WEBVTT 1 00:00:00.840 --> 00:00:04.830 Anna Delaney: Hi, I'm Anna Delaney with ISMG. 2022 will go 2 00:00:04.830 --> 00:00:07.890 down as a memorable year in cybersecurity. The 3 00:00:07.920 --> 00:00:11.280 Russia-Ukraine war turned cyberwarfare into a reality. 4 00:00:11.430 --> 00:00:15.060 Cryptocurrency markets imploded. While there was no Log4j or 5 00:00:15.060 --> 00:00:18.600 SolarWinds level hack that we know of, industry stalwarts 6 00:00:18.630 --> 00:00:21.870 Microsoft and Cisco suffered breaches, as did Twitter and 7 00:00:21.900 --> 00:00:26.640 Uber. So how should we characterize 2022? We consulted 8 00:00:26.640 --> 00:00:28.950 with some of the top professionals in the industry 9 00:00:29.100 --> 00:00:32.790 and ask them to describe the year in one word. Here's what 10 00:00:32.790 --> 00:00:33.330 they said. 11 00:00:33.870 --> 00:00:34.650 Richard Bird: Abysmal. 12 00:00:34.649 --> 00:00:39.179 Chase Cunningham: Affordable. That's what I want to see in cyberspace. 13 00:00:38.170 --> 00:00:42.760 Tom Kellermann: Guerrilla warfare. That's the battle that 14 00:00:42.760 --> 00:00:45.430 we waged, that's the battle that's being waged against us. 15 00:00:45.810 --> 00:00:47.940 Steve King: The biggest problem in my mind, and the one word I 16 00:00:47.940 --> 00:00:54.840 would use is complexity. I think we've created this. We're our 17 00:00:54.840 --> 00:00:55.560 biggest enemy. 18 00:00:55.000 --> 00:01:00.790 Sam Curry: One word is insufficient, but I'll say 19 00:01:00.790 --> 00:01:01.360 hopeful. 20 00:01:02.590 --> 00:01:05.050 Anna Delaney: As we enter the New Year, we asked our experts 21 00:01:05.050 --> 00:01:08.470 about the trends to watch in 2023. They helped us put 22 00:01:08.470 --> 00:01:11.170 together a list of 10 predictions for this highly 23 00:01:11.200 --> 00:01:15.220 unpredictable industry. Our panelists began with the topic 24 00:01:15.220 --> 00:01:19.930 of API security. 
The API economy is growing as organizations rely 25 00:01:19.930 --> 00:01:23.470 more heavily on open source software, and custom interfaces 26 00:01:23.470 --> 00:01:27.760 to bridge cloud and legacy systems. API attacks resulted in 27 00:01:27.760 --> 00:01:32.740 several high profile breaches and 2022. Expect cybercriminals 28 00:01:32.740 --> 00:01:36.790 to step up their attacks on API vulnerabilities in 2023. 29 00:01:37.030 --> 00:01:39.850 Richard Bird: This is something that Gartner in particular has 30 00:01:39.850 --> 00:01:44.020 been calling out for several years that the kind of Layer 7 31 00:01:44.050 --> 00:01:49.750 application tier is going to become the primary attack 32 00:01:49.750 --> 00:01:55.930 surface and exploit by 2022 was their statement - that it will 33 00:01:55.930 --> 00:02:00.430 become the predominant method. It isn't but it's definitely 34 00:02:00.430 --> 00:02:05.560 trending that way. What we're going to hear more about will be 35 00:02:05.890 --> 00:02:12.070 in 2023 a massive U.S.-based API exploit related breach. It is 36 00:02:12.000 --> 00:02:14.910 Tom Kellermann: It's about modern application development. 37 00:02:12.070 --> 00:02:12.880 going to happen. 38 00:02:14.910 --> 00:02:17.580 It's the fact that the developers in many organizations 39 00:02:17.580 --> 00:02:23.100 are more powerful than security teams. It's about API. APIs are 40 00:02:23.100 --> 00:02:25.800 being attacked left and right for good reason. Very few people 41 00:02:25.800 --> 00:02:28.680 really understand how to defend API, so they think their laughs 42 00:02:28.680 --> 00:02:33.330 can defend them against those types of attacks. I think it's 43 00:02:33.360 --> 00:02:37.560 very concerning in both regards, You have the migration to cloud 44 00:02:37.560 --> 00:02:40.110 and multi cloud environments, public cloud environments with 45 00:02:40.110 --> 00:02:41.340 this implicit trust. 
46 00:02:41.850 --> 00:02:45.600 John Kindervag: The developers have way too much power 47 00:02:45.600 --> 00:02:48.870 probably. They care very little about security. They want to go 48 00:02:48.870 --> 00:02:53.130 fast. In fact, I often joke, they're the Rookie Bobbies of 49 00:02:53.190 --> 00:02:56.760 IT. I just want to go fast. I got to I got a cougar sitting 50 00:02:56.760 --> 00:02:59.610 next to me in the car. I don't care about security. I've had so 51 00:02:59.610 --> 00:03:02.640 many people tell me, I don't care about security, I got to do 52 00:03:02.670 --> 00:03:06.030 however many pushes a day. How can I make it secure. And oh, by 53 00:03:06.030 --> 00:03:10.650 the way, by the time that the this has proven to be insecure, 54 00:03:10.680 --> 00:03:12.090 I'll be on to another job anyway. 55 00:03:12.480 --> 00:03:14.670 Anna Delaney: Critical infrastructure, a prime target 56 00:03:14.700 --> 00:03:18.540 of nation-state actors relies on a combination of IT and OT 57 00:03:18.540 --> 00:03:22.440 systems to keep plants running smoothly. However, many 58 00:03:22.440 --> 00:03:25.830 industrial control systems are decades old and vulnerable to 59 00:03:25.830 --> 00:03:31.560 attack. In fact, last year, IBM X-Force observed over a 2000% 60 00:03:31.590 --> 00:03:35.430 increase in adversarial reconnaissance targeting ICS 61 00:03:35.430 --> 00:03:38.970 vulnerabilities, which puts all critical infrastructure at risk. 62 00:03:39.540 --> 00:03:43.440 Our experts warn, be prepared for attacks against power grids, 63 00:03:43.620 --> 00:03:47.460 oil and gas supplies, and other critical infrastructure targets. 64 00:03:47.000 --> 00:03:49.430 Sam Curry: Some parts of critical infrastructure are more 65 00:03:47.000 --> 00:03:50.035 John Kindervag: We will have problems in OT security as long 66 00:03:49.520 --> 00:03:53.990 vulnerable than others. 
The things that especially have to 67 00:03:50.104 --> 00:03:54.173 as we keep talking about it as OT security and IoT security 68 00:03:54.242 --> 00:03:57.829 versus just cybersecurity, right? Because there's no 69 00:03:57.898 --> 00:04:01.485 difference. It's a packet talking to something. That 70 00:03:57.950 --> 00:04:02.300 do with loss of life, where you get medical care, things that 71 00:04:01.554 --> 00:04:05.417 resource does a particular thing, a POC and HMI, a SCADA 72 00:04:02.750 --> 00:04:18.470 have to do with water, that have to do with food, supply, and 73 00:04:05.486 --> 00:04:07.280 system, it doesn't matter. 74 00:04:18.470 --> 00:04:24.050 energy. I think while CISA has a huge responsibility, and each of 75 00:04:24.050 --> 00:04:28.730 those critical infrastructure divisions has a lot of work to 76 00:04:28.730 --> 00:04:31.640 do, things like energy production is very, very 77 00:04:31.640 --> 00:04:33.680 vulnerable right in the middle of the winter for much of the 78 00:04:33.680 --> 00:04:34.370 Northern Hemisphere. 79 00:04:34.810 --> 00:04:36.580 Chase Cunningham: We have this thing going on where if you 80 00:04:36.580 --> 00:04:40.840 build a system and connect it to water or electricity or nuclear 81 00:04:40.840 --> 00:04:44.620 or god knows what else and then you leave admin on the internet, 82 00:04:44.680 --> 00:04:47.380 somebody can come out later on and go "Oops, I'm sorry, I 83 00:04:47.380 --> 00:04:49.930 screwed up" and they get a golden parachute and walk out 84 00:04:49.930 --> 00:04:53.890 like if you're going to do that, send me $6 million and you can 85 00:04:53.890 --> 00:04:57.040 beat me in the middle of the Superbowl, like that's the crazy 86 00:04:57.040 --> 00:04:59.770 thing for these people don't understand. There's no punitive 87 00:04:59.770 --> 00:05:03.220 measures. We need to introduce a standard and legislation for 88 00:05:03.220 --> 00:05:06.460 negligence. 
If you're in charge and you do negligent things and 89 00:05:06.460 --> 00:05:09.250 don't take care of it, you need to be wearing an orange jumpsuit 90 00:05:09.250 --> 00:05:11.050 in a six by nine cell for 10 years. 91 00:05:11.040 --> 00:05:13.378 Anna Delaney: Multi-factor authentication was once 92 00:05:13.443 --> 00:05:17.600 considered the gold standard of identity management, providing a 93 00:05:17.665 --> 00:05:21.692 crucial backstop for passwords. But all that changed this year 94 00:05:21.757 --> 00:05:25.134 with a series of highly successful attacks using MFA 95 00:05:25.199 --> 00:05:29.031 bypass and MFA fatigue tactics combined with tried and true 96 00:05:29.096 --> 00:05:33.253 phishing and social engineering. Experts warn that success won't 97 00:05:33.318 --> 00:05:36.566 go unnoticed. Attackers will increase multi-factor 98 00:05:36.631 --> 00:05:38.190 authentication exploits. 99 00:05:38.570 --> 00:05:40.940 Richard Bird: The method of attack predominantly used for 100 00:05:41.540 --> 00:05:46.760 MFA is social engineering to bypass or exploit MFA. The 101 00:05:46.760 --> 00:05:52.340 success that bad hackers had with social engineering against 102 00:05:52.340 --> 00:05:58.670 MFA to exploit it was headline news. Headline news attracts, 103 00:05:58.700 --> 00:06:02.960 you know that next wave of ransomware, other bad actors 104 00:06:02.960 --> 00:06:07.880 that kind of want to jump on the newest methods to exploit an 105 00:06:07.880 --> 00:06:11.360 attack. So I definitely think we're going to see a lot of 106 00:06:11.360 --> 00:06:16.220 situations where MFA strong authentication is exploited and 107 00:06:16.220 --> 00:06:22.550 bypassed. I think, unfortunately, it's just a 108 00:06:23.690 --> 00:06:28.010 reminder to us all that tech is only a certain percentage of the 109 00:06:28.010 --> 00:06:31.430 solution. 
When we look at the current state of 2022, everybody 110 00:06:31.430 --> 00:06:35.540 is holding on to these old architectures, these old 111 00:06:35.540 --> 00:06:38.900 methods, these old structures of how they're managing 112 00:06:38.900 --> 00:06:42.230 cybersecurity, and they're going "we're doing the best that we 113 00:06:42.230 --> 00:06:47.240 can," which is amazing to me "we're doing the best that we 114 00:06:47.240 --> 00:06:50.720 can with a leaky boat." Why don't we fix the leaks? 115 00:06:51.530 --> 00:06:54.380 Anna Delaney: Ransomware attacks have proliferated across public 116 00:06:54.380 --> 00:06:57.920 and private sectors and tactics to pressure victims into paying 117 00:06:57.920 --> 00:07:02.330 ransoms have expanded to double and even triple extortion, that 118 00:07:02.330 --> 00:07:04.880 because of the reluctance of many victims to report the 119 00:07:04.880 --> 00:07:07.850 crime, the actual number of incidents isn't really known. 120 00:07:08.360 --> 00:07:12.500 Expect ransomware attacks to hit bigger targets, and exact bigger 121 00:07:12.530 --> 00:07:13.250 ransoms. 122 00:07:13.540 --> 00:07:17.470 Lisa Sotto: Ransomware continues unabated. The environment is 123 00:07:17.470 --> 00:07:20.170 honestly more malicious than ever. We say that every year, 124 00:07:20.170 --> 00:07:24.340 but this year, it does seem more malicious than it's ever been. 125 00:07:24.940 --> 00:07:29.110 We continue to battle with the threat actors, for companies in 126 00:07:29.140 --> 00:07:33.610 every industry sector. The threat actors really have been 127 00:07:33.610 --> 00:07:37.090 busier than ever, which means we are busier than ever trying to 128 00:07:37.090 --> 00:07:38.950 manage the fallout. 129 00:07:39.040 --> 00:07:41.320 David Pollino: I think we're going to be surprised by 130 00:07:41.350 --> 00:07:46.780 something that is going to, hit us across the board. 
I've had 131 00:07:46.780 --> 00:07:49.720 some recent conversations with some security people around the 132 00:07:49.720 --> 00:07:53.410 opportunity to mobile-based ransomware. We've seen a lot of 133 00:07:53.410 --> 00:07:55.720 ransomware around your cloud storage, we've seen a lot of 134 00:07:55.720 --> 00:08:00.310 ransomware around your computer, maybe a little bit less of 135 00:08:00.670 --> 00:08:05.050 what's taking place on your actual device, on your actual 136 00:08:05.050 --> 00:08:10.360 iPad. For many people, that's where it knows more about them 137 00:08:10.360 --> 00:08:13.960 than the individuals as well. So whether it's actually taking 138 00:08:13.960 --> 00:08:19.270 over the device itself, accessing embarrassing or any 139 00:08:19.270 --> 00:08:22.180 information that people want to keep secret on their device, I 140 00:08:22.180 --> 00:08:25.990 think we may see some innovations there by the 141 00:08:25.990 --> 00:08:29.680 criminals but I have a feeling 20 years from now, we're still 142 00:08:29.680 --> 00:08:31.090 going to be talking about ransomware. 143 00:08:32.110 --> 00:08:35.200 Tom Kellermann: Like in ransomware payments to sanctions 144 00:08:35.200 --> 00:08:39.130 evasion and violation of sanctions and let's ban them and 145 00:08:39.130 --> 00:08:42.130 any virtual currency or exchange that's complicit it and 146 00:08:42.130 --> 00:08:44.560 laundering the proceeds associated with ransomware 147 00:08:44.920 --> 00:08:47.800 should have their assets forfeited, and put into a super 148 00:08:47.800 --> 00:08:50.350 fund to fund critical infrastructure protection 149 00:08:50.350 --> 00:08:53.170 domestically. That's my Christmas wish. That's it. 150 00:08:53.530 --> 00:08:56.620 Simple thing. Ample laws on the books. 151 00:08:56.000 --> 00:09:00.020 Anna Delaney: The momentum behind digital transformation 152 00:09:00.020 --> 00:09:03.710 programs has prompted a mass migration to public cloud. 
This 153 00:09:03.710 --> 00:09:07.250 trend began in the corporate sector and has expanded to large 154 00:09:07.250 --> 00:09:10.910 government agencies, creating a hodgepodge of complex, hybrid 155 00:09:10.910 --> 00:09:14.900 and multi cloud environments. Containerization of applications 156 00:09:14.900 --> 00:09:18.380 has led to widespread malware infections, and this year, we 157 00:09:18.380 --> 00:09:21.350 saw the introduction of serverless malware aimed at the 158 00:09:21.380 --> 00:09:26.240 AWS cloud with so much more data moving to the cloud, watch for 159 00:09:26.240 --> 00:09:29.420 attackers to target the major cloud hyper scalars. 160 00:09:30.410 --> 00:09:33.080 Tom Kellermann: I really think this is the moment where whether 161 00:09:33.200 --> 00:09:36.290 either I'd say the Russians or the Chinese choose to commandeer 162 00:09:36.290 --> 00:09:38.930 an entire public cloud environment and use it as a 163 00:09:38.930 --> 00:09:42.500 launchpad for like systemic wiper attacks or ransomware 164 00:09:42.500 --> 00:09:45.920 attacks as a manifestation of geopolitical tension due to 165 00:09:45.920 --> 00:09:49.430 whether it's what's going on in Ukraine or what's going on 166 00:09:49.430 --> 00:09:50.060 Taiwan. 167 00:09:50.270 --> 00:09:54.830 John Kindervag: To me cloud is a regression in security, the 168 00:09:54.830 --> 00:10:01.550 native cloud controls, stateless hackles from IP tables, 1992, so 169 00:10:01.730 --> 00:10:06.800 I just don't understand why the love affair of security and 170 00:10:06.800 --> 00:10:13.520 cloud happens. 
If you looked at Martin Casado's report for 171 00:10:13.520 --> 00:10:16.190 Andreessen on the cost of a cloud, the trillion dollar 172 00:10:16.190 --> 00:10:21.110 paradox and how clouds are now as expensive as data centers, 173 00:10:21.440 --> 00:10:23.810 I'm wondering, or I'm hoping that people will start 174 00:10:23.810 --> 00:10:26.840 rethinking that and wondering is the cloud the best place to go, 175 00:10:26.840 --> 00:10:28.070 given the threat environment. 176 00:10:28.100 --> 00:10:31.730 Steve King: We see breaches every day due to bad 177 00:10:31.730 --> 00:10:37.940 configurations for either hybrid cloud or containers. So, I don't 178 00:10:37.940 --> 00:10:41.630 know how we're going to do this with the current level of 179 00:10:41.630 --> 00:10:42.230 knowledge. 180 00:10:42.930 --> 00:10:45.420 Anna Delaney: The principles of zero trust defenses have been 181 00:10:45.420 --> 00:10:48.690 around since 2010. But only in the past few years of 182 00:10:48.690 --> 00:10:52.320 cybersecurity organizations, and the vendor community began to 183 00:10:52.320 --> 00:10:56.010 embrace the concept of least privilege continuously verified 184 00:10:56.010 --> 00:11:00.060 defenses. This approach received a major boost just last month, 185 00:11:00.210 --> 00:11:03.330 when the U.S. Department of Defense announced its zero trust 186 00:11:03.360 --> 00:11:07.410 strategy, with hackers moving laterally across IT environments 187 00:11:07.410 --> 00:11:11.580 with ease, expect wider adoption of zero trust, as organizations 188 00:11:11.580 --> 00:11:13.620 look to modernize their defenses. 189 00:11:13.980 --> 00:11:16.560 Chase Cunningham: If you're sick of zero trust,2023 is going to 190 00:11:16.560 --> 00:11:19.350 be your year, because it's going to keep on coming with a fervor. 191 00:11:19.590 --> 00:11:22.710 So drink your zero trust Kool-Aid and get your zero trust 192 00:11:22.710 --> 00:11:25.500 hoodie and all that stuff. 
But there's a reason for that, 193 00:11:25.500 --> 00:11:28.380 because the strategy is making a difference, there's studies to 194 00:11:28.380 --> 00:11:31.770 validate that, to indicate that. Organizations are beginning to 195 00:11:31.770 --> 00:11:35.370 move towards the adoption cycle for this whole thing. it's my 196 00:11:35.370 --> 00:11:38.640 ray of hope, what we're moving towards is a better state over 197 00:11:38.640 --> 00:11:42.630 time, the DoD publishing their strategy was a watershed moment. 198 00:11:42.900 --> 00:11:46.020 And it's just going to continue going on from here. 199 00:11:46.000 --> 00:11:48.670 Richard Bird: This is the year, 2022 is the year that I really 200 00:11:49.210 --> 00:11:54.010 experienced a lot of resistance up and down the management chain 201 00:11:54.010 --> 00:11:59.710 within companies to zero trust. And it's starting to crack open 202 00:11:59.740 --> 00:12:05.140 a lot of dialogue about what zero trust is, what it's not, 203 00:12:05.170 --> 00:12:08.920 what it can actually accomplish. I think to that may be the 204 00:12:08.920 --> 00:12:12.340 change in 2023, where discussions become more 205 00:12:12.340 --> 00:12:16.720 relevant, become more tangible, some of it is the efforts that a 206 00:12:16.720 --> 00:12:22.180 lot of folks on this call had been engaged in, inclined back 207 00:12:22.180 --> 00:12:27.010 zero trust from kind of the marketing domain, and putting 208 00:12:27.040 --> 00:12:32.320 meat around the bones. And really kind of focusing on ZTM, 209 00:12:32.320 --> 00:12:37.450 what it delivers from a security standpoint. But I think where 210 00:12:37.450 --> 00:12:43.030 the debate will happen is people are still very, very notionally 211 00:12:43.270 --> 00:12:48.730 tied to defense in depth, overlapping controls as their 212 00:12:48.730 --> 00:12:52.630 security architecture. And that goes back to what I said about 213 00:12:52.630 --> 00:12:57.430 situational awareness? 
We have, we have nearly 30 years of 214 00:12:57.730 --> 00:13:01.630 documented evidence that clearly shows that those models suck, 215 00:13:01.720 --> 00:13:05.230 and they're not working. And that's why I think that the 216 00:13:05.230 --> 00:13:08.560 dialogue on zero trust is going to be very dynamic and 2023. 217 00:13:08.950 --> 00:13:12.430 Because people are going to have to defend those positions for 218 00:13:12.430 --> 00:13:15.250 their old security architectures, and mindsets and 219 00:13:15.250 --> 00:13:20.530 framework. Because they are failing, and give an excuse for 220 00:13:20.530 --> 00:13:23.980 why they're not willing to try something new relative to 221 00:13:23.980 --> 00:13:24.730 security. 222 00:13:24.850 --> 00:13:26.950 John Kindervag: We have to change the incentive structure 223 00:13:27.160 --> 00:13:31.180 around cybersecurity and make it an imperative at the C-suite so 224 00:13:31.180 --> 00:13:34.750 that they get the proper funding they need. This is the first 225 00:13:34.750 --> 00:13:37.390 year that I got a call from somebody who said we got a new 226 00:13:37.390 --> 00:13:41.740 CFO, and he said, "We're under spending in cybersecurity and we 227 00:13:41.740 --> 00:13:45.850 better start figuring out what we're going to do, because we 228 00:13:45.850 --> 00:13:51.130 can't have this kind of low spin and high risk." And so I think 229 00:13:51.190 --> 00:13:55.840 that the incentive changes that it's driving are going to be the 230 00:13:55.840 --> 00:14:00.130 most beneficial to the industry that we all know and love. 
231 00:14:00.600 --> 00:14:02.940 Sam Curry: I've seen encouraging signs, but we still haven't seen 232 00:14:02.940 --> 00:14:05.670 requirements for cybersecurity skills, hard requirements for 233 00:14:05.670 --> 00:14:08.970 boards, they've talked about it with the SEC, I did see the 234 00:14:08.970 --> 00:14:14.610 Sanford policy school and Duke did put on a really great event 235 00:14:14.640 --> 00:14:17.430 where they were board members could come and find out what 236 00:14:17.430 --> 00:14:20.970 questions to ask of cyber people. And they did a simulated 237 00:14:20.970 --> 00:14:23.700 breach. That was a great thing to see. My own CFO asked me if 238 00:14:23.700 --> 00:14:27.960 he should get a CISSP, which frankly shocked me. Because he 239 00:14:27.960 --> 00:14:30.930 was expecting to need those skills is to get board positions 240 00:14:30.930 --> 00:14:33.960 in the future and to be relevant to business. But those are 241 00:14:33.960 --> 00:14:38.370 exceptions. I think while we're making progress, I'm not sure 242 00:14:38.370 --> 00:14:41.790 that most people at the C-suite can spell zero trust yet, let 243 00:14:41.790 --> 00:14:45.210 alone talk about what the tenets of it are, the pillars of it 244 00:14:45.210 --> 00:14:48.720 are, how we get less trust in environments and I think we got 245 00:14:48.720 --> 00:14:52.170 to learn more business speak on our side to get those principles 246 00:14:52.000 --> 00:14:56.620 Anna Delaney: The conviction of former Uber CSO Joe Sullivan in 247 00:14:52.170 --> 00:14:52.770 across. 248 00:14:56.620 --> 00:14:59.920 October for obstructing the investigation of a cover up that 249 00:14:59.920 --> 00:15:03.970 2016 data breach sent shockwaves through the cybersecurity 250 00:15:03.970 --> 00:15:08.110 community. 
The prospect of being held criminally liable in an 251 00:15:08.110 --> 00:15:11.500 incident response, in addition to getting fired as senior 252 00:15:11.500 --> 00:15:14.560 security leaders rethinking their role in the organization. 253 00:15:15.310 --> 00:15:18.700 Look for chief security officers to negotiate employment 254 00:15:18.700 --> 00:15:21.640 contracts with greater personal protections. 255 00:15:22.410 --> 00:15:26.400 Steve King: I think that the Joe Sullivan case as an example is 256 00:15:26.430 --> 00:15:32.760 going to make a dramatic shift in how CISOs prepare for that 257 00:15:32.760 --> 00:15:33.600 next job. 258 00:15:33.780 --> 00:15:36.870 Jonathan Armstrong: And often in these situations, the C-size is 259 00:15:36.870 --> 00:15:41.790 friendless really. The victims don't love him, the management 260 00:15:42.090 --> 00:15:45.660 isn't necessarily going to support him. And you might have 261 00:15:45.690 --> 00:15:49.980 management actively briefing against the CISO, to 262 00:15:49.980 --> 00:15:56.040 shareholders and to prosecutors. So unfortunately, it is a lonely 263 00:15:56.370 --> 00:16:00.840 place for CISOs. When you're starting a position when you've 264 00:16:00.840 --> 00:16:04.890 got some bargaining power, making sure that your contract 265 00:16:05.100 --> 00:16:10.740 is robust that you've got the protections you need there. I 266 00:16:10.740 --> 00:16:15.750 think it might involve looking at reporting lines. So who 267 00:16:15.750 --> 00:16:21.180 reports to who who is going to report a data breach. And again, 268 00:16:21.180 --> 00:16:25.080 rehearsals are important then so that individuals know their own 269 00:16:25.140 --> 00:16:28.350 roles and responsibilities in the team. And you're clear what 270 00:16:28.350 --> 00:16:31.740 you will do, what you won't do. 
I think it's about due 271 00:16:31.740 --> 00:16:35.550 diligence, when you move to an organization, is there a data 272 00:16:35.550 --> 00:16:39.750 breach there that hasn't been reported, and how you're going 273 00:16:39.750 --> 00:16:44.550 to manage that if you're the the new girl coming into the team, 274 00:16:44.850 --> 00:16:51.000 and sorting all this out? I think it's about director and 275 00:16:51.000 --> 00:16:54.630 officer liability insurance - DNO insurance - so making sure 276 00:16:54.630 --> 00:16:58.200 that your name is on the policy and making sure that the 277 00:16:58.200 --> 00:17:01.680 organization will support you. If there is an incident 278 00:17:01.680 --> 00:17:02.490 financially. 279 00:17:02.000 --> 00:17:04.959 Richard Bird: I think that there's going to be an overall 280 00:17:05.028 --> 00:17:09.020 change. I think that that's going to break the back of the 281 00:17:09.089 --> 00:17:12.806 old argument of who the CISO should report to as well. 282 00:17:12.875 --> 00:17:17.005 Because we're going to see that in order for things like DNO 283 00:17:17.074 --> 00:17:21.273 insurance to be applied and then vote for a CISO. They're not 284 00:17:21.342 --> 00:17:25.196 going to have reporting structures. They are going to be 285 00:17:25.265 --> 00:17:27.950 one or two down from CEO or CIO or CTO. 286 00:17:28.260 --> 00:17:30.450 Anna Delaney: The first cyber insurance policy was written 287 00:17:30.450 --> 00:17:33.510 more than two decades ago. But the cost of recovery and 288 00:17:33.510 --> 00:17:37.020 business losses from ransomware attacks has grown exponentially. 289 00:17:37.350 --> 00:17:41.520 In fact, losses by hospitals typically exceed $100 million. 290 00:17:42.480 --> 00:17:46.830 As a result of cyber insurance are raising the rates or exiting 291 00:17:46.830 --> 00:17:50.670 the business altogether. 
The availability of cyber insurance 292 00:17:50.730 --> 00:17:54.270 will continue to dry up increasing financial risks for 293 00:17:54.270 --> 00:17:55.290 business owners. 294 00:17:55.570 --> 00:17:58.270 Richard Bird: Bitcoins quote was a banker as a fellow that lends 295 00:17:58.270 --> 00:18:01.090 you an umbrella when the sun is shining, and takes it away as 296 00:18:01.090 --> 00:18:05.620 soon as the rain starts to fall. I think the cyber insurance 297 00:18:05.620 --> 00:18:10.840 industry is very much in that space, as well as people who are 298 00:18:10.840 --> 00:18:14.530 using as their corporate strategies, cyber insurance as a 299 00:18:14.530 --> 00:18:22.270 backstop to their own security, inefficiencies and problems, 300 00:18:22.900 --> 00:18:26.380 which has been a standard method of operation for a decade now, 301 00:18:26.470 --> 00:18:30.700 which is, I know that I have risks, I am choosing not to 302 00:18:30.700 --> 00:18:34.300 mitigate those risks because I have a financial backstop in 303 00:18:34.300 --> 00:18:40.150 place. That financial backstop is rapidly being removed as the 304 00:18:40.150 --> 00:18:46.180 rain starts to fall. For many companies and anecdotally, a lot 305 00:18:46.180 --> 00:18:49.690 of us are hearing the payouts on massive breaches that have 306 00:18:49.690 --> 00:18:53.680 occurred over the last 24 months have been somewhere between zero 307 00:18:53.680 --> 00:18:59.920 to 30% on the dollar that was agreed to in the premium and on 308 00:18:59.920 --> 00:19:03.790 the payback and reason this is because not only is the entire 309 00:19:03.790 --> 00:19:06.460 cyber insurance industry reevaluating what they're doing 310 00:19:07.150 --> 00:19:11.110 their actuarial is by design. So they're now beginning to 311 00:19:11.110 --> 00:19:15.580 calculate their risk based upon what they've found. 
Not in news 312 00:19:15.580 --> 00:19:18.820 headlines, but when they've gone and done the deep forensics that 313 00:19:18.850 --> 00:19:21.250 they're going to do every time one of their customers has been 314 00:19:21.250 --> 00:19:25.510 breached. And they're continuing to find that the basics of 315 00:19:25.510 --> 00:19:28.960 cybersecurity have been done poorly or not at all. 316 00:19:28.000 --> 00:19:32.770 Anna Delaney: A series of breaches, major losses in market 317 00:19:32.770 --> 00:19:36.130 value and the FTX crypto exchange scandal sent the 318 00:19:36.130 --> 00:19:40.720 cryptocurrency world into a tailspin in 2022. Look for 319 00:19:40.720 --> 00:19:43.360 government agencies to place tighter controls on 320 00:19:43.360 --> 00:19:47.230 cryptocurrency firms to protect investors by money laundering 321 00:19:47.440 --> 00:19:49.000 and improve security. 322 00:19:49.720 --> 00:19:53.140 Ari Redbord: Today, you already see regulators globally thinking 323 00:19:53.140 --> 00:19:56.980 in pretty sophisticated ways. We've only seen a handful of 324 00:19:56.980 --> 00:20:00.070 jurisdictions where you have a comprehensive framework for 325 00:20:00.070 --> 00:20:04.300 crypto. One of those places is the European Union - the EU - 326 00:20:04.450 --> 00:20:06.670 where you have MiCA - the markets in crypto-assets - 327 00:20:06.700 --> 00:20:11.620 regulation, or legislation that really sort of hits a bunch of 328 00:20:11.620 --> 00:20:15.340 the key sort of areas, starting with stable coin regulation, and 329 00:20:15.340 --> 00:20:19.000 then talks about how do you regulate centralized exchanges 330 00:20:19.000 --> 00:20:25.480 like FTX? 
And the amicus answer to sort of the future scenarios, 331 00:20:25.480 --> 00:20:32.020 like FTX is a really robust licensing licensing pipeline, 332 00:20:32.200 --> 00:20:37.420 where regulators really dig in to the operations, the 333 00:20:37.420 --> 00:20:42.490 governance structures of how one of these entities operates. And 334 00:20:42.490 --> 00:20:46.180 that conversation is happening absolutely everywhere. Just this 335 00:20:46.180 --> 00:20:52.270 week, we saw the Brazilian legislature, the Chamber of 336 00:20:52.270 --> 00:20:56.950 Deputies move comprehensive crypto legislation to the 337 00:20:56.950 --> 00:21:02.620 President, that has taken seven years, MiCA took years, 2019, 338 00:21:02.620 --> 00:21:06.730 2020 to get to the place we are today. We're just starting to 339 00:21:06.730 --> 00:21:10.840 see movement within the U.S. Congress. And I'm hopeful that 340 00:21:10.840 --> 00:21:14.440 over the next really few years, we'll see a comprehensive 341 00:21:14.440 --> 00:21:16.840 framework, but I think for the moment, we're going to see sort 342 00:21:16.840 --> 00:21:19.810 of piecemeal action, whether it's on stable coins, whether 343 00:21:19.810 --> 00:21:23.650 it's on sort of centralized exchanges, with just given the 344 00:21:23.650 --> 00:21:27.010 FTX scenario, we're going to see movement. But right now, in the 345 00:21:27.010 --> 00:21:29.440 U.S., where we're seeing the most movement is from the 346 00:21:29.440 --> 00:21:32.350 executive branch - what is the SEC doing in terms of 347 00:21:32.350 --> 00:21:34.870 enforcement actions? What is Treasury doing? 
348 00:21:34.000 --> 00:21:35.500 Tom Kellermann: The rogue nation states of this world are 349 00:21:35.500 --> 00:21:38.440 laundering the majority of their illicit funds through crypto, 350 00:21:39.070 --> 00:21:43.090 it's not going to break because economic sanctions are avoided 351 00:21:43.090 --> 00:21:45.640 by crypto, it's not going to break because cybercriminals 352 00:21:45.640 --> 00:21:48.670 whole economy of scale that's massive, it's larger than our 353 00:21:48.670 --> 00:21:52.120 industry is laundered through crypto, but I would say it was 354 00:21:52.120 --> 00:21:56.290 an awakening or reckoning for blockchain. I mean, in the 355 00:21:56.290 --> 00:21:59.410 construct of, "oh, it's bulletproof. It's so secure." 356 00:21:59.410 --> 00:22:03.370 And we've seen these dramatic attacks against defy platforms 357 00:22:03.370 --> 00:22:05.980 left and right, where they're just getting compromised, left 358 00:22:05.980 --> 00:22:09.040 and right. How the North Koreans build these missiles, they shoot 359 00:22:09.340 --> 00:22:13.570 on the proceeds of hacked exchanges. But I think it's a 360 00:22:13.570 --> 00:22:16.780 reckoning for the security of exchanges as well. 361 00:22:16.000 --> 00:22:19.210 Steve King: One of the other good things that came out of 362 00:22:19.210 --> 00:22:24.070 this was, you know, that made ... it's reset the venture 363 00:22:24.070 --> 00:22:30.280 capitals, community's approach to funding, great new ideas that 364 00:22:30.280 --> 00:22:39.280 startups have with 10x over valuation. 
And I think that as

365
00:22:39.610 --> 00:22:42.670
is going to retire for a while, you know, and that's good,

366
00:22:42.670 --> 00:22:47.470
because we've been, we're cheap money, and all these folks being

367
00:22:47.470 --> 00:22:51.130
hired to work on, you know, what essentially is crap, for another

368
00:22:51.130 --> 00:22:54.700
point solution to duke it out with the market leaders, to me,

369
00:22:55.390 --> 00:22:59.080
never made a lot of sense. We're working on, if we're going to

370
00:22:59.080 --> 00:23:03.280
spend that kind of capital, and I mean people and money, why

371
00:23:03.280 --> 00:23:05.950
aren't we working on the large problem that we've been

372
00:23:05.950 --> 00:23:10.540
discussing here? Why don't we try to solve the reason why

373
00:23:10.540 --> 00:23:13.180
we're here to begin with, instead of, you know, "I've got

374
00:23:13.180 --> 00:23:16.090
this great, you know, endpoint protection solution that

375
00:23:16.150 --> 00:23:19.030
scrambles eggs and makes your bed in the morning alongside

376
00:23:19.030 --> 00:23:21.370
it." I mean, I would actually buy that.

377
00:23:24.220 --> 00:23:26.920
Anna Delaney: And finally, most large corporations have offered

378
00:23:26.920 --> 00:23:30.310
cybersecurity awareness training for years, but it doesn't seem

379
00:23:30.310 --> 00:23:34.990
to be working. Cybersecurity resources are getting harder to

380
00:23:34.990 --> 00:23:39.040
find. Look for organizations to change the way they deliver

381
00:23:39.040 --> 00:23:42.430
education and certification programs, with an eye toward

382
00:23:42.430 --> 00:23:46.630
more engaged learning, career paths and upskilling CISOs.

383
00:23:46.870 --> 00:23:50.080
Steve King: We've got practitioners who are working

384
00:23:50.080 --> 00:23:54.340
hard to try to make this stuff work, but they actually have no

385
00:23:54.340 --> 00:23:59.170
comprehend, no understanding of what they're doing.
I mean, it's

386
00:23:59.170 --> 00:24:03.610
you, you do got 10 people in a room and said, you know, "tell

387
00:24:03.610 --> 00:24:05.410
me how Kubernetes works."

388
00:24:05.000 --> 00:24:06.410
John Kindervag: We don't train people the way we used to, to go

389
00:24:06.410 --> 00:24:07.730
out and learn these things on their own. They expect it to be

390
00:24:07.820 --> 00:24:09.080
given to them through training certification. And this is the

391
00:24:09.080 --> 00:24:10.850
problem with training, as much as I like working with CyberEd and

392
00:24:21.170 --> 00:24:26.360
stuff. We got to get people to be more experiential and more

393
00:24:26.360 --> 00:24:29.930
inquisitive and want to know the answers on their own.

394
00:24:29.000 --> 00:24:33.860
Steve King: Our intention here, our mission, is to reduce

395
00:24:33.920 --> 00:24:39.830
complexity through understanding and through, you know, learning

396
00:24:39.830 --> 00:24:42.710
paths that are addressed right at bat, so that folks can

397
00:24:43.070 --> 00:24:46.760
actually understand what they're doing when they're doing it, and

398
00:24:46.790 --> 00:24:49.760
I don't see any of that happening today. So we're

399
00:24:49.760 --> 00:24:50.780
looking forward to that.

400
00:24:52.250 --> 00:24:54.890
Anna Delaney: As you can see, the consensus among the experts

401
00:24:54.890 --> 00:24:58.460
is that, for the most part, little progress is being made to

402
00:24:58.460 --> 00:25:02.090
meaningfully respond to the rising tide of threats, but

403
00:25:02.150 --> 00:25:07.310
there's hope for 2023. For ISMG, I'm Anna Delaney, wishing you a

404
00:25:07.310 --> 00:25:09.410
happy and safe year ahead.
