But are boards genuinely paying attention? And are today’s questionnaire-based supplier checks still fit for purpose? To find out more, GRC specialist Diligent gathered a group of typically outspoken cybersecurity leaders for a recent RANT roundtable in London.

AI Talking to AI

Diligent’s Jelle Groenendaal, Co-founder of the firm’s 3rdRisk business, kicked off proceedings with some words of comfort for attendees round the table: “I feel your pain”. Groenendaal was a Cyber Resilience Manager at Deloitte when he realised that legacy approaches to TPRM were woefully outdated.

“You’re asking highly educated people to chase emails and send out questionnaires, then collate all that information in a central spreadsheet. It just wasn’t working,” he explained.

Most of the CISOs around the table were in agreement. One argued that, too often, TPRM is a “one and done” process. “How do we get more agile? How do we recognise that our risk changes frequently over the course of the year?” he said. “I fundamentally think something is broken.”

Text-heavy, point-in-time questionnaires can soon overwhelm teams. The danger, one CISO argued, is that you skim the details and assume that everything’s OK. Another suggested that if they receive a document with featuring than 50 questions, they’ll simply deal with it via AI, rather than engage personally.

“People are automating their responses to a questionnaire that has been created by automation,” said another concerned CISO. “If there’s so much being written, it’s not going to be read.”

In any case, large suppliers like the hyperscalers are likely to ignore detailed questionnaires, and simply point the organisation to their “trust centre” page, another attendee claimed. That highlights a challenge that many said they face: devising an effective way to manage risk across a broad range of suppliers and partners, with different risk profiles.

“There’s a level of real discrepancy,” argued host Matt Ford, Third Party Risk Manager at Howden. “How to get something that’s manageable for all, that represents the genuine size of business risk you have associated with these partners.”

For many, there’s no beating the human touch. Several attendees noted the benefits of simply picking up the phone for a CISO-to-CISO chat with their suppliers. But that’s not going to be possible for every single supplier. This is where smarter, more targeted questionnaires could help.

A false sense of security?

Security leaders around the table were conflicted about the value of standards, frameworks and certifications, like Cyber Essentials and ISO 27001. One labelled the latter “both useful and a complete sham”. The challenge is that it is often used as a tick-box exercise, with companies failing to dig deeper into the Statement of Applicability which reveals exactly what Annex A controls suppliers have put in place.

“Even the latest version of ISO 27001 doesn’t mean you’re secure,” said one CISO. “It just means you’ve written something down.”

Context is therefore critical to effective TPRM, attendees agreed. Exactly what kind of service a supplier provides, the size and complexity of their IT infrastructure, and even their financial stability or otherwise are all important risk factors. But there are many more.

In the defence of standards and certifications, one security leader argued that no single compliance attestation should be treated in isolation. The trick is to build a more coherent picture of risk by combining multiple sources of information. Another suggested that, at least compliance with Cyber Essentials could create a “pathway” for a supplier to improve their security posture over time.

It’s a partnership, stupid

For many, this gets to the heart of what TPRM should really be about. Rather than “hammer” smaller suppliers with lengthy questionnaires and rigorous requirements, organisations should see the relationship as a mutually beneficial partnership, several attendees argued.

“It’s not about ticking those boxes. You’re looking for threats, risks and ways to ensure they don’t materialise,” said Ford. “We’re here to support and help them to develop. We may want them to get SOC 2 or ISO 27001, but that’s a journey. Seriously consider your suppliers are part of your own journey to success just as much as you’re going to be for them.”

Echoing these views, another shared that they ditched one supplier following a breach, but this came with a huge cost, as they were forced to find another mid-project. “In that situation it’s a lose-lose,” she said.

Traditional questionnaires were criticised around the table for being too “crude” and encouraging a “pass/fail” culture which leaves both parties worse off.

“There’s an obligation here for senior leaders that TPRM shouldn’t be a tick box. It should be something UK PLC is working on to enhance the security of everyone,” said one senior risk leader. “Security should never be a competitive advantage. It should be a leveller. We all want to be as secure as possible. So stop sending out 200-page questionnaires, and work to help your suppliers understand what they need to do to get to a level that benefits us, them and everyone.”

The board may already be bored of this

The challenge facing CISOs, another attendee opined, is convincing the board that TPRM is still value for money. Like immunisation, if it’s working, there will be no visible result to crow about. “We need to turn to something usable and make sure it resonates with boards, so they don’t see this as dead money that will be gone after a certain point,” argued one security leader.

“That is why we acquired 3rdRisk,” responded Tom Ryan, Diligent GRC Sales Director. “Because what we’re trying to help CISOs and CROs give to their board is the context … So you can say to the board ‘you wanted to achieve these objectives, well, this is the level of risk we’re currently carrying.’”

Ultimately, “there’s a time and a place” for questionnaires, said Howden’s Ford. They can help to make the board care about TPRM, as long as they’re treated as part of a “multi-source” strategy.

“The one thing we care about is breach probability,” he concluded. “How easy will they be to take down? How much are they going to take down from us? And how bad are their nth party suppliers?”

When couched in those terms, maybe supply chain risk management isn’t so complicated after all.

Ready to transform cyber risk oversight with integrated GRC capabilities? Schedule a demo to see how Diligent’s platform delivers comprehensive cyber risk intelligence to boards.

The post Collaboration Not Conflict: Are CISOs Getting Third-Party Risk Management Wrong? appeared first on RANT Community.

   “When [Lord Melvyn] Bragg used to host it,” Murphy explained, “at the end, he would ask: ‘Is there anything you wished we’d explored further?’ And tonight, we could have spent the whole hour just talking about leavers.”

Murphy was referring to a path that had been signposted during the evening’s discussion, when one of the security specialists attending had remarked that a company they had been doing some work with had assessed that a vast 80 per cent of its risk profile came from insider threats, and reckoned that the majority of that chunk came from people leaving the organisation and taking proprietary data with them to their next employer. But such was the pace of the conversation, so varied were the thoughts and ideas brought up by the senior cyber staff in the room, that this ended up being a pathway that the roundtable’s guests simply didn’t head down.

“The fact that we didn’t get to spend any time on that at all highlights how diverse this subject is,” Murphy said. “Just look at what we couldn’t agree on! We can’t agree if the regulations are clear in all circumstances; we can’t agree if the responsibility should sit with the users or with the IT security teams. This is why these problems are so hard to solve. But what I do know, because we see it all the time, is that this is where the frontier of risk is moving to for most organisations.”

A Burden Snared

“The practicalities of data protection,” RANT’s guest host for the evening, Jon Mattey, CISO of the Forge Holiday Group, had said about an hour earlier, “are something that resonates. We deal with data-privacy teams, who say: ‘Here’s what you have to do,’ and we have to go away and deliver it. But can we actually, practically solve these problems? And if we can, what is involved in doing that? Is it culture? Technology? Behaviour?”

“All of them!” piped up one CISO immediately, if not entirely helpfully.

“That’s the easy answer!” Mattey gently chided.

Another wag chimed in by suggesting that, surely, buying a product would provide a quick and easy solution. Nobody dared to respond with the dread cliche about there being no silver bullets, but that was the general gist of any serious response to this admittedly jocular suggestion.

These are knotty, complex issues, so the existence of a single, simple solution is inherently unlikely. “You can’t get all the way unless you look at the whole thing,” one leader summed up, sagely.

   “You need to build a culture,” another CISO said, before adding: “People, processes and technology – if you get the first two right, the technology will solve itself.”

And part of getting that culture right, attendees seemed to suggest, lies in having corporate structures in place that are flexible enough to allow employees to use their common sense, while ensuring enough protections can be wrapped around those staff members so that they are protected from doing bad things by accident. Because if the malicious insider is potentially the business’s worst enemy, the staffer who leaks data or opens a back door to an external threat by accident can be just as dangerous – and there are many more of them.

Keys To the Castle

Setting and establishing a culture that prioritises security yet still empowers staff to use their initiative to help the business to succeed competitively became the foundational element of the ensuing discussion. Sometimes it may not have been the main focus, but it always seemed to sit underneath whatever topic was getting the majority of the attention, and each of those separate areas felt like they relied upon a strong and flexible culture being in place before anyone could think about resolving their complications and contradictions. And at the heart of some of the most contentious discussions that were directly concerned with corporate culture was the vexed question of policy – or, as one attendee put it, “the P word.”

   “It’s a dirty word in my organisation,” they said. “Policies are just something written down. In these conversations about culture, you’re going back to targeting people for doing the wrong thing. Really, you need processes in place to stop those things happening. If someone’s had a bad day – maybe they’ve had a fight with their partner, or the baby’s been up all night crying – they’ll lose focus and make a mistake. And if your controls aren’t in place to stop that happening, no policy will help you.”

It was a strong point, but not universally accepted.

   “People find a way,” another security leader countered. “No matter what the controls, they’ll find a way around them. I was working for an organisation where an executive wanted to get a piece of information out: they had every right to, so they were shown how they could change the label to allow them to do that. Three weeks later, people were passing that information around the organisation, about how to bypass the data-loss prevention filters.”

The conversation kept returning to that three-pronged requirement set mentioned earlier: people, processes, technology. And how all that needed to be wrapped up with the conversations around culture, so the whole thing makes coherent sense to everyone in the organisation.

   “I’ve made a new mantra recently – and I do mean recently – with my dev team,” one security veteran said. “You can’t replace practice with policy. You can’t say, ‘I’ve got a policy, so it’s someone else’s problem.’ I can give loads of examples from my experience of bad leaks where someone copied some over-given permissions. We still see it today.”

“That’s where process comes in – for how permissions are given,” another leader said. “But it can’t be your only control. Culture is one fundamental, but it can’t be the only one. You need a culture where your policies can be written honestly, and then you have the technology to support the policies, and complete your security environment.”

The Experimenter

All fine in theory, of course. But what might this all look like in practice? And is it even possible? One CISO was willing to share their direct experience.

   “We’ve gone through a transformation, with an emphasis on changing the culture, and it’s come from the top down,” they began. “That’s where those discussions need to be held.”

This, it seems, is the key to getting culture right – and therefore at least allowing for policy, process, people and technology to all fall into helpful alignment. And it’s possible, this leader argued, even in organisations that begin the journey from a starting point where flexibility is given a higher priority than security.

   “At one point we had a lot of freedom when you’re on your own machines – a lot of trust, and quite convoluted policies which read like a legal document,” they continued. “We’ve changed that. But we’ve added an exemption process, with a mechanism for if you need to break a policy. There’s a way to ask permission; it gets put on the risk register, and gets owned by someone who’s invested in that decision. We try to say that the security team will advise on the risk without saying ‘No’. I think that helps.”

“We’ve also put in technology controls, around what people can do on their machines, which exposes to them the things they’ve been doing without realising they’re breaking policies,” they added. “Sometimes that’s resulted in them asking for more budget, because it’s business-critical to do that insecure process.”

A comprehensive case study, then. Not easy, not quick, but it seems to be working, and it appears to have succeeded in allowing the security team to be seen as enabling and supporting individual innovation, rather than just being The Department For Saying No. The critical element, though, is that the transformation has been driven by the organisation’s senior leaders. “For us, the biggest thing is the involvement of the people at the top,” the CISO concluded.

Psy-Ops Dispatch

Another “P-word” found its way into the discussion, though the first person to mention it chose to do so with great care. And they did so only after the conversation – inevitably, if perhaps slightly belatedly (it was about 25 minutes before the two letters made their first appearance) – began to look at how so-called AI systems might be making many of these problems worse. With these tools so widely used by people in their personal lives, the temptation to use them in the workplace is increasing daily – and if businesses or their security teams hope to minimise risk by blocking unauthorised AI in the workplace, all they often end up doing is pushing employees into working around the controls.

   “I hope there’s no psychologists in the room,” a CISO began – and they actually looked like they were checking – before adding, “but this is a psychology problem. We all want the quickest route to the best outcome, and that drives behaviour. So does culture, but behaviours and cultures are interlinked. We’re humans, and we want to do the right thing, but we want to do it quickly. How we can enable people to be as good as they can be and to work as fast as they can? We’re naturally inquisitive, and people will look at AI, and think it’s an answer to that. What can we do to help?”

It was a good question, but it was perhaps even more complicated than it appeared – and, by asking it of present company, any answers offered may not, ultimately, be the most helpful.

   “This is a room of people who work in cybersecurity,” Murphy pointed out. “We all think about risk-versus-reward. Either intentionally or informally, we will always do that risk assessment. But we are not the norm. Everyone else? They won’t even see it, let alone mitigate it. Nor should they.”

“When you talk about data-protection regulations, how many people in your organisation would even know what they are?” asked another security leader, as those around the table began to warm to the theme.

“I don’t think those regulations are clear enough,” another attendee argued. They had had some direct experience of working with the Information Commissioner’s Office, supposedly the authority on such matters in the UK, and had found that, even there, nuance was all, and clarity often proved hard to achieve. “Any question you ask of the ICO about GDPR,” they added, referring to the European Union’s General Data Protection Regulation, “the answer is, ‘It depends’.”

“But is it not clear when you’re talking about an employee putting information into a large language model?” another CISO asked.

“No, it isn’t,” came the immediate response from a contemporary. They pointed out that there would be nuances not just resulting from what the lawful basis and the legitimate interest of the data processor were, but different ones based around whether it was client data, company proprietary information, whether the LLM in question was a corporate-only version or the public version, and where the servers were hosted.

Oh, Lordy, troubles so hard.

Destroyed Fortress Reappears

The AI part of the discussion was spirited, feisty and – inevitably – inconclusive. The issues differ in their specifics but are common to all companies, in all sectors. Some situations stand out, where an unusual approach may have been taken, but even in those cases the challenges remain vexing.

   “We were talking about getting buy-in from the top,” one CISO noted. “Well, with us, our CTO was on board with it, so overnight, AI was completely blocked. The thought process was, ‘If it’s important to a user, they’ll come to us and ask where their AI’s gone.’ For a while there was a huge scramble, with people saying they had access and were using it for X, Y and Z. That was amazing for us – we saw those use cases come through. It was a very bold move, and it’s still being worked on. We know we can’t do it forever. But it’s one way to find out how AI is being used in your organisation.”

The methodology came as a surprise, but other businesses have had experience of discovering how staff are putting AI to use. Not all of it has been particularly encouraging.

   “I’ve seen people come in with use cases where you could literally have done it just by using a formula in Excel,” one CISO said, wearily.

“They jump the logical steps and go straight to AI,” another agreed. “It’s baffling sometimes.”

“It’s getting like whack-a-mole now,” another beleaguered security leader lamented. “We brought in a third-party app for the legal department, and all of a sudden there were loads of requests from outside legal to access it. Why? Turned out you could access Grok through it.”

“We had a developer who installed the open version of Claude on his laptop,” one attendee began.

“Awesome!” another replied. “Where’s his P45?”

“It’s an impressive tool,” a third attendee said, “but there was a story just this morning – one of my analysts sent it at 7am while he was walking his dog – about Claude hacking the Mexican government. People don’t realise what they’re allowing these things to do.”

“Everyone has a different view of what AI means to the business, and what it should mean,” Mattey said in his concluding remarks. “But coming back to those fundamentals seems to be the only thing that’s been agreed on.”

“The more we can have these discussions, the more we can figure out,” Murphy agreed. “There also seems to be unanimity that collaboration with users, to help them make the right choice at the decision point, was loud and clear. I like being in a room with collaborative people!”

Learn how Mimecast addresses the complex challenge of insider risk with its dedicated Insider Risk Management solution – blending people, processes, and technology to help organisations reduce human-driven threats and protect critical data. Find out more here!

The post Protean Threat: Why Is Human Risk Such a Hard Problem To Tackle? appeared first on RANT Community.

   “Controls are built in boxes, but attackers don’t think in boxes – they think in routes,” Quinn said. “Everybody here works for companies which have invested in all the usual defensive tech. It all looks solid. But attackers aren’t looking to smash through those. They’re looking for the small weaknesses – the service account that’s no longer used but is still active, things like that – and they’ll use those to move around our defences.”

Quinn cited the example of the 2024 ransomware attack on the American health technology firm Change Healthcare, where the lack of multi-factor authentication on a remote access server led to an identity compromise which the attackers were then able to exploit, escalating the account’s privileges and moving laterally through the corporation’s network. The impact, as he notes, was huge.

   “Paralysis across the whole of U.S. healthcare; loads of patient data locked down; billions in knock-on costs,” he said.

From that first foothold, they were able to move to the heart of the company’s digital infrastructure. The end results could have cost lives; they certainly cost huge amounts of money.

Clearly, a company of that size and scale, handling data as sensitive as medical records, and working in a highly regulated, literally life-and-death sector, would not have skimped on its digital defences. But the point Quinn made was that all the expensive solutions to specific cybersecurity challenges can only solve their own discrete problem set. You still need them, and if an adversary launches themselves directly at them, they’ll probably prove strong enough to repel the attack. But because they’re there, most attacks will be designed to go around them. And that requires businesses to be thinking differently about security.

   “An attack path isn’t a tool – it’s a mindset shift,” he said. Instead of thinking, where should I build my walls, and where should I put my moat? A business needs to be thinking like an attacker, and working out how defences can be bypassed, he argued. The conversation, Quinn said, needs to move from, how do I shore up my defences, to: “How would I go from here [the perimeter] to domain admin if I was attacking?”

Give The Dog A Bone

SpecterOps provide businesses with a tool called BloodHound that can help with this mindset change by, essentially, mapping all the routes an attacker could potentially take around their defences. Once the problem is made visible – in the form of a diagram that even non-technical people can easily understand – changing that mindset starts to become possible.

There are two main iterations of BloodHound – a free version, Community; and the paid, all-bells-and-whistles Enterprise. The purpose of having a free version is not just to tempt businesses to become paying customers: SpecterOps believes in the principle of a rising tide floating all boats, and its founders feel strongly that if they can help any user to understand how attackers could breach their systems and reveal ways in which they could prevent that happening, then everyone will benefit.

One challenge, though, is that the tool – in both versions – can reveal rather more routes than most business leaders would be willing to believe could exist from the tiniest cracks in the perimeter to the vital data that the business relies on to function. For the most part, this is because most businesses rely on their active directory (AD) to manage their identities, and all their access protocols are based on those identities.

AD is an ageing technology, so is well past the stage where “creaky” or “clunky” really do it justice – but its centrality to so much of what the business does means no big organisation is willing to risk seeing what might happen if they tried to replace it. Also: its existence predates many organisation’s cybersecurity departments, so its corporate ownership resides elsewhere. Consequently, its security is rarely something security teams have ownership of, despite its centrality to the entire enterprise’s digital estate. In effect, AD security isn’t just something that attackers can leverage as they waltz around and between expensive security technologies – it’s something that network defenders have to work around too, since they’re not empowered by the business to fix it.

   “When you look at your AD, it’ll be a shitshow,” Colin Makin, SpecterOps’ sales director for Europe, said, deploying a piece of highly specialised technical terminology. “We did a proof-of-concept for a core national infrastructure provider: how many routes did it show? Two billion.”

This provides a fundamental challenge for the company: how do you persuade people to acquire a technology that appears to be showing them how badly they’re doing? Worse, one that appears to imply that all the spending they’ve made on security tools, while it may not have been wasted exactly, still hasn’t managed to provide much in the way of solid protection. “People don’t want to buy a tool that shows them how dirty their laundry is,” is the way he put it.

Again, the challenge here is one of encouraging the decision-makers in the business to accept that it’s time they started to re-examine their mindsets. Quinn argued that expecting a security tool to fix a problem isn’t really the right way to think about it.

   “Tools like BloodHound make the attack paths easy to see, but it doesn’t fix things for you,” he said. “If forces clarity – but it’s up to you to respond.”

Problem Child

Businesses which have deployed BloodHound – whether in the Enterprise or the Community version – have started down the road towards those necessary mindset shifts. But it is not always smooth going.

   “We’ve done it in our corporate environment, but in our customer environment it’s difficult,” one CISO, whose company supplies software to the public sector, explained. “We connect lots of information for public bodies. They all share data and software. Those attack paths are the most dangerous for me. It could start in one region and quickly take out the whole country. We model all the attack paths for our software – but our customers? No. And it’s them that worry me.”

“I understand our environment really well,” another senior security manager said, “but trying to get that mind shift of getting rid of the accounts that you don’t need any more…? People who work in the organisation should only have credentials that are necessary. But many organisations are very naive to what’s left lying around in their own environment.”

Just as worrying are those users who have been given greater privileges than their role actually requires. There are many reasons why this happens, but none of them appear to justify the risks created.

   “A lot of people, when they ask for privileges, don’t know what they’re asking for,” Quinn said. “They say they need a domain admin identity, but all they need to do is go from A to B.”

“It’s like using a Ferrari to go to the shops,” Makin agreed.

“Or sometimes,” offered another CISO, who had clearly seen the same thing happen more than a few times, “it’s more, ‘He’s got a Ferrari, why can’t I have one too?'”

And organisations are exacerbating this problem by, as one leader put it, placing “compatibility layer on top of compatibility layer because nobody wants to switch off their AD. When are we going to architect these rules?” they said, pitching the comment partway between an exasperated plea and a frustrated cri de coeur.

Leavers, joiners and movers in the organisation are another fertile breeding ground for overprivileged accounts, duplicate identities, or worse.

   “I started off in my company being a UNIX system administrator,” one veteran security leader recalled. “My job has changed, and has ranged from being really low level on some production bits, to now, where, in the nicest possible way, I shouldn’t be trusted to be on those servers. I believe all my old accounts have been disabled. They certainly should have been. But are some of them still lingering? I don’t know.”

Other attendees contributed other troubling real-life scenarios, from the firm with four people who have the same name, to the person at the table who shared a name with a colleague in their company, the only way to distinguish them on a list being one of them has a doctorate.

   “The number of times privileges get mixed up between people is ridiculous,” one of these leaders said. “People add privileges to one account, but they don’t apply them to the right one. Or they don’t know which to apply them to, so they apply them to all of them.”

Dirty Deeds Done Dirt Cheap

The differences between the two BloodHound products provoked questions, with some attendees wondering how those might manifest themselves. One CISO who had moved from a rival service and taken up BloodHound’s Community edition had noticed a huge increase in the number of attack paths revealed. Is the step from Community to Enterprise likely to cause as big of a further increase, they asked?

   “Yes and no,” said Mark Wilson, a SpecterOps senior sales engineer, before offering an explanation. “When you use Community you’re trying to work out a route, but you can’t see the whole map. With Enterprise, we analyse the whole map. If a company has two million paths, you’re never going to remediate them all. We map out the terrain, and work out what are the points of convergence that an attacker must traverse in order to get control.”

This methodology will help businesses to turn awareness into effective action. As Wilson notes, no SOC will have the time or the resources to individually disrupt millions of attack paths – but if three-quarters of those routes have to pass through a handful of nodes on the network, then work can be focused on those, and ways of disrupting adversaries as they move through them can be deployed.

Moreover, BloodHound Enterprise doesn’t just look at the company and customer networks. As well as the IT, it can map paths across the OT environment.

   “We can add in backup servers, and take it further,” Wilson said. “We look at all the assets that are critical.”

“Hopefully OT is separate from IT,” Makin added. “But if a user can pivot between them, an adversary can too.”

Once a map exists, those embedded mindsets can, perhaps, start to shift. If a security staffer tries to tell someone in HR, or in sales, or on the board, about a security challenge, eyes tend to glaze over. Show them a map of the environment, which describes the problem in a way that they can see at a glance, and there is at least the chance for understanding to dawn, and that deeply engrained habits and ways of thinking might begin to change.

   “This is a good contextual narrative to move into,” Kay Daskalakis, a SpecterOps sales engineer, said. “You can say to a colleague in HR: ‘Look – you can go from here to the server, from the server to the principal, and take over the company.’ That’s interesting to all these people. It’s not a niche problem.”

And those lessons tend to stick.

   “Once you see it, you can’t unsee it,” Makin says.

Down Payment Blues

Ultimately, it all comes down to money. Around the room were CISOs, BISOs and senior security practitioners whose experience spanned numerous different companies and several different sectors. Getting together to talk through these challenges and share experiences and ideas of best practice is vital. But boards usually view security as a sunk cost, and talking them into putting extra resources into a new service is always difficult. It will be even more difficult if the service you are asking them to acquire will appear to show that much of what they have already paid for has had a more limited effect than expected.

   “As a community, we’re here tonight to try to work out the best approach,” one attendee said. “We get the sales spin; there’s lots of tools. We’ve all invested so much money, and I wonder if it’s been spent wisely. Is this the best bang for our buck? The issue is: are we really, truly understanding where the risk is? This [an attack-path mapping capability] sounds like it could do some real good – but I don’t just want people to spend money on it. Do we really understand our risk?”

“Personally, I don’t think we do – often, we just install the tool,” Quinn replied.

“We invest so much money, but do we truly fix the problem?” the first leader asked. “I genuinely want everyone in this room to do that. I think everything comes back to risk: assessing it, getting that right, so you can focus your resources and your money.”

“This is a fantastic perspective,” Daskalakis said. “Why? Because it ties in 100 per cent with where we are and where we should be. You’ve put it right: there’s a load of money spend on detection, but when you look at the attack timeline, that’s during the attack – it’s not before. We need to sink some of that money into prevention. That means clarifying what is a risk, limiting the unknowns, knowing what asset risk looks like.”

But it’s that mindset shift that needs to happen before anything is going to start to change. As Makin noted, cybersecurity budgets usually only get raised after something bad has happened. Companies need to be looking at spending in ways that will prevent incidents, rather than spending after those incidents have caused damage.

   “You can’t just rely on what you’ve historically got on your system to understand what your attack paths are,” Quinn said. “When people can move from initial foothold to dominance, relying on EDR and MFA is not going to work.”

“We see billions of attack paths – an attacker only needs one,” Wilson said. “My only advice is to get visibility over it.”

“There are qualitative factors you need to take into account, but there are quantitative factors you need to assess risk, too,” Daskalakis added. “BloodHound Enterprise helps you do that. It’s not about telling you what the risk is, but it does tell you how many identities have risks associated with them – and you can create a map to see the risk before it happens.”

Find out more about SpecterOps here!

The post Direct Route: How To Stop The Path Of Least Resistance Becoming The Highway To Hell appeared first on RANT Community.

But then one security leader raised the important topic of the next generation soon to be entering the workforce. In light of all the developments with genAI and the way its adoption is transforming the world of work, they wondered, what should we be advising young people to concentrate on?

There was a brief moment of silence, while the dozen or so leaders around the room, and representatives of the event’s hosts, Mimecast, gave that some serious thought. Then the answers came thick and fast.

 “Carpentry,” said one CISO.

“Farming,” suggested another.

“Subsistence. How to live off the land,” a third offered.

“Poetry,” another mused.

While they all gave the lie to any suggestion that security people are overly serious and lack a sense of humour, the speed and alacrity with which those around the table jumped on this train of thought did seem to speak to a legitimate concern. GenAI may not be all its boosters claim, and it certainly will not be the answer to every prayer. But it has captured the public imagination and its use is mushrooming far faster than guardrails can be put in place to prevent its misuse. And that misuse – which is happening and expanding in lock step with the rate of adoption – poses serious risks of significant harms, which could, ultimately, lead to the collapse of entire businesses, if not whole industries. And in the meantime, automated processes taking actions independently of humans could conceivably usher in some kind of techno-apocalypse which sends us all back into hunter-gatherer mode.

Cheery stuff!

You Must Learn

The evening had started off a little more optimistically, even if those early discussion points derived from challenges security leaders are having. Mimecast’s director of new solutions, James Hathaway, welcomed attendees by saying he was keen to hear about the areas they felt genAI could make them more efficient, but also where his company might be able to deploy these tools to aid defensive operations. After some initial discussions about enhanced phishing campaigns and the difficulties of ensuring security of supply chains, talk turned to preventative measures.

   “I worked somewhere previously where we assumed everyone’s laptop was infected anyway, and focused much more on their ability to hand over credentials,” one CISO recalled. “So if someone did give away their credentials on WhatsApp, can we prevent that being exploited?” Rather than trying to prevent the leak of data occurring, they argued, there may be more chance of preventing that leak having negative consequences.

One way in which security vendors could leverage genAI tools to help with this would involve obtaining a reliable picture of a business’s network and the activity on it. Over time, tools can then be trained, through recognising what constitutes standard behaviour and activity, to then flag up anything that appears unusual. But this requires a high degree of trust from the customer – and although this may appear to be a technology question, the answer will be cultural or legal.

   “This is one of the things we struggle with,” said Mimecast’s field CTO, Khetan Gajjar. “You want AI to understand what normal is, so you can pick up what isn’t. But how many of you are willing to share what normal looks like? This is not a tech problem. One of the workarounds we have is we’ve built connectors. You don’t have to give it to us, but if you already trust INTTRA or Opta, then we can get it from there.”

Word From Our Sponsor

It was only seconds after Black moved the discussion on to “shadow AI” – all the large language model tools that get used by staff, but which are not part of the business’s own technology stack – and employee usage of genAI tools that the first whole-room guffaw of the evening took place. All he had to do was ask where each attendee’s company was at on their genAI policy journey. Hathaway added a codicil to the question: “On top of that – how concerned are you that corporate data gets fed into AI and then is out there?” he asked.

   “Hugely concerned,” one CISO admitted. “It’s challenging. At the same time, we want to enable the business and be pragmatic. One big challenge is, what are the use cases? We’re avoiding things that could have bias, because we don’t want to become a case-study for our regulators.”

Different companies have adopted different approaches, running the gamut from allowing employees to use whatever tools they feel will help and worrying about the consequences later, through to locking down every genAI completely and instructing staff not to circumvent network blocks by using tools like ChatGPT on their personal devices. Several companies have established committees to assess the ways forward, but for every firm that views this as a pragmatic and nuanced approach to a complicated issue, others will feel that it adds a cumbersome additional layer onto an already sclerotic management system, with the risk that any policies that result will arrive too late to be of use.

   “It reminds me of when the cloud first came out,” the hugely concerned CISO added. “Suddenly you’ve got 30 decision-makers. Our developers want to develop a model, but you have to put it into a governance process that takes weeks to get a decision made on one. So they go ahead and play around on their own. We’re driving people to go and do things with AI themselves.”

“We’re trying to do it more on a principle-based basis,” another security leader said. “We want to encourage innovation, but we don’t have the technology to go around it. You have to encourage usage, but also encourage people to think about what they’re doing.”

There was some enthusiasm in the room for pop-up warnings – the system telling a user that an action they are about to take would result in data being sent outside the corporate network. Another security leader explained how their company was adopting a three-pronged approach, with warning messages part of a broader plan.

   “One point was awareness,” they said. “Data isn’t going to jump on its own – someone will click a button. Do they understand what they’re doing? The second was to turn a lot of our people into security partners. We gave them a helpline number and said, if you’re not sure about something, come and ask. And the third was the message – and a disclaimer – if they try to complete the action. While you’re building up the long-term governing body, or a technical solution, this will help – educate them and trust them.”

Gajjar pointed out that, although the technology and the pace of its adoption appears to be new, a lot of the issues it raises still fit into existing processes and priorities.

   “From most perspectives, it’s just another way data’s being used,” he said. “So a lot of the principles around how we use it, who we share it with, should be a guiding light.”

Ya Know The Rules

Rob got another round of laughs with a question that surely wasn’t intended to raise any. He wondered whether the security teams represented around the room had good visibility of genAI use inside their different businesses.

“Did anyone ever answer that with a ‘yes’?” one CISO asked, after they and a few others had collected themselves following their bout of cackling.

   “We have technical tools to block usage, but I’ve no idea how effective they are,” one leader said, quickly homing in on the heart of the challenge. “Different things are being spun up every five minutes. If all your internet traffic goes through a trusted proxy, do you know if they’ve classified every AI provider out there?”

“We did API impressions, to see what people were doing, which was useful,” another security team leader said. “But then there’s all the other AIs that pop up everywhere else. We use Mirrorboard – it’s got its own AI. Excel’s got AI.”

“We have an enterprise Chat GPT, and we block everything else – but I wouldn’t rely on that,” a third leader said. “You’re effectively relying on someone else to recognise the unknown.”

Another challenge comes when other entities that the business connects with use genAI tools, entirely innocently, but without necessarily notifying their partner businesses of it. The growing use of meeting assistants is a particular bugbear for many security leaders.

   “For example, let’s say I have a meeting with Third Party A, and they use an AI to take notes,” one CISO postulated. “There’s should be a policy where we say, ‘We won’t take the meeting if you do that.’ But even if we had one, I’m pretty sure that, somewhere in the organisation, someone would take that meeting – and company information ends up in those AIs.”

Who Protects Us From You?

Another round of hilarity – though muted this time, as if everyone was running a 10-second gif inside their heads of tumbleweed blowing across a desert – was occasioned when Black asked this question:

   “How many of you have been empowered by the board to do something about AI, and where are the budgets coming from?”

“We’re being forced to use AI – it’s part of our performance review now that we do use it,” one leader said, after shaking themselves out of the shock that the question prompted. “New budgets? Ha!”

“There’s a fair amount of hysteria, and we need to show that we’re doing something,” another CISO said. “There’s less scrutiny of the material benefits.”

This issue appeared to be widely shared, even if not everyone put it into the same form of words. Businesses’ leaderships are so convinced of the benefits of AI adoption, and so concerned about the possibility that slow uptake might cede advantage to a competitor, that it’s not just the security of the tools that is being overlooked – so too is identifying the ways in which the company will actually derive those benefits from using genAI. Another gif sprang to mind: Jeff Goldblum in Jurassic Park, lamenting that things get done because they’re possible, not because anybody has really stopped to work out whether they’re a good idea or not.

 “Within about 18 months, we’d set up a defined programme where we did analysis [of AI adoption]: there was a set of criteria, very tightly managed, and the ROI was tracked,” another CISO recalled. Those days have gone, though. “Now it’s a free-for-all,” they continued. “Everyone’s doing whatever they want. It’s much more accessible, and people have been enabled to do their own business process engineering…”

The thought tailed off; nobody in the room needed to be told what that could lead to.

 “But it worked well for about 18 months,” they said, looking desperately for an upside.

“For us it was about six,” another CISO with a similar set of experiences said. “If we’re going to use any business data in any AI system, we have to run it through a responsible AI committee, just to make sure they’re not doing something crazy. I’m not on that committee – no-one in my team is. But in IT, we have a performance requirement to use AI. I don’t know how that works. We work with a lot of sensitive information.”

By All Means Necessary

And so to the final round of thoughts. What would security leaders like to see automated? And what are the key concerns and challenges more broadly? The overall tone was of grim gallows humour, some blurts of muted optimism occasionally rising to the surface.

 “I’m too miserable to even answer that question,” was the first response.

“Everything!” was the second.

“People,” was the third.

There was some enthusiasm for setting automated systems loose on filling in due-diligence questionnaires, though even there, the most beneficial long-term solution would probably be to get sector organisations to come together and standardise what are at present entirely individual, but very repetitive, questionnaires and processes.

And then we were off into how to prepare for a return to a pre-industrial world.

 “We’re all feeling it,” Hathaway acknowledged in his closing remarks. “We’re being drawn to use AI more and more and more, because it can have benefits. But we’ve all got to keep one eye on the threats it can bring. What tonight has done is to cement that theory. There’s great things that can happen, but we’re not being able to address the concerns to take advantage. We’ve not been able to control AI properly to be able to use it properly.”

“If it helps to give a sense of perspective, this is the type of discussion that all of your peers are having,” Gajjar said. “You are not alone!”

The post From Prompts To Poetry: How Should Security Teams Respond To The Rising AI Tide? appeared first on RANT Community.

A RANT roundtable held just before the Christmas break proved to be one such. Sponsored by investigation and response automation specialists Binalyze, and with attendees briefed to expect a chat about whether the long-established “assume breach” concept was still worth the candle, the discussion began in one detailed corner of the topic and progressed outward via some apparently random leaps, as the underlying concepts continued to move and flow forward regardless – a bit like a frog jumping from lily pad to lily pad on the surface of a slowly moving stream.

Partly, perhaps, timing was a factor: nearing the end of another difficult year, with all the elements of looking back and taking stock that inevitably colour our thinking, a December dinner maybe encourages more musing atmosphere than might be the case at other points on the calendar. Partly, too, the overarching topic contains many complicatedly interconnected moving parts, each worthy of detailed discussion, so some dotting around from point to point was perhaps inevitable.

But what felt particularly critical – at least to the hack with the laptop in the corner, tasked with taking notes and later trying to condense them into this report – was the huge degree to which the specific contexts of the individual business affect the highest-level strategic considerations. Clearly, every organisation is unique: but even when challenges are widely shared, and there is broad agreement that a particular approach will benefit more or less everyone, the most urgent and important aspects this throws up for an individual security leader can often be entirely different, and are entirely dependent on the specifics of their business.

So, after a wide-ranging and engaging set of opening remarks from Binalyze’s senior vice president of growth, Steve Jackson, what followed was not a series of different specific perspectives on a shared central problem, but a series of individual questions about specific problems experienced by different organisations. This presents certain difficulties for your summariser, since the discussion – as with all RANT events – was held under the Chatham House Rule, and even revealing the sector an organisation operates in could give certain readers enough information to identify them. But some common areas of concern did emerge.

Think For Yourself

One shared challenge appeared to be how best to conduct cyber due diligence during mergers and acquisitions. This came up after a couple of attendees had lamented how the organisational structures within their businesses limited their room for manoeuvre when deploying security controls pre-emptively, and when thinking about the respond-and-recover phase.

   “For us, the challenge is that we tend to think about critical systems rather than critical processes,” one security leader said. “That level of maturity, for us, may be behind other businesses.”

“We operate at different data classifications, and that gives people an excuse not to tell you about something,” another CISO added. “It’s always quite siloed. It becomes quite hard to join the dots.”

Although usually conducted prior to an acquisition or a merger, cyber due diligence may well help with problems such as these even in a business which isn’t in the middle of such a process. Jackson, who pointed out that Binalyze’s platform is being used by customers to assist with pre-acquisition forensic due diligence, was keen to hear how this work was being done in different organisations.

   “It’s quite light touch, and varies depending on the sector: everyone does it slightly differently,” one security leader, whose experience was drawn from different businesses in different industries, explained. “My first step is, let’s have a standard framework, and get those costs and challenges [identified] up front. When you’re buying smaller companies, they want you to leave them alone, not corporatise them. [But then you may] have to buy bolt-on solutions,” which can happen without proper oversight, they warned.

That’s assuming such a process is allowed, of course. Using forensic tooling during an acquisition could be problematic, another senior security leader argued. “There’s competitive disadvantage to sharing some information prior to an acquisition,” they said. “The idea of deploying forensic tools is alien.”

Jackson described how Binalyze can square some of these circles for customers. The firm supplies an agent “that sits on the network access,” he explained. “The company [can then] deploy that into the target environment, and once it’s there, we provide forensic visibility – basically run a compromise assessment.”

But even if it can be done for or by one firm, others around the table said, that doesn’t mean it will be possible for everyone.

   “That use case will not work in our enterprise,” one security leader said. “There is a level of competition law that would prevent us from doing that.”

Jackson also added that another way in which Binalyze is being used in due-diligence projects is in cyberinsurance, where the due diligence is performed prior to the policy being issued. Still, other CISOs suggested that if they were to attempt to do this on the systems of a company their firm was looking to acquire, it would not go down well. This part of the discussion was drawn to a close by one participant, who noted that “nobody does M&A because of security: they do it because of the business.”

Fixing A Hole

The conversation headed down a different but adjacent avenue when RANT’s co-host for the evening, Matt Summers, divisional CISO for Philip Morris International, asked about regulatory requirements. Acknowledging that there may be reasons why detailed access to systems ahead of an acquisition may be problematic, he suggested that in certain contexts, such access may well be mandatory. Indeed, access requirements may be considerably more detailed than simply getting a decent picture of the network, with red-teaming – simulated attacks, designed to test defences with realistic threats – sometimes being mandatory.

   “From a regulatory perspective, [some processes] require red teams,” he noted. “In finance, for example, the threat intelligence phase and the red-team phase, they’re required to do it.” This sparked some spirited exchanges around physical security maturity, though these were inconclusive.

Various participants noted the slow pace of gathering data during due diligence, red-team campaigns and through security tools, never mind understanding it. Summers stressed the importance of providing visibility of areas that SOC analysts would not normally have oversight of. What those teams can do with that information emerged as a problem for many around the table, but, Binalyze argues, their tool can not just help to triage this information and make sense of the flow, but also enables analysts, who presently may be confined to lower-level tasks, to carry out work usually devolved to more senior team members. In effect, the company says, this will help both to advance the maturity of the organisation, and ensure that junior staff are given compelling enough work, and opportunities to advance, which ought to help the business with the ongoing challenge of staff retention.

   “We give [SOC teams] access to more guided forensic data,” Jackson explained. “We don’t just give them data without context – we prioritise it. If you give that to your Level One and Level Two analysts, it shifts them up and to the right a bit. The outcomes are generally good. Of course, there’s some initial training we have to provide, but it’s not particularly extensive.”

You Never Give Me Your Money

The clash between regulatory requirements and meaningful business outcomes was a prevalent undercurrent to much of the conversation. In response to a question from Summers about whether any attendees took data from red-team activity as a basis for testing their respond-and-recover controls, one CISO summed up their view pithily.

   “Knowing I can rebuild a server is great – but if you don’t tie it back to business outcomes, it’s crap,” they said. “You need to understand the value chain that’s supported. It’s a waste of time, effort and money, unless it’s to comply with a regulation.”

The vital importance of having a detailed and nuanced understanding of the specifics of what is important to each individual business – and the likelihood that, in most cases, this understanding is lacking – was raised in this context by another security leader.

   “If you ask a business, ‘What are the Top Ten systems that’ll bring you to your knees?’, they wouldn’t be able to tell you,” they argued. “How can you protect the business if you don’t know what it relies on?”

Business priorities and detailed understanding of security may not be one and the same thing, another CISO warned.

   “Top of mind for our board is: ‘What happened to Jaguar Land Rover – could it happen to us?’,” they acknowledged.

“There’s a good point about disparity between investments across the different business processes,” Summers agreed. “Do you think we’re not investing enough in understanding the business context around controls, and perhaps over-investing in the wrong respond-and-recover tools?”

This question prompted a response which seemed to unite and crystallise a number of the different strands of the discussion.

   “I think, generally, the cyber world is disproportionately funded,” one CISO replied. “Most of our loss events are due to bad luck – people pressing the wrong button and doing the wrong thing. We lose far more from people screwing up than from people trying to screw us. There are tools that tell me there’s stuff that’s misconfigured, and there’s lots to patch – but I’ve been hearing that for 20 years.”

“Why don’t you fix them, then?” asked another leader, pointedly, to laughter around the room.

“Because the likely loss will be less than the cost to do it,” the CISO replied. “It’s literally not worth it.”

Tomorrow Never Knows

With the hour of discussion nearing its end, Summers brought the conversation back to the original objective. It has been some years since cybersecurity moved, conceptually, from being about building robust defensive walls to keep threats out, and on to assuming that threat actors would gain access and therefore prioritising limiting their ability to extract anything of value. But since adopting that position, has anything meaningfully changed? Threats still get through; ransomware and other attacks still succeed in their aims and objectives; businesses are still investing heavily in security tools yet still suffer breaches, losses and service interruptions. Is it time to let this shibboleth slide away into the background?

   “I don’t assume my car’s stolen or my house has been burgled,” he noted. “Is saying ‘assume compromise’ just something we say to make ourselves look smart?”

“I’m going to take this back to regulatory compliance,” one security leader replied. “Times for mandatory reporting are reducing, yet most of our suppliers are not finding out [that they have had an incident] until very late. How can you prove you weren’t aware until six hours beforehand?”

“Boards are paranoid about this,” another leader agreed. “How can you prove you didn’t know? And will this make you liable for a fine?”

“Who’s going to ask you to prove that?” another CISO pushed back. “You can only report something when you know it.”

“Exactly,” another leader replied. “But how do you prove that you didn’t know?”

“The kind of tooling we’re talking about can help,” Summers said. “Because it can give forensic data, it has chain of custody, and you can produce the report faster. And if you can get to the root cause, [stopping the incident from spreading] becomes easier. You can remediate it once you know what the root cause is.”

Summing up, Jackson agreed that “the assume-breach mantra is a little tired these days,” and proposed a refinement of it as perhaps being more appropriate to today’s realities.

   “We should assume we’re under scrutiny, and that there’s risk there,” he said. “But it’s clear from what we’ve heard that there’s a lot of complexity.”

Binalyze is a cybersecurity company delivering AIR – Automated Investigation and Response. Binalyze builds on the threat intelligence and alerts from your security stack – using AIR to dive deeper into systems, uncover root cause, and deliver the visibility and forensically sound context your tools alone can’t provide. This empowers security teams to investigate both proactive and reactive threats faster, respond with certainty, and stay ahead of attackers with precision. Find out more here!

The post On The Long And Winding Road Towards Better Data Security, Is “Assume Breach” A Dead End? appeared first on RANT Community.

“Can we not use heuristic tools like AI to predict future attack paths?” one CISO wondered, a wry grin perhaps visible as they asked a question which, if not straying into territory we could quite categorise as trolling, was certainly designed to cajole and provoke some forthright responses. For all that large language models and generative AI applications are causing conniptions across the security-leadership landscape, business leaders seem to remain gung-ho on deploying them inside businesses – so folks like this senior network defender are understandably keen to come up with ways to use them to help, rather than hinder, the security mission.

Unfortunately, the replies were not particularly encouraging.

“You’d need to go and proactively identify [the attack paths], which was what a threat actor would do: they’d find out how to escalate their privilege,” said Stephen Tate, global head of incident response at the London Stock Exchange Group, who guest-hosted the event on RANT’s behalf. “There is a case, I guess, to use AI, but personally I don’t think you can use AI to map out what the attack path is if the attack hasn’t already happened. You can use it to go through the logs and understand what’s gone on already – but I don’t think you can use it for the proactive part.”

“You can possibly use it to predict the next points in an attack path,” another CISO suggested, arguing that the technology as it stands at present might prove capable of projecting possible pathways a single step forward. “But the problem is, you’ll end up with too many permutations. It can be useful for a lot of things, but it’s not a silver bullet.”

“Nowhere near,” another leader agreed. “It can speed up trend analysis, but if you don’t know how it’s come up with that analysis it can send you off into a whole different forest.”

“You can ask it the same question twice and it gives you a different answer each time,” someone else moaned.

“And if you challenge it,” another leader agreed, “it goes, ‘Oh, yeah! You’re right!’.”

“We’re keen for our analysts to use it,” Tate said. “Logs are very complex when you’re doing analysis, so it’s useful to say, ‘Describe what this event means.’ The bit it’s not good at yet, in my opinion, is being able to tell me why I should care, and why a threat actor might want to do something.”

Kingdom Of Fear

While discussion of generative AI in this context might appear gratuitous or tangential, there is clearly some need for assistance when security teams are using a tool that does as much as SpecterOps’ BloodHound to reveal hitherto unknown routes attackers could use to compromise businesses’ most sensitive and closely held data. The company’s director for Europe, the Middle East and Africa, Tony Sheldrake, said that, when the tool is first deployed in a company’s systems, the effect on those inside the business is “shock and awe. We sometimes find millions of attack pathways.”

Another reason why bringing AI into the conversation makes sense is because that’s the direction some of the big players in the network-defence space have gone. In its E5 licenses, for instance, Microsoft seeks to leverage its Copilot LLM for AD security. This is the sort of work which BloodHound was specifically developed to help with, and helping to automate security of Entra ID – formerly known as Azure AD – is among the benefits touted of upgrading to the more expensive licenses.

“AD has grown and grown,” said one CISO, who described themselves as “a big fan” of BloodHound, having used it in several previous roles. “Part of the problem is, even if you have huge powershell capabilities, with the existing tools it’s impossible to see what you’re exposed to. Even with the E5 license it’s not there. Secure Copilot doesn’t do this.”

“I agree,” another CISO said. “We’re a big Microsoft house, and every time I’m looking at [Entra ID security] it’s all within this bubble. It can only see what Microsoft can see. It’s really valuable to get something external looking at it. I’m always having this challenge with my board! They say Microsoft can do this, but they can’t.”

“Interestingly,” said Sheldrake’s technical colleague, Colin Makin, “Microsoft is a customer.” So, he noted, are OpenAI, and the data-analysis platformer Palantir. Even companies as deep as those firms are in managing data, understanding connections, and securing businesses and governments, are turning to SpecterOps to help them with the parts of their mission they can’t carry out themselves.

The Proud Highway

SpecterOps are open about the organisational challenges that deploying their technology may pose. And, at least for security leaders, the advantages in being made aware of the myriad ways an attacker could access sensitive data far outweigh the problems that appear to be raised when the business is suddenly confronted with the knowledge that there are many more of them than were previously thought possible. But the journey from denial to acceptance is one that the business will have to map for itself.

“A lot of what I do is running proof-of-values, and every time I run one it comes as an absolute shock for anyone who’s had AD for any length of time,” said Makin. “I just ran one recently, in an organisation of around 8,000 people, and we surfaced 25 million attack paths.”

“The problem I have with that,” one CISO said, “is that I end up with 25 million things to fix.”

“We totally recognise that, and we flip it on its head,” Makin said. “You’re never going to fix 25 million paths. That’s why the concept of cyber hygiene is really flawed. I’m not saying you shouldn’t do it, but if you do, you don’t have a measurable reduction of risk. Our whole enterprise solution works on an attack graph. We work out which is the final path that takes an attacker to your critical assets.”

“I often say, it’s like going from Manhattan to Brooklyn,” suggested Mark Wilson, SpecterOps’ sales engineer. “There’s millions of routes to go from one to the other. But if you take away the bridges, most of them are pretty irrelevant.

“We focus on chokepoints,” he added. “After you surface loads of things and realise you’ve got the biggest to-do list in the world, we have a playbook – a remediation plan – which helps you to close those routes down.”

Sometimes, though, the attack paths revealed by BloodHound aren’t obscure routes an attacker could use to compromise the business and which should therefore be blocked. Sometimes they’re part of why the business works well.

“It [BloodHound] can surface so many things it can be overwhelming,” Sheldrake acknowledged, “but it also surfaces things that are necessary. If certain paths didn’t exist, then the business wouldn’t function.”

The fact that there may be many pathways that have to be kept clear could, therefore, simply be a function of the nature, scale and requirements of a successful enterprise. While some of the leaders around the table wondered whether this implied that the solution might lie less in tooling or technology than in recruiting, training and retaining sufficient specialist staff, Sheldrake argued that both are necessary.

“It’s twofold,” he said. “Having people who can interpret [BloodHound’s output] and who can understand what they can improve, [is important]. But also, for the SOC and for incident responders, it’s about having an awareness of those attack paths – so that, in an incident scenario, a defender can say: ‘OK, there’s an alert on this asset – what’s possible for an attacker to do from there, and what should we be concerned about?’ There are things [the business] should be able to concentrate on, in terms of strategy.”

The Great Shark Hunt

But to use an attack-path analysis effectively, there’s one other important piece that has to be in place. The business needs to be clear on its priorities, and – while this might seem like a separate issue, they tend to be linked – it needs to have clear, cogent and useful policies in place to support not just the security teams, and the rank-and-file users, but the decision-makers, too.

“You can keep your existing policies and process, and use BloodHound to check” whether everything is working well, one leader suggested. “Part of the problem,” they added, “is that policies often don’t let people see what’s going on. If you’re a domain admin you can’t find [the necessary information] so you can’t ask the question. And the people approving the process have no idea what it means.”

“There are so many players, and they can break policies without you knowing,” another said.

“In my organisation,” a third offered, “we’ve just done the vulnerability-management stuff, using discovery tools. We have two tools doing that, and they’re telling us different things. And then there’s the separate thing about attack paths, from an identity perspective.”

“You need someone to make a clear decision about what’s a priority,” one CISO said. “Too often I don’t see that. They’ll say, ‘They’re all a priority’. That’s not a decision. Well, it is, but it’s a crap decision.”

After another digression into genAI territory, a conclusion of sorts was reached. Not that it was anybody’s idea of a perfect solution.

“Everybody has to go back to basics,” was the way one CISO summed it up.

“I don’t think anyone’s saying BloodHound is going to fix all your problems,” Tate said. “But, by using it in tandem with all your other controls, you can reduce your attack surface and make it harder for the adversaries. And that gives your SOC team and defenders more time. There’s a really important point around needing the right people and the right skills, so you can apply context, interpret and contextualise effectively. Without being able to do that, you can see all your problems, but you can’t solve them. I have a bit of a love-hate relationship with people who say this, but it’s ultimately about making your defences harder to get through than your neighbours’.”

Find out more about SpecterOps and what sets them apart!

The post Fear And Loathing In The Active Directory: Can Mapping Attack Paths Point You In The Right Direction? appeared first on RANT Community.

Compliance is a baseline, not the destination

Compliance provides assurance. It does not guarantee resilience. Too often, organisations focus on passing audits rather than addressing real threats that could disrupt operations.

As one participant put it, “Compliance is second line assurance.” Another noted that audits can become a tick box exercise when external teams do not fully understand how the business operates. This exposes a broader tension. Are risk decisions being made in line with business objectives, or are frameworks driving the agenda on their own?

The consensus was clear. Compliance sets minimum standards. Effective risk management protects continuity, supports growth and aligns decisions with what matters most to the organisation.

The reality of tooling: clarity before complexity

Many teams still rely on spreadsheets to track risks and evidence compliance. For small environments this can be workable. Scale introduces fragility.

“All it takes is for someone to delete the Excel,” one attendee observed. Others highlighted a disconnect between vendor promises and practical needs. “The dream is sold as one tool,” said a participant, while another added, “Policies can map and do assessments and have action plans, yet we still end up in Excel.”

GRC platforms can help prioritise risks, document activity and maintain a reliable source of truth. But success depends on clarity of purpose. A single tool rarely solves every challenge. The roundtable highlighted how overambitious rollouts often fail because expectations do not match reality. While some teams expect full maturity within 12 to 16 weeks, experienced practitioners cautioned that meaningful implementation often takes two to three years.

The advice was consistent. Start small. Define what you want the tool to deliver, whether that is visibility, accountability or stronger alignment with business objectives. Build momentum through measurable, incremental wins.

Sector context shapes priorities

Risk and compliance priorities differ by sector. Some organisations emphasise continuity and operational resilience. Others focus on enabling faster delivery and supporting rapid scaling. The roundtable chair noted that a CISO’s priorities often reflect the organisation’s tolerance for disruption and the pace of its growth strategy.

Participants also highlighted challenges working with auditors who lack full context on the organisation’s business model. When audit expectations diverge from operational realities, security teams can be pulled away from addressing high impact risks. Bridging that gap requires better internal alignment and a shared understanding of what the organisation values most.

Leadership and language matter

Technology alone cannot close the gap between compliance and effective risk management. Engagement from senior leadership is essential.

“The business has got to want to be engaged,” one attendee said. Another noted that leaders do not want to be told, “You are doing it wrong.” They want clarity on trade-offs, not roadblocks.

The discussion also surfaced a language problem. Different teams often use different terminology to describe issues, risks and controls. Without a shared vocabulary, assessments do not translate into clear decisions.

When risk is framed in business terms, engagement improves. Leaders want to understand the commercial impact of inaction. They respond to clear evidence of which risks could halt operations, delay high priority initiatives or damage customer trust, and what pragmatic steps will strengthen resilience without slowing delivery.

A practical playbook for progress

The roundtable surfaced a set of practical steps that any organisation can apply, regardless of size or sector.

1. Start with one priority area
   Select a process or unit with clear impact on the business. Map risks and controls, establish a simple reporting rhythm and build from there.
2. Define outcomes before choosing tools
   Decide what success looks like. Visibility of risks, better alignment to objectives, faster evidence collection or clearer accountability. Choose tools that serve those outcomes.
3. Standardise language
   Create shared definitions for issues, risks and controls. Align scoring so that assessments convert into clear decisions.
4. Set realistic timelines
   Expect incremental progress. Use phased implementation rather than a big bang approach. Review adoption and impact quarterly.
5. Prioritise risks that move the business
   Focus on exposures that could disrupt operations, delay initiatives or erode trust. Avoid trying to address everything at once.
6. Build leadership engagement early
   Frame risk in terms of commercial impact. Present scenarios, trade-offs and measurable improvements to secure ongoing support.
7. Measure and share results
   Track time saved, reductions in repeat findings, improvements in closure rates and changes in exposure levels. Sharing progress reinforces momentum.

What good looks like

Participants who reported success described a disciplined focus on outcomes. They resisted making platforms do everything. They agreed success measures upfront. They concentrated on creating a reliable, shared source of truth for risks, controls and evidence. They used data to prioritise action and demonstrate improvement over time.

One attendee summarised the reality well: “Risk is obvious if you have not done the basics.” The message is not to chase complexity. It is to get the fundamentals right, show progress and keep risk aligned with what the business needs most.

The bottom line

Compliance frameworks will continue to evolve. Resilience depends on understanding and managing the risks that matter most. Integrating compliance into a broader risk strategy allows organisations to protect operations, maintain trust and move forward with confidence.

The discussion made one thing clear. Compliance is essential, but it is not the strategy. Focus on fundamentals, build incrementally and keep risk aligned with business objectives. That is where resilience starts.

Ready to transform cyber risk oversight with integrated GRC capabilities? Schedule a demo to see how Diligent’s platform delivers comprehensive cyber risk intelligence to boards.

The post From frameworks to fundamentals: rethinking risk in 2026 appeared first on RANT Community.

“I’d never say any risk is wrong to focus on, it all depends on the organisation,” said Sapna Patel, head of cyber at the King’s Trust, and one of RANT’s two invited panellists for the event. “In my organisation, I’m not as worried about shadow AI as I was a year ago, but I’m worried about embedded AI that pops up without us knowing about it.” Security leaders need to balance competing demands, she argued – from those within the workplace who want to ramp up use of these tools, and those within the workplace who remain at best sceptical, at worst actively distrusting of the technology.

“There’s three broad areas of risk associated with the use of AI,” said Joe Mulhall, Technical Information Security Officer with the Financial Conduct Authority. “Data leakage is a huge one – and while it was certainly bigger last year it’s not gone away yet. Then there’s the security of the large language models built within our organisations, which could introduce risks of model theft and data poisoning as well as data leakage. And the other area of risk we’re all looking at is productivity risk. How do we leverage this to keep on top of all the other risks?”

“I don’t think we’re focusing on the wrong AI risks, because there’s so many of them,” Ben van Enckevort, chief technology officer and co-founder of Metomic, the night’s sponsors. “There are today risks and tomorrow risks – and today there are three ways I’ve seen individuals adopt AI. First, people are going to integrate something like Chat GPT, or employees are using it – and then we get worried about employees uploading sensitive data. That was a year ago: now they’re saying, ‘OK, we’re not really that worried about shadow AI – we’re going to plug our data into various systems because we want our employees to do the best job.’ This is where the biggest risk is, because they may introduce risk accidentally.”

More troubling, though, van Enckevort argued, are the challenges that become amplified when automation is applied to the picture, and AI agents are authorised by companies to take actions without human intervention.

“People want to automate things; companies want automatic employees,” he added. “At that point, the visibility on what’s sensitive data, where it is, and what people are doing with it, is the biggest risk. And going on to the tomorrow risks: tomorrow, it’s about when agents are acting on instructions that may not come from your employees.”

Build It Up, Tear It Down

Immediately, as so often at a RANT Forum, the first speaker from the floor took issue with the parameters of the discussion as just outlined by the speakers.

“Never mind today and tomorrow risks – let’s talk about 10-year risks,” they challenged. “The rise of agentic AI means we get rid of all the entry-level jobs we use to train our juniors, who, over time, become our seniors.” The eventual hollowing out of the experience base of the enterprise, they suggested, was inevitable. “It’s all utterly predictable,” they said.

Not so fast, the panel cautioned.

“Automation is kind of what we in the cyber security industry do – or what we protect,” Mulhall replied. “I don’t see less people in IT, I see more. We’ll be doing different jobs. Do people need to come in and do the jobs we already do? I’m not sure.”

“I share the concern, and I agree, though I don’t know the answer,” van Enckevort said. “Looking at patterns over time, the jobs we have to do will completely change. Things juniors are being trained to do now will be right at the edge of what we once needed them to do. The only thing I’m confident about is that in 10 years the jobs will be different.”

“I think there’ll be a lot of regret,” Patel acknowledged. “And after we regret, we will see the need to humanise everything” – to bring things back to the way things are now, she added.

“It’s an interesting thing to explore,” Mulhall added. “Thinking of security – not any other job – I look at history for inspiration. Cities have traded for thousands of years. There’s always been security problems. We’ve always worked to solve them. We’ll still need security professionals to solve them.”

Going Out Of My Head

Talk turned to knock-on risks – risks associated with AI use, but that do not arise directly from it. For example, the risk of a company being sued because of actions taken by AI agents which had carried out those actions without any direct instruction to do so from a member of staff. The first response, from Mulhall, garnered a spontaneous round of applause from the majority in the room, when he said that he didn’t view this as a cybersecurity problem. Yet there was rueful acceptance that, whether it was properly a challenge for security teams or not, it was likely to end up in their in-trays.

Future regulation of AI – in the European Union and the UK in particular – was also an issue that had been on people’s minds. In answer to a question about preparation for those, Patel said “I’m keeping an inventory and just making sure I’m keeping ready”.

Clearly, how AI risk will be assessed is going to keep on changing, as both new products and new regulations emerge. Preparing a business for all of that may be challenging, but it should not be impossible.

Patel said: “I treat it in the same way I treat everything right now – dissect it, look at it more, then decide.”

Van Enckevort suggested that there may be some useful examples to be found in recent data-protection history. “What kickstarted companies taking GDPR [the EU’s General Data Protection Regulation] seriously was real risk. I think we’re driving head-long into some large lawsuits, and that will start focusing attention.”

Mitigating these kinds of risk is possible by enhanced, focused and forensic attention on precisely what you’re using in your organisation, and minimising exposure by shutting the door on redundant or unnecessary tools, he argued.

“Personally, we drill very, very strongly into the employee base, to understand what’s appropriate,” he continued, “and if you generate something you don’t use, that’s something that’s inappropriate. But that won’t last long. What I see coming is greater focus on what’s appropriate to use. This is something we see in our customer base. I think the answer will change over a couple of years, but I expect this will still be an issue.”

Yet where these risks arise from using a tool supplied by a third party, the responsibility will likely depend on the precise contractual terms the customer company has agreed with the AI vendor. And the more companies are reliant on wide-ranging AI technologies, the less likely those contracts are to be worded in a way that is particularly helpful. And, when one wag wondered whether anyone in the room had a data-processing agreement with Chat GPT, the chorus of “No”s was close to unanimous. Whether these kinds of risks will be considered jobs for the security team or not, they will represent threats to the business, and someone will have to bear them in mind.

Slash Dot Dash

Perhaps surprisingly, data protection issues – and the governance, regulation and compliance questions they raise for businesses – went on to become a major talking point. One attendee told a story of being asked to input their passport and other details into the automated chat feature of a large airline’s website. They declined, and when they asked the airline how those data were being protected, the airline said they didn’t know.

“Should there be measures in place to make sure that when you put data into a form on an automated chat that it’s protected?” they asked. “And who should be responsible? If I park my car at my own risk, I know it: do we input our data into automated web chat forms on the same basis?”

Patel, her role as the voice of reason for the evening already well established, pointed out that “how they use such information should be on the privacy policy of the website. You should know that up front.”

“Unfortunately, this is very common,” van Enckevort said. “I moved into an apartment recently, with a company I’d used 10 years ago. They needed me to prove my identity. I said, ‘Haven’t you already identified me?’ And they said, ‘Oh yes, here’s your passport from 10 years ago’.”

Mulhall was optimistic that common sense may, eventually, prevail – “I think what will happen is that people will stop asking for data that they really don’t need,” he said – but did not venture a guess as to when that may happen.

Praise You

The conversation began to coalesce around what might be termed the pragmatic solutions or approaches that businesses and their security teams can meaningfully and usefully start to adopt. And the first step to assessing what is viable as a security posture (as opposed to what would be great to have but will be unaffordable, impractical or otherwise unachievable) may lie in deciding to what extent the challenges posed by this new technology are, in and of themselves, novel or unprecedented.

“I’ve been in security for quite a while,” one attendee admitted, to sniggers from among some friends and colleagues. “We’ve always got something new to deal with. It’s always a major issue, and we need to fix it, so our focus goes on it. And then eventually all these things move into the organisation and they become part of normal cybersecurity hygiene – part of the default minimum requirements. What do we think, at the moment, is AI security hygiene? To me, it’s all over the place. We attack everything as a priority. It some point, I guarantee, it will settle down, and there’ll be AI security hygiene requirements that you do as part of your normal work. What will those be, by default?”

It was a good question, and occasioned some brow-furrowing and visibly evident deep thought. And the first response, which arrived surprisingly quickly, felt both achievable and inspired.

“We need to apply GDPR wherever we use AI, and apply it as deeply as possible,” Patel said.

“Classification as standard – classification for all your data,” van Enckevort then suggested. “Classification is the thing that stands out to me, where you have to understand what’s inside each piece of data. Classification comes first.” Such classification would, he added, need to be done automatically.

“I agree about GDPR. But if you put information into an LLM, you can’t delete it – so GDPR is an issue,” one attendee argued. “Automation of classification systems – that hasn’t worked so far. And AI systems are non-deterministic, so you can’t test them in the way you normally do.”

“It doesn’t have to be perfect to deliver value,” Mulhall said. “We have to remember that. If we as an industry get the majority of security right, we’re still far better than we are now.”

The post Right Here, Right Now: Is Cybersecurity Focusing On The Most Important AI Threats? appeared first on RANT Community.

To find a way through this impasse, Cato Networks recently convened a group of 15 like-minded security leaders with skin in the game.

Kicking off an evening of robust discussion as only RANT knows how, Cato Networks VP Northern Europe & MEA, Kanwar Loyal, articulated the challenge facing NetOps and SecOps teams.

“Only 10-15 years ago, everything was point products, on-premises and best of breed. We created complexity that’s actually now causing a problem,” he said. “We consume technology very differently now. We’ve seen an inflexion around traditional networking and security. Enterprises want to consume network and security services exactly the way they’re consuming other SaaS-based applications.”

The first task for CISOs hoping to embark on this journey, is to break down traditional silos that exist between security and networking.

It’s good to talk

Our speaker for the evening, Grant Thornton UK Head of IT Security, John Dunne, highlighted the scale of the challengeA show of hands revealed that four security leaders around the table had discussions with their network team in the previous fortnight about the need for holistic security approach.

“My network team recognise the size of the challenge” he admitted. “But it is a continual process to bring all of the disparate streams on-board so they understand what we are trying to achieve..”

Silo-isation can be one of the reasons preventing departments from working harmoniously together. One security leader suggested a reason why the walls between both functions are so hard to break down. Networking teams traditionally focus on availability, while their security counterparts are more bothered about confidentiality and integrity. “When they say ‘no’, it’s not because they think you’re horrible, it’s because they’re worried you will break something,” he argued.

Another factor is that networking is becoming increasingly marginalised in some organisations as more infrastructure moves to the cloud. One attendee explained that if he wants to talk about cloud services, he speaks to the DevOps team. “The cloud isn’t a network-supported entity,” he added.

So how can security leaders evolve the relationship to a more collaborative one? One CISO shared that he built trust with his networking team because he had previously worked as an engineer installing routers and switches. “It’s about demonstrating that trust and understanding what an engineer goes through,” he said.

Another claimed “friction doesn’t exist” in his organisation because he has had “grown up conversations” about who is responsible for what, and all functions understand there will inevitably be overlaps. Ultimately, they know that “if we don’t work together we’re going to fall apart”, he explained.

Skills, silos and budgets

Technology can also play a role in spanning the network-security divide. For Cato Networks, Secure Access Service Edge (SASE) platforms can be the ideal bridge between the two, by converging networking and security functions in a unified cloud-delivered service. So why aren’t more organisations embracing it? Budget constraints were cited by many around the table, as was the perceived threat that SASE may pose to traditional teams.

Skills gaps were also mentioned by several CISOs as a challenge, especially as organisations build out their cloud infrastructure.

One opined that even cloud engineers “still need to understand” the networking basics. Another, who is the security lead at a cloud-centric organisation, admitted “that’s where we come unstuck”. She shared that she has product security engineers, cloud security engineers and IT engineers, but no network engineers, because “we don’t have a network, we have a mesh of interconnected cloud services and SaaS.” She urged her peers around the table: “Don’t let go of all your network security engineers.”

Basic networking skills are especially vital in a modern SASE environment given the shared responsibility model for managing cloud security.

“It’s a nice way of saying, ‘we’ll do a bit of it then over to you guys’,” explained one CISO. “The problem is finding people that have the experience – finding enough people that know about these things. Because with the shared responsibility model, if you mess up in the way you’ve configured your cloud, it’s your fault.”

Starting the journey

Whatever the challenges, change is coming, according to Cato Network’s Loyal. “There’s always been change,” he argued. “Today’s innovation becomes tomorrow’s commodity. All of us are being driven by change, but we’re being stuck with traditional constraints.”

Traditional mindsets can actively harm an organisation, one attendee warned. “The castle and moat thing is no more,” he said. “But there is still a bit of clinging on to that. It’s a bit dangerous … because all the sensitive stuff is in Workday and Salesforce, not inside [the corporate network].”

This new world of distributed workforces and multi/hybrid cloud environments is one that Zero Trust and SASE were built for. Both require multi-year transformation journeys that put some IT leaders off. But Cato Networks’ Loyal was keen to point out that SASE can be split into more manageable, modular projects depending on which use cases are most urgent.

Even then, plans are often scuppered by unrealistic expectations about time to value, and a desire for a uniform approach that will cover even “niche and edge cases”, attendees argued.

To leap these obstacles, security leaders will need to learn how to speak the language of networking as well as the business, in order to win hearts and minds. One CISO spoke of the need to manage expectations with the board. “Take small steps to win people’s confidence, and the rest will fall into place,” he added.

Another signalled the importance of covering third-party risk in any SASE/Zero Trust discussions, as these are often the edge cases that can make or break a project.

Time for change

Whatever happens, sticking with the status quo is not an option.

“Everyone round this table wants to deliver connectivity, security, control and visibility to every edge and identity,” concluded Loyal. “It needs to be seamless. But how do I deliver a service for the business that accelerates the way the business wants to go?”

SASE may well be the destination. But CISOs will need to think carefully about how they start their journey.

The post Change is coming, but can networking and security get their act together? appeared first on RANT Community.

“One emergent threat we’re seeing is AI being weaponised, especially around deepfakes,” Findlay Whitelaw, Exabeam’s security researcher and strategist, said. Whitelaw recounted how, as an exercise, a friend managed to construct a convincing deepfake video of her from only 30 seconds of footage shot on a phone. She then recalled the notorious example of the UK company in which an employee was socially engineered to transfer £25 million out of the business following a videoconference with the chief financial officer – which turned out to be a deepfake.

“The CFO was putting pressure on the accidental insider to transfer the money, but what they did that was really clever was to deepfake two other board members who were sitting in on this Teams conference call,” she said. “They were giving reinforcement through nodding of heads. The accidental insider had no idea – they trusted every element of it, and they made the payment. That’s what we’re going to be seeing more of: it’s not just the technology that’s being exploited – the human element is being exploited.”

While there was agreement around the table that such episodes are clearly very worrying, there were several high-level security staffers in the room who took issue with the extent to which such highly targeted attacks could be easily repeated. And one CISO wondered whether, in fact, this was even a security issue at all.

“That’s not a cybersecurity failure – that’s a financial-controls failure,” they argued. “There’s no way anyone should be in a situation where a senior leader in the business comes to them and puts them in that situation. I’m putting the blame for this one on the CFO! It’s nothing to do with cyber, yet very often the cyber team are brought in to deal with any failure like this.”

In turn, they argued, this raises another human dimension in the cybersecurity debate: the pressure that is being placed on security staff by failures that may be enabled by technology but result from ineffective policies or patchy implementation in other parts of the business.

“It’s why so many people here are worn thin,” this security leader suggested. “They’re dumped into everything that happens like this, even though it’s nothing to do with cybersecurity.”

(Don’t Worry) If There’s A Hell Below, We’re All Going To Go

Alsa Tibbit, an advisor and researcher on AI cybersecurity with Sheffield Hallam University – and RANT’s guest co-host for the discussion – raised other ways in which AI and deepfakes are being used to manipulate human behaviour. AI agents, she argued, will “create a huge revolution in cybersecurity because they don’t have a hierarchy of needs” that apply to, and affect the behaviours of, every human being.

“Why do we think the human is the weakest link in cybersecurity? Because the human has that hierarchy of needs,” she said. “Food, family, health – so many things. These elements can all at some point be shaky. Due to stress you might click a link, then feel guilty, so you don’t tell anyone about the mistake. AI agents just have one aim.”

This ability to focus on the task in hand is what makes generative AI such a potentially powerful tool, but also what makes its deployment in the workplace such a challenge from a security perspective. Tibbit mentioned, also, genAI’s capacity to amplify other problems faced not just by businesses but by entire societies, such as the spread of misinformation – whether deliberately or by accident. Again, though, such challenges, because they are technology-enabled, are being turned into cybersecurity staff’s problems – even though, the leaders in the room agreed, they are not actually cyber challenges.

“This is the perennial problem with cybersecurity people: we take on everyone else’s burden,” one CISO lamented. “Misinformation is not a cybersecurity problem.”

“Phishing, absolutely, is a security problem,” another security leader acknowledged, adding that genAI was putting “phishing on steroids”. However, they pointed out, genAI has not created a new challenge here, just amplified an existing one.

Hard Times

Another problem that is being felt by security teams, even if it is not strictly speaking their responsibility to solve, is around how businesses are encouraging their staff to feel comfortable with genAI tools. In general, the approach seems to be to humanise the technology by giving it a name, a role or a title that would normally belong to a human member of staff.

“Now we’ve got call centres using AI, giving the AI assistant a name: ‘This is Gemma from wherever, how are you today?’,” another CISO said. “The more we start doing that, the more normal people think it is. We’re humanising interaction with AI.”

“And we’re becoming over-familiar with it,” Whitelaw agreed. “AI is not going to go away. People like it. It’ll bring its own benefits. But where we are in security, companies aren’t writing AI into their policies and standards. Colleagues and employees are not being trained on the implications of the damaging impacts. There is a gulf between the individual and the corporate stance.”

Bridging that chasm is going to take not just a major education effort – but may well require a wholesale retraining of the attitude of the average employee. Attendees were quick to highlight the kind of mindset shift that is needed: encouraging employees not just to care about security, but to care about the future of the company in order to promote the idea of security as being a shared task that every staffer needs to feel fully invested in.

“Until the person cares about what they’re protecting they’ll carry on” accidentally putting data at risk, one CISO argued.

“It’s not just about caring – it’s about knowledge,” another suggested.

“And impact,” pointed out Dharm Vashi, Cybanetix’s sales lead.

“We all understand the impact of clicking on something, but is it sustainable?” Whitelaw asked. “In different roles I’ve had, the consequences were never consistent.” Neither, therefore, she suggested, were the interpretations staff would draw over what the company’s standards and policies actually mean. In such an environment, the best training programme in the world will struggle to gain much purchase.

Power To The People

The conversation began to explore ideas that might start to move the needle on effecting that kind of change. Throughout, there was recognition that these, in and of themselves, are not security issues: but among the many qualities required by cybersecurity professionals, pragmatism is among the most paramount. So regardless of how reasonable it may  or may not be, everyone in the room seemed to accept that it would likely be them who were left to pick up the pieces from failures elsewhere in the business.

“Going back to human needs – they’re not thinking about security: they’re thinking about how to feed their family, and how to be more efficient,” another security leader said. “So the training isn’t going to stick in people’s minds. Once they’re outside that environment, it goes out of their heads.”

“We’ve been trying to say that security is everyone’s responsibility, not just mine or my department’s,” another CISO said. “But you’ve got to keep doing it. Annual training isn’t enough. Most people don’t want to do it, or they do it begrudgingly, and they don’t take anything away from it. We have training and then we have short, sharp nudges; reminders; newsletters. We try to balance it so we’re not overloading people but we’re also not just doing it one time and they forget. But it’s getting across that it’s their responsibility, too, not just ours.”

There was interest expressed by others around the table as to what extent that message was resonating within the company’s workforce. Cybanetix takes the view that the responsibility should definitely be shared. The firm’s head of presales, Martin Luff, was optimistic about the ability for emerging technologies to help, but not without joined-up thinking within organisations.

“Whether it’s finance, cyber… actually, it’s everybody’s problem. It’s got to be a joint effort,” he said. “There are things you can do in terms of technology, some guardrails you can put around the use of AI, but there’s no perfect answer yet.”

We’ve Only Just Begun

Of course, it has long been understood – however ruefully – that there is no better corporate learning experience than a major data breach. When the business struggles to get back on its feet after a serious incident, or when that incident results not just in increased workloads but perhaps even redundancies – that is generally when the penny drops among the rank-and-file staffers for whom security had felt like someone else’s job. The ideal situation, attendees agreed, would be to be able to get into that post-attack mindstate without having had to go through the incident in the first place. Whether that is achievable is another matter.

“Do we need the horse to bolt before we close the stable door?” one attendee with experience of trying to inculcate better security cultures in multiple businesses mused. “You go into organisations and you’re trying to preach to the ones who aren’t converted. They work on old systems that aren’t secure, they share credentials, and they say, ‘It’s always been like this and we’ve never had an incident.’ They just don’t know.”

“It remains complex,” Whitelaw said. “Humans are diverse, unpredictable, multifaceted. While I agree not everything we’ve discussed is cyber directly, everything we do that uses these tools and digitised platforms is, by default – rightly or wrongly – going to be seen as an element of security. Cyber, legal, HR, business units – it’s an everybody issue. But I don’t think we’re there yet. And I’ve not seen any company get it right.”

Interested in learning more from experts at Exabeam and Cybanetix? Find out more here: Exabeam & Cybanetix

Connect with Exabeam’s Findlay Whitelaw.

The post People Get Ready: Like It Or Not, The Human Perimeter Is A Cybersecurity Challenge appeared first on RANT Community.