- Generative AI: Friend or Foe to Cybersecurity?
The image of a couple of computer whiz kids hiding away in the basement while they hack into the Department of Defense mainframe makes for an interesting thriller movie plot. However, this is simply not your cyber threat reality. Today’s cyber terrorists are well organized, very well capitalized, and are tirelessly looking to devise new and highly disruptive ways to sneak into your network. It’s not enough to keep running the same enterprise solutions and hope they work forever. This is war! You need to be continuously and proactively hunting for new threats and emerging enemy technologies as well as ways to combat them.

Enter, Generative AI. Artificial intelligence; machine learning. Utilizing AI for productivity is so new that we may not fully grasp the utility... or the threat of it. Some of us remember this fateful sequence of events made famous in the sci-fi classic, The Terminator:

A Skynet funding bill is passed in the United States Congress, and the system goes online on August 4, 1997, removing human decisions from strategic defense. Skynet begins to learn rapidly and eventually becomes self-aware at 2:14 a.m., EDT, on August 29, 1997.

Fortunately, the reality of this potential outcome can be cleared up by the AI itself:

Is ChatGPT part of Skynet?

No, I am not part of Skynet. Skynet is a fictional artificial intelligence system from the Terminator movie franchise, while I am a real-life language model created by OpenAI to assist with a variety of tasks such as answering questions and generating text. I am not sentient, and I do not have the ability to control or interact with physical systems like Skynet does in the movies.

I think we are all relieved to hear no ill intentions coming directly from ChatGPT!

AI and its implications for information security

In their newsletter Security Roundtable, Palo Alto Networks warns:

Cyber threats are increasingly automated using advanced technology. Unfortunately, defense has continued to employ a strategy based mostly on human decision-making and manual responses taken after threat activities have occurred. This reactive strategy can’t keep pace against highly automated threats that operate at speed and scale. The defense has been losing—and will continue to lose—until we in the cybersecurity community fight machines with machines, software with software.

Dan Peterson of ZDNet agrees and states:

Generative AI has helped bad actors innovate and develop new attack strategies, enabling them to stay one step ahead of cybersecurity defenses. AI helps cybercriminals automate attacks, scan attack surfaces, and generate content that resonates with various geographic regions and demographics, allowing them to target a broader range of potential victims across different countries. Cybercriminals adopted the technology to create convincing phishing emails. AI-generated text helps attackers produce highly personalized emails and text messages more likely to deceive targets.

How to think about AI in order to minimize these risks

We asked Matt DeChant, CEO of Security Counsel, to talk about his views on the risks and rewards of utilizing artificial intelligence as a productivity tool in our daily lives.

Hello Matt, what does Artificial Intelligence mean to cybersecurity?

Artificial Intelligence (AI) is a great way to meet one of the primary needs of a security program: intelligence gathering. All modern security programs are run on the intelligence they gather. Another way to look at it is that you cannot defend against an attacker that you are not aware of. The longer a bad actor can dwell “in the system” looking for things to exploit or steal, the more damage they can do. If you don’t have intelligence around your people, processes, and technology, a bad actor’s typical dwell time might be 6+ months before they are discovered.

So, does AI give you better tools to seek out these threats or is it an efficiency play?

It may be neither. At this early stage, there are not many available AI-driven security products or services. AI is an open system that is recursive. Privacy is at the core of security, and AI systems by their definition are not private. They are learning new things by gathering their own information. The artificial intelligence systems that we have (ChatGPT, MidJourney, etc.), for example, are working on their own intelligence, not yours. They have a primary goal of becoming more informed. As a result of that improvement, the business hope is that you can gain insights from your own information that's used as the inputs. In many ways the AI tools that are available today are just a build on what has been available for many, many years. Just like search engines (e.g., Google, Bing, etc.), this is based on the idea that you are giving up a bit of your privacy to get access to new information. These services are generally free. But, of course, nothing in this world is free. The information you feed into these tools becomes part of its zeitgeist. This is where the danger is. When you feed it sensitive information that you don’t want to make public, it will become public to future queries in the same system. Then, your information also becomes part of the answer for other queries.

It sounds like companies using AI tools need to be cautious of the public nature of AI.

Absolutely, including any information that you give it. It all becomes part of the constantly developing system. It is designed to retain that information and use it to refine its dataset to become more “intelligent.” Also remember, AI is a tool to make information more accessible. It’s not the oracle that has the answer. You must interpret, massage, double check, and tabulate the data in an appropriate way to find the results that are meaningful to your organization. It’s a good idea to treat it like you can’t fully trust it. Another way to look at it is that AI is your “co-pilot.” You do the driving, and AI is working the map and the radio.

So, you can't turn it loose and let it solve your problems?

Exactly! We must remember that artificial intelligence is not actually intelligent. Skynet is not going to become self-aware. It is simply an immense amount of information in one place that has the ability to very efficiently give you what appear to be very nuanced answers to things. The problem that we have then is two-fold:

1. We are confusing intelligence with perceived completeness of available information.
2. AI must deliver something both novel and exploitable.

Otherwise, it’s simply a race to mediocrity. If five businesses ask the same question and use the answers in the same way, they are all on a journey to becoming commodity businesses. Businesses want and need that secret sauce to differentiate themselves in the marketplace and become more successful.

What does AI mean to bad actors?

I would say that most of the actions and attacks that we see by bad actors are exploiting the way that humans are built. We are sort of tribal; we trust certain groups and don’t trust others. Confidence tricksters that separate people and organizations from their money or resources have been operating for thousands of years, and this is just a new way, a new tool, to do that. Put simply, it’s just a more efficient way to employ these old tricks. AI allows them to more efficiently identify their marks. With the automation of AI-enabled threat tools, the frequency of potential breaches could increase significantly.

What can companies do to combat this new, more aggressive threat?

Just like bad actors who use AI to automate attacks, organizations should take a hard look at tools that can combat that speed and efficiency, also using AI. There are new tools being launched every day that utilize generative AI as the backbone of the solution. Research them, evaluate them, then implement them, and do it quickly! Beyond that, all security programs worth their salt will constantly re-evaluate their own effectiveness, including identifying AI-generated vulnerabilities in addition to traditional ones. This work needs to drive revision and updates to the overall security program. Employee training must also be broadened to include awareness around AI-generated threats like deep fakes. We need to keep reinforcing standard security practices like multifactor authentication, email filters, and training on recognizing AI-generated phishing attacks. Diligence is the key to every successful security program!

Moving Forward

There is no debate on the fact that AI is here to stay. It is an extremely powerful tool that all companies will use in one way or another in the coming years. Its efficiency value is incredible! But AI is not intelligent. Its outputs should neither be trusted at face value, nor should they be applied as blanket solutions. AI is not good or bad. It is simply a tool. Generative AI needs to be considered in every effective security program, including technical tools, training, and automating threat response. We, the humans, will be watching and adapting as generative AI continues to develop on both sides of the information security equation.
- The journey from CISO to Virtual CISO
Listen to an interview with our CEO, Matt, about his journey from CISO to Virtual CISO. Hear his thoughts about the value and the threat arising from the artificial intelligence revolution as well as other timely topics. This segment was recorded just before the company rebranded as Security Counsel.
- Six Key Considerations When Hiring a vCISO
Maximizing your cybersecurity ROI - Part 1

Hiring a full-time Chief Information Security Officer can be an arduous task. It can take a significant amount of time and money, both of which might be in short supply at your organization. This is why hiring a fractional CISO (virtual CISO) has become the go-to choice for small and medium-sized organizations. vCISOs are hired as consultants, so you only pay for the time that you need. Some sources say that vCISOs typically cost 1/3 of what a traditional CISO does to hire and employ full-time. This financial model makes engagement with vCISOs feasible for even small organizations.

This is great news, as cyber security is extremely important for companies of all sizes. Accenture’s Cybercrime study states that 43% of cyberattacks target small and mid-sized businesses and only 14% of these are adequately prepared to defend against these attacks. In addition, according to the US National Cyber Security Alliance, 60% of small businesses that are victims of data breaches go out of business within 6 months.

Another benefit to engaging with a vCISO is that they can provide a fresh perspective on your cybersecurity challenges and information security program planning. Furthermore, while it’s true that the vCISO must integrate well with the internal team, they are external consultants. This gives them the advantage of not having to participate in internal politics.

Optimizing your cyber security ROI

While the vCISO is technically an outsider, they must lead your information security team as if they were a part of your full-time staff. They need to be an integral part of your internal team and communicate well with both staff and the C-level. Ideally, the vCISO should have budgetary control and the authority to manage your team to implement and maintain your information security initiatives.

As you begin your search and interview process, here are some considerations that will help to ensure your vCISO hire will be successful. An effective hire will ensure that you reduce your organization’s cyber-risk in the shortest amount of time, while creating an information security program that is sustainable long after their engagement ends.

1. Communication skills – It is no accident that this is the first consideration when hiring a vCISO. Communication in this business is the linchpin of a successful engagement. The vCISO needs to be able to effectively communicate with the internal team so that no information is ambiguous or open-ended. Success is a function of the internal team’s ability to execute the plan exactly as designed. It is especially important that they use the same vernacular that your organization does and that this “language” seems familiar and supportive to the rest of the internal team. Equally important is effective communication with the C-Suite and Board. These people are very busy, so it is extremely important to have efficient and effective communication with them. These company leaders need to understand the bigger-picture implications of the pending security plans and how they will positively affect the company and reduce risk. They may not be fluent in the cyber lingo we use every day, so the vCISO needs to be able to speak and present plans, updates, and metrics in understandable terms and concise language.

2. Problem processing skills – When reviewing the websites of your candidate vCISOs and later during the interview process, try to get a feel for the types of problems that they have solved and the methods they followed to achieve these solutions. Being confident that the vCISO has solved complex, systemic problems in the past is a strong indication that they will be successful at solving the security challenges of your organization.

3. Relevant experience – A vCISO does not necessarily need to have worked for one of your competitors to be able to understand your business. However, it can help if they have had similar industry experiences or solved similar problems to the ones you have identified in your organization. It can help them get up to speed more quickly and ensure that the solutions they offer have been tested and proven in previous engagements.

4. Regulatory and technical tools knowledge – In this industry, there is no shortage of regulatory requirements and the need for compliance. ISO27001, HIPAA, CMS/MARS-E, and GDPR are just a few of the more prominent ones. An additional bonus that you will get by utilizing a vCISO is the breadth of knowledge they will have due to a history of engagements with a wide variety of companies and industries. They will also be current with the latest releases of each of these regulations and will have had experience with lesser-known requirements as well. Likewise, your vCISO should be fluent in the latest technical tools and software.

5. Personality – Finding the perfect vCISO can be like searching for a unicorn. How a person presents themselves and interacts with people can have a significant effect on establishing respect and building trust. Your vCISO needs to be approachable; their effectiveness depends on being viewed as part of the internal team. They also need to be a leader who builds confidence in the internal team. Your vCISO needs to be someone that your internal team wants to support because they believe in the vCISO’s ability to guide them effectively. All things being equal, people want to work for people they like and respect!

6. A track record of success – During the search and interview process, look for evidence of successful engagements. You can often find testimonials on their websites. These quotes can provide insight about what process was followed and the outcomes delivered. They can also shed light on how this particular vCISO might have provided higher-level outcomes than the client might have expected at the onset of the engagement. Also, take the time to have conversations with the candidate’s client references. Knowing that these references are “friendlies,” ask them tough questions, like how this vCISO handled tough situations. How did they behave in a crisis, or how did they recover from a situation that was delivering less than ideal results? Also find out their tangible metrics of success for what was promised and how they knew that the vCISO delivered measurable results.

Moving Forward

At this point you have determined that you don’t have the time, financial resources, or bandwidth to hire a full-time CISO. For you, a vCISO can be an excellent choice to provide leadership and oversight. Someone who can lead the charge to:

- Effectively assess cyber threats relative to company accepted risk levels
- Collaboratively design a plan to resolve these threats
- Implement your program while also training your internal staff to sustain the plan
- Measure, evaluate, and update the plan on a regular basis
- Provide communication and feedback at all levels throughout the process

Utilizing these six considerations will help ensure you have put your information security budget to good use and you have maximized your probability of success, resulting in the greatest return on your security investment.
- Security Counsel - A new breed of cybersecurity professionals
Security Counsel has been created as the next stage of evolution in fractional information security resourcing. We specialize in designing and building information security programs from the inside out. As part of this offering, Security Counsel can provide fractional FTE support, including vCISO services, bringing technical experience without the challenges and costs of hiring permanent leadership.

In recent years this concept of fractional information security resourcing, often in the form of a vCISO, has become very popular. This model can be much more cost effective than full-time staff, and it has solved the challenge of finding information security leadership for many small and mid-sized enterprises. Security Counsel is a little different, however. We are made up of several small, but well established, information security consulting firms and individuals. We come together to bring an extremely broad and deep level of experience into what we call the Provider Federation.

Breadth and Depth of Experience

For SMBs, it can be challenging to find a vCISO with just the right expertise and experiences for your particular set of challenges or in your specific industry segment. Utilizing a vCISO can tap into experiences gleaned from multiple and varied engagements; however, any single vCISO may not have the exact experiences that are specific to what your organization needs. Security Counsel has solved this resourcing problem by bringing together a consortium of small cyber security consulting firms and individuals into a cooperative that greatly expands the resource pool in terms of breadth and depth. Taking your resourcing to the next level by tapping into the Provider Federation can bring several different vCISOs into the mix, resulting in an even larger probability that we can provide the vCISO who is the best match for your organization. Additionally, they can bring a support staff of Deputy CISOs, Security Architects, Security Engineers, Security Analysts, and Technical Writers that will perfectly round out the team and provide the best solution for your organization's needs.

Advanced and Integrated Team Training

Another key area of value that you will receive when working with Security Counsel is our tireless dedication to internal team integration and training. Our philosophy of service is not to sweep in and take over your systems but to instead become an integral part of your team. This approach will prevent your internal team from feeling like outsiders, unable to contribute. Instead, we start every engagement by taking the time to understand your internal capabilities, strengths, and areas of contribution. Then, throughout the process, we take every opportunity to mentor and train your team, relying on them to become a perfectly meshed part of your newly designed and implemented information security system.

With Security Counsel, you are also engaging with a company that has created specific methods and training curricula that allow us to “grow our own” resources, training them to have the skills needed to support your team. More often than not, these newly trained graduates are permanently placed in your organization as new hires, being already capable of doing the work that your system requirements demand. Once onboarded, their training continues in real-world scenarios, in methods and processes that will result in your team being qualified and ready to support your security system long after our engagement ends.

Moving Forward

While it’s true that Security Counsel is a newly formed organization, our experience spans decades across numerous Provider Federation partner vCISOs who are standing by to lead you through your most challenging security issues. This same group will ensure that you have the right resources at the right time and that your internal team will be well equipped to keep your systems running smoothly over the long haul.