is a huge concern, and I talked about this a little bit earlier. We as a society, and cybersecurity plays a big part in this need to make sure that we can still stay functional when problems occur. The cybersecurity industry is based on three principles, confidentiality, integrity, and availability. And we’re pretty good with confidentiality, keeping things secret. We’re kind of okay with integrity, the integrity of information to make sure that it hasn’t been tampered with, but we don’t really focus that much on the availability in a holistic way.
So that’s why it’s front page news when iCloud goes down or Gmail has a hiccup or Spotify is not working, because that’s a question of resiliency, and how can we function in a world if resiliency is threatened? So think again about the technology in question and, more importantly, can you function without it? Or if it gets degraded? Companies deal with this all the time, they pay large amounts of money, but in our own personal life, think about the cell phone. Can I dial the numbers to my loved ones? That’s a basic example, but it applies to everything we deal with.
The genie is out of the bottle. So as we move into the future, these platforms, these products, they’re all designed by people and the people behind them should be informed as to what’s involved, the cybersecurity concerns, and how their products and platforms and services can impact the world in both good ways and bad ways.
That’s not meant to make everybody, anybody afraid of technology, but as I said, nearly every technology problem we deal with ultimately comes back to a people problem. And to address the people problem, we need folks who understand the technology and understand the world around them. And that means their education and their preparation needs to include both the computing and the cybersecurity and also the liberal arts and the humanities to be able to put the technology in context so they understand how it fits into the world around them.
Steve Bowcut:
I love that. The example that comes to my mind is, and I’ve seen this happen in a few organizations that I’ve been associated with, they’re very security minded, but they make it so difficult for users to do their job because of the security protocols that they put in place that people will invariably find a way around it, which is much less secure, because they want to do their jobs. They don’t mean to bypass all of the rules and the security protocols, but they’ve got to get their jobs done and they don’t have time to do four-factor authentication every time they want to get on their computer.
Richard Forno:
I’ve been in this industry for going on 30 years now, and I will say, I freely say, the only time I’ve ever written down a password, which was a cardinal sin in cybersecurity, the only password I ever wrote down was for some computers I was working on with the military, because the standards were password length was like 18 characters, alphanumeric and special figures and things like that. And every Monday morning I would spend half an hour on the phone calling the help desk, verifying my identity to reset my password, and I got sick of doing that. It was biting into my productivity time. So I broke that cardinal rule and I would just write down the password on a post-it note and kept it with me, because it was crazy. So it has to be a balance between security and convenience and being able to get the job done.
The pendulum cannot swing too far in either direction, but it oftentimes does. After something bad happens, the pendulum swings to fix all the problems, and then it kind of swings back as people realize, wait, we have to be functional and we have to keep working and money has to keep flowing to the company and there has to be a balance. So that’s a really good point. But again, those decisions are made by people, and we have to look at security risks in a calm and rational manner and focus on the probability that something bad may happen versus the possibility that something may happen, because anything is possible, but is it likely? And if we try to protect against the possibility, we’ve got to protect everything and people are not going to be able to work, and as a result we end up protecting nothing.
Steve Bowcut:
Yeah, understanding risk is so important, and the elements that make up risk, and sometimes we get that wrong, or managers who are not taught those kinds of things will get those things wrong and not really understand probability, criticality, all of those things that go into determining what the risk actually is.
Richard Forno:
And that’s not just a technology concept. That comes back to what I said about having this broad-based educational background in the humanities, where you know how to communicate these concepts in ways that whoever you’re talking with can understand and go, aha, that’s really important. A lot of computer people, they’re great geeks, but they can’t communicate well, and geeks and non-geeks often talk past each other. And that’s really a challenge when you’re trying to sell cybersecurity in an organization to managers and to accountants and to executives and boards of directors and politicians. You have to understand how to communicate to the audience you’re talking to and find a way that the light bulb goes on over their head and they realize, aha, this is important. I got it. And then they will support you in your actions.
Steve Bowcut:
Excellent. Alright, Richard, this has been so good. Thank you so much. I really appreciate it. Our audience is going to love this. I know I have. And so we appreciate your time today.
Richard Forno:
My pleasure. Thanks.
Steve Bowcut:
And a big thanks to our listeners for being with us. Please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of The Cybersecurity Guide Podcast.