Danielle Jablanski is a senior research analyst contributing to Guidehouse Insights’ Digital Innovations research service. She specialises in the disruptive impacts of cybersecurity, artificial intelligence, data integration, and blockchain technologies for industrial applications and critical infrastructure owners and operators.
Jablanski has been responsible for conducting academic and market research on emerging technologies throughout her career. She has independently consulted for the United States (US) government and a technology start-up on novel technology applications for the military, Department of Defense, and commercial sectors.
We caught up with her to talk about the digital transformation of businesses and the cybersecurity risks it poses.
Question 1: As a senior research analyst, you’re familiar with trends and shifts. In your opinion, how has the digital landscape progressed in the past decade?
Danielle Jablanski: The digital landscape has progressed to witness everything we knew the internet might provide for us 10 years ago, and learn to accept what we got wrong. We are more interconnected than ever, and the increased dependencies on data, technology, and digital services have also made society more vulnerable to digital harms. After the .com bubble, there was a new platform for everything. Then convergence took over. In 2021, integration is the name of the game. I think we will soon realize we need to be much more strategic about where, when, and why we use the term “end-to-end”. Not everything can and needs to be connected to serve a worthwhile purpose.
Question 2: In your experience, what are the top cybersecurity issues for industrial control systems in today’s time?
Jablanski: While there are several technical and functional vulnerabilities worth addressing in ICS environments, many of the top concerns remain the same as 15 to 20 years ago – known vulnerabilities in popular vendor systems, internet connectivity, remote access, etc. I think the major challenge today fits in three main buckets: 1) Management has to realize that cyber risk in ICS is a major safety and risk concern, not just a business or bottom-line decision. Without this recognition, budget and personnel resources will continue to miss the mark; 2) We need to professionalize cybersecurity across entire organizations, rather than the field itself – meaning instead of creating barriers to entry created by formal training requirements, cybersecurity in ICS environments requires a holistic approach, incorporated into all aspects of physical processes and operations. And 3) We need to be extremely careful where, when, why and how we layer new technologies, like smart meters, IoT and IIoT onto legacy critical infrastructure technologies.
Question 3: The digital revolution has given birth to digital electronics such as IoT devices. From a cybersecurity standpoint, are IoT devices secure enough to combat cyberattacks?
Jablanski: IoT devices are widely known to be insecure by design. Even if devices are manufactured with baseline security in mind, they are often misconfigured at the implementation phase, which leads to security issues down the road. I’ve heard of security features being disabled for legitimate configuration reasons, deployments with zero encryption, and even IoT that has been deployed underground with default hardware passwords still enabled. Any operation using IoT should deploy devices in accordance with use cases and business requirements but also leverage robust network and data security mechanisms to combat device level insecurity. There’s a lot of work being done to deploy edge computing to improve the redundancy of IoT capabilities. More could also be done to manufacture IoT devices with security lifecycles in mind, specifically related to the future of encryption mechanisms and post-quantum cryptography.
Question 4: Ransomware attacks have escalated exponentially, causing billions of dollars in damages. How can businesses and individuals secure their data against such attacks?
Jablanski: Most asset owners with ICS and OT do not have visibility into their OT network connections, assets, or processes. Securing these networks requires knowledge of what data, devices, and systems exist, and where, when, and how they communicate. We stress that asset inventory is a critical first step to mapping out an organization’s network and communications nodes. Though the frameworks and tools continue to change, building a security program with resilience in mind as the shift from prevention to detection manifests will set organizations apart when they become victims of a cyberattack. I think more can be done within industries to share critical information, best practices, threat activity, and more to produce industry-led insights and build resilience. Lastly, I always stress the utility of simulations, training, tabletop exercises, and any learning objective that level sets business and individual preparedness for attacks – far beyond the information security teams.

Question 5: In your view, should companies developing software and hardware be held liable in case of a breach?
Jablanski: Like any cyber person will tell you, it depends. There are certainly opportunities to build more security by design into hardware, and to test software more in depth before rollouts regardless of proprietary or open source code base. Ultimately, the onus is on the end user or organization to understand what is operating and communicating in their environment and mitigate against potential risks associated with any technology. That said, the tendency to wait to invest in cybersecurity until after experiencing a major breach or event is beginning to change. Going forward, insurers will likely increasingly raise the cybersecurity requirements for coverage, demanding certain policies, procedures, and tools be implemented and properly integrated for coverage to be applicable and ultimately paid out. Lastly, I think that authorized pentesting is never a bad thing with strategic objectives laid out.
Question 6: Software outsourced to unreliable vendors puts users’ privacy and security at risk. Are existing security checks put in place enough to combat cyber espionage?
Jablanski: This really depends on what type of data you are talking about. Existing security checks to combat cyber espionage vary greatly across industries and verticals. The more important question to ask, I think, is, “Do we have a good reason to be collecting, storing, aggregating, and using data for intended and articulated purposes?” Across the board, organizations, software vendors, and even individuals should all seek to minimize the amount and transfer of frivolous data. Policies for collecting, sharing, storing, and transferring data can ultimately address many privacy and security concerns without outsourcing anything. What worries me here is the future applications which might deploy biometrics technologies, for which you cannot simply replace debit cards or reset passwords.
Question 7: Lately, the widespread adaptability towards security tools has increased, causing a rise in security solutions. Are security tools good enough to secure critical IT infrastructure?
Jablanski: If you have the right teams and a dynamic security posture, there are plenty of tools that are robust enough to secure critical IT infrastructure. Where that IT infrastructure has touch points with physical or kinetic impacts is where I focus my attention, but innovation sometimes outpaces the security and regulatory conversations in this realm. Budgets and organizational procedures are ultimately what prevent security tools from being procured and implemented correctly. Many organizations struggle with the many types of solutions and acronyms in the market, often purchasing and deploying products they may not know how to use. On the positive side, we are seeing many valuable partnerships between companies across the industry leveraging their unique value add, and we are also seeing significant progress in the liability issues associated with robust cybersecurity across many industries.
Question 8: How do you enjoy your time off work besides the stealthy world of cybercrime and data breaches?
Jablanski: In my free time, I am learning more technical cybersecurity skills and tinkering with things. I also love reading, biking, being outside, and exploring all that Texas has to offer, from the food to kayaking at the lake to camping in Big Bear National Park. We are always squeezing in trips to get outside with our two German shepherd/chow mix pups!
Thanks for a great interview, Danielle. Since there is a lot of room for cybersecurity to be discussed at length and many online dangers that people need to be made aware of, we’re certain that our readers will find your answers very insightful. As for our readers, you can follow Danielle on Twitter, where she often tweets as @CyberSnark, or follow her on LinkedIn: https://www.linkedin.com/in/daniellejjablanski.
Until our next installment of the cybersecurity interview series, take care and beware of the online dangers that lurk







