Greg Young, VP Cybersecurity at Trend Micro
Greg is the global Vice President of Cybersecurity for Trend Micro, a 7000 employees, and a $2B security product company.
Greg is one of the earliest pioneers in cybersecurity for Canada, with over 30 years of experience in the field.
At Gartner, for 14 years he was Research Vice President and was the lead analyst for network security, threat trends, and cryptography where he authored more than 20 Magic Quadrants and was Conference Chair for many Gartner Security Summits.
Greg headed several large security consulting practices and was CISO for the federal Department of Communications. He served as chief security architect for a security product company, was a commissioned officer in the military police working on the computer and technical security and counter-intelligence, and received the Confederation Medal from the Governor-General of Canada for his work with smart card security.
Greg is the industry co-chair for the Canadian Forum for Digital Infrastructure Resilience (CFDIR), a Federal government public/private collaboration supporting critical infrastructure and a member of the CFDIR Supply Chain Assurance working group. The Government of Barbados cabinet recently appointed him as a pro-bono advisor and member of their CyberSecurity Working Group. Greg is co-host of The Real Cybersecurity Podcast.
He mentions too often that he was an extra in 2 episodes of Airwolf.
Can you please share your journey with our audiences as experienced professionals in IT and cybersecurity for product companies as well as the private and public sectors?
I started in the field of what we now call Cybersecurity, 33 years ago. I have worked for a vast variety of industries including military, government, consulting, and product companies. I also have 14 years of experience as a Gartner analyst.
What do you have to say about the Cyber Risk Index (CRI), released by Trend Micro which says that Canada has a moderate cyber risk level compared to North America?
It makes sense. Canada has advantages in terms of our banking system, how we receive our internet services and our overall business culture regarding risk. Although, Canada has a very high level of technology adoption, making us more vulnerable in some ways.
Despite Canada being prepared to handle cyber risk, why do nearly three-quarters of Canadian organizations think they’ll be breached in the next 12 months?
These views aren’t inconsistent. There’s a trend of over-optimism about the level of risk in organizations, often due to a dated view of the threat. For example, very few SMEs I speak with have considered the issue of breaches for the purpose of crypto mining. As for the 12 months, I think that is reality creeping into the assessment, with the rate of breaches it is reasonable to expect a breach. It’s the “I’m a great driver, but the rate of car accidents in my town is exceptionally high”.
What is your opinion about Canadian organizations being most worried about security risks in relation to mobile/remote employees? What are the possible solutions to this problem?
It’s a rational concern. Business networks are more difficult to attack than home networks. Given that remote workers are equipped with fewer security barriers and limited IT support, mobile/remote employees make for a better target to gain access laterally to companies. We need to change the psychology that remote workers deserve less: it only increases the risk to your business.
As Ransomware and botnets are among the factors to top the list of key concerns, what are the negative consequences that organizations face after a breach?
Double-ransoms are a big item. That is when there is a ransom demanded for unencrypting the machines and a ransom for not releasing sensitive data. Another concern is that other ransom groups do not respect the payment. It is highly common for multiple ransomware groups to breach a single company, each demanding their individual ransoms. The most interesting outcome is coming to grips with the systemic problem that led to the breach and fixing it, rather than just patching the one vulnerability that was exploited.
What are the strategic tips that you would like to recommend to the organizations to reduce their risk levels?
My mantra for businesses is a patch, backup, and look. Have a reliable process for ensuring software is updated/patched, have a backup regimen that not only backs up what is really important, but itself is safe from being encrypted by the ransomware, and look for things. Looking for things means having visibility into not only the official aspects of your IT but the unofficial parts (shadow IT), and gathering telemetry that is non-traditional. Following these three priorities, the steps include engaging and positive security education, moving to more modern security architectures, better securing open source and cloud components, and automating more of your security.