Scott Schlimmer is an award-winning former Central Intelligence Agency (CIA) officer who now runs Schlimmer Intelligence Consulting, specializing in training, analysis, and cyber security. Mr. Schlimmer served seven years with the CIA. He earned a National Intelligence Award for his work on terrorist threats to the homeland. Mr. Schlimmer is co-author of the book “Stories from Langley: A Glimpse Inside the CIA”. He is also a member of the Mensa high IQ society.
LIFARS: Tell us some background on you and how you got where you are today.
Scott: I’m a former CIA officer. I left the government in 2014 and started my own consulting firm. I was focused on physical security – my experience is more in the anti-terrorism world – but a major European energy company came to me and asked me to apply my previous experience to the cyber problem. Since then, I’ve focused more on cyber than on physical. I still offer consulting services to companies on cyber and physical, and I’m a Partner of the new cyber security firm CyberSaint, whose CyberStrong product measures your cyber security posture. Based on the NIST Framework, it is one of the most comprehensive cyber scorecards on the market. CyberStrong also uses artificial intelligence to offer recommendations to improve your cyber preparedness and improve your score, turning cybersecurity into a standard, measurable business process.
LIFARS: What are some basic things companies should do to protect themselves from cyberattacks and cybersecurity threats?
Scott: Companies seem to over-focus on technical solutions, which are quite expensive, and under-focus on training and governance, which are relatively inexpensive. Moreover, the human is still the weakest link and the largest vulnerability, so the human side of things is extremely important. Security teams also focus more on the tactical, while sometimes neglecting the big-picture, strategic issues. Tactically-focused security teams often have trouble communicating security issues to business units and executives, who are more concerned about security at the strategic level. This is why it’s particularly important that companies train security teams to work and communicate on the strategic level to be most effective at protecting against cyber threats.
LIFARS: Could you please tell us about the cybersecurity training program you are currently developing? Who is it for? What are the key takeaways of the training program?
Scott: A Fortune 15 company asked me to develop a training program for their cyber threat team, focused on the core tenets of analysis that I learned at CIA – critical thinking, writing, and verbal presentation. The approach is similar to what we used to prepare for terrorist attacks. The key takeaway is that you can tap more into your people’s expertise and not have to rely so much on threat intelligence. Another key takeaway is that the threats a company faces can be better communicated to business units and the C-suite, which is vital for ensuring optimal strategies for the entire company and getting security teams and business units to “play nice.”
LIFARS: What is the current trend in cybersecurity training, and what do you think the future looks like?
Scott: Cyber is stuck in reaction mode, with teams responding to the daily threats. Wash, rinse, repeat. Based on the request for training from the Fortune 15 company, I see cyber teams in the future becoming smarter and more strategic. They’ll use this sort of training and change their approach to envision attacks in advance, and get out of this reactive approach that requires playing constant catch-up to the hackers.