Christian Espinosa, a cyber security leader, moved from Riverside, California, to Knoxville, Arkansas, when he was 12 years old. He grew up in extreme poverty with a single mom and two brothers. His mom was addicted to painkillers and was high most of the time. He was determined to get out of his small town in Arkansas and out of his situation, so he worked hard to enroll in the Air Force Academy. His initial plan was to fly jets; however, when he graduated in 1993, there were no more pilot slots. He went into Communications instead and served as an Air Force Communications Officer on active duty for six years. It was during these six years that he first encountered cybersecurity.
The story inspired him to pursue a career in cybersecurity.
Christian, a fan of emotional intelligence training and a cyber security keynote speaker, became excited about cybersecurity during his time in the military and as a DoD contractor. The concept of cyberwar fascinated the cyber security entrepreneur, and he knew it would play a major role in almost everything in the future.
One thing that stands out is one of the initial war planning scenarios in the secure methodology course he went through, where he explained how he would use a cyber-attack to take down the electrical grid of the enemy city. The idea was to remove the power supply, which would in turn disable the radar and anti-aircraft targeting systems, allowing him to fly over the city and carry out missions undetected.
The “5 Things Every Company Needs to Know to Tighten Up Its Approach to Data Privacy and Cybersecurity”
Patch systems. According to The Smartest Person in The Room author, this includes the operating systems and the applications installed on them. It also includes routers, company phones, IoT devices, etc. Essentially, everything on the company network, and every application, should be patched. This seems like simple advice. However, it is rarely done correctly. Most data breaches occur through the exploitation of an unpatched system.
Configuration control. Just like patching, devices that are on the network should have predetermined, standard, secure configurations. The Monotasking expert Christian used to consult for a company that would buy laptops from Amazon and plug them into the company network straight out of the box. These laptops were missing patches, had extra software, had default passcodes, etc.
User awareness. Users are the weakest link. They need to be trained on phishing emails, vishing (voice phishing), social engineering, and other common attacks.
Processes. Processes should be implemented to fortify against attacks. A process could be something like an Incident Response Plan or a process for paying vendors. Many organizations have been burned by paying bogus invoices because they had no process in place. A process for accounts payable could be very simple, like validating with a suitable person in the organization that the vendor did the work, and having a two-person approval process.
Using a risk-based approach. Most companies try to fortify everything equally, which is a recipe for disaster because everyone has limited resources. Critical systems and critical data should be defined and fortified based on priority. Sensitive information should be limited to only the systems that need it. It is much easier to protect sensitive information if it is on two systems than if it is on 20 systems.