Ep. 4 – Unveiling the Future of Cybersecurity
Logically Speaking Ep. 4: Chris Novak will teach you how to protect your business from cyberattacks in today’s rapidly evolving threat landscape.
Key Takeaways from the Episode
- Insights into the most significant cybersecurity threats
- Future predictions for the evolving cyber landscape
- The impact and proliferation of ransomware
- The top three actions to prevent a cyber incident
Unveiling the Future of Cybersecurity with Chris Novak – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with top experts in the field. Today, you’re going to learn how to keep your data safe, your operations sound, and your business ready for whatever comes next.
This is Logically Speaking.
STEVE RIVERA
Today’s guests we have a really special guest, an old friend, co-worker of mine, Chris Novak, who’s the managing director of Verizon Cybersecurity Consulting. He’s had over 20 plus years of cybersecurity industry experience, ranges from field work to working with Fortune 100 C-suite and board advisory roles. In 2022, he was appointed to President Biden’s cybersecurity review board. He was named a top security leader by Security Magazine. He has been a contributing author to the Verizon Data Breach Investigations Report since 2008, as well as featured in TV, radio, print ad, still waiting for him to get on Joe Rogan’s podcast. But he’s also a member of Forbes Technology Council, where he frequently writes on the topic of cybersecurity. Chris holds a Bachelor of Science degree in computer engineering from Rensselaer Polytech, which I didn’t get accepted to, Chris. I applied, but I didn’t get accepted to. I had to settle for NYU computer science. He’s got a CISO certificate from Carnegie Mellon, and he actively maintains a CISSP, CISA, PCI, QSA, PFI, and a litany of other certifications. Chris, thank you for joining us today. You can probably, you know, I’m sure that you have your choice of podcasts, and so I’m glad that you chose us. Thanks for joining us today.
CHRIS NOVAK
Yeah, my pleasure. Happy to be here.
STEVE RIVERA
So I know that we have just a short amount of time. I wanted to talk a little bit about, maybe you could share, start with your experience outside of what I discussed, and maybe we can start there. And then I’ve got some questions specifically about our listeners are in that mid-market space. And so open to hearing about your experience, and then we can talk a little bit about that.
CHRIS NOVAK
Sure. Yeah. So I mean, you know, you got the background just right there. I’ve been in cybersecurity now for well over 20 years. It’s been a passion of mine since the very beginning. And actually, I’ve always found it interesting when I talk about kind of how I got into the field because, you know, I think people hate it and love it at the same time because I say it’s kind of an accident. And that’s because when you go back that far, cybersecurity wasn’t a thing. There were no degrees or anything like that you can get in cyber, you know. To your earlier point, it was basically computer science or computer engineering or some kind of derivative of one of those two. But you couldn’t get a degree in it and most people, if you asked, would have thought it was something from like science fiction movies at the time. So it was kind of an interesting wild ride. And obviously it’s been fun to watch the industry kind of grow, develop and, you know, innovate over that time period.
STEVE RIVERA
Yeah. No, it’s funny you mentioned that because I got my start deploying Raptor firewalls back in late. And those at the time were the DOD standard. They were viewed as the un-hackable firewall and firewalls were all the rage back then. And then this cool thing called intrusion detection. Yes. We were like, what? You know, so it’s so funny to kind of be in the industry as long as we have and to be able to, I like you stumbled upon it. I had a CEO of one of the largest bars in New York City who said, I don’t know anything about cybersecurity or we call it InfoSec back then.
CHRIS NOVAK
That’s right. Yeah. In fact, if you called it cybersecurity, people would kind of smirk at you like, all right, what are you trying to make this into being? It was always InfoSec.
STEVE RIVERA
And she had the forethought to say, well, I don’t know much about this InfoSec, but if you can make a couple of bucks out of it, go ahead, build a pack. Yeah, neat. So I appreciate your time. Look, I want to know a little bit about what your team is doing today and maybe like the biggest cybersecurity threat that you see out today in this mid-market space that our listeners are in.
CHRIS NOVAK
Sure. You know, I’d say, you know, when you look at it from a pure threat landscape standpoint, there’s a number of things that hit the mid-market. And honestly, I would tend to argue that the mid-market’s going to see a lot of the same things that the rest of the world and the rest of the markets are seeing. Probably areas where maybe they’re a little bit unfairly hit is in a lot of things like ransomware and more of the, I would say, kind of automated attacks. Because generally speaking, we find that they’re more challenged as it relates to getting budget and resources, right? Two of the things you need most. And in a world where we both know cybersecurity is a hot market, so maybe you can get budget, but finding resources is extraordinarily hard. Keeping those resources can be just as hard if not harder. So usually what we find is kind of striking that balance of getting what they need to deploy adequate protection against some of these attacks, which, you know, when you think about it, it’s kind of like a regular kind of kinetic war in a way that, you know, can you lob an attack that is very inexpensive for you to lob, and very expensive for the other side to defend or vice versa, right? That can really impact the economics of war, if you will. And, you know, I think cyber, we see a lot of the same thing and the mid-market typically is challenged in a lot of those regards.
STEVE RIVERA
So you brought up an interesting, and you put it in kind of warlike terms, right? So, what is someone like the attack vectors that you’re seeing that are most successful? I mean, we hear about ransomware, we hear about phishing all the time. Is there anything out there that you can kind of look out on the horizon that could be as like, you know, if you had your crystal ball, what you’re starting to see, trends, you know?
CHRIS NOVAK
I’d say probably the biggest thing if I were to kind of look out there on the horizon, and we’re already kind of starting to see this develop a little bit, but I think we’re going to see more of it. And that is the use of AI, and I know it’s become very buzzwordy. But the fact of the matter is, you know, you were mentioning earlier when we were talking about RSA and, you know, all the different things kind of being shared on the show floor and all the different technologies that vendors are using. But at the same time, we also see that the threat actors are exploring how they can take advantage of it, right? And, you know, a lot of times people will say, oh, some key identifiers of, you know, phishing or social engineering attacks are, you know, misspelled words, grammar, you know, something sounds too formal, too casual. The ability for you to go to one of these platforms and say, write a message that looks like this using this style of language, it can do it fairly easily. And I think as we see that evolve over time, there’s an opportunity, opportunity, unfortunately, for the threat actors to leverage that to automate and expedite the crafting of that. You know, for example, a lot of the things that we look at on the defensive side or the detection side is patterns, you know, where we see things that a threat actor is doing common from attack one to two to three to four, it makes it easier to block the subsequent attacks because they’re just repeating it. If they’re able to leverage something like generative AI to be able to create more nuanced and scalable versions of that, all of a sudden, maybe many of these attacks don’t look as common as they used to, which makes it harder and harder for the defense to be able to detect. And so I’d say if I was looking out on the horizon, I don’t think that’s mainstream by any means yet, but I think we’ll get to a point where it will become more mainstream, unfortunately.
STEVE RIVERA
Yeah, I was, I was listening to the testimony of the CEO, I believe it was of OpenAI. Oh, right. Yeah. And he, he shared about the, you know, his concern about the malicious use and the harm that it could, I mean, that was pretty, I mean, to me, that was pretty telling. And you gave one use case. It’s interesting because we’re using it in a way where, you know, we’re using AI, OpenAI to like target and prospect and to, you know, from a sales standpoint, which is really, you know, from a marketing and a content. I mean, it’s actually pretty, pretty encouraging to see that it’s creating that window. But I guess on the flip side of that, malicious actors can also do that and be very, very targeted in kind of how they’re scripting these phishing emails and such. And so how do you counteract that? Because I always feel like we’re in this cat and mouse, you know, mode where a malicious actor can leverage something like AI. How could we leverage AI to counter that? Is that, is there anything that you’ve seen?
CHRIS NOVAK
So I mean, I do think that there’s more opportunity for us on the, the defensive or the, the, the good, the good side of the equation than there is for the kind of offensive or, you know, ill will use of the technology. And I think part of it is, I think there’s a better ability for us to collaborate, invest and build bigger, better, scalable solutions. Whereas I think the threat actors, the cost of building something like this is tremendous. I think, you know, nation states will be able to leverage it and be able to advance it. But I think your more individual threat actors, your more organized crime groups. I think it’ll be more challenging for them to scale it in a similar way to what the defensive side can do. I think it’ll be harder for them to, you know, harness that power, expand their resource pool. A lot of the challenges that we all face, but obviously they’ve got to be able to do that on the criminal side and be able to engage more people in order to further that. And I do think we’ll have an opportunity to overcome that. But I think like everything with security, it’s always a cat and mouse game, right? We come out with a better firewall. We come out with some kind of exploit to try to take advantage of a vulnerability. And we go back and forth. And I think it’s more about, you know, hey, how do we kind of look ahead? Where do we see the future going? How do we invest in those right places to try to make sure that we stay in front of it? So, I do think that the future is still bright, even if some of the AI opportunities may have some bleak uses as well.
STEVE RIVERA
Yeah. I want to shift focus just a little bit and talk about industries. So, you’ve been in the industry a long, long time. And what industry do you see investing the least amount in cybersecurity? Is there industry that’s lagging in terms of cybersecurity investment that needs to catch up based on, because you serve all markets, right, in your role? What industry do you see, and, you know, vertical industries that I’m referring to, which ones do you think invest the least amount in cybersecurity and kind of need to focus on it more?
CHRIS NOVAK
Yeah. So, I mean, I would say this kind of ebbs and flows a bit over time. The areas where I think we’d say we see more of the challenges, for example, would be in things like education, health care, they’ve been hit very, very hard. And then I think also, you know, if you look at it from a size and scale perspective, generally speaking, your smaller and more medium to mid-sized businesses typically struggle more because the large enterprises, they generally have large IT teams, large InfoSec or cybersecurity teams. But usually if you kind of look at it like a pyramid, you start getting about halfway down that pyramid, there’s a tremendous amount of organizations that live in the bottom half of the pyramid, but they don’t necessarily have the same level of resources to apply toward cybersecurity, or maybe in some cases, as you move even further down to the small business arena, they may not even be tracking on it at all. There was a study I was reading just the other day, and I don’t remember the exact study, but the numbers were surprising in terms of the amount of organizations that said cybersecurity and cybersecurity resiliency weren’t even really on their roadmap. Now, again, these were more of your small to mid-tier businesses, but again, it tells you that they’re still not entirely tracking on this as being a need. And I think it’s also complicated by the fact that, you know, the economy is in a weird kind of rocky, questionable state, right? Nobody really knows where we are or where we’re going. And I think that also creates challenges for more of your small and medium-sized businesses to struggle with figuring out where are they going to make investments. Your larger organizations typically are better capitalized and have more of a longer term, you know, roadmap and strategic planning and vision.
STEVE RIVERA
Yeah. I mean, it doesn’t strike me as odd, right? No. I mean, you have the small organizations with the more finite budgets, they have to choose where they put their, you know, their limited resources. However, and I want your opinion on this, I’ve found that the small organizations are incapable of recovering from an event, an outage, disruption when it comes to ransomware, cyber-attacks or, you know, anything like that, that their recovery or their impact is greater from an overall business standpoint. Like some of them quite possibly could not recover enough to actually be back in business in a reasonable amount of time. Are you seeing that as well or is that just, what do you see in instances like that where a small to medium business gets shut down for two weeks, three weeks at a time and then recovering that lost revenue?
CHRIS NOVAK
Yeah. So, I mean, it’s unfortunate, but we’ve seen cases like that where organizations have not recovered from, you know, an incident or breach. And obviously, we never want to see that happen, you know, and that’s obviously why we try to be very proactive, you know, kind of share the information and the research that we do like the data breach investigations report and such. But you’re right. There are circumstances where organizations, they’re just, I’d say, a combination of not being well prepared, not having the right, you know, say partner ecosystem in place to help them either in advance or when an event occurs, or they think that it’s not going to happen to them. There’s somebody else that they believe would likely happen to first. And so, as a result, they don’t take the necessary steps. And, you know, to your point of the impacts of these events, you know, for a small to medium sized business, the impacts of a cyber event can be very oversized. You know, if you get hit with a multimillion dollar ransomware demand, then you don’t have the resources in place to either pay the ransom, do it quick enough or have the appropriate backup and resiliency functions in place. There may not be a recovery option for you or the recovery timeline might exceed what your capabilities are. And that definitely creates issues. We’ve also seen organizations lean on things like cyber insurance. But again, that’s, I would say that’s maybe that’s kind of like a crutch, you know, and like a crutch, you still need to have some strength in you to be able to move, right? The crutch doesn’t walk you. The crutch helps you walk, right? And so I think that is a tool or an enabler. But again, it’s not everything. Organizations still need a fair degree of, you know, robust, you know, infrastructure processes, etc. And, you know, everyone will tell you that that’s not going to be the end all be all that’s just going to be kind of one of the tools in your toolbox, if you will.
STEVE RIVERA
Yeah, it’s interesting you brought up cyber insurance. So yesterday I was meeting with the mid-sized company about 2,000 employees and asked them about their incident response plan. And I got this sheepish look on their face like, we need your help on that. And I said, well, what about, you know, who do you have for digital forensic investigations? Because, oh, we rely on our cyber insurer. Okay, you have cyber insurance. That’s great. What about local law enforcement, right? Do you have the contacts with federal and local law enforcement should you need to? And she just, again, just looked at me like with this blank stare. So we walk through and I have to admit I learned this from you is to have that three-legged stool, right? You need to have your legal counsel. You need to have law enforcement. And then you need to have a third party incident response company on retainer to be able to respond no matter how large or small an organization because you’ve always said it’s not a matter of if it’s a matter of when. And so being aired, right? That proactive. So, I appreciate that. I’ve carried that message on.
CHRIS NOVAK
And if I could just add on to that too, Steve, that, you know, and I always tell organizations that, you know, it’s funny because sometimes I’ll speak with the smaller organizations and they’ll say, look, excuse me, the large organizations have it easy because they’ve got all these resources and budget and all these things. And, you know, they’ve got the, and, you know, an entire in-house staff that may be larger than a small business, right? They could have 100 people on their incident response team. But even still, those large organizations will have third parties that they lean on. And what I always tell people is it doesn’t matter the size because at the end of the day, you could have one massive incident that out, you know, outweighs your capabilities or you could be faced with multiple incidents on multiple fronts and you can only scale so much, you know? And so kind of having, you know, almost like a mutual aid agreement of sorts, you know, having, you know, incident responders or even in some cases more than one firm that you can lean on, I think is really beneficial because nobody wants to be caught in that position where an event occurs and you have to go to your CEO and say, hey, you know, unfortunately we never plan for a contingency for what might happen here and now we’re really, really stuck or, you know, we have to engage someone but it, you know, we don’t have an agreement with them so it’s going to take, you know, a week to get something done and that’s not a situation anyone wants to be in. (00:18:15)
STEVE RIVERA
Yeah, yeah. No, those are cautionary tales for sure. Sure. So I want to shift again and ask you kind of again to open your crystal ball and see how do you think the cybersecurity landscape will change over the next five years? I won’t ask you to look out 10. If we looked back 10, we would go, wow, we never anticipated some of these things. But in the next five years, how do you see the cybersecurity landscape changing in this market that we’re kind of talking about, this mid-market? And again, you know, I won’t hold you to it.
CHRIS NOVAK
(00:19:00) That’s fair. So I would say, you know, kind of continuing from the previous kind of conversation we had around generative AI, I think that is going to continue to be a challenge and I think that’s only going to get more challenging as time goes on as the capability becomes more readily available to everybody. And I think that, you know, kind of your small to mid-market organizations are going to struggle because like anything, generally speaking, when there is newer, more innovative technology kind of going back to that pyramid, generally it’s the organizations at the top of the pyramid that can afford to beta test and try all that stuff out and really kind of get their arms around what’s involved with it much more quickly than organizations may be further down that pyramid. So, I think we’re going to continue to see threats on that landscape. I think the other thing too, if we’re looking out into the future, I think there’s also risk around things like quantum computing and the potential for that to impact, you know, cryptography. There’s also risk for folks who may not be familiar with it. Obviously, the world of what we revolve around and everything that’s important to us exists largely because of strong cryptography or encryption. It protects that information, right? The conversation we’re having here is going over an encrypted connection. You know, you pick up your phone, you send a message, you know, whatever it is you’re doing, you interact with your bank, it’s all encrypted. And obviously the concept or the concern that exists here is thinking out into the future with the advancements of quantum computing, there’s a much greater ability that at a future state we’re going to be able to break the encryption of today in a relatively short period of time. And, you know, what’s given most people comfort is historically we’ve thought it’s going to take hundreds or thousands of years to break the encryption. 
By then you and I aren’t going to care if someone has access to our data because we’ll be long gone. But with quantum, there’s the potential that that can happen in a much more real time fashion. So obviously there’s a need for us to be looking at things like quantum resistant encryption in order to make sure that communications and data remains, you know, safe and protected. So if I was kind of looking out there in the future, I’d say those are probably some of the more kind of substantial, but maybe a little bit more reaching concerns. I think we’ll continue to see evolutions of also more of the traditional current day events like ransomware, extortion, you know, targeting of individuals, you know, one of the other trends we’re starting to see pick up is targeting of executives, you know, historically we’ve seen, you know, more of the end user population or the consumer population being hit. Now we’re starting to see that kind of bubble up where the C-suite is actually being targeted now because threat actors are looking at them as being, you know, either less protected in an odd twisted sort of way or organizations are making more exceptions to the rules and the policies for them, you know, a CEO or a CFO doesn’t want to have to change their password every 90 days or, you know, they want to be able to use a personal device instead of a corporate device. And so all of these things bring about risk to individuals in the organization that have access to a lot of really sensitive information. (00:22:02)
STEVE RIVERA
Yeah, you bring up an interesting point in terms of like top executives because most of the time they tend to be the ones who want to be the exceptions of the rule. And so that opens up a vulnerability that seems to be exploited. And so you have more exposure from that standpoint. A couple of weeks ago, I got a text message and this is I see this happening more and more, I got a text message from our CEO saying, Hey, this is this is Josh. And I got a new phone. Can you call? Can you text me back on this line? And I was like, it’s Saturday morning. Never reaches out to me on a Saturday morning this early. And so I texted Josh on the cell phone that I had. And I said, did you get a new phone? He goes. I go, you want to play with a threat actor? You know, it was pretty funny. I just blocked it. But it’s right. It’s true that that becomes the, you know, the attack pattern becomes more spear phishing and targeted in nature.
You’re right, because I remember when we first started with the DBIR, it was all about credit cards. It was all about social security numbers. It was all about, and that was where the breaches were happening most frequently. Now they tend to be more surgical in nature.
CHRIS NOVAK
(00:23:30) Absolutely. Yeah. I think when you look at things like AI and the ability to, you know, I mean, you saw that message and obviously it triggered you to respond as you did, which I think is great. I think a lot of people would be fooled by something like that. The other thing also is for individuals where there’s a lot of information about them out there, you know, the other thing that we’re also seeing are things like deep fakes. And so, for example, someone will get a phone call that sounds like you or me because they’ve used AI to generate a voice that sounds and speaks like you or I. And so they’ll say, Hey, this is, you know, this is Steve Rivera. I need you to do this. And someone’s going to say, okay, it sounds like Steve and this is the way Steve speaks. So, I’m going to listen to it. Right. And so there was actually an interesting, there was an interesting segment on 60 Minutes where this exact situation had played out and they’d showed a demo of someone getting a spoofed phone call. So the caller ID looked like it was coming from that person. And then they used AI to generate a conversation with that person using essentially a deep fake version of their voice, which, you know, it’s scary. And, you know, there’s a lot of organizations now too that are using voice prints for authentication. You know, there’s a lot of financials that are starting to use that as a way to try to simplify and reduce friction, but now there’s the challenge of if we can deep fake someone’s voice, then there’s the potential we can get into, you know, their bank account brokerages, things like that. So it creates a lot of interesting challenges. (00:24:59)
STEVE RIVERA
Wow. You brought up something that absolutely scared me now that we’re doing a podcast, right? And we’re recording our voices. You’re like, maybe I got to use one of those voice changers.
But then how would you recommend countering that? Is it multi-factor? Is it challenge and response? I mean, how do you propose to educate your user community with something like that? Because now it truly is zero trust, even voice, right? So that’s right. So how would you recommend that our listeners kind of tackle that? Or anything?
CHRIS NOVAK
So, I think, you know, to your point, zero trust, I think is kind of where we’re heading, you know, whether we were intending to be there or not. I think that all of this just as further evidence of the need for that, especially when you’re not necessarily in the presence of the individual to be able to verify that it’s really them, right? And I think it’s more and more challenging nowadays because of the fact we’re doing more things remote. So you know, you trust that I’m me and I’m trusting that you’re you. For all we know, this could be an AI conversation that is happening between two computers. But you’re right that I think, you know, ultimately it comes down to a combination of zero trust and a combination of multi-factor authentication and strong multi-factor authentication, I think is really the only way to really, you know, adequately be able to tackle that kind of problem.
STEVE RIVERA
Great. No, I appreciate that. So I did want to ask because you have a certain visibility into because of the partnerships that you have forged and your experience. What are some of the threat actors that you’re starting to see that are becoming very prevalent? And you know, and maybe you can share a little bit about their methodology and the process that they use.
CHRIS NOVAK
Sure. Yeah. I would say that a lot of it comes down to financial motivation. You know, you mentioned earlier some of the things that we have historically seen targeted and since the beginning of us collecting data, right? And if you think of the DBIR now we’re about to come out with our 16th iteration of it, right? So, it’s 16 years running even longer in terms of data collection. And since the beginning of our data collection, one of the things we’ve always found is that the majority of threat actors are motivated by financial gain. Now that’s not to say that’s the only motivating factor. We do see a small percentage that is espionage. And you know, I always tell people to kind of caveat because the news typically is much more interested in espionage related cases that makes for better TV, right? But the reality of it is if you think about the kinds of crime that you might encounter in your normal everyday life, you’re probably not regularly encountering, you know, espionage types of incidents as you walk through your neighborhood, or at least I hope you don’t. Most of the crime that we all experience is financially motivated. It’s, you know, petty theft. It’s you know, breaking into someone’s car, breaking into someone’s home, breaking into a business, but even in all of those physical cases, typically the goal of the actor is what can they steal that they can sell? And, generally speaki
Steve Rivera, CRO @ Logically
Chris Novak, Director of Cybersecurity Consulting @ Verizon Business
July 10, 2023 | 41 mins
In episode 4, Steve Rivera and Chris Novak talk cybersecurity and the future. From SMBs to enterprise companies, Chris reveals the motivations behind threat actors and how you can avoid them. See how you can learn from others’ experiences to minimize negative impacts to your business and stay protected in today’s fast evolving threat landscape.