Smothers: human factor essential to protecting critical infrastructure

January 16, 2019

Cyberattacks against SCADA systems – used to control industrial processes as well as much of our critical infrastructure – are a top concern for security experts like Rosa Smothers. Particularly worrisome, Smothers says, is the potential for hackers to use social engineering techniques to gain access that could eventually compromise an entire system. Hackers and adversaries go to great lengths to discover the identities of personnel involved in SCADA operations and lure them into a costly mistake – and, very often, they only need to succeed once.

Rosa Smothers
Rosa Smothers

That’s why training is so essential, Smothers says – and it has to be more robust than is often the case at many government agencies. Her company, KnowBe4, is helping to tackle the problem by building what it describes as “the world's largest security awareness and simulated phishing platform,” designed to go far beyond the simple once-a-year tutorial many employees are used to.

In December, KnowBe4 announced Smothers as its senior vice president of cyber operations. With the move, she transitioned to a private sector career after more than a decade as a CIA intelligence officer.  She is a 2005 graduate of Capitol Tech’s master’s program in network security (now cybersecurity). In an interview for the university, she talks about her professional path, her priorities and goals in her new role, and her experience with the online master’s program at Capitol Tech.

How did you first become interested in the IT and cybersecurity fields?

I don’t remember a time when I wasn’t a computer nerd, going all the way back to elementary school. My first computer was a used Commodore VIC-20, with a cassette tape drive. My dad bought it from someone he worked with. I was so excited – this was my first, very own computer!

As an adult, I worked in IT prior to starting my career with the CIA. Following the September 11th attacks, many of us with an IT background felt the call to serve our nation in the fight against global terrorism. I was among them. Prior to 9/11, I had never thought I would become a technical intelligence officer and analyst at the CIA.

Now I’ve returned to my private sector work, but with the benefit of all my agency experience. I’ve seen the cyber threats to our country with my own two eyes. It’s been very impactful.

What cyber threats do you find most critical?

Our CEO at KnowBe4, Stu Sjouwerman, likes to ask our clients “what keeps you up at night?” in an effort to maintain awareness of top security concerns. What keeps me up at night is the threat to SCADA systems – water, electric, gas, all those services that we can’t live without.

These systems are vulnerable not only because of issues with the technology, but also because of social engineering threats. Having been a federal employee with access to very sensitive information, I know very well that we’re all being phished. If you’re an admin on a government network with access to social security numbers, passport numbers, or information that is significant in terms of our national security, you’re going to be a target. Anyone with access to sensitive information is a target. That’s what keeps me passionate about what we’re doing at KnowBe4 – I want to see us, as a country, up our game when it comes to training and awareness.

What are effective ways of addressing the human factor and encouraging best practices?

Currently, security awareness and training requirements exist within government – but these tend to be once a year. You’re not going to have security at the forefront of your mind if you only train once a year. There’s very little you can learn about security if you don’t practice it on a regular basis.

At KnowBe4, we advocate recurring training. We not only do training but also simulated phishing tests. When you couple ongoing training with continual simulated social engineering attacks, you’ve always got your users thinking about security. When they receive an e-mail that makes their “Spidey Sense” tingle, they’re trained to know all of the things they can do to determine whether or not it’s safe.

If it’s an e-mail from a friend, but the spelling isn’t quite right, or the verbiage differs from the way they usually write things, pick up the phone and call that person to confirm that they actually sent that e-mail. In general, “think before you click.” If you suspect you’ve received a phishing e-mail, take actions to mitigate. First and foremost, alert your IT folks.

There are two easy ways into a network. One is to go onto the Dark Web and look for existing breached passwords. The other is to phish users. You can take a broad-based approach and phish the entire staff, or you can spear phish – that is, you go onto social media sites such as LinkedIn, find out what you can about certain individuals and their friends, and craft specific e-mails that way. It’s very difficult, if you’re a less educated user, to see through that. If someone has determined that you are a high value target they are going to be relentless in their efforts, because the gain is so high. Look at some of the ransomware incidents that have hit the news in the past few years. There is a lot of money to be made. The best thing we can do is provide an ongoing training and awareness program that can make it a lot harder for the bad guys to succeed.

You chose Capitol for your online master’s degree. What was your experience like?

At the time, I was at the Defense Intelligence Agency (DIA). I told my mentor there that I wanted to get my master’s degree at a program with a highly technical emphasis. He told me a lot of really smart folks had gone to Capitol and that I should check it out.

That’s how I found the school, and thank goodness I did! The program really broadened my level of expertise because I was exposed to instructors – and students – with an abundance of technical diversity in their backgrounds. The instructors did much more than talk theory; there was a hands-on, practical application which was probably my favorite part of the program. It wasn’t about telling us how to do something, but, rather, about showing us how to do it.

I already had strong IT skills coming into the program, but it challenged me and provided additional insights into different aspects of network security.

Do you have any advice or recommendations for students going into the cyber field?

Don’t just think about hardware and software. Think also about end users, what they’re doing on those systems, and how it can affect the security of those systems. Cybersecurity isn’t a two-legged stool. It’s a three-legged one: hardware, software, and end user. Capitol students that agree and are looking for a way to contribute should look at the KnowBe4 jobs board. We’re always looking for great talent!