Beyond Mere Compliance

Smart teams manage and mitigate cyber risks

By Michael Cocanower, CEO, AdviserCyber

Wise business owners don’t purchase fire alarms and sprinkler systems merely because their installation is required by local building codes. Rather, they take pre-emptive steps to mitigate risks, protect the lives of employees and customers and safeguard the value of their business’ inventories, data and equipment.

Yet too often we continue to see executives whose approach to cybersecurity — compliance rather than protection — is strikingly similar to that of the ill-advised business owner whose minimal fire protection is designed only to meet the building code.

It’s clear, however, that Kemba Walden, the nation’s acting national cyber director, is committed to a fundamental change in our approach to cybersecurity — a focus on investments in tools and skills that provide protection, not mere compliance that allows executives to check a box.

A new national strategy

In her keynote address at BlackHat 2023 in early August, Walden straightforwardly laid out the Biden Administration’s vision of a National Cybersecurity Strategy, one based on the adoption of the right cybersecurity tools and the deployment of the best people. It’s not a strategy that simply sets a low bar and allows executives to sleep well in the knowledge that they have “checked the box” regarding digital security.

I recently asked a group of corporate leaders if their IT teams were well-prepared to deal with cyberthreats. More than 80 percent answered yes. Corporate leaders may believe their organizations are secure, but that is unlikely to be the case unless the organization is large enough to have an IT team dedicated entirely to cyber defense. Few organizations are that large. The mismatch between executives’ perceptions and reality is shocking.

Seasoned cybersecurity professionals, then, recognize the challenge that Walden and her team are addressing. For too long, many business leaders have refused to accept the need for a transition beyond mere compliance and toward true risk mitigation. But as the transition to mitigation begins to gain traction in the worlds of businesses and their regulators, conflicts are brewing.

Facing the threat in finance

Increased commitment to risk-mitigation couldn’t come at a more important time in the securities industry. There, the number and sophistication of threats from bad actors plainly are rising at the same time that the Securities and Exchange Commission is nearing release of a regulatory framework that will govern the industry’s cybersecurity responsibilities. The rapid adoption of artificial intelligence tools is also raising new questions even faster than regulators and industry security specialists can come up with answers.

Cyberthreats are surging across the financial services sector. CrowdStrike’s 2023 Threat Hunting Report found that the financial industry was the second-most targeted vertical last year, overtaking the former long-time second-place telecommunications companies and the always-top-target technology industry. In fact, the report found the volume of interactive intrusion activity in the financial sector rose by more than 80 percent from June 2022 to June 2023, as threat actors launched every possible type of attack against financial institutions. Phishing attacks against financial institutions alone accounted for more than 27 percent of the total phishing attacks against all the industry sectors studied by CrowdStrike.

The reasons for the upsurge? Threat actors — including, notably, North Korean adversaries — apparently believe that the needs of financial-service organizations to maintain uptime and their concerns about sensitivity of client information make them particularly attractive targets for ransom shakedowns.

Regulations draw pushback

In response to the growing threat, the Securities and Exchange Commission in 2022 proposed stronger rules on cybersecurity protection as well as the process to report breaches. Registered Investment Advisers and investment companies of all sizes would be covered by the new standards.

In the measured words of the SEC’s staff, “certain advisers and funds show a lack of cybersecurity preparedness, which puts clients and investors at risk.” I think that’s particularly true among smaller and medium-sized Registered Investment Advisers. The big players in the securities industry generally have strong cybersecurity teams. Small and mid-sized firms, however, often have far less sophisticated cybersecurity protections. As a result, they can dramatically underestimate the level of risk they face.

This quickly became apparent in the written comments that poured into the SEC before the final rules were adopted in July of this year. While many suggested changes to improve the proposals — providing more time for companies to disclose a breach, for example — many opponents simply wrote off the improved cybersecurity rules as onerous, expensive and unneeded.

This is just one example of the current thinking about cybersecurity. In the wealth-management sector — and, frankly, across the business world — decisions about investment in cybersecurity expertise and technology continue to be made by executives who don’t have a deep understanding of cybersecurity issues. Worse yet, they don’t realize how little they know, and they’re unwilling to consult with experts who could help guide good decision-making.

Manage, mitigate risk

It’s important, as Kemba Walden told the BlackHat audience, that businesses and other enterprises of all types reframe and simplify their thinking about cybersecurity. At its heart, cybersecurity is simply a matter of managing and mitigating risk. Nothing more. Cybersecurity experts themselves can deal with all those technical details that cause C-level executives to nod off during boardroom presentations. Security teams don’t need to bog down meetings with cyber-speak. But every executive understands the importance for managers to mitigate business risk, and that’s what cybersecurity leaders need to be talking about. Good practice in risk management is based on a clear-eyed look at available information about risks and the costs of mitigating them to an acceptable level.

In order to truly optimize an organization’s risk management, strategy and spending on cybersecurity should always be derived from the organization’s risk profile. What is the risk? How much can the organization put at risk? How is this profile changing? Answers to these questions then fuel the decisions designed to mitigate the greatest risks.

The truth about firewalls

One of the most important lessons that cybersecurity professionals can share with top managers is this: No system in the world is completely secure and safe from hacking. Investments in perimeter defense can make life more difficult for hackers. Perhaps the costs of overcoming a good perimeter defense will be great enough to discourage an intruder. Traditional perimeter defenses such as firewalls may be enough to keep out low-skilled hackers.

But when the attack comes from a sophisticated threat (say, a team that’s supported by the financial resources of a national government), perimeter defenses will melt like an ice-cream cone on a summer sidewalk.

That means that effective risk-management strategies will focus on detecting an intruder quickly and then expelling them before significant damage can be done. We’re talking about minutes, not a day or two. Quick expulsion is possible only when cybersecurity professionals keep a constant eye on the system in real time, not when organizations rely on tools that produce a look-back report that covers the previous day, week, or month.

Corporate leaders who are focused merely on compliance often think only of firewalls and other perimeter defenses. Our profession needs to help them understand that true risk mitigation looks to limit the damage that comes from the intrusions that are essentially unstoppable.

AI risks and promises

At the same time, the rapid introduction of tools based in artificial intelligence changes the calculus of risk dramatically — but it also promises to bring improvements to the management of that risk.

No one should underestimate the speed at which AI is arriving. Azure AI, Microsoft’s portfolio of AI tools for developers and data scientists, has been the fastest-growing service in the history of Azure.

The greatest challenges presented by AI to cybersecurity professionals are likely to be associated with so-called “autonomous AI,” the development of products by AI that acts on its own without instruction.

It doesn’t take much imagination to think of an AI tool tasked with protecting a system or solving an IT problem. The AI decides a particular tool is the best for that job, but sees that the tool isn’t available on the computer where the AI is running. It does a search on the Web, finds a link to the software it needs, installs it and completes its task.

How do we know that the web links the AI is finding — without our knowledge — haven’t installed malware on our system? Those are questions that should be keeping security professionals awake at night.

Sleepless nights will be even more common among cybersecurity professionals in industries that are heavily regulated like financial services. There, emerging regulations focus extensively on transparency and disclosure. It will be difficult to square these requirements with the black-box aspects of AI. How will security professionals assess the security of third-party vendors, especially those whose products are handling confidential financial and personal information, if the vendors rely on black-box AI? Keep in mind that transparency is an impossible goal when a business operation is entirely opaque.

Given the speed at which AI is sweeping into the marketplace, and given the slow and careful pace that’s customary among regulatory agencies, it’s safe to assume that new regulations — or even regulatory guidance — will significantly lag the development of AI technology. As a result, organizations are going to be on their own when they determine how to meet regulatory requirements when they use AI.

The bad guys, meanwhile, already are using AI tools to enhance their attacks and improve their evasion techniques. Beleaguered IT staff members who are expected to address security threats while managing the entire enterprise system will be bowled over by the rush of new threats.

Most importantly, those business executives who already fail to adequately account for cybersecurity risks will be in even greater danger as AI supercharges the computing universe.

New skills in an AI world

But while the adoption of AI changes the risk calculations, it also helps organizations better manage the risks.

Leaders of the cybersecurity industry talked a lot about workforce development during BlackHat 2023, both during the formal presentations as well as informal conversations over a cup of coffee. The smartest take-away, I think, came from Kemba Walden’s presentation.

The cybersecurity profession, she said, finds itself in a position very similar to the position of banks when ATMs were rolled out in the early 1970s. Back then, everyone worried that automatic tellers would take the jobs of all the human tellers. Today, many worry that AI will dramatically reduce the need for human expertise in cybersecurity.

But, she reminded us, bank tellers didn’t disappear. Instead, they developed new skills and began handling a wider variety of tasks in bank offices. Cybersecurity professionals, too, will survive and thrive in the world of AI as they upgrade their skills and seek out new opportunities to put those skills to work. This, of course, is not good news to those workers in the cybersecurity business who have done little more than list “compliance” as a bullet point on their Web sites and promotional materials. In any profession, AI is most threatening to those who do routine tasks in a routine way.

But cybersecurity professionals who sharpen their skills in ways that allow them to provide risk-analysis and risk-mitigation to top leaders of organizations will continue to thrive. They won’t bring routine answers. They’ll deliver sharp insights that provide true value.

More than talk

But still, it all comes down to the organization’s commitment to move beyond mere compliance into a position of risk management and mitigation. It takes more than talking.

Years ago, when Kemba Walden’s boss, President Joe Biden, was still a U.S. Senator from Delaware, he quoted this line: “Don’t tell me what you value. Show me your budget and I’ll show you what you value.”

That’s particularly true in today’s cybersecurity environment and further emphasized in what was discussed at this year’s BlackHat conference. Organizations that truly value security, those that choose to manage and mitigate their risks, are establishing budgets that show what they value, and they’re putting those budgets to work with smart people and powerful tools that make us all more secure.

About the Author

Michael Cocanower is Founder and Chief Executive Officer of AdviserCyber, a Phoenix-based cybersecurity consultancy serving Registered Investment Advisers (RIAs). A graduate of Arizona State University with degrees in finance and computer science, he has worked more than 25 years in the IT sector. Michael, a recognized author and subject matter expert, has earned certifications as both an Investment Adviser Certified Compliance Professional and as a Certified Ethical Hacker. He is frequently quoted in leading international publications and has served on the United States Board of Directors of the International Association of Microsoft Certified Partners and the International Board of the same organization for many years. He also served on the Microsoft Infrastructure Partner Advisory Council.

December 25, 2023
