As we reach the end of 2022, it is important to take stock and reflect on what has been another hectic and difficult year for the cybersecurity industry.
To find out more about the biggest cyber-threats and challenges in the past year, Infosecurity Magazine caught up with industry stalwart Larry Whiteside Jr., CISO at RegScale and co-founder and president at the non-profit Cyversity, among many other prominent roles. Whiteside also discussed whether the industry had made any progress in diversity, a subject he is passionate about.
The full audio interview can be heard in the December episode of the IntoSecurity podcast.
Infosecurity Magazine: What have been the biggest cyber-attack trends in 2022?
Larry Whiteside: I would say the number of spam and social engineering emails there’s been. I think back to the late 1990s and early 2000s with events like Black Hat where they had a social engineering contest. Social engineering was huge at that time but seemed to take a nosedive for a few years. But right now, most of the hacks that are coming in via email are all social engineering. Every aspect of email phishing is basically the new social engineering, whether it is about a prize or your credit card bill is due, etc.
The growth in social engineering is surprising because I thought people had got smarter – we’ve been putting so much effort into cybersecurity awareness training and education, with initiatives like cybersecurity awareness month, and we talk about these things all the time. And yet, people are clicking on these malicious emails because they’ve been socially engineered. I can’t tell you how many private stories I’ve heard from CISOs who’ve had an employee go buy a bunch of gift cards because they received an email claiming to be from the CEO asking them to do so.
What a lot of CISOs have realised is that it’s not just about education anymore. We’ve got to go back and look at other approaches to protect our end users from themselves.
There’s a number of approaches we can take – identity and access management have become a huge thing, and we’re going to ask for more credentials and authentication in order for users to access critical data and applications. There’s a number of other mechanisms that we’re starting to use and we have to recognize that we’ve got to put this umbrella protection around our users.
IM: What have been the biggest cybersecurity challenges for organizations this year, and what lessons can they take into 2023?
LW: Ransomware is still on the rise, with payouts going up, so I think organizations are still experiencing challenges around ransomware incident response and recovery. It’s the entire circle of life where you have to identify that you got hacked quickly, find out what happened and then have that recovery process, whether it’s paying and getting keys back or something else.
We’ve continued the debate on whether to pay or not to pay – you’ve got countries saying that you can’t pay, with some states in the US considering going down the path of making these payments illegal.
Another challenge is improving the mean time to detection and remediation. I recently had a conversation around the ‘1/10/60 model,’ which many CISOs are now talking about. This means identifying a cyber incident within one minute, working out how it happened within 10 minutes and remediating it within 60. When I look at the numbers around ransomware, I love the idea of it, but I’m not sure how realistic it is to achieve. I understand that as leaders we should set goals for our teams but these must be attainable.
At the moment, many organizations are still struggling with these attacks, which leads me to the last piece, governance.
When you think about the cybersecurity industry, it’s very technical on one hand but non-technical on the other. That other hand is typically around governance, which often comes in organizations’ governance, risk and compliance functions. I think these departments are about to enter the limelight; if organizations have good governance, risk and compliance programs in place where they are identifying risks, categorizing them based on data, aligning them to controls, then they can focus on the things that are going to most negatively impact their organization.
IM: Has the cybersecurity industry made progress in improving diversity this year? What other initiatives would you like to see more of in 2023?
LW: I do believe that diversity in the sector as a whole has improved, and particularly in the sales side of cybersecurity, which is a component of our industry that not a lot of people think about. When you think of cybersecurity, you think about corporate cybersecurity and the technology companies in the field, but there’s also a huge group of salespeople. Every tech company that is selling cyber has a global team of salespeople and I’ve seen more women hired in that function than anything else.
On the corporate side, diversity has also improved, but not at the rate that we would like it to. That goes for both women and people from other diverse backgrounds.
What I’d like to see going into 2023 is for organizations to begin to recognize the barriers they have in place to hiring diversely. Organizations are still utilizing old mechanisms to try and hire in this new age; for example, asking for a CISSP for an entry-level job. A CISSP requires a minimum of five years’ experience, whereas an entry-level job is 0-1 years’ experience, so you can’t have both.
It comes down to looking at the job descriptions and understanding what’s important for the role – do you really need someone who has trained in every single toolset that you have in that team? Or, are you looking for someone with a curious mindset who you can put through some cognitive testing as part of the hiring process to show that they have an aptitude for what it is you can do, and then be willing to train them?
Unfortunately, we are still dealing with a lot of organizations who are putting job descriptions out that have many hurdles in them. This means that diverse candidates who are trying to enter the field for the first time or transitioning from another career field can’t meet the requirements.
From conversations I’ve had with the CEOs from these certification companies, they all agree that certifications were never meant to be the barrier that they’ve become for entry into roles. They were meant to show that a person had an aptitude to be able to accomplish something. Now, there are so many certifications and they cost money. So, how is a person from a poorer socio-economic background going to pay for the certifications to get into the industry?
Therefore, we’ve got this dichotomy that we need to deal with as an industry and I want more companies to recognize this and change their approach to hiring.
IM: What advice do you have for organizations to maintain strong cybersecurity amid economic headwinds?
LW: As money gets tight and every team is asked to tighten their belt and look at how much they spend, governance and risk become more important. We’ve been in this mode of buying more and more operational security technology. But because we focus so much on this protect-to-detect phase, we have lost sight of the importance of governance.
Governance and risk should be the determining factor on where you spend your resources, which is time and money. As money dries up, we’ve got to act like we do when we manage our home budgets – when things get tight at home, you cut back and focus on the things that are important to your family. It’s the same principle in business. The problem is that a lot of organizations haven’t used those muscles well, and they are often only used for an annual audit report.
It comes back to identifying, based on your organization, what is most important from a risk standpoint. It sounds simple but it’s not something we’ve historically done well and it’s not fun like threat hunting. But I think that’s what’s going to have to happen if organizations want to be able to utilize the resources they have to the best of their ability.