
Search Results


  • Generative AI: Friend or Foe to Cybersecurity?

    The image of a couple of computer whiz kids hiding away in the basement while they hack into the Department of Defense mainframe makes for an interesting thriller movie plot. However, this is simply not your cyber threat reality. Today’s cyber terrorists are well organized, very well capitalized, and are tirelessly looking to devise new and highly disruptive ways to sneak into your network. It’s not enough to keep running the same enterprise solutions and hope they work forever. This is war! You need to be continuously and proactively hunting for new threats and emerging enemy technologies as well as ways to combat them. Enter generative AI.

    Artificial intelligence; machine learning. Utilizing AI for productivity is so new that we may not fully grasp the utility... or the threat of it. Some of us remember this fateful sequence of events made famous in the sci-fi classic The Terminator: a Skynet funding bill is passed in the United States Congress, and the system goes online on August 4, 1997, removing human decisions from strategic defense. Skynet begins to learn rapidly and eventually becomes self-aware at 2:14 a.m. EDT on August 29, 1997.

    Fortunately, the reality of this potential outcome can be cleared up by the AI itself:

    Is ChatGPT part of Skynet?

    No, I am not part of Skynet. Skynet is a fictional artificial intelligence system from the Terminator movie franchise, while I am a real-life language model created by OpenAI to assist with a variety of tasks such as answering questions and generating text. I am not sentient, and I do not have the ability to control or interact with physical systems like Skynet does in the movies.

    I think we are all relieved to hear no ill intentions coming directly from ChatGPT!

    AI and its implications for information security

    In their newsletter Security Roundtable, Palo Alto Networks warns:

    Cyber threats are increasingly automated using advanced technology. Unfortunately, defense has continued to employ a strategy based mostly on human decision-making and manual responses taken after threat activities have occurred. This reactive strategy can’t keep pace against highly automated threats that operate at speed and scale. The defense has been losing—and will continue to lose—until we in the cybersecurity community fight machines with machines, software with software.

    Dan Peterson of ZDNet agrees and states:

    Generative AI has helped bad actors innovate and develop new attack strategies, enabling them to stay one step ahead of cybersecurity defenses. AI helps cybercriminals automate attacks, scan attack surfaces, and generate content that resonates with various geographic regions and demographics, allowing them to target a broader range of potential victims across different countries. Cybercriminals adopted the technology to create convincing phishing emails. AI-generated text helps attackers produce highly personalized emails and text messages more likely to deceive targets.

    How to think about AI in order to minimize these risks

    We asked Matt DeChant, CEO of Security Counsel, to talk about his views on the risks and rewards of utilizing artificial intelligence as a productivity tool in our daily lives.

    Hello Matt, what does artificial intelligence mean to cybersecurity?

    Artificial Intelligence (AI) is a great way to meet one of the primary needs of a security program: intelligence gathering. All modern security programs are run on the intelligence they gather. Another way to look at it is that you cannot defend against an attacker that you are not aware of. The longer a bad actor can dwell “in the system” looking for things to exploit or steal, the more damage they can do. If you don’t have intelligence around your people, processes, and technology, a bad actor’s typical dwell time might be 6+ months before they are discovered.

    So, does AI give you better tools to seek out these threats, or is it an efficiency play?

    It may be neither. At this early stage, there are not many available AI-driven security products or services. AI is an open system that is recursive. Privacy is at the core of security, and AI systems by their definition are not private. They are learning new things by gathering their own information. The artificial intelligence systems that we have (ChatGPT, MidJourney, etc.), for example, are working on their own intelligence, not yours. They have a primary goal of becoming more informed. As a result of that improvement, the business hope is that you can gain insights from your own information that's used as the inputs. In many ways the AI tools that are available today are just a build on what has been available for many, many years. Just like search engines (e.g., Google, Bing, etc.), this is based on the idea that you are giving up a bit of your privacy to get access to new information. These services are generally free. But, of course, nothing in this world is free. The information you feed into these tools becomes part of its zeitgeist. This is where the danger is. When you feed it sensitive information that you don’t want to make public, it will become public to future queries in the same system. Then, your information also becomes part of the answer for other queries.

    It sounds like companies using AI tools need to be cautious of the public nature of AI.

    Absolutely, including any information that you give it. It all becomes part of the constantly developing system. It is designed to retain that information and use it to refine its dataset to become more “intelligent.” Also remember, AI is a tool to make information more accessible. It’s not the oracle that has the answer. You must interpret, massage, double check, and tabulate the data in an appropriate way to find the results that are meaningful to your organization. It’s a good idea to treat it like you can’t fully trust it. Another way to look at it is that AI is your “co-pilot.” You do the driving, and AI is working the map and the radio.

    So, you can't turn it loose and let it solve your problems?

    Exactly! We must remember that artificial intelligence is not actually intelligent. Skynet is not going to become self-aware. It is simply an immense amount of information in one place that has the ability to very efficiently give you what appear to be very nuanced answers to things. The problem that we have then is two-fold:
    1. We are confusing intelligence with perceived completeness of available information.
    2. AI must deliver something both novel and exploitable.
    Otherwise, it’s simply a race to mediocrity. If five businesses ask the same question and use the answers in the same way, they are all on a journey to becoming commodity businesses. Businesses want and need that secret sauce to differentiate themselves in the marketplace and become more successful.

    What does AI mean to bad actors?

    I would say that most of the actions and attacks that we see by bad actors are exploiting the way that humans are built. We are sort of tribal; we trust certain groups and don’t trust others. Confidence tricksters that separate people and organizations from their money or resources have been operating for thousands of years, and this is just a new way, a new tool, to do that. Put simply, it’s just a more efficient way to employ these old tricks. AI allows them to more efficiently identify their marks. With the automation of AI-enabled threat tools, the frequency of potential breaches could increase significantly.

    What can companies do to combat this new, more aggressive threat?

    Just like bad actors who use AI to automate attacks, organizations should take a hard look at tools that can combat that speed and efficiency, also using AI. There are new tools being launched every day that utilize generative AI as the backbone of the solution. Research them, evaluate them, then implement them, and do it quickly! Beyond that, all security programs worth their salt will constantly re-evaluate their own effectiveness, including identifying AI-generated vulnerabilities in addition to traditional ones. This work needs to drive revision and updates to the overall security program. Employee training must also be broadened to include awareness around AI-generated threats like deep fakes. We need to keep reinforcing standard security practices like multifactor authentication, email filters, and training on recognizing AI-generated phishing attacks. Diligence is the key to every successful security program!

    Moving Forward

    There is no debate on the fact that AI is here to stay. It is an extremely powerful tool that all companies will use in one way or another in the coming years. Its efficiency value is incredible! But AI is not intelligent. Its outputs should neither be trusted at face value, nor should they be applied as blanket solutions. AI is not good or bad. It is simply a tool. Generative AI needs to be considered in every effective security program, including technical tools, training, and automating threat response. We, the humans, will be watching and adapting as generative AI continues to develop on both sides of the information security equation.

  • 2025 Cyber-threat Predictions (and what to do about them)

    2024 has been a big year for the bad guys. Cybersecurity crimes have cost US companies record dollars this year. Virtually everyone has felt the effects of a breach one way or another. The current count for records stolen in just the AT&T breach is now topping 1 billion and still counting! And that wasn’t even the largest breach; it was number 4! The bad news is that it’s not going to slow down, and with bad actors using more sophisticated tools augmented by AI, the rate of attacks will likely keep increasing in 2025. The good news is that you can effectively combat cyber-attacks in a lot of different ways.

    Over the next month, we’re going to take a look at the forecast for cybersecurity threats in some specific industries based on some anticipated trends for 2025 and, more importantly, offer some tips on how best to prepare your organization to defeat these adverse events before they happen. In this first installment, we will look at some overall factors that will affect all businesses in 2025.

    AI-driven cyber attacks

    Like it or not, AI is here to stay, and as an efficiency tool it has greatly matured over the past year. Likewise, AI-generated cyber-attacks have become much more sophisticated than ever and are predicted to surge in 2025. Between the increased sophistication of AI deep fakes and the ability to automate attacks, making them much quicker and more frequent, this is a technology that must be proactively defended against. Organizations must be hyper-vigilant on compliance and prevention around AI threats.

    Tips and tricks – for keeping AI (and all) threats at bay
      • In your home, protect your most vulnerable populations, which include the elderly and young children.
      • Train your workforce: publish a comprehensive AI use policy document and formally train them on it at regular intervals.
      • Filter or block traffic from outside the US unless it is a known source you do business with.
      • Run periodic tabletop breach simulation exercises to give your management team a thorough understanding of their roles in the event of an actual breach.
      • If you are associated with sensitive information at work or within your family (e.g. high net worth individuals), go private on social media.
      • People need “second factor” authentication methods that AI cannot intervene in or manipulate; this has been stated as the single most effective step you can take to fight cyber crime.

    Risk Management

    With cybersecurity risks increasing at an increasing rate, a sound, logical, and measured cybersecurity preparedness plan is required to balance the corporate risk register, a risk management repository of all identified risks and their mitigation strategies. The corporate risk management plan must include all aspects of cybersecurity risk. Risk management needs to be proactive: don’t assume the concept of risk management is understood in your organization, or that all of your leaders collectively manage it the same way.

    Tips and tricks – for running effective cyber-risk management
      • Run a risk management-led security program and train your non-security managers on the concepts and processes along with your security team.
      • Don’t over-index on expensive risk tools when a spreadsheet and meetings will suffice.
      • Take action: risk management is not just a conceptual thought exercise. You are modeling future events and their business impact, but it has no value to the business unless you also act immediately upon discovering a weakness in your risk matrix, which is the organized output of your risk assessment activities.

    Human-Centered Program Design and Execution

    As tech wizards and cyber geeks, we can get all too caught up in the details around tech stacks, Hypertext Transfer Protocol Strict Transport Security, Host-based Intrusion Prevention Systems, and much more, but the critical glue that holds all these concepts and systems together is human interaction. People are usually the weak point of entry that bad actors will exploit. Poorly designed software interfaces and dashboards, insufficient training to recognize information that is suspect, and a frankly overburdened and stressed-out workforce can all lead to gaps in the security framework. A cybersecurity program’s success is heavily reliant on human-centered technology solutions with a focus on usability as well as on supporting human behavior change.

    Tips and tricks – for supporting a human-centered security program
      • Human-focused security training is critical to supporting your staff. Classroom education (in person and interactive), if possible, leads to greater participation and buy-in than a web-based annual 30-minute review.
      • Provide a mentorship attitude from your security team to support the staff. Viewing the IT support team not as the cybersecurity police but as a resource will go a long way toward buy-in and adherence to your program guidelines.
      • Implement a user-driven cybersecurity support program which includes initial security onboarding, specific role-based training and support, and, if needed, remedial training for certain situations.
      • Show patience and understanding for the non-technical team members who are required to learn new technical information.
      • Build consensus around the need for human-centered training at the C-suite/board level. Buy-in from the top will ensure that budget and other resources are properly allocated to effectively support the program.

    Upcoming information for specific industries

    Over the following weeks, Security Counsel will release 2025 cybersecurity forecasts for specific industries, which will include healthcare, manufacturing, the insurance industry, and several more. We will review specific trends and predictions around the threat landscape and offer more tips and tricks to help your organization guard against these risks.

  • Six Key Considerations When Hiring a vCISO

    Hiring a full-time Chief Information Security Officer can be an arduous task. It can take a significant amount of time and money, both of which might be in short supply at your organization. This is why hiring a fractional CISO (virtual CISO) has become the go-to choice for small and medium-sized organizations. vCISOs are hired as consultants, so you only pay for the time that you need. Some sources say that vCISOs typically cost 1/3 of what a traditional CISO does to hire and employ full-time. This financial model makes engagement with vCISOs feasible for even small organizations.

    This is great news, as cybersecurity is extremely important for companies of all sizes. Accenture’s Cybercrime study states that 43% of cyberattacks target small and mid-sized businesses and only 14% of these are adequately prepared to defend against these attacks. In addition, according to the US National Cyber Security Alliance, 60% of small businesses that are victims of data breaches go out of business within 6 months.

    Another benefit to engaging with a vCISO is that they can provide a fresh perspective on your cybersecurity challenges and information security program planning. Furthermore, while it’s true that the vCISO must integrate well with the internal team, they are external consultants. This gives them the advantage of not having to participate in internal politics.

    Optimizing your cybersecurity ROI

    While the vCISO is technically an outsider, they must lead your information security team as if they were a part of your full-time staff. They need to be an integral part of your internal team and communicate well with both staff and the C-level. Ideally, the vCISO should have budgetary control and the authority to manage your team to implement and maintain your information security initiatives. As you begin your search and interview process, here are some considerations that will help to ensure your vCISO hire will be successful. An effective hire will ensure that you reduce your organization’s cyber-risk in the shortest amount of time, while creating an information security program that is sustainable long after their engagement ends.

    1. Communication skills – It is no accident that this is the first consideration when hiring a vCISO. Communication in this business is the lynchpin of a successful engagement. The vCISO needs to be able to effectively communicate with the internal team so that no information is ambiguous or open-ended. Success is a function of the internal team’s ability to execute the plan exactly as designed. It is especially important that they use the same vernacular that your organization does and that this “language” seems familiar and supportive to the rest of the internal team. Equally important is effective communication with the C-suite and board. These people are very busy, so it is extremely important to have efficient and effective communication with them. These company leaders need to understand the bigger-picture implications of the pending security plans and how they will positively affect the company and reduce risk. They may not be fluent in the cyber lingo we use every day, so the vCISO needs to be able to speak and present plans, updates, and metrics in understandable terms and concise language.

    2. Problem processing skills – When reviewing the websites of your candidate vCISOs, and later during the interview process, try to get a feel for the types of problems that they have solved and the methods they followed to achieve these solutions. Being confident that the vCISO has solved complex, systemic problems in the past is a strong indication that they will be successful at solving the security challenges of your organization.

    3. Relevant experience – A vCISO does not necessarily need to have worked for one of your competitors to be able to understand your business. However, it can help if they have had similar industry experiences or solved similar problems to the ones you have identified in your organization. It can help them get up to speed more quickly and ensure that the solutions they offer have been tested and proven in previous engagements.

    4. Regulatory and technical tools knowledge – In this industry, there is no shortage of regulatory requirements and the need for compliance. ISO 27001, HIPAA, CMS/MARS-E, and GDPR are just a few of the more prominent ones. An additional bonus that you will get by utilizing a vCISO is the breadth of knowledge they will have due to a history of engagements with a wide variety of companies and industries. They will also be current with the latest releases of each of these regulations and will have had experience with lesser-known requirements as well. Likewise, your vCISO should be fluent in the latest technical tools and software.

    5. Personality – Finding the perfect vCISO can be like searching for a unicorn. How a person presents themselves and interacts with people can have a significant effect on establishing respect and building trust. Your vCISO needs to be approachable; their effectiveness depends on being viewed as part of the internal team. They also need to be a leader who builds confidence in the internal team. Your vCISO needs to be someone that your internal team wants to support because they believe in the vCISO’s ability to guide them effectively. All things being equal, people want to work for people they like and respect!

    6. A track record of success – During the search and interview process, look for evidence of successful engagements. You can often find testimonials on their websites. These quotes can provide insight about what process was followed and the outcomes delivered. They can also shed light on how this particular vCISO might have provided higher-level outcomes than the client might have expected at the onset of the engagement. Also, take the time to have conversations with the candidate’s client references. Knowing that these references are “friendlies,” ask them tough questions, like how this vCISO handled tough situations. How did they behave in a crisis, or how did they recover from a situation that was delivering less than ideal results? Also find out their tangible metrics of success for what was promised and how they knew that the vCISO delivered measurable results.

    Moving Forward

    At this point you have determined that you don’t have the time, financial resources, or bandwidth to hire a full-time CISO. For you, a vCISO can be an excellent choice to provide leadership and oversight. Someone who can lead the charge to:
      • Effectively assess cyber threats relative to company-accepted risk levels
      • Collaboratively design a plan to resolve these threats
      • Implement your program while also training your internal staff to sustain the plan
      • Measure, evaluate, and update the plan on a regular basis
      • Provide communication and feedback at all levels throughout the process

    Utilizing these six considerations will help ensure you have put your information security budget to good use and have maximized your probability of success, resulting in the greatest return on your security investment.

  • The journey from CISO to Virtual CISO

    Listen to an interview with our CEO, Matt, about his journey from CISO to Virtual CISO. Hear his thoughts about the value and the threat arising from the artificial intelligence revolution as well as other timely topics. This segment was recorded just before the company rebranded as Security Counsel.

  • Security Counsel - A new breed of cybersecurity professionals

    Security Counsel has been created as the next stage of evolution in fractional information security resourcing. We specialize in designing and building information security programs from the inside out. As part of this offering, Security Counsel can provide fractional FTE support, including vCISO services, bringing technical experience without the challenges and costs of hiring permanent leadership.

    In recent years this concept of fractional information security resourcing, often in the form of a vCISO, has become very popular. This model can be much more cost effective than full-time staff, and it has solved the challenge of finding information security leadership for many small and mid-sized enterprises. Security Counsel is a little different, however. We are made up of several small, but well established, information security consulting firms and individuals. We come together to create an extremely broad and deep level of experience in what we call the Provider Federation.

    Breadth and Depth of Experience

    For SMBs, it can be challenging to find a vCISO with just the right expertise and experience for your particular set of challenges or in your specific industry segment. Utilizing a vCISO can tap into experience gleaned from multiple and varied engagements; however, any single vCISO may not have the exact experience that is specific to what your organization needs. Security Counsel has solved this resourcing problem by bringing together a consortium of small cybersecurity consulting firms and individuals into a cooperative that greatly expands the resource pool in terms of breadth and depth. Taking your resourcing to the next level by tapping into the Provider Federation can bring several different vCISOs into the mix, resulting in an even larger probability that we can provide the vCISO who is the best match for your organization. Additionally, the Federation can bring a support staff of Deputy CISOs, Security Architects, Security Engineers, Security Analysts, and Technical Writers that will perfectly round out the team and provide the best solution for your organization's needs.

    Advanced and Integrated Team Training

    Another key area of value that you will receive when working with Security Counsel is our tireless dedication to internal team integration and training. Our philosophy of service is not to sweep in and take over your systems but instead to become an integral part of your team. This approach will prevent your internal team from feeling like outsiders who are unable to contribute. Instead, we start every engagement by taking the time to understand your internal capabilities, strengths, and areas of contribution. Then, throughout the process, we take every opportunity to mentor and train your team, relying on them to become a perfectly meshed part of your newly designed and implemented information security system.

    With Security Counsel, you are also engaging with a company that has created specific methods and training curricula that allow us to “grow our own” resources, training them to have the skills needed to support your team. More often than not, these newly trained graduates are permanently placed in your organization as new hires, already capable of doing the work that your system requirements demand. Once onboarded, their training continues in real-world scenarios, in methods and processes that will result in your team being qualified and ready to support your security system long after our engagement ends.

    Moving Forward

    While it’s true that Security Counsel is a newly formed organization, our experience spans decades across numerous Provider Federation partner vCISOs who are standing by to lead you through your most challenging security issues. This same group will ensure that you have the right resources at the right time and that your internal team will be well equipped to keep your systems running smoothly over the long haul.
