ACFCS Member Spotlight: For former CIA, White House cyber defender Matt Ashburn, countering digital brigands requires dynamic mix of curiosity, creativity, critical thinking

The Skinny:

  • In this ACFCS Member Spotlight, a top cybersecurity thought leader shares some of his tips and tactics for success in a dynamic sector, fraught with both technical challenges and the inherent, persisting vulnerability of human error. 
  • For Matt Ashburn, who has guarded the virtual halls of the Central Intelligence Agency and White House, part of the passion that drives him to protect customers stems from the understanding of his adversaries – be they advanced hacking collectives or low-level phishing and ransomware opportunists. 
  • He realizes that while trust is the foundation of most relationships, in the context of cyber defense, the concept of “zero trust” is actually a powerful notion that can help companies gird themselves against both aggressive external and pernicious internal threats. 
  • In his more than 15 years, Ashburn has seen the vanguard of network security shift from a focus on preventing attackers from getting in, or data getting out, a chiefly technical exercise, to also encompassing the culprit in the majority of successful cyber incursions: human error. 
  • In his jump to the private sector with Authentic8, he is part of a team crafting a powerful, portable browsing platform in a relatively nascent, innovative field: cloud-based internet isolation.

By Brian Monroe
bmonroe@acfcs.org
May 29, 2020 

For financial crime compliance professionals, the industry has been moving over the last decade to a convergence model, where banks break down silos between anti-money laundering, fraud and cybersecurity to increase efficiency and effectiveness and to prevent investigations from running in parallel.

But for Matt Ashburn, who has protected the country’s most sensitive data at the highest levels of the U.S. government’s top intelligence-gathering body and even the President, his keen understanding of cyberthreats has inspired him to conclude that, in some cases, a silo shouldn’t be broken down, but reinforced.

As part of a team at Redwood City, Calif.-based Authentic8, Ashburn has taken his lessons from the public sector and harnessed that knowledge in a bid to craft a powerful, portable virtual “silo” that lets users browse the web without fear of illicit infiltration.

His work builds momentum for cloud-based Internet isolation (CBII), a nascent but growing arena of the cybersecurity field once reserved for agencies like the Department of Defense, which aims to give the rank-and-file the same layered protections afforded rich companies behind enterprise-level corporate security.

Such a mission is even more critical for professionals of all stripes that must do nearly everything online now during the COVID-19 global pandemic, which in recent months has taken more than 100,000 lives in the United States, resulted in lockdowns and business closures and has plunged much of the world into an economic downturn.

The result: with more people online and working from home in a less secure environment, the attack surface has broadened for banks, corporates and individuals – just as fraudsters, hackers and organized criminal groups engage in more creative and aggressive cyber, ransomware and phishing fusillades.

The hook in many of the latest scams – information tied to the pandemic, personal protective equipment (PPE) and the status of desperately needed stimulus payments and corporate paycheck protection programs.

The innovation of these scams – from low-level opportunists, savvy foreign nation-state attackers and experienced and determined hacking collectives – is no surprise to Ashburn, who cut his virtual teeth as a Central Intelligence Agency (CIA) Cybersecurity Officer and White House chief information security officer (CISO) for National Security systems.

But the technical understanding of arcane cyber vulnerabilities is only part of the solution to adapting and growing in such a dynamic space, he said.  

Some of the most important attributes for professionals in his field: curiosity, critical thinking, problem-solving and a never-ending “desire to learn,” Ashburn said.

Those are words he has taken to heart.

Ashburn has a deep bench of experience in many of the most complex and nuanced disciplines of cybersecurity, including policy, incident response, vulnerability assessment, penetration testing and cloud security. 

He has seen the cybersecurity sector undergo a tectonic shift over the past 15 years, moving from a nigh singular focus on “perimeter defense” – think external attacks taking advantage of unknown vulnerabilities or unpatched systems – to a “zero trust” model.

In essence, such a stratagem accounts for one of the most insidious contributors to successful cyber incursions: human error and other insider threats, such as an individual unknowingly clicking on a malicious link or unwittingly falling victim to a business email compromise (BEC) attack.

In his jump to the private sector, Ashburn has made it his passion to prevent such a dystopian future from happening.

Ashburn is currently the engagement lead for Authentic8, helping ensure that users and customers can “get the most value from our products and services to enable secure web browsing based on a true Zero Trust model.”

But in order to safeguard users and keep focus on so many plates spinning in the real and digital worlds, there is no place for ego, he said.

A quote from a renowned inventor helps keep him grounded and humble: “Compared to the history of the universe, we have an infinitesimally small amount of time on this earth, so try to leave the world a little bit better and live each day to its fullest.”

Ashburn was kind enough to share some of his insight in our latest ACFCS Member Spotlight:

What do you do in your current role?

I’m the engagement lead for Authentic8, helping ensure that our users and customers can get the most value from our products and services to enable secure web browsing based on a true Zero Trust model.

What does your career trajectory in financial crime look like?

I started my career with an internship as an intelligence analyst and have focused on cybersecurity and cyber intelligence for my entire career. 

I’m thankful I’ve had the opportunity to work in many disciplines of cybersecurity, including policy, incident response, vulnerability assessment, penetration testing, and cloud security. 

I’m incredibly proud of the work we’re doing at Authentic8, and strongly believe that cloud-based web isolation technology can have a tremendous impact to help reduce risk, prevent fraud, and ensure genuinely secure environments.

What is the best advice you have ever received?

I had the chance to spend a few days with Dean Kamen, a brilliant, well-known inventor, and I asked him for advice and what keeps driving him to do so much.

He said: “Compared to the history of the universe, we have an infinitesimally small amount of time on this earth, so try to leave the world a little bit better and live each day to its fullest.”

What would you say are the most important attributes for someone in your role to be able to succeed?

Curiosity, critical thinking, problem-solving, and a desire to learn.

How has (compliance, investigations, etc.) changed and evolved during your career?

Fifteen years ago, perimeter defense was *the* focus for securing an enterprise from outside threats, and most organizations had enterprise networks that were relatively open and accessible once inside.

Over time, various compliance standards were adopted, many times required by legislation – FISMA, GLBA, HIPAA, etc. – and organizations invested more in assessing and managing risk.

More recent approaches such as the Zero Trust security model and MITRE ATT&CK framework are helping cybersecurity professionals mature their understanding of trust, risk, and adversary tradecraft to implement appropriate countermeasures to defend against even the world’s most advanced adversaries.

What do you see as the key challenges related to financial crime in your role or in the sector overall?

Cross-border international crimes continue to be a challenge. Institutions continue to lose a tremendous amount to adversaries who are difficult to prosecute, whether due to challenges in attribution, geographic location, or because the compromises could be linked to a nation-state entity.

What motivated you to become a financial crime professional?

I enjoy critical thinking and problem-solving. The challenge of mitigating risks in creative ways attracted me. 

Is there anything that surprised you about your current role?

I felt some apprehension when considering moving from the government to the private sector — it’s a significant shift in culture, processes, and work environment.  

However, it’s awesome, and I am fortunate that Authentic8 treats its employees as a family — it’s a warm, welcoming environment that values the contributions of every person.

Why did you join ACFCS and/or become CFCS-certified?

On behalf of Authentic8, I’m looking forward to contributing to the financial crime risk management community through knowledge sharing and collaboration initiatives. I recently published a white paper for CIOs and CISOs on rapidly enabling remote workers in times of crisis.

I’m also presenting at several of your educational training sessions this year, and looking forward to meeting the ACFCS community at the upcoming DC chapter events.

How did you get your first job in the field and what advice would you give other job seekers to help land their first position?

I studied electrical engineering in college at the University of Virginia (UVA) and was paying my way through school. An internship with a telephone hardware company fell through, so I asked everyone I knew about other job and internship opportunities.

A friend of a friend worked at a government agency in Charlottesville and provided me an application for a college internship that resulted in not focusing on electrical engineering, but on assessing technology and capabilities of foreign adversaries, with cyber being the latest challenge. 

I enjoyed the challenge of helping defend against threats. The internship opportunity led to work in and around the federal government in DC after graduation. I wouldn’t be where I am today without it.

Advice: NETWORK and be open to trying something new.  

What is the most rewarding part of your job?

I’ve been fortunate to have worked in both the US government and the private sector. I enjoyed consulting for a large-scale financial institution. 

It’s gratifying to know that the day-to-day work can have a more substantial impact –  enabling organizations to deliver on their mission without unnecessary risks to their data, users, or customers. 

For professionals with 5-10 years of experience, what advice would you give to help them rise in their careers to the next level?

To step outside of your comfort zone.

New opportunities and experiences in a different discipline or industry are precious, building upon previous knowledge, and challenging you to become better at your trade to evolve as a well-rounded professional. 

Experience across all of the cybersecurity disciplines has helped me a great deal to integrate processes, appropriately weigh risks and understand risk management from multiple perspectives.