April 16, 2024

In Security: Lessons on Security & GRC from Episodes So Far

In February of 2024, we launched the first episode of the “In Security” podcast. Our goal was to cultivate conversations about cybersecurity and Governance, Risk, and Compliance (GRC) among industry leaders. Halfway through the first season, we look back at some key lessons we’ve learned from industry executives and leaders about the ever-evolving world of security and GRC.

Lesson 1: Understanding Modern Cybersecurity Threats

In today's rapidly evolving threat landscape, challenges such as remote work, the widespread adoption of Artificial Intelligence (AI) and increasingly sophisticated cyber threats pose significant risks. As organizations digitize and become more interconnected, they become more vulnerable. Understanding and communicating these risks to leadership and boards has become crucial for securing the necessary investments in cybersecurity measures.

In episode 5, Kaushik Hatti, CISO at Pinochle.AI, highlighted how bad actors can leverage AI and machine learning for more effective social engineering. As a result, defensive strategies need to adapt to these threats continually. Attack surfaces have also broadened, with more digital interconnectedness on top of remote and hybrid work environments.

Although AI introduces new vulnerabilities, it also offers solutions. AI-driven tools can help organizations identify and mitigate threats, effectively turning the tables on adversaries. The key lies in leveraging these tools while maintaining a robust, proactive security stance.

“There are many systems already in place where any unusual activity can be detected,” Hatti explained in the episode. “There are algorithms built to identify and flag that this is unusual quickly, but if I know what is flagged, then I can use AI algorithms to blend in and ensure that I’m never flagged. It was meant for an era where AI was not as advanced. [...] People have to raise their own awareness; whatever best technology or resources I have with respect to algorithms might not be sufficient in current fields. Then, we have to set processes in place, such as compliance auditing. Underlying all these things, we must also adapt and use AI against AI.”

Lesson 2: Navigating the AI Landscape in Cybersecurity

AI cuts both ways in cybersecurity: it is a tool for attackers and a tool for defenders. Businesses actively use AI to strengthen defenses and to flag patterns that require intervention. Many current strategies and tools evolved in a threat landscape that had not yet seen today's advanced attack strategies and techniques. Cybersecurity generates a lot of data, but it can be hard to make sense of it all, which sometimes means threats are spotted too late. AI can help by creating algorithms and simulations that find possible weak spots in an organization before they are exploited.

In our third episode, Matt Sharp, CISO at Xactly Corp, said: “There are people who are going to ask for permission and people who will ask for forgiveness.” Risks exist beyond the malicious use of tools and can lead to unauthorized access or even data breaches. It's crucial to communicate the acceptable boundaries within which individuals are expected to operate.

The rapid development of AI has necessitated regulatory oversight. The European Union (EU) has shown its commitment by actively working towards developing standards for AI regulation, as evidenced by its introduction of the AI Act and the AI Liability Directive.

Lesson 3: Managing Shadow IT and Balancing Innovation with Security

Clea Ostendorf, the Field CISO at Code 42, emphasizes the need for clear cybersecurity policies, employee education, and open communication to mitigate risks posed by shadow IT.

Shadow IT refers to the use of unauthorized software or systems by employees, which can inadvertently expose sensitive data. This becomes increasingly complex when employees, juggling multiple roles across organizations, unintentionally share sensitive information. These situations can lead to data breaches. In this context, it's essential to strike a balance between security objectives, legal considerations, and individual liberties.

While it is one thing to set and communicate expectations and boundaries as part of a proactive security strategy, it is another to handle the “people” side of security missteps. Balancing innovation with security requires a clear understanding of the organization's risk tolerance. Although new tools, processes, and strategies can speed up and enable progress for a business, they can also outpace how well IT and security teams are able to keep up with them. In this episode, Ostendorf advocates setting clear expectations around data collection and usage, which plays a vital role in addressing employees' privacy concerns.

Lesson 4: Collaboration for Better Security

Throughout the episodes so far, we have recognized that people — as individuals, decision-makers, and owners of roles in organizations — are central to how strong security programs are built. Collaboration fosters transparency, encourages knowledge sharing, and facilitates the development of comprehensive security measures. Collaboration between security vendors, customers, and employees allows for a holistic security approach that leverages innovative technologies such as AI, as highlighted by Ostendorf.

This collective effort enhances the organization's ability to detect and prevent security threats, leading to a robust security posture. Our first episode is an excellent example of this. Chris Cruz, CIO for the public sector at Tanium, discusses how Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) can work together through what he calls “coopetition”: a collaborative effort between CIOs and CISOs that aligns cybersecurity strategies with business goals through standardized processes and unified tools.

With a standardized, unified set of processes and tools in place, how these two roles interact becomes crucial to keeping cybersecurity strategy aligned with business goals. Cruz explains how he put this idea into practice in our first episode.

Lesson 5: Talent and People in Security

Companies are addressing the urgent need for cybersecurity talent by investing in training, partnering with academic institutions, adopting skills-based hiring, and reevaluating traditional hiring criteria. Despite these efforts, the cybersecurity talent shortage remains a pressing issue, necessitating continued collaboration between industry, government, and academia.

Meanwhile, David Cross, Senior Vice President and CISO at Oracle, discusses meeting talent needs in security — specifically, closing the talent gap by tapping into the veteran community. Cross notes that veterans are ideal for security roles, bringing characteristics such as passion, honesty, integrity, attention to detail, commitment, loyalty, and the ability to learn, follow orders, and operate under pressure.

To help veterans transition to civilian roles and gain cybersecurity experience, Oracle has launched the Veterans Internship Program. This program not only supports the veteran community but also addresses the cybersecurity talent gap.

“Do whatever it takes to get your foot in the door and from there,” Cross says, encouraging military veterans seeking civilian roles. “That's how you can grow and find your major opportunities.”

This line of thinking also resonated in the first episode, where Cruz emphasized the value of diversity and continuous learning in the cybersecurity landscape, especially for professionals transitioning from various backgrounds.

-

The “In Security” podcast offers valuable insights into cybersecurity and Governance, Risk, and Compliance (GRC) from industry leaders, with discussions ranging from effective cybersecurity governance and modern threats to the role of AI and the importance of people in cybersecurity. You'll hear from experts like Chris Cruz, CIO at Tanium, and Matt Sharp, CISO of Xactly Corp, who delve into the complexities of cybersecurity. They discuss emerging trends like AI and machine learning-based threats, the implications of Shadow IT, and the importance of a proactive security culture within organizations. If you're interested in learning about the dynamic landscape of cybersecurity and GRC, tune in to the podcast for key takeaways and lessons learned from top industry leaders.

Nirvana Karkee
Content Writer