If a baseball team has a losing season, a typical response is to fire the manager.

If a company or an enterprise experiences a ransomware attack or a data breach, does the organization do the same for the person overseeing security?

 
Perhaps, but not always. That is the view of Gary Hayslip, a longtime member of San Diego’s cybersecurity community.


Photo: Gary Hayslip, CISO, SoftBank Investment Advisers

Photo: Tim O’Brien, Director of Cyber and Security, MMA Programs, Marsh and McLennan Insurance Agency LLC

“Incidents happen,” said Hayslip. They are no longer a death knell to the career of a chief information security officer, or CISO.


“Unfortunately, as a CISO, I have to be right 24-7, all the time,” said Hayslip. “The bad guys have to be right once.”


Hayslip was one of several tech executives who have faced cyberattacks during their careers and who recently spoke with the San Diego Business Journal.


Cybersecurity First


The National Cybersecurity Alliance has designated October as Cybersecurity Awareness Month.
One of the ideas the group wants to convey is that cybersecurity should come first — that is, make cybersecurity a top priority rather than an afterthought.

 
Tim O’Brien recalled his emotions after discovering that the computer system he oversaw had been locked up with ransomware. Hackers who perpetrate such attacks encrypt a victim’s data, and then offer to restore the data for a price.


“It is a sinking feeling when you wake up to discover that a network that you spent a great deal of time securing has been compromised,” said O’Brien, who was working for a regional government at the time. He has since become director of cyber and security at MMA Programs, a division of Marsh and McLennan Insurance Agency LLC.


The second feeling he had was better. It was confidence in the network architecture he had designed. O’Brien recalled that his team was able to recover all core system network operations over a span of four to six hours, which was record time.


His data had been backed up. This allowed a full recovery “as if nothing had happened.”


Photo: Robert Renzulli, Owner, CyberGeist Security LLC

A Date With SamSam

Robert Renzulli was working with the Port of San Diego in 2018 when his agency experienced a ransomware attack. In that instance, two Iranian men used the SamSam ransomware to lock down the port district’s computer systems, making data inaccessible. The port district was among 200 governments, healthcare agencies and other institutions hit by the two, according to an indictment from a federal grand jury.


The port did not shut down, but it took months to recover.


Renzulli’s team reacted to the crisis by writing notes on small pieces of paper, which eventually covered about 50 feet of a wall in the IT Annex building. “Sticky notes became our best friend,” said Renzulli.


There are several lessons to be learned from the incident, said Renzulli, owner of CyberGeist Security LLC.


It may sound like a cliché, he said, but remember that people are your greatest asset. He recalled that every port employee became a “cyber deputy” supporting the recovery effort. If people were not directly working on the recovery effort, they supported each other, making sure their peers got food and rest.


Renzulli recalled that the first direction he gave was to make one of his employees his “scribe,” to document everything that went on during the recovery. The role rotated among several employees throughout the 24 hours of the day. The notes were used during conversations with the cyber insurance companies, and with the agency’s board and executives.


Training Creates Readiness


Hayslip, who now works as CISO of SoftBank Investment Advisers, spoke of the importance of creating “muscle memory.” Habits can be developed through incident response training, so that when the real thing happens, the information technology staff knows how to respond.