Reimagining Cyber - real world perspectives on cybersecurity
Explore the critical intersection of cybersecurity and business impact while gaining insights into CISO priorities with "Reimagining Cyber." Stay informed on the latest cybersecurity news, trends, and solutions tailored for today's CISOs and CIOs. Hosted by Rob Aragao, a seasoned security strategist with OpenText, this podcast is your go-to resource for staying updated on cybersecurity developments and addressing common challenges in the rapidly evolving digital landscape.
As featured on MillionPodcasts'
Best 100 Cybersecurity Podcasts
https://www.millionpodcasts.com/cyber-security-podcasts/
Top 50 Chief Information Security Officer CISO Podcasts
https://www.millionpodcasts.com/ciso-podcasts/
Top 70 Security Hacking Podcasts
https://www.millionpodcasts.com/security-hacking-podcasts/
Cybersecurity Christmas Wishes: Expert Insights for a Safer Future - Ep 129
Join Reimagining Cyber for a festive special filled with cybersecurity Christmas wishes from industry experts. Hear from Mike Echols on the importance of human error management, Ashley Jess on combating sophisticated scams with AI, Jim Routh's call for passwordless authentication and improved identity access management, Brett Thorson's plea for simplified cybersecurity products, Arun DeSouza's emphasis on IoT security, and Tammy Klotz's reflection on vigilance and proactive protection. Rob Aragao wraps up with thoughts on the convergence of identity and data, as well as the role of AI in enhancing threat detection and responses. Tune in for thoughtful reflections, expert insights, and a look back at the major cybersecurity themes of 2024.
Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com
[00:00:00] Producer Ben: Hello, my name is Ben and I produce the Reimagining Cyber podcast. Your normal host, Rob Aragao, is out of office at the moment, hard at work finishing off the knitting of his Christmas jumper, so it's fallen to me to deliver this festive special. The team at Reimagining Cyber have taken the time to get in touch with a number of our former guests and invite them to come up to the studio
[00:00:27] with their own cyber security Christmas present list. In other words, if on the big day they were to unwrap a cyber security gift, what would it be? Not an actual physical thing, but perhaps a change in attitude, or policy. So gather round, grab yourself a glass of something warm and comforting, and find out what goodies are under the tree.
[00:00:49] The first person you're going to hear from is Mike Echols, CEO of Max Cyber Security and author of books such as Secure Cyber Life, The Government is Not Coming to Save You.
[00:01:01] Michael Echols: Okay. So let's see. If I could unwrap any cybersecurity present this holiday season, it would be the widespread realization among businesses and organizations that more than 75 percent of cyber incidents are caused by misconfiguration and human error.
[00:01:15] These aren't high tech mysterious hacks. They're preventable mistakes. Yet many organizations fail to ensure that their teams are following best practices or even the most basic cybersecurity policies. This gap between policy and practice is where vulnerabilities are born. What's often overlooked is that cybersecurity isn't just the responsibility of the IT department or cybersecurity professionals.
[00:01:40] True cybersecurity is a team effort. And anyone with access to electronic systems plays a critical role, whether it's configuring software correctly, recognizing a phishing attempt, or simply following password guidelines, every individual's action or inaction can strengthen or weaken the organization's defenses.
[00:02:01] Cybersecurity really is a team sport. It's about collaboration, shared responsibility, and creating a culture where everyone understands that their contribution matters. When organizations embrace this mindset, when they really take it to heart, they're not just protecting systems, they're building resilience.
[00:02:21] So, let's make this the holiday teamwork wish. It's a gift that can keep on giving all year long and into the future.
[00:02:29] Ashley Jess: Hi, my name is Ashley Jess, and I'm a Senior Intel Analyst at Intel 471. For this holiday season, my cybersecurity wish is simple, but important. Too often, we hear people ask, how can anybody fall for a romance scam or a pig butchering scheme?
[00:02:46] And the truth is, these threats are sophisticated, they're manipulative, and they're designed to exploit human emotion. My wish is that more people shift their perspective, from one of skepticism and blaming the victim, to one of understanding that the cybercriminals behind these scams are experts at what they do, and it's crucial we recognize just how complex their tactics, techniques, and procedures have become, especially as they adopt AI at an increasingly rapid rate.
[00:03:11] As AI continues to evolve, so will the tactics used by threat actors, who are becoming increasingly sophisticated in how they are targeting individuals and organizations. This means that our defenses need to evolve just as quickly. In 2024, we saw some important frameworks emerge to protect data and begin addressing the regulatory challenges around AI.
[00:03:30] In 2025, I hope to see a stronger emphasis on implementing these frameworks and creating clear, forward thinking regulations. We'll need to stay ahead of the curve, proactively building AI driven defenses while ensuring that privacy and security remain at the forefront. In this new era of cyber threats, the goal is simple, innovate to stay secure, and build systems that can adapt as fast as the threats themselves.
[00:03:53] Happy holidays, and stay safe online.
[00:03:57] Jim Routh: Hi, I'm Jim Routh, and these are my three Christmas wishes for cybersecurity. Wish number one, that we finally get rid of passwords and move to passwordless authentication across the industry, across all cloud accounts, uh, and, uh, just implement it. It's cheaper, it's better security, and it's a better digital experience.
[00:04:20] Second, that, uh, we combine identity access management, third party governance and third party risk management. Those two functions need to be in lockstep together to deal with all of the cloud accounts and the provisioning of cloud accounts and the configuration of cloud accounts effectively to do secrets management.
[00:04:42] The third, hmm, privilege access management system that's activity based, that finds deviation and pattern, flags it, and revokes the privilege or entitlement based on what the model score is. So those are my three Christmas wishes for this year. I hope everybody has a very happy holidays.
[00:05:08] Brett Thorson: Hello to all my friends on the Reimagining Cyber podcast.
[00:05:11] Thanks for having me back. My name is Brett Thorson. Last time I was with you, we were talking about the Colonial Pipeline damage, and I was with BCG. Now I'm on my own, doing some work under my own LLC as Cranial Thunder. So thanks for having me back. So what's on my present list for this holiday season?
[00:05:33] You know, if I could unwrap anything, it would be the simplification of cybersecurity products. I think that there are way too many of them out there, and some of them are niche, and some of them are very complicated. And while all these vendors say that they integrate well with other vendors, maybe it's just data passing.
[00:05:54] I think we really need to start working on, I want this tool, or service, or whatever, to be functional out of the box. And I think that's going to require producers of services and products to really get to know their customer and how they're using it and to pull back some of that information and say, look, we have a few archetypes, and if you want to get going quickly, choose A, B or C and that'll at least get you 75 percent of the way.
[00:06:27] And then you can start to see real impact and real value for the products that you're doing. If I could unwrap another present for the holiday season, I think it's just the realization that as organizations grow, your default IT person who helped you set everything up is not going to be able to be your de facto security person as well.
[00:06:53] I've seen too many organizations that scale, and as they're getting bigger, they figure, well, so, Pat is going to be automating everything, and he or she will be able to script it all and deploy the laptops and do all the things. And before you know it, you have this one person who doesn't want to say no, wants to be happy and satisfy all the requirements, and things start falling through the net, and that's exactly when you get developers doing odd things or, you know, a power user who has administrative access doing something that they shouldn't be doing.
[00:07:33] So I think it's really important that the leaders of organizations look internally at themselves and say, do we have enough human resources dedicated to these very important positions that will not only help us grow and scale and be efficient, but also be secure?
[00:07:53] Arun DeSouza: Hi, my name is Arun DeSouza. I have over two decades of experience as an award winning global CISO. My cyber security Christmas wish list: I wish that security training and awareness, in addition, IoT devices, become top of mind for all companies, and they embrace a culture of security.
[00:08:12] People are the first line of defense and tuning the human firewall can help reduce security incidents significantly. Currently, an overwhelming majority of security incidents are attributable to human error. The exponential rise of IoT devices has me concerned, as it results in an increase in risk due to vulnerabilities in IoT devices,
[00:08:39] which expands the attack surface for enterprises. I anticipate that there will be many more IoT attacks in the coming year. The security and risk nexus of the IoT is a clarion call due to burgeoning data privacy regulations and regulatory compliance mandates. Fines and penalties for breaches of non compliance are significant.
[00:09:03] In addition, there are brand and reputational impacts to consider. A lack of data hygiene and governance can and will lead to exploits and breaches. This necessitates a strong data classification and characterization program for both cloud and on prem data. Protection of data at rest and in transit via a holistic, cost effective cloud security platform is essential.
[00:09:32] Tammy Klotz: Hi, this is Tammy Klotz. I am currently the Chief Information Security Officer at Trendio, which is a chemical manufacturing company based in Wayne, Pennsylvania. As I sit here this evening and reflecting on this past year, I look back and think about all of the things that I have had the opportunity to experience and learn from as part of my cybersecurity career.
[00:09:56] Looking forward, I think about how I can continue to not only educate myself and others about how to keep them safe online, both themselves and others, their companies and their families. If I think about what would be on my cybersecurity Christmas list, one of the things that I would wish for is that everybody would be aware and take notice to things around them that are suspicious and may, in fact, um, cause them harm in some way, shape or form, very much, not necessarily a message specific to cyber, but also just general daily life.
[00:10:39] I also would hope that those responsible for protecting their companies do so with their best efforts and intentions, and that everyone has the ability to stay ahead of the craziness that is happening in our world. And sleep well tonight and every night.
[00:11:04] Producer Ben: So that was Tammy Klotz, you also heard Mike Echols, Arun DeSouza, Ashley Jess, Jim Routh and Brett Thorson.
[00:11:12] You'll find links to all of their previous episodes in the show notes. And this news just in, it turns out that Rob Aragao has finished knitting his Christmas jumper and has been able to send us a special message of his own.
[00:11:28] Rob Aragao: So Ben, you're asking me for my own cybersecurity Christmas wish as well. This is awesome.
[00:11:32] I'm glad I'm able to participate. We have great guests, obviously they've come back on to share their perspectives. Let me tell you my, you know, we've talked about this just recently. So there's a couple of things I want to talk about. The first one, first one's around that convergence of identity and data, and I'm going to amplify it one more time.
[00:11:50] Again, this is my Christmas wishlist. We need to get people working closer together, understanding that there is a true interdependency and interconnection between identities and their interaction, not only in access, but using of data. And what that drives us towards is much better security. Again, on the front end of how we're dealing with privacy issues.
[00:12:14] Who the users are, not just the humans, but the non human as well, right? IoT devices is an example, gaining access into data, ensuring that the access is appropriate, being able to also assess and measure the purpose of why they should actually be gaining access, is another element to tie into play. And then the back end of it is the data and the sensitivity of the data, which also provides us different mechanisms on how we actually ensure that who has access to this information flows accordingly.
[00:12:49] What does that do? That helps us, obviously, from a security perspective, but also helps us, by the way, from all the different regulations that we've discussed in the past. And probably going forward as well. So that's why I continue to harp on, you know, we've got these two different silos that we're dealing with today on systems, people managing the identity security, and then you have people on the other side in another silo dealing with the data and how we deal with it,
[00:13:15] secure that data. They need to be working much more collaborative. They need to be leveraging tools that cut across and look and provide the visibility across both of those. That's my first. I do have a second, of course, Ben. And that second is, I'd love to see that we get to this point of going into the new year where AI is starting to really drive that much more efficiency gains and efficacy, of course, as well in powering what it can do
[00:13:48] around things like threat detection, around things like being able to predict the different types of security instances that may be coming and impacting one's organization, one's network environment. But doing so in a way where it absolutely is better empowering the human, right? The human still sits behind to be able to ask the right questions, right?
[00:14:08] Around prompt engineering, what am I trying to get the answers to? What am I asking it to build logic for, rules to support and protect my environment, is an example, as it gets that much more high powered in its capabilities. So again, seeing the values really drive towards much better threat detection capabilities, much better opportunities to drive efficiencies around automated response around incidents that are occurring, that low hanging fruit we've discussed in the past
[00:14:39] at this point for us to let the machines actually take the action for us. Again, the low impact stuff, it's not going to break something operationally if we allow the automation for those particular types of environments to take effect. We can mature that over time as it continues to learn, the human driving a lot of that behind the scenes, of course.
[00:15:01] Um, other aspects are, you know, around, again, the analysis of behavioral patterns. We've been doing this for a long time, looking at building a baseline of behaviors and understanding kind of what the differences are. AI is going to help us drive that much more, again, efficacies behind what is really happening out there and helping make the right decision. So those are really my two key wishes going into the Christmas season here about
[00:15:26] Producer Ben: Thanks for listening to the show. My personal wish is for you to tell people about Reimagining Cyber. There is no marketing strategy that is quite as powerful as word of mouth and personal recommendation.
[00:15:38] Merry Christmas.
[00:17:18] Rob Aragao: Now another thing I wanted to kind of bring up is just reflecting back on the key topics, kind of themes, that we discussed with all the great guests we had over the course of this past year in 2024. You know, we started off going into the new year with heavy discussions around regulations and it just seems like there was just so much coming at us, right?
[00:17:39] We talked about, what, DORA, the NIS2 Directive, uh, the SEC cyber rule, right? All these additional privacy regulations, uh, the EU AI Act spanned so many different areas of looking at, uh, privacy regulations, privacy elements, of course, tied into those things. So that was, that was another kind of area that I just found so interesting to, to watch and see how they continue to expand.
[00:18:05] Um, you know, how heavy those levers were being pulled, how people were, you know, really paying attention to it and acting or kind of doing a wait and see and, and deciding, you know, kind of, would they take the action once it was out there and they saw examples of what penalties really were, right? So that, that's always kind of an interesting, you know, way to balance things out.
[00:18:25] Uh, another area was just some of the security incidents. The one that really stuck with me was early this year around the, the Change Healthcare security incident and the impact, uh, downstream that, that, uh, that caused, right? Where people literally could not get, uh, their prescriptions filled, as an example, uh, and how long it took for different systems to be able to come back online.
[00:18:46] So there's the sheer impact. Um, I think that was a major, uh, major eye opener, especially for the healthcare, uh, segment, but also critical infrastructure, you know, across the board and just people being able to see just how these third party relationships could be so kind of negatively impacted by, um, you know, one of the downstream providers.
[00:19:07] Obviously this was year, the year of, uh, we called securing the vote. So many elections happening globally and all of the different concerns relative to cyber security and you know how people could go in there and kind of disrupt voting systems across the globe and especially here in the US, the major elections.
[00:19:25] Um, and also we had the Olympics. Let's not forget the Summer Olympics, right? And just looking at how that could have potentially been a, uh, an opportunity of disruption from a digital perspective too. But again, we didn't really see anything happen, uh, majorly on either front, which is, which is good.
[00:19:41] That's great news for the cyber fighters out there. Um, I will also call out another episode that we had with John Brickey from MasterCard specifically that really stood out to me is, is, you know, I'm a keen proponent of collaboration, not only across, um, you know, within kind of commercial sector, but also into the public sector.
[00:20:00] And I think the great work that they've done there at MasterCard in their cyber defense collaboration efforts with, um, the, you know, the other sectors within critical infrastructure, as well as cutting across into the federal government, um, support in true, again, working relationships, running through exercises together, um, and just, again, going through kind of back and playing his episode that, that was really a, an eye opener for me as a very positive outcome.
[00:20:27] Something that, um, again, I've been a major proponent of, especially like the information sharing analysis centers across different verticals. This was a great example of, uh, the reality of, of what it can actually provide. You know, another one, Ben, that was really intriguing to me was our conversations, um, as related to cybercrime and Interpol, I think things, those are, those are pretty eye-opening and, um, a great, you know, set of conversations actually had, um, back then with Craig Jones and, um, um, we also went outer space, right, Ben?
[00:20:58] We actually went and talked to folks from NASA, Tiffany Schneider specifically, and some great discussions there about, you know, yeah, the elements of what you have to, um, secure, probably protect, that are part of the ground control systems, um, but how about level of communication into the outer space, um, components, the ways that we within the U.S. need to work with other nations and, um, you know, again, collaborate, but yeah, what information you're sharing.
[00:21:31] And so again, just shining the light on that side. I thought that was really interesting. Uh, and then kind of rounding out the year. Also another one was, um, we've been talking a lot about this lately is, is deeper diving into the potential impacts of critical infrastructure, which is, you know, I, I'm, I'm a bit of a concerned about where that can potentially take us.
[00:21:49] Um, going into next year, just seeing the additional ramp up and, you know, type of attacks and areas, I think, again, a test drives that we're seeing out there happen. And, um, you know, we just need to obviously be, be much more cognizant of that, tightening the screws on our control mechanisms. Um, and just overall doing much better.
[00:22:11] So Ben, you know, that's, that's what I would kind of look at as some key reflections of this past year. Some of the key themes I kind of hold back from when I reviewed the different guests topics episodes, you know, as a whole for the year 2024, it was just a great year, a great set of guests, so many awesome discussions and looking forward to so many more going into 2025.