Let's Talk SoC

A Year in Cybersecurity: Key Takeaways and Future Trends

Episode Summary

2023 has been a headline-grabbing year for cybersecurity, from high-profile breaches to supply chain attacks and eye-watering ransoms. Dramatic shifts in the physical and virtual worlds have reshaped the threat landscape, causing enterprises to take another look at their cybersecurity strategies. Join Secureworks CISO Ken Deitz to review the big moments of 2023 – from the rise of AI to new cybersecurity rules. We’ll discuss the impact on the industry at large and how your business may be affected. And we’ll take a look at how best to ensure you’re ready for 2024.

Episode Notes

Episode Transcription

Secureworks Interview with Ken Deitz

Sally: Hi everyone, and a very warm welcome to Let's Talk SoC. I'm your host, Sally Eaves, and today we're looking back really to go forward as we explore the key developments in cybersecurity in 2023 to better prepare for 2024. And to do exactly that, I'm delighted to be joined now by Ken Deitz, who is CISO at Secureworks. Welcome, Ken!

Ken: Hi, happy to be here.

Sally: Oh, fantastic to see you again, Ken. And perhaps to start, perhaps to share a little bit about yourself and your role at Secureworks.

Ken: Sure! So, I am the Chief Information Security Officer for Secureworks, and I am in charge of both our product security for our Taegis platform that we deliver security services to our customers on, and our corporate security. So, making sure that our employees are being as safe as possible with the data that our customers are entrusting us with.

Sally: Fantastic. Thank you so much. Love that holistic focus. And I almost don't know where to start in terms of what has happened to cybersecurity in 2023. You could take so many approaches here, but maybe your kind of gold, silver and bronze, if I may. What are your biggest moments that we should be reflecting on now to go forward into 2024?

Ken: It's been a very, very busy year. Some of the big things that have emerged this year are obviously the emergence of AI, generative AI, that has taken kind of the industries by storm. There's been some big breaches around identity providers like Okta; that was a fairly big and ongoing breach that's impacting more companies as more information comes out. The MGM Grand breach was a fairly big and newsworthy event and shows the importance of employee training and all the vulnerable areas of where we interact with our users, as well as new regulations in the U.S., at least from the Securities and Exchange Commission, publishing new rules around reporting of cybersecurity events and disclosure of cybersecurity risk management practices, as well as the SEC getting more aggressive around enforcement. They have filed a suit against the CISO of SolarWinds, which I believe is the first for this type of action.

Sally: Absolutely, I'll definitely come back to that if I may, Ken, a little bit later as well. The MGM one, funnily enough, was very, very recently. I think that was Scattered Spider, the casino incident there. And I think that's a great example too, of another area we're seeing in terms of this evolution into networks in so many different ways, almost kind of an OCG, organized crime grouping approach, very highly adaptive and organized. But equally, we've got the other approach where you've got kind of smaller, less organized entities as well that are also collaborating on some of the dark marketplaces and forums too. So, such a kind of ecosystem approach in many different ways, but also this diversity and variety of threats that we're seeing, and also kind of actors collaborating together too. We've seen a lot of examples of that and reimagining old threats as well. But I love what you said there about AI, obviously at the fore of so many discussions at the moment. It is kind of this juxtaposition in many ways, isn't it? Opportunity and threat: it can support in so many ways for proactive threat intelligence, but could be weaponized in many ways as well. So, so much to talk about there, but I love those examples. Thank you. And obviously, the impact of this is multifold and depends on which example we draw on, but overall, how would you say this kind of collection of different types of incidents is impacting now on cybersecurity strategy as we look forward?

Ken: It's definitely having an impact. Obviously, from the AI perspective, learning new risk management techniques for how you're going to employ these. But not only that, but thinking about how you're going to manage the risk for AI that you're going to subscribe to. So, what sort of environment are you operating in? What sort of information are you providing to the AI? What sort of information are you relying on the AI to give you? All those are areas of risk that have got to be managed. And there's going to be a lot of learning as we're going throughout the next year or so around those risks, both from an accuracy perspective, making sure the AI is providing the right data to you, that it's accurate, not hallucinating, and also that it's protecting the private data, all the privacy concerns that we normally have, making sure that none of that private data is leaking out to other AI users. All these are kind of challenges. And that doesn't even take into account some of the other safety factors where people are worrying what sort of decisions you are going to have the AI making. What sort of automation are you going to build into that? Those are a whole other set of kind of policy concerns around what we want AI to do. Whereas for CISOs, they're probably going to be focused a lot around the data management and the data protection. And then of course the breaches continue at a pace, and there is no doubt that there is a global ecosystem of criminal providers out there that are providing tools and capabilities to anybody that wants to do crime on the internet. And they are having varying levels of success. And some of those are very big and very noteworthy. Some of those are pretty small, but it's still a healthy ecosystem, and there's still a lot of bad actors out there wanting to do crime.

Sally: Exactly. And the cost of entry for those types of dark services, should we say, has gone down so much as well, hasn't it?

Ken: Very low.

Sally: You know, like a ransomware kit. It's almost like you go for your regular coffee house, you know, five times a week or something; for the equivalent price of five coffees, you could have that kind of base entry type of kit. It really is quite staggering. So yes, so many different areas there. And I think the other implication, just as you were speaking there, is about skills as well. Again, we talk about shared responsibility, don't we, in terms of cybersecurity, but then again ensuring that we're doing that in the right way in terms of skills uplift and more focus on kind of experiential hands-on learning and simulation exercises I think is so, so important. And also just awareness around these topic areas, because generative AI, I think sometimes it's kind of treated as synonymous with, say, just ChatGPT, but there's so many different flavors, and obviously traditional AI in many cases is actually very complementary but actually more appropriate in certain ways. So, the education about when to use these technologies and how and why, I think, is so critical too. So again, so much to dive into, isn't it? But you also mentioned earlier on all things really to do with legislation and compliance, and you mentioned the SEC rulings. I'd love to dive into that a little bit more as well, because I think everything around compliance is just growing in terms of prominence but also a challenge area. You know, with some of the geographical differences as just one example. So, what are you seeing here in terms of the impact, not just on transparency but on the requirements of the board and individual members, and what impact do you see next in this regard?

Ken: Yeah, so it is very clear that the SEC, for US regulated entities, is trying to drive more transparency. That's what these rules are aimed at. There's really two big components to the rules. One is your annual disclosure, what we call a 10-K form, including in that disclosure more information about how the company is managing cybersecurity risk and who in the company is responsible for that and how the board plays a governance role in that.

That is information that the SEC thinks investors need to have, so they want to see it in that annual disclosure. So, there's going to be some changes with public companies in their annual disclosures talking a lot more about their cybersecurity risk program. And that's going to have a pretty big impact, because that's not normally something that companies talk about as publicly, but it is starting to happen more. And I think this is going to drive it even farther in that direction. And then the second part to the new rule is disclosing cybersecurity incidents, material cybersecurity incidents. So, using traditional materiality calculations that the SEC has built up over the years for determining what's material and what's not material to a company, they want you to apply those kinds of findings to individual cybersecurity incidents and determine if it requires a public disclosure. And if it does, they expect you to file that within four days of that determination. And that's a public disclosure that they're looking for, an 8-K filing that goes to everybody, to investors, potential customers, everybody. So, it'll be interesting to see how the industry responds, how people determine materiality, and how much more incident disclosure we actually see from these companies and how that impacts the reputation of the companies, both for investors and for their customers. It's going to be a very interesting time, and I anticipate that we're going to see more kind of targeted court cases from the SEC before the industry really figures out where they want to narrow in on those disclosures. I think the SEC is going to be trying to make some examples based upon any incidents that are not reported that they think are material. You can definitely see that coming down the line.

Sally: Oh, definitely. That really is in the pipeline, isn't it? You're making me think there as well. From a European perspective, say from the European Union legislation as well, we've got NIS 2. And I think it's the 17th of October 2024 that it has to be transposed into national laws across the European Union. And that has much bigger, wider obligations for cybersecurity right across new sectors. So, for example, across energy, transport, health, digital infrastructure, I think many more as well. So that scope has expanded, but equally, what you were saying about reporting obligations, that has expanded massively too. And again, the timelines and what's in scope of that. So really interesting synergies there. And of course NIS 2, although it's European Union legislation, has lots of implications globally as well, because from a supply chain perspective, if you're in the U.S. and you're, you know, again, supporting one organization that is in scope, you will be too in many different ways. So again, hugely significant there. So, across the board, I think this onus on reporting.

Ken: Yeah, and I think that's important with cybersecurity. We are a globally interconnected economy, especially for these larger businesses. So, all these regulations have a cumulative effect and have to be managed. Obviously, the EU has led the way kind of with privacy and the GDPR, and it's going to continue to evolve its legislation in those directions. In the US, really, national-level legislation has really been around things like the SEC and this type of disclosure enforcement, but states have built out pretty robust privacy frameworks similar to the GDPR that companies are complying with, but there really hasn't been a national-level one for all states. So, it really depends on where you're doing business and where your customers are.

Sally: Absolutely, absolutely great points there, and kind of putting these all together, this collective impact of regulation, and we haven't even mentioned other areas as well like ESG, for example, again another acceleration area in terms of compliance and again with geographical differences, so you can see this mounting and mounting, can't you? So, how do you see this affecting kind of boardroom dynamics, particularly with some of the more, say, personal liability legislation this puts into place too, but equally, perhaps changing the narrative, how can all of this be more of an opportunity for people in roles like yourself?

Ken: Well, it could be more opportunity. I anticipate the boards are going to seek out more cybersecurity expertise. Now, that doesn't necessarily mean a bunch of CISOs like myself are going to get board positions. Most CISOs probably are not ready for a board position or don't have the executive experience or the executive presence for a board position. However, bringing them on as an independent advisor to a board member, or seeking out executive board members that have experience running cybersecurity companies, those are the types of things I would expect to see more on boards, something where they can focus on cybersecurity and show to their investors, to their customers, to the regulators that they're taking it seriously and that they are seeking out this expertise and that they're seeking to build their expertise in cybersecurity risk management. That will include training for the board: more opportunities for CISOs like me to interact with their board to make sure you're bringing them up to speed and giving them the tools they need to govern the risk areas that you're managing.

Sally: Fantastic, Ken, I love that. I know we're out of time now. And again, such a pick-and-mix of areas we could have gone into here in terms of looking back to go forward, but I really appreciate your time. And for me, I love the fact that we've not just talked about kind of the technology that's being used, both proactively and kind of against us in terms of cybersecurity, but such a focus here on the human factors too, and around culture and around agency within roles and around skill development as well. I think that's so, so important. It really is that holistic focus that makes such a difference. Ken, thanks so much for joining us on Let's Talk SoC today. Really appreciate your time.

Ken: Thank you, it was my pleasure!

Sally: Thank you so much and thank you all for watching and listening too. We'll be back soon with another episode!