Joe Sullivan, spared prison time, weighs in on the lessons learned from the 2016 Uber breach and the import of the SolarWinds CISO case.

Source: MOZCO Mateusz Szymanski via Shutterstock

Joe Sullivan arrived at his sentencing hearing on May 4 this year, prepared to go to jail had the judge not gone with a parole board's recommendation of probation. A federal jury convicted the former Uber CISO months earlier on two charges of fraud for failing to alert regulators of a 2016 cybersecurity breach, but Sullivan was spared having to serve any prison time.

Instead, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation, 200 hours of community service, and a $50,000 fine. Prosecutors were seeking 15 months of prison time for the charges alleged by the Federal Trade Commission (FTC) that Sullivan failed to report the breach that affected more than 50 million records for customers and Uber drivers.

"I went to my sentencing hearing fully prepared to go to jail with a specific penitentiary area that we were going to request," Sullivan tells Dark Reading. "I had to research all the different federal facilities and figure out which one would be the one that my family would be able to most visit and that I would be the safest. And I had to think about who would take care of my kids and who would pay my bills on my house and manage everything else."

**Joe Sullivan, Post-Uber Breach**

Now that the matter has been decided, Sullivan is free to speak out, and he plans to share his story in a keynote address at Black Hat Europe 2023 on Dec. 7. Sullivan says biting his tongue for over six years wasn't easy. "My lawyers wouldn't let me say a word," Sullivan laments.

"If somebody labels what you're doing a coverup, it's really easy for people to buy into that idea," he says. "For six years, I had to listen to and see my name in the media saying things about me that I knew weren't true. And my kids had to be subjected to everybody they know asking them what they saw about their dad on the news."

In getting the minimum sentence, Sullivan says he was vindicated. "The judge said we did an amazing job on the investigation," he says. "We followed our playbook. What people don't understand is the company had D&O \[directors and officers\] insurance policies. We had a data-breach response policy that designated a specific lawyer we were supposed to call. The team called in that lawyer and called in PR. I looped in the CEO and kept him up-to-date."

**Transparency Is the Most Significant Lesson**

Sullivan says the key mistake he made was not bringing in third-party investigators and counsel to review how his team handled the breach. "The thing we didn't do was insist that we bring in a third party to validate all of the decisions that were made," he says. "I hate to say it, but it's more CYA."

Now, Sullivan advises other CISOs and companies about navigating their responsibilities in disclosing breaches, especially as the new Securities & Exchange Commission (SEC) incident reporting requirements are set to take effect. Sullivan says he welcomes the new regulations. "I think anything that pushes towards more transparency is a good thing," he says. He recalls that when he was on former President Barack Obama's Commission on Enhancing National Cybersecurity, Sullivan was pushing to give companies immunity if they are transparent early on during security incidents.

That hasn't happened until now, according to Sullivan, who says the jury is still out on the new regulations, which will require action starting in December.

"Right now, too many companies think it's not in their best interest to be transparent," Sullivan says. "I think the SEC is trying to change the incentives through sticks rather than carrots. But that's the tool that they have, which is better than nothing."

**SolarWinds Sends Mixed Signals from the SEC**

Meanwhile, the SEC is signaling a zero-tolerance focus when it comes to data beach mishandling, with its recent charge of fraud in the US District Court in the Southern District of New York against SolarWinds Corp. and its CISO Tim Brown, regarding the software supply chain attack on the company's Orion platform in October 2020.

But Sullivan says the SEC's decision to charge SolarWinds and Brown contradicts the agency's approach in rolling out its new disclosure rules just months earlier.

"On the one hand, they are engaged with the community and have set some new expectations, which I think is great because they're trying to set some rules for the road, and they got feedback from the public," Sullivan says. "But if you look at the Solar Winds and Tim Brown enforcement action, you see a very different approach, which is not so collaborative, and a lot of commentators have suggested that maybe they don't seem to fully understand what life is really like doing security inside of a corporation."

It's too early to predict how the case will play out since only the parties involved know what evidence will be presented, Sullivan says. But based on the SEC's charges, he sees similarities to his own situation.

"The government, the FTC in my case, felt that my company wasn't sufficiently transparent, and they sought to hold me personally accountable for that, even though it wasn't my job to be the communicator of our security posture or answer any of their questions," Sullivan says. "In fact, I hadn't seen a lot of the documents. And so, their case was about me being held personally responsible for the company's approach to communication. Tim Brown's case is the exact same thing."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Former Uber CISO Speaks Out, After 6 Years, on Data Breach, SolarWinds

As industries around the world act to mitigate the increase in cyber threats, the aviation sector should be leading the cybersecurity uprising, explains William "Hutch" Hutchison, CEO of SimSpace.

Source: Allen Creative/Steve Allen via Alamy Stock Photo

COMMENTARY

Over the last three years, the global aviation industry has been left reeling by a post-pandemic sucker punch that hit the sector with over $185 billion in losses. Once a bastion of American prosperity, airlines were forced into survival mode, cutting staff from their workforce and flights from their schedules.

Capital preservation was the default setting for boards across the country, but as the sector emerges from economic instability, CEOs and CISOs want to know where to invest to ensure long-term growth. The North Star of success in aviation continues to be the safety of passengers, systems, and the data they house. For decades, this safety was only challenged by spilled coffee, crosswinds, and external market forces.

The cybersecurity of airlines and manufacturers has opened a new domain of safety crucial for the continuity of flight systems, servers, and communication equipment. Security has become an integral component of an economic powerhouse that has contributed to American transportation, trade, and commerce for over 100 years.

To ensure the security of the industry for the next century, protecting critical infrastructure from increasingly complex and frequent cyberattacks should be the No. 1 priority for large organizations across the US. The new litmus test for investors and insurers will be how prepared airlines and manufacturers are for the potentially debilitating consequences of a cyberattack.

**The Rising Tide of Accountability**

Of all cyberattacks against the aviation industry in 2021, 55% resulted in financial loss, and over one-third resulted in the leaking or theft of personal data. The improving success rate of hackers compelled them to go bigger and better, as the average ransomware demand skyrocketed to $2.2m in 2022, although payouts often were less.  Ransomware responses continue to evolve as regulations tighten.

In light of this, regulatory bodies and lawmakers have sounded the alarm, placing a spotlight on securing systems and networks against rising threats. In March 2023, the Transportation Security Administration (TSA) issued an "emergency amendment" to airports and aircraft operators' security programs. The amendment mandates TSA-regulated entities develop implementation plans to improve their cybersecurity resilience, aiming to prevent disruption and degradation to their infrastructure.

At the same time, the US government's new National Cybersecurity Strategy this year has reinforced the necessity of defending critical infrastructure by shifting responsibility from individuals to large organizations. This coordinated governmental strategy has, in part, been a response to the abundance of attacks against targets in the aviation sector. Canadian low-cost airline SunWing faced four days of flight delays last year after third-party software systems breached the check-in process. Indian carrier SpiceJet was also hit by a ransomware attack that left hundreds stranded at airports nationwide, showing that these events are occurring in all corners of the world.

The International Air Transportation Association (IATA) is the foremost authority of global aviation best practice. They made the responsibility of civil aviation cybersecurity clear, stating that "people, processes, and technology" (PDF) are the three main components dependent upon each other to create a unified cyber strategy. We are in an age where nation-state tactics and techniques are accelerating beyond the ability of the commercial sector to defend themselves. However, traditional General Data Protection Regulation (GDPR) approaches to assessing and reducing cyber-risk have simply become obsolete.

If pilots navigated planes only using their knowledge of flight controls, this would not prepare them for the demands of neutralizing an engine failure at 30,000 feet. This is why they test and train their skill set in simulators designed to mimic real-world scenarios, so their knowledge and reactions are robustly exercised for maximum performance. The next generation of cybersecurity is now taking this concept and applying it to the defense of critical assets in the aviation industry.

**One Small Step for Tech, One Giant Leap for Cybersecurity**

Cyber-ranges are the government-grade flight simulators of cybersecurity. By battle-testing defenses in real-world conditions, airlines' IT and OT environments can experience the equivalent of three years' worth of attacks in just 24 hours. However, many airlines use data collection and storage software seen in most industries, making lateral movement through networks relatively straightforward.

Decision-makers in the halls of aviation titans around the country are now deciding how to implement precautions to secure these systems and bolster their company's investment strategy for the next stage of growth. Prioritizing government-grade cybersecurity can help them refine their incident response plans, train employees, and comply with the latest groundswell of regulation. By implementing a "train to failure" mindset, companies can test their defenses against phishing, DDoS attacks and data-breach techniques that contribute to around two-thirds of all cyber threats in the industry today.

If an aviation organization loses less than 1% of its customers as a result of a data breach, millions of dollars in revenue could be lost. Carriers and manufacturers need the data and insight into their IT and OT environments to see what is working, and what isn't.

By implementing a proactive approach to cybersecurity, effective mitigation of threats can be achieved, reducing the dwell time of attackers. By removing the "unknown unknowns" of cyber threats, businesses can achieve the maximum levels of protection needed to keep their company safe.

**About the Author(s)**

CEO & Co-Founder, SimSpace

William "Hutch" Hutchison is the CEO and Co-Founder of SimSpace. He had extensive experience working in the NSA as a senior officer with US Cyber Command. US Cyber Command and the National Security Agency (NSA) are the premier organizations of the US Department of Defense and Intelligence Community, responsible for conducting military and intelligence operations in the cyber domain. Hutch was appointed through presidential order to create a team focused on defending US national infrastructure against state cyberthreats. In 2015 Hutch started the cyber readiness platform to deliver military-grade cybersecurity protection against advanced cyber threats for governments and organisations worldwide.

As a former F-15 fighter pilot, Hutch went on to lead cyber exercises at the US Cyber Command, and created numerous Department of Defense (DoD) cybersecurity training, testing and assessment programs. Hutch helped create a "Special Forces" approach to testing cyber defense teams and continues to serve as the Test Director for cyber operational assessments at the DoD.

At SimSpace, Hutch spearheaded multiple deployments in financial and other commercial sectors. Hutch holds a Bachelor’s degree from Duke University, a Master’s degree in aerospace engineering from University of Texas at Austin, and a master's degree from the MIT Sloan School of Management.

Fight or Flight: How to Keep Cyberattacks From Taking Off

Online shopping websites often lack basic security protections when it comes to PII, allowing malicious actors to capitalize on consumer data or perpetuate retail and hospitality scams.

Source: Valentin Valkov via Alamy Stock Photo

The post-Thanksgiving e-commerce shopping event known as Cyber Monday draws millions of consumers each year seeking out bargains online — to the tune of $11 billion in 2022.

However, amid the purchasing spree, consumers routinely share sensitive personally identifiable information (PII) on e-commerce platforms, including credit card details and addresses, and a recent survey by CyCognito explores the question of whether these sites prioritize security and compliance.

The report unveiled concerning insights on the risk of compromised PII, of which many remain unaware – and discovered substantial pitfalls in the security landscape of Cyber Monday e-commerce platforms.

Even though more than half (52%) of e-commerce Web apps exist in the cloud, the research indicated they aren't immune to security vulnerabilities.

The study revealed 2% HTTPS, the the secure version of HTTP and a protocol for secure data transmission. This poses a risk to around 520,000 of the estimated 26 million global e-commerce stores.

Researchers discovered more than a quarter (28%) of these platforms operate without a Web application firewall (WAF), and nearly one in four (24%) e-commerce Web apps that collect PII are missing a WAF.

Additionally, nearly six in ten (58%) e-commerce Web apps collect user PII, raising concerns about data handling. Equally worrisome is that 78% of these platforms don't seek user consent for cookies, a compliance red flag.

The array of security issues doesn't stop there, with 13% of ecommerce Web apps throwing up certificate validity issues, and just under half (48%) of platforms have one or more cryptographic vulnerabilities.

The report also found that 2% of ecommerce Web apps carry critical security issues, half of which involve PII, and more than three quarters (76%) of these critical issues are easily exploitable.

Rounding out the research findings was the discovery that 7% of all e-commerce Web apps monitored had at least one issue from the OWASP Top Ten list, a commonly used awareness document for developers and Web application security.

**Threats Rise As Holiday Shopping Season Kicks Off**

On the individual shopper front, it's worth a reminder that Holiday spending perennially catches the eye of threat actors, who exploit consumer behaviors and prey on the surge of online payments and digital activities during the holidays.

This has risks for organizations, too: Companies continually battle credential harvesting, phishing, bots, and various malware variants, with a recent Malwarebytes Labs report warning of a 50% uptick in credit card skimming in 2023 — and that's only set to get worse during the holiday shopping season.

Vandan Pathak, senior application security consultant at Optiv, says scammers are going to activate their plexus network of techniques to entice victims with fake promotions.

"Individuals are highly advised not to entertain any messages or calls they receive which offer them direct holiday discounts," he says. "In the past, we have seen individuals fall for these traps frequently and the number is going to increase during the holiday season."

He notes that individuals must be aware of scammers and fake gift card offers — often, these "offers" come with the light lift of filling out a survey.

"Only, the survey is fake, and the sole result is your personal information is now in the hands of a bad actor," he explains. "These have historically been quite successful tactics during the holiday months."

He adds security front liners, such as network security engineers or analysts, should be attentive to upticks in unusual activity in company environments.

"Attacks on organizations during this time of the year are successful often due to teams' guards being down," Pathak cautions.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Cyber Monday Kicks Off Holiday Shopping Season With E-Commerce Security Risks

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Someone always has to take the fall. Pity the poor CISO? Come up with a clever cybersecurity-related caption to describe the scene, above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Dec. 13, 2023, deadline:

*   Via social media: X (formerly known as Twitter), Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

Last Month's Winner

Dave Brassey for the win! The manager of privacy, security and risk assurance at Australia-based software company Family Zone Cyber Safety scored himself an Amazon gift card for his caption to accompany October's "Modern Monarchy" contest:

Thank you to all who participated. Keep on trying!

**About the Author(s)**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Slam Dunk

A determination to be taken seriously as a cyber player sees the United Arab Emirates announce a series of collaborations.

The United Arab Emirates' Cybersecurity Council has agreed to a number of partnerships to better improve its threat intelligence sharing capabilities, including forging ahead with collaborations with other nations.

Following a spate of recent cybersecurity conferences, the UAE has signed a series of memorandums of understanding (MoUs) to better improve the state of cybersecurity within the country, including with the US Treasury Department. 

The MoU with the US is an agreement to share information on threats and incidents affecting the financial services industry. This should be particularly relevant when considering that the UAE has been given an AA- rating with a "stable outlook" for its banking sector.

The country also signed a MoU with Morocco, where the two states will set up a joint committee to plan and oversee the implementation of capabilities to respond to cyberattacks (details on specific points of the agreement are not available), and also with Chad, where the two countries have pledged international cooperation on cyber matters. The outreach to Africa is notable given that cybersecurity centers are rapidly being opened across the continent — Morocco's opened last year following directives that were written in the last decade.

**A UAE Cyber Vision for the Next Few Decades**

Mohamed Hamad Al Kuwaiti, head of cybersecurity for the UAE government, told local media that these partnerships are part of a vision of establishing an advanced digital infrastructure to prepare for the next half century.

And indeed, this comes at an opportune time for the UAE, as its overall cybersecurity posture has been improving over the past few years. It ranked fifth in the most recent Global Cybersecurity Index, jumping 33 places from its previous placing, following the opening of its Cybersecurity Council in 2020.

"This allows the parties involved to see the issue of cyber defense from different points of view, and will certainly aid in a better and more well-rounded security posture for all involved, not just the UAE," says Andi Ursry, cyber-threat intelligence analyst at Optiv.

**UAE's Business Agreements on Cybersecurity Readiness**

On top of the national agreements, the UAE also signed MoUs with several cybersecurity vendors. With Kaspersky, for instance, the UAE will collaborate to share information on identifying, investigating, and responding to evolving cyber threats, and exchange expertise on the latest malware trends, indicators of compromise, and security risks faced by the economic sectors of the country.

And with Microsoft, the UAE will cooperate and conduct information exchanges in cybersecurity related fields, with particular attention paid to national cooperation, deterrence, prevention, and responses to cyberattacks. The two parties will also work together to promote awareness-building through educational programs, as well as exploring business and economic exchanges for cybersecurity, they said.

Al Kuwaiti commented that the UAE's ICT industry has opened new "windows of opportunity" but added that the nation is also vulnerable to new and sophisticated types of security risks, which are dynamic and evolving in nature. As a result, these MoUs are forged with partners "with the essential expertise and tools to eliminate information security incidents."

The UAE Cybersecurity Council's actions in the past few weeks show clear ambitions for the country to be more global in its cyber capabilities, says Vibin Shaju, UAE general manager at Trellix. 

"MOUs and public-private partnerships can encompass information sharing, collaborative incident response, regulatory compliance, public awareness and education, collaborative exercises and drills," he notes. "Such collaboration is critical for addressing the dynamic and evolving nature of cybersecurity threats."

UAE Bolsters Cyber Future With US Treasury Partnership, Collaborations

From communicating why security should be a priority to advocating for accountability and greater focus on protecting data in the cloud, CISOs can make the case for keeping people and sensitive data secure.

According to a new study (subscription required), only 12% of S&P 500 companies have board directors with relevant cyber credentials, showing a major gap in the expertise needed to keep organizations secure.

As most organizations shift to digital and cloud-first strategies, businesses of all shapes and sizes must protect their assets. Similar to the Sarbanes-Oxley (SOX) Act of 2002 — which requires corporations to adhere to certain practices in financial record keeping and reporting — the SEC implemented federal compliance for cybersecurity in July. Companies had to begin complying by Sept. 5. These regulations require businesses to provide annual cybersecurity risk management, strategy, governance disclosures, and disclosure of any cybersecurity incidents. Although security has been a board-level conversation for some time, CISOs will be the ultimate source for ensuring best security practices are being followed.

**Closing Board Gaps**

Unfortunately, there's a considerable gap between security leaders and the board directors responsible for managing businesses. A recent Harvard Business Review survey of 600 boardrooms revealed just 47% regularly interact with their company's CISO. That's a severe knowledge gap for a company's security and business leaders. It's high time we started looking at CISOs as critical assets for every company's board to fix this problem. After all, security failures can crush more than just a company's reputation; they can also tank stock prices.

Yet according to research from the CAP Group, among Fortune 100 companies, just 51% have directors with relevant cybersecurity experience. The situation is even more alarming in the Fortune 500, where only 9% of boards have directors with a strong understanding of cybersecurity. This problem extends to companies in the Russell 3000, where just 8% have directors with cybersecurity expertise.

Introducing CISOs to the boardroom is not just about compliance or avoiding enforcement from the SEC; it's also about ensuring transparency and accountability. CISOs are already building security programs from the ground up. They provide business compliance, hire the right people, and find the right technology to supplement their team's efforts. Security posture is critical to an enterprise's future success, and having a CISO on the board that speaks the language can help a board understand if their business is making suitable security investments.

**Increased Stakes in a Cloud Era**

Of course, the cloud unlocks huge advantages — notably, the ability to innovate faster — but also creates new security challenges. The cloud has an exploding risk surface area and a 1,000x rate of change, which means most of an organization's code is created upstream and is often open source, not to mention developers define containers, workloads, networks — everything — as code.

Given how rapidly the current threat landscape shifts, every organization would benefit from the CISO having a boardroom seat. Not only are revenue and profitability directly impacted by a company's digital business, but these corporations are trusted by millions of individuals to use their data appropriately and securely. When assets are at risk of attack, so is the company's ability to thrive. Introducing a CISO to the boardroom helps assuage fears of security threats, as the CISO can effectively communicate risks and keep them out of the shadows of how security impacts business.

But as CISOs enter the boardroom conversation, they also undergo the expectation from CEOs and board members to drive the probability of intrusions, data exfiltration, ransomware, and other attacks, to effectively zero. Many individuals outside of security don't understand that this task is essentially impossible, and it's up to the CISO to communicate that to the board while still assuring them their assets are well-protected by the organization's security practice and team.

**Being More Than a Technical Expert**

At the board level, CISOs ensure compliance with appropriate regulations and standards while driving business growth. These regulations shouldn't be seen as profitability roadblocks but opportunities for CISOs to communicate why security should be a priority and not an afterthought. The increased scrutiny of today's economic environment and the new rules set by the SEC open a door for security leaders to decrease complexity, raise awareness, and solidify engagement with security efforts across the company.

But aligning an entire organization on security is challenging since most employees don't have technical expertise. When proposing a security strategy to a room full of nontechnical folks, there's the possibility that the audience will leave with more questions than answers. That's why CISOs are prioritizing soft skills. The CISO's sole responsibility is addressing security threats and vulnerabilities and getting people to buy into processes and best practices. CISOs' roles are complex and nuanced and need to be treated as such. Their presence in the boardroom would bring greater task efficiency, focus, and accountability.

CISOs are indispensable when it comes to establishing a modern security posture. As the SEC tightens its reins on security and more business leaders understand the business implications of a secure cloud environment, we can expect to see more CISOs join the boardroom to spearhead a change we need to see for a greater focus on protecting the cloud and the data that lives within it. And while the responsibilities of the CISO are changing, one thing remains the same: Keeping people and sensitive data safe and secure is always the No.1 priority.

That's something every board of directors can benefit from.

What the Boardroom Is Missing: CISOs

With the rapid advancement and adoption of artificial intelligence (AI) in cybersecurity, the benefits of speed and accuracy are becoming clearer every day.

In their 1955 proposal for a summer research project on artificial intelligence (AI), researchers at Dartmouth Conference predicted "…every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it." In the decades that followed, AI research continued at what seemed a glacial pace, always promising a breakthrough in the near future — until language tools like ChatGPT finally exploded on the scene.

As we find our footing with AI today, it's clear that we're facing risks as well as benefits. A recent survey of 1,500 IT professionals showed that nearly half (49%) of decision-makers are concerned the new tools will help cybercriminals, but a full 82% said they plan to integrate AI into their security programs over the next two years.

**AI Is the Hero to Embrace, Not the Villain to Defeat**

Rapid advancements in AI since the 1950s set the stage for growth — with no signs of slowing. The global market for AI-based security tools is expected to reach $133 billion by 2030 with more integration and use in daily DevSecOps workflows. As the industry incorporates AI and machine learning (ML) into more processes, we're seeing more and more opportunities to engage AI as a force for good, including the following.

**Faster and More Accurate Configuration for Security Tools**

To be effective, most security technologies today require a lot of manual fine-tuning, often through sophisticated parameter tweaks. Depending on the tool, these can affect what incidents are reported, what vulnerabilities a tool finds, or how issue priorities are determined. All these manual tweaks are time-consuming and can leave you exposed to threats until the right configurations are in place.

That's where machine learning comes to the rescue. In this case, ML can continually optimize parameters, for instance by prioritizing items in a scanning queue to ensure operations run as efficiently as possible. Once they automate these configuration tasks, future cybersecurity teams will spend far less time on tedious manual work.

**Improved Risk Scoring and Threat Intelligence**

Modern scanning tools typically provide a risk assessment once a scan is complete. This shows the various levels of security protection and potential risk across your applications, websites, and networks for a better view of your threat exposure. Different tools will factor in different data, such as the technical severity of vulnerabilities, their potential exploitability, their impact on business if exploited, and their importance for your overall security posture.

While useful, these assessments don't always provide deeper context or guidance, which are necessary for security to keep up with fast-paced software development. In the coming years, security tools will extensively use machine learning for evaluating risk and managing threats. As machine-generated results continue to improve in scope and quality, they will support more accurate, data-based decision making by showing which issues are actionable and in what order they should be addressed to minimize risk.

**Putting a Sharper Edge on Security Testing**

As ChatGPT and similar tools powered by large language models (LLMs) are refined and continue to gain popularity, we can expect easier access to ever more accurate insights. By encouraging engineers and developers to safely use AI and ML in their work, these machine-driven solutions should also provide better and more useful insights over time — even more so when accurate security guidance is included in the mix.

When it comes to security testing, training AI/ML tools to become sharper will further help with fine-tuning static application security testing (SAST) and dynamic application security testing (DAST) tools. Ultimately that means increasing control and precision for scan results, providing reliable intelligence into current and future risks, and improving the efficacy of vulnerability hunting.

**Fewer False Positives for Less Manual Verification**

False positives are a persistent challenge for security and one that frequently translates into hours of manual work checking scan results. As teams spend valuable time verifying reports that should already be as accurate as possible, they can lose confidence in security tools and processes. Fortunately, a recent study by IBM showed that AI can reduce false positives by 65%, freeing resources for activities that add business value.

As the technology progresses, business and operational leaders will have the reliable data they need to confidently make decisions based on accurate AI/ML results. These outputs will harness the power of learning systems to deliver clear and actionable vulnerability reports, allowing DevSecOps teams to focus on what matters most: building and delivering innovative applications.

**Winning the Race to AI Supremacy in Security**

From threat identification to tool configuration, we're already seeing tangible impacts of AI in cybersecurity. Where researchers at the Dartmouth Conference nearly 70 years ago were only speculating, cybersecurity professionals today should look for far more tangible opportunities to incorporate AI and ML into their operations and strategies. If we can realize the potential of existing and emerging tools to continuously improve cybersecurity, AI can truly be one of the good guys.

**About the Author**

    

Frank Catucci is a global application security technical leader with over 20 years of experience designing scalable application security-specific architecture, partnering with cross-functional engineering and product teams. Frank is a past OWASP chapter president and contributor to the OWASP bug bounty initiative and most recently was the Head of Application & Product Security at Data Robot. Prior to that role, Frank was the Sr. Director of Application Security & DevSecOps and Security Researcher at Gartner, and was also the Director of Application Security for Qualys. Outside of work and hacking things, Frank and his wife maintain a family farm. He is an avid outdoors fan and loves all types of fishing, boating, watersports, hiking, camping, and especially dirt bikes and motorcycles.

Getting Smart With Cybersecurity: AI Can Help the Good Guys, Too

CISOs offer recommendations to help secure identities, data, code, and cloud infrastructure and protect against evolving threats and vulnerabilities.

The COVID-19 pandemic ignited an unprecedented wave of remote work adoption, forcing organizations to rapidly embrace remote collaboration tools. However, the transition to remote work came with its own set of challenges, especially in ensuring robust security measures for remote access. Today, CISOs face a new frontier — a borderless enterprise landscape — where they must forge a strong security posture to protect their organizations from evolving threats and vulnerabilities.

To better understand these demands, Cisco partnered with Forgepoint Capital, NightDragon, and Team8 to evaluate the evolving threat landscape and gather invaluable insights and takeaways that chief information security officers (CISOs) can leverage to prepare for the future. Together, we created the 2023 CISO Survival Guide, a simple framework for understanding how teams can secure modern enterprises by defining the security posture of identities, data, and code that are distributed across a hybrid infrastructure.

**Identity**

Identity management is a critical concern for CISOs, as the lack of a unified platform across identity access management (IAM), identity governance and administration (IGA), and privileged access management (PAM) leads to a fragmented identity topology within organizations. CISOs express the need for technology startups to address this pain point by offering solutions that are easier to deploy, provide comprehensive coverage, and offer rich integrations.

**Data**

CISOs are no longer tasked with security alone. They are also now responsible for securely enabling overall collaboration and business operations. This means they must balance data protection and use. To do this, CISOs are breaking data down into four key categories:

*   **Data collaboration:** Being able to locate and apply data governance controls on distributed data.
*   **Data reliability:** Making sure data is accurate and useable.
*   **Data privacy management:** Applying governance, risk, and compliance controls to adhere to data privacy regulations and enable analytics on sensitive data.
*   **Data protection:** Finding, categorizing, and remediating access so that all data serves its intended purpose.

**Code**

As agile DevOps creates a more rapid software development life cycle, enterprise security will only be as strong as its weakest link: the software supply chain. To give an idea of how big a deal this is, 70% of CISOs surveyed say they are prioritizing securing the software supply chain. To do this, CISOs will need full visibility into the development pipeline so that they can adopt a holistic strategy, which includes open source governance, delivery pipeline management, and an understanding of risk in third-party software.

Third-party software is its own issue. It supports quick innovation while operating a distributed workforce, but it can be a black box for CISOs looking to secure their enterprise. Third parties should be held to the same security standards as the rest of the enterprise.

**Infrastructure**

If it is connected, it needs to be secured, even if you can't see it. This is the cloud. By 2025 more than 85% of enterprises are expected to embrace a cloud-first approach. That means cloud security must be near the top of any CISO's priorities because attackers are shifting to the cloud just as quickly as enterprises. There are many tools out there that let enterprises address data challenges related to the cloud, but they don't necessarily go far enough to help CISOs discover the who, what, and where in the event of a data breach.

**CISO Survival Guide**

There is a lot that CISOs must do to stay ahead of these constantly evolving cybersecurity threats. Thankfully, emerging technology startups are providing fresh solutions to help CISOs stay one step ahead of the game in securing their enterprises. Defining security postures of the identities, data, and code distributed across a hybrid infrastructure is just one part to having a secured network that can protect data with a distributed workforce.

For more information, with an in-depth look at survey results as well as insights and analysis from CISOs, read the 2023 CISO Survival Guide from Cisco.

**About the Author**

    

Janey Hoe is a Vice President of Cisco Investments. Previously, she held multiple product management, technical marketing, and business development leadership roles at Cisco, operating multi-billion-dollar product lines as well as pioneering new products in switching, security, data center, and video collaboration. Along with her team, she was recognized as a finalist for the Pioneer Award, the highest honor for innovation at Cisco.

Securing Modern Enterprises in a Borderless Landscape

The CISO role has evolved from a strictly technical position to one that increasingly requires business acumen. Here are some things you need to know.

What types of skills do CISOs need now? As senior vice president and chief information security officer (CISO) of one of the world's most trusted cybersecurity software and services companies, it's literally my job to know.

My responsibilities include protecting and enabling business development at a global organization that wears a big target on its back. We are also "customer zero" at a company that believes deeply in the need to "drink its own champagne." That means we base our cyber defenses on our own internally developed products to the greatest extent possible.

In addition, we're a managed security service provider (MSSP) through our CylanceGUARD managed detection and response (MDR) subscription service, and many of our channel partners are also MSSPs, all using BlackBerry Cylance artificial intelligence (AI)-based products to protect external organizations.

The ultimate decision-maker for purchasing and deploying our portfolio of cyber products is often the CISO of an organization. For all these reasons and more, I spend a fair amount of time talking to fellow CISOs and comparing notes on what keeps us up at night and what success looks like for a modern CISO.

Over two decades of cybersecurity and technology experience across a wide range of industries and organizations have helped me grow as a leader and afforded me many opportunities to "give back" by sharing hard-won knowledge with other cybersecurity professionals. I have watched the CISO role evolve from a strictly technical position to one that increasingly requires business ability and acumen.

Today's CISOs must be able to effectively evaluate both risk and opportunity. They must be able to formulate and execute strategies to strike a healthy balance between these two competing factors and communicate those solutions to senior leadership.

**What Future CISOs Need to Know**

If you are already a CISO, you are well aware of the way this role has pivoted. But what if you are a cybersecurity professional aspiring to reach a CISO role? What kind of mindset and skills should you cultivate? Here are a few to consider.

*   **CISOs must be critical thinkers:** In our digitized world, CISOs play a pivotal role beyond the technical aspects by engaging in strategic business discussions. Their input should be integral to organizational decision-making, requiring a balance of technical and business acumen.
*   **CISOs must be educators:** With increasing reliance on CISO insights for business decisions, they must educate boards and decision-makers and often report directly to CEOs. Staying updated on industry trends and aligning decisions with current risks is essential.
*   **CISOs must value different perspectives:** Effective CISOs benefit from diverse security perspectives gained through experiences in various industries and roles. A broad background spanning different functions equips them to excel in their roles.
*   **CISOs are cybersecurity evangelists:** As cybersecurity leaders, CISOs promote a multi-layered defense strategy, encompassing both technological advancements and workforce awareness. They ensure that end users are informed about risks and contribute as an additional layer of defense.

**Final Advice for All Information Security Professionals**

As you build and mature your program using multi-layered defenses, always bear in mind that _cyber risk can only be managed, never eliminated_. For today's CISOs and those of the future, cyber-risk is another type of business risk every organization will continually face.

In an interview earlier this year, I shared what I think are the top cyber-risk challenges facing CISOs.

I hope these perspectives will help you on your CISO journey, no matter which stage of your career you are in.

**About the Author**

    

Arvind Raman is a Senior Vice President and BlackBerry's Chief Information Security Officer. In this role, he leads all aspects of the company's information security, product security, and GRC program globally, focusing on effective management of cybersecurity risks, policies, and procedures.

Arvind brings over 20 years of information security, technology, R&D experience, and leadership to BlackBerry. Arvind's previous experience includes serving as the Global CISO at Mitel, Global Head Information Security for Scotia Bank, and Director of Cyber & Data Security for CIBC.

CISO Skills in a Changing Security Market: Are You Prepared?

Try these tricks for devising an education program that gets employees invested — and stays with them after the training is over.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading