
Cyber Security Leaders Discuss the Future of the Field: AI, Career Growth and More

From the continued impact of generative AI to the importance of identity-first security strategies, this cybersecurity webinar overview unpacks complex challenges and emerging solutions. The discussion covers a range of vital topics, from the persistence of generative AI as both a tool and a threat in cybersecurity to strategies for fostering behavioral change to reduce human risk. Ideal for security professionals and business leaders, our panel of industry experts (Christophe Foulon, Founder & Fractional CISO, CPF Coaching LLC; Parul Mittal, Vice President of Cyber Risk & Strategy at Kroll; Steve Gentry, Cyber Security Officer; Ryan Sahadeo, CEO & Founder at SecurOptix) explain how to navigate the new cybersecurity landscape, ensuring resilience and effective risk management in an increasingly digital world.

Continue reading below for highlights of the conversation, or click the video below to watch the conversation in full:


Foulon: What are some of the key metrics you lean on when planning or measuring cybersecurity activity?

Gentry: We used to focus on minutia-driven metrics. Today we are getting away from the mindset of protecting the perimeter, since we don't house the servers or the networks anymore. Vulnerability metrics (code, infrastructure, and data) are not something I focus on. Instead, what are we doing to protect the data, and then how do we break those metrics down from there? We are looking at risk-based activities around: who's got access, what are they doing, and where does it reside? Do you even have a data inventory of your environment? If something catastrophic happens, can we get our code base back? For infrastructure, can we start back up from a cold start?

This allows me to have a risk-based posture discussion with the board versus something like, "How many USB violations did we have?" Who cares about that? We are finding ways to get contextual information around the data we have, and driving action around our metrics.

Mittal: One of the emerging threats is third-party vendors. IBM has reported that 19 percent of data breaches were related to third-party software. So, we focus on things like, how compliant are our vendors? Should we do due diligence before even bringing them on board? How much are we backtracking on existing vendors? Once this is done we will have decent metrics to look at to remediate or reduce third-party risk. 


Foulon: How do you use AI to drive metrics?

Sahadeo: This is a tough one to answer. It depends on the layout of the organization. I have been with a bunch of start-ups in my career. It all depends on the tools they have to increase efficiency and streamline workflows.

Mittal: It revolves around training. How many people in the organization are successfully bypassing phishing? A big focus in terms of metrics is knowing the baseline and where the organization sits. Then you can build to fill in the gap. Have a goalpost to shoot for, then you can build a roadmap. Then build a solid incident response plan so people involved are able to put it into practice and do it successfully.

Gentry: We are less worried about third-party vendors. Let’s face it, we can’t do corporate espionage with vendors to really know their internal practices. A better thing to look at is what are they doing for us. What data are they touching? What is our risk posture around that? What I am looking for on the resilience side is what are our risk factors.

Stop focusing on the transfer aspect, but bring it in-house to see how the business is impacted.

Foulon: What are some of the best certifications for cybersecurity?

Mittal: Security+ is a baseline and provides a broad spectrum of knowledge to be able to enter the industry.

Gentry: It depends on the path you want to take. CISSP is still the baseline. If you go to cloud, do the cloud version of CISSP. However, I want to warn people: don't over-certify yourself. If you do so, then you are looked at as a cost center looking to take away dollars.

If you're trying to get into the SaaS world, go do AWS, GCP, and Azure certifications. They are out there, and a lot of them are free; you can sign up for them, go through them, and understand the cloud environment.

It does sound counterintuitive, but if you know leadership is your path, the best thing you should get is an MBA, so you know how what you do fits within the organization. If you want to be a CISO, your best certification is an MBA.


Sahadeo: I would say for anyone looking to break into the industry, you can go the Security+ route; it's pretty handy for government jobs. You also see CISM and CRISC certifications, which you see in job descriptions a lot.

However, much of this speaks to companies not understanding what they need. As you get higher in an organization, figuring out the certs that you need along that path is important. I got started without any certs; now, as I get more advanced, I pick ones that align with my career.

Gentry: Hiring managers need to stop with certification overload. Pay attention to what you are looking for. Do they really need a four-year degree? What certifications should they have? Which ones are you going to help them get? Stop blaming HR for bad job descriptions when it is the hiring manager who is writing them.

Foulon:  How do you manage resiliency when you work with third parties?

Mittal: Doing compliance with the data they are working with. Sometimes vendors are good with handing you those reports, others not so much. To the extent you can really check a third-party vendor, the best-case scenario is that you're getting their SOC report, SOC 2 or SOC 1 but preferably SOC 2, so you're able to see what other auditors said about them. Sometimes vendors are forthcoming with that information, but oftentimes they're not. They are not looking to hand out all of their documentation to you without contingencies. It becomes a give-and-take situation. You are noting their risk and then following up on risk. Monitoring and controlling is manual work that requires a lot of resources.


Foulon: What approaches have you found for continuously monitoring threats, either internally or from other vendors?

Sahadeo: In the case of third parties, sometimes relationships happen where a higher-level employee brings in a vendor, and security is only brought in later. Security is advising leadership, but if you are not taking our recommendations, if you are not monitoring compliance on an annual basis, trouble can happen. A lot of companies fail to follow up and then have to compensate later on. If I am looking at SaaS vendors to monitor, I look to give them only the access they need to do the job. A lot of companies would give vendors full access because it is too much work to give them just what they need.

Gentry: We always talk about engineering, but we've got this whole go-to-market strategy with sales and marketing who run fast and loose with personal data, and there are a lot more stringent global privacy laws than there are security laws. A CISO needs to connect the dots for the executive team. This goes back to what I said about needing to have an MBA, to understand these issues, so you can answer the "so what" question for them.


Foulon: AI is a big factor today. It consumes a ton of data, which is usually external to organizations. What are some of the ways we can work to protect that?

Sahadeo: None of the major organizations, unless you are talking about Google, Amazon, Microsoft, or Facebook, have robust cloud servers that hold much larger AI applications that could potentially do damage. That isn't to say that outside AI apps don't spring up all the time. They're a dime a dozen on the internet these days, and they can cover every single function you can think possible. Back to the organization, though: it starts with training. Understand the functionality of AI, and what you can and cannot do. Unfortunately, the more guardrails you put into place, the more people are going to try to bypass them.

Mittal: The biggest concern with AI is the advanced capability of generative AI to create social engineering attacks. With generative AI phishing emails up 1200% and credential theft up 900%, it's a big impact that generative AI is making in terms of these attacks. AI can take your credentials through this method. We need to educate users about this. State and federal laws are starting to address this, but with malware becoming so prevalent with AI, it's important for users to understand what they can and cannot use AI for. The main thing is that it is not meant to replace human decision-making; it is meant to enhance it.


Foulon: How do you drive behavioral changes around using AI?

Gentry: Yes, policy and training are fantastic. The third piece is that if you are going to do policy and do training, how are you putting mitigations in place? You can lock down personal ChatGPT and force users to use your business ChatGPT. However, 100 percent, you cannot take people out of it. AI doesn't replace humans. Be thoughtful. Don't expect vendors and users to take care of you. This is how to drive effective change.

Mittal: Leverage AI to get some advice on how to do this, but augment this with human review. Educate users on what is acceptable use of generative AI. Users are empowered to understand what to use it for, and how not to use it. How to recognize ethical concerns or bias, so everyone knows who to go to for those issues. These are some guardrails to address.

Foulon: What do you see the upcoming job market looking like and what recommendations do you have for job seekers?

Gentry: My recommendation is patience. The job market is not great right now, but the market will correct eventually. Everybody wants to hire unicorns, and hiring managers need to reset expectations as we talked about before with certifications. 

Don’t expect to make a ton of money coming in at the start. Be realistic. And finally, get off the myth that security is layoff-proof. 

Mittal: Certs are nice to have, but stay current on what is going on. This is not too difficult in today's market with so much information out there.

Be on top of what's important. Knowing emerging threats will help your case.

Sahadeo: Read job descriptions and understand what they are asking for. Don’t be afraid to speak up and ask about it if you don’t understand or if the requirements don’t make sense. Many times, when organizations hire for initial roles, they don’t really understand the role. They try to loop into multiple roles and find a coin that doesn’t exist.