October is Cybersecurity Awareness Month. That makes it the perfect time to publish an interview with Shirl Mitchell, who recently joined Telesat as Director of Cybersecurity and Compliance.
Read below as Shirl talks about steps companies can take to improve their cybersecurity, how Telesat plans to comply with evolving security standards, and how she has seen the security field change throughout her career.
The following conversation has been edited for length.
Q: Please share some information on your background.
A: I’ve spent the last 37 years working for Pratt and Whitney Canada, a division of Raytheon Technologies, with the last third of that time focused on cybersecurity. Most recently, before joining Telesat, I was their Chief Information Security Officer (CISO).
I started my career as a developer, which gave me a front-row seat view into how developing software and considering cybersecurity has gone from an afterthought to being at the forefront. Thanks to efforts such as Cybersecurity Awareness Month, which is an internationally recognized campaign held in October each year, it has become easier for us to bring cyber education to every employee at Telesat in a fun and gamified way. It’s a win/win: our employees learn how to mitigate cyber threats while earning chances to win prizes.
Business email compromises (BECs) and breaches resulting from phishing are frighteningly common. Employee education and awareness are the only way to combat the sophisticated social engineering that goes into phishing attacks.
Q: What are some things Telesat is doing to strengthen cybersecurity?
A: We are building cybersecurity into everything that we do, from the ground up. That means it is top-of-mind here at Telesat, and what makes me proud is that this mindset is throughout the organization! When asked in one of our awareness quizzes where cybersecurity lies, 100% of our employees answered “with every employee at the company.” That is impressive! We also insist that this rigor is built-in with our supply chain, by ensuring that any RFP which could affect our information or information entrusted to us includes our strict cybersecurity controls.
With Telesat, the cybersecurity controls of a supplier are of paramount importance. Years ago, many of us tended to only focus on price or the technical expertise of our suppliers, and, of course, these are still a consideration at Telesat. But now, without strong cybersecurity controls, we won’t engage with them.
At Telesat, we’ve adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Over and above that, we have recently analyzed the cybersecurity controls (close to 500) of the Infrastructure Asset Pre-Assessment Program (IA-PRE) to ensure the highest level of cybersecurity is built into our next-generation Telesat Lightspeed products.
For example, Telesat Lightspeed, our new Low-Earth-Orbit (LEO) satellite constellation, has sophisticated, enterprise-class LEO protection elements built in. These include jam resistance, low probability of intercept and Layer 2 data encryption.
Build security in at the beginning, and make sure your suppliers know what controls they need to match.
Q: October is Cybersecurity Month. How is Telesat recognizing it?
A: Many enterprises know the steps they should take to improve their cyber hygiene. That said, things like Cybersecurity Awareness Month are valuable chances to drive the message home. It should be noted that collaboration is key in these campaigns; in my experience, an effective awareness campaign is one where the security team and the communications team work closely together.
Here at Telesat, we created a high-quality video that garnered a lot of positive feedback internally. Part of the appeal was putting a “face” to the people involved in the campaign. We also did things like design a cybersecurity-specific background image for employees to use on video conferences.
As mentioned above, we also added an element of gamification to the campaign with weekly quizzes for the entire company. Anyone who took the quiz was entered into a weekly draw for prizes. We received plenty of great feedback about the quizzes as well!
Our themes for the month were ones that every company needs to promote – strong passwords, multi-factor authentication, and how to recognize phishing.
Q: How have you seen enterprise security evolve?
A: Earlier in my career there was no such thing as a cybersecurity organization, or if there was, it was tiny and under-resourced. As I mentioned, cybersecurity was an afterthought; rapidly pushing projects to production and costs were the paramount objectives. That was always the excuse – ‘well if we add security, it will increase the cost.’
Obviously, ROI is important, but thankfully, today there is recognition of the value of cost avoidance through stronger cybersecurity. For example, if better cybersecurity costs tens of thousands of dollars but it prevents a data breach that could cost the company millions, it sure makes sense to spend that money upfront to be proactive and not reactive.
The role of the cybersecurity leader has evolved and needs to continue doing so. More companies today understand that cyber threats are a business challenge, not just an IT challenge. Cybersecurity is something that is now discussed at the Board of Directors level.
I recently read a report from Gartner that 88% of boards regard cybersecurity as a business risk rather than solely a technical problem. The report went on to say that 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026.
That’s a major and hugely positive shift. Telesat also has a strong relationship with the Canadian Centre for Cyber Security, organized by the Government, including public and private sector experts. They reach out to us, and we reach out to them to share threats we’re seeing and suggested best practices.
Q: If you could give large enterprises just one recommendation to improve cybersecurity, what would it be?
A: Can I combine two in one? Because both the enterprise side and the employee side are critically important.
On the enterprise side, make sure you are considering cybersecurity whenever you are developing or changing any kind of system. HR, marketing, CRM – whether in-house or cloud-based. The same diligence must be considered when building your products, and for your suppliers as well.
On the employee side, as I’ve said, keep working on those foundational cyber hygiene basics. Humans are our own worst enemy. Deloitte has reported that 91% of cyber-attacks start with a phishing email, and 32% of all successful breaches involve the use of phishing techniques. With some creativity and a strong relationship with the Communications team, you can make your employees an effective first line of defense.
Q: Thank you for your time, and for joining Telesat! Anything else you’d like to add?
A: Working at Telesat has been even more exciting than I expected. I’ve been very impressed with the skill levels and proactivity I’ve found here among my peers. Telesat’s culture understands that better cybersecurity is everyone’s job.
It’s also fulfilling to be working here during such a dynamic time in the satellite industry. Satellites and networks are complex; offering enterprise-class services means we have stringent requirements to satisfy, but that is what makes the job fun. The next few years will be amazing for Telesat customers, partners and employees, and I’m proud to be part of the effort.