ISMG Editors: Why Communications Skills Matter for CISOsAlso: Health Entities Affected by Massive Data Breach; Identity Trends Anna Delaney (annamadeline) • June 2, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including why good communication skills are vital for being an effective CISO in 2023, how the hack of Florida-based dental insurer MCNA affects nearly 9 million people, and how CyberArk is securing privileged users with a new browser.
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Michael Novinson, managing editor, ISMG business; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discuss:
- Key takeaways from a conversation with CISO Jamil Farshchi of Equifax on why today's successful security leaders must have strong communication skills to advise the executive team to better understand cybersecurity risks;
- How the hack of an insurance provider that services many state Medicaid agencies and children's health insurance programs compromised the personal and protected health information of nearly 9 million patients;
- Highlights from an interview with CyberArk CEO Matt Cohen, who shares an overview of the company's new Secure Browser, which prevents adversaries from harvesting the credentials of privileged users who are accessing sensitive web applications.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the May 19 edition on the increasing fallout from the Capita breach and the May 26 edition on how Ukraine's defenders prepared for war.
This transcript has been edited for refined for clarity.
Anna Delaney: Hello and welcome back to the ISMG Editors' Panel. I'm Anna Delaney and this is our weekly editorial overview of the top stories in information and cybersecurity. A brilliant panel awaits us today. Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity, and Michael Novinson, managing editor for ISMG Business. What a team! Hello and welcome.
Tom Field: Nice to be back.
Delaney: It's good. Good to see you, Tom. It's been a while. But an awesome sky behind you. I presume it's a sky.
Field: It is a sky. This is me flying home last week over the U.S. and having one of those red-eye flights. I just happened to lift up the visor at the right time. And there was this beautiful sunrise somewhere over Michael's home country of Michigan. So I took this picture and said, "Finally, I've got a background for next week's panel."
Delaney: Very good. Well, we're happy about that. Marianne, looking pretty in purple and pretty behind you as well.
Marianne McGee: Yeah, this is just a bush in our backyard. We call it The Purple Flower bush.
Delaney: Just a bush in the backyard. Well, it's very pretty bush. And, Michael, it reminds me of a hungry caterpillar who morphs into a butterfly. Am I right or am I wrong?
Michael Novinson: You are correct. I am indeed in Amherst, Massachusetts, Eric Carle Museum of picturebook art. My daughter's turning three in July. It seemed like it was a good time to, with the long Memorial Day weekend in the U.S. to make a day trip out there. Lot of stuff for children, we had a wonderful time and we did get a picture of her in front of the butterfly.
Delaney: Well, behind me is a very, very famous street in London called Savile Row, which prides itself on being the world's most famous street for bespoke suits. So if you need a sharp suit, you come here for its great tailoring. And by chance, I happened upon this vintage car exhibition that was hosted by Savile Row. So it was all cordoned-off red carpet and swing band, it was rather special. And, of course, these brilliant cars, and behind me is, as you know, a 1967 Ferrari.
Field: So one can drive away with a vehicle.
Delaney: I tried, but working on it. Well, Tom, you've been back on the summit circuit. And you were in Seattle, I believe, last week hosting ISMG North America West Summit. So how did it go? And what were the key takeaways for CISOs?
Field: Well, you know, it's been several weeks of travel, starting with the RSA conference that we attended a few weeks back and then on the road for various roundtable discussions all over the U.S. And yeah, I was back in Seattle last week for the Northwest Summit. There are a couple of sessions there that really stood out for me - one was we did a repeat of what we've done in New York, in bringing in the Secret Service to do a live business email compromise exercise with the attendees. I can't say enough about such a positive experience, secret service sends in a half dozen or more agents to sit with the crowd. We mobilize our CyberEdBoard members to help be a part of this, and the attendees all get involved. We give them a scenario of two organizations had been involved in business email compromised when we ask them tough questions about what should they do. What did they do? What would you do differently? And they speak amongst themselves and report some of their findings back; sets the tone for the day. You see people from that point forward, wanting to talk together, wanting to ask questions of one another and discuss various issues and makes the entire day more interactive. We segue from there into a session that was run by attorney Aravind Swaminathan about a brief scenario, he was talking with a security and privacy leader and they had a scenario of there had been an incident, but was it enough to alert the CEO and the board? Well, they didn't just discuss it themselves. They opened it up to the room. And when he got so much input on that one question from the attendees - what they would do, what they wouldn't do, who they bring into the discussion - we couldn't even get to a second question. Now this is an attorney that has represented many CISOs when their organizations have been breached, and when fingers point to the CISO. He was doing this before it became fashionable in 2022. And he has lots of insights to share. But I was impressed with how the attendees galvanized behind this conversation and had some real cogent insights. Just so happens that was the ending session. Several of us went from there to a roundtable I hosted, topic of the roundtable was the CISO's role in fiduciary responsibility and how cybersecurity is evolving to become an issue of fiduciary responsibility, and it's the CISO's role to represent this to management and the board. Having been in the exercise about business email compromise, having been in the discussion with our event, our attendees were so primed to have this discussion. It made for probably the most engaging roundtable I've had the privilege to moderate this year. So that's a lot to unfold, but that's how the event went.
Delaney: That's really very interesting about the sort of fiduciary aspect that came up at RSA as well, in one of my interviews, and this idea that cybersecurity brands need to act like financial institutions in a way, you know, where their clients best interests are at heart and defenders, as a result, need to take a more forward looking approach. Did you get a sense or any idea from these security leaders that you were speaking with? Did they have thoughts about how security leaders can or should approach this responsibility?
Field: Indeed, and you know, it all ties together, because one of the conversations I had at RSA conference was with Jamil Farshchi, the CISO of Equifax. And we talked certainly about breach recovery, the big incident six years old. Now we talked how organization is different. But we talked as well about how the CISO role is different, and what this new and next generations of security leaders need to do differently than the ones that came before. Now he made an interesting comment to me. He said, "If there's one thing in cybersecurity that he could snap his fingers and fix, it would be communication." I asked him about that, I want to share with you his response to me.
Jamil Farshchi: The most common challenges as a CISO that we face are, "I need to see to the table, I want to be able to talk to my board more than 15 minutes for, you know, over the course of a year, I need technology to be able to do something, they won't do patch, or whatever it might be. My own team complains I don't have a cogent strategy, like they don't know which direction we're going." All of these problems have one root cause: our ability to communicate, our ability to be able to drive that narrative that ultimately drives some sort of action, and makes it important enough that people are going to prioritize it above the bevy of other things that are out there. And I think that as a security practitioner, myself coming up through the ranks, you know, when you get evaluated at the end of the year for who's the top performers, who's a hypo, you typically look at, "Hey, who's got this degree, who's great at packet analysis, who's great at this architecture, infrastructure," the one person who's like, "Oh, man, he's great at communications," that person never gets the promotion. And so we find ourselves today, where security has continued to increase in terms of its prominence and its visibility within companies, within boards, and so forth. And yet, we've got a group of leaders in this space, who haven't really ever been challenged, ever been pushed to to be good communicators. And so I think that that ultimately ends up being one of the the root causes to many of the challenges that we face. And if we can solve for it, even improve it, I think it puts us all in a much better position.
Field: Here you go. And I think that that speaks to a lot of what I've been seeing. What I'm observing is, you've got security leaders now that are doing what we've talked about for some time to becoming conversant in the business language. They're becoming enmeshed in business risk, and they're evolving themselves in cybersecurity, in the role, in the future of the business, kind of all ties together. And I'm encouraged to see it.
Delaney: Very good. That's great insight, and definitely one of the important elements of the changing role of the CISO. So thank you, Tom. Well, Marianne, moving on to some hot mess, some latest hot mess: nearly 9 million patients' personal and protected health information was stolen in a cyberattack earlier this year. An incident, which you've told me is on track to be the largest health data breach report so far in 2023. Do share more details.
McGee: This breach was just reported on Friday, just before the long three day Memorial Day weekend in the U.S., and it was reported by managed care of North America or MCNA insurance company. The breach report first went to the main Attorney General's Office, which was very fast in posting it on its website and as you said, it's almost 9 million people that were affected nationwide. Now MCNA is a provider of dental and orthodontic care benefits for certain state Medicaid agencies in the U.S., as well as the Children's Health Insurance Program in the U.S. which is a federal program. As of this morning, the MCNA data breach has not been published yet on the US Department of Health and Human Services website, listing all health data breaches in the U.S. affecting 500 or more individuals. But as you said, it is on track to become one of the largest health data breach so far this year. And in addition to that, the MCNA incident also looks like it's on track to be the largest HIPAA breach reported by a health plan since 2015. Now, 2015 was the year of record breaking health data breaches in the U.S. due to enormous hacking incidents reported by several other health plans, including Anthem's hacking incident, affected 79 million people and that is still the largest ever reported health data breach in the U.S.. Going back to MCNA in its breach notice, it says that on March 6, the company became aware of an all unauthorized party accessing its network, and then the company subsequently discovered that certain systems may have been compromised with malicious code. The company does not say if the malware was ransomware but allegedly ransomware group LokBit claimed in March to have stolen MCNA data and then reportedly leaked some of this data on the dark web in April. MCNA has not responded to our requests for details about the incident, including whether the breach involved ransomware or leaked data. The company does say that the information compromised in the breach includes names, date of birth, addresses, social security numbers, health insurance information and also information regarding dental and orthodontic care. MCNA also lists about 100 other organizations that have been affected by the breach, including several state health department's labor unions and also city benefit programs. Now among those affected organizations is Florida Healthy Kids Corporation, which is a state created entity that administers children's dental and health plans in Florida. Now, Florida Healthy Kids was the victim of another hacking incident a few years back that affected 3.5 million individuals. And in the investigation into that incident, a third-party firm, a company called Jelly Bean Communication was a contractor to manage the Florida Healthy Kids website. And federal regulators looking into the incident found that over a seven-year period, Jelly Bean failed to properly maintain patch and update the Florida Healthy Kids healthcare systems which left the site vulnerable to the 2020 healthcare incident. Now, U.S. federal regulators in March slapped Jelly Bean with a $300,000 financial settlement in the Florida Healthy Kids breach. So the bottom line is that health data breaches, especially those involving the information pertaining to minors is something that seems to particularly irk regulators as well as the public. And so for now, I'm predicting that there will be a race to the courthouse for proposed class action lawsuits against MCNA in this big breach, which again, was announced Friday and affects children's health plans. So we'll see.
Delaney: And Marianne, perhaps this stolen data is now in the hands of other threat actors beyond LockBit. The insurer MCNA is offering impacted customers a year's free identity theft protection, I believe.
McGee: Problem is that when it comes to, you know, these - whether it's a health data breach or another breach that affects kids information, that is kind of worrisome. If they have a social security number that's been compromised, they wouldn't necessarily know about it, because they don't have a credit history until maybe they become of age and they start applying for a credit card or student loans or whatever, then it could come back to haunt them. So that's why when children's information is breached, it's particularly worrisome, I think.
Delaney: Marianne, is a use identity theft protection enough, do you think?
McGee: Probably not, and I write a lot about these class action lawsuits that get filed in the aftermath of data breaches, and, you know, a lot of them get settled. And sometimes the settlement includes those affected getting a longer term of credit and identity monitoring, maybe for several years. I've yet to see anything that said, "for a lifetime", you know, or anything like that, but it's usually more than a year.
Delaney: Marianne, do you see regulators taking a tougher stance on these healthcare organizations?
McGee: Well, you know, the Feds seem to have their hands full with a lot of other things they're working on, but there's been quite a few state attorney generals this year that have taken action against some entities that have had large data breaches or HIPAA violations under the High Tech Act. The states have the ability to go after HIPAA violators, even if the feds don't go after a company that's had a breach. So that's a possibility, too. There was a vision care entity a few years ago that had a big breach. And there's, you know, maybe a half a dozen state attorneys general that have gone after that company, you know, with their own HIPAA enforcement actions.
Delaney: All right, thank you. Well, Michael, you recently attended CyberArk's annual Partner and Customer Conference and interviewed their CEO, Matt Cohen. So let's start there. How did it go? And what do we need to know about from the interview?
Novinson: Absolutely. And thank you for having me, Anna. So what's interesting is the space that CyberArk is moving into. So I want to talk a little bit about the secure browser market here. This really has its origins in RBI or remote browser isolation, which is really an actually secure version of Google incognito mode. So for privileged users or people accessing privileged information, it's a more locked down way to go about what's your web activity, without leaving yourself open to compromise from threat actors. What happened a few years ago was people took this idea of browser isolation and said, "Instead of making this a feature in a browser, what if we just built a browser from the ground up that's secure." That could be an alternate to Chrome or Firefox or something like that. So you saw a couple of startups launch in that area, you saw the 2022 RSA innovation sandbox contest winner, Talon Cyber Security, they're getting some backing from CrowdStrike. They have made a big claim here. Then you also have a firm called Island, which is led by Mike Fay, who was the longtime president at both Blue Coat systems as well as Symantec which had bought their way into that RBI space. So you have these pureplay, secure browsing companies. And then coming out of RSA this year, you actually had JP Morgan saying it was one of the technology areas they wanted to watch, which was a little surprising to me, to be honest. Fast forward a couple of weeks, we're at CyberArk impact in Boston last week, and CyberArk announces that they're launching a secure browser of their own, which is interesting, because I'm not aware of other major technology platform that has moved into this space. So they're really taking on the pure play companies that do this, as well as the rest of the market that hasn't adopted this. So it's interesting to cybernetics backgrounds, obviously, and privileged access management and an identity. So they're really concerned about the session hijacking potentially to a cookie that a legitimate user was using to get around the MFA. And essentially take over a user's guide session as if they were the user, and nobody would be the wiser. The CyberArk secure browser is a cookieless browsing experience, the cookies are essentially ported back to the CyberArk server to thwart session hijacking successfully. So essentially, the CyberArk idea isn't because the big debate has been, "Is this essentially just going to replace Chrome, or companies are just going to have everybody use a secure browser when they're doing work for the company." And that's not CyberArk vision, I mean, that'd be costly. And then also people just are used to the browser they used to. So the idea would really be that this is either for certain activities that are more sensitive, or for certain users that are more sensitive. So what the CyberArk secure browser allows you to do is that you can lock down and say, "In order to access this application, you must use a secure browser or these types of users, a CFO and IT admin must use the secure browser at all times. Or you can do a combination of certain applications and certain users require secure browser use." But their idea isn't to business what they feel is the big difference between their approach versus a Talon or an Island is that they don't feel that's realistic, they don't feel that's cost effective. And they're really trying to target certain activities, certain identities for the secure browser and figure everybody else will continue to use the commercial browser that's free and that they're comfortable with, going forward.
Delaney: Michael, what were the other broader themes or topics, the identity trends that you took from the conference?
Novinson: Absolutely, CyberArk is on a multi-year journey now to step beyond the privileged access management, which is the heritage, and become a broader identity security platform. So they're doing a lot around secrets management right now. That's an area of focus. They've also over the past couple years - and there is a lot of identity companies that started up in the late 90s to the early 2000s. Ping Identity and Foxpass and SailPoint, all had to go through this journey that they were built for an on-premises world. And they really had to move everything over to a cloud transition, the pricing model from license to subscription. So several folks been doing that journey as well. And then similar to other folks, they've really been focused on this rise of non-human identities. And what Cohen told me is that for every human identity that exists out there, there's 45 non-human identities, some of those aren't machines, some of those are non-human, non-machine as well. And the security challenges around those are very unique. Machines don't make the same choices that humans do. So that scenario they're focused on. And then in terms of emerging threats, obviously generative AI - who can have conference nowadays and not mentioned that. So they're certainly curious about how that's going to be used for adversaries in the identity arena. And then this, while looking into supply chain type activity, and particularly that lateral movement piece that once you're able to gain, once you find that initial access factor. Well, what happens in an adversary week from there, they're really trying to identify some identity-based approaches to minimize the threat from supplies chain attacks as well as from generative AI.
Delaney: But generally, does he feel that AI, generative AI will help identity security or maybe not?
Novinson: Yeah, I mean, there's, I think at this point, his feeling would be that the offense has an upper hand on the defense, that defense does take a little while to build up. And in particular, there's a lot of concern in the identity world around this voice impersonation. I know 60 minutes have highlighted it at a consumer segment a couple of weeks ago, but then demonstrated on stage just how easy it was to impersonate Udi Mokady, who was their longtime CEO, still chairman of the company. And once you start to add voice impersonation and how easy it becomes to manipulate people into doing things that would jeopardize the security of an operation so the idea that this voice impersonation is going to become available to the masses. And then I've talked to my own parents since there's a video of me on the internet by somebody pretending - like they are asking you to do weird things. Please don't believe. Just call my phone. And I think we're just heading into a world where it's going to be a lot easier to vocally impersonate others.
Delaney: Well, you know, if I had that very same conversation with my parents, so here we are, we must work in cybersecurity. Well, finally, thank you, Michael. Finally, and just for fun, which existing film title best captures the state of cybersecurity today?
Field: The flip answer is to say something like Scary Movie, or it's a Mad Mad Mad Mad World. But I'm going to narrow myself down to Academy Award winners for Best Picture. I think I'll go with the one that just came up, Everything Everywhere All at Once. Yeah.
Delaney: That's good. Michael?
Novinson: Sorry, I interrupted you. Funny thing was I was going to say that one too. But I will pivot to a great journalism movie to the late 1990s focused on 60 minutes, The Insider and we are increasingly focused on insider threats, especially with the layoffs that have been going on. So I will take that old school and go with that.
Delaney: Okay, good. Marianne, something happy and fluffy?
McGee: Catch Me If You Can.
Delaney: That's perfect, actually. Well, I'm going with Raging Bull, Apocalypse Now. Light hearted. Thanks so much for watching. Until next time.