ISMG Editors: London Summit - AI Tech and Incident ResponseAlso: The CISO's Role in AI Rollouts; Responding to Ransomware; Liability Concerns Anna Delaney (annamadeline) • September 20, 2023
This week, Information Security Media Group editors covered the hot topics at ISMG's London Cybersecurity Summit 2023, including the technical landscape of AI, executive liability, incident response strategies in the face of a global ransomware attack and how to build personal resilience to avoid burnout.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Akshaya Asokan, senior correspondent, ISMG; and Mathew Schwartz, executive editor, DataBreachToday and Europe - discussed:
- Best practices for preparation and response to ransomware attacks;
- Navigating executive liability and practical steps security leaders should take to protect their own liability;
- The technical intricacies of AI systems and the pivotal role CISOs play in ensuring secure and responsible AI implementations.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Sept. 8 edition on reasons to cheer about the cybersecurity market and the Sept. 15 edition on the risks of frequently used usernames.
This transcript has been edited and refined for clarity.
Anna Delaney: Hello, I'm Anna Delaney, and for this week's ISMG's Editors Panel, we are live at ISMG London Summit 2023. And what an event it's been. I am joined by my colleagues, Mat, Akshaya and Tony. Great to be with each other; it's the end of this brilliant day. Mat, I know you moderated a few panels on AI, budgeting. You hosted a roundtable. What can you share with us? What were some of the highlights?
Mathew Schwartz: Well, the highlights for me were the budgeting secrets of our cybersecurity all stars. That was fascinating discussion. I said how fun it was going to be. And I think there was laughter from the front of the audience, but we had them cowered by the end. It was a great discussion about how you think about budgeting. And it is such a challenge for security teams, because you need to be strategic. Unfortunately, sometimes, you're going to need to be reactive when you've got a breach. There's vendors to manage, there's people and hiring, of course, and trying to keep them skilled, great discussion, as was the discussion we had on AI and machine learning, and what security teams, what CISOs, need to be doing to stay current on these sorts of things. And just to fast forward to the end, how they need to be understanding it, communicating what the possibilities are, and promising what those capabilities might deliver, at least today. And just keeping an eye on it. Because it's not just a buzzword. It's been widely used.
Delaney: And they are, or were, very much navigating. They are navigating through the space, which was the title of the session. But I thought, I loved how refreshingly honest they were about where they are, the frameworks they are following, and how they're using this as an opportunity to share the responsibility model with everybody because security is everybody's responsibility. This is an opportunity, perhaps with AI.
Schwartz: It's the latest in a long line of technologies that have been widely adopted, possibly with minimal to no forethought in a manner which if we're lucky, has got some loose security framework monitoring, and oversight, meaning we've been here before, with practically every major technology adoption that we've ever seen. It gets adopted. The business says we need this in order to make money. And the security team says great, please let us help you. So it's just the latest. But I think CISOs are in a much better position these days to rapidly deploy, if you will, and to say, look, we need to use this in a careful manner. We're here to help you.
Delaney: Well-said. Akshaya, you had a bit of a bird's eye view of the events. And you were going through to a few sessions, reporting on them as well, live reporting the articles that are already up on our website. So how was it for you? Anything that stood out?
Akshaya Asokan: Yep. So this was the first event that I'm attending in London. I was very excited. And it was packed. And it was buzzing, and the first session was that of Google Cloud chaos coordinator, John Stone. And he spoke at length about AI security, Google's safe AI frameworks - SAIF, and how companies can deploy. And everybody all eyes were on him, everybody was taking notes. And he did talk about how there is a tendency among practitioners to just jump on to sort of buzzwords like prompt injections, and hallucinations. So before getting or worrying about algorithmic risks, so he said, the focus must be on getting the basics of security right, which is your basic cyber hygiene practices, which is patching, looking for bugs in your source code and all of that. So I found that very fascinating. And he had a very in-depth presentation on how companies can sort of deploy AI to their solutions. So that was very interesting.
Schwartz: A lot of enthusiasm and excitement for that.
Asokan: And a lot of questions. So that was good, very informative. And on the sessions that Mat coordinated on AI regulation, and Andy Chakraborty and Ian Thornton-Trump and their discussion about governance and how sort of privacy-focused governance is sort of pushing companies to opt for more AI solutions that's trained in private data as opposed to public data because it can invoke fines with the EU's impending AI Act and other AI regulations that would soon come about in the U.S.
Schwartz: Or can spill your secrets, if you train a public model, and it regurgitates it for somebody else, which we've seen. I think they cited Samsung as a recent example. So yeah, it was interesting. They were relatively bullish, I thought on private AI, that they could get the model and then train it, but keep the training inside. And I thought there would be some hesitancy there. But they were talking about how they might want to adopt that.
Asokan: Yeah. So I found that very fascinating, and how financial sector, where there are a lot of PIIs - personally identifiable information - where they have to be extremely careful. So that was very interesting and new to me.
Delaney: Great discussion. So, Tony, you, manned, you were the master-in-commander of the solution room today. Tell us about it.
Tony Morbin: I mean, I thought that was interesting. And people were pretty enthusiastic. But the solutions that came out, were not particularly a surprise. In fact, I would go back to Baden-Powell, with the scouts had it right to have his motto, Be Prepared. And that sums it up. I mean, particularly, playbooks making sure that they are practiced, making sure that they're well communicated as well, and that they're updated to deal with changing circumstances.
Schwartz: So what were you solutioning? Because I was stuck in a roundtable. Otherwise, I would have liked to have ended in the session, but it was incident response, right?
Morbin: It was incident response. So it was running through a scenario that you're a global logistics company that has been hacked. It suspected that it's a ransomware. And one of the issues that came up was, is it ransomware or not I was a bit shocked to see the total negative idea of no, we wouldn't bother communicating to the police, because law enforcement doesn't do anything. And they might even restrict us because they'll want to retain evidence and so on, and it might slow us getting down. I mean, there's some other questions that had come up, slightly earlier. But should we pay a ransom, and it was very much it depends on your circumstances you have to do what is best for you, even though the recommendation is always not to pay the ransom, if you can at all avoid it. So it was, in that sense, was predictable, but there was also don't panic, don't go running around finger pointing. Make sure that you go through this slowly, methodically, all the things about who you should contact, does your CEO have your phone number, so that he can contact you if all your systems are down.
Schwartz: Or if ransomware attackers are monitoring your ...
Morbin: Because they're monitoring everything and you don't know what they've already got maybe you need another channel of communication, separate from your normal systems. So all that was there, but it was about get it all in the playbook, including your response to regulators when you need to respond, who needs to respond, what everybody's responsibilities are. And all those priorities should be in your playbook. And do practice them. Because if you don't practice, well, unfortunately, the other comment was, you only learn if you've been through an attack. So all those who've been through the real thing, are suddenly a lot better at response, because they now have identified their failings. But they didn't know who to deputize to, who had what authority in the actual circumstance of having been attacked. So there is that emotional response. And you need to get that out of the way, work through step-by-step and maybe look at other people in your sector, how they have dealt with it, and steal their playbooks because they would have gone through the same thing.
Delaney: Very good. So was there a particular speaker that stood out for you?
Morbin: A particular speaker, it's difficult to put one person above the others because it's a bit unfair. I know, Angus from MasterCard was saying how one of the other issues with paying ransoms is you might not even have the wherewithal to be able to pay a ransom if the ransom has to be paid in cryptocurrency, if you don't have a system in place to be able to pay a ransom if that was what you decided. And it was also asked is there a checklist you can run through? As to whether or not you should pay a ransom, and frankly no, there isn't. Because it's going to depend on every circumstance.
Delaney: Akshaya, particular conversation or speaker or theme?
Schwartz: You've already highlighted a couple.
Asokan: John Stone. Found him very interesting, very, very informative and lots of new information nuggets.
Schwartz: I want to highlight Don Gibson for the closing keynote that he delivered. I saw people taking pictures and he said, contact me, I'll send you my slide deck. I'm not precious, but just looking at his lessons learned from a life in security. What burnout looks like, some lessons learned from responses, and what that does to you and how you need to think about getting through that sort of thing. Really well-received. He had a great example as well, in the panel, when we were talking about budgeting. He looks at recent incidents, and circulates those maybe monthly, picks an incident, gives it to his executive team, the board members and says, here's something from our industry, usually, here's how we would have fared. And here's some thinking that I have on the matter. I would also highlight as I suspect, you might, the opening speaker, Helen Rabe from the BBC, who was great, I got to interview her. Wonderful details, insights and a great way to start the day.
Delaney: Yeah, on leadership and how emotional intelligence plays a big role in how she navigates as a leader. So that was that was excellent. I also loved the Navigating Executive Liability panel and our good friend Jonathan Armstrong, partner at Cordery Compliance. Great to have that legal aspect. A lot of questions directed to him. There was this, I think it was Quentyn Taylor, CISO for for EMEA at Canon, was saying, we've been fighting for a seat of the board. It's time to grow up. You need to take responsibility. There's a great, great conversation there. And Jonathan was saying he was warning leaders to take note of these examples. Former TSB CIO, Carlos Abarca, and then a former CSO, Joe Sullivan, take note, because these are the trends. They're not just flukes, not fluke cases. And he likened these cases to the medieval tradition of having heads paraded on spikes. I love that. I think he was the best anecdote maker of the session. He also said, the supplier breach has become a competitive sport, almost like an Olympic game. So I love that. But what a great, great day. I've had a lot of fun. And if there was one word, just very quickly, to encapsulate the day, what comes to mind or image?
Schwartz: Don had a - what was it, as an American, the nature of well-being, something like that. I will just say self-care. I thought there was a great note being sounded, not to be touchy feely, but about how all of these things are empowering. And it's not this fear, uncertainty, doubt. It is to equip you so that when you're in these situations, be they ransomware incident response, or something to do with your career or whatever, that you're in a better position. And I'd like to think that everybody is in a better position after today.
Asokan: Large language model. For the enthusiasm that it created. So yeah, definitely.
Morbin: I'll probably, unfortunately, use two words, which was emotional intelligence and again, talking Helen's comment on how the emotional intelligence allows you to articulate risk better to the board. And the opposite of taking responsibility, being able to articulate the risk without necessarily saying, just because I've spotted this here doesn't mean I have to take responsibility for it. It could be somebody else's responsibility. And so you don't go in in a confrontational way. You explain it. And then who's the risk? So yeah, that whole emotional intelligence, which follows up on your area of as well and the whole not panicking and dealing with things calmly, rationally.
Delaney: Very good. For me it was engage. I had so many questions from the audience. I loved that. We came back to live events maybe last year. And I think the spent felt more sort of pre-pandemic time. I think everybody's just happy to be here, happy to connect. Energy and enthusiasm. So great. Well, I've had fun. Thank you so much for this wrap up. I hope you've enjoyed it. Thank you so much for watching.