Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello! I'm Anna Delaney, and welcome to the ISMG Editors' Panel at the end of our London Summit 2024. I'm very pleased to be joined by my colleague, Mathew Schwartz.
Mathew Schwartz: Hello.
Delaney: Hello! And CyberEdBoard members - Jon Staniforth, former CISO of Royal Mail, and Helmut Spöcker, vice president, chief security officer - ECS partner management at SAP.
Helmut Spöcker: Thank you!
Delaney: Thank you so much gentlemen for joining me.
Jon Staniforth: Thank you.
Delaney: So Jon, you started the day with a phenomenal panel conversation about lessons learned from ransomware attacks. Of course, Royal Mail experienced its own ransomware attack last year, and I thought that was invaluable commentary and insights from you. Tell us about how that panel went and any other insights you want to share.
Staniforth: The panel was good. We transitioned from the technical end of initial public responses and developed it into what it means for the teams involved in the rest of the company. The day itself also flowed quite well with a mixture of the technical end and the softer end. The final tabletop session helped people start to understand that these cyber-related issues are much more company-wide to deepfakes and the potential for CFOs to make payments. There are business processes, segregation of duties and different types of compliance. It's not just a CISO anymore. So, that whole journey I thought was quite well done during the whole day.
Schwartz: Yeah. One point on your opening panel, not to play to the current panelist to my right, but somebody turned to me after that and said, between you and Heather Lowrie, your co-panelist, who's former CISO at Manchester University and also suffered a cyberattack last year, how apparent it was that you were cybersecurity leaders. He said your leadership came through.
Staniforth: Oh that's nice.
Schwartz: Thinking about how you approached things and communicating that to others. He said that had been a good message. It was wonderful to see how you not only deal with it but how you inspire those around you.
Staniforth: Oh that's nice to hear. Thank you.
Delaney: Mat, also what you said at the end of that panel. You've been around a little bit, a little while in the industry.
Schwartz: We've all been around a little bit, Anna, in the industry.
Delaney: And before, it was harder to find these lessons learned. Maybe there was the reticence of sharing, but also there were a few lessons learned. Now, we've got a lot more lessons, and thank you so much for that openness and sharing. It's invaluable to the community. Helmut, how about you? Any insights that you want to share, or any highlights from the day?
Spöcker: Oh many. First of all, I was glad to see that many of my peers share the same thoughts, issues, problems and challenges - whatever we call it. They also have similar approaches to resolving their issues, problems and challenges. I enjoyed two conversations the most. The first one was Jonathan and Heather's, because it gave me a lot of insight, and I was very curious about that. I've seen ransomware attacks myself. So, I was curious to see and learn how other leaders in the industry would handle such a situation. I was in a lucky position that we could limit damage to a great extent. But, communication was a challenge to us as well, and so this was a big learning for me.
Delaney: Yeah, communication is so important. Mat, any favorite moments?
Schwartz: It's hard to pick favorites. It's very dangerous to pick favorites, especially sitting with some of the attendees. I loved the energy of the day. Your opening panel set a wonderful tone and note. It was very ably moderated by Ian Thornton-Trump. He brought a lot of energy, and he brought a lot of energy to the next panel discussion that I had the pleasure of moderating about "Hackers not hacking in - they're logging in." Talking about identity compromise, which is true. Again, we've been in the industry a long time - hacks, right? We always talk about hacks, but so often when you get the details of these attacks, it's a teenager phoning somebody up and sweet-talking their way through, or it's somebody guessing a username-password combo, and it works because there wasn't multi-factor authentication on the account. So, it's less sophisticated than it looks. If you're criminally inclined, it's a little easier to achieve perhaps. So, I liked getting the details that we got there. Some other wonderful sessions talk about AI. What does AI mean? It means too many things, probably to too many different people. But getting into the specificity of what do we mean when we say AI, what is it good for? And one of my takeaways from what was said on stage is humble ambitions, narrow the focus and know what you're putting in so that you can verify what's coming out, especially in a compliance or a GRC context. I thought that was useful. So, lots of fun and interesting sessions today.
Delaney: Looking at the agenda here, AI regulation, the supply chain - these are not necessarily new themes. Was there anything new that you learned today? Was there anything that you will walk away with thinking that it's a new insight?
Staniforth: I quite liked the Rubrik discussion on AI, because it got rid of some of the hype and was a bit more balanced. So, that's where people are in the real-life journey, as opposed to the hype journey on AI. That brings a sense of realism that you don't always hear at some of the conferences or some of the talks. It's a little bit like all the bad guys are doing everything bad or the good guys can use it for everything. I'm in the same camp saying that, with the opportunity AI is bringing, companies need to start getting more data governance, and that's always been a challenge for a CISO as we're only part of that puzzle. So, you've got the ICO, the data quality, and AI. As companies mature more, we are starting to realize they need better data governance and that can only contribute to better cyber hygiene.
Delaney: Thinking about AI-first strategies. So, they came up. As you said, use cases, like specific use cases of where the benefits lie with AI and the challenges. But, it is good to have those concrete conversations. Helmut, anything you want to add?
Spöcker: AI was used to help our SOC, but it didn't. It created more work than it took away more time from us. That was an important aspect I will take home. The other one is, yeah, it also confirmed my conviction that AI is potentially helping the bad guys more than it is helping the good guys for now, because it helps exploit vulnerabilities faster than it did previously. So, time is our enemy. It has always been, but it's getting worse.
Schwartz: Well put. Less time to deal with anything.
Spöcker: That's a quote from Maverick.
Schwartz: Oh, very good. Here's to Maverick.
Delaney: Not to put you on the spot, but is there one word that defines where we are today in the AI industry?
Spöcker: Awareness.
Delaney: Awareness? Still awareness?
Spöcker: I found a lot of awareness in the audience - that was inspiring because it seems that the good guys are gathering around the flag.
Staniforth: For me, some continual learning. So, I've been in cyber for 20-odd years, and it is continual learning, which is why I got into this sector and area, and it's still that now. Sharing with other people and other sectors - that's continual learning.
Schwartz: Fantastic! "Resilience" - I don't mean to sound like an eternal optimist, and it was said better in the course of the day on the supply chain panel that I was moderating with Dom Lucas and Brian Brackenborough. And I forget which, or if both of them said this, but they said, "Never forget how far we've come." We focus on a lot of the problems that we're facing necessarily but look at where we are and look at all the things we can do now that we couldn't do before, as well as the level of discussion that we're having. And that was inspiring. From a resilience standpoint, we're in a much better place than we were. Based on the discussions I'm hearing, the discussions organizations are having and the discussions regulators are engaging in, we're in a much better place than we used to be.
Delaney: I'm thinking about verification. That came up a lot. For example, verifying a deepfake. How can organizations do that and which tools are they using? But, it comes down to awareness, comes down to resilience and comes down to continuous learning. Maybe they all apply. But, also in your session earlier, "Hackers Don't Hack In - They Log In," how do you verify who's authentic, and who's real?
Schwartz: And who's ChatGPT, I guess?
Delaney: On that note, thank you very much gentlemen for all your insights. Appreciate this and the rich insights you brought to the day as well.
Spöcker: Thank you.
Staniforth: Thank you very much.
Schwartz: Thank you.
Staniforth: Nice to meet you both.
Delaney: Thank you so much for watching. Until next time.