Cloud, Assurance, Forensics, Engineering

Category: Uncategorized

Observations from RSAC2024 – A Security Roadmap for AI

Most of us have fully recovered from our very busy week at this year’s RSA Conference. The massive cyber security event which takes place in San Francisco with over 60k of my closest cybersecurity friends. As most of us already figured would be the topic de jour, there were very few if any in attendance, who were not talking about GenAI. Specifically, the impacts it is and will have on our industry and the rest of the world as we know it.

I have written about Artificial Intelligence (AI) in the past and how it’s going to be the integration of GenAi and different other solutions which will truly cause significant disruption. GenAI and the combination of other technologies such as robotics, medical, oil and gas exploration, retail delivery, fast food experience, and even tier 1 and 2 security operations center functions. This all sounds really cool and fascinates me with the massive potential GenAI has to impact the world.

Boston Meridian Partners, the company I work at, hosts a reception on Sunday evening each year prior to the conference. We host this meeting for numerous startups and friends from the private equity and venture capital world as well as many C suite executives with interest in cyber security. Our goal the past few years has been to get some top-notch speakers to share their wisdom with the crowd and this year’s speakers did not disappoint.

We had Chris Krebs from SentinelOne, Brian Finch from Pillsbury Winthrop Shaw Pittman LLP, and Kate Kuehn from WTI who shared key points on regulatory issues (Note: Thankfully we have the EU who have established many key requirements for the world to follow as our own US government has been slow to pass any legislation with real teeth). They also spent time talking about risk and the importance of collaboration and coordination. While we discussed many key investor topics around GenAI it couldn’t have been a better way to set the stage for the RSA Conference and our very full week of over 150 meetings from across the community. 1

I took away quite a few pointers as I met with startups, CEOs, speakers at numerous events, and in general discussion around a good craft beer or cocktail in the evenings. Here are some take aways from and things to ponder as we push GenAI initiatives in our companies and industries we support.

  1. As mentioned above, collaboration and coordination are key to success. It might seem like a no brainer but many of us are hardheaded and like to “go it alone” which can be a big mistake. It’s imperative we work closely with industry partners, government agencies, and relevant councils to manage AI-related risks and incidents. Fostering this collaboration will enhance GenAI security across the collective.
  2. Risk – I have spoken on this, written about it, and will shout it from the highest mountain as long as I have air in my lungs; “It’s about the data”. It’s super critical to conduct thorough risk assessments specific to GenAI deployments and focus on the data risk. It’s being sucked like a vacuum into these Large Language Models (LLMs) with little to no understanding where the data is going or how it is being used. It is critical for CIO’s and CISO’s to identify potential vulnerabilities, threats, and attack vectors related to AI technologies.
  3. Zero Trust and/or Secure by Design – We use the term “it’s easier to bake it in than spread it on like peanut butter” but often we find companies doing this very thing. Prioritize security from the outset. Ensure those GenAI systems are designed with zero trust (we trust nothing and no one without verification) and with security in mind, incorporating Multi-Factor Authentication, encryption, and access controls.
  4. Supply Chain and 3rd party security – Extending security considerations throughout the entire GenAI supply chain is now a must do these days. One cannot assume the suppliers are doing the right thing or have you in their best interest. They should, but it’s up to you to verify and set up the appropriate controls and service level agreements. This goes back to the “collaborate” discussion above and ensuring safe and responsible use of GenAI.
  5. Finally, we have the geek moment and have to allow technology and or the “hunters” to red team. This should be performed regularly as GenAI exercises and tabletops with the executive team’s involvement. By simulating attacks organizations can identify weaknesses and improve defenses. Since it’s often illegal to go on the offensive against adversaries we must have strong defenses in place.

Overall, it was another amazing week in San Francisco, and I enjoyed meeting so many innovative companies on the show floor. While GenAI is still in its infancy it has quickly become a show of force from all thing’s cybersecurity. GenAI will speed up our ability to do our jobs (but also the adversaries) but we have to be strategic and work faster through the traditional “blocking and tackling” abyss we so often fall into. Teamwork makes the dreamwork!

If you missed us at RSA, I along with the team at Boston Meridian Partners will be at Blackhat, Las Vegas this coming August so please reach out to us via our webpage and LinkedIn below.

www.bostonmeridian.com

Boston Meridan LinkedIn Page <- Follow this company!

Learn More: CISA Roadmap FAQs, CISA AI Roadmap, Cam Sivesind article on “cisa-roadmap-for-ai”, Grayson Milbourne – Forbes Article on “Small Business Roadmap for AI”

About the author

Shawn Anderson2 has an extensive background in cybersecurity, beginning his career while serving in the US Marine Corps. He played a significant role as one of the original agents in the cybercrime unit of the Naval Criminal Investigative Service.

Throughout his career, Anderson has held various positions, including Security Analyst, Systems Engineer, Director of Security, Security Advisor, and twice as a Chief Information Security Officer (CISO). His CISO roles involved leading security initiatives for a large defense contractor’s intelligence business and an energy company specializing in transporting environmentally friendly materials.

Beyond his professional achievements, Anderson is recognized for his expertise in the field of cybersecurity. He is a sought-after speaker, writer, and industry expert, providing valuable insights to both C-Suite executives and boards of directors.

Currently, Anderson serves as the Chief Technology Officer (CTO) for Boston Meridian Partners. In this role, he evaluates emerging technologies, collaborates with major security providers to devise cybersecurity strategies, and delivers technology insights to the private equity and venture capital community.

Overall, Shawn Anderson’s career journey showcases a wealth of experience in cybersecurity and leadership roles, making him a respected and influential figure in the industry.

  1. https://www.linkedin.com/in/christopherckrebs/
    https://www.linkedin.com/in/brianfinch-cybersecurity/
    https://www.linkedin.com/in/katekuehn/
    ↩︎
  2. www.linkedin.com/in/shawnanderson/ ↩︎

Due Care….Due Diligence…did you know and what did you do?

I’ve been in this industry for more than a few decades and many times have come across cyber professionals and organizations who do not have a clear answer to this basic question: Why do we approach security the way we do? People have varying answers from “it’s my passion”, “bad guys are bad”, “the money”, “I love technology”, and many more. Rarely do I get the answer of “Because protecting our “fill in the blank” is the right thing to do.”

Many professionals I work with are in this because they see bad actors for what they truly are. Bad, not good, very low down, and sometimes outright evil actors. The adversary wants to own you, manipulate you, control you, or in the case of many nation states eventually break you. The terms of “Due Care” and “Due Diligence” are legal terms every cyber security professional should know on day one. These terms are drivers for everything we do. If we know we have an issue, then it’s important to protect and do something about it.  

Most cyber security professionals do not have a legal background so it is a good idea to brush up on these key terms so one can navigate the profession a little bit easier. These are as critical to me as confidentiality, availability, integrity, and non-repudiation. Topics I will discuss in a future blog because people need to be reminded from time to time.

Cybersecurity is a critical concern for organizations across all industries, with data breaches and cyber-attacks becoming increasingly common. Let’s face facts; the bad actors are bad, and they want to take companies down for reasons ranging from fame, they are mean, or worst case they represent a nation state who is in a digital war with the other country. In this context, due care and due diligence are two concepts often discussed in relation to cybersecurity. While both are important, they are distinct and serve different purposes.

Due care refers to the level of care that a reasonable person would take to protect their own personal information and that of others. It is a legal concept that obligates organizations to take reasonable steps to protect the personal information of their customers and employees from unauthorized access, use, and disclosure. Due care involves establishing and implementing reasonable security measures to protect data, such as using firewalls, encryption, and access controls. Due care is a proactive approach that emphasizes the prevention of security breaches and data loss.

Due diligence, on the other hand, is a process of conducting a thorough investigation into a company’s security practices and assessing the risks associated with a particular transaction or activity. Due diligence involves evaluating the security posture of a company and identifying any vulnerabilities or gaps that may exist in its security infrastructure. Due diligence is often conducted before entering a business relationship with another organization or acquiring a new company.

In the context of cybersecurity, due diligence involves reviewing the security policies and procedures of a company, as well as conducting vulnerability assessments and penetration testing to identify any weaknesses in the security infrastructure. Due diligence also involves reviewing the security training and awareness programs in place for employees and evaluating the incident response and disaster recovery plans of the organization.

While due care and due diligence are distinct concepts, they are both important for maintaining effective cybersecurity practices. Due care is essential for establishing a baseline level of security and implementing best practices to prevent security breaches. Due diligence, on the other hand, is critical for identifying potential risks and vulnerabilities and developing strategies to address them. Together, these two concepts help organizations to maintain a strong security posture and minimize the risk of cyber-attacks and data breaches.

In conclusion, due care and due diligence are two critical concepts in cybersecurity that serve different purposes. Due care is a proactive approach that emphasizes the prevention of security breaches and data loss, while due diligence involves conducting a thorough investigation into a company’s security practices and assessing the risks associated with a particular transaction or activity.

Both concepts are important for maintaining effective cybersecurity practices and minimizing the risk of cyber-attacks and data breaches. Down the road I will address how these two very critical terms and corresponding activities can help leaders build out their risk posture and program.

About the author

Shawn Anderson has an extensive background in cybersecurity, beginning his career while serving in the US Marine Corps. He played a significant role as one of the original agents in the cybercrime unit of the Naval Criminal Investigative Service.

Throughout his career, Anderson has held various positions, including Security Analyst, Systems Engineer, Director of Security, Security Advisor, and twice as a Chief Information Security Officer (CISO). His CISO roles involved leading security initiatives for a large defense contractor’s intelligence business and an energy company specializing in transporting environmentally friendly materials.

Beyond his professional achievements, Anderson is recognized for his expertise in the field of cybersecurity. He is a sought-after speaker, writer, and industry expert, providing valuable insights to both C-Suite executives and boards of directors.

Currently, Anderson serves as the Chief Technology Officer (CTO) for Boston Meridian Partners. In this role, he evaluates emerging technologies, collaborates with major security providers to devise cybersecurity strategies, and delivers technology insights to the private equity and venture capital community.

Overall, Shawn Anderson’s career journey showcases a wealth of experience in cybersecurity and leadership roles, making him a respected and influential figure in the industry.

Cybersecurity Trends from a CTO/CISO perspective

It’s been a fast 15 months since I started on this journey working as the CTO for an investment bank. I’ve traveled all over the United States, held conversations with 100’s of Venture Capital, Private Equity, and exciting newer security startups. There have been a few trends which keep bubbling to the top that I wanted to share with all of you. As we all know cybersecurity isn’t anything new but something all companies, large and small, need to be doing. Cybersecurity has become an increasingly important area of focus for businesses and governments, with the rising frequency and severity of cyber-attacks as well as the renewed governance focus at the board level.

As a result, there has been a growing interest in investing in cybersecurity companies and technologies. Here are some of the investment trends in cybersecurity:

Cloud Security: With more businesses moving their operations to the cloud, cloud security has become a top priority. Investors are looking for companies that provide cloud security solutions, such as cloud access security brokers (CASBs), cloud security posture management (CSPM) tools, and cloud workload protection platforms (CWPPs). Using rough numbers from quarterly earnings of the top 3 cloud providers (GCP, AWS, and Microsoft) they are roughly $350b annual revenue which is a small percentage of the overall global IT spend of $4.2T. This area will continue to grow.

Identity and Access Management (IAM): IAM solutions have become essential for managing access to corporate networks, applications, and data. Investors are looking for companies that provide IAM solutions such as identity governance and administration (IGA), multi-factor authentication (MFA), privileged access management (PAM), and User access management.

Artificial Intelligence (AI) and Machine Learning (ML): AI and ML are being used to enhance cybersecurity by enabling faster threat detection and response. Investors are looking for companies that provide AI and ML-powered solutions such as security analytics, threat detection and response, and fraud prevention. This area spooks me a bit as it’s moving so quickly and from what I’ve seen without any guardrails to keep it 100% safe, ethical, and working in the best interests of it’s creators.

Internet of Things (IoT) Security: As more devices become connected to the internet, IoT security has become a critical concern. Investors are looking for companies that provide IoT security solutions such as device management, data encryption, and firmware security. Other areas are Operational Technology (OT) which is a term defining a specific category of hardware and software whose purpose is to monitor and control the performance of physical devices. The other is Industrial Internet of Things (IIoT) designed to incorporate technologies such as machine learning, machine-to-machine (M2M) communication, sensor data, Big Data, etc.

Cyber Insurance: Cyber insurance has become increasingly popular as a way for businesses to mitigate the financial risks associated with cyber attacks. Investors are looking for companies that provide cyber insurance policies and risk assessment services. This is a growing area with a lot of unknown variables. Unlike traditional insurance such as life and auto the data available on cyber is limited to the past 40 years and is always advancing. This area will continue to mature and be extremely important as companies try to defer and manage their risk.

Cybersecurity Consulting and Integration: With cybersecurity becoming more complex, businesses are seeking the expertise of cybersecurity consultants to help them develop and implement effective cybersecurity strategies. Investors are looking for companies that provide cybersecurity consulting services. An offshoot of this is Cloud System Integration or Cloud SI. Companies who can help other companies to deploy the cloud solutions they have acquired to get it deployed in the quickest way possible. These companies who are “born in the cloud” have an advantage today because they have the ability to move at “cloud speed”. The issue is training the talent to do the work.

Overall, the cybersecurity industry is expected to continue to grow, and investors are expected to continue to invest in companies that provide innovative and effective cybersecurity solutions.

About the author

Shawn Anderson has an extensive background in cybersecurity, beginning his career while serving in the US Marine Corps. He played a significant role as one of the original agents in the cybercrime unit of the Naval Criminal Investigative Service.

Throughout his career, Anderson has held various positions, including Security Analyst, Systems Engineer, Director of Security, Security Advisor, and twice as a Chief Information Security Officer (CISO). His CISO roles involved leading security initiatives for a large defense contractor’s intelligence business and an energy company specializing in transporting environmentally friendly materials.

Beyond his professional achievements, Anderson is recognized for his expertise in the field of cybersecurity. He is a sought-after speaker, writer, and industry expert, providing valuable insights to both C-Suite executives and boards of directors.

Currently, Anderson serves as the Chief Technology Officer (CTO) for Boston Meridian Partners. In this role, he evaluates emerging technologies, collaborates with major security providers to devise cybersecurity strategies, and delivers technology insights to the private equity and venture capital community.

Overall, Shawn Anderson’s career journey showcases a wealth of experience in cybersecurity and leadership roles, making him a respected and influential figure in the industry.