Sean Berg synthesizes three decades of public and private sector experience in his role as president of global governments and critical infrastructure at Forcepoint. The executive optimizes the delivery of high assurance security to government and critical infrastructure customers worldwide. Berg came to the company in 2017 as vice president of global government sales and has also held the position of its senior vice president and general manager of global government and critical infrastructure.
Berg’s career includes time spent on the White House staff during the Bill Clinton administration in the mid-1990s and nearly seven years as a captain in the U.S. Marine Corps. He further deepened his understanding of the needs of the government in positions at Dell and Polycom, where he served all manner of federal agencies, including defense, intelligence and federal civilian, as well as state and local, education and healthcare offices.
Berg is currently working to intensify Forcepoint’s presence and leadership in the cross-domain government security markets. He sat down with ExecutiveBiz to outline the company’s work with the Cybersecurity and Infrastructure Security Agency and the growing impact of insider threats during this Executive Spotlight interview.
Forcepoint was recently selected for CISA’s Joint Cyber Defense Collective, a public-private sector cybersecurity information-sharing program. How will Forcepoint’s experience help JCDC drive positive change for the cybersecurity industry across sectors?
We’re proud to have been chosen by CISA to join JCDC, as it’s the premier organization for collective action around cybersecurity. Since the collaboration’s inception in 2021, JCDC has worked to improve visibility into the threat landscape, disseminate critical cybersecurity guidance and create strong strategic and operational alliances. Our expertise at Forcepoint aligns seamlessly with these goals. For over 20 years, we’ve led cybersecurity efforts for more than 14,000 private and public sector clients, educating them on proactive planning and supporting real-time cyber responses—experience we are eager to bring to JCDC for the common good.
We also have a specialized research group, which will provide JCDC insights into cyber threats and emerging trends to further improve the nation’s cybersecurity posture. At the same time, the work we’ve done with CISA and the work we will do with fellow JCDC members to protect this country’s critical assets and data will also provide us with key learnings that will shape the future of cybersecurity for our customers. This year, for instance, JCDC is focused heavily on concentrated risk, collective cyber response and high-risk agencies—all areas that are priorities for our clients.
Insider threat has been capturing headlines across the public and private sectors recently. What are some driving factors behind insider threat activity? How can federal and civilian agencies detect and mitigate these threats?
Insider threats should be top-of-mind for all agencies. One big misconception, though, is that all insider threats are malicious. In fact, malicious insiders—those who intentionally use their access to hurt the agency in some way—only make up about 20 percent of insider incidents. Malicious insiders often use compromised user credentials to do things like transfer large amounts of sensitive data to a personal device, use servers or systems they should not have access to, and/or modify logs to cover their tracks. However, most insider threats actually stem from unwitting insiders. These insiders may be employees who do things like use unapproved apps or inadvertently download compromised content, unaware that their negligent behaviors create risk and expose the organization to bad actors.
In the current landscape especially, federal agencies must be ready and able to deal with all types of insider threats, whether stemming from a malicious insider or unintentional risk. The first step to mitigating insider risk is user activity monitoring, or UAM, which entails gathering data from a variety of control points to have a clear picture of normal user behavior. This allows agencies to detect any deviations from the baseline, such as accessing data outside of normal working hours, and respond based on the associated level of risk. To that end, when UAM is combined with behavioral analytics, agencies can create a dynamic risk score for every user—scores that are updated in real time as behavior changes.
However, protection from insider threats doesn’t stop with UAM and behavioral analytics. Technologies like content disarm and reconstruction and remote browser isolation are also crucial for mitigating lesser-known drivers for insider threats, such as malware from documents or the internet that could open an organization up to compromise. As the name suggests, CDR works by deconstructing a file, extracting its valid code, then reconstructing a new malware-free file. With RBI, internet browsing is sandboxed, which minimizes the risk of malicious phishing links and infected file downloads. By layering these technologies together, agencies can achieve optimal protection from insider threats.
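The answer above describes user activity monitoring as building a baseline of normal behavior per user, flagging deviations such as access outside normal working hours, and combining that with behavioral analytics to keep a dynamic risk score that updates as behavior changes. The following Python sketch is an added example of that mechanism and is not code from Forcepoint or from the interview; the events, the deviation weights, the decay factor and the alert threshold are all constructed for illustration, and a real deployment would derive them from far richer telemetry than hour-of-day, byte counts and resource names.

```python
"""Baseline-and-deviation risk scoring over constructed UAM events (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    hour: int        # hour of day (0-23) the activity occurred
    bytes_out: int   # bytes transferred off-host during the event
    resource: str    # server or share that was touched


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from historical events."""
    hours: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    byte_mean: float = 0.0
    byte_std: float = 0.0


def build_baselines(events):
    """Group historical events by user and summarise each user's normal behavior."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    baselines = {}
    for user, evs in per_user.items():
        sizes = [e.bytes_out for e in evs]
        baselines[user] = Baseline(
            hours={e.hour for e in evs},
            resources={e.resource for e in evs},
            byte_mean=mean(sizes),
            byte_std=pstdev(sizes),
        )
    return baselines


# Constructed weights: how many risk points each kind of deviation contributes.
DEVIATION_WEIGHTS = {"off_hours": 30, "volume_spike": 40, "new_resource": 20}


def deviations(baseline, event):
    """Return the list of ways this event departs from the user's baseline."""
    found = []
    if event.hour not in baseline.hours:
        found.append("off_hours")
    # A transfer more than three standard deviations above the user's mean is a spike.
    if event.bytes_out > baseline.byte_mean + 3 * baseline.byte_std:
        found.append("volume_spike")
    if event.resource not in baseline.resources:
        found.append("new_resource")
    return found


class RiskTracker:
    """Dynamic per-user score: each new event decays the old score, then adds deviation points.

    Decay means a single odd event fades if behavior returns to normal, while a run of
    deviations accumulates toward the alert threshold.
    """

    def __init__(self, baselines, decay=0.5, alert_at=60):
        self.baselines = baselines
        self.decay = decay          # constructed value; tune to the desired memory length
        self.alert_at = alert_at    # constructed value; score at which analysts are paged
        self.scores = defaultdict(float)

    def observe(self, event):
        base = self.baselines.get(event.user)
        if base is None:
            # No baseline at all is itself a deviation worth noting.
            found, points = ["unknown_user"], 50
        else:
            found = deviations(base, event)
            points = sum(DEVIATION_WEIGHTS[d] for d in found)
        self.scores[event.user] = self.scores[event.user] * self.decay + points
        return round(self.scores[event.user], 1), found

    def alert(self, user):
        return self.scores[user] >= self.alert_at


# Constructed history for one user: daytime hours, modest transfers, two familiar resources.
BASELINE_EVENTS = [
    Event("alice", 9, 1000, "fileserver-a"),
    Event("alice", 10, 1200, "wiki"),
    Event("alice", 11, 900, "fileserver-a"),
    Event("alice", 14, 1100, "wiki"),
    Event("alice", 16, 800, "fileserver-a"),
]

if __name__ == "__main__":
    tracker = RiskTracker(build_baselines(BASELINE_EVENTS))
    for ev in [
        Event("alice", 10, 1100, "fileserver-a"),   # ordinary
        Event("alice", 2, 1000, "wiki"),            # 2 a.m. access
        Event("alice", 2, 50000, "backup-share"),   # 2 a.m., large transfer, unfamiliar share
        Event("bob", 10, 500, "wiki"),              # user with no baseline
    ]:
        score, why = tracker.observe(ev)
        print(f"{ev.user}: score={score} deviations={why} alert={tracker.alert(ev.user)}")
```

The point of the decay term is that the score is dynamic in the sense the answer describes: one off-hours login leaves "alice" at 30 and below the alert line, but the follow-on event that is off-hours, high-volume and against an unfamiliar share pushes the score well past the threshold, so the response can be proportional to the accumulated risk rather than to any single event.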
There have been several insider risk-associated attacks targeting supply chain and critical infrastructure. How can insider threat management procedures be improved for these highly targeted entities? What are some of the national security implications surrounding these attacks?
This is a major trend, as more than three-quarters of critical infrastructure organizations say they’ve seen a rise in insider threats over the past three years. From Stuxnet (the first known cyber weapon) to Shamoon 3 (one of the “most damaging cyber-attacks in history”), attacks on critical infrastructure are growing in frequency and impact. A recent audit of the Department of Energy, which houses the National Nuclear Security Administration, showed that the department was not monitoring user activity on all classified networks, as is required by federal policy. The national security implications of an insider threat to the National Nuclear Security Administration are clear, and in an era of remote and hybrid work, these threats are only magnified.
Previously, many critical infrastructure organizations turned to virtual private networks to offer remote workers access to agency resources, especially during the pandemic. But once users log in over a VPN, they can potentially reach all systems and data, so this approach no longer provides adequate protection. Instead, the mindset should follow the zero trust approach to never trust and to always verify. All users, devices, applications, and other entities must verify their identity every single time they attempt to access a system or data. This relates closely to the concept of least-privilege access, which grants employees the minimum level of IT privileges needed to do their jobs.
Ultimately, zero trust alone is not enough to mitigate cyber threats or insider risk to critical infrastructure. These entities should apply the concept to strict access control, UAM, and behavioral analytics solutions to ensure they have complete visibility into their data and networks, including the ability to track trends in real time.
Next-generation firewalls, data diodes, and data guards can also help critical infrastructure organizations stay on guard against cyber-attacks. While mitigating insider risk is important for all agencies, it’s particularly urgent for operators of critical infrastructure, as critical infrastructure is a highly vulnerable target for rogue nations. UAM, CDR, and RBI cannot fully eliminate insider threats, but they can create a closed loop of flexible safeguards that increase an agency’s overall cybersecurity posture.