
Steve Levinson
Steve Levinson – Online Business Systems – VP, Risk, Security, and Privacy & CISO. As the Vice President of Online Business Systems’ Risk, Security, and Privacy Consulting Practice, and Online’s Chief Security Officer, Steve leads a vibrant, pragmatic, risk-based, business-minded security consulting practice that focuses on right-sized security, including advisory services; governance/program management and risk assessments (PCI, HIPAA, ISO, NIST, FedRAMP and preparation for SOC2); technical security services (vulnerability scanning, penetration testing, red teaming, and secure code development); data protection and privacy; cloud security; and specialized security services for the healthcare and financial industries. Steve is considered a thought leader in the cybersecurity community, delivering captivating presentations and webinars, and having penned dozens of insights for many publications. Steve is an active CISSP, CISA, and QSA with an MBA from Emory Business School and has over twenty years of IT security experience, and over 25 years of IT experience. Steve’s strong technical and client management skills, combined with his holistic approach to risk management, resonate with clients and employees alike. He has performed or participated in hundreds of risk assessments and compliance assessments, starting his consulting career with Verisign and AT&T Consulting, where he provided cybersecurity consulting leadership. Since then, Steve has served as a key strategic advisor for hundreds of clients and has gained the trust of many industry partners and affiliates, earning him a seat as a respected voice around the PCI SSC’s Global Assessors Round Table. In addition to serving as virtual CISO for several clients, Steve has also performed security architecture reviews, network and systems reviews, security policy development, vulnerability assessments, and served as cybersecurity subject matter expert to client and partner stakeholders globally.
Wherever Steve’s travels take him – and he travels a lot – he makes friends and finds time in his busy calendar to gather as many local like-minded security professionals, colleagues old and new, as he can to share ideas, foster connections, and build on them. His true professionalism and his earnest nature together make up the ‘magic’ that fuels the passion of those he leads. It was exactly this combination of Steve’s vision, passion, and his connections around the world that recently helped form Online’s EMEA division, expanding the organization’s security and digital transformation footprint internationally. Keeping up with the latest security trends and threats is easier than keeping up with Steve; when he’s not connecting with clients or fighting cybercrime, Steve is making meaningful memories with his family, keeping pace with his beloved pups, catching the early surf just after sunrise, or charging down a mountain slope. “Where’s Stev0?” is a common phrase jested amongst colleagues around the virtual Online office. But not to worry, if you miss him, he will circle back again soon.
By now you have likely heard about, or worse yet, been impacted by the glitch that crippled Delta Air Lines’ network and reservations system on Monday and forced them to cancel about 1,000 flights worldwide. Delta has stated that a power control module malfunctioned, causing a surge that cut off power to their main computer network. Normally, the systems would switch to backup computer systems almost instantaneously; however, in this case something didn’t go right. Confidentiality, Integrity, and Availability (CIA) are the foundational cornerstones of information security, and in this case, availability was on the wrong flight path. It is safe to say that this problem, which will ultimately cost the airline millions of dollars, could have been avoided through scenario planning.
While Delta has flapped their wings mightily to get everything back online, this outage is a good example of an important security issue, and of the impact that failing to manage all aspects of it can have.
Availability in the world of InfoSec is similar to that in the airline industry – there are things that we can control (mechanical functionality of aircraft, obviously) and things we can’t control (e.g., weather, and potentially attackers taking advantage of zero-day exploits). As industries continue to increase their reliance on computers, systems, and networks, there is an exponential increase in complexity, which in turn creates multiple opportunities for things to go awry.
For example, in the airline industry, computers and systems are used for everything from reservations to meals to in-flight entertainment. In addition, many airline companies have grown through acquisition and therefore are challenged in connecting disparate systems and networks. With each merger and acquisition, the business must be able to absorb and reconcile the disparate systems, people and processes to ensure they are working in concert.
Don’t Get Stuck in the Middle Seat
Despite all of the technical advances, many airlines still rely on antiquated systems because the act of migrating them to more current platforms could introduce significant risk to the organization. Many of these systems and platforms worked well for their initial intended purposes, but as the business landscape evolved, businesses had to implement tweaks to try to get these systems to communicate with each other, oftentimes at the cost of security degradation. In addition, these custom applications are often developed in house and not well documented. However, this should not be an excuse to avoid upgrading; rather, it should be an element of performing a risk assessment and demonstrating due diligence in properly vetting that risk and understanding how it may impact the organization. Utilizing application development best practices like I describe here is a great way to head off many of these concerns.
Bad things happen to good companies. While it seems that a power outage event would be included in anyone’s BC/DR plan, this unfortunate incident shows that some scenarios either weren’t played out, were considered far too remote in likelihood, or were JOOTT (just one of those things). Your Business Continuity plan should, amongst other things, cover various scenarios associated with power failures, including redundant sources of power, UPS (uninterruptible power supply) battery back-up, back-up power generators, and of course, failover capabilities. Along with architecting these features into your ecosystems, you also should define and perform test scenarios to ensure that your power back-up solution works as advertised! It is unfortunate that a simple power outage crippled the organization and caused millions of dollars of losses along with brand damage.
What’s your Flight Plan?
But it’s more than that. As your environment and ecosystems change over time, it’s easy to miss vulnerabilities and weaknesses that spring up as a result of these changes, no matter how granular your change management and SDLC processes are – many small, seemingly inconsequential changes may ultimately add up to changes that could significantly impact your organization. That is why it is critical to perform periodic risk assessments to determine how various outages and failures may impact the overall environment. This takes meticulous planning and a clear understanding of your data flows, networks, systems, applications, and data stores: how they are interconnected, and how the availability of each element impacts the others. You can check out one of my older posts on risk assessment here.
I’m Leaving on a Jet Plane
This unfortunate outage could have been avoided, or at a minimum should have been an accepted risk. We don’t know if that’s the case or not. But this could have happened to anyone, and as a matter of fact, almost all of the major airlines have suffered computer outages, in one form or another, over the years. Take heart, and learn from others’ misfortunes. Take measures to prevent them from happening to your organization. Continue to practice good security hygiene by performing periodic risk assessments to identify potential issues and their impact. Make sure that your BC/DR plan addresses all of the reasonable scenarios you can conjure up, as you certainly don’t want to wing it here.
Concerned that your organization could use a little help identifying and mitigating risk? Drop me a line and we can continue the conversation.