“Cybersecurity is ultimately a journey. It’s an effort to reduce risk, as it’s appropriate for the resources that I’m trying to protect,” says Andrew Hollister, CISO, LogRhythm. AI is a tool that will prove priceless, as with everywhere else it is used.
ITSecurityWire Bureau: What are the latest trends that are causing organizations to evolve their cybersecurity strategies?
Andrew Hollister: This is a perpetually interesting question. LogRhythm recently surveyed our customer base in our State of the Security Team report. We found three major trends that are causing organizations to examine their security strategy and evolve it across regulatory changes, new attack types, and AI. So, I’ll talk a little bit about each of those three and some of the factors that we see there.
AI is, of course, a buzzword at the moment. I see three elements here:
- There is the security of AI itself.
- There is security from AI.
- And there are threat actors using AI, and you’ve got security by AI vis-a-vis products that are actually leveraging various types of AI to deliver their service.
Ultimately, I guess what we’re most interested in here is security from AI. There have been a few interesting reports about this, but defenders are quite concerned about the threat from AI. I think we’re predominantly seeing it being leveraged in connection with phishing, improving phishing attacks and trying to make them more believable.
There’s a lot of scope for other areas, but the research I’ve seen indicates that, at this point, the defenders are probably ahead of the attackers in terms of how they leverage that technology.
We are also seeing big changes in the regulatory environment. To name a few, we’ve got NIST 2 coming up. The deadline for that is in October this year. You’ve got DORA, the Digital Operational Resiliency Act. Those two are on the EU side, and there is also a deadline coming up for that.
On the US side, we have the SEC cybersecurity reporting and literally dozens of others around the world.
I was, in fact, in a session recently where one of the presenters said they’re tracking multiple changes to the regulatory and compliance environment on a day-to-day basis. I didn’t realize it was at that scale.
So, as organizations try to grapple with all of those compliance requirements, they are really being driven to evolve their strategy to help them meet those compliance objectives.
The third area here is new attack types. I’m always a little bit on the fence about whether anything’s really new there. Our former CISO used to say what’s new is new, and what’s old is new. And we do see that a bit when it concerns cybersecurity and attack types.
I think the old thing that we’re seeing is new right now, particularly living off the land type attacks. So threat actors, certainly the more advanced ones, are beginning to look much more to leveraging the existing tooling that sits on the Windows endpoint or within the Linux deployment.
They leverage the existing tools to achieve their ultimate goals rather than developing their own malware and doing all the testing.
So, we are seeing threat actors tend to behave this way. According to our survey respondents, these three major areas are really driving organizations to evolve their cyber strategies today.
ITSecurityWire Bureau: Data breaches are becoming more deadly and more expensive. In addition to the current tools and policies that you adopted and follow, what extra efforts can CISOs put into staying a little safer?
Andrew Hollister: There is no such thing as 100% security. Organizations can perhaps strive for that and maybe buy a bit into the marketing hype—you buy this technology, and you will be secure. But cybersecurity is ultimately a journey. It’s an effort to reduce risk, as it’s appropriate to the resources that I’m trying to protect.
For CISOs and other security and business leaders, it is really important to focus on how they can reduce the risk of a damaging data breach.
It can be very tempting to add more of the latest technology. Various reports indicate that the average medium-sized enterprise might have upwards of 30 and perhaps as many as 50 cybersecurity tools in place. So, perhaps more isn’t necessarily better. I think this is really about focusing on the problem that you’re trying to solve and thinking about the specific risks.
As we look across the threat landscape and the data breaches that are happening, we need to ask, what are the specific risks in my environment, and what is it that I’m really trying to protect?
Ultimately, the IP behind my product is very valuable to me. So I think it’s very important that the cyber security leaders think about what they are really trying to solve here. What’s the biggest problem that they face?
They need to think about the tooling in particular. I think visibility is really an important key. You can deploy all kinds of preventative tools, but they don’t help if you don’t have visibility into what’s really going on within your environment.
So, I think one of the big areas of focus should be how much visibility I have in my assets. I should be clear on the activity that’s going on within that environment that I’m trying to protect because you can’t protect what you don’t see. And getting that level of visibility is, I think, really critical to a successful cybersecurity program.
ITSecurityWire Bureau: AI cuts both ways. Do you feel it can play a very positive role in better security? It certainly plays a very strong role in better attacks!
Andrew Hollister: AI is a very broad umbrella; it covers a wide variety of things. Cybersecurity has been leveraging AI in various ways, certainly in the form of ML, for a very long time already. And I think that’s certainly given additional insights and visibility. Think UEBA or NDR technologies! They’ve leveraged machine learning for many years if not more than a decade, in some cases.
So, AI as a general-level technology certainly has already played a significantly beneficial role in cyber security. The question that interests everybody today is, will generative AI take that to the next level? We have seen incredible growth in the capabilities and scope of what LLMs and those technologies can deliver for us. But I think we are very early in the development of generative AI.
When we think about threat detection, investigation, and response, we really need to ask, ‘Can generative AI give us meaningful improvements?’ This question relates to our TDIR activities vis-a-vis the core functions of the SOC.
So far, various kinds of chatbots have been used, but I think there’s a lot of opportunity as we develop our understanding of this space and there’s more innovation.
There is a lot of talk in the industry about SOC analyst burnout because of the repetitive tasks that they have to do. If we can offload some of those tasks, things like report writing, for example, trying to trawl through big, long threat reports, pull out the IOCs, and get to a meaningful summary of threat intelligence, these are some really good opportunities for generative AI to help.
ITSecurityWire Bureau: AI, as you said, responds differently to different stimuli. And it cannot be trusted to perform like a human being. So do you really see or do you really think that you’re going to lose jobs to a technology that is not fully reliable? Or do you think it’s going to evolve to reach there?
Andrew Hollister: GenAI is pretty good at tasks. I read a piece from Sam Altman, the CEO of OpenAI, recently, where he said GPT-4 is almost like a person, but it’s not really good at taking on a role. Can it do many tasks? Absolutely. I think when I think about this from a historical perspective, when we had spreadsheets in Excel. With Gen AI, we made them better. But they didn’t get rid of accountants, they made them more effective.
Similarly, when you think about carpenters, they have power tools at a particular point. It didn’t get rid of carpenters, but it made them much more efficient and able to do the work more quickly.
In the same way, if I can offload, let’s say, writing a report to GenAI, that’s actually a significant time saver for me. In terms of those individual tasks, it will help human beings be more efficient and work together with technology. It may not be accurate to see it as something that’s going to come along and directly replace a human being.
Also, over the past decades, as technology has developed, some particular types of jobs have disappeared. Sure, that’s true, but many other jobs that didn’t exist before are created by new technology. I have no doubt that’ll be the same in the case of generative AI. I don’t expect us all to retire in the next five years and leave it to the machines.
ITSecurityWire Bureau: Will smarter data privacy policies help enterprises stay safer, do you think? We’re talking about regulations and policy; you’re talking about the GDPR, the CCPA, and whatever else the government wants to regulate to protect.
Andrew Hollister: Thinking about a cyber security program for a minute, policy is really fundamental to everything that we do. It kind of gives us the framework for our security program. I guess that’s also what governments are trying to do. They’re trying to give guidelines and standards for how organizations approach security.
So, you know, I kind of think about it with this idea that a rising tide lifts all the ships, and we can discuss this all day long – the benefits and virtues of one compliance mandate or one regulation against another. But ultimately, if we can help organizations lift their security programs to a more mature level, that actually helps everyone.
Back to your comment about risk earlier, if I’ve got a mature cybersecurity program, but half of my suppliers have something that’s really immature, that actually indicates a risk to me. So, I think those policies and compliance frameworks lift everyone.
It definitely is a benefit. But ultimately, it’s only going to be as good as the kind of process and the people that actually implement that policy or that regulation. And we have this saying it’s ‘people, process and technology’. You know, it’s ‘people, process, and policy’ in this case.
You can have the best policy in the world, but if people aren’t bought into it and they don’t follow it, it’s not really very much help. I feel like that’s an area where there’s probably more progress to be made. The policy really needs to align and resonate with what the organization and the business are trying to achieve. At the organizational level, when we think about policy development, it’s about connecting the people in the organization to what the policy is trying to achieve. It’s about the outcomes that the business has to focus on that are really key in order to make kind of smart or useful policies.
ITSecurityWire Bureau: Do you think that all business leaders should take security seriously, not just the IT leader, not just the CISO - everyone and people who are heading marketing or, you know, supply chain or whatever business processes that your security should be top of the mind for everybody you think or is it just your responsibility?
Andrew Hollister: Absolutely. I think it should be everybody’s responsibility. Certainly, when I first came into cyber security, it was a subset of IT - a technical issue. I think as time passes, more and more organizations have realized that’s actually not the case. It is de facto a business issue, and pretty well, every business today is a digital business in some form or another.
You really can’t avoid being a digital business. So, this idea that cybersecurity is just a technical discipline that belongs somewhere in the IT department or wherever, I don’t think is really relevant in the era that we’re now in.
I think many people perhaps focus a bit too much on the reporting lines, where the cybersecurity leadership sits, and so on and so forth.
I think it’s about recognition from the board level and down that cyber security is a business issue. It should be treated like any other business risk and addressed as any other business risk. And today, it’s become so significant that, ultimately, you can’t push it off into a corner.
In the survey, I mentioned the state of the cybersecurity team; I think 78% of those in that survey said that the CEO and/or the cybersecurity leader should be responsible for cybersecurity. And I think that’s really grown over time. It’s now kind of a joint responsibility and joint perspective.
I think the other interesting thing is we are seeing a trend of organizations allocating more resources and cybersecurity teams feeling like I do have sufficient resources. I do have a backup from senior management. Indeed, we saw almost 50% of execs saying they have either a daily or weekly meeting where they cover cyber security as a subject. So, I think a fairly significant transition has already taken place.
I suspect it’s somewhat differentiated depending on the industry you work in. But certainly, as this area has matured and we look at cybersecurity more as a risk to be managed, I think we’ll certainly see more senior leaders and boards owning that cybersecurity responsibility in a more fulsome way than we’ve seen before.
Today, we stand at a really exciting point in cyber security. I think there’s a lot of innovation going on, and we’re seeing a lot of changes in technology. I think that’s the reason why many of us in this space are technologists at heart. Ultimately, what we want to do is enable organizations to use technology with as little risk as possible attached to it. That’s what keeps the interest going and keeps the focus on cybersecurity as a discipline.