
Phishing for Trouble

David Behen talks cybersecurity, C-suite attacks and partnering to protect Michigan

By James Martinez 

The Detroiter recently caught up with David Behen, Michigan’s chief information officer and director of the Department of Technology, Management and Budget. Recognized as a leader in information technology in government, Behen has been instrumental in achieving the ambitious cybersecurity goals laid out by Gov. Rick Snyder that have made the state a leader in the field.

Describe the cybersecurity landscape right now as you see it.

Just about everything in our world is connected now. Your personal devices, personal computer, smart devices that you use nonstop in your professional and personal life. So cybersecurity and the threats that are made today in your professional and personal life have never been at this level before. The cyber awareness and the protective measures that you can take are really important not only at work, but in your personal life, as well.

What are some of the unique challenges you are seeing emerge in this landscape?

The bad guys are getting better, but so are our defenses and awareness of cybersecurity. And so are the partnerships that the state of Michigan has with essential partners like the Department of Homeland Security, FBI, Secret Service, Department of Defense and our private partners across the state. We’re getting better, too.

Cybersecurity is everywhere. We’re seeing a lot of the DDoS (distributed denial-of-service) attacks still, a lot of the phishing emails, and they’re getting more and more advanced. In those phishing emails, they look very, very real and if you’re in a rush or not paying attention, you could easily get duped. Those are things that we’re facing, but like I say, the bad guys are getting better, but the defenses and the partnerships — because of the conversations happening everywhere now — are getting better, too.

Let’s talk a little bit about whaling and specific attacks geared toward getting to the C-suite because of the access they have to sensitive information and the unique danger of that kind of attack.

I think C-level folks are very attractive targets because of the jobs they perform every day and the leadership they provide. And so you’re going to see all levels of advanced and targeted attacks. I think the C-level folks need to be as educated now as they expect of their team.

I like to say cyber isn’t an individual sport, it’s a team sport and everyone’s got to be pulling their weight and doing their part to ensure that your infrastructure and your organization can be as safe as it can be. … It’s not just on your desktop. It’s on your smart devices. Everyone is busy, but C-level folks have quite a bit on their plate and rushing through things. Clicking on things because it looks like the normal stuff is something that they’re really going to have to be careful about and review the stuff before they open it because they’re coming after us, and we really need to be prepared.

If you had one message that you would want to get across to the C-suite out there, what would you tell them?

Cybersecurity is something they have to face. It’s an everyday issue, and it’s not only a once a month or once a quarter board meeting that they’re going to have to address security. They’re going to have to address it with their teams every day, and they’re going to have to invest in their cybersecurity teams because it’s not going away. I’ve had the luxury of talking to organizations all over the world. This is something everyone has awakened to and that’s what needs to happen.

Even with this increased awareness, what do you think people in the business community still may not understand about cybersecurity?

That’s a good question. Sometimes people don’t think it’s going to happen to them, but at some point something is going to happen. So it’s really important that you have your strategies in place, and your partnerships in play. Like in the state of Michigan, we have our cyber instructions strategy. We have our cybersecurity initiative with the Governor’s policy plan over the next few years.

So it’s really about preplanning and exercises, and the things that you need to do because it’s less about the protection and more about response. At some point, something is going to happen to you, so you just don’t want to turn a blind eye to that. You want to make sure that once something does happen, that you respond quickly and appropriately, that you work with your partners to fix a situation.

The sophistication and technology almost changes by the minute. How do you stay on the forefront with that rate of change?

It’s really hard. I like to say the IT decade is 18 months. But you’re right, things are moving fast. What we do in the state of Michigan, quite frankly, is we have a great cyber team. We have great partners in the Michigan State Police, the National Guard, and our private partners are great partners, as well. So we really have a hybrid approach to cybersecurity. We need all those partners working together because gaining talent to better your cyber team is really hard right now.

I think there’s actually negative unemployment in the cybersecurity world — more jobs than there are people. You really have to be partnered up really well with folks, and be open and honest about what’s going on. Put together creative collaboration and partnerships to really try to stay up with the threats that are out there because it’s very, very difficult and no one organization can do it on their own.