KXL-FM (Portland, OR) Radio Interview

CISOs now face substantial personal risks, as seen in cases like Uber and SolarWinds where the SEC has taken legal action against the security chiefs. The primary risk is both personal and professional liability for the CISO, according to Kayne McGladrey, field CISO at Hyperproof. The problem, however, is that boards unaware of the business risks from poor cybersecurity are unlikely to include the CISO in the Directors & Officers insurance policy. “This exposes CISOs to substantial risk,” McGladrey told Cybersecurity Dive.

Kayne and Tom are joined by special guest Michael Chaoui, the Founder of Atlas One Security. Michael pulls the covers back on some of the challenges of companies going through the ATO process. We also discuss recent legislation and draft memos intended to modernize the FedRAMP process, all while enjoying one of Michael’s favorite stout beers.

“Viruses are most commonly spread through phishing, which is a technique of sending emails designed to prey on a person’s emotions to make them click a link or open a malicious attachment,” says Kayne McGladrey IEEE member and director of security and IT for Pensar Development. “Besides running up-to-date commercial antivirus software, the easiest way to avoid viruses is to pause before acting on messages. Get a cup of coffee, or at least get up and stretch, before deciding if the email is trying to manipulate your emotions through a sense of authority (someone impersonating your boss or a police officer), a sense of urgency (because of an artificial time constraint), or scarcity (supplies are limited, act now).” These are the same psychological techniques used by con artists since time immemorial, with the only difference being that con artists had to con one person at a time. “With email, social media, and text messages, threat actors can con thousands of people. No antivirus software is perfect, but pausing before acting can stop most of today’s viruses.”

“After all, AI serves as both a force accelerator, as it will allow those threat actors to operate at large scale without having to increase the size of their workforce. At the same time, the ability of AI to generate convincing-enough speech in another language will serve to open new markets to threat actors who might have previously employed linguists,” says Kayne McGladrey, IEEE Senior Member.

“There’s a perception that it is all hands-on-keyboards — people sitting in a basement somewhere drinking soda,” McGladrey said. “That perception, unfortunately, drives a lot of talented individuals who would have made a lot of meaningful contributions to the field to make other career choices.”

McGladrey wants security pros to talk to their colleagues, friends and families about the field and its diversity of roles. He also urges organizations to widen their candidate pools to include those with more varied backgrounds and life experiences.

“Right now in cybersecurity, we’re doing the same thing over and over and expecting a different result — the definition of insanity,” he said.

“These threats are not merely theoretical, although, at the moment, they are still relatively limited in their application,” McGladrey said. “It is reasonable to expect that threat actors will continue to find innovative new uses of generative AI, extending beyond business email compromise, deepfakes, and the generation of attack code.”