Evolving Industry
Cybersecurity has been a hot-button issue for businesses, both large and small, for years. But now, AI is rewriting the rules.
Cyberattacks are becoming more personalized and nuanced than ever before.
In this episode of Evolving Industry, Andrew Wilder, Board Member and Adjunct Professor in Cybersecurity at Washington University - St. Louis, argues cybercrime is no longer an IT problem.
It’s an everyone problem.
Andrew talked with us about:
- Why cybersecurity needs to be a shared responsibility across an organization
- The challenges of conveying urgency in data protection
- How to explain potential liabilities in a language executives understand
We Need to Turn Cybersecurity Policy Into Cybersecurity Culture
2023 may be the year of ChatGPT, but it’s also marked the rise of a new kind of cybersecurity threat.
According to Andrew, AI has changed the game. From deepfakes to phishing emails, AI-enhanced cyber attacks are becoming smarter and more prevalent by the day.
“If you can [use AI to] create every piece of ransomware or malware to be completely unique, then you can get past a lot of those controls that we have today,” Andrew said. “So from a defense perspective, we need to be a lot smarter.”
Andrew believes a significant cybersecurity gap in many organizations today is that they still view data transactions as an IT issue.
But everyone in the company who touches a work computer or smartphone is vulnerable to these attacks. So every employee needs to be aware of potential threats and how to deal with them.
"You’ve got to have a good policy. It's got to be up to date. You’ve got to communicate it to people regularly,” Andrew said.
Perhaps most importantly, cybersecurity standards must be digestible for the non-IT crowd.
“It can't be a 60-page document,” Andrew said. “It's got to be something that people can understand."
Leaders Need to Convey Urgency in Cybersecurity Matters
Of course, newer, more robust cybersecurity policies are all well and good, but how can leaders internalize them across their entire organization?
Andrew echoed this challenge in a quote from one of his old CEOs.
“The sense of urgency is very hard to cascade,” he said.
As new information about cyber threats is filtered down through leadership and across the organization, it often becomes lost or twisted in a “telephone game,” as Andrew put it.
“The message gets lost at some point,” he said. “Maybe the IT team, or the cybersecurity team, knows that it’s important. But when you get out to the general population of the rest of the organization, a lot of people are not hip to it.”
The solution? Put boots on the ground wherever blind spots may exist.
“I think the best way to address this is creating strategic relationships in each of those business units,” Andrew suggested. “Have cybersecurity champions in those areas, people who understand and know about the policy.”
Where Do Executive Responsibilities Start and Liabilities Stop?
The perplexing dilemma many businesses today face is they’re stockpiling excessive accumulations of data.
Often, it’s information that offers little to no practical utilization, but much of that data comes with tangible risk all the same.
In 2022, Uber’s former Chief Security Officer, Joseph Sullivan, was convicted of covering up a data breach of millions of his company’s user records.
While his dubious actions after the attack were undoubtedly a contributing factor to his indictment, the FBI Special Agent in Charge, Robert K. Tripp, said this about Sullivan’s case:
“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur.”
Incidents like the one at Uber have caused major ripple effects in cybersecurity divisions across private and public organizations alike, and world governments are putting them on notice.
In July 2023, the U.S. Securities and Exchange Commission (SEC) announced new rules regarding cybersecurity risk management, strategy, and governance disclosures in publicly traded companies.
So how can data analysts and other IT experts help executives understand the risk factors associated with data management?
Andrew suggested using language that business leaders will understand.
"If you use quantitative risk assessment methods... it makes it very easy to translate the amount of data and the number of records into financial risk,” he said.
“You can say, ‘Look, we’ve got a million customer records. $1,000 per record is the maximum fine. We could have up to a one billion dollar fine if these records are breached.’”
By attaching a dollar amount to cybersecurity risk exposure, you should quickly get the attention of your executives and business partners.
Cybersecurity Touches Every Layer of Your Organization
The true grit of an organization isn’t just in its ability to fend off cyber threats but in its capacity to weave security consciousness through every department.
Andrew's insights underscore a critical cybersecurity component — in a world where data reigns supreme, cybersecurity policy needs to merge with organizational culture.
Now that AI is in the mix, it’s more important than ever for companies to be mindful of their data stores… and it starts at the top.
Craving more? You can find this interview and many more by subscribing to Evolving Industry on Apple Podcasts, on Spotify, or here.