Morgan Stanley's Rachel Wilson talks cyber strategies in new AI-enabled threat landscape

Video interview
October 2025

IN BRIEF

  • "If five years ago the vast majority of malicious traffic on the internet was nation-states, now 70% of the malicious traffic we see is actually financially motivated and criminal in nature."
  • "A little bit of ChatGPT, a little bit of Gemini, throw in some YouTube videos on how to use those capabilities, and these layman hackers are off to the races, quite capable in a matter of weeks."
  • "I think we’re going to see a lot of investment around, really, identity-proofing all of our various channels."

In this VISION by Protiviti interview, Protiviti Managing Director Sameer Ansari, Global Security & Privacy lead, sits down with Rachel Wilson, head of cybersecurity in the wealth management division at Morgan Stanley, where she is responsible for securing sensitive client data from theft, loss or compromise, as well as for the resilience and continuity of core business processes in times of turbulence. Prior to her nearly nine years at Morgan Stanley, Wilson spent 15 years at the NSA where she held several executive-level leadership positions. In this discussion, the two talk AI, response, recovery and building resiliency, data security, cyber hygiene, fraud, ID exploitation and more.

In this interview:

1:15 – Response and recovery: The evolution

5:40 – Third-party risk management

9:06 – AI’s impact on security

13:15 – A CISO balancing act

17:42 – Looking ahead: All about identity



Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re joined by Rachel Wilson, head of cybersecurity for Wealth Management at Morgan Stanley, where she’s responsible for securing all sensitive client data from theft, loss or compromise, as well as for the resilience and continuity of core business processes in times of turbulence. Prior to her nearly nine years at Morgan Stanley, Rachel spent 15 years at the NSA, where she held several executive-level leadership positions. Rachel will sit down today with my Protiviti colleague, Managing Director Sameer Ansari, Global Security and Privacy Lead. Sameer, I’ll turn it over to you to begin.

Sameer Ansari: Thanks, Joe. Rachel, thank you so much for joining us today.

Rachel Wilson: Sameer, I’m so happy to be here. Thank you so much for having me.

Ansari: Rachel, you’ve been in your current role for over eight years now and have spent 15 years at the NSA, so you clearly have a lot of experience and have seen a lot of things. We’d be interested in your perspective in terms of how you see the focus on cybersecurity and resiliency. How has it evolved over the past several years? Not only in your current position and the private sector, but overall, what have you seen companies do to strengthen and really look at the response and recovery capabilities?

Wilson: Sameer, I would bin the evolution over the last five years in the following three ways. One, certainly in the cybersecurity space, banks, financial services firms, and large companies have always been focused on the threat posed by nation-states. So, five years ago, I was very focused on North Korea, Iran, and what we were seeing from Russia. All of that is still going on, but the change in focus around cybersecurity has been all about the increase in what we would call cyber criminal syndicate activity.

If five years ago the vast majority of malicious traffic on the internet was nation-states, now 70% of the malicious traffic we see is actually financially motivated and criminal in nature. So, that has required us to change our tactics, our focus, really to be working on extending that perimeter of protection, which for folks like us would typically have been on our firms, our employees, our network systems and applications. Now we’re focused on extending that perimeter of protection to our clients, our customers, really thinking about that broader ecosystem.

When you think about resilience, I’m so glad we’re talking about this today because resilience, the level of emphasis there from our board of directors, our shareholders, our stakeholders, and from our regulators, has increased dramatically. So, this view that a cyber incident that causes a business disruption, that creates a business continuity issue, the view now is that that is not an if, rather that is a when, which is why your point around response and recovery is so crucial. Firms need to invest in all of that preventative technology in detection, but the focus around response and recovery, I’ve never seen it quite as amplified as it is now.

Ansari: That’s a great perspective. Piggybacking on that, obviously, given some of the recent geopolitical events, and obviously, you’ve mentioned the shift from the nation-state aspect to more of those that are there for financial gain. It has obviously increased awareness amongst business leaders and boards in terms of understanding cybersecurity and the resiliency challenges. How can business leaders better understand and fulfill their roles in addressing these challenges, especially when it comes to a crisis and they’re in the middle of a situation or a cybersecurity event?

Wilson: Well, Sameer, that’s exactly it. The last thing we want is leadership and boards trying to figure out their cyber response playbook in the throes of their bad cyber day. So, we see a lot of emphasis now on tabletop exercises, on actually training like you’re going to fight and doing that all the way up to your board and C-suite level. So, increasingly, this idea that while cybersecurity as a tactical exercise is the domain of technologists like us and is the focus of our chief information security officers, it’s this broader recognition, exactly to your point, that business leaders need to be deeply engaged here.

The questions that I ask the companies that I support are, “Does your CFO understand their role in a cyber attack? Has your general counsel thought about whether you are a company, an entity, or an institution that would pay a ransom if you found yourselves in the midst of a ransomware attack?” Those big existential questions are not questions for your technology teams. They are questions that we really want to see having been practiced, having been rehearsed, so that again, when that if, not if, but rather when a cyber attack occurs, leadership understands those roles and you’re not having to learn in public in the midst of those exercises.

Ansari: Yes, that makes a lot of sense. Also, shifting a little bit or maybe an adjacent topic there is, obviously, I think, while executives understand their role in terms of protecting their enterprise, obviously, the continued reliance upon third parties and their overall supply chain of their organizations. I would love to hear—because the conversations we’ve been having with our clients are really around how they are handling third-party risk management—I’d be curious to see what you’re seeing there, as companies, I think, sometimes think of it more as a check-the-box activity. How can organizations really think about this as managing their risk?

Wilson: Well, Sameer, it’s crucial, and I sadly agree with you that all too often, historically, companies have viewed their third-party risk program as a box-checking exercise, right? We’re going to go through the motions. We’re going to do that due diligence, but are we really thinking about material risk reduction? Of course, we’ve got to think about this along two vectors, right? There is the fact that many, many companies, mine included, entrust our vendors, our third parties, with huge volumes of customer, client, and frankly, employee data.

When you think about the degree to which customers and clients that all of us have, very appropriately, and for all the right reasons, outsourced many of our critical functions to third parties, if that outsourcing comes with a whole bunch of employee or customer data, are we really confident that those third parties are meeting our cybersecurity data protection, even fraud prevention standards, Sameer? So, I would argue that companies need to go well beyond that box-checking exercise.

Then, when you add the resilience components, think about those vendors, those third parties in your environment that we would consider air-and-water services, that your business cannot function without. Have we really thought about the opportunities for resilience enhancements there? Do we have true disaster recovery planning? Do we have contingency and exit plans for those vendors that maybe provide that crucial service and for which there really is no alternative?

Again, I think about those air-and-water vendors in that way, but the point you made in your question that I think is particularly crucial is the question around streamlining. The answer to improved vendor due diligence is not an infinite process. If your vendor onboarding process now consists of a thousand questions and takes a year for you to execute in the modern era, companies are not going to be successful if those are the timelines they’re looking at for onboarding a new critical vendor.

That’s the challenge, right? That’s the juxtaposition, Sameer, of how do we recognize that our vendors present potentially tremendous risk, but at the same time, streamline those risk management processes, those onboarding processes, so that our businesses can truly be agile and dynamic. I will tell you, personally, I don’t see many companies that have cracked the code on this, and it’s a question that I think we are all adding and asking of our advisors, our supporters, our consultants. We’re not there, and I don’t think I’ve seen any case where someone is really getting that balance right today.

Ansari: Yes, it really is a balancing act in terms of managing the risk and being thorough, and also balancing, obviously, the impact of third parties. I don’t think I’d be able to get through this entire conversation without turning to the next topic of the day, which is clearly around AI. So, we would love to hear your perspective on AI’s impact on security. What are some of the biggest opportunities and threats posed by AI in the cybersecurity domain, and how do you balance innovation with risk?

Wilson: Sameer, I feel like balance is our big theme today, and you’re totally right that that’s the example and really the exemplary post that we have to talk about here. What we talk to our board of directors about is this idea that the proliferation of artificial intelligence, and I would argue, combined with the democratization of very advanced nation-state-level cyber capabilities, has essentially lowered the barrier to entry to being a reasonably sophisticated cyber actor.

Sameer, we know from our history that five years ago, if you wanted to be a capable hacker, you needed an advanced degree in a technical field, you needed access to covert infrastructure, you needed a nation-state toolkit, and you needed training. There was a pretty significant learning curve to becoming a reasonable, scalable hacker. Today’s environment, we see the opposite, right? A little bit of ChatGPT, a little bit of Gemini, throw in some YouTube videos on how to use those capabilities, and these layman hackers are off to the races, quite capable in a matter of weeks.

Then, when you add AI to the overall cybersecurity landscape, what we’ve seen is that it has been a real catalyst and a real amplifier. So, now cyber attacks are at a scope, a scale, a velocity that I don’t think those of us who’ve been in this space for a long time could have imagined even three years ago. Now that’s what we’re seeing at scale. So, AI lowering that barrier to entry, increasing that scope, scale and velocity, these are attacks both on us as firms and on the customers and clients we support.

This, of course, gets to your balance. I’m increasingly of the view that the only way we defeat all of these AI-enabled threats is by leveraging more AI in our environment. So, one of the metrics that we’re increasingly holding ourselves accountable to is the idea of what percentage of the cyber attacks, attempted cyber attacks that we see at our perimeter, as loose a term as that might be, are we successfully detecting and preventing through solely automated means.

So, whether you want to call that AI or machine learning, whether you want to call that pure process automation, I’d argue that a strong cybersecurity program today is detecting and preventing 99.9% of their incoming cyber attacks all through automated means. Many vendors are getting better and better in this space, but you’re right that it’s a balance.

Then, when you add that third component, obviously, I have to give my employees AI tools in their toolkit. That’s the only way we’re going to continue to be competitive in this environment. Morgan Stanley has really leaned into artificial intelligence as an enabler for our workforce, but enabling those capabilities comes with risk in its own right, whether you’re thinking about data quality, privacy rights, all of these downstream impacts of leveraging AI in our environments. Folks like me in the governance and risk management space have got to look at all of those components to balance that innovation with risk mitigation.

Ansari: Yes, I think balance is going to be the continued theme through this discussion, because the next thing I wanted to discuss with you was really around, obviously, you mentioned AI three years ago wasn’t really as much of a topic. A lot of our attention from a cybersecurity profession perspective was around things like quantum computing, which I know Morgan Stanley is getting quite involved with as well. We’d love to get your perspective on that balance for CISOs and cybersecurity professionals in terms of balancing your basic blocking and tackling and focusing on that versus keeping your eyes forward-looking in terms of new technologies that are coming with things like quantum computing and obviously AI.

Wilson: Well, Sameer, that’s exactly it. I think your thematic here around balance is what I’m hearing from the entire ecosystem, the entire community right now. This is exactly it, right? We cannot lose sight of that basic hygiene, that blocking and tackling. I mean, even some of the vulnerabilities that we’ve seen disclosed in the last few weeks, all things that you and I have been talking about.

If we’re not responding appropriately to these critical vulnerabilities in our environment with that basic blocking and tackling, that patching cadence, that employee training, all of that table-stakes, brass-tacks stuff that we were raised on as cybersecurity professionals, I hear all too often cyber teams getting distracted by the sexy stuff. Of course, I love to geek out on the sexy stuff too, but if we’re not doing those basic things right, if we don’t have identity correctly managed, if we’re not thinking about those core table stakes controls in our environment, we’re going to miss the boat.

Now, all of that said, I think when you look at the environment around post-quantum readiness, we are absolutely in a call-to-action state. So, at Morgan Stanley, this is going to mean, for the next two years, really getting our arms around an inventory of all of our cryptographic algorithms. What I hear CISOs saying is that the first step is really understanding the size and shape of your risk when it comes to post-quantum readiness, once we’ve got that inventory—and of course, Sameer, that’s at all levels, right? Our hardware, our networks, our applications, and even how we interact with customers and clients—getting our arms around that inventory so that we can really get to the hard work of upgrading those algorithms, that’s a long-term project. I know this really speaks to that balance, but I am really encouraging CISOs that we work with, don’t delay on at least getting your arms around the size and shape of your post-quantum problem, while, of course, to your point, not losing sight of that basic cyber hygiene.

Ansari: Yes. I think we’re also seeing increased conversations, obviously, with regulators as well, Rachel. So, I’d love to get your perspective on: regulators always focus on data and security, and the loss of data, but now they’re focusing a lot more on resiliency and the business continuity side of things. How do you think about business leaders’ ability to demonstrate their ability to really look at overall resilience in a way that is not just from a compliance perspective, but also adds value?

Wilson: Yes. Well, Sameer, to your point, I think this is an area where the Europeans are way ahead of us. Just a few weeks ago, we were at a regulatory conference in Europe, with regulators from all around the world, and they were asking exactly this question. So, you bring together all of these ideas, data security, cybersecurity, what does it mean to be preparing? We’re having to help our regulators understand how to regulate us when it comes to asking questions about the implications of quantum computing. Then the focus on resilience, and again, especially from the Europeans, is higher than we’ve ever seen it before.

The focus, and I think this is very appropriate, Sameer, is going beyond having a written business continuity plan and really getting to a place where you are testing those plans and assessing them for viability. That’s what I’m hearing from regulators. Don’t just give me a piece of paper that says what you would do in the event of a significant third-party outage, in the event of a significant business continuity issue, whether that’s geopolitical in nature, weather in nature, all kinds of manner of things. Show me that you’ve really exercised your game plan and that your teams understand how they would react to that, whether that’s transference, whether that’s fallbacks, or whether that’s manual processes. They want to see that you’ve actually walked the walk, not just written the white paper.

Ansari: Yes, makes a lot of sense. Last question for you, Rachel. This would be a good looking-ahead question. As we think about 2026, what do you see as the most critical areas for investment in cybersecurity? How do organizations start to prepare for that next wave of advances in technology, things that we’re not aware of today? Like three years ago, as you mentioned, we weren’t maybe even thinking about the impact of AI. So, how should business leaders and cybersecurity professionals be thinking about what the future holds?

Wilson: Well, so much of this for me, Sameer—and in this case, I’m putting on a little bit of my fraud prevention hat as well—I think it will be thinking about a world in which we all cannot be confident that the person we’re talking to on the phone, over Zoom, through a video conferencing platform is really the person we think we’re talking to. This undermines all kinds of things that I think are really existential to humanity, right?

If I can’t be confident that the customer I’m talking to, the client I’m talking to, the vendor, the third party, the interview candidate, that any of these people are really who they appear to be, that is going to be a fundamental change to how all of us do business, how we do business internally, how we do business with our vendors, and how we do business with our customers. So, I think we’re going to see a lot of investment around, really, identity-proofing all of our various channels. Whether that’s calls to the call center, whether that’s how we conduct interviews remotely over various platforms. All of that. When you look at the risks and threats in the environment, a lot of that is going to have to change.

Then you add to that these next-generation technology enhancements. So, quantum computing is an example, but many more things. When we think about wanting to leverage AI to improve the efficiency and effectiveness of our workforce, recognizing what risks and threats that potentially poses. This is certainly a time for investment. I would also say, Sameer, that this is also a crucial time for partnership. Even companies, large companies, Fortune 50, Fortune 100 companies, none of us can be doing this by ourselves. So, that reliance on third parties, I think, is only going to increase, both to support innovation and to have us responsive to all of these emerging threats.

Ansari: Rachel, this has been really a great conversation. Your perspective, obviously, from your experience at the NSA and clearly from the financial services experience, has really been beneficial. Thank you for your time today. I really enjoyed our discussion.

Wilson: Sameer, this was wonderful, and I look forward to more. Thank you so much for having me today. This was great.

Ansari: Thanks. Joe, I’ll turn it back to you.

Kornik: Thanks, Sameer, and thanks, Rachel. Thank you for watching the VISION by Protiviti interview. On behalf of Sameer and Rachel, I’m Joe Kornik. We’ll see you next time.


Rachel Wilson is Head of Cybersecurity, Wealth Management at Morgan Stanley. Since 2017, she has been responsible for securing all sensitive client data from theft, loss or compromise as well as the resilience of Wealth Management’s critical infrastructure and the continuity of core business processes in times of turbulence. In addition, Rachel regularly advises Wealth Management leadership and clients on the cyber threat landscape and mitigation strategies. Prior to joining Morgan Stanley, she spent 15 years at the National Security Agency where she held several key senior executive-level leadership positions, including leading counterterrorism operations to detect and disrupt terrorist plotting against the U.S. and its allies.

Rachel Wilson
Head of Cybersecurity, Morgan Stanley

Sameer Ansari is a Managing Director and leader of Protiviti’s Global Security and Privacy Practice and has more than 20 years of privacy, data protection, cybersecurity and information technology experience. He has a proven track record of building privacy programs and implementing cybersecurity solutions for large global organizations to enable their business strategy. Sameer has experience developing and delivering complex privacy solutions to the financial industry, and privacy consulting and implementation experience in the technology and consumer products industries worldwide.

Sameer Ansari
Managing Director