Stevan Bernard’s diverse career has spanned nearly 50 years, working and living in over 50 countries and serving in leading roles in both government and the private sector. For the past 17 years, Steve Bernard led Sony Pictures’ global protection services. On July 1st he founded and launched Bernard Global, LLC. In this one-on-one interview, he spoke about cybersecurity trends and strategies.
Q: You work with a very wide range of organizations of different sizes. How do you tailor your recommendations to each organization?
I’ve worked in food, entertainment, tech, oil and gas, law enforcement, military, and I grew up overseas, so I’ve learned to appreciate that everyone’s different. Every company is different. The goal in the end is always the same for all organizations: continuous improvement – making things better.
I add value by coming in with a fresh look to gauge where they are and where they want to be. I then develop a plan for them, but one that’s achievable. You have walk before you can run.
Q: What advice would you give a company’s Board of Directors today regarding how they should protect their assets, invest in the program, etc.?
What do we know? Cyberattacks (known and unknown) are escalating on a global basis. The costs and impacts are spiraling. Confusion over how best to prepare and even counter attacks requires a renewed focus. We can’t ‘insure’ our way out of this. We can’t delegate and assume all is well. Cybersecurity is truly an enterprise responsibility, not just an IT issue. BOD’s review and address risks – this one is significant.
What can we do? Consider appointing a cyber expert to the BOD. Conduct an independent analysis to gauge the current state of cyber security. Establish an information security committee and meet as often as needed. Benchmark with your peers and involve your government. Ask where your crown jewels reside, whether they are encrypted, who has access and why. Review related policies. Focus on legal and internal compliance. Be prepared to change behavior and create a sense of urgency. Ensure crisis and contingency planning is adequate enough to survive breaches regardless of how severe. Educate and engage the workforce.
Q: What do you see as the coming trends/dangers/remedies relating to cyber security?
I see a strong need for cyber security and physical security to be much closer. In many organizations today, this gap presents a vulnerability, but a vulnerability that can be addressed and corrected. The two functions need to learn to speak the same language. They need to define roles and responsibilities better.
In my cyber security experience, I very often see that what to an organization may look like a cyber breach, is something much broader. As a simple example, think about a power company that has a cyber breach in winter. The company’s customers are going to be very physically impacted. So, there’s a very physical aspect to it as well as a cyber aspect, and that is very often the case with cyberattacks.
In one company I worked with, there was a very serious cyberattack. But that wasn’t all. The group that was behind the attack then tried to muster people online around the world to go to the company’s physical stores and disrupt the business. What initially looked like a cyber breach crisis was much more than that. You just don’t know the extent of the damage until you dig in and analyze all the ramifications.
Q: What’s your take on the recent spate of ransomware attacks impacting global commodities companies such as Norsk Hydro?
Ransomware attacks can shut you down globally and has done so in many cases, such as in the recent Norsk Hydro attack and others. Companies may often be tempted just to pay the demand in hopes of getting their data back, but there’s no guarantee that when they pay it they’re going to get their data back. Or, if they get it back, it may have been contaminated. In any case, if you’re going to pay to try and get your files back, you’d be supporting very damaging criminal behaviors. When data is regularly backed-up the loss can really be minimal.
Q: What is your experience with the various crisis management mobile apps that are on the market? What are the strengths and weaknesses of the various platforms that buyers should look for?
Efficiency is key. Anyone with a smart phone and a little training can be on the app to contribute and add value in the midst of a crisis from anywhere in the world. The Groupdolists mobile app, for instance, is very unique and very needed in the marketplace. In my experience, once users become familiar with it, they really see the value of it.
Q: Who is the decision maker for buying a crisis management mobile app?
That differs from one organization to another. Who’s going to benefit from the app may not be the same person as the one who’s going to make that decision. And the decision they make should not be only regarding the purchase but the way you structure the app, the way you set it up.
It’s important to have a platform that is easily adapted to a particular organization’s needs. That’s something every decision maker should make sure of – can the platform be precisely tailored to your business’ needs. If you’re in California worried about earthquakes and fires and floods, that may be a different model than if your facility is, say, in a location subjected to seasonal hurricanes. You’d need to be able to adapt the app to suit your needs.
Q: Which are the best countries in terms of observing cyber security standards, having constructive regulations, etc.? Which are the worst countries for cyber security? And how does the U.S. compare?
There are 218 countries, so that’s a hard question to answer. As we’ve seen over the years the Israelis are always a step ahead on their technical solutions and forward thinking. The US is quite tech savvy but, perhaps because of our dependence on technology, we have a lot of vulnerabilities that we haven’t solved. As for weak countries: we know who they are. You have to be much more cautious when dealing with them. Don’t assume everyone or every country has the same level of sophistication. They don’t.
Q: What steps can organizations and government in the US take to improve cyber security?
In the US, the private sector and the public sector (our government), continue to struggle in how best to communicate. We face a common enemy and one of the roles of the US government is to support US enterprise worldwide. And so, when they see a threat, a new malware, for example, or some other threat, the sooner they can communicate with the private sector the better, the stronger we’ll be.
As you look out, 5-10 years from now, if we don’t figure that out, we’re in trouble. Because the benefit of improving private and public sector communications is to be united in our approach. The enemy is a common one, and criminals and nation states are targeting some of the same things, whether it’s government or the private sector. We need to learn to speak the same language with each other. We’re facing the same enemy. We simply have to improve government-private sector communications on cyber-related threats.
Companies must strive to build trust with their government. When your adversary resides outside of the country you operate in, or where the criminality crosses borders, you have no rights other than perhaps some civil remedies. You also have little insight into who is attacking you and why. While partnering with the government can test the issue of legal privilege you may have no choice. Plan ahead, get to know your partners in government.
Q: If you’re a global organization, can lax local regulations make your cybersecurity weaker, and is it possible for you to override those deficiencies with your own system?
Today it’s still a problem that if you want to do contract manufacturing in China, you have to provide them – by law – with your source code and everything else about the product. Well, how are they safeguarding your data? You’ve given them your jewels, so to speak, and sometimes you’re not able to have the controls you need. Yet you’re still willing to take the risk because you think it’s cheaper.
When a corporation in the US decides they want to offshore manufacturing of a product, they have to ask themselves: What is the value of our product and what happens if it were to be counterfeited somewhere because we made the assets available without the right controls in place? You have to weigh all the benefits and all the risks before you make that decision to go off shore, and that’s huge. If you spend a little more money to manufacture in a place where you have controls versus a location where you don’t, you have to do a net-net analysis. Manufacturing offshore may be cheaper, but maybe not.
Q: Which countries are enabling cyber criminals and why? What can you tell us about the government-sanctioned attacks coming from Russia and N. Korea? What other countries’ governments are engaging in cyberattacks?
There are a lot of countries whose intelligence services are not only involved in protecting but they’re also involved in snooping. Looking at what the other guy’s doing.
There are times when that happens, and the target just doesn’t know about it. And a lot of the time governments hire someone off the dark web to do the spying. These guys are gunslingers, for sale, and they’re good. When nation states hire someone off the dark web they distance themselves. It was Joe off the dark web who did this. It wasn’t us. We’re not involved.
Q: What was your experience during the 2014 Sony hack by N. Korea?
I don’t like to get into details of what went right, what went wrong and what we would do differently. In every attack you’d do that as part of your final analysis. However, what’s more important is, when you think about a cyber breach the immediate reaction most often is to contain it, stop it, eradicate it. But you need to ask first, what is “it” you’re trying to fix? And who did it and why? So, an APT attack by, say, a nation state is typically covert. They never want you to know they were there. And they may be in for years. If you discover it and find out they’re in, do you want to tip your hand, or do you want to run a trail and observe what they’re doing? When your first reaction is to contain that can backfire. It is not always the right thing to do.
Having a really good analysis team take a fresh look is the way to go. Then sit down and discuss what your strategy is for containment, retaliation, what your legal remedies are, whether or not you want to file an insurance claim, etc. The list is very long, but assessment comes first. No knee jerk reactions. Get the right people at the table and really think through it before you proceed.
This interview was reprinted with permission from Groupdolists. To speak with Steve or to arrange a demonstration of Groupdolists, visit https://groupdolists.com/contact.
About the Speaker: Stevan (Steve) Bernard’s diverse career has spanned nearly 50 years, working and living in over 50 countries and serving in leading roles in both government and the private sector. On July 1st he founded and launched Bernard Global, LLC. Their scope of services includes advising senior-management on all facets of global protection services; an emphasis on cybersecurity; creating and conducting awareness programs; executive recruiting; partnering with the FBI and Department of State to enhance awareness and build trust.
He recently joined Groupdolists, a New York City-based technology provider that simplifies coordination during routine and emergency incidents, instantly creating a common operating picture across operation centers and dispersed response and recovery teams, keeping everyone involved synchronized during any situation, as an expert advisor.
For the past 17 years, he led Sony Pictures’ global protection services with responsibility for the CSO/CISO function, investigations and forensics, physical security, BCP, environment, medical, major events and protection, employee health and safety. Prior to this he worked in high-tech, energy and law-enforcement. His tour in the US Army included a year in Vietnam where he was awarded the Bronze Star. He is a Certified Fraud Examiner, has a BS degree in Criminal Justice, an AA degree in Psychology and is a graduate of the FBI National Academy.