How Can Companies Stay Ahead of Rising Cyber Threats?

October 23, 2023

Recently, the Boston Business Journal caught up with Envision Technology Advisors’ Chief Operating Officer, Jason Albuquerque, to hear his thoughts on the latest cybersecurity challenges and how businesses can make sure they’re positioned to weather an attack. Read on.

Question: From your perspective, what do you see as the biggest challenges that business leaders face today when it comes to cybersecurity?

Jason: In conversations with CEOs, CFOs, and boards of directors, a lot of the pressures that they feel relate to the speed at which their business needs to innovate in order to stay relevant. Technology is evolving rapidly around them, so they need to deal with the competing priorities of the business and keep up with assessing and managing the risks at the same time.

Now, couple that with the speed at which privacy laws are changing, regulation is changing, and oversight is changing. Also, the pressures of state and federal privacy laws. We see executives being criminally and personally liable for data breaches. On top of that, you have vendor risk management as well as clients evaluating businesses for their cyber resilience. There has never been a more complicated time for business leadership, with all of these competing requirements that executives have to manage.

Question: What are some of the more significant threats that are happening and what are my responsibilities as a leader when that happens?

Jason: Many organizations are moving to the cloud and threat actors are responding, demonstrating a high level of sophistication in navigating cloud control planes, and taking advantage of the nuances of the control sets that are there because there are so many in these cloud applications. The time from when an adversary finds you to the time that they can actually expose you is about 10 minutes on average. How? They’re looking at public-facing APIs and public-facing cloud assets of your organization. They have automations that can find your cloud assets and begin exploiting them in minutes.

A lot of the effort stems from organized cyber threat syndicates and crime-as-a-service organizations. These are bad actors who have built out mafia-style syndicates and treat cybercrime like a business. They shop their platforms and services to other mal-actors, other criminals, to get those economies of scale to attack organizations. We just saw it hit the news, with EvilProxy. It’s a phishing campaign tool at an enterprise level that’s being sold as a subscription service to criminals and has the ability to target and exploit multifactor authentication enabled Microsoft accounts. The threat landscape is full of extremely advanced tools out there right now.

Question: If the business hosts their data in the cloud should they assume that the host is protecting them from those risks?

Jason: The more mature cloud providers have a shared responsibility model that you can follow; it’s out there for the customers to review. They have models and matrices out there that you can review to know what controls they’re going to cover and what you are responsible for as a client of theirs. So, as you go into cloud environments, SaaS software or hosting services, take a look at what that shared responsibility model looks like, what type of risk there is, and what type of overhead of management you’ll be taking on.

Question: What would be key pieces of advice you’d give to CEOs or business leaders, in both small and large companies, that they could action today to address the threats?

Jason: Business leaders understand risk management. They’ve been managing financial risk for a very long time. Integrating cyber risk into your overall enterprise risk management program is a great way to start. At the leadership level, and at the board level, start having conversations around your cyber risk. Whether it’s with an internal resource who’s a subject matter expert who can speak the language of the business and translate that back to cybersecurity, or having a very versed partner who can do that. Either way, it’s beneficial to have those conversations.

Integrating security into your overall risk management planning is crucial because now your board and leadership team are talking about it. It’s right in front of your CEO and your CFO to manage that risk. From there, you can support a security-first culture. Every employee should be a cyber warrior. You should have substantive cybersecurity acumen within your organization because it’s a necessity; it’s a business imperative. It’s part of managing overall risk.

Question: What about artificial intelligence? Are there specific cybersecurity concerns related to AI?

Jason: With AI, I want to talk about the integrity side. AI is dependent upon the data that’s in the model and the way the model is trained. We’re seeing a lot of artificial intelligence engines come back with “hallucinations,” which are providing erroneous information back to their users, perhaps because the model wasn’t trained correctly. There are also vulnerabilities with prompt injections that can manipulate AI engines into giving incorrect and potentially dangerous responses. The next phase of that is called model poisoning where, if a threat actor can get to that data model, they can poison the results of what that model is going to present back to the end user or the company.

Question: What can be done to build and maintain a strong cybersecurity team and what role should a business leader look to play in fostering a security-conscious culture?

Jason: We’ve seen the talent skills gap numbers thrown around by the media – anywhere from 300,000 to 1.5 million. What is the true talent gap that is being discussed in Washington, DC by some of the biggest leaders in cybersecurity? By 2024, experts expect there will be anywhere from 500,000 to 700,000 open roles in cybersecurity in the U.S. alone, and anywhere from 3 to 5 million open roles globally that cannot be filled.

One of the things we talk about as a cybersecurity leadership consortium when CISOs get together is that we really need to influence our HR departments in changing the way we hire. Let’s start looking at the attitude and aptitude of candidates versus whether or not they have a master’s degree. How much talent are we leaving behind at the K-12 level? Kids that may not be built for college but have massive potential nonetheless and could be developed into key contributors before they hit the workforce. Additionally, I’m getting interns from colleges that I can’t put to work right away, so there’s a gap there because they aren’t ready for the work world. We need to create processes to help entry-level workers so they can hit the ground running right away.
