Welcome to the next installment in Wing’s Voices of the Market!
The purpose of the Voices of the Market series is to summarize our recent conversations with enterprise customers - their top priorities, areas of interest, and unsolved challenges - and to share these insights on an aggregated basis for founders and future founders building new technologies and companies.
This post is focused on cybersecurity. Wing is hosting our 5th annual security summit later today on the sidelines of RSA Conference 2023. We’re honored to welcome General Paul Nakasone, Acting NCD Kemba Walden, and Christopher Krebs, along with over 200 CISOs and government leaders in our closed-door, no-press, off-the-record setting.
In preparation, Wing spoke with 30 CISOs over the past 10 days. The CISOs came primarily from large enterprises, with 10 of the 30 from public companies with market capitalizations of $100 billion to $1+ trillion. The industries spanned telecommunications, consumer products and services, financial services and real estate, federal/state/local government, hardware and software technologies, and healthcare and pharmaceuticals.
Our takeaways are:
1) Generative AI and LLMs
The topic of the year is generative AI. As one CISO stated, “it is like blockchain 10 years ago and XML in the 1990s.” Another CISO stated, “everyone is talking about generative AI right now. Is it something as monumental as the smartphone or a flash-in-the-pan like self-driving cars?”
We found five CISO-specific threads in our conversations.
First, what is the IP risk? Samsung Electronics’ inadvertent data leak on ChatGPT has proven to be the poster child warning for LLM input data. One CISO commented, “people say to talk to LLMs as a trusted friend, but I think it’s more prudent to talk like it’s an untrusted competitor. You are creating your own competitor.” On LLM training data, one CISO commented that LLMs are “the greatest disruption to intellectual property that we have witnessed.”
Second, given the IP and other risks, what policies should corporations adopt internally? Options included: blocking, standing up a committee for review and approval, providing user awareness, enabling DLP techniques, emphasizing tokenization and de-identification, and building self-hosted LLM capability. In our 30 conversations, about 40% of CISOs were blocking by default and permitting by committee review. Many other CISOs were permitting but reminding users not to share company-specific information. Interestingly, a couple had built beta versions of self-hosted solutions, but they did not yet have full confidence in the data security.
Examples of responses included:
“We’re restricting access by default for typical users and setting up an internal review process led by a small cadre of experts to carefully review and approve projects.”
“We are standing up an AI committee. We’re not banning it. We’re monitoring it and we’ve put out guidance about company-specific information and connections and integrations.”
“We have not blocked generative AI. We have communicated some guidance on data use.”
“We haven’t announced a policy, other than restrictions on submitting IP. It is basically ad hoc.”
“We are working with proxy providers to block generative AI URLs. We’re telling users to use their personal machines if they want to play and to redirect to our internal ChatGPT and AI Lab if they have a business use case.”
“We are going to block it and handle it on an exception basis.”
“We’re permitting it on an exception basis and are standing up a committee. We are proceeding in a super safe way. It is not connected to our systems, and a very limited number of people have access to it.”
“We are building our own version and are building confidence. Microsoft is saying it’s safe, but we’re not bought into it yet.”
“We are building a safe sandbox in our global tech center right now. Microsoft is giving us comfort, but our legal team is worried. We’re providing dummy data now.”
Third, how will generative AI be used by threat actors? CISOs most often discussed the use of generative AI for social engineering and phishing. One CISO stated, “I’m a little concerned that generative AI will level the playing field a little more. Phishing education for users to look for misspellings will become irrelevant. Phishing research time for bad actors will go to zero. It gives the opportunity to phish the right content at the right time at scale.” Another CISO stated, “Social engineering research becomes easier and more threatening. A threat actor doesn’t need a chemist sitting right next to them. They can spend 5 minutes and come off just as smart as a junior chemist.” Another CISO broadened the conversation, “LLMs can be socially engineered and tricked to give up information that they shouldn’t. They are more organic than traditional, binary software.”
Fourth, how can generative AI be used by security organizations? The use case that came up most often in our conversations was tier 1 SOC automation. One CISO asked, “we run our own 24/7 SOC. Can generative AI run it for us in 2-3 years?” Another CISO said, “our early results are mixed, but I believe it can automate at least 90% of our tier 1 SOC.”
Fifth, what is the accuracy of the systems? CISOs discussed concerns on LLM hallucinations and implications to companies’ executives and decision-making. One CISO stated, “my biggest concern is that I can’t control the hallucinations and how people make decisions based on them.” Another CISO stated, “the efficacy of what’s coming back is not really ready for prime time. Who is going to be responsible for the error rate that comes out?”
Other questions that came up in our conversations included a) the role of the government and b) other considerations such as ESG and heat production.
2) China and TikTok
A second debate topic in our conversations was the threat risk of TikTok and China broadly. One CISO stated, “I worry about the convergence of large language models and deep fake technology with the use of TikTok as a video pipeline to influence CEO earnings announcements, consumer purchase decisions, voter viewpoints and elections, etc.” Another CISO stated, “we have a country risk framework for where employees are hired and travel to. We moved China up a notch recently with its rhetoric on Taiwan.”
On the topic of TikTok specifically, several in our conversations would ban TikTok, but a majority would opt not to. One colleague stated, “I take my government colleagues at their word that TikTok presents a national security risk.” Other colleagues stated:
“I would not ban TikTok. It’s a slippery slope.”
“It’s hard to consider banning TikTok. I want to see more education like Smokey Bear for today.”
“Foreign ownership and control is overblown. That isn’t required to subvert systems in cyber.”
3) State of Cybersecurity
On Wednesday at RSA, Kevin Mandia is delivering a keynote presentation on the State of Cybersecurity. We asked CISOs in our meetings: Are we seeing the results we need and having the effects we want, or are new foundational approaches required?
Many CISOs were skeptical of our current state. One CISO stated, “Clearly, we’re not winning.” Another stated, “we’re horribly losing. We take bites at the elephant but it doesn’t solve the problem.” Yet another stated, “If I review the last 12-18 months, it looks like we are progressing but I don’t buy it. We are doing more than ever, but I question whether it is having the effect we were expecting it to have.” Another asked, “what is going to asymmetrically change the natural imbalance that forces the cybersecurity industry to exist, e.g. massive connectivity, high anonymity, and low accountability?”
As a more balanced note, one CISO said, “I feel like we are succeeding in some ways. I don’t feel like I am walking in quicksand like I was in 2019. We have caught the attention of decision makers in the companies and in the country to make positive change, and now we have to go make that positive change.” Another CISO said, “I’ve seen positive signs on ransomware - more companies with backups, fewer payments made. Outside of that, we are just churning out software and systems that are sub-par in security.”
When asked for new approaches, CISOs commented on identity, software standards, crypto money flow, and attacking back. We discuss identity and software standards next in this post. On money flow, the FBI has been able to recapture crypto ransomware payments in some cases and to some degree, but one CISO stated, “if you could stop the money flow, that would make a difference.” On attacking back, one CISO stated, “we have not yet unlocked the power as a set of companies and a country to increase the cost of cybercrime on criminals. For example, we have asymmetric compute capability.”
4) Identity
Identity remains a major topic, investment area, and attack vector in cybersecurity. One CISO stated, “Identity is the #1 weakness exploited by bad actors. We as an industry think it’s about MFA but it isn’t.” Another CISO stated, “Identity is an area I am most concerned about. Most of our incidents have been bad actors getting administrative passwords.” And, another CISO stated, “identity, authentication, authorization that enables a seamless, frictionless environment doesn’t exist. I question whether it is as complex or more complex than 5-7 years ago?”
5) Software Security Standards
CISA Director Jen Easterly and Acting NCD Kemba Walden have made comments recently on the security standards for tech companies. These comments have resonated with CISOs and were even referenced to us during our research calls. One CISO commented, “Jen Easterly was quoted as saying we need to hold tech providers accountable for cyber hygiene. I would agree with the assertion that tech could be held a lot more accountable like traditional manufacturing companies.” Another CISO commented, “My vulnerability models always start with software quality. Tech companies are held to a lower standard and it’s worth looking at.” Another CISO added, “Patch Tuesday is an accepted practice in software. But, if you had to bring in your car even once a month, you would never stand for that.” Finally, a CISO stated, “I would like to see repercussions. PCI has teeth. GDPR has teeth.”
6) National Cyber Strategy
One of our topics at Wing on Monday is the National Cyber Strategy, issued last month by the National Cyber Director. Most, if not all, CISOs in our conversations had read, skimmed, or heard about the National Cyber Strategy. For many, the strategy was not a core topic of discussion. One CISO commented, “nothing struck me as net new.” Another commented, “I don’t see anything that moves the needle for the large enterprise.” And another commented, “It is a step in the right direction. We are positive and supportive.”
Numerous CISOs, however, were well versed and had questions on the National Cyber Strategy. The first concern was regulation. One CISO stated, “The tone is more slanted toward regulation, but there is an equal callout to partnership. Where it goes remains to be seen.” Another stated, “I’m glad to see the National Cyber Strategy, especially as it helps pull all of the government together. It looks like there’s a lot of regulation in it. To what degree is it a path to regulation or partnership?”
One CISO discussed the complication of a US-based global corporation in today’s geopolitical environment. The CISO stated, “the biggest challenge for me in a massive international company based in the United States is to balance the tension between globalization and nationalism. The more we link to the federal government, the more challenges we get overseas.”
Several CISOs reacted to the National Cyber Strategy with questions on the vast majority of businesses that are small- to mid-sized. One CISO stated, “for the very large healthcare companies, CISA adds limited value. CISA’s role could be very helpful for the smaller end of the sector. Could CISA become the SOC for small- to mid-sized companies?” Another CISO commented, “CISA is useful for organizations with dedicated security resources, but it’s not helping the 99% of businesses that do not have dedicated teams.” And another asked, “On the other 99%, are we leaving them behind? As solutions get more complex and more expensive, who is going to look out for the local real estate manager, local franchise owner, etc.?”
7) Intelligence
We continue to hear calls from CISOs for greater intelligence sharing from the government. One CISO stated, “the government has improved at this, but please keep releasing details from threat groups on which CISOs can take action.” CISOs continued as well to express frustration. One CISO stated, “the federal role in intelligence is almost negligible as we get almost all of our intelligence from Health-ISAC.” Another CISO stated, “when we have gotten information from the FBI, it is outdated, stale, and insufficient.” Yet another stated, “I feel like the government feeds are less trusted than the feeds from CrowdStrike, Netskope, Zscaler. We tend to look for the backstory - what’s behind the intel and why it is being sent now - and we can’t find that on government feeds.”
8) Other Topics
Ransomware. Ransomware was the topic of the year last year. Although we did not focus on ransomware in this year’s calls, it remains a CISO priority. One CISO said, “ransomware is #1 for us. There has been an increase in smash-and-grab, rather than surgical and sophisticated, attacks recently driven by the Ukraine/Russia war, particularly in Germany.”
Harmonization. Harmonization was a key topic at Wing and RSA last year. This year, most CISOs expressed limited progress in the area. One CISO commented, “I don’t feel like there’s been much movement on harmonization over the past year.” Another CISO said, “incident reporting is getting quite overwhelming for any business at scale - how much to report, in what timeframe, and what are the penalties.”
Cyber Insurance. It appears that the cyber insurance market has stabilized, especially as compared to the volatility discussed at this time last year. CISOs’ questions this year focused on the value of cyber insurance and the maturity of the underwriting frameworks. One CISO said, “many organizations choose not to renew cyber insurance because they got back maybe 5% of what they expected from claims.” Another CISO said, “I just spent a week meeting several dozen underwriters for our renewal. The underwriters don’t have standardized surveys, much less data or control frameworks, to accurately understand and reflect the market risk.”
Supply Chain. One CISO commented, “For the first quarter of this year we have had more third party breaches than ever before. It’s made us rethink and evaluate our supply chain.”
OT security. One CISO said, “we need to shore up the software for our current OT inventory, which is in place on average for 25-30 years.”
NSA authority. One CISO emphasized, “FAA-702 is an important NSA authority. We need broad private sector support on a non-partisan basis for getting it reauthorized.”
Conclusion
We look forward to an exciting and productive RSA Conference 2023. It is apparent, in our view, that the security ecosystem is more advanced, more prepared, and more engaged than ever before. It is not clear, however, that our collective work is sufficient to change the current trajectory of cyber attacks, which seems to be only “up and to the right”. Fundamentally new approaches may indeed be called for.