IDGNS: How did the situation change over the time you were working on security within the DoD?
Schilling: The threat actors' technologies and capabilities are not really changing that much in the last five years. We're seeing a lot of the same tools being reused and changed to meet a specific purpose.
Where the threat actors have really upped their game and improved is their operational processes. It is incredible how quickly criminal gangs are operationalized. When a zero-day exploit is announced, within 18 to 24 hours criminal actors are building or modifying tools to be able to exploit those critical vulnerabilities. I wish that I could study the software development programs of the criminal gangs, because they are very, very quick.
The second point I'll talk about is the nation-state actors. The nation-state cyberwarfare activity really was not in the forefront of the news and didn't get a lot of scrutiny in the past. No matter what country you're in today, there just seems to be a lot more national attention and international attention on these types of activities, and a lot of policy discussions on 'Should we be doing it or shouldn't we be doing it?' Those nation-state actors are putting a lot more investment in, and I think we'll see a technology leap ... improving their security processes to make sure that it's harder to detect their activities.
IDGNS: How are things going to change in the future?
Schilling: I think that we're going to get better at defending our networks. So the threat actors are going to have to up their game in the technology that they're using against us. As network security, both in the retail industry and other verticals, gets tighter, you may see some of these criminal actors start going to ... physical access operations where they try to actually penetrate the physical security boundaries of companies. So going forward, I think that we really have to get better at detecting the insider threat as well as with our physical security programs.
IDGNS: What did you learn in the military that may be useful to enterprises?
Schilling: Yesterday I was driving down the road. I saw a guy riding down the sidewalk. He was wearing a bike helmet, but he didn't have it strapped on. So what happens when this guy hits something and goes flying over his handlebars? That helmet is going to come flying off. I've seen a lot of companies that have that same problem with their security. I think you've seen some of the retailers that had bought a lot of security appliances and security technology but really hadn't trained their people to be able to understand and leverage that technology and also didn't have the processes in place in escalating some of the alerts that you get from that technology.