All controls and tools should be linked to a reduction in the probability or likelihood of a risk that’s above the organization’s tolerance level, says Kayne McGladrey, CISO at risk management provider Hyperproof and a senior member of IEEE. If there’s no longer a need for a product, it should go.
During this Hyperproof live stream series, leaders in information security shed light on crucial topics that shape the modern cybersecurity landscape. This month’s episode features Carmen Marsh, President and CEO at United Cybersecurity Alliance, Confidence Staveley, Founder & Executive Director at CyberSafe Foundation, and our host, Kayne McGladrey, Field CISO at Hyperproof. Guided by Kayne and audience questions, Carmen and Confidence will share insights into their current work and past experiences in the field.
In the realm of cybersecurity, early-career professionals often prioritize the development and demonstration of technical prowess. However, as someone with nearly three decades of experience in cybersecurity leadership roles, I firmly assert that interpersonal skills wield a profound influence over one’s career trajectory. Unlike certifications and degrees, which may lose relevance over time, interpersonal skills persist and can be cultivated through deliberate practice. This article sheds light on these often-overlooked attributes, providing a holistic perspective on what it takes to excel in cybersecurity beyond technical acumen.
Although motivations like that mean any organization using AI could be a victim, Kayne McGladrey, a senior member of the Institute of Electrical and Electronics Engineers (IEEE), a nonprofit professional association, and field CISO at Hyperproof, says he expects hackers will be more likely to target the tech companies making and training AI systems.
But CISOs shouldn’t breathe a sigh of relief, McGladrey says, as their organizations could be impacted by those attacks if they are using the vendor-supplied corrupted AI systems.
Chris Denbigh-White speaks with Kayne McGladrey, Field CISO of Hyperproof.
Thursday, May 16, 2024
Risk assessments have moved beyond a check-the-box approach, especially with the SEC’s new disclosure requirements. Join us for our session, How to Operationalize Your Risk Assessment Process, to get practical guidance on navigating the complexities of risk assessments to drive tangible business outcomes. Kayne McGladrey, Field CISO at Hyperproof, will navigate through the essential steps required to operationalize risk assessments effectively within diverse organizational structures. From conceptualization to execution, participants will gain actionable insights into crafting and implementing tailored risk assessment strategies tailored to their unique organizational contexts.
The big picture: AI model operators don’t have a good way of reigning in these malicious use cases, Kayne McGladrey, a senior member of the Institute of Electrical and Electronics Engineers (IEEE), told Axios. Allowing LLMs to digest and train on CVE data can help defenders synthesize the wave of threat alerts coming their way each day. Operators have only two real choices in this type of situation: allow the models to train on security vulnerability data or completely block them from accessing vulnerability lists, he added. “It’s going to be a feature of the landscape because it is a dual-use technology at the end of the day,” McGladrey said.
Kayne McGladrey, IEEE Senior Member, noted that the use of generative AI models in business hinges on their ability to provide accurate information. He cited as examples studies of AI models’ abilities to extract information from documents used for financial sector regulation that are frequently relied on to make investment decisions. “Right now, the best AI models get 80 percent of the questions right,” McGladrey said. “They hallucinate the other 20 percent of the time. That’s not a good sign if you think you are making investment decisions based on artificial intelligence telling you this is a great strategy four out of five times.”
Algorithmic bias is one of the primary risks associated with emerging physical surveillance technologies. While the risks of facial recognition software are well known and documented, efforts are being taken to adapt computer vision to new and novel use cases. For example, one of the more deeply flawed failures was an attempt to detect aggressive behaviour or body language, which was unfeasible as there was not enough training data available. Other physical security systems will face a similar challenge of not discriminating against individuals based on protected factors due to a lack of training data, or more likely, a lack of gender or racially unbiased training data. Companies considering purchasing advanced or emerging physical security systems should enquire about the training data used in the development of those systems to not be subject to civil penalties resulting from discrimination caused by using said systems.
CISOs now face substantial personal risks, as seen in cases like Uber and SolarWinds where the SEC has taken legal action against the security chiefs. The primary risk is both personal and professional liability for the CISO, according to Kayne McGladrey, field CISO at Hyperproof. The problem, however, is that boards unaware of the business risks from poor cybersecurity are unlikely to include the CISO in the Directors & Officers insurance policy. “This exposes CISOs to substantial risk,” McGladrey told Cybersecurity Dive.
Prepare to laugh until your stomach hurts with our most hilarious episode yet, featuring the one and only theater kid turned cybersecurity guru, Kayne McGladrey, Field CISO at Hyperproof. Join us for a rollercoaster of emotions as we dive into the absurdity of security info in 10K filings, engage in heated debates over the polarizing cinnamon sticky bun ale, and champion the cause for more singing and dancing in cybersecurity. Think of it as the “Cybersecurity’s Got Talent” episode you never knew you needed! Kayne’s journey is packed with invaluable insights and captivating stories that are as unique as they are engaging.
Despite this guidance mandating only four disclosures (identifying and managing risks, disclosing material breaches, board oversight, and management’s role), over 40% of the 2,100+ 10-K filings I’ve reviewed between January 1 and March 11, 2024 disclosed eleven distinct topics.
Companies are disclosing more information than required in their 10-K filings for various reasons. One is that they lack a broad consensus how much detail to disclose in Section 1C. The recent civil litigation of SEC vs. Tim Brown and SolarWinds (case 1:23-cv-09518 in the Southern District of New York) significantly influences the disclosure requirements.