The Retail & Hospitality ISAC Podcast 8.9.23
Ep 33 | 8.9.23

Discussion with Summit Title Sponsor, Synack, & Natura &Co’s CISO

Transcript

[ Music ]

Luke Vander Linden: This is Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center, and this is the RH-ISAC podcast.

[ Music ]

The RH-ISAC hosts regional workshops throughout the year, anywhere between six and eight of them. As a global, largely virtual organization, we do try to do what we can to get out there around the world to meet our members where they are. But our schedule of workshops for 2023 is over, so why am I bringing this up? Well, I got to go to a few of them this year, including one hosted by Natura &Co in London. And while there, I got to spend some quality time with Natura CISO Jonathan Lloyd White. I asked Jonathan if he could possibly join us on the podcast, and luckily for you and me, he said yes. Jonathan has a fascinating background. He's held CISO and security positions in multiple different sectors, and his work at Natura is guided by a strong corporate identity and mission. We'll chat with Jonathan on this episode in a moment. A little intimidatingly, I'll also be joined by the host of another podcast. He's been doing this a while, Blake Sobczak. Blake hosts a podcast called "We're In." About what else? Cybersecurity. That's only one of the hats Blake wears. He's primarily the Head of Communications at Synack, the security testing company. And if that's not enough, Blake is also the Editor-in-Chief of Synack's cybersecurity publication, README. So, since I have a guy whose interest is in the news, we're going to talk about all kinds of current events. What's going on in Russia, what's going on in Washington, maybe even China. If we can avoid causing an international incident, it should be a great conversation. By the way, Synack is also the title sponsor of the RH-ISAC Cyberintelligence Summit, coming up in Plano, Texas October 2nd through 4th. The speaker lineup looks amazing, by the way. One of the keynotes is Deneen DeFiore, CISO of United Airlines, talking about really how turbulent the last few years have been for United and her industry, with COVID, workforce issues, and weather events. And how she's navigated it. Lots of puns in there I think I intended. 
Another keynote is Keren Elazari, also known as the friendly hacker. She's a security analyst, researcher, author, consultant to security firms, government, Fortune 500 companies, really, there's nothing she hasn't done. And actually, I got to meet her when I was in London earlier this year as well. I know she's excited about coming to our conference, but anyway, lots of great speakers lined up. Check out summit.rhisac.org for more details. And it's not too early to register. But before we get to those two great conversations, there is some somewhat breaking news that we should discuss. At the end of July, the Securities and Exchange Commission voted to enact new rules for cybersecurity governance and incident disclosure by the US public companies it oversees. This of course is not a surprise, these rules have been working their way through the SEC for over a year. A first draft was actually issued back in March of 2022. Overall, these rules establish the process and timing by which cyber incidents that are, quote, "material," must be reported to the SEC. And they also require companies to report annually on their cyber risk management and governance practices. There are some notable changes though from the original draft that was published back in March of 2022. The new rules narrow the specific types of information that companies are required to report in response to a material incident, clarifying that a company need not, quote, "disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident." That's one. Two, they also narrow the scope of information that companies would be required to report about their cyber risk management activities, 
removing proposed disclosure requirements related to prevention and detection activities, continuity and recovery plans, and previous incidents, and narrowing the requirements for disclosures regarding third-party service providers. And finally, they modified the requirement for companies to report on specific cybersecurity expertise within their boards of directors, and instead require companies to report on such expertise within the company's executive management team. Thank you very much to our partners at the National Retail Federation for helping us read through the text of the new rules. Importantly, though, the rules have a pretty tight deadline for when they must be implemented. Disclosure of cyber risk management activities will go into effect for any annual report issued on or after December 15th, 2023. And requirements for disclosure of cyber incidents will begin on December 18th of this year. That's for most companies; smaller companies have a little bit longer to comply. As we move closer to that deadline, we will have lots more on this topic. Without a doubt here on this podcast, also at the summit, we'll definitely have a session to discuss the implications and ramifications, and of course discussions will ensue amongst our members on our sharing platforms. But we'd like your thoughts as well about SEC rulemaking or anything else. Shoot us an email at podcast@rh-isac.org, or if you're a member, hit me up on Slack or Member Exchange.

[ Music ]

Now I'm joined by Blake Sobczak, Head of Communications and Editor-in-Chief of README from Synack. How are you? And welcome to the RH-ISAC podcast.

Blake Sobczak: I'm doing great, thanks so much for having me on, Luke.

Luke Vander Linden: So Head of Communications, that's pretty self explanatory. But tell me a little bit more about your role as Editor-in-Chief of README.

Blake Sobczak: Yeah. So at README, it's a really unique vehicle for getting out some of the most pressing cybersecurity stories of the day. Whether it's big breaking vulnerabilities, policy changes in Washington, we really cover it all. And I also edit and manage our weekly Change Log newsletter, which keeps our readers apprised of all the latest developments in cybersecurity. So it's funny, you know, as part of that role I do like to keep my finger on the pulse of everything happening. And sometimes what's old is new again. And you know, one thing I noticed recently is seeing a lot of Log4j, believe it or not, come back up.

Luke Vander Linden: Absolutely. So yeah, Log4j was one of those things that kind of sucked all the air out of the room a couple years ago. And then it seems to happen once a year or so, because we're dealing with CL0P now but tell me about how you deal with those big headline grabbing stories.

Blake Sobczak: Well yeah, that one set off quite a scramble of course when it first came to the fore in December 2021. And it's really interesting, because as you mentioned, you know, I have a dual hat role as Synack Head of Communications, so you know, part of that does entail getting a little bit of a peek behind the curtain at how members of our Synack red team of elite security researchers are actually tackling some of these vulnerabilities and finding them in our customers' environments. And you know, in a recent interview, one of them described that basically that was, quote, "a big party when Log4j broke," because it was just all over the place. But what's really been interesting in the long run on that story is that the National Cyber Safety Board came out and said that hey, this is actually going to be with us for years. And is an endemic vulnerability now. And so it just keeps coming up again and again. And I saw actually reading through some of the Retail and Hospitality Information Sharing and Analysis Center's fantastic response to the Verizon data breach investigations report that that's been an issue as well of just, you know, seeing this Log4j vulnerability that's, you know, still can pose headaches.

Luke Vander Linden: Yeah, these things tend to be sticky. It's a funny analogy, a party. It's not necessarily a party you want to be invited to.

Blake Sobczak: Certainly not. And of course, you know, on the Synack red team side, thankfully, you know, these are ethical security researchers who are carefully vetted and aren't having a party in any way that's going to damage organizations but are rather really helping everybody fix these problems before they can be exploited by bad actors. And honestly, from a news perspective, looking back, I will say, you know, being a cynical journalist background professional now, I was pretty impressed by the response to Log4j. It actually seemed like critical infrastructure organizations, retail hospitality organizations, there weren't too many headline grabbing breaches in the wake of that given its severity. And given that just about everybody was affected in some way or another.

Luke Vander Linden: Yeah, you know, just from my vantage point in our little corner of the world, it was absolutely one of those cases where everybody started working together. Just the sharing and collaboration, everybody coming together and discussing and solving problems for each other. You know, it occurs to me, maybe we should take a step back and tell us about your other hat. Synack's a great supporter of the RH-ISAC. Tell us a little bit about what Synack does and its role in our landscape.

Blake Sobczak: Sure, absolutely. So, at Synack, we do strategic and transformational security testing. And I mentioned that Synack red team, and they're really the power that drives our platform and our customers' interactions with finding the vulnerabilities that matter and making sure that they can, again, really be fixed before they actually cause problems or end up getting your organizations in those negatively oriented headlines. So no, we're really proud to be sponsoring the Retail and Hospitality Information Sharing and Analysis Center's upcoming Cyber Intelligence Summit. I think that's going to be a really great event. And in fact, our field Chief Information Security Officer, Wade Lance, is going to be engaging there with Mark Warner, a VP and CISO at Lowe's, for what's bound to be a really fascinating discussion on exactly what I just said, of you know, Synack's mission and enabling a resilient security posture with strategic security testing. Really elevating the security function to a strategic level where you're actually getting actionable data, measurable information coming through that platform, and of course, they'll be able to talk about it and describe it much better than I could. So, I'll stop there and just say be sure to tune into that conference because I think it will be a really good one. And attendees can stand to learn a lot about how to maintain that proactive posture that, again, worked for Log4j, got to make sure it's working for the next big vulnerability to drop.

Luke Vander Linden: Alright, well let's go back into territory where you are more comfortable discussing. And that is the news in the cybersecurity world. So what, other than Log4j, what's out there right now that's surprising or interesting to you?

Blake Sobczak: Sure. Well, I will say one thing that surprised me recently is related to the Russia-Ukraine conflict. Right? Because we had this just absolutely unbelievable, unthinkable war break out in Europe here in the 21st century. And we know that Russia has often been a top tier cyber threat to US targets. And it's been surprising how that conflict hasn't really spilled over. You know, it's been described as sort of the world's first hybrid war, where Russia's really deploying, throwing everything they can at Ukraine from both a physical and a cyber perspective. And certainly there are lessons to be learned there from US organizations looking at it. But it hasn't had that sort of, you know, thinking back to some of the record breaking ransomware threats that just spread beyond their bounds. And the NotPetya malware that was really just destructive in nature. We haven't seen that. And so that was, that's been a little surprising. But you know, and also on the geopolitical front, I should add, you know, I don't think that just because we haven't seen those really concrete cyber threats from Russia as much, does not mean that organizations can avoid geopolitics. Unfortunately, it's just, it's a reality nowadays that you need to be paying attention to that.

Luke Vander Linden: Right, so what do you attribute, if you can, the lack of the cyber activity part of the Russia-Ukraine war that you just described to?

Blake Sobczak: This is maybe a bit of a spicy take, and of course, keep in mind, caveat, I don't have any special vantage into like intelligence. Synack's co-founders are both ex-NSA, I have no such pedigree. I got a degree in journalism. But, you know, having followed this space for quite a while, I will say I got to wonder if maybe we didn't over-hype Russia's cyber capabilities a bit. You know? They're one of the few countries that has demonstrated an ability to cause like cyber physical impacts, to really build some tailored malware and deploy and succeed. And even causing physical disruption like they did when targeting Ukraine's power grid in 2015 and 2016.

Luke Vander Linden: Right. I was going to say they did have some successes at least attributed to them prior to their attack.

Blake Sobczak: Of course. But then guess what? Last year, they basically just dusted off some of the same malware they tried last time against Ukraine's grid and threw it at them again, and it was pretty easily rebuffed when it came to, you know. So it's either, you know, I think there are two sides to that coin, of course. It's also a testament to Ukraine's defenses that they were able to hold up and withstand some of these assaults. So, you know, maybe people shouldn't rest too easy with the Russian cyber threat. But I do have to wonder if it hasn't been over-hyped.

Luke Vander Linden: You know, it's interesting that maybe history's repeating itself. I think probably near the end of the Cold War, the Soviet Union was overestimated as well by the West. When it was really falling apart for many years before we knew that it actually did. We're both getting out way over our skis here with our analysis of the geopolitical situation. But --

Blake Sobczak: I'm here for it.

Luke Vander Linden: Yeah, let's do it. So, I guess the other question I have related to Russia-Ukraine is do you have a vantage point into different sectors? Obviously retail and hospitality is what we focus on, but is there, are there attempts, you mentioned the power, the Ukraine power grid. Is the situation different for different sectors?

Blake Sobczak: Certainly. And you know, it's very hard sometimes to disentangle the cyber criminal nexus of the Russian cyber threat from the state backed one, right? And so I would say from a retail perspective, obviously pretty much everybody these days is operating almost as a financial institution. Right? And you have a lot of payment, you know, whether it's processing, whether it's apps or those APIs, you know, you're going to have some money that might be an attractive target to that criminal element that can ride right along with the state sponsored threat. So I would say, you know, putting myself in the shoes of some of your members, that's something that I would certainly be focused on for Russia is who's trying to extort me, you know? A lot of these GRU hackers spend part of the day doing, you know, something on a Ukrainian target set and then maybe try to make a quick buck on the side with some cryptocurrency. And that's a big danger.

Luke Vander Linden: Everybody needs a side hustle, right?

Blake Sobczak: That's right, that's right. You got to support whatever's playing out in Moscow.

Luke Vander Linden: So Russia-Ukraine's not the only hot spot in the world. Potentially China-Taiwan. China is one of those bad nation state actors that we know. Anyway, so where else should we be looking?

Blake Sobczak: Oh, well, I mean you just hit the nail on the head right there. I think every organization worth its salt needs to be thinking about and planning for what could happen if China did invade Taiwan. And this is something that came up at the recent National Security Summit, there was an intelligence summit in DC that really brought together leaders of all the major intel agencies and China was a central theme. You know, we covered that for README, again, where I'm Editor-in-Chief. And there was a prevailing sense that it's not if but when, actually, which is a little bit surprising to me. Similar to the run-up to Russia's invasion of Ukraine, how US intelligence telegraphed that, I feel like they're kind of telegraphing that now with China even though it's on a little bit of a longer timeframe. And so, I think as organizations, you know, do some of these war games and you know, table top exercises, what does that look like? What does a Taiwan invasion look like? I mean that's going to affect every sector from retail down to, you know, the global financial networks to, you know, it's just going to be immensely disruptive. And we have seen China really, I hate to say, you know, come into its own as a top-tier cyber threat. To the extent that it's really started to eclipse Russia in all these intelligence estimates. So yeah, definitely one to watch.

Luke Vander Linden: Yeah, so you're based in DC. But Synack, of course, is a Silicon Valley company. So what's your view for Washington these days when it comes to cybersecurity policy vis-a-vis retail and hospitality or any sector that you want to mention?

Blake Sobczak: Sure. Yeah, no, it's funny because I'm actually based right down the street from the Securities and Exchange Commission. I'm right on Capitol Hill here, and they have been keeping very busy on the cybersecurity front lately. And in fact, they just passed a rule requiring that publicly traded companies, including many RH-ISAC members, really disclose material cybersecurity incidents within four days. Now.

Luke Vander Linden: Four days, that's the rule.

Blake Sobczak: Four days. That's the rule. Now, what constitutes material? You know, how is that going to actually play out in practice? You know, how is it going to potentially conflict with rules coming out of like the Cybersecurity and Information Security Agency that's pursuing a three day reporting requirement? You know, it's going to be a big Capitol Hill politics, policy mess, I think going forward. And it's certainly controversial. So I've been definitely following that. You know, again, I'll caveat this by saying I'm sure many RH-ISAC members have their own very capable government affairs teams, and you know, industry groups keeping their finger on the pulse of this. I really do think that this could shake up the way that we see cybersecurity transparency. And with some of these incidents coming to the fore, it's going to be a big challenge. I mean four days is pretty tight. A lot of organizations are still going to be in the throes of responding to an incident. And they're going to have these requirements come down.

Luke Vander Linden: Right, I was going to say, even if you were just gathering information, that's tight. Not to mention the response. You're still going to be in the middle of it.

Blake Sobczak: And then you're going to get all of the press scrutiny that comes with that. And so it's not surprising that there has been quite a bit of back and forth over this. Now, to pivot a little bit, I will say that another big news item I've been following is, and that we're all following really frankly at Synack, is this White House National Cybersecurity Strategy and its implementation plan. And that is, you know, sometimes it can be a little hard to quantify developments coming out of DC. As far as you have some of these really high level documents and strategic documents. And it's like okay, what really matters? Where the rubber hits the road, how is this actually going to change, say, again, how I do business as an RH-ISAC member. What's really going to happen? And I do feel like this one feels pretty different. I think you get a sense that the White House is really signaling that it's ramping up on the federal side first and then what follows is potentially on the industry side. And so, again, if I were in the shoes of one of your members, I would be paying very close attention to how this rollout goes. I will say there are also some unique things, of course, that the White House is positioned to do as part of this plan. Such as disrupting some of those threats from abroad, right? I mean, cybersecurity companies can play parlor games all day long trying to pinpoint where threats are coming from, but you're not actually going to hack back or arrest anybody. That's up to international law enforcement. That's up to the White House. So this, you know, these sorts of plans can really make a difference both on the domestic policy side, but also on the international enforcement, and apprehending side.

Luke Vander Linden: One of the buzzwords that the National Office kept using is harmonization. It's hard to say. Harmonization.

Blake Sobczak: Harmonization, yep.

Luke Vander Linden: What do they mean by that, and how do you think it will affect companies and our members?

Blake Sobczak: Well, I think a great example we just talked about, which is the SEC, you know, the Securities and Exchange Commission, pursuing its own reporting requirement. Well perhaps CISA, the Cybersecurity and Infrastructure Security Agency, pursues another, right? You've got to find that harmonization from the federal government perspective. Because if you have confusion and you have different agencies doing different things, I don't care if they're independent agencies or if they're, you know, White House cabinet agencies. They all got to be marching to the same tune, or you're not going to get the kind of results you want, which is improving critical infrastructure security, avoiding some of these bad outcomes in the cyber world for everyone.

Luke Vander Linden: It would seem very positive, when that message came out. But then again, as you say, different message potentially from the SEC more recently. And not to mention, by the way, if we want to extend this conversation into privacy laws, right now we have a patchwork of different states making laws. And there's still not movement as far as I can tell on the federal level of kind of merging all those laws into one policy.

Blake Sobczak: That's a really good point. No, that's another, just another item on the very small list that we've tackled so far here to pay attention to.

Luke Vander Linden: Well I have to say, you're well rehearsed as a podcast guest, and that's because you're also a podcast host. I'm looking at you on video and you've got all of the equipment there. So tell us about Synack's podcast and what you do there and some of your guests.

Blake Sobczak: Yeah, so our podcast is called "We're In," like the old hacker mantra. And we feature some of the brightest minds in cybersecurity. And you know, that includes anybody from renowned journalist and cyber advisor, Nicole Perlroth, to one of my most -- one of my favorite recent guests, actually, Corey Ball, who is kind of a specialist in hacking APIs in an API security. And you know, basically, it's an interview style podcast. So I kind of walk through similar to what we're doing here. Just back and forth and really trying to move the cybersecurity community forward and share valuable and insightful information. And you know, one thing I've learned so much from talking to these people, because again, I'm happy to expound on the Russia, you know, Ukraine cyber threats and whatnot, but ultimately, there are so many great people out there with just fantastic expertise. And Corey, again, of that author of "Hacking APIs" fame, is really just one such example. And he just helped me understand this new threat vector that's taking over. I mean, APIs now account, API calls account for 80 plus percent of all internet traffic.

Luke Vander Linden: Oh, yeah.

Blake Sobczak: Which blew my mind when I heard it because I'm thinking what the heck is an API on some level, right? Like I just didn't have a good sense of what this was. And you know, at Synack, luckily, we have SRT members who do understand that, Synack red team members. And you know, we have added API testing to our portfolio offerings, but Corey was really able to unpack, you know, he used a great analogy which is like a restaurant analogy. Where you go and you talk to a waiter and you try to get your order sorted. And then they go back to, you know, to the cooks and back to the kitchen. And then deliver it to you. And the waiter essentially functions as an API. And when you have so much going through these APIs, it's become its own beast of a threat vector. And you have, you have now the OWASP Top Ten just for API vulnerabilities because it's being exploited and costing so much per breach. So really, it was a really illuminating conversation and it helped me get a firmer grip on what certainly is going to be a trending issue for years to come here.

Luke Vander Linden: Wow, well talk about trending issues. Topic that comes up quite a bit. How about AI? I'll remove one letter from it. What are your thoughts on it? Maybe this has been beat to death, but give us your take.

Blake Sobczak: No, I think it's a great question. I don't think it's been beaten to death. I mean, of course, we are in the prime center of this hype cycle with AI, right? I mean, everybody's buzzing about it. Earnings calls are buzzing about it. You know, you just got to have some kind of AI facet. And there's a reason for that. This time feels different, right? We have these incredibly powerful generative AI platforms and programs just seeing widespread use. Honestly, I don't think we even have a firm grasp yet on what vulnerabilities could exist in these. We're just starting to scratch the surface on AI and AI security. I mean, you can get some of these programs to spit out sensitive data that perhaps somebody was accidentally uploading in their own AI prompting. You know, you can get, there are just so many things that we have yet to wrap our heads around. Now, I do know that of course, the RH-ISAC members are no strangers to the AI trend and phenomenon. And of course, have been kind of on the cutting edge of this for years. So for example, I recently visited Indianapolis. And I stayed at a hotel where I'm a member of the loyalty program. And you know, as I understand it, there have been dramatic improvements to the customer experience in some of these programs, based in large part on AI. Again, the large hospitality companies are no strangers to this technology. But it is going to be very important to monitor for vulnerabilities to make sure that you're not delivering something that customers didn't expect. Or that, you know, the AI comes up with, you know, some facet of the customer experience that's maybe a little off or feels wrong. We're still struggling to wrap our heads around the full scope of some of these tools. And you know, I don't doubt that the opportunities are just boundless, and obviously worth so much more than the risks. But I think it's important to recognize that there are risks.

Luke Vander Linden: So, tell me, for Synack, what do you have next on your plate? Any events where we can meet you? I know other than our summit, I know you'll be there.

Blake Sobczak: You mentioned the summit, and yeah, that will be really exciting. We are also at Black Hat. Now I personally, unfortunately, couldn't make it this year. But Synack's booth is jumping the shark, we'll say, with literal sharks. So, I would definitely encourage any visiting RH-ISAC members to swing by and see them swimming. I think it's the first time that's been done in Black Hat history to my knowledge.

Luke Vander Linden: Or possibly at any show. So you have large tanks with sharks at the booth, or?

Blake Sobczak: You got to see it to believe it.

Luke Vander Linden: Okay, excellent. We'll be there. But again, not me. Like you, I'll be stuck here on the east coast.

Blake Sobczak: Well I will say I'm excited to kick off the next season of the "We're In" podcast coming up. And not to steal your thunder here with podcast hosting, but I would love --

Luke Vander Linden: Steal away. Take it.

Blake Sobczak: I would love to have some guests from the retail and hospitality sectors. Because I do feel like, you know, CISOs there have such a unique perspective gleaned from, you know, like, talk about like casinos, right? That's such an interesting security dilemma. I mean, you have, that's where the money's at, right? And so you're going to be targeted by all sorts of nation states, criminals, everybody. You know, hotels. We mentioned Marriott. There's just, I feel like so many of your members are going to be on that tip of the spear, fingers on the pulse of all these cybersecurity trends that I find so fascinating and I'm so lucky to get to really dive headlong into in my day-to-day work. So, I'll leave it there. But yeah, thanks again, for having me on the show to share some of my thoughts on these wide ranging topics here.

Luke Vander Linden: Well, I will agree with you that the guests are what make the shows work. And make the podcast popular. If someone is interested in being on your podcast, how do they get in touch with you?

Blake Sobczak: Well you can find me on all the big social platforms. You know, X, now, I should say rather than Twitter.

Luke Vander Linden: What's the verb going to be, by the way? When you post on X?

Blake Sobczak: You know, that's a good question. I haven't thought about it and I hope honestly to not have to think about it too much. But we'll navigate that. And yeah, feel free to reach out to me, I'm active on LinkedIn and just, you'll find me on Synack's site too, no problem. So.

Luke Vander Linden: Easily found. Well, Blake, thank you very much for joining me. This is Blake Sobczak, Head of Communications, README Editor-in-Chief, and host of the "We're In" podcast. All for Synack. Great supporter of the RH-ISAC, and the title sponsor of our summit coming up in October. Again, thanks for joining us on the RH-ISAC podcast.

[ Music ]

Luke Vander Linden: Jonathan Lloyd White, great to see you again. It's been a while since we were in London together. Thank you very much again for hosting one of our regional workshops earlier this year.

Jonathan Lloyd White: My pleasure, great to see you, Luke. Thanks for inviting me along.

Luke Vander Linden: So, you know, it seems like you know everybody. You worked in so many different sectors. But tell us about your role at, let's start with your role at Natura &Co.

Jonathan Lloyd White: Great. Yeah, I've worked in a few different sectors. And I'm very lucky to have done lots of different jobs. But I'm delighted to be part of Natura &Co. And I'm the group CISO at the moment. I have around 40 staff based around the world. So I've got teams in São Paulo and London and Warsaw. And I report pretty much directly to the board. I've got a direct line to the CFO. But I spend most of my time dealing with the board, talking to the board, execs, and non-execs. A very lucky position to be in.

Luke Vander Linden: That's terrific. We should talk a little bit about that. Because reporting structures are different pretty much everywhere these days. But like I said, we saw each other last month, or in June. You had a mini reunion of sorts with our aviation ISAC colleague, Jean-Francois Simons. So, like I said, you worked in so many different places, tell me a little bit about your history professionally.

Jonathan Lloyd White: Yeah, thank you. So yeah, that's right, I used to work in the International Airlines Group where I was the CISO for British Airways, Iberia, Aer Lingus and other airlines, which was a fantastic privilege. Loved that job. But as I said when we met, I was the most environmental aviation CISO in history because I don't think a single plane took off the whole time I was there due to COVID. So. Challenging times. But great industry to be part of, I really enjoyed my time there.

Luke Vander Linden: And where else have you worked before? There and before Natura.

Jonathan Lloyd White: So before IAG, I was CISO in Sumitomo Mitsui Banking Corporation. So, [inaudible] corporate bank. I was the CISO for EMEA, really enjoyed working with colleagues from Japan and from New York and being the man in the middle between those two cultures. Fascinating place to be.

Luke Vander Linden: Wow, yeah.

Jonathan Lloyd White: I really cut my teeth as a CISO in a highly regulated industry like that. So yeah, great learning curve for me. And then before that, I was a security director for HM Revenue and Customs. Which is the UK tax authority, like the IRS in the States. And I was there for four or five years as the security director. And that was my first big security job, really. So fantastic place to learn my trade.

Luke Vander Linden: Government's an interesting animal of its own. Any brushes with power while you were there?

Jonathan Lloyd White: Yeah, a few. I had a few frenetic phone calls with the Chancellor, to Tiberius [inaudible] and scrapes at the time. So one Gordon Brown. So dealt a bit with him and yeah, lots of other people as well. So I'm very lucky.

Luke Vander Linden: Excellent. Impromptu call with the future, at the time, PM. So all in a day's work for Jonathan Lloyd, right, yeah?

Jonathan Lloyd White: Oh yeah, that's right, yeah. It was a bit of a tricky situation. Incidents. And I was actually on a train when he rang to say what the hell's going on? And I had to say oh, I'm sorry, boss, I'm on a quiet carriage, I can't talk.

Luke Vander Linden: Rules are rules. Quiet cars are nothing to mess with.

Jonathan Lloyd White: More importantly, took me some time to find out what was going on and give him a proper call back. So yeah, that was a moment.

Luke Vander Linden: So moving back to where you are now at Natura &Co or "eCo," tell us a little bit about their business, their brands, what they do, and how they operate now.

Jonathan Lloyd White: Yeah, great. Well it's a company, I must admit, I didn't know much about when I started looking for this role. It's a cosmetics company based in Brazil. Very famous in Latin America. Very highly regarded brand, Natura. We're based in 100 countries around the world. We've got 2.5 thousand stores, 32,000 staff. So pretty big. And a brand that almost everyone will be familiar with. That we own. Including Natura as a brand. Avon. The Body Shop. And until recently, Aesop. High end brand that we've just sold to L'Oréal. So sorry to see them go. So now we're going to be three brands, as I say. And we're a fascinating company. Because we're properly purpose driven as an organization. And when you join a new organization, you're never sure whether the marketing is true or not. And whether it's going to live up to the hype. But what I've found since joining is that we really are a purpose driven organization. So, the aims are to drive real positive economic, social, and environmental impact throughout the world. And the slogan, which I love, is we want to be the best beauty group for the world, not in the world. We're not interested in being the biggest or the best. Except to drive public change. So really, really exciting and positive place to work.

Luke Vander Linden: So tell us a little bit about those values. It's interesting, I always, I often have to correct when we've written out the name of your company because people want to put that space between the ampersand and the Co. But that's on purpose, that they're smashed together, eh?

Jonathan Lloyd White: It is, yeah. And they're very, very clever sort of aesthetics. And ethics go together. So we're an organization that's really built on relationships. We want to do business in a better way for the world. And yeah, the &Co means of course Natura and the other companies, but it also means it's about eco. So "and" in Brazilian Portuguese is "e". So that then spells "eCo". So you've got Natura &Co reflecting that sense of environment. And we've done some really important things in the world. So we are founded on the principles of trying to protect the Amazon, or Natura was founded on that basis. And we have procured 2 million hectares of Amazon rainforest in order to conserve and protect it. And what we've managed to do is create the business model where we work with indigenous and local people in the Amazon to harvest in a sustainable way nuts and seeds and other plant products that we then use in our cosmetics. And what that does is it gives those communities an income stream that allows them to be sustainable. Therefore protect their livelihood against the loggers and the deforestation because they have an economic viability that depends on the sustenance of the forest, sustaining the forest and keeping it there. So it's a real brilliant virtuous circle. And that's just Natura &Co. The other key brands that you might be aware of, Avon, established 135 years ago.

Luke Vander Linden: Right. Iconic brand. Worldwide.

Jonathan Lloyd White: An iconic brand, everybody's heard of it. Yeah, absolutely. You know, and whenever you talk to someone they said, oh, my mom used to do that. And it's the same for me as well.

Luke Vander Linden: It's like you're quoting me.

Jonathan Lloyd White: Yeah, that's what everybody says. And that's a lovely thing to have. But Avon's roots run really deep. It was set up as an organization to give women financial independence. 135 years ago. So that's truly visionary. And it's still doing that today. All around the world. We have 8 million reps and consultants around the world. So a really big organization. And our business model is a business to business organization. So we sell to those micro businesses. Who then obviously sell on. So pretty unique business model. And really sort of transformational in people's lives. So more than just about selling make-up. It's far, far more than that really.

Luke Vander Linden: And of course, lots of data on all those people.

Jonathan Lloyd White: Yeah, lots of data. Absolutely right, yeah, that's right. And the other brand, I just mentioned, of course, is the Body Shop. And people might be familiar with the Body Shop. Again, an iconic brand, set up in the 80s by a visionary leader, Anita Roddick, in the UK. But now a global brand as well. And that was set up with the aim of doing business in a better way. So transforming the way in which cosmetics are produced. To stop testing on animals and such like. And many other campaigns and positive messages as well. So you could see how these three brands kind of work together as a set. They all have real purpose and drive at their heart. And that just shines through in all our, everything that we do. So, as I say, we're a relationships built business. And getting on within and with our ecosystem and our partners is really key to what we do.

Luke Vander Linden: I saw an advertisement when I was walking through London that it's a B-corp. So what does that mean? I wasn't familiar with that term.

Jonathan Lloyd White: Yeah, so B-corp is kind of a badge of honor in a way. So for having the highest possible standards in ethics, governance, and social responsibility. So, Natura &Co is the largest B-corp in the world, and part of the founding group of companies that created B-corp. And once you start seeing the logo, you'll start seeing it everywhere. It's like a lot of those things. And it's really been at the high water mark of what we should all aspire to be as business people. So really, really good thing to be a part of.

Luke Vander Linden: So, when you work, and I've talked with other CISOs who have, who work for a company that have a very good set and a solid set of principles that they run their business around. How does that affect your strategy as you operate the information security department from a staffing, a strategic perspective, just a management perspective?

Jonathan Lloyd White: Yeah, it's been really fascinating. So in joining Natura &Co, my mission really was to create a single group entity around cybersecurity. To serve all our brands in one go. When I first joined, there were four separate teams who didn't really talk to each other. Who acted fairly independently, each in a very small way. And the mission was really to drive the power of the collective to work together and get much more from our individual efforts. So very quickly brought together the teams from around the world, shook them up, repositioned them to a new structure, and in that way, have managed to really learn the lessons and drive best practice across the group from all those different teams. For example, the former head of security for Natura is now my head of strategy. And he's, you know, learning and growing around the rest of the brand, but also bringing a lot of the knowledge and expertise and culture from Natura &Co to the other parts of the group. So it's been really fantastic. I feel like we're kind of trailblazing in that model for how we want to work as an organization. Bringing the best of each of the group companies together to work on cybersecurity. Which is a unifying topic, isn't it? So a really good thing to kind of rally around. So it's worked really well.

Luke Vander Linden: So based in Brazil. Obviously, worldwide brands. You sit in London but you have staff all over the place. You mentioned Warsaw before. So it is truly not only in name and in product, but from your department, truly a global enterprise. So what are the challenges that come with having people sitting all over the place like that?

Jonathan Lloyd White: Yeah, well, so the usual things around language. And around culture. And around time zones. All those things make life a little more interesting. And those are things that you just have to enjoy. You have to get on with it and really sort of enjoy the cultural differences and the language differences and work harder then. So I was very lucky to get my whole management team together in person the week before last. And it was just fantastic to get together. It's the first time we've all been together in a year and a half in that way. And just really cement those relationships. So, of course, we spend most of our time there working over, you know, Teams and Zoom. And spend a lot of time making sure we understand each other, I guess. That's one of the big challenges. But time zones, too. So I've had people in Melbourne. And you know, trying to connect those people emotionally to the rest of the team, constant issue. Constant thing to focus on.

Luke Vander Linden: That's fascinating. So, from a threat standpoint, do you see a difference based on geography, or is it more sector specific in your experience?

Jonathan Lloyd White: I think it's mostly sector specific. I don't think the regions make that much difference. The URL, the IP, doesn't make that much difference to the attacker, does it? So, they will go wherever the money is. So for me, I think that the threats are pretty global. They're the same around the world. I mean, there are some regional variations, I guess, that people might attack in Brazil. But the Philippines or Thailand. But broadly, it's immaterial. So I think the risks, the threats, rather, feel rather universal. But the risks are different. We have very different IT maturity, cultural maturity in each location. So the risks are different but the threat's the same, if you see what I mean. And we spend a lot of our time working out how to do things in a standardized group way to drive efficiency. But then meet the needs of the local teams and the local risks. So that's a key factor of what we do. And our BISO network is really key to how we make that work.

Luke Vander Linden: You know, we just had a great chat with a BISO from one of our members on our last episode. And so tell me about the importance of having BISOs at all these brands?

Jonathan Lloyd White: Yeah, so for me, they're the kind of translators. They're the brokers or the diplomats that manage the group function. And work for us. They report to me. But they have strong connections, friendships, allegiances, with each of the business units. And they literally act as diplomats, managing the relationship between the kind of holding function, the group function, and the local people, the local teams. It's a very tough job, very tough job to do. But absolutely crucial to our model and I have to say, I'm super lucky to have the BISOs that I've got on my team who manage that, that superbly well.

Luke Vander Linden: So in your case, they serve a business relationship function but also a geographic function as well, because they are where they are?

Jonathan Lloyd White: Less so. A little bit, but less so. Because each of the brands is global. So it kind of doesn't matter where they sit because, you know, for Avon, for example, Carolina has Avon reps all around the world. So that doesn't matter so much. It's more connection to the business. And the brands that in themselves might be global as well.

Luke Vander Linden: So now that you've integrated your teams, perfectly, beautifully, without any hiccups at all, and you have this distributed workforce covering the globe 24 hours a day, what do you see as your next steps, next challenges for your role at Natura?

Jonathan Lloyd White: Well, one of the things that we've done over the last year, really, is not only build the internal team, but also make sure that we've partnered with the best partners that we can find that fit really well with our organization. So, at the start of this year, we've onboarded a new security operations center provider. A new vulnerability management service. A new third-party risk management service. A new identity and risk management service. So you can see we're just in the early stages of building those long-standing, deep partnerships that we will require for years to come. So I see my role as not only building the internal team but building the ecosystem of support around the organization. And really leveraging the best that we can get our hands on. And so I've put a lot of time and energy into finding the right partners. Not the biggest. Not the most specialist, but just exactly the right fit for us. Who have the same values, the same culture, and the same ethos as us. And really now the job is to make sure that we grow those partnerships together and mature as an organization. So we measure ourselves against NIST maturity and my performance, my team's performance, is really benchmarked against that NIST heading. And I'm doing the same with my partners. I'm making sure that we're all driving towards that increased maturity, and then by proxy risk reduction at the same time.

Luke Vander Linden: And if you had to get out your crystal ball, where do you see -- since we've had your toe in so many different sectors. What do you see as the future of cybersecurity? And like what are the threats that we're going to be talking about a year from now, five years from now, and what are the ways that we're going to have to respond differently in those times?

Jonathan Lloyd White: Oh gosh, I wish I knew. I wish I knew.

Luke Vander Linden: We only have an hour left, so feel free.

Jonathan Lloyd White: That's right. So, well, I always say that security is additive. So nothing ever drops off the end. None of the risks ever go away. You can still get infected through, you know, a USB stick or something. So all those old risks are still there. We just keep adding to them, you know? And of course, the latest risks are all around exploitation of AI and things like WormGPT, which is the latest thing to hit the news in [inaudible]. So obviously that's going to be a big topic. You can only really see anything but an exponential increase in the speed at which malware is produced and attack threats increase. And I guess we're just going to have to try and keep up with that. No change there. I think really, you know, feet on the ground, though, my biggest challenges are the organization continually transforming itself structurally, but also, in moving continually away from old IT platforms and moving towards more modern ways of working. And that's what really keeps the job interesting up close and personal, you know? So the projects going on in the business to transform its digital space, its omnichannel approach, all those things are really what I think I'm going to be busy with. Probably for at least the next 12, 24 months.

Luke Vander Linden: Excellent, well, don't want to take up too much more of your time because you got to get back, being busy with those things. But Jonathan Lloyd White, thank you very much for joining us on the RH-ISAC podcast. Good to see you as always. Hopefully it won't be another year before we meet again, whether it be in London or elsewhere. But of course, I'll see you, you're on our membership committee. So I'll see you in our next meeting there as well.

Jonathan Lloyd White: You will indeed, Luke. Thanks very much. I really enjoyed chatting with you, thank you very much.

[ Music ]

Luke Vander Linden: Thank you to both of my amazing guests for a great couple of interviews. Jonathan Lloyd White, CISO at Natura &Co, and Blake Sobczak of Synack. If you want to discuss anything you've heard today, or if you have an idea for a podcast segment or want to be on yourself, or if you want more information about membership in the RH-ISAC, shoot us an email at podcast@rh-isac.org. As always, thank you to the production team, we couldn't do it without you. For the RH-ISAC, that's Annie Chambliss and Marisa Troscianecki, and from the "CyberWire," Tre Hester, Jennifer Eiben, and Elliott Peltzman. Thanks as always for listening, and stay safe out there.

[ Music ]