Author: Kayne

of a growing number of regulations, today’s CISOs and their team members are spending a lot more time responding to questions about their security programs. Providing answers — whether to internal compliance teams who need the information to fulfil legal obligations or external business partners who want assurances — is now an expected part of the modern security department’s responsibilities. Yet it’s not the most effective use of worker time. “It’s not only frustrating, but it also sucks up a lot of time,” says Kayne McGladrey, a senior member of the Institute of Electrical and Electronics Engineers (IEEE), a nonprofit professional association, and field CISO at Hyperproof. There are strategies for meeting security’s obligations to provide information without tying up CISOs and their teams too much, he and others say. McGladrey says automation is one such strategy, saying that “evidence of control operations should be automated, and evidence of effectiveness can also be automated.”

Cybersecurity expert Kayne McGladrey speaks about why AI cannot do what creative people can, and the important role of generative AI in SOCs.

“End-to-end encryption is generally agreed upon as being a useful technology for protecting the data of businesses and consumers,” said IEEE Senior Member Kayne McGladrey. “Online shopping, for example, would not be as popular or feasible if a consumer’s payment information could easily be intercepted. Similarly, private video calls over the internet by senior executives or government officials would be far too risky if anyone could watch.”

In a world where compliance and engineering teams must work together to build compliant products, competing goals and philosophies can make collaboration frustrating for both sides. Join representatives from Instacart as they share their story on how they worked with engineering to build a compliant product, best practices for collaborating across teams to build scalable, compliant solutions and how to foster a culture of security and compliance across your organization.

After completing this session, participants will be able to:

• Build more credibility with engineering teams.

• Incorporate features that enable compliance into products.

•  Work with your engineering team—not against them—to build high-quality, compliant products.

•  Make long-term continuous compliance a reality with automation tools.

Did you miss Black Hat this year? Well you won’t miss the great conversations that were had, as Allan captured so many good ones for this special Black Hat retrospective episode.

Ever wonder why hackers wear hoodies? Or why should you be concerned if your government job has a good view? Or what the most money-sucking board game is? Well this is the episode for you! We met Kayne’s cat, talked about old computers, ethics issues in AI, funny stories from Kanye’s first job, comical failings of physical security from Kayne’s audit days, and of course board games again!

Kayne McGladrey, field CISO at Hyperproof, told ISMG that while there are jailbreaks to work around limitations in commercially available AI systems, they’re inconvenient for threat actors to run at scale. “Jailbreaks introduce friction into software developer workflows, forcing users to periodically adapt their prompts based on changes introduced by the AI toolmaker. One of the potential benefits of using an AI intentionally developed for malicious activities is that jailbreaks are not necessary,” McGladrey said.

Kayne McGladrey, field CISO at Hyperproof, hopes that a future version of the plan will get more granular. “Industry-specific guidance is missing, as hospitals, banks, and SaaS startups all have different cybersecurity needs and available resources,” he says.

As the regulatory burden increases, organizations and CISOs are having to take ownership of cyber risk, but it needs to be seen through the lens of business risk, according to Kayne McGladrey, field CISO with Hyperproof. Cyber risk is no longer simply a technology risk. “The problem is, organizationally, companies have separated those two and have their business risk register and their cyber risk register, but that’s not the way the world works anymore,” says McGladrey.

He believes the Securities and Exchange Commission (SEC), the Federal Trade Commission, FTC and other regulators in the US are trying to promote collaboration among business leaders because cyber risks are functionally business risks. McGladrey thinks most CISOs understand this, but that doesn’t necessarily extend to the other leaders in the business. “Can we just please have one risk conversation with people and plan that out appropriately,” he says.

On Tuesday, the White House announced that we’ll soon get those IoT labels: The US Cyber Trust Mark, which looks like a shield with a microchip on it, will be on products that have cybersecurity protections. Kayne McGladrey, field CISO for Hyperproof, expressed reservations about the mark. His concern is that Cyber Trust Marked devices could be sold at a premium to account for the increased cost of cybersecurity measures, which could lead to most consumers simply choosing whatever’s cheaper, rendering the program ineffective. He also noted that it won’t address all the devices that pre-date the Cyber Trust Mark and are already in people’s homes. “For example, LED light bulbs have lifespans of tens of thousands of hours, which means that insecure light bulbs will be a feature of the IoT landscape for the coming decade or longer,” McGladrey said in an email.

“Discord initially was used as a way for gamers to hold real-time voice and text chats in games that either didn’t support real-time communications or where the in-game system wasn’t robust,” says Kayne McGladrey, a senior member of IEEE, a professional organization for technology and engineering. But the platform gained popularity, particularly during the COVID-19 shutdown. “During the pandemic, Discord emerged as a free alternative to Zoom for gamers, friends, cryptocurrency enthusiasts, and other communities to host remote events,” McGladrey says.

Discord relies heavily on server moderators to enforce community rules, IEEE Senior Member Kayne McGladrey said via email. This moderation is done on a server-by-server basis.  

“In practice, this enables smaller private servers to feature far more informal conversations and rules than a public community server – it’s possible that kids can see hateful content, such as racism or cyber-bullying, happen on these types of servers where the moderators are less engaged,”  McGladrey added.