In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack,” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience with all of us. As a part of this series, I had the pleasure of interviewing Greg Sullivan.

Greg, former Fortune 100 CIO, CTO, and CEO, is a cybersecurity expert with decades of experience in technology innovation and risk management. His career spans government and private sectors, including 12 years with the U.S. Department of Defense and NSA, as well as leadership roles at Carnival Corporation and Global Velocity, where he spearheaded global cybersecurity initiatives. Now leading CIOSO Global, Greg helps businesses navigate cybersecurity challenges with risk-based strategies.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Yes, gladly. Thank you for having me. I was always interested in technology. The first business I started, upon graduating from college, was a software development services company. We built applications for companies when they couldn’t, or didn’t want to, buy. At that time, the word cybersecurity didn’t even exist.

Early in my career, I recognized the need to protect digital information, so I focused on securing data. It was clear to me that one of the biggest dangers to companies was the threat to their digital information, especially private information. Because of the escalating threat to all of our private information, I realized that protecting data was essential to everyone, all of us, not just to businesses for bottom-line reasons. When we introduced e-mail to our company in the 1990s, our CTO said to us all, “Don’t put anything in an email that you wouldn’t shout from the top of the building with a megaphone.” He was right then, and it still holds true today.

In 2003, I sold my business and soon thereafter became involved with Alma Mater, where I worked on the development of defensive cybersecurity products. This is where I learned about cybersecurity and how important it is. In the early days, hackers or threat actors/bad actors were rapidly advancing their tactics. They were becoming increasingly sophisticated, and it seemed as though they were surpassing government and business defense capabilities. At this time, I developed an additional motto, which became my mantra: Speed. I learned very quickly that speed was essential when it came to insulating networks from hackers. This led me to learn a great deal about complex technical topics, including traffic flows, high-speed pattern matching, and vulnerabilities.

I spent the next 12 years with federal and private agencies working in cyber technology to protect classified settings. These agencies include the U.S. Department of Defense, the NSA, and leadership roles at Global Velocity. I still have the mental scars from those years to prove it. However, these challenging times also led to a deepening of my technical understanding of cybersecurity, which ultimately paved the way for me to become selected as Senior Vice President & Global Chief Information Officer at Carnival Corporation.

While at these companies, I became a consistent critic because I was constantly complaining about why organizations weren’t collaborating as effectively as threat actors. It was clear to me that these hackers were exploiting many vulnerable areas, which I viewed as “red flashing lights,” causing me to ask again and again, “Why aren’t our defenses effective?” I took on answering this question as my mission and became heavily involved in advocating for collaboration on this issue.

My position at a Fortune 50 company made me the ideal conduit for these conversations, enabling me to put my ideas into practice. I was invited to participate as a problem solver in numerous cyber incidents, and sometimes that involved sharing information with the public. This is how I developed my skills in presenting and conveying the situations that needed immediate attention.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Oh, yes! At the beginning of my career, I was fortunate to be among a small group of people outside of the military to be included in the first convening of a U.S. Department of Defense (DoD) Cyber Warrior team led by General Keith Alexander, who had just been appointed the nation’s first leader of US Cyber Command. I recall our first meeting when he said two things that profoundly impacted me. One was during his opening remarks when he stated that a foreign adversary had penetrated the U.S. power grid. That shocked me. And the second thing he said that I will never forget was that among the greatest threats to national security is an application called Angry Birds. As it turned out, there was a significant hack where the infiltrators created a spoof with malicious code.

I was genuinely shocked to learn about the power grid having already been infiltrated. And with Angry Birds, the idea that something so popular that grew as quickly as that did could contain code embedded by threat actors. Well, that was just terrifying to me. It was these two incidents that really brought me to the realization that cyber threats are unlikely to go away anytime soon. Our focus was national defense at that conference, but it quickly became apparent that the U.S. military wasn’t going to be involved with defending utilities or popular gaming apps.

I recall that there was another speaker at this conference who left an impression on me. He had two college students behind him on computers. During the presentation, he offered a digital copy of a pre-released book, which was delivered to the audience on a USB drive for those people who were on laptops. That was when he informed those who accepted the drive that the students behind him now had control of their devices.

After these revelations, I began working with multiple entities on cyber defense. And I gained a perspective on the significance of threat actors and how they operate without concern for retribution.

Can you share the most interesting story that happened to you since you began this fascinating career?

I had the opportunity to work in a highly classified environment called the National Cyber Range. The organization is now public, but back when I became involved, the first National Cyber Range was established in response to 9/11. Its goal was to protect and manage digital information, and I was invited to test its cyber capabilities. I was part of the first commercial organization to test a highly sensitive program. And what interested me was the intellectual knowledge of all the participants involved, as well as the level of talent in the military and their contractors.

This high level of intellectual ability, as demonstrated in testing, suggests that everyone, civilians included, should be concerned about cyber threats, given that the federal government is now investing significant resources in studying them. This gave me great confidence in our military leaders, who were taking the problem seriously. And I learned a lot from them. I also had the opportunity to demonstrate my cybersecurity innovations in this intense environment. The entire experience was reminiscent of a major competition, where there were winners and losers, as evidenced by the person who presented their technology before me, who actually left in tears. However, after I finished my presentation, no one said anything. I count myself among the winners as the audience members just closed their books and gave me a solid round of applause, which was not for me: it was for the incredibly talented team and innovative solution I was fortunate to present in that situation.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Good question! The first character trait is curiosity. I’ve been blessed to work with amazing people. The CEO of Carnival Corporation taught us all the value of curiosity. He would say that if you’re not curious in your interactions with others, then you really don’t care. So, I learned from him to combine my engineering technical background with a high level of curiosity. Ever since that time, when I’m exposed to cyber incidents or a solution, I’m always curious about exactly how it works.

The second character trait is to be a lifelong learner. There’s always time to learn more information. There are books to read and intelligent people that you can surround yourself with. For example, I went on a business trip with an employee I was responsible for, and we ran into someone else whom I had worked with twenty years prior. It was an unexpected and pleasant encounter, and we agreed to meet later for dinner. My work colleague was curious about how my friend and I had so much in common after not having seen each other for twenty years and asked, “How?” My longtime friend explained it in the simplest terms, “If you find someone who knows a lot about what you’re interested in, then you foster that friendship for life.”

I earned my CISSP after concluding my full-time CIO career. I’m also now in my third semester of a Master’s degree in AI/Data Science. I’m having a blast as there is nothing like learning new skills and applying them. In my case, I’m focused on finding ways to apply AI and Data Science to cybersecurity.

This leads right to the third character trait, which is being someone who is interested in building and maintaining relationships over time, e.g., always preserving your networks. I’ve had the pleasure of a long career built on cultivating many personal relationships. These relationships are vital to my mission as a CISO.

Are you working on any exciting new projects now? How do you think that will help people?

For sure! We recently launched CIOSO Global. I’ve been amazed at the pace of innovation and investment in cybersecurity. The mission of CIOSO Global is to stay abreast and support innovation as it comes to market. We help companies mature their cybersecurity and become more compliant and resilient in their IT operations. It’s exciting to spend time understanding these new capabilities coming to market. I also value my positions on advisory boards and corporate boards, where I can leverage this knowledge for the benefit of others.

There are so many cybersecurity innovations occurring right now! Even some of the tried-and-true areas of cybersecurity are undergoing significant revolutions. The level of investment in IT resilience, network protection, software development, and third-party risk management is stunning; it’s a challenge and exciting to keep up with it all.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

1. Believe it can happen to you. There are many financially motivated hackers around the world with enormous incentives to level up their knowledge and penetrate your network for a profit.

2. Be prepared to recover from cyber attacks. You will have to recover from a cyber incident someday. Therefore, ensure that you incorporate a high degree of IT resiliency. This includes continuity planning, penetration testing, and backing up all data.

3. Treat cybersecurity as a risk management and mitigation conversation, just like you do in other areas of the business. Cybersecurity needs to be managed in the same manner as other financial risks are assessed.

4. Make “know thyself” your mantra. You must understand your current cybersecurity maturity level, as well as your IT resiliency perspective. And always continue to absorb as much knowledge as possible, because our adversaries do. In addition, invest in hiring the right people to help you achieve the ideal cybersecurity state, and understand that the software tools you are using to run the business are more like a Trojan horse than Fort Knox. And finally, you must believe that a cyber attack will happen to you.

5. Believe that a cyber attack will happen. This bears repeating because it’s fundamental to everything else we’ve discussed. Once you accept this reality, you’ll make the necessary investments in protection and recovery capabilities.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂

All organizations need to work together more effectively to thwart cyber attacks. There is no shame in being hacked, and the rapid dissemination of information will benefit others. In addition, we have to be as smart and open as the hackers. They’re great at collaboration, at building trust mechanisms. There’s no single human who represents the ability to execute a cyber attack on their own. We must all realize that every facet of society and business is intrinsically connected and discoverable to anyone who has the means to exploit our hardware and software. We must inspire protective innovations through a continued flow of innovation and share these innovations across all industries. That’s how we protect ourselves and win.

How can our readers further follow your work online?

Connect with me on LinkedIn https://www.linkedin.com/in/gregoryasullivan/ or learn more about what we do at CIOSO Global: https://ciosoglobal.com/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!