In the latest installment of Cyber Talks, CYE Founder and CEO Reuven Aronashvili and Field CISO Ira Winkler joined forces to talk about the budgetary cuts on the horizon as a possible recession sets in, the new kinds of crimes we can expect to see involving Web3 and blockchain, and what CISOs should be telling management. Here are some key takeaways from their discussion that left listeners inspired.
The Crimes of 2023
Looking to 2023, Aronashvili and Winkler agreed that cryptocurrency theft and NFT attacks against Web3 are going to feature prominently, “because they are easy money,” explained Winkler. As for what else companies should be worried about, the two agreed it won’t be revolutionary crimes but rather evolutionary ones.
“Whatever the criminals are doing successfully today, they will find ways of doing more successfully tomorrow,” Aronashvili said.
Unpacking the great promise of Web3, Aronashvili and Winkler discussed blockchain technology and how it is not all it’s cracked up to be in terms of security. The duo weighed in on the common misconception that the blockchain provides bulletproof security. The blockchain, they said, is a single platinum card in a house of playing cards: the card itself is very secure, but everything around it is exposed to threats. This metaphor served as the backdrop to experiences the two have had with major internet-based clients who hadn’t built cybersecurity into their products because they figured blockchain technology was enough.
In the context of cryptocurrency, Aronashvili and Winkler touched on the latest attacks on blockchain environments, which come from newer, less secure areas such as fledgling trading platforms that lack the maturity and security of the blockchain itself. The cyber crimes happening on these trading platforms go beyond the account hijacking and DNS poisoning we are used to seeing: they involve attackers targeting the open-source code used to build the trading platforms.
The Scientification of Risk Management
When it comes to security budgets in 2023, Aronashvili predicted that in light of the economic downturn, they will either stay the same or be slashed. CISOs who don’t adopt a scientific approach to security risk will fail to explain to management what cutting the cybersecurity budget actually means for the organization.
Security leaders need to learn how to speak to management about their budgetary needs based on numbers that the C-suite cares about, and not based on hunches and gut feelings, the two said. They need to understand the numbers, attach quantifiable value to cyber risk, and then talk about the budget they need to reduce the risk. That is risk management. But instead, Aronashvili and Winkler explained, many CISOs still approach management with a guesstimation of what they need and what level of security they can provide.
The Risk of Overpromising
Aronashvili and Winkler agreed that the problem really starts with CISOs overpromising. Security leaders tend to think of themselves as preventers of security breaches, rather than managers of incidents. They promise management they are “doing security,” which implies the absence of risk, which is obviously misleading and impossible. Incidents will happen, that’s a given, and CISOs need to be able to say that to management. Mature CISOs know to say their job is to mitigate and manage risk—not eradicate it.
Shared Accountability for Security
Monumental breaches like Equifax and Target have changed the power dynamic around cybersecurity in organizations. Some 10 years ago, it used to be that a company was hacked and the CISO’s neck was immediately on the line. In firing the CISO, management thought they had taken care of the problem. Things are obviously very different today, Aronashvili and Winkler said. And while the CISO is still the point person for all things security, as the attack routes increase and the costs of breaches grow, security is becoming a company-wide responsibility.
You’ll find more threat forecasts and insights on cyber risk management in the full discussion, where Aronashvili and Winkler also touch on the reality of ransomware and how companies should be prepared for it, as well as on the age-old question of defensive security versus offensive and how companies should do both. All these and more in the latest Cyber Talks.
Cyber Talks is a space to bring CYE’s security leaders and experts together to share their stories, insights, and forecasts with our community and beyond. Visit Cyber Talks for the full discussion.