I recently hosted and moderated a distinguished panel of Chief Information Security Officers (CISOs) - Nitin Raina, CISO at ThoughtWorks, Mike Wilkes, former CISO at Marvel and Yogesh Badwe, CSO at Druva.
We discussed major trends for 2024 across an array of topics including the evolving threat landscape, recent regulations, data privacy considerations, and securing products and critical infrastructure. We also discussed strategy, leadership, resilience, scapegoating CISOs, artificial intelligence (AI) and much more.
The panel acknowledged that more CISOs are under greater scrutiny and are being held personally accountable for cybersecurity incidents, and it anticipates that this fallout will accelerate.
Mike highlighted recent legal cases involving CISOs, expressing concern about the unprecedented accountability of security professionals and the potential for them to be scapegoated. He discussed cases like Joe Sullivan at Uber and Tim Brown at SolarWinds, emphasizing the SEC's issuance of a Wells Notice for a CISO, a first in history. Mike questioned the trend of holding CISOs responsible for issues beyond their control and predicted a continued exodus of CISOs from their roles due to perceived lack of support.
Yogesh offered a contrasting view, suggesting that recent cases may serve as catalysts for elevating the role of CISOs and improving security programs. He sees a shift from viewing security as a technology problem to recognizing its real-world impact, citing examples like the Colonial Pipeline incident. Yogesh anticipates new regulatory actions prompting positive transformations in the industry, offering a silver lining to the challenges faced by CISOs.
Nitin Raina emphasized the importance of closely examining cyber regulations, particularly for publicly traded companies bracing for the incoming SEC directives. He sees the regulatory landscape as an opportunity for organizations to enhance their cybersecurity practices and engage with leadership and boards to navigate the complexities. Nitin pointed out the optimistic side of adapting to global regulations in the EU, India, China, and elsewhere, even though it poses challenges. Mike added that the New York Department of Financial Services (NY DFS) has set a precedent by requiring over 3000 covered entities, each with a CISO, to sign a declaration of compliance with new cybersecurity requirements for 2023. Mike expects this regulatory push to drive the adoption of best practices, such as widespread implementation of multi-factor authentication and regular risk assessments, even though the transition may be a struggle for some organizations.
Mike introduced the concept of the age of cyber kinetic warfare, suggesting that cyber attacks causing loss of life are becoming more prevalent. The Triton malware that tampered with an oil refinery's safety settings and the attempted poisoning of a water treatment facility in Florida were used as examples. Mike anticipates an increase in cyber kinetic actions and raised the question of what digital retaliation is permissible in response to attacks that cause physical harm. He envisions a new era of legal challenges, expanding the law of war to include cyber warfare. Yogesh added that cyber warfare is already intertwined with geopolitical conflicts, highlighting the difficulty of attributing attacks and the challenges countries face in determining appropriate responses.
The discussion delved into the challenges of third-party risk management, particularly in the context of breaches and the delayed revelation of impacts. Nitin addressed the widespread reliance on third parties in today's technological landscape and the need for continuous due diligence beyond initial assessments. Nitin emphasized the importance of close coordination and regular conversations with key third-party providers, highlighting the significance of vendor management skills and understanding the scope of responsibilities.
Yogesh brought up the concept of shared responsibility models inspired by the practices of AWS and Amazon, emphasizing the need for a prioritized and evolving approach to third-party risk management. Mike highlighted the significance of continuous monitoring and the limitations of annual assessments. He underscored the need for default security measures and a shift in perspective towards making systems hardened by default. Collectively, the panelists stressed the importance of a proactive and evolving approach to third-party risk management in the dynamic cybersecurity landscape.
The panel discussed the pervasive nature of ransomware and its continued dominance in cybersecurity discussions. Nitin acknowledged its significance within the cybersecurity landscape, and he noted the unique footprint of macOS-centric organizations.
Yogesh highlighted the alarming increase in ransomware incidents, citing statistics and emphasizing the evolving tactics of threat actors, such as data extortion and the targeting of uncommon areas, including SaaS apps and the cloud. He also pointed out the changing tactics of threat actors, including SEC disclosures and social engineering methods to create additional pressure on organizations.
Mike discussed the recent updates to NY DFS regulations, emphasizing the importance of rapid reporting for both ransomware detection and payment. The panel collectively underscored the severity of the ransomware threat and the evolving challenges organizations face in dealing with its multifaceted nature.
Mike introduced the concept of a "digital potato famine" as a prediction for a hypothetical crisis scenario where threat actors release malware or ransomware that, due to a monoculture in iPhone devices, could potentially brick millions of iPhones simultaneously. He drew a parallel with the historical potato famine in Ireland, where a dependency on a single crop led to widespread suffering.
Mike suggested that the uniformity and locked ecosystem of iPhones make them susceptible to a massive, coordinated attack, resulting in a form of digital depopulation. The prediction was delivered with a mix of seriousness and humor, highlighting potential vulnerabilities in tightly controlled digital ecosystems.
Nitin emphasized the importance of combining technical expertise with soft skills and business acumen in the field of security. While acknowledging the shortage of security professionals, he advocated investing in capability development and creating opportunities for rotation within the organization.
Nitin highlighted the significance of understanding the business and effective communication as critical skills for security professionals. He mentioned a new role, the Business Information Security Officer (BISO), designed to bridge the gap between security and business, allowing security professionals to work closely with business leadership teams. Nitin encouraged organizations to explore innovative ways to mentor and grow their security staff beyond traditional methods.
Mike highlighted the significance of critical infrastructure security and supply chain issues, particularly in the context of OT (Operational Technology) and IoT (Internet of Things). He described the challenges of securing OT and IoT environments, emphasizing how difficult traditional prevention, detection, response, and patching methods are to apply in these settings.
Yogesh reflected that understanding the components of critical infrastructure, especially when it involves OT and IoT, is a complex task due to dependencies on various vendors. He pointed to President Biden's cybersecurity memo and the increasing momentum of regulatory efforts to improve software supply chains. The discussion touched on the importance of initiatives like Software Bill of Materials (SBOM) and the hope for greater adoption of supply chain security principles to enhance the overall security ecosystem.
Mike brought up the criticality of the maritime sector, stressing its significance in global trade and potential vulnerabilities in ships due to cyber threats. He emphasized the need to pay attention to OT risks and the large number of IoT devices with default passwords and outdated firmware, posing significant security challenges.
Nitin emphasized the importance of resilience in cybersecurity. He noted that while there has been significant emphasis on protection, identification, detection, and response in building security programs, organizations need to pay more attention to recovery and resiliency. Nitin highlighted the need for discussions around disaster recovery and business continuity, not just from a technical standpoint but also from a business perspective.
He urged organizations to focus on ensuring that their infrastructure is resilient, particularly in the context of remote work and changing security challenges. Closer collaboration between security teams, IT, and business operations leadership in addressing these resilience concerns was emphasized.
In the discussion about AI in cybersecurity, Mike emphasized that threat actors are rapidly pivoting towards AI to capitalize on its capabilities. He mentioned the use of AI by bad actors to build models from Dark Web datasets, enabling them to find weaknesses and vulnerabilities more effectively. Mike also brought up the issue of deepfakes, highlighting the potential for AI-generated audio and video that could be used for social engineering attacks.
Yogesh added that the challenges extend to the use of AI in various scenarios, such as remote work environments where AI-generated deepfakes could disrupt typical security processes. He emphasized the importance of addressing security and safety concerns related to AI systems.
Nitin provided a business lens on the topic, acknowledging that AI is here to stay and that organizations are adopting AI tools and technologies. He encouraged security teams to engage with the business early on, create guardrails, and partner with data protection and privacy teams to ensure responsible and secure use of AI.
The consensus among the panelists is that while AI brings significant advancements, it also introduces new challenges and risks, requiring careful consideration, guardrails, and collaboration between security teams and the broader business.
If you missed attending the CISO roundtable, you can watch the on-demand recording here.
Let us know if you have any questions or if you need to get in touch to help you with your API Security or Application Security use cases.
Girish Bhat