Jeffrey Engle of Conquest Cyber: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

An Interview With Tyler Gallagher

Originally published by: Authority Magazine | Dec. 6, 2021 | Tyler Gallagher

 

“Doing the right thing at the wrong time is still wrong. Like multiplying anything by 0 the answer is always 0. Writing a policy before you know what to do? Wrong. Doing a risk assessment without a common risk frame? More confusing than helpful. Building a network without an architecture? Like building a house with no diagrams. No one wants the toilet in their living room or the locking mechanism on the outside of the door.”

– Jeffrey J. Engle

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Jeffrey J. Engle.

Jeffrey J. Engle is the Chairman & President of Conquest Cyber, as well as the inventor of a cutting-edge Cyber Resiliency Ecosystem Platform & the CEO of 1st Quadrant Services, a Managed Cybersecurity & Compliance Provider. Mr. Engle is a Combat Veteran and Purple Heart recipient who served in US Army Special Operations prior to shifting his focus to the cyber domain. He is a graduate of Virginia Tech and has a fascinating career path that ranges from hunting for viruses in Kazakhstan to skydiving with the British Special Air Service.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I had an interesting youth. I went to a lot of different locations and schools which gave me the opportunity to have a lot of examples in my life. Some of them to follow and many to avoid. From the outside in it could appear challenging, and in some ways tragic, but I think the diversity of experience helped build a level of resiliency that prepared me for the realities of what I would face as an adult.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My grandfather was the most influential in the decision tree that ultimately led me to cyber. He was a veteran of WWII, Korea and Vietnam. Despite, or perhaps because, he had spent so much time fighting he had the best personality, demeanor, and sense of humor of anyone I was around. I knew that the military would be part of my path. Each step along the way I was drawn to the area I thought created the greatest threat to national security and the American way of life, that gave me opportunities I was able to capitalize on. Now, that greatest threat is in the cyber domain and I have been fortunate enough to gain some knowledge, skills and support along the way to focus on this domain. I think the last 20 years have prepared me well for this challenge, and, I hope, have given me some of the demeanor, personality, and sense of humor that I remember so fondly in him.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Right before moving to South Florida I signed up for a Jiu Jitsu academy since I was a pretty active competitor and wanted to keep training. I was working remotely but flying back to DC pretty frequently. Since I was getting ready for competition, I would show up and train a bit differently than the academy in S.FL was used to. After training one of the guys asked me a couple of questions and we got to talking. Over the next 9 months he kind of recruited me and we built a plan. For the next 5 years he supported me along the way, as an investor, owner and friend before joining the team as the CRO for Conquest.

Are you working on any exciting new projects now? How do you think that will help people?

We have quite a bit going on that will enable the cyber resilient ecosystem to scale more rapidly. It relates to posture management across multiple organizations and domains where common or inherited control data and threat-context data can be rapidly pushed to our deployed platforms. The cyber domain is challenging and complex. This will enable greater transparency and contextualized data for decision makers.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Have a bigger purpose. Do something that keeps you excited. Find people to do it with that you admire and who will hold you accountable.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

Our current state. Our adversaries. The environment. We have a ton of capability development that we need to do in order to regain our competitive advantage on the world stage. The cyber industry is not doing much to solve the big problems because it is easier to make a lot of money solving the small ones. Our adversaries are sophisticated, focused and unencumbered by the self-imposed rules we operate under here. That gives them a leg up while we bicker about the definition of an effective control in a compliance framework that hasn’t been implemented. The environment is accelerating with increased dependency on technology and technological development at a frantic pace. This is a scary/fascinating field and domain of modern warfare.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Candidly, they need to start dealing with the threats that are here today. Cyber hygiene is like keeping rust off of a battleship. It’s a metal box sitting in saltwater. It is a constant fight to maintain and when one thing starts to go it has a cascading effect. Once we prevent the scenarios we can predict it makes it possible to adapt to everything else. But, if I had to name a few critical threats on the horizon they would be: 1. Greater prevalence and sophistication of insider threats due to the changes in the way we work and 2. Killware.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

When you have gotten really good at the basics, and train them all the time, it enables you to get really tuned in. Something as 101 as knowing what assets should be on your network, which people and where they are connected from, and what assets (systems, networks, data) are critical and what is happening with them can be the difference between event and incident, incident and breach, breach and catastrophe. Side note: If you haven’t tested the plan in the conditions you are likely to face then it isn’t worth the paper it is printed on.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

As a business leader my main interface is through the SCyOps™ platform. It shows me where I am in relation to where I want to be organizationally and tells me if there is something that needs to get done in order to improve cyber resiliency. The different teams across the company use tools like Microsoft Sentinel and Defender series of products to gain underlying protection and telemetry around key cyber data elements. Since we are a software company we also use tools for code security, as well as the typical perimeter security stack.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Not having a large team isn’t necessarily detrimental. With the right strategy and partners you can realize a great deal of economy. Generally speaking, if you are doing something you want protected then you should upgrade your cyber as soon as you can afford to. This doesn’t necessarily mean hire a CISO. Getting a qualified MSSP/MSP can be a good solution but you need to evaluate your options based on your sector, growth trajectory and business priorities.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

The generic adage is ‘don’t be the slowest gazelle’ but your situational awareness can be a differentiator. In the recent attack on the water treatment facility in Florida, the operator apparently saw the cursor moving on the screen. Things like that can be considered ‘lucky’ from some perspectives but there are many people who would think nothing of it other than ‘that’s weird’ and go along with their day.

A few general items to be on the lookout for are as follows: 1. Unusual timing of events, 2. people trying to gain access that don’t have a need or are trying to circumvent the approval processes, and 3. distinctly different language patterns in online communication.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Just like my combat medical training… Stop the bleeding and then treat the wound. Activate your CSIRT, keep records, execute your incident response plan, contact your cyber insurance company and then make sure that you are dealing with facts versus theory. Everything else is primarily determined by the type of organization, type of systems or data that may have been compromised, regulatory implications and the source of notification. Bottom line: You do not want to be figuring these things out when you are under duress. Understand the scenarios that you might face and what is important to you first. Then exercise those scenarios and improve the plan while training the key stakeholders.

I think that privacy rules that apply to geo-fenced constituents in this country provide complexity without the desired impact. Privacy protections are an important consideration in overall risk, but I would prefer if there was some basic standard on the national level that aligned privacy to cyber given their overlap. It has always been a consideration for us to include privacy considerations as PII, PHI, etc. are all critical data types.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Not knowing what is on your network, e.g., accurate inventory of hardware and software assets with near real time updates. Not knowing who is on your network or verifying the people who should be there can only access what they need. Not knowing what is critical to your business and the associated levels of priority for other assets. Not labeling and protecting sensitive data.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

I’m not sure the pandemic has increased errors per se. It has however changed the attack surface significantly. Now people are doing activities with sensitive data from home (or some other remote location) without the trusted network connectivity. There has also been a lot of hiring without geographic or personal connection. This increases the vulnerability of organizations in a number of ways that are increasingly difficult to mitigate.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

  1. Cyber risk is business risk. The days of getting insurance and hiring a CISO to take the fall are long past. The buck doesn’t stop at the CISO and the costs of cyber insurance are becoming untenable.
  2. Business leaders have a fiduciary AND moral obligation to understand their cyber posture. You should not be making decisions based on the input of someone who will likely not be there when the chips fall. Many organizations support critical infrastructure and if they don’t make good business risk decisions the impact of the inevitable cyber event will be much worse for their business and potentially OUR way of life.
  3. Perfect is the enemy of good. You need to know where you want to be and where you are. Then, you have to be realistic about what it will take to make progress and build a cyber resilient culture.
  4. If you don’t identify what is REALLY important to your organization then the bad guys probably will. One of the hardest things organizations do is prioritize assets. They may be too close to the problem. There may be organizational politics at play. Perhaps there are better advocates for the ERP than there are for the HVAC. Whatever the reason is, you have to do it. The bad guys can identify it quickly based on what your organization says that it does online, how many personnel support the effort on their LinkedIn profile, etc.
  5. Doing the right thing at the wrong time is still wrong. Like multiplying anything by 0 the answer is always 0. Writing a policy before you know what to do? Wrong. Doing a risk assessment without a common risk frame? More confusing than helpful. Building a network without an architecture? Like building a house with no diagrams. No one wants the toilet in their living room or the locking mechanism on the outside of the door.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Mobilize. American businesses, state and local governments, critical infrastructure consortiums, etc. are the ‘soft target’ in a low intensity digital conflict. We really need a combined effort between the tech/cyber industry, government and the businesses that enable our way of life. Not simply information sharing, grants or building tools but a coherent approach that goes beyond guidance or regulation. Something that eliminates the unnecessary noise, simplifies the critical and enables automation for scale so we can regain a competitive edge. As it stands, many people and organizations approach the challenge in unhelpful ways.

Perhaps they think the government will save them. With hundreds of thousands of organizations that make up our critical sectors how would that even be possible?

Some think it will never happen to them. In all likelihood it already has.

Some think the newest tool or tech will be the savior. Without good risk management, integration, testing and validation most tools will never be properly deployed, and the adversaries will just take a different door.

We must improve our Cyber Jiu Jitsu across the board. That means we need a mobilization similar to WWII. Our country and way of life, our position in the world, has been under attack and we need to get everyone participating in our active defense.

For further information contact:
Mercedes Jorge
mjorge@conquestcyber.com

 

About Conquest Cyber

CONQUEST is the premier cyber resiliency software platform – enabling an ecosystem of partners and customers across critical sectors to defend against threats, get resilient and enable the US to gain a competitive edge in the battle for cyber supremacy.

Originally founded in 2008, Conquest Cyber took off under the leadership of Jeffrey J. Engle, a retired Special Operations combat veteran and highly regarded expert in adaptive risk management for critical infrastructure. We have an office in Miramar, FL and our Headquarters is in Nashville, TN.
