Throughout his career, John Germain has gained first-hand experience with how constantly evolving technology creates constantly evolving cybersecurity vulnerabilities. His first introduction to cybersecurity came when working as a network administrator in the 1990s, when the Melissa virus attacked his company's rudimentary data protection infrastructure.
Since getting a taste for cybersecurity during this venture, he has moved through a variety of IT security executive roles during his career. He has been CISO at Boston-based Duck Creek Technologies, a cloud software provider for the insurance industry, since August 2017. As leader of Duck Creek's security programs and cyberprotection initiatives, he's seen how rapidly advancing technology has created unforeseen risk for companies' data security, and for their customers.
In this Q&A, Germain discusses how tech such as AI and the internet of things (IoT) creates new cybersecurity vulnerabilities for companies.
How has IoT's proliferation created more cybersecurity vulnerabilities? How will these cybersecurity vulnerabilities change as IoT continues to grow in popularity?
John Germain: I mean, it just creates a huge, huge arsenal for attackers to leverage. I think that the devices are not really built for security, so they're very easy to compromise, which makes it really challenging from a security perspective. Even once they're compromised -- which is inevitable -- it's almost unreasonable to get these devices patched or secured after the fact. That's the combination of circumstances that we're facing right now.
How has the increased use of automation and machine learning across industries further complicated cybersecurity efforts?
Germain: From a security perspective, we need to be able to automate a lot of incident management and use machine learning to protect a lot of systems, because we have to react a lot quicker. From my position, I expect that I can call out and tell them to take a machine down and do a virus scan and rebuild it. By the time I've even dialed the phone number, the threats have materialized and the consequences are being realized.
Machine learning automation is something that all security people are going to have to depend on to be able to respond quicker [and] to identify these attacks. But obviously any good thing can be used for bad, so if we've got machines out there that are talking to each other and there's no human involvement, then that can be manipulated. The bad guys will figure out a way to exploit it. By the time we figure out something has gone wrong, it's too late.
These systems have no compassion. There is risk in that, because there is no human intervention to stop them from doing something that may have some pretty dire consequences. It's complicated and I'm not really sure it's been entirely thought through the way it needs to be. We need to start paying attention.
Is security being considered enough when these new products are being developed, or is it still put on the back burner in order to get products out to market quicker?
Germain: I'll be honest with you, I don't think that security is even a consideration. A lot of these IoT devices are just features and functionality, whatever they think that the consumer is going to be impressed with, then get it out as fast and as cheap as they can. There's a lot of competition; there's a lot of demand from a consumer perspective.
It's one of those situations where, let's see what we can get out, let's see how the market responds. Security, unfortunately, will always go to the overhead cost. I don't think the vendors right now are in a position where they're looking to increase costs that way with as much competition as there is.
It goes back to there being no incentive for them to build these securely. I don't see that there's much in the way of liability if they don't. Maybe that's something that needs to change. Think about cars -- they go through crash tests and they get ratings so you know exactly what you're getting when you buy the car in terms of safety. There's nothing like that for these devices.
I think we're going to get to a point where something bad is going to happen as a result of these devices not being secure. This could drive a different approach to manufacturing specifications or requirements, and even from a consumer perspective as far as what expectations we have for these things when we buy them. For now, there's no incentive for anybody to change how they're approaching it, which is to not put much focus on security at all.