Richard Rushing and The Challenges of Cybersecurity Today

Nelufer Beebeejaun
8 min read · Jun 2, 2021

Richard Rushing is the Chief Information Security Officer for Motorola Mobility LLC. Richard has led the organization’s security effort by developing an international team to tackle targeted attacks, cyber-crime, and emerging threats to mobile devices. He has organized, developed, and deployed practices, tools, and techniques to protect the enterprise’s intellectual property worldwide.

What is your day-to-day currently like?

My day-to-day is currently around managing and directing my staff and putting out fires as the CISO. It’s quite chaotic. But for me, chaos is king, and there are many indicators of it around me at all times. The stress level of my employees is one of the main ones I look at, usually concerns over project deadlines or timelines because we can’t work and collaborate like we did before the pandemic and everything has to happen right now.

Things are also always coming up that are important so it’s increasingly harder to multitask. You’re not able to put all the fires out unfortunately, they’re burning still, so you have to go back the next day and it almost feels like you’re never making progress on the things. The other thing is to try to move the security needle higher by deploying or changing or configuring some tools or processes that are around that.

Can you tell me about anything exciting you’re currently working on with Motorola?

Orchestration and automation. In other words, can I simplify the fire?

Continuously taking low-hanging fruit or the simple things that we already know how to do well that can easily be automated. When things come up, we have to ask ourselves, is it a simple security issue where someone just needs to go in and change something? Or is it more complex and is there something to validate etc?

Phishing emails are a really good example of that. The process from, “Hey, I think I got a phishing email,” to “ok so now what do we do, what’s the plan”. Well, if it takes me an hour and a half to research it to figure out whether it’s a phishing email or not and how to help my user, I need to eliminate that downtime as much as possible. So how do I get back in and provide information back to my customer?

My user is becoming critical because of the increasingly complex issues around timing.

The other area is data aggregation. Like, “Oh, take these two spreadsheets, mash them together, give me a list of people, and then go do something to those people.” That kind of stuff is the general side of the automation versus the esoteric, high-end, oh, we want to use all these cool technologies to be able to figure out something that’s going on around it and automate it or do something super complicated. You don’t need to start at the super complicated level. You start at the simple level and take it from there.

What’s keeping you up at night? What are some of the major challenges that you’re dealing with right now?

Attacks. The amount of attacks has gone up by almost 400% from the first of the year. And that’s already a lot in our case as a global organization. And it’s not just the geopolitical things going back and forth between all countries around the world. In some of the cases, that’s important, but in a lot of cases, things like new privacy laws and regulations are coming into play.

So that’s why I say dealing with the attacks is a portion of the burnout from employees because it’s one of the things if you’re not focused on your employees and making their life easier to deal with then there won’t be any work-life balance for them. Trying to hire and retain a cybersecurity person or team has been difficult, and you will always lose people, unfortunately.

What plans do you have in place to help you and your employees detect these “fires” or incidents quickly and to lessen the impact and then return your business to normal?

Some of it is the way we’ve structured our organization, things around endpoints, things around defense-in-depth, so I have different controls that I can enable or disable. I’m trying to think of a good way to design or be part of these plans from the get-go because it does impact you in some of the cases that are there and does provide good levels of control. Knowing the end result of what you want to have done, I think is critical.

For example, say I wanted a big red button that says if I press this button and type in “user account”, it automatically disabled that user account. Or if I want to isolate a computer, I can press this button and it will disconnect it from the network. And nothing will talk to it and nothing else was there.

Some of those areas where you’re thinking about the next step, you found something bad? What are you going to do now? And I think that’s the critical area that you really need to go into. Those are the kinds of specifics because I don’t think there’s anything else that you’re going to fall into on a regular basis. If you’re not careful in a lot of cases that are around that, I think that’s the big one that I’ve seen on occasions where if you’re not thinking about how you’re going to manage it, you can get yourself in trouble because you don’t have a plan.

You always want to plan, but you also want a plan that can generate its own ability, so you know, kind of what you want to do ahead of time versus the other side, whereas I don’t know anything that’s going on and I’m now trying to figure out how or why that kind of behavior is happening. And if I don’t know where or what to act on first, then I’m just going to be lost in a lot of cases.

What is your stance on programmatic advertising leveraging location and device identities to sell? Do you think this information should be the property of the device owner?

Amazing question. I think it depends on whom you are talking to. If you talk to the carrier, the carriers will tell you that it’s their information because this is where things are coming from. So the carriers have their own sides of the house that they’re looking at, from the perspectives of the hotspot providers as they have their own information, and that’s actively being used in some of the cases. So, I have some details on you that I can leverage or use or sell.

But as far as private initiatives and certain things around that I think that’s one of the things that the privacy side of the industry has basically always stated that it’s the property of the user. Hence the kind of opt-in function for a lot of different stuff that’s around. If you look at privacy statements or app statements, they’re always asking for you to opt-in. And yes, maybe share your location with a third party.

I think that’s one of the things that the law basically comes back and states is that it’s the user’s responsibility as part of the opting-in process or the control process. I don’t think using it is bad or evil. But just like any kind of information, it contains a lot of data that if I wanted to match up against other things could be leveraged in a very bad context or something around that nature that’s there. I think from an advertising perspective and some of those areas that there’s always this need for those kinds of functions.

Mostly everybody abides by their privacy policy. Securing private data is not hard, and there’s plenty of solutions and technologies that allow me to do that. Using data that is private is very hard and you have to do it securely, right?

So that’s the struggle that you have, the second that I get this information now what do I do with it? If I said that I anonymize you and everything else as part of my privacy policy, that’s fine, but what does that mean? Since I only have anonymous access, I can’t share that information with advertisers, etc. Or do I take the anonymous data, mash it up with another database and it no longer becomes anonymous data? Then you get into the fuzzy area kind of stuff.

Are there any topics within cybersecurity that you think the public needs more awareness on? Or do you have any final thoughts you’d like to leave our readers with?

It’s important to plan, but have a plan before you plan, so that way when those fires pop up, you are equipped to some degree to deal with these challenges, and not react once they have already happened.

I think from my perspective, cybersecurity is hard, right? It’s always been hard, so don’t expect it to be perfect. It’s never perfect. It’s never going to be perfect. We’re focusing on detection and recovery and resiliency around it.

The thing with cybersecurity that’s really scary is that besides natural disasters, there’s nothing else that can shut your business down. So, if you think about it, you can have labor disputes and strikes. Does it shut your business completely down? No. But you can have other things or around that it does. If I do ransomware, I have completely locked your organization up from everything from manufacturing, distribution, sales across the board. Everything is now turned off. It’s like nothing’s there and the only thing that comes close to that is a natural disaster.

When it comes to the recovery process, on the other hand, the best-case scenario is a month’s time to recover. So, OK what’s critical for a month? Figure it out, revenue lost sales, lost inventory, etc. This is why you have companies that just go pay the ransom because it’s like, OK, six weeks of downtime or $5,000,000.
