The CISO and The Cyberattack

Steve King: [00:13] 

Good day, everyone. This is Steve King, the managing director of CyberTheory. And today’s podcast is going to feature Steve Stone, vice president of Rubrik Zero Labs, which is a new cybersecurity research team that Steve leads. Their purpose is to give voice to folks on the front line of cybersecurity and provide organizations with the latest threat data from their security research activities. It’s called the state of data security and it tries to expose and it does, the effects that years of rising threats, and expanding threat vectors are having on organizations, people, and our confidence in their ability to protect the data. Steve, in addition to heading up Rubrik Zero Labs, teaches cybersecurity topics at McKendree University, was the vice president of adversary operations at Mandiant for five years, was also the global intelligence lead at IBM for several years and an engagement lead at FireEye for a few years, as well, and started out in the Air Force Office of Special Investigations as a senior investigator. So Steve has lots of background in investigation and discovery here. And so, welcome, Steve, I’m glad you could join us today.

Steve Stone: [01:51]

Thanks for having me, really excited to be on this podcast.

Steve King: [01:54]

Great. Thank you. So let’s jump in here. The state of data security report provides an important view into the realities that IT and security teams face on a moment-by-moment or day-to-day basis. Some findings were that 98% of IT and cybersecurity leaders have dealt with a cyberattack in the last year, which is amazing, to me. It shouldn’t be because we get at least one every day that we are aware of. And apparently, the average among those folks that were surveyed is 47 attacks per year. You’ve been around a while. Why do you think this keeps happening?

Steve Stone: [02:40]

Yeah, so I think there’s a couple of interesting things there. The first is, as you mentioned, Rubrik Zero Labs is our threat research element and we’re just getting off the ground. So the first thing we wanted to do before we jumped into talking about anomalies, or specific intrusions or specific trends, was use this opportunity to take a step back and hear from the folks that are having to address this every single day, and not coming to this with assumptions. So we did that. And we did that looking at the operational reality. Let’s look at the impacts from that. And then let’s look at things that we think are based on discussions with these individuals and some expert cybersecurity leaders. What are some takeaways to improve this situation? So that gave us an interesting viewpoint. And the first thing we talked about is exactly what you said, is we wanted to start with the premise of “Everyone’s talking about this cyber threat thing. But what is it like in the context of these IT and cybersecurity leaders?” and again, it’s just set the scene for who these individuals are. We talked to a little over 1600 individuals, about 800 of them, so about half, are at the CISO and CIO level. And the other half were at either the vice president or director level, and again, on a range of IT or SecOps teams. So when we talk about that audience having to deal with almost all of them, 98% of them at their level had to deal with a cyberattack in the last year, with an average of 47 cyberattacks in that timeframe. That jumped out at me. I’m not surprised that organizations are dealing with cyber events. We know that. I’m not surprised that there’s all kinds of events and investigations and breaches and all these other things that organizations deal with. We’ve known that. What jumps out is the seniority level. This is a topic that this seniority level was not dealing with that long ago, or at least, not in this kind of fashion. So I think that’s one of the biggest findings out of this report. And I think the reason that’s happening is simple. I think it’s down to two major factors. The first is organizations are more reliant on things that are within the cyber realm, and we’re creating more surface area to do these operations. So that trend is just going up demonstrably. And then, when we look at the cyber threat landscape, it’s going up in every measure, volume, impact number of actors, types of intrusions. You give a threat trend and I will likely tell you that it’s going up year over year. So this was inevitable. We’re doing more of our operations in this space. And there’s more bad actors doing more bad things in this exact same space. And we think that number is going to be up even more next year.

Steve King: [05:26]

Yeah, so do we. Retired general Keith Alexander is fond of saying that we live in the glassiest of glass houses. And, according to the folks that measure these things, we’re the most wired country on the planet. So from one point of view, as you said, it’s not surprising that the most wired organization would receive the most quantity of cyberattacks, either. So I also noticed in that report that a third of organizations that are surveyed had a leadership changed in the last year, apparently due to a cyberattack. And I am assuming this is at the CISO level. And if that’s the case, why, especially in the aftermath of Uber and Twitter and Drizly, would anybody take that job?

Steve Stone: [06:20]

So, there’s a couple of things. I would definitely love to dive into that question. The first is, we got to that data point because we asked the question: for those organizations that are dealing with these events at this level – 98% of the field – are there impacts? Because we wanted to test that assumption. And the answer I got back was 96% of those organizations dealt with a negative impact. And we had three elements that were clustered together, right about 40 to 42% around reputational damage, loss of customers, loss of revenue. And then right behind that was this leadership change. So about a third of organizations dealt with a leadership change internally, based on the cyberattack or the subsequent response to it. Again, that’s one of those numbers that we thought was important, because that number means a few different things. First is that’s a real impact. We’re talking about careers and organizations. So that’s a real thing that’s easy to look past in a micro sense. But we look at the macro level, that’s a big impact. The second thing is that produces more stress on the system, it is inevitably more difficult to deal with these cyberattacks. And again, let’s go back to the previous point, you’re dealing with an average of 47 of these a year, last year. If a third of these organizations just had to replace somebody, that’s the bandwidth you’re having to devote to that, you’re having to deal with losing somebody and the impacts of that in your organization and your people, you’re having to deal with hiring, which is effort, you’re having to deal with training. And now you’re having to deal with bringing someone in, and she or he may not have the corporate knowledge that the organization just learned going through these events. So there’s a lot there. The other thing I would say to your question about why would anybody be a CISO? I think that’s an interesting question. Because CISOs universally, I think we all agree that’s a difficult position to fill in any organization. I think you see a lot of individuals looking to be CISOs, though, because you can drive a positive impact, that’s still a fairly nascent C-suite level position. Lots of boards aren’t used to dealing with CISOs. I’m sure Steve, you’ve seen it in your work, like even where CISOs fit into a corporate structure vary widely. So there’s still a lot of ability to drive changes in organizations. And I think a lot of CISOs in my own experience, and there’s no metric or stat I can give you on this, this is just purely my own interactions. I think a lot of these CISOs want to make organizations better, they want to apply all the things they’ve learned along their career, when these structures didn’t exist, these roles didn’t exist, these resources weren’t there. So I think you have a lot of individuals trying to do their best, and apply their lessons learned and grow their own industries and help these organizations. But it’s a challenging job. No two ways about it.

Steve King: [09:19]

Yeah, it is. And that’s before the FTC decided that they had a new charter here, and God love them. And if you’re Joe Sullivan, I think Joe thought he was doing the right thing here. And then all of a sudden, he’s facing eight years jail time. And then you have to wonder … it’s hard. And when I did it, it was hard enough at the time as it was, and that was enough years ago, so that I didn’t have the kind of pressures that today’s CISOs are operating under. They’re just fewer threat vectors, period. So, it was, in many ways, it’s a lot easier and a lot less stressful. But I just can’t imagine today if under all that stress, and then you find out that you suddenly have fiduciary responsibilities that nobody told you about. So my take is that CISOs and senior practitioners are truly mission-driven. Everybody I know is. They’re not doing this for the money and a good CISO and an honest friend of mine just walked out in a well-paying job after only a few weeks, because the environment was so heavily toxic and she’s a tough kid, she’s not a shrinking violet here. So, your report says that 96% of individuals that reported significant emotional or psychological impact in the last year, it’s almost 10 out of 10. The way I see it is, it looks like this is only going to get worse, so what do we do?

Steve Stone: [10:57]

So, we saw similar impacts at the individual level that we saw at the organizational level, the metric came out the exact same. So we saw 96% of organizations dealt with a negative impact from a cyberattack in the last year. And then when we asked the same question, but to an individual, we saw, as you mentioned, 96% of the individuals said that they suffered a significant emotional or psychological impact from specifically cyberattacks in the last year. The number one element of that was increased anxiety in the job role. Right behind that we saw discussions around perceived loss of trust amongst their peers and their own teams, we saw concern over job safety, we saw loss of sleep or difficulty sleeping. So these are real impacts. And again, this is the last year, this is not ever, this is not a more far-ranging thing. So when we look at that, I think there’s a couple of things that we need to take for action there. The first is, we have to recognize that these are high-demand, low-density assets. So I come out of the military – that was my first career. And that’s a typical military term you look for, when you’re doing your mission planning, what are the things that you just absolutely need, but are razor thin, or are hot resources, and you start planning around that. And our people, I think, frankly, in this industry, are high-demand, low-density assets, there’s all kinds of discussions about workforce, we talked about that in this report, we’re not the only ones. Virtually, every major research organization is talking about the lack of a workforce and all of the capabilities that brings. So, we have to find ways to solve this, we have to take this for action, I think is the first part, we just cannot turn through these high-demand, low-density assets, and have our people feel this way. The second part is, we have to recognize that this is a layered effect, meaning this just didn’t start a month ago, these are individuals who are – let’s go back to that seniority level, this isn’t their first year doing this, this isn’t their second year doing this, they’ve been doing this year over year. And this wear and tear is becoming cumulative, we’re hearing that very clearly. So we’ve got to find a way to reverse that trend or pivot in a different direction. And the third thing I think we look at this is, and we talked about this in our report, what we think are some significant recommendations to address all of these challenges and this specific people, one, we’ve got to bring more resources to bear from organizations, we have to stop asking the small group of individuals and teams to solve problems that are existential threats to organizations. We have to do like we do in non-cyber aspects. And I think we’ve got good parallels. If you look at the aviation industry and the way they approach safety, that’s not the safety team’s role. That’s everyone’s role. All kinds of teams are involved. If we look at the automotive industry, some similar things, we look at the energy industry and how they work things, we have to start bringing more teams to bear and not just have this be problems to be solved. And we expect hero mode every night and every weekend from the same individuals. So I think there’s some ways that we can go after that. And then we also have to get at resourcing. This problem is not going away. If anything, it’s growing. And I don’t know what other data points we need to see that. So we’ve got to create more bandwidth for these individuals to deal with these challenges, as well as bring more resources to bear. So we create more resiliency in our individuals and in our organizations. Those are critical things, we think.

Steve King: [14:40]

There clearly isn’t a level of protection that’s afforded to the CISO or the lead security guy in any of these companies. And if federal regulators are going to continue to act as though those individuals have an ultimate responsibility for protecting the companies against cyberattacks, then somebody’s misinformed at the federal regulatory level. We all know that what I just said is impossible, that we can’t protect, and so we need to have an acceptance at the level of the prosecution, that it’s an impossibility. And we can’t hold CISOs accountable except where there’s malfeasance or intentional activity on their part. No one’s representing the CISO, at the moment, is what I’m saying. And I looked at the report that you had 92%, or nine out of 10 of organizations that believe that they’ll be unable to maintain business continuity if they have a cyberattack in the next year. And I think it also said that a third of their board or the executive leadership have little or no confidence in the organization’s ability to recover critical data and applications. The whole space is beginning to sound like a poster child for a dysfunctional family. What good is all of this cybersecurity spending and technology growth and training and all the rest of that? What good is out there if none of the organization supports have any confidence in their ability to pull it off?

Steve Stone: [16:31]

So I think there’s some good news amongst that. I think the first thing is, if we take a step back, the fact that this is even a conversation at the board level, I think is important. And I think a very positive step. We’ve both been doing this long enough where I can remember the first time I talked to a board, and I would be the first cyber person that had ever engaged with this board. I think those days are effectively done. Boards are involved. C-suites are involved. Are we where we want to be? No, we’re absolutely not. But I think we’re trending down that path. Just again, the sheer fact that we’re seeing this as a discussion point, it is important. Another thing I think is we’ve got to start looking at this as not just being the CISO problem, or even just the CIO problem. There’s tasks here for every C-suite executive, there’s tasks here for other teams, there’s all these other capabilities and responsibilities and expertise areas for these things to be tied in. We should be talking about the responsibilities of the CEO and the CFO, and our chief legal and all these other entities. And I don’t think that we’re near where we want to be for that. But we’re seeing that expansion, we’re nascent in that, as a collective. But I think that’s starting to grab hold a little bit. And then on the regulatory end, and we talked about this in the report, there’s good news, bad news there. The good news is, from a Rubrik perspective, we’re supportive of government efforts, we’re supportive of the whole of government, we’re supportive of partnerships and alliances and all these things, because that’s how we’re going to solve these massive challenges. We’re not going to solve them without other entities bringing their resources to bear, they can do things that we cannot, as a company. They’re going to do things that other organizations cannot, just like in every other realm. So cyber is not unique. This has been a topic in virtually every other industry. So we think that that’s good. The flip side is this is a challenge that we talked about quite openly, there’s a great term that we discussed quite a bit as the cyber poverty line. Wendy Nather, who is on the CISO panel at Cisco is the one that gets credit for coining that term. But it effectively means there’s some organizations that can deal with what they need to from a cyber perspective. And there’s some that can’t, and you’re either above that line, or you’re below that line. I think these regulatory motions are going to increase that. These organizations are going to have to get smarter on policy and regulations and interacting with government and all these other things. That’s challenging when you don’t have a lot of the resources to do those on top of the cybersecurity resources. So this is going to be a challenge for Fortune 100 companies. But what about the thousands of other organizations that that are IT shops, as a person doing it part time, or their head lawyer is also maybe their CISO. And there’s a range of these situations. This regulatory focus is going to have to address that. And that’s the thing that we want to be focused on at Rubrik, and how do we help solve some of those problems and help enable those organizations meet those needs?

Steve King: [19:45]

Yeah. And what you just described is – I hope you’re right, I hope that we’re moving in the right direction. But when you look at very specifically, look at the Uber case, and you trace the history of the initial motion, they had initially targeted the CEO and the chief legal guy. But at the end of the day, by the time they got down with a step Sullivan was the only guy that they felt they could build a compelling case against, which is interesting to me. It’s also interesting and depressing to me that the rest of the management team, essentially, were able to get non-prosecution agreements in exchange for their testimony. And they all turned around and testified against Joe. Whether Joe’s a good guy, bad guy, made mistakes, didn’t make is irrelevant, because there’ll be another – next week, it’ll be somebody else. It’ll be the similar sort of Wild West outing is the way I see this. And there’s not a legislative body that seems to be in control of this. So it could go on forever. I think there’s a big difference between CISOs’ best intentions and their actual ability to execute on those intentions. There’s no Caesar, and Joe didn’t create intentionally future, where he is facing eight years of incarceration for that, certainly, and I’ve got a book coming out in December called ‘Losing the Cybersecurity Wars.’ Totally in line with your findings in this report, one of our views, and lines up with what you found was that despite years of awareness around ransom events and responses, three quarters of IT and security leaders reported that they are likely to consider paying the ransom and half said extremely or very likely to pay the ransom. What’s your take on that? Why are folks anxious to ignore the FBI advice on ransomware?

Steve Stone: [21:57]

So that was another one of those discussions that jumped out at us. And you’re right with the numbers. We basically asked the same individuals a two-part question, which is, how likely are you to consider this as just part of due diligence of responding to these events? And the other part is, how likely are you to pay this? And we saw that about three out of four would consider it and just a little over half consider themselves likely or extremely likely to pay that ransom. We asked that as a hypothetical. But again, I think those data points line up, we recently had the FinCEN report come out about ransomware statistics that they’re seeing from banking transactions and all those things. And those numbers line up. There’s a number of other great research elements out there around how often are ransomware payments being made. And I think those numbers that we’re asking as hypotheticals match some granular touch points out there. So what I think is most important is the context around that. Ransomware, we’re not a year into this, this isn’t the first major year ransomware, we’re multiple years into this dominating threat landscape. And I’ve been doing this business long enough to have been wrong a bunch. And one of the things I was wrong on when we first several years ago started seeing the uptick in ransomware, I did not think it was going to be the dominant topic at this point at the end of 2022, going into 2023. I was wrong, I would not have forecast the preponderance of events and impacts and driving everything that is driving. So I think what that tells us is this: there’s still a lot of work to be done here. And what I mean by that is, I don’t think any organization wants to pay ransom, I have not talked to a single person that thinks that will solve their problems or would prefer that as a way out. They’re having to approach that as something that is just an option, they have to consider. The situation remains dire enough that they must consider it. And in some cases, that’s their only option for a range of reasons. What I think that tells us if we spend time stripping all that out, there’s a few things inside there. One is organizations are still struggling with the reality between what they need to run their operations and the cyber and IT requirements for that. I don’t think those two things are mapped well enough to each other. The second thing is when we talk about the vendor space, I think we’re still not providing enough cohesive solutions or solutions that work effectively together. So I think that we’re not doing a good enough job as an entire industry, providing real solutions to clients, otherwise they wouldn’t be in these numbers. And then the third part is, and I think this is where we’re seeing more touch points as the government is becoming more involved, is it’s one thing to say, “We don’t think an organization should pay this,” which I absolutely think is a valid position. But that is a policy and then you try to apply that into specific situation as a company is facing an existential crisis, there’s 100 examples in the public at this point around that. That might not be an option they can take. And that’s not unique to cyber, this stuff happens in other industries, there’s all kinds of trade-offs. So I think what that number tells us is that we are not near far enough along that path as a total community, we just have to get better as distinct organizations, we have to get better as vendors providing solutions, we have to get better as governments bringing government solutions to this, and we have to get better at integration and making this not be such a profitable business. Because I think that’s the flip side. Most of my background is in the threat side of this. This is a profitable model for cyber criminals, they get to choose a range of ways they can monetize their bad actions. And year over year, they’re choosing to go to ransomware, it’s meeting a lot of needs for them. We probably need to shift that dynamic. And that probably needs to be part of the conversation as well.

Steve King: [26:03]

Yeah, we need to shift the dynamic, but of the 4000 cybersecurity product vendors in the space, I don’t think people are having trouble sleeping at night, because their product doesn’t solve any of this. But that is the case. There’s no product that prevents ransomware. We know that. You had mentioned that operations teams and IT teams need to be aligned. But your report said that one-third of folks surveyed said their own teams were somewhat or not at all aligned when it came to defending the larger organization. I’m not sure what that means. Maybe you can explain that one. Because I stumbled around that. I don’t know what the implication of that is.

Steve Stone: [27:01]

Yeah. So what we’ve got there is, we heard that about 31% of these leaders said that their respective IT and security operations teams were either somewhat or not at all aligned when it came to defending their organizations. So what it effectively means is, you got two out of three saying, “Yep, different teams are prepared to work together” and about one out of three saying, “we’re not, we’ve got challenges there. And we still need to figure that out.” So I think there’s good news, bad news there. The bad news is, there’s one out of three that don’t think that they’re aligned. And that lack of alignment will play itself out when they’re dealing with one of these cyber events. You’ve got two-thirds that say they are aligned. So there’s two sides of that coin. The other thing I would say is, and you mentioned, no vendors losing sleep over this. I’ll use Rubrik as an example. We’re trying in a range of ways to help bring these teams together. It’s important for us that we’re delivering solutions that can help unite these teams and bring our capability and the capabilities that they might have with other technologies. We’re doing this through integrations and partnerships, and it’s all on the Rubrik website. I won’t go through all that. But I think those are critical things. And I think that’s a task that we have to look at, it’s not enough to just say, “Hey, this technology does x. And we think it does it better than any other vendor.” It has to be, “this technology does this. Here’s other ways other teams can use that. And here’s how this technology can work with other technologies you likely have.” And bring these teams together, bring these tools together, bring these resources together. And that’s going to have to be a way that that works, as well as – I’ll speak from the Rubrik standpoint – this comes down to organizations working together. We’re active in a number of partnerships with other organizations, we’re active in a number of working hands-on with other vendors. That wasn’t the case for vendors five years ago, 10 years ago, it was the exact opposite. We wanted to create isolated ecosystems. I’ve been in the vendor space for the better part of 15 years. And I’ve seen that change, demonstrably. So we’ve got to be good partners for our clients. And the better we are at that, the better off these organizations are going to be and statistics like that – 31%. We’re going to help them close that delta. Again, there’s no silver bullet, there’s no perfect solution. But there are things that we can all do better to help that.

Steve King: [29:25]

I apologize for that. It was sort of a broad brush statement on my part. You’re right. There are vendors and I know several of them, including you guys, that are sincerely mission-driven. So I apologize for that. We’ve had Anneka on the podcast as well, and she’s terrific. And I’m glad you guys have her and maybe before I get to the final question here, I know we’re getting short on time, give you an opportunity to say a word or two about Rubrik and what your product is and what your vision for the future is.

Steve Stone: [29:59]

Yeah, so thank you for that. What we do here at Rubrik is we want to focus on helping organizations in data security, we want to help provide capabilities around how can organizations secure their data better. We’re adamant believers in every cybersecurity situation ultimately comes down to data. That’s the most critical asset that needs to be secured. And that’s the most highly coveted asset that bad actors are going after. So we want to start there, we want that to be our main focus. And we focus on that. And again, we want to focus on that wherever data resides. And what we’re seeing is organizations are hybrid. So we, as Rubrik, need to be hybrid as well, we have to work on-premises, we have to work in the cloud, we have to work with SaaS apps, and then provide data security and visibility across all of those elements. And what we try to focus on is three main components. We want to focus on data resiliency, data observability and data remediation. In essence, the other folks that have put a lot of work in in making those profound messages will cringe a little bit when I strip it down. But can you understand where your data is, how it’s being accessed, and how it’s being secure? That observability piece is critical to decision making. The second part, can you be resilient? Can you be better prepared for the next breach? We believe that this is not that you’re never going to be under a cyber event or you’re never going to have an intrusion. We’re going to have to work with organizations to get better breach over breach, and focus on that resiliency and protect the most critical parts. And then the third part is that data remediation, how granular and fast can organizations remediate the threats that they’re under? Whether that’s a cyberattack or disaster recovery, or they just want to do their operations better, or they want to apply better context and policies? How do they build that remediation? And we talked about focus there, because we want to be very pragmatic. This has to work, there has to be actions here. So that’s, in a nutshell, what we’re at it for Rubrik.

Steve King: [31:57]

Yeah, and that’s a great three-point roadmap for approaching cybersecurity these days. The third point you made is the acceptance of the fact that you’re going to get breached. And then, we never focused much up until recently on the remediation part of this puzzle. And we need to, in addition to resilience. Final question, the report says that more than 89%, nine out of 10, respondents believe public and private partnerships are important to solve cybersecurity challenges, but less than half were involved in any sort of partnership. And from my point of view, that seems like a bigger number than what I’m used to seeing. And none of that’s changed in years. Do you see any progress anywhere around that?

Steve Stone: [32:53]

So, we see some progress. And what we ended up with was we were asking a number of questions about what are these decision makers want to apply their strategies, and this was one of those elements we ran across. There’s a section of report that basically outlines several different things to include this section around. It’s not that these leaders don’t have things that they think will be beneficial. They’re struggling to implement that. And so when we ask that question, almost nine out of 10 believe these partnerships between public and private organizations are beneficial, about two out of three felt they’re critical, but only about 44%, so a little less than half, are involved in at least a partnership. So what we see there is that real delta is between what they want to do and what they’re able to execute in the last year. I think this all goes back to these systems are overtasked. They’re facing such wear and tear, they’re not able to get to all of the things that will be beneficial. And so the good news is, there’s a desire to be there. And there’s efforts to be there. The bad news is it’s difficult. Especially, we look at all the other challenges. And I think another good analogy is every major threat research project or product I’ve ever seen, at some point, mix recommendation about go back to the fundamentals, update your patching, look at vulnerabilities, do better asset management, that has been in every report I’ve ever seen, that every credible researcher has ever put out. I know that’s adamant language, but I feel strongly about it. I don’t think it’s that organizations don’t see the value of that, or don’t know how to do it. It’s just hard. It’s complicated. It’s challenging, especially with the volume and the impact of everything else they are having to deal with. So I think that there’s a real capacity challenge, not a knowledge challenge, and that helps us understand where to go next.

Steve King: [34:51]

I agree. There’s definitely a capacity challenge, but I also think there’s a small knowledge challenge as well. We embrace complex technologies here with a minimal understanding of what those technologies are about. That’s probably a topic for another day. And thank you, Steve. I appreciate you taking the time out of your day. I’m sure it’s hectic, and to spend with me and our audience here. Again, this is Steve Stone, the guy that runs the Rubrik Zero Labs project for Rubrik. And I appreciate you joining us.

Steve Stone: [35:30]

Thanks, Steve, for having me on. I enjoyed this conversation. And just let us know if you want to have another one.

Steve King: [35:34]

I do want to have another one. And we’ll figure that out in the next couple of months because there’s much more to talk about here. And I think it gives our audience a good flavor for a couple of guys that have been around a little bit, see in terms of the slope of the mountain we’re trying to climb here. So in any event, thank you also to those listeners that I’m talking to you about and appreciate you guys taking time out of your day to listen to this and until next time, I’m Steve King, your host signing out.