The days of prevention are over: Boards should refocus on recovery and resilience, says Halcyon CISO

Video interview
October 2025

IN BRIEF

  • “The best companies in cyber are the ones that can respond quickly, react quickly, and make sure that their systems are very, very resilient.”
  • “98% of these attacks are being completed with valid credentials. Think about that. Is there a cybersecurity tool today on a piece of technology that stops valid credentials from working? No.”
  • “I think you need to really have a test-and-learn mentality and test the resilience and the recovery capability doing both tabletop exercises and tabletop exercises plus.”

In the VISION by Protiviti interview, we are joined by Tony Spinelli, Vice President and Field CISO at cybersecurity and technology firm Halcyon. Spinelli spent his entire 30-plus-year career devoted to pioneering and advancing technology, digital transformation and cyber security capabilities across the globe. He is also a current board member for Blue Cross Blue Shield Association and for Peapack Private Bank, where he also serves on the Risk Committee and Compensation Committee. Previously, Tony has been a CISO for Capital One, Tyco International, Equifax and First Data. Spinelli talks about the CISO-board disconnect, knowledge gaps, AI, cyber talent, geopolitical risk, supply chains and more.

In this interview:

1:24 – Are boards well informed about cyber?

5:38 – Where are the knowledge gaps?

9:30 – AI’s impact and AI governance

13:07 – AI capability and demand

14:38 – Testing and maintaining resilience



Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, I'm joined by Tony Spinelli who spent his entire 30-plus-year career devoted to pioneering and advancing technology, digital transformation, and cybersecurity capabilities across the globe. Currently, he is Vice President and Field CISO at cybersecurity and technology firm Halcyon, as well as a current board member for Blue Cross Blue Shield Association and Peapack Private Bank, where he additionally serves on the Risk Committee and the Compensation Committee. Previously, Tony has been a CISO for Capital One, Tyco International, Equifax, and First Data. Tony, thank you so much for joining me today.

Tony Spinelli: Joe, it's great to be here with you. I'm excited to talk about all the things we've got lined up for Cybersecurity Awareness Month.

Joe Kornik: Right. We are recording this in Cybersecurity Awareness Month but obviously it's something that we focus on year-round and Tony, I know you certainly are. You serve on multiple boards and have been a CISO several times over. So, I know you've seen plenty of change, but it feels to me like the pace of that change has certainly accelerated. Tony, I'd be curious to hear your thoughts about whether or not you think CISOs have done a good job keeping boards informed about the rapidly evolving threat landscape and have boards been responsive enough to those new risk factors that have emerged recently?

Tony Spinelli: Yes, Joe, I think we're probably still in the early innings of informing boards and keeping boards informed. Having been a board member, I guess, over eight years now for multiple organizations and a CISO for more than 25 years at four organizations, I think we still have ways to go on keeping boards properly informed and boards really thinking strategically about cybersecurity. I think too many times what we get as board members, as we're informed about, whether it's a monthly or quarterly meeting, is what we're doing well in cyber. I think we've really got to flip the model: have a heavy dose of what's not going well and what we're concerned about. Because as board members, that's where we can really provide not only oversight but some help, right? Do you need funding? Is it a personnel issue? Do we need to think differently about the strategy that we're applying for cybersecurity? So, seeing hundreds and hundreds of decks at this point where you get information about cyber, I think you're getting 95% to 99% of what's going well and about 1% to 2% of what we're really bad at. I think that's where we as board members have to help leadership say, “Look, we know you're working hard. We know you're trying to do all the right things for cyber. Please never shy away from telling us what we're not good at and what we need more help with.” 

That's why I think we're a little bit in the early innings around that. I think some of it comes down to, in many cases, knowledge gaps. I think in some cases we're thinking about cybersecurity in terms of strategy, that everything needs to be secure. I can tell you, the definition of security in a secure system really doesn't exist. The way you need to think about cybersecurity, especially as a board member and certainly as a leader in cybersecurity that's on the strategic side, is to start thinking much more deeply about defensible systems. When you think about secure versus defensible—and we like to say, “Look, everything's secure and it's going to be great. We're very hopeful that it stays that way.”—that's just very unrealistic. If you can think about your cybersecurity systems in terms of them being defensible, I think you really have a shot, right? Because you're thinking much more about resilience. You're thinking much more about recovery. 

When you think about security, it's an old focus of cyber before 2010 where we used to think “Look, we're just going to prevent everything.” As we've seen, Joe, we have to be right millions of times a day to stay secure where the bad guys have to be right just once. So, I think as a board member you have to start thinking and critiquing and reviewing cybersecurity along the line of thinking about defensible, which means “What happens when the bad thing happens? What happens when a bad actor gets into our environment?” Because it will happen. The days of prevention are over, as we've seen with the many headlines that are plaguing us today, especially from ransomware and the like. It's really, really important that board members start wearing that defensible hat rather than secure and prevention because, really, as we're seeing today the best companies in cyber are the ones that can respond quickly, react quickly, and make sure that their systems are very, very resilient.

Joe Kornik: Right. Tony as both a CISO and board member where do you see the biggest knowledge gaps between CISOs and board members and how do we close them at this point?

Tony Spinelli: I think one of the big knowledge gaps is, we're seeing a tremendous amount of supply chain disruption, that's been plaguing us for probably more than four or five years now and has seemed to be hitting a crescendo in terms of those supply chain disruptions around ransomware. What's really intriguing about how this is coming about is we're seeing a lot of global manufacturers, fintechs, healthcare having their supply chains disrupted, if not their business operations disrupted. From a mismatch with regard to the cyber strategy and what they actually need to have in place, I think many times when we're informed about our cyber program a lot of it focuses on technology. And what bad actors are doing today is they're really exploiting the human threat vector to then move to the technical threat vector. What I mean by that is one of the biggest knowledge gaps is that these bad actors are really focused on human threat right now. That's very hard to get at because when you think of human threats, they're doing things like social engineering, phishing emails. But beyond that, some of the more nefarious knowledge gaps and challenges have been around impersonation of the help desk, where they're impersonating your help desk, calling your employees and getting information about their credentials, their passwords. If they can't get that, they're cracking those passwords. There's about a 46% efficacy rating right now that bad actors have for cracking passwords; 46% is incredibly high. Then we hear a lot in board meetings around “Well, we're going to start focusing on zero trust” or “We're going to implement zero trust,” which a lot of times means how are we thinking about MFA and two-factor authentication and those things that go along with zero trust. Well, bad actors are exploiting individuals there with MFA fatigue, where they get the credential, they use the MFA and repeatedly send those messages to your phone. Eventually what an employee does to get it to go away is they'll just click on it, right? Then you're in. Then therein begins the technical lateral movement and the ability to really start creating havoc in your environment. In many cases, what the bad actors will do is they'll turn off your endpoint protection, they'll turn off your technical controls and really provide themselves with a platform to either data exfil or provide a method where they can extort funds from you through ransomware and encrypting your information. That's what the number one threat vector is today: exposing user IDs and passwords; you're really thinking about bad actors using valid credentials. That's what I think is so challenging for board members and cyber practitioners today, is that 98% of these attacks are being completed with valid credentials, right? Think about that. Is there a cybersecurity tool today on a piece of technology that stops valid credentials from working? No. That's really what we're up against, right?

Joe Kornik: You've given us a lot to think about in terms of risk factors. When we talk about risk factors, I think we probably have to start with AI, which obviously many companies are beginning to leverage in their core business functions. What do you see as AI's impact?

Tony Spinelli: I think AI is going to be a big challenge, and for board members it's really critical, I think, to think along four dimensions when we think about this as it pertains to cybersecurity. I think one of the most important things you could do is make sure that the leadership of the firm has a really great understanding of AI policy and practice. The way you can do that is by using the NIST AI Risk Management Framework. It's a holistic framework that'll help you be really thoughtful about what the right policies, practices and procedures are and give you a box to make sure that you're really, really well controlled.

Number two, I think—and this is probably the biggest one that I would focus on, and I personally have focused on with the boards that I've been on—and that's around a data governance program. I think as all companies today have a factor—with being a technology company—that you've had massive data sprawl wherever you've been. While you want to be well controlled and well managed, AI really requires a different level of data governance. You have to have really strong data modeling. You have to have really strong understanding of the uses of that data. I would really make sure that as a board member you ask to be walked through what the data governance program is, not just for AI, but what the data governance program is for the firm as a whole. 

I then think number three, as you go to the next step, as you're thinking about AI and the use cases come up, is you should have a really strong methodology for thinking about use cases and how those use cases are formed. When you get to that point, where you're thinking about specific use cases, as a board leader you want to ask about the risk assessment process, right? How do you have a risk assessment process built around AI use cases? Because that's going to be absolutely critical. So, if you're using large data models, you're using a lot of customer information, a lot of proprietary information, a ton of PII information, and you're going to do some very articulate and challenging things with AI with that data, it's paramount that each one of these use cases has its own risk assessment. As a board member you can go back and say, “Well, look. I looked at the use case and the risk assessment with it.” It doesn't have to be a 75-page document. It could be a two- or three-page deck that just says, “For each one of these main use cases we've done a risk assessment and here's what it looks like.”

I think fourth, you can never take your eye off the ball of third parties, right? You don't have full control of your third parties but in many cases your third parties are either providing you data or you're providing data to them that's going to be part of that AI model in some way. So, it's going to be really, really important that you think about the risks of third parties. That's, Joe, what I would say are the four key aspects for board members to think about.

Joe Kornik: Tony, I'm curious how worried you are about the lack of AI knowledge and capabilities from both the C-suite perspective and the board perspective. Is there enough AI capability out there right now to meet the demands that the future will bring?

Tony Spinelli: No, there's really not. Joe, I think that's the one thing that's different about cyber and maybe even sometimes this risk management view of technology that boards and practitioners really need to think about is that you're going to really need more cyber talent as AI becomes a larger part of your organization, especially if you’re a cyber organization in IT and perhaps you're using fewer developers or fewer other types of technology associates. You really want to invest more in your cyber program to make sure around, like we talked about, data governance, and having that talent to really understand how AI can be used to protect your enterprise and then guard against AI from an offensive perspective. I think you're going to need more talent in cyber that's much more focused on recovery and response and reaction.

Joe Kornik: Tony, you touched on something there that I think is really important and that's geopolitical developments this year have raised awareness regarding resiliency challenges and keeping core functions up and running in the wake of an attack. We've seen quite a few attacks recently specifically around supply chains. How can business leaders prepare for that? How can they be sure that they can stay resilient amid all the uncertainty right now?

Tony Spinelli: I think you need to really have a test-and-learn mentality and test the resilience and the recovery capability doing both tabletop exercises and tabletop exercises plus, where you're really testing from an attack and penetration perspective your ability to recover from a significant ransomware event or an attack on your supply chain. I think it's absolutely paramount. As you think about the global developments and the global nature of this, you've got massive, organized crime groups, and I do mean massive, a thousand people plus in some cases: Scattered Spider, Akira, Medusa, Qilin. All of these are focused on business disruption and supply chains. The reason is pretty obvious. There's billions of dollars that they're extracting from those areas. And you can look at it today. There's a large global manufacturer of trucks and cars that's had challenges for weeks now due to an attack, $60 million a day, a thousand cars a week not being produced. If you think about that from a ransomware perspective and if it's a Scattered Spider or a Qilin or one of those larger organized crime groups, you know if you can disrupt a global manufacturer of that size and scale, you're not only affecting them but the pressure campaign you can bring to bear to get billions of dollars is massive because manufacturers of that size have supply chains of 30,000 companies. They are supporting each one of them to create a car or a truck, for example, right? So, if you've got 30,000 vendors that are all supplying something to that large manufacturing company, it could be any manufacturer of that size and scale, the pressure campaign that one of these organized crime groups can bring to bear is just daunting to think about, right? Because if those 30,000 vendors cannot pay their employees, cannot produce capability, you're talking about affecting the economy of small countries as this happens.

Joe Kornik: Thanks Tony. I really enjoyed our conversation.

Tony Spinelli: Oh, thanks Joe.

Joe Kornik: And thank you for watching the VISION by Protiviti interview. I'm Joe Kornik. We'll see you next time.


Tony Spinelli is Vice President Field, Chief Information Security Officer at tech and security company Halcyon. He has spent his entire 30-plus-year career devoted to pioneering and advancing technology, digital transformation and cyber security capabilities across the globe. He is a board director for Blue Cross Blue Shield Association and Peapack Private Bank and Trust, and was a CISO at Capital One, Tyco, Equifax and First Data. He sits on Georgia Tech’s cyber security and privacy advisory board and is an adjunct professor at George Washington University and a faculty member for the National Association of Corporate Directors.

Tony Spinelli
CISO, Halcyon