ISMG Editors: What CISOs Should Prepare for in 2024
Joe Sullivan Also Discusses Identity Management, AI, State of Information Sharing
Anna Delaney (annamadeline) • February 9, 2024
In the latest weekly update, Joe Sullivan, CEO of Ukraine Friends, joins three editors at ISMG to discuss the challenges of being a CISO in 2024, growing threats from disinformation, vulnerabilities in MFA, AI's role in cybersecurity, and the hurdles in public-private information sharing.
The panelists - Sullivan; Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; and Tom Field, senior vice president, editorial - discussed:
- Top concerns for CISOs, including how they can collectively defend against disinformation and nation-state attacks;
- The need to rethink identity management in the face of relentless breaches;
- The current state of public-private information-sharing initiatives, including recent hurdles federal regulators have encountered.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Jan. 26 edition on emerging AI tech for cloud security in 2024 and the Feb. 2 edition on why Microsoft's systems are so vulnerable.
This transcript has been edited and refined for clarity.
Anna Delaney: Hello, and welcome to the ISMG Editors' Panel. I'm Anna Delaney, and on this week's episode, we're asking the tough questions. What does it take to be a CISO in 2024 amidst rising risks? How do we tackle the looming challenge of disinformation? And are we ready to rethink identity management in the face of relentless breaches? Well, we're not answering these questions alone. Fortunately, joining us is a distinguished guest with an impressive background as a lawyer, CISO and former federal prosecutor with the U.S. Department of Justice, currently serving as the CEO of Ukraine Friends. He's also held prominent roles as CFO at Facebook, Uber and Cloudflare, as well as associate general counsel at PayPal: Joe Sullivan. Joe, welcome to the ISMG Editors' Panel. It's an honor to have you with us.
Joe Sullivan: Oh, thank you for having me on. I'm excited to be here.
Delaney: We also have excellent regulars. Tom Field, senior vice president of editorial, and Mathew Schwartz, executive editor of DataBreachToday and Europe. Good to see you all.
Tom Field: Thanks for having us.
Delaney: I'm going to pass the torch over to Tom, to start things off.
Field: Yes, what does it take to be a CISO in 2024, given the inherent challenges, and who wants the job, given the inherent challenges and the risks?
Sullivan: That's a good question. A lot of CISOs are asking that question themselves. I spent last week at a CISO retreat with a bunch of top security executives. And it was one of the topics, for sure. But I think that as much as there's fear about the risk, there is excitement about the growth of the role. The world is changing, and so are expectations of how companies and organizations should deliver security. The expectations are growing dramatically, and so that's a good thing for security leaders, because forever, they've been begging for the resources to do the job well. They've forever been begging to be on the exec team, to be able to talk to the board, to be able to talk about risk together with the other executives, and they're finally getting that chance. So on the one hand, there's the fear that comes with that responsibility. But on the other, there's the opportunity to grow in the digital world right now. Responsibility inside organizations is expanding around digital risk. 20 years ago, it was just information security. And then 10 years ago, expectations were that these roles were going to step up and get involved in privacy operations. Five years ago the company was moving on to the blockchain, and somebody had to manage the risk of that. And now every company is deploying AI, and somebody has to manage the risk associated with that. And so who better than the CISO to step up and say, let's look at all of our risks in an integrated way? No risk function should stand alone inside an organization; we have to think about risks in an integrated way. And I see CISOs jumping at that opportunity.
Field: So we live in a world today where we've got zero-days, nation-state activity, ransomware, election threats. What are the threats that give you the greatest concern today as a security leader?
Sullivan: Well, I spend about half my time consulting and advising companies and CISOs. And based on my conversations with them, ransomware is still number one. We talk about a lot of different things. But the reality is the ransomware attacks are so aggressive, so consistently never-ending, and hitting every industry. And so as a result, for the last few years, the boards and the CTO have been asking the security executive, how are we dealing with ransomware? And everybody's invested a lot of time and energy, and there are lots of products that claim to help solve your ransomware problems. But there's no silver bullet in this situation. It's about good hygiene across the board. And so even with all of that effort, I think I just saw an article that suggested that last year was the worst year in terms of ransomware payments in history. So even with all that effort, the problem is not going away, because for the bad guys, the economic opportunity is too big. And so a lot of people are still very worried about ransomware.
Field: Let me ask you about another threat, which is disinformation. The World Economic Forum has called it the top threat of 2024, and just the other day the headlines showed an organization in Asia that had been scammed considerably by a deepfake. How do we even begin to get our defensive arms around this disinformation challenge?
Sullivan: Yeah, I had the good fortune to be in Davos for the World Economic Forum a couple of weeks ago, and I was there doing some lobbying for support for Ukraine in the war situation on the humanitarian side, and also involved in a lot of different cybersecurity conversations. And yeah, it was a big topic of conversation. If the WEF says misinformation is the number one global risk, it's going to lead to conversation. But the interesting thing, the question I kept asking everyone when I would walk up to people inside companies, was, who's responsible for managing misinformation at your organization? And 90% of the people I asked didn't have an answer. So at least we know who's responsible inside the organization for stopping ransomware. We don't have any kind of discipline or organized approach across industry, across government and industry, and across the companies that are building the next generation of security products. It's kind of like a gray zone of lack of responsibility right now. But it's the public that seems to be most upset about it. And so someone's going to have to step up and do something about it soon.
Field: Very good. Joe, I appreciate your time. Appreciate your answers. And I'll pass you off now to my colleague, Mathew.
Mathew Schwartz: Hey, Joe! Great to see you. I've got some identity questions for you. And this is a topic which I think can seem complicated, especially when you see some of the big players in this space, the identity providers, the IDPs, continuing to get popped, the likes of Microsoft and Okta. And if they can't even keep themselves secure, or their customers secure, do you think we need to be rethinking how we are approaching this identity management platform question?
Sullivan: I do think we need to re-examine it. It's a topic that I've spent a lot of time digging into. And statistically, you can find 100 different reports that say something like 80% of all compromised organizations involve the abuse of a trusted identity inside the organization. So whether they're breaking in through the front door, straight through the identity and access controls, or the lack of controls that exist, or they're coming in through a different kind of vulnerability, as soon as they get a beachhead inside your organization, they're typically going to try and take over an identity and use the privileged access that comes with it. And so identity is probably the number one area of investment for CISOs in 2024. And we're all thinking about where we place that investment. And one of the topics that I think is starting to come up is maybe we shouldn't consider our IDP to be, or we shouldn't consider the software that manages people getting in and out of our enterprise to be, a security product. So for example, in most organizations we don't just rely on our email provider to do all the security of email. Large organizations have at least one dedicated security product focused on email security; many organizations have two or three layers there. It's kind of shocking that we don't have those layers of controls and protection behind our IDPs. And I think we'll see more startups and security companies starting to offer products that stand behind the IDP and/or kind of scrutinize what the IDP is doing for the security organization.
Schwartz: That's fascinating. There are so many assumptions, I think, that come along with using an identity provider platform. Like you said, some of the other assumptions we have are things like multifactor authentication, for example; people who say, I've enabled MFA or 2FA. And you see these sorts of defenses. While they're essential, right, everybody should be using multifactor where they can. But sometimes they get routed around, sometimes via simple-seeming attacks, MFA push notifications, for example. You keep getting them, keep getting them, eventually a target accepts them. And I know that you've written about how a lot of people don't understand, under the hood, how authentication works, how maybe it's supposed to work. I guess we have protocols and frameworks, but then how it does work in the case of, say, FIDO2 in practice, or it might work in unexpected ways. This sounds like such a challenge when you're trying to get better defenses in place. What should security teams be thinking? How can they upskill themselves? What sorts of assumptions would you caution against?
Sullivan: Yeah, that's a great question. So I've spent a long time in my career thinking about how I best secure the identities of our insiders. Over a decade ago, we started rolling out hard keys as a second factor at Facebook; you had to have a hard key to get into our production environment, to touch code at all. And it's funny, that was only a decade ago, that was kind of an environment that was pre-SaaS, if you will, pre-cloud. And in that environment, when we deployed the hard key as the second factor, we knew that you had to physically have that hard key to get into that environment, because it was behind a network perimeter; it was kind of like an old-school environment. Now, I've helped a couple of companies in the last year roll out hard keys as their only second factor of authentication on the theory that, okay, if we have the hard key, that solves all our problems, you can't be phished, etc. But what we've seen in the last year is a rise in a very specific type of attack that I don't think enough people understand. So when you go through an identity provider, you can configure certain things like how long should my authentication session last? Should it be bound to a specific browser? Should it be bound to a specific device? There are all kinds of things that you can work with your identity provider to put in that. So when I go through, say, an Okta, and I log into a corporate environment, Okta drops a cookie, or what we call an identity token. And that token will very specifically put in place limits that Okta, say, designated. The problem we're seeing now is that most of the time your identity provider stands in front of a bunch of SaaS apps and on-premises apps and the like, and it's not the identity provider that drops the ultimate token that determines whether you will get access to that environment. It's the SaaS app itself.
So Okta will drop its own token saying, okay, you have to re-authenticate every four hours, because that's a corporate policy. But on the back end, the SaaS app that you just got authenticated to might drop a separate token that says, we think we're going to allow everybody to stay authenticated for a month because our users get frustrated when they have to log in again. And so that simple handoff, where your identity provider tells the SaaS app what the rules are for your authentication, seems to be broken. We see too many times that the SaaS app provider might charge you that single sign-on tax, but they don't go and configure the token that they're going to drop to honor what's in the IDP's instructions. And so all an attacker has to do is get on the device. And then they can go and steal that unencrypted token and take it, and maybe that token is long-lived. Or maybe it's supposed to be device-bound, but it's not. And so that's where we're seeing repeated attacks against the same environment. Because one of the ways the bad guys can establish persistence right now is to grab that second token. And they'll grab all those tokens and they'll experiment and see which SaaS provider kind of screwed up and left the security team in the lurch.
Schwartz: Fascinating. Thank you. I think you're going to be hearing a lot more about this. People are so innovative and experimental. And this stuff just keeps surprising. That's great. Thank you so much. Speaking of surprises, I know Anna's got some questions for you.
Delaney: Got a couple of surprises. That's brilliant stuff so far. Thank you. Well, Joe, we can't overlook the topic of AI in this discussion. So where do you see AI supporting the defenders today? And what are your aspirations for its future impact?
Sullivan: On the one hand, everybody's freaking out about the risks of AI. But on the other hand, we're all talking about them right now, in the early days of deployment, which is a lot better than in a lot of other technology revolutions of the last 25 years. It's so much better that we're having public-private discussions, we're having large organizations think about how to deploy and manage it, we're having lots of investment on the security side. I can't keep track of all the security startups that have launched in the last year or two, or have pivoted in the last year or two, to be something related to AI security. When you think about AI security, there are two kinds of topics. One is how do we secure the AI itself? And there's a ton of conversation about that. But then the second question is, how do we use AI for security? And that's where I'm seeing some cool stuff right now. In fact, just yesterday, I paired up one of the startups that's doing AI for security with a company that I had helped hire their first security executive, and that security leader, he's a one-man band at that company right now; he's hired one person, but he's got a company that's growing quickly and has lots of risks. And we paired the startup security company with this other company, because the AI for security opportunity is huge. A small security team will be able to keep an eye on many more things. Like, if you're a one-person security team, you often are like, okay, today I will go in and review all the identity and access logs and make sure that that's all going well. And then the next day, I need to do another sweep to make sure that our employees haven't connected to a bunch of extensions that are downloading our data. And then the next day I need to go.
So it's like a constant too many things to keep track of, and having an AI assistant that's looking at all your security tools and telling you what is the most important risk to go jump on today, or that is even automating some decision-making in some lower-risk areas, that is a real tool for small security organizations that can help them scale quickly. And then the second reason that AI for security is so exciting is that most of what we tend to do in security, we focus on prevention, but we also assume that we're going to get compromised. And so we all invest in these large detection and response efforts where we collect a ton of logs, and they sit in these giant data warehouses. And we hope that our security detection tools will find the needle in the haystack. Well, AI is going to help in that respect, because it's going to be much faster at processing the data and much better at identifying anomalies over time, as we train it. So there are some real exciting opportunities for defenders to be able to use AI to be much more effective.
Delaney: Very encouraging. That's great. And before we wrap up, I'd like to ask you about information sharing. I know you've long advocated for threat intel sharing to bolster our defenses. However, recent reports suggest that CISA is encountering hurdles with its cybersecurity initiatives, raising concerns, of course, about the politicization of government cyber efforts. So given this backdrop, what are your insights on the current state of private sector sharing and public-private initiatives, and are we at a level that meets your expectations as a security professional?
Sullivan: Anybody who's been in security as long as I have has seen this conversation going on forever. The reality of the internet is that most of the internet's technology and data is sitting in the hands of private organizations. So historically, we always counted on our governments to keep us safe. That's, yeah, one of the core reasons that people, I don't know, thousands or millions of years ago, bound together in communities was for the common defense. For the first time ever, the cyber world creates a difficult problem for governments in that they don't have visibility into what's happening unless somebody in the private sector cooperates. But why haven't we gotten better? Because people have this concern about privacy that's real, and the idea that the government would have incredibly more access and visibility into all of our private lives if we just gave the government unfettered access to all that data. So there's this fundamental tension that exists in cybersecurity that doesn't exist anywhere else. So we've all been fighting for years to try and get better and better at collaboration. And it's two steps forward, one step back. And look, as much as there's criticism of CISA for not being perfect right now, they've taken us many steps forward in the last few years in terms of that collaboration. And so, like, we have to nitpick, we have to criticize, because we all want to do better. But we shouldn't just throw in the towel because it's not working perfectly yet. It's going to be a collaborative, dynamic process, so that we maintain the right balance of privacy and security. And no one person can sit in all those spots and see a perfect solution. So we've just got to keep pushing for it. Because at the end of the day, we always say in security, the bad guys all share all the information, and the good guys are at a deficit.
I do think that the push towards more transparency for companies is a very good thing, because if companies, by default, are afraid to share because it'll hurt their brand or reputation, then the rest of us don't get the information we need to be able to learn the lessons from their failures. So I hope that we move towards that. We're seeing a lot of sticks right now, in terms of trying to force organizations to be more collaborative. But we still want to see more carrots too. Like, when I was on President Obama's cyber commission in 2016, one of the things we talked about a lot was how do we give immunity to organizations that come forward quickly? How do we reward them for wanting to cooperate and share the intelligence information that would help all of us in our collective defense? And I hope we can keep having those conversations about, like, let's do carrots too, not just sticks.
Delaney: We're all for carrots here. More carrots, please. This is great. These are good insights. I mean, thank you so much, Joe. We've got one final question. We're going to give you a break for a moment. But it's just for fun. I'd like you to pick a sport and demonstrate how it can apply to cybersecurity. Are there any parallels between the sport and navigating the complexities of cyberspace?
Field: It reminds me of a story. The first time I visited India years ago, I sat down with one of my hosts. And he said, can you explain American football to me? And I said, can you explain cricket to me? Both games are fascinating to watch, with millions of supporters worldwide, but for someone who doesn't understand them, the rules are extremely complex. And the two of us sat down with napkins and drew what we could share with each other. And so I'd bring both those sports in there. Because it's something that, from the outside, you can enjoy watching. You can sort of get your hands around it, but to understand the intricacies, it takes some work.
Delaney: Very well said! Mat, what are you going to throw at us?
Schwartz: What am I going to throw at you? Thank you. That's not a lovely image. I'm going to be coming running toward you. Because maybe like 15 years ago, I decided I was going to learn how to run, like as in jogging, not just escaping from things. And I thought it would be a good thing to do because I was moving to Scotland. And I have so often been on my computer and needed to get out. And so I found the Couch to 5K program, which I think a lot of people have done, where over eight weeks, you learn how to go from perhaps a sedentary, couch-bound lifestyle to being able to run five kilometers without stopping. And the thing that I love about that, which is counterintuitive, is that it's interval training. So you don't just run and see how far you get. But you run and walk and run and walk, and over the eight weeks, you start running more than you're walking. And I think that's a good thing to keep in mind when you're trying to master complex, difficult things. Especially like cybersecurity.
Delaney: Yeah, a lot of wisdom there. And you've run across the globe now, so you run further than 5K, I think.
Schwartz: All the way around the globe. Yeah, maybe soon.
Delaney: Okay, good. Did you know that there's such a thing as extreme ironing? It is classified as an extreme sport in which people are enclosed in unconventional places and extreme locations, such as mountain peaks or underwater or whilst skydiving. So with that in mind, I think cybersecurity professionals often find themselves in unconventional, perhaps unexpected situations. And they've got to employ creative ways of thinking about things, of protecting the crown jewels, and I think thinking outside the box is an expression which can be applied to both.
Field: Extreme ironing!
Delaney: Yes. I'm not doing it anytime soon, but that did catch my interest. Joe?
Sullivan: I'm going to say skiing. I fell in love with skiing about a decade ago, and it's something that I always try and find some time to do. And I was thinking about why do I like skiing? It's a risk-reward situation. It's so much like what we do in security. It's risky, because if you go too fast, or you go faster than your skills would allow, you get hurt. But it's a rewarding experience. Because when you do it with other people, it's more fun. And when you practice, and you focus, and you're disciplined about it, you get better at it. And so to me, anything where you're looking at taking risks and figuring out how to navigate them, it's like my day job. But at the same time, when you're out skiing, one of the nice things about it is you can't think about anything else; you have to think in the moment. So if you've had a lot going on, getting out there is like going for a run or something like that. It just clears your head. And I think all of us in the risk business need to clear our heads every so often.
Field: Very well said!
Delaney: We approve, that is a great, great example. So, Joe, thank you so much for playing along with that. It's been absolutely wonderful having you grace the ISMG studios. And thank you so much for your perspectives and expertise. We hope that you will return, we'd be honored to have you back.
Sullivan: Thank you for having me. Be happy to come back.
Delaney: And that's a wrap. Thank you so much for watching. Until next time!