Centric Consulting’s Cybersecurity Service Offering lead David Lefever shares his thoughts on the current cybersecurity landscape, the impacts of AI, and common misconceptions about cybersecurity.
From 2010 to 2023, David Lefever guided a company formerly known as The Mako Group (now part of Centric Consulting) through growth and cyber strategies. As CEO at Mako, he was able to witness and help his team establish a brand representing quality and family values. Now Centric Consulting’s Cybersecurity Service Offering Lead, he continues to guide clients through complex cyber problems.
Tell us about how you came to specialize in cybersecurity.
I’m very much an entrepreneur at heart. Early on in my career, I worked in IT Risk Management and had an opportunity to be on the executive panel of the bank’s risk, compliance and security group. After studying what regulators and examiners expect out of companies to prove that they are protecting information appropriately, I realized this is the kind of stuff I do every day.
Long story short, I saw a need in the marketplace, which is what led me to start The Mako Group and begin hiring talented, technically proficient cybersecurity experts. In 2023 we joined Centric Consulting as it was a natural fit for our practice.
What does a typical Centric cybersecurity project look like?
Clients typically come to us when they have a cybersecurity concern or are being dictated to by someone on the governing body to get their data under control.
Everything we do goes back to helping companies understand their risk of a data breach and then reducing that risk and the impact of a data breach should one occur. We put in mechanisms and software to protect data and then test those mechanisms and software. Much of cybersecurity starts with a process — we build the appropriate processes, formalize, test, and make sure the organization’s controls are in line with expectations.
This can be very complex. For example, we once worked with an auto manufacturer that had nearly 90 critical applications, which means that company needed significant technology enablement to keep track of its applications and users and to test those applications.
What are some common cybersecurity mistakes companies make?
There’s a common belief that if you’re in the cloud, you’re automatically secure. No matter what cloud provider you use, you still need to configure that and set it up securely — it’s really no different than when you were on premises.
Companies also often make the mistake of believing they can automatically trust their service or application providers to be secure. Companies mistakenly rely on these other companies that have ownership or are custodians of data, but that’s not always wise. You need to evaluate every vendor you hand your data over to and perform regular assessments of their security protocols.
How do you predict AI will change the cybersecurity landscape?
AI will no doubt change the threat landscape and is already changing the threat management landscape. Cyber processes are going through a full renovation, with AI making it more efficient. For example, under the current threat management environment, you have someone watching a screen that monitors your endpoints (laptops, printers, and so on), looking for red ink that indicates a problem. When they see that red ink, they call someone to escalate. That whole process is quickly becoming automated.
From the risk side of the house, I can see a lot of trickery with AI. Deepfakes are going to present big challenges for companies. Or threat simulations that aren’t real, used to deter companies in one direction while an actual threat sneaks in the other way — that’s going to make security defense challenging.
In some ways, AI will help to enable more enhanced security measures, and on the flip side, bad actors will use it against organizations.
What’s the most rewarding part of cybersecurity projects?
The entire team really enjoys threat simulations. During the simulation, which is very challenging and takes a few months, we’re actively attacking a company while they’re actively defending themselves. To do this simulation, which is sometimes called a coordinated attack, you need a mature private company, a very mature penetration testing team, and an adaptive incident response process.
What are some misconceptions you hear from companies about cybersecurity?
Companies can have a false sense of security, thinking that because a data breach hasn’t happened yet, everything is fine. That can be dangerous. For example, we once talked to a company that had billions in revenue yet didn’t have a security person on staff. They had all their data in one place. If they had a cybersecurity event, it would be catastrophic.
Another common misconception is that if you buy more devices, you’re more secure. That’s not true. The more you buy, the heavier your security inventory of assets, the more people it takes to manage, and the more process it takes to hold up. Devices are required, but they are commonly a later piece of the cybersecurity equation, so it’s a mistake to feel a false sense of security just because you pay for some sort of endpoint defense that’s monitoring your devices.
Processes and people are what will fail you, not your devices. One person clicks on the wrong thing, trusts the wrong person. Or, you leave one user with access to the system after they’re terminated. Many of the biggest data breaches in history were from process-driven errors.
Take what happened with CrowdStrike in July 2024. That was a change management issue. It had nothing to do with CrowdStrike’s platform. They rolled out a patch to a production environment, but they didn’t test the patch, and it ended up shutting down the world.
Can you share any words of advice for leaders searching for cybersecurity advice?
Look for someone who can help you understand your risk independently with perspective. They should come in with an open mind and be willing to be part of your team and listen to you. If they come in product first, they’re just trying to sell you a product, not trying to reduce the risk of your unique business.