The Retail & Hospitality ISAC Podcast 2.28.24
Ep 45 | 2.28.24

InfoSec Team Organizational Charts, Founding RH-ISAC, and the Intelligence Briefing

Transcript

Luke Vander Linden: Hello there, this is Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center, and this is the RH-ISAC Podcast. [ Music ] I'm very lucky that I get to host this podcast, and sure, it raises my personal profile with you and our tens of listeners, but we have an amazing team at the RH-ISAC. I'm forever in awe of the work they do, and I'm happy that from time to time we've gotten to use and showcase their talents on our little show. This episode features several of my colleagues. We welcome back to the podcast Kristen Dalton, Director of Strategic Engagement, Research and Analytics, and she'll welcome back Piyush Jain, a Global Managing Director for Security at Accenture. Kristen and her team and Piyush and his team just collaborated on a new research initiative for the RH-ISAC, our first ever organizational benchmark, which was published earlier this month. For the study, we and they collected more than 70 organizational charts to better understand how information security teams are structured in terms of capabilities and reporting, and Accenture's analysis wrapped it all up. I'm sure Kristen and Piyush will be discussing that initiative, plus many of the other security issues facing retail and hospitality and the travel industries today. And of course, we're all well acquainted with the incomparable, the one and only Suzie Squier, RH-ISAC President. She continues her series of interviews with the CISOs and cybersecurity professionals who had a hand in getting the RH-ISAC started 10 years ago. This time, Suzie sits down with Richard Noguera. Rich is now CISO at Cisco AppDynamics, but back when he was a member of the RH-ISAC Board of Directors, he was CISO at The Gap. And finally, since this is the second episode of the month, we'll welcome back Lee Clark, Manager of Cyber Threat Intelligence Production for "The Briefing". So a star-studded episode, at least in my view. 
You know, our office is entirely remote. You may see a Virginia address on our website, but no one actually lives near there or goes into that office. So I only get to see my co-workers a few times a year in person. The next time I see them, we'll be at the RH-ISAC Cyber Intelligence Summit in Denver in April, and I'd like to see you there too. Go to summit.rhisac.org to register and get more information. As always, if you have something cybersecurity-related you'd like to contribute, shoot us an email at podcast@rhisac.org, or if you're a member, hit me up on Slack or Member Exchange. [ Music ]

Suzie Squier: On this podcast episode, I have the pleasure of catching up with Rich Noguera, who was one of our founding board members. And we'll go back to the old days in a little bit and talk about what those times were like from your perspective. But in the meantime, Rich is the CISO of AppDynamics, which looks really interesting. So I thought, can you just give us a little bit of info about what AppDynamics does?

Richard Noguera: Yeah, so AppDynamics is an application performance management platform, APM for short, right? And it's part of a larger observability portfolio where we basically take all data, starting first with application performance, where can we optimize it and help it out? But secondarily, the product part that I own is actually the real-time application security capability of that. So what threats are there and how can we secure business transactions in real time, which is great. I've been here, you know, a good three years and right after Gap, which we'll spend some time on, I did a couple of stints with a fintech startup and a different observability startup. So it all lined up pretty well.

Suzie Squier: Oh, good. Good. You like where you are? You like what they're doing? Good stuff?

Richard Noguera: Yeah. Big news today is that we're making moves to acquire Splunk, which is huge for us in the sense of the data and the capabilities that that gives us access to. So I'm super excited about that. So yeah.

Suzie Squier: Splunk is in the news today with those kind of pieces of information.

Richard Noguera: So yeah, huge.

Suzie Squier: Yeah. Yeah. Oh, good. Well, good. Well, thanks. That's good. Good luck to you. And thanks for joining us. It's great to see you again. It's been a while.

Richard Noguera: It has been a while.

Suzie Squier: It has been a while. So let's go back to 2014, as we all know, kind of the start of the then-RSISC, but also kind of a key, a pivotal point for information security officers, at least within the retail world at that time, and I think was the growth probably of the position, I think, and many would say. Yeah. So you were with Gap. Tell me what it was like, if you can remember, within Gap at the time that news of the Target breach came out, and then subsequently down other retail breach going on that year as well with Home Depot. But tell me where you were, were people coming up to you, were you being flooded with questions? Do you remember what it was like when you were there?

Richard Noguera: Oh, yeah. It's hard to forget, right?

Suzie Squier: Okay.

Richard Noguera: So I landed at Gap right within weeks of the Target breach.

Suzie Squier: Oh, I didn't know that.

Richard Noguera: Yeah, there was a lot of fanfare about, like, we cannot be the next Target, unfortunately. And just months before the Home Depot breach. So that was a really sensitive time, because when I started at Gap, it was, like most retailers, very PCI-centric, very just, I don't want to say minimalist, but it's not a core function of the business. Security actually slows things down if done incorrectly. And so once the Target breach hit, and then as details of how it actually happened, in-store local access, abuse of the Wi-Fi, then it became a much more prominent deal, right? And so for me, what was really interesting, and to your point on the growth of the CISO role and the security role at Gap is, I started off as the head of security. Tell us what's wrong, keep us PCI compliant, okay? And even before Target broke, right, it was like, hey, there are things here that we need to address, kind of like the pre-sweeps that I was doing. And then Target happens. The internal audit team takes the, you know, let's go, let's take a hard look. Everything I said was going to happen or could happen. They said, yeah, everything could happen. And that began the relationship that I built with legal, with the board of directors, with the C-suite, in terms of what does it look like, why does it look like this, and, you know, helping them understand what cyber looked like, the implications of it across both the physical stores, the e-commerce platform, and basically supply chain logistics. Bringing that full circle for them was a great ride, but also, of course, a lot of stress because everyone was worrying, are we next, are we next, are we next? But huge visibility gains for security in retail.

Suzie Squier: So what's interesting was, it wasn't the first breach that happened in retail, but we all know that there are ones that happened, you know, in previous years. So why do you think -- was it just the size of it? You know, why was this kind of that crucible moment that, you know, elevated security into the eyes of the board and everybody?

Richard Noguera: Yeah, it's a great one. I think, I mean, candidly, I think it's because minimally the CIO was released out of Target. Minimally, I think they did not have a strong security structure at the time at Target when it happened, and because tech was this emerging capability within Gap, they just did not want to have that happen to them, right? And it was a known and accepted weakness because retail is retail. But then, you know, this is also the time of digital transformation was really the big thing. So just like online banking in its nascent times, let's use tech for what it can bring to us, but not really understanding it and the threats that come with it. It became real with Target and even more real with Home Depot, the second piece, because, you know, the retail CEOs are all really tight. And so once it happened, you know, it was like, okay, what do we do about it?

Suzie Squier: Yeah, yeah. And I remember, you know, we had meetings here and at CFTA and I think we had a meeting in Washington. Did you come to the meeting in Washington? Do you remember when you first got plugged into these discussions that we had?

Richard Noguera: That's a good question. I think I was remote because you guys were out in Washington. I was down in Intermont, yeah. And so I wasn't physically there, but we started teasing the idea of like, how do we get the intel exchange in an ISAC way? Because we're all in the blind, right? So I think between myself and Colin, we've had experience with this in high tech world, you know, it's just like, okay, so what do we need to do? And we were quickly, you know, jumping on that train because just, I know for him at Levi's and me at Gap, it's just like, really? Like, okay, cool. We're here to drive transformation and now we have, you know, you never let go of a crisis where you take advantage of it. This is a big one. So, yeah.

Suzie Squier: So you know, you were one of the first board members we put together and we're driving it and putting together this organization. And I've talked to, you know, Scott and David and Colin, you know, some others, you know, and it was like, it was a heady time, it was a crazy time. And there was a lot of work that we had to put into this and creating this, you know, information sharing. Do you remember being part of the board and just being, you know, about building this entity?

Richard Noguera: Oh, yeah. It was great because, you know, working with everyone you just mentioned, it was very, you know, eye-opening. And we all kind of knew, but the range of maturity of security in retail was so varied. So, how do you even do, you know, intelligible data exchange, right? Because if you're still working in just base scanning capabilities, but we have correlation rules, you know, straight out of the Splunk that we can provide you data dumps of like, here's the activity, that wasn't very consumable across all board members or even just the broader, you know, ISAC members at that time. So just working through how can we get it out in not just an intelligible, but also an actual way was, you know, hard, but also exciting and fun because this is information we clearly have to get out. Something more effective than, hey, Colin, hey, Scott, hey, Kevin, did you see this? Right? Like, you know, it's like, how do we provide the data so that things can take off? And it was really exciting, you know, I think it was at our first big meeting at Target when we started talking about tooling and just locking down, you know, base indicators of compromise that we can all commonly get on. That stuff was fun and to drive those convos was great.

Suzie Squier: Yeah, it was a fun time. It was like, you know, it's always a bonding time when you're building something and you're in the, you know, the heat of it all. But I know, you know, you all also had day jobs. So it was really -- and I knew nothing about what I was talking about. So I really appreciated you guys jumping in.

Richard Noguera: You don't give yourself enough credit. You knew exactly what was going on.

Suzie Squier: It was great. It was great. It was a great group of folks to pull together and to, you know, just like you said, create this for the industry. And I know when, you know, when you were at Gap, you got your team involved and we just started kind of building it from there, right? It was this kind of an organic -- it was hard. It's still, you know, we're still getting the word out. And then changing our name to Retail and Hospitality, bringing in the hospitality group. I think you were on the board when Scott brought the Hotels and Gaming group and we were like, absolutely.

Richard Noguera: Which is crazy, right? Because he was MGM and now MGM's all over the news. So you know, it's good on Scott that it didn't happen on his watch, but also it's kind of indicative, right, of you can't stop, you know, looking at it. It's always there. It's always there.

Suzie Squier: Well, and the other kind of interesting similarity is that similar to the Target, it came in through a supplier of some sort, right?

Richard Noguera: Exactly. Phishing to get into like, you know, the whole classic, you know, social engineering to targeting an individual, playing the help desk to provide access and then abusing what rights you could get at that point. Right? It's just, you know, same pattern of activity in a new environment.

Suzie Squier: Yeah. Yeah. Very, very fascinating. And you guys are big into the cloud security where you are now. Is that right?

Richard Noguera: Oh, absolutely.

Suzie Squier: Yeah. And how do you see that all playing out? You know, a lot of, you know, original security concerns, mostly with configuration, a lot of it getting staff trained into this new cloud security. What do you see in terms of cloud security moving forward? And just the use of it, you know, is it growing? Any thoughts you have in that world?

Richard Noguera: Yeah, I think it's -- how can I say, I think the initial adopters were very much, okay, this cloud thing is a thing. Now there's AI as a thing, like they're all buzzwords. But effectively it's, how do I outsource my capabilities, whether it's core infrastructure or the software capabilities? And from a business direction, there are some gains, but from a technical perspective, it's, I think the notion of risk transference is kind of like, oh, that's their problem. No, it's still our problem because those are our customers. And so the security problem in cloud space where I think that's the business and risk problem, but then when you get into the actual cloud space, you know, now it's highly distributed computing and software services that you're kind of putting together in your own value add package. From a technician's perspective and a security person, like, you know, that's threat modeling. That's where I get excited. Okay, so how do we do this? But because security, and I hate saying this, but still even today, despite the need for all these security practitioners in the market, there isn't a cohesive -- you know, security is part of the business problem, right? It's like, okay, we'll deal with it after. It's a compliance thing. Well, we got to think about where are we doing the business? How are we doing the business? How are we delivering value to our customers? How do we ensure that our customers can continue to trust us? I think a lot of companies have the notion, but they don't necessarily know how to execute, because cloud is ever growing at this point. I think cloud security is the, you know, especially in the e-retail and even the social retail spaces, it's going to get even bigger and more concerning, especially when you start throwing in on the social side, the privacy aspects of it.

Suzie Squier: Yeah, locking down all the privacy controls and everything that are coming at us fast and furious. And then you have the AI coming in as another addition to it. Is that something that your company is trying to harness at all or, you know, there's the pluses and minuses to it, right? I mean, AI and machine large learning have been around. It's the generative AI, you know, that's the little Pandora's box that's now been opened, right?

Richard Noguera: That's exactly right. And yeah, AI is a big investment area for not just FT, but all of Cisco. And it is an interesting one because, you know, at least in my experience with generative AI, it creates that content based on data patterns of, you know, historic data, data that you supply it, right? And so in a pure security sense, I'm now creating more risk by giving the algorithms now access to historical data when if I want, you know, a mix of predictive and generative capabilities, I have to give it data, right? And that data has become like, you know, the source of everything, the centerpiece. So now it becomes a data security model. And when you think about, again, cloud and all the different aspects of cloud from services to social, how do you protect it all? So it's an interesting new vector, but it's still to me like it just exposes how much more we have to do on data security.

Suzie Squier: Yeah, yeah, you're right. Yeah. You know, as we were talking about the RH-ISAC and the RSS back in the day, you know, we created this community, you know, and you were part of this community. Do you find that -- do you have that now that you've kind of left and gone into kind of the venture world, the fintech and now this is that you still have that kind of community in those circles as well? I know you're a big community person within like the Bay Area and things like that. So you like that collaboration.

Richard Noguera: Yeah, definitely in the Bay Area, CISO-style, you know, the high tech ISAC, I am not as, you know, interactive or, you know, a seat holder as I used to be with the retail side. For one, it's just like now I'm actually interested in like, okay, the ISAC here is up and running. Give me the Intel. I like kind of getting the shadows, getting the intel and driving it out. And yeah, I think the community base is still very much the, you know, pick up a phone and, you know, within three degrees of separation, you'll get, you know, the juice, right? You'll know what's really going on. So for sure, I miss the camaraderie of, you know, now the RH-ISAC, because I think for that community, building and establishing those bonds, that's the fun time as well as like establishing the standard versus in the high-tech space, I'm more of just a participant. It's here and it's pretty hard set in its ways. And so a consumption model for me is the easier fit, but I wish it was at the same energy and excitement level that we had with the RH-ISAC.

Suzie Squier: You know, and as we grow, we're trying to bake in keeping that community feel, you know, because I think that's a huge value. And you know, we always say one of the big things, this is like you're saying, like, we're like the ultimate phone a friend, like, you've got an issue, you've got people who can help you. You're not in it alone, you know? And even with like the recent incidents that have gone on, you know, we're like, look, we're here to help whatever we can do. And it's been wonderful seeing the outpouring of our members reaching out to me and I've forwarded this on to, you know, affected companies that like, you know, like if they need somebody, I can lend them an analyst. And it's just really great to see that part of the community coming together when folks are in a dark hour. And I think everybody knows at any time, as you said, you know, it could be you, you know, could be me.

Richard Noguera: Exactly. That's the stress of the world we're in.

Suzie Squier: Yeah, exactly. But I think there's less of a stigma attached to it now. Don't you feel like, you know, like you said, you know, with the Target breach, there was a lot of detritus left on the road after that happened, you know. But I think now we've come to like not shaming people, but just we all are in this boat together. How do we continue to, you know, work together to protect each other and ourselves, right?

Richard Noguera: Yeah, I agree. Don't get me wrong, there's always, at the large enterprise level anyway, there's still the don't ask, don't tell kind of mentality, don't expose because we don't want the liability associated with that. That I understand. But at the level down from that and the informal, the back-shelling, it's much more open and the acceptance of, you know, it's not an if, it's more of a when, and how do you brace for that? There's a lot more maturity and, you know, professional maturity in the market for that now. Of course, you don't ever want it on your watch, and I think it's more of the, how prepared are you in the case of it happening, right? And I think where the big difference now versus back in 2014, you have no excuse to be caught flat-footed, right? So now it's, okay, I was capable and built up to this degree. And the analogy is it's the Cold War in cyber, right? Our defenses are getting better, their attacks are getting better, right? So I think there's that acceptance and it's the time to detect and resolve and just accept, okay, did you fall prey to something silly or was it really advanced? If you fell to the silly things, then what happened, right? That's just like, you know, that's like a duh moment. But if it's the advanced stuff, then that's when you're winning. And I think there's just, get to the advanced, long-burn kind of attacks that you can detect and play against as opposed to saying, don't fall for phishing. Don't fall for, you know, the passwords being shared, that kind of stuff. That kills me. You know, I feel bad.

Suzie Squier: Yeah. I mean, at the end of the day, a lot of it is our users.

Richard Noguera: Yes, exactly. A hundred percent. Which is why I think in the RH-ISAC perspective, looking into social and the threat avenues that that creates is a huge -- you know, that's something to consider because retail now, the partnerships they have and the, you know, between influencers on these large social engines by market, it's crazy how many impersonations are out there. It's there.

Suzie Squier: Yeah, it's come up.

Richard Noguera: Yeah.

Suzie Squier: Members are bringing it up. Like, how are you dealing with these things? So just like you're saying, and of course, you know, the phishing is in the social engineering and this is where I think generative AI hurts us, because they're getting so good because they can pull out so much information and make that phish look and sound even more real, you know, more legit. So it's like you said before, like now we have to keep upping our game, you know? So it's like a thing. Thank you so much for your time. And thank you -- if I never said it, I think we did, but thank you so much for your time back then. I think we got everybody together in Chicago and, you know, gave out, you know, the awards.

Richard Noguera: That was great.

Suzie Squier: Yeah, that was fun. And we're hoping to gather as many of us as we can next year when we do celebrate our 10-year anniversary. So we'll be sure to give you an invitation if you can make it.

Richard Noguera: That'd be great, yeah.

Suzie Squier: We'd love to have you, get the gang back together. And we still have a lot of folks who are original, a lot have moved on, you know, as you know, like Colin and Scott and those guys and, David, but still have a lot of folks hanging in there that we'd love to see and talk to about and still remember back in the day.

Richard Noguera: That's right. I'm for it. Just let me know when.

Suzie Squier: Well, it was great chatting with you. Thanks for your time, Rich.

Richard Noguera: Thanks, Suzie. [ Music ]

Kristen Dalton: Hi, everyone. My name is Kristen Dalton. I'm the director of strategic cyber engagement research and analytics with the RH-ISAC. One of my primary responsibilities is to oversee our associate member program, which is our portfolio of strategic partnerships that add valuable expertise to our community, whether that's supporting our working groups, collaborating with our cyber threat team, or conducting joint research efforts together to learn more about the retail and hospitality sectors. Accenture is one of the 30-plus cyber solution providers that we work with. And I'm so happy today to spend some time talking to Piyush Jain, the global managing director of security for the retail consumer goods and travel verticals at Accenture. Piyush, welcome. Could you start off by telling us a little bit about your role at Accenture and what you feel are the top security risks facing the retail, travel, and hospitality industries today?

Piyush Jain: Thank you so much. So my name is Piyush. I am a global lead for retail, travel, and hospitality at Accenture. So in terms of what I do in my day-to-day job, I work with a number of our clients as a strategic advisor for them. And I have been working with many retailers and travel companies as well in the past few years. Recently, we have been working quite closely with RH-ISAC to publish our security organogram analysis, which are org charts for the cybersecurity function for the various organizations, how the teams are structured, what are the capabilities, and where does the CISO report. Right? The reason I'm bringing this in is this is linked to the trends questions that you have asked, right? We have looked into the org charts of around 66 organizations, 37 of which are RH-ISAC members. And we prioritize the sectors with small, medium, and large sized organizations based on their financial performance. And there's some key takeaways, and that is pretty much in line with what we are seeing in industry as well. So the first thing I would say is most of the organizations that we have seen universally prioritize cyber protect function. And this is the function which basically organizations have to protect against the cyber incidents, cyberattacks. The number of sub functions within the cyber protection is like identity management, security architecture, cloud application, network, endpoint for the number of functions in there that you will be able to see in the report that's published as well. The key highlight of the finding here is the organizations which are high-performance, who has outperformed their peers in terms of profitability over the last three years, we have found that 34% of these organizations are likely to prioritize identity and access management. The second finding is in the area of fraud. Fraud is a focus area for all the retailers, right? So this is an interesting one. 
Despite a 25% increase in digital payment fraud over the last three years, we found only 12% of the organizations have a function allocated to fraud. However, if you look at the financially high performers in retail growth, there are 39% of those that have got a dedicated fraud function. Even when we look into the sizing of the sectors and sizing of the organization by revenue, the small and medium-sized organizations have placed a high emphasis on security architecture as compared to their larger peers, whereas the large organizations, they have prioritized more on threat detection and forensic functions, which is quite a unique insight into how organizations are looking into things. Also, supply chain is the key concern, right? We do an annual CEO survey for security, and in that the CEOs rank supply chain disruptors as the second highest external risk, while 41% of the organizations that have suffered a material impact from cybersecurity said that it is originating from their third parties. So supply chain is one of the key threats or the key areas where our retailers, travel and hospitality organizations are facing. And keeping up with the latest trend on Gen AI, 56% of the organizations believe that Gen AI will provide advantage to attackers in the coming two years. And 67% of the CEOs say security is the major consideration when it comes to adoption of Gen AI. So whilst the retail, travel and hospitality organizations are making full use of Gen AI and it's part of their key plans, key growth plans, the CEOs in the C-suite are very, very concerned about the security implications of Gen AI.

Kristen Dalton: Thank you so much, Piyush. These were some really great findings. I'm glad you brought it up and we're able to talk into some depth about it. Just for a little bit of background about the org chart benchmark that we did, so we recently published this in February 2024. This was a long-time request from our many CISOs in our CISO community. So to be able to partner with Accenture on this type of benchmark and this type of analysis was something that we have not been able to do before for our members. So some really interesting findings there. I also wanted to talk a little bit about the growing inequity between organizations that are cyber resilient and those that are not. So what's your take on this? How are you defining cyber resilience and how should security leaders be thinking about this in 2024?

Piyush Jain: I'll start with some statistics based on the cybersecurity outlook survey that we did with the World Economic Forum. 36% of the organizations, they believe their cyber resilience is insufficient or they are not cyber resilient. Whilst in the same survey in 2022, only 17% of these organizations believed that their resilience is insufficient. So this number is more than double in two years' time. In 2022, some 83% of the organizations said that they meet minimum requirements to operate under resilient conditions, where in 2024, only 36% of organizations say that, whilst it's not all that bad. In 2022, no organization claimed that they are good with their cyber resilience, they have the right operation plan in place, but 28% of the organizations in 2024 say their cyber resilience plan exceeds their operational requirement. But there's still room to improve. As you know, the cyber threats are not static in nature, they're dynamic in nature, so organizations are really focusing on making sure that they are ahead of the curve. In terms of the second part of your question, what is my advice? What is it that the organizations are doing? What is it that we are seeing? So first of all, cyber resilience is not the resilience of just your system, right, or a few systems in the organization. The way the structured organizations are looking into it, they're looking at their business, they're looking at their core business objective, their core business plans, and working it backwards to see what it is, in terms of security, that is of utmost importance for them. So basically, the organizations are prioritizing the functions, the technology, based on their business value, based on their future plans, and they're taking that prioritization as a pivot for cyber resilience.

Kristen Dalton: So I want to dive a little bit back into what you were starting to talk about around Gen AI, and if there is a correlation between Gen AI and even the cyber resilience piece of it. As retailers are adopting AI as part of their marketing and business functions, can you talk a little bit around what they're doing to secure their AI investment, and if there is a resiliency piece to this that they should also consider?

Piyush Jain: So let me start with why all of a sudden AI, and what is it that our retailers are doing? You know, retailers are always looking out to improving customer experience and rich personalization. That's one area they're using AI quite a lot. Intelligent merchandising, as you would see, growing customer DNA through the products that the customers are recommended. Then third is intelligent supply chain, how do they enhance their supply chain with real-time insights using accurate demand forecast models, you know, the plans for productivity improvement, that's where we see a lot of usage of AI coming. Then a number of retail copilots that provide answers to any question in real time. So these are the number of areas where we see our clients really focusing on in terms of using Gen AI and AI machine learning in their business. Now when it comes to security concerns, three out of the five CEOs worry about employees exposing sensitive and proprietary enterprise data while interacting with Gen AI. Based on our survey, CEO survey, 60% of CEOs say security is a major consideration for the adoption of Gen AI, while only 6% of the organizations believe that, yes, they have the right security measures taken when it comes to AI. So data protection and privacy is the worry for the organization when it comes to AI, Gen AI. So, you know, AI models, they use vast amounts of data. So therefore, prioritizing your data protection and privacy is paramount. And they're implementing measures such as data anonymization, encryption, access control, you know, complying with legislations and regulations like GDPR, CCPA. Then threat detection and monitoring is the second part where retailers are deploying AI-driven security tools to detect and respond to potential threats and vulnerabilities.
So traditionally, what will happen, a typical SOC will register a number of incidents and we'll see the SOC analysts will keep picking up on access violations, but they really want to see that, you know, the things that are important for their organization, for their business priorities, for the growth, they picked up and that's where they're using a lot of AI in terms of analyzing patterns, potential security breaches across the network applications and devices. Then you would have heard a lot about ethical AI practice. Whilst AI is exciting and a lot of organizations started making use and they, you know, potential is unlimited for these organizations, but they also want to make sure that they employ ethical AI practice, right? Which are when AI is developed in a responsible and transparent manner. So this includes things like, you know, addressing biases in AI algorithms, ensuring fairness in the decision-making process, providing transparency, accountability to the stakeholders. And also this ties back to the data as well, that, you know, that right amount of data and only correct data is exposed to the AI systems. And when it comes to AI, employee training and awareness is quite big, right? Whilst there is an excitement in the industry, but not many people within the organization understand the true implications of the security implications of AI. So providing training and awareness programs to the employees that many, many organizations are doing. This includes things like educating employees, bringing best practices using AI, recognizing potential security threats and reporting them promptly, means you would see a number of phishing attacks because whilst the organizations are using AI to augment their business, the attackers are using AI to generate, you know, phishing attack that will very much look like, you know, a normal email if somebody would receive an email from the organization. 
So there is a lot of focus on training employees into identifying these threats and reporting them promptly. And the supply chain. So whilst, you know, a large organization would take every measure to make sure that they secure their Gen AI investment, but their ecosystem is very, very large. And there are some smaller organizations, midsize organizations that are part of their ecosystem. So making sure that they do the right due diligence, right assessments, implementing contractual agreements to ensure the vendors that they deal with, they work with adhere to security standards and the practices in line with the organization requirements. So that's very important.

Kristen Dalton: That was an excellent breakdown of all the Gen AI use cases across, you know, that a typical organization might have for AI, as well as, you know, the security measures. And, you know, like you mentioned, some of the phishing attacks becoming more sophisticated. I think switching gears a little bit, I want to talk about quantum security. We've seen that emerge as an area of interest for retailers. And so as these quantum computing technologies advance, how might quantum security itself impact the retail industry?

Piyush Jain: Great question. Right. There's a lot of excitement in the retail side. And there's a lot of nervousness as well when it comes to quantum. The excitement is, you know, the sky's the limit what you could do with quantum, how you can secure your organizations. And as I said previously, whilst the organizations are using quantum, attackers are using quantum as well to try to break encryptions. Right. So the quantum computers, they have a potential to break many, many encryption algorithms. And that's what, you know, attackers are trying to use, including customer information or financial information, any proprietary data they may have. So post-quantum cryptography is what the organizations are looking at. And this is in response to the threat that's posed by quantum computing to the traditional encryption methods. So post-quantum cryptography algorithms are resistant to these quantum attacks that we are seeing more and more. So the retailers are looking to transition to these new cryptographic algorithms to ensure that the security of their systems in the quantum computing era is maintained. Then securing the network, that's important as well, and making sure that the network is ready for quantum. A lot of time you would hear quantum may introduce some latency into the network. So organizations are looking at, you know, how to make sure that their network is right up there to use the quantum technologies, like secure distribution of keys and cryptography over communication channels. And retailers are exploring the use of quantum to enhance their communication networks, which includes point of sale systems, organization -- sorry, online transactions and communication channels. So POS security, which is point of sale, is something very important for our retailers, and using quantum to connect with their communication network through point of sale is something that the retailers are looking at. And supply chain. 
So quantum technology, if you see, is leveraged to enhance the supply chain security. As I spoke previously about, you know, the real-time data, real-time threat that the organizations are trying to get the telemetry on when it comes to supply chain. The quantum sensors and encryption methods can help detect and prevent counterfeiting, tampering, and security threats throughout the supply chain. So maintaining authenticity and integrity of the products on the supply chain at the various stages is something important, and that is something the retailers are looking to employ quantum on their supply chain. And they're working in collaboration. There are a number of research going on. They're collaborating with the key product vendors, as well as the number of retailers are doing a prototype that how they can use quantum in a safe and a secure manner. So whilst there is a lot of excitement in the industry, it's kind of a wait and watch when it comes to retailers, but some of the large retailers have already started, you know, thinking implementing quantum across their supply chain or to the post-quantum cryptography side of things.

Kristen Dalton: Yeah, we've covered a lot of ground today in terms of topics from the quantum security to Gen AI, and then, you know, some of the highlights from our benchmark that we've done together. I want to end today with one last question that really has to do with maturing information security teams via, you know, training and education of cyber personnel. So we know that the cyber skills and talent shortage continues to widen the gap at an alarming rate among product organizations. What are your thoughts on this? And what can companies do from a personnel perspective in providing training and education to their employees?

Piyush Jain: This one is a good old friend, because if I were speaking in 2016, this question would have come in; it's more so relevant now when it comes to the training and skills and the talent shortage in the organizations. Based on our latest research which Accenture did, 44% of the organizations, they are looking to fill the gap through upskilling of their current employees. So there's lots of focus, emphasis on training, cultures and behavior. 20% of the organizations, they say that they have the required skills. However, 52%, a large number, admit that they have a severe skills and talent gap. So what are the organizations doing? The organizations are carefully looking at the functions that they want to retain in-house. They're also looking at the functions which are dynamic in nature, where the threat landscape changes quite rapidly. And they're looking to make sure that they outsource or use managed services or, you know, for a short-term skill gap, as you say, go to market and hire contractors or third parties. But in the long run, upskilling and managed services is the trend that we are seeing that organizations are taking in bridging this skill and talent gap.

Kristen Dalton: You know, this is so timely, because at the RH-ISAC, from a community perspective, we recently partnered with the SANS Institute and ICF International to provide free training for junior level security analysts who are looking to advance their careers, as well as IT practitioners who are looking to upskill into a cybersecurity role. So we actually just kicked off that pilot last week. There's 37 individuals from 22 member companies who are participating. So I did just want to give a quick shout out to SANS and ICF on being able to, you know, provide this upskilling opportunity to our members. Piyush, any closing thoughts for today?

Piyush Jain: The closing thoughts for me is very simple. Security needs to be part of organization culture. Security cannot exist in silos. So security should be in line with your business requirements and your business plans, depending on what your business plans are, what your core business drivers are. Do we have the right amount of security or right prioritization of security to protect what matters to the organization is something which is very, very important. So whilst some of the better performing organizations have started looking into it, so my recommendation will be to make sure that security plan flows through your business plan and vice versa.

Kristen Dalton: Excellent. Well, Piyush, thank you so much for being our guest today. Thank you and your research team for the joint benchmark that we did and for all your continued support and expertise that you bring to our community. Thank you so much.

Piyush Jain: Thank you. [ Music ]

Luke Vander Linden: All right. I know you're as excited as I am to welcome back to the podcast, RH-ISAC Manager of Cyber Threat Intelligence Production, Lee Clark, for "The Briefing." Welcome back, Lee.

Lee Clark: Thank you, Luke. Great, as always, to speak to our listenership.

Luke Vander Linden: Excellent. And this is a well-timed appearance by you because you have recently published the now quarterly Intel Trends Summary Report.

Lee Clark: Yeah. This is the last one that will be tri-annual. We are moving to a quarterly cadence here moving forward.

Luke Vander Linden: Terrific. So what did you find?

Lee Clark: Yeah. So this one was particularly interesting. I know we've spent the whole episode sort of bragging on our colleagues here at the RH-ISAC, so I'll pile on that a little bit. In our research department, we've got a wonderful data subject matter expert named Sierra. Sierra has been working for like the past year to really hone, develop, streamline, and really make efficient a lot of our data collection efforts, and that's ended up making this report easier to produce, easier to read, and more valuable for membership as we move forward. And this is the first report that we've been able to make use of some of the advanced capabilities that Sierra has been building for us, so a huge shout out to her for making this report and all of my reporting really better and more data-driven. So historically, we see phishing, credential harvesting reported as the most active threats that our membership reports to us. These are the threats that they see and stop the most, phishing and credential harvesting. Universally, every trend report I write, they come in at the top one, two spot, until this report. This report, we actually see phishing in the second seat, and credential harvesting has fallen off the top five list completely to be replaced by a huge spike in ransomware reporting. This coincides with a sort of global surge in activity that basically everyone who's in cyber threat intelligence has been reporting and seeing. So specifically for this period, we saw a huge reporting for CLOP, right, BlackCat and ALPHV, and then taking sort of third place would be like Okta-related vulnerabilities. Right? So for the current period, ransomware reporting is at 26%, which constitutes a 13% or 14% increase from the previous reporting trends. Generalized credential harvesting ended up falling off the list completely, and this sort of generalized increase in ransomware includes specific and sort of the global trend, right, which becomes interesting. 
So we break these trends down in a granular way based on threat actor, based on MITRE TTP type, based on malware that we track, right? So if we look at what major malware we see reported by members, Cobalt Strike remains far and away in first place, but BlackCat, the ALPHV BlackCat ransomware strain has actually taken second place, whereas previously it wasn't on the list at all, right? Other top malware include well-known threats that our members should have been reporting for a long time, right, Agent Tesla, Amity, IcedID, Qbot. They all appear at the top of our list, but Cobalt Strike and BlackCat end up taking the cake for the current reporting period in terms of malware. Now, long-time listeners will remember that in the last year, we've been launching a threat actor tracking project here at the RH-ISAC that's based entirely on major threat groups that we see targeting our membership a lot. It's based entirely on membership reporting to us, right? Previously, FIN6 and APT32 led the pack of the most reported, right? FIN6 has now moved to second place, replaced by Scattered Spider, right? So Scattered Spider is a name that probably a year or two ago you didn't hear at all, and now they're one of the most prevalent threats we see, not just to the retail and hospitality group, but to a number of other industry verticals as well. Scattered Spider primarily operates first as an access broker through tactics like impersonation domains, spear-phishing campaigns, things like that, and once they have that initial access to a victim organization, they sell that access. Specifically, they're really closely tied to BlackCat and ALPHV, right? You will occasionally see threat reports that equate Scattered Spider with ALPHV and BlackCat. I would caution against making that type of comparison because they do do other freelance work as well as their own threat activity, right? 
But they do have a really close relationship with the ALPHV/BlackCat ransomware group as an initial access broker. And we see heavy targeting of our membership by this group, right, using their tried and true tactics, yeah. So if we move on to TTPs, speaking of how threat actors actually leverage their capabilities against membership, we don't see a huge change in this report from previous trends, right? Spear-phishing links, phishing domains remain far and away the most commonly leveraged TTPs by threat actors against organizations in the hospitality community, right? One thing I will note, in the TLP Clear version of the report, you will see various versions of spear-phishing links and spear-phishing attachments up here on the top TTP list. They're presented more than once because they represent identical minor TTPs that occur at different stages of the cyber kill chain and thus get tracked separately and designated by different numerical identifiers. That's why they appear on the list more than once. These are different stages of the kill chain, the same sort of tactic being leveraged at that place and it's tracked differently by MITRE, so we track it differently as well to sort of match up with the industry standard of how to track TTPs, right? And then the final sort of highlights that I'll give are from our research department. Again, these numbers are actually tracked by Sierra and by everybody in the research department run by Team Kristen, actually. So we track surveys, we track RFIs, we track major benchmark reports that we put out, right? So if we look at RFIs, we usually break them down by community and our communities are often job function-based. So the ones I'll highlight here are for analysts and CISOs, right? 
So for the current period, we saw analyst RFIs overwhelmingly, requests for information from cyber intelligence analysts focused on requesting feedback on different tools, different vendors for doing their jobs, requesting feedback on major fraud indicators or major trends in the fraud space. And then number three coming in a little bit behind is on identity and access management, right? The best practices, tools, vendors related to identity and access management. Now, we compare this to what CISOs ask about. The number one spot for CISOs is vulnerability management, right, specifically, usually talking about patches, mitigations for big zero days, big one days that are coming out, that are affecting major third-party applications that are used ubiquitously across different enterprises. And then in second place and third place, we have fraud and identity and access management, exactly the same things that analysts are asking about, which surprises no one, right, that people are concerned about the same things their bosses are concerned about, right? Vulnerability management, interestingly for analysts, comes in in fourth place. I think this is due to CISOs being responsible for the entire enterprise, right, and vulnerability management being a huge threat vector for threat actors. It becomes a major concern for CISOs. But a lot of our analysts are not specifically vulnerability management analysts. So a lot of them are threat analysts, some of them are security engineers, right, some of them are fraud specialists, some of them are BSOs, right, business security officers. So not all of our analysts are distinctly worried about vulnerability management as part of their job functions, but CISOs for sure are specialists in their jobs, oftentimes right on making sure that the enterprise is safe and vulnerability management being one of the biggest places where you can get hit, right? 
Continuing the sort of outline of what we've been tracking from Team Kristen and our research department, we put out a big report on phishing programs that is available for membership. And then we conducted two big benchmarks, the first one being the organizational chart benchmark, which we just did a couple of presentations on, right?

Luke Vander Linden: Yeah, we just heard Kristen talk with Piyush at Accenture about that as well.

Lee Clark: Yeah, exactly. So we collected the org charts to better understand how information security teams are structured in terms of capability and reporting, right? And then the second is going to be our signature CISO benchmark report. We've now been doing this a couple of years in a row, it's getting better every time. We get great responses from CISOs on these, and it measures their place in the industry. We break it down by annual revenue budget, and then that's one of the big ways we look at what CISOs are majorly concerned about in terms of topics for their exercises. So those are sort of the major trends that we see out of this particular report. And a lot of the improvements we've been able to make to our data collection and analytics capability has helped us out in making this report more accurate and more valuable for our membership, right? And then based on that, we're able to make it quarterly moving forward. So yeah.

Luke Vander Linden: Makes sense. This is great. And, you know, it's interesting, the ransomware stuff in particular, that's consistent with a lot of the reports I'm seeing from the greater cybersecurity world that shows that the number of ransomware incidences doubled in 2023, and the amount that's been paid out now, over a billion dollars, if you look at it across all sectors, which also more than doubled in 2023, a huge issue for both our members and the cybersecurity world in general.

Lee Clark: Yeah. So two big points on this. One, it's interlinked to everything else. CISOs, and analysts to a lesser degree, are worried about vulnerability management because one of the biggest ways ransomware operators and access brokers or ransomware organizations are hitting organizations is via zero days and third-party software, right? It's one of the biggest roads and that's one of the major reasons it comes up, right? And then second, it is across industries and our industry we see especially targeted, right? I think I saw a recent report from a major cyber threat intelligence organization doing their 2023 review, they saw a 50% increase in targeting, right? So that also translates to massive amounts of revenue for these organizations, right? We've talked before on the podcast about how sophisticated and organized ransomware operations are. We've seen a number of law enforcement actions recently, right? They just put out a mass -- so when I say that, excuse me, let me be specific, the federal government, the US federal government just put out a massive reward for any information leading to the disruption of ALPHV and BlackCat operation. They just did a big disruption of some LockBit infrastructure. Now some of LockBit is still online, but other additions of their infrastructure have been sort of taken offline, right? Yeah, it's likely that LockBit will reappear as LockBit 4.0. They've experienced major disruptions in the past, including a disgruntled employee leaking their source code, right? But we've also seen that happen in the past, Conti ends up turning into other ransomware strains, ALPHV ends up rebranding, right? And we see these over time only increasing in prevalence because it works. It makes mad money, especially whenever you don't even have to worry about trying to encrypt people's data. You don't even have to build a specialized program and worry about encrypting and unlocking anymore. 
Most ransomware organizations are moving to a purely extortion-based model, we'll publish all of your clients' data if you don't give us money, right?

Luke Vander Linden: No longer double extortion, just the single extortion.

Lee Clark: Yeah, it's enormously profitable, and that's why it's become such a huge crisis across the cybersecurity industry, right? And we've done a little bit at the RH-ISAC here. At the last summit, I gave a TLP Red presentation on how ransomware has been affecting the membership. We've started a couple of response projects, right? We have a daily dark web summary that we give to membership, and that includes an update of what ransomware organizations have been talking about on dark web forums as it relates to the industries that we cover. And then we've sort of alternated our incident response process for how we handle talking to especially the leadership of our membership whenever we have a ransomware that affects the community, right? It's forced the ISAC to really step up to change the way we respond to this as well because it's at an epidemic level, right?

Luke Vander Linden: It is. You guys do incredible work over the intel side of things as evidenced by what you just discussed in the presentations in the new IR plan, but also the subject areas that the RFIs that you just reported on from the report are most popular aligned with our most active working groups. You guys are very responsive to member demand and what they want to talk about. Great reports. Glad that the intel summary report is now quarterly. It makes a lot more sense. The TLP Clear versions of all these reports are available for downloading on our website. If you just go to rhisac.org and look up in the navigation under Resources and then Reports, you can see the TLP Clear versions. Of course, the TLP Amber Plus versions are available only to our members, not because we're trying to exclude people, but because it's subject to privileged information that only our members should be able to see. Lee Clark, thank you very much for joining us on the podcast once again for "The Briefing." [ Music ] Thank you to my great guests, my coworkers, RH-ISAC President Suzie Squier, who interviewed Rich Noguera, RH-ISAC Director of Strategic Engagement Research and Analytics, Kristen Dalton, who interviewed Accenture's Piyush Jain, and RH-ISAC Manager of Cyber Threat Intelligence Production, Lee Clark, who briefed us on all current and relevant threats. Speaking of my coworkers and colleagues, thank you to the RH-ISAC's Director of Marketing and Communications, Annie Chambliss, Producer of the RH-ISAC Podcast, as well as the N2K Network's Jennifer Eiben, Trey Hester, and Elliott Pelzman. If you're listening to this and your company is not yet a member of the RH-ISAC, what are you waiting for? To find out more about membership, go to rhisac.org/join. This is Luke Vander Linden, RH-ISAC's Vice President of Membership. Thank you for listening and stay safe out there. [ Music ]