As we head into the end of 2022, it’s important to pause and reflect on what has been another busy and challenging year for the cybersecurity industry.
To learn more about the biggest cyber threats and challenges of the past year, Information Security Magazine interviewed many high-profile executives, including industry veteran Larry Whiteside Jr., CISO of RegScale and co-founder and president of the nonprofit Cyversity. Whiteside also spoke about whether the industry has made any progress in diversity, a subject he is passionate about.
A full audio interview can be heard on the December episode of the IntoSecurity Podcast.
Information Security Magazine: What are the biggest cyberattack trends for 2022?
Larry Whiteside: I would count the number of spam emails and social engineering emails. I remember social engineering contests at events like Black Hat in the late 1990s and early 2000s. Social engineering was huge at the time, but seemed to take a nosedive within a few years. But today, almost all hacks coming in via email are social engineering. All aspects of email phishing are fundamentally new social engineering.
The growth of social engineering is amazing, because I thought people had gotten smarter. We have invested heavily in cybersecurity awareness training and education through initiatives such as Cybersecurity Awareness Month. Still, people are clicking on these malicious emails. This is because of social engineering. I can’t tell you how many private stories I’ve heard from CISOs whose employees bought a bunch of gift cards because they received an email claiming they were asked to do so by the Chief Executive Officer (CEO).
What many CISOs recognize is that education is no longer just an issue. You’ll have to go back and consider other approaches to protect your end users from themselves.
There are many approaches we can take. Identity and access management has become very important and we will require more credentials and authentication to enable users to access sensitive data and applications. We have started to use many other mechanisms, and we need to recognize that this overarching protection should be applied to our users.
IM: What were the biggest cybersecurity challenges for your organization this year, and what lessons can you learn for 2023?
LW: Ransomware is still on the rise and so are payments, so I think organizations still have challenges when it comes to responding to and recovering from ransomware incidents. Having to quickly identify that you’ve been hacked, find out what happened, and then go through that recovery process by paying to get your keys back or whatever: that is the entire life cycle.
We have had ongoing discussions about whether we should or should not pay.
Another challenge is improving mean time to detection and remediation. We recently talked about the “1/10/60 model” that many CISOs have been talking about. This means identifying a cyber incident in less than a minute, figuring out how it happened in less than 10 minutes, and remediating it in less than 60 minutes. I understand that as a leader you should set goals for your team, but these must be achievable.
At this point, many organizations are still suffering from these attacks, which brings us to the final part: governance.
If you think about the cybersecurity industry, it is very technical on the one hand and non-technical on the other. The non-technical side is usually about governance, related to the governance, risk and compliance functions of an organization. I think these divisions are about to step into the limelight. If an organization has in place a sound governance, risk and compliance program that identifies risks, classifies them based on data, and aligns them with controls, it can focus on those that have the most adverse impact on the organization.
IM: Has the cybersecurity industry made progress in improving diversity this year? What initiatives would you like to see more of in 2023?
LW: I believe diversity across the sector has improved. In particular, I think we’re improving on the sales side of cybersecurity, a component of the industry that many people don’t think about. Every tech company that sells cyber has a global team of salespeople, and I think that’s why they employ more women in that department than anything else I’ve seen.
On the corporate side, diversity has also improved, but not at the speed we would like.
My hope for 2023 is that organizations will begin to recognize the barriers to diverse employment. Organizations are still trying to take advantage of old mechanisms and adapt them to this new era. For example, asking for a CISSP for an entry-level job. A CISSP requires a minimum of 5 years of experience, but entry-level jobs are 0-1 years of experience, so you cannot have both.
Ultimately, you should look at the job description and understand what is important to the role. Do you really need people trained in every toolset on that team? Or are you willing to train them by running cognitive tests as part of your hiring process to show they’re apt for what you can do? Are you looking for someone with a can-do, curious mindset?
Unfortunately, we still deal with many organizations that have published job descriptions with many hurdles. This means that diverse candidates cannot meet the requirements.
From conversations I have had with the CEOs of these certification companies, they all agree that certification is not meant to be a barrier to getting a job. Certifications were meant to show that a person has the aptitude to achieve something. So how does someone from a poor socioeconomic background pay for a certification to enter the industry?
So we have this dichotomy that we need to address as an industry and I hope more companies realize this and change their approach to hiring.
IM: What advice do you have for organizations to maintain strong cybersecurity in the face of economic headwinds?
LW: Governance and risk become more important when funds are tight and all teams are asked to tighten their belts and see how much they spend. We are stuck in this mode of buying more and more operational security technology. But we are so focused on this defense-to-detection stage that we lose sight of the importance of governance.
Governance and risk should be the determining factors in where we spend our resources – time and money. As money dries up, we have to act the same way we manage our finances. The same principle applies in business. The problem is that many organizations don’t use these muscles very well and often only use them for annual audit reports.
Based on your organization, go back to identifying what is most important from a risk perspective. It sounds simple, but it’s not something we’ve done well historically, and it’s not as fun as threat hunting. But I think that’s what has to happen if you want your organization to be able to make the most of the resources it has.