Exploring Cyber Warfare: Risks, Strategies, and Solutions | Interview with Steve Winterfeld
Welcome to Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest for consultants, CISOs and other cybersecurity professionals. Hello, I am Dejan Kosutic, the CEO at Advisera and the host of Secure and Simple podcast. Today my guest is Steve Winterfeld, and he is a security consultant and fractional CISO and he is the author of the book called Techniques, Tactics and Tools for Security Practitioners. Now he has a very interesting career, and he was an airborne ranger in the US Army and has built a regional security operations center for US Southern Command.
Dejan Kosutic: Also was a CISO for Nordstrom Bank and ran incident response and threat intelligence at Charles Schwab. And so, in today's podcast, you'll learn how cyber warfare is relevant to almost every company and actually what to do about it. So, to the show, Steve.
Steve Winterfeld: Yeah, excited to be here.
Dejan Kosutic: Well, great to have you here. So can you tell us a little bit what is actually your book about?
Steve Winterfeld: So Jason Anderson and I wrote a book on trying to blend a little bit about the doctrine, the tactics of cyber warfare. So, you know, we cover what are the domains of war. You know, the first one was land and then sea and then air. And then space and cyber came in about the same time, but those are the domains of warfare. And so a lot of that we cover kind of the strategic doctrinal aspects, some of the legal aspects and the concepts of how the openness of the ocean, how that could apply to the internet.
Steve Winterfeld: And then we also cover things like how do people break into computers. So we took it from that strategic down to the tactical in our book.
Dejan Kosutic: Great. Now, can we just explain to our audience what actually is this cyber warfare?
Steve Winterfeld: So the term war is interesting. So I live in The United States. And if you ask the average person, what was the last time The United States was at war? Do you have a guess when was the last time The US was at war?
Dejan Kosutic: Besides the Second World War, the last one would probably be the Iraq war.
Steve Winterfeld: It was World War II. Because for The US to be at war, Congress has to pass a resolution. And everything since World War II was done on Congress passing a budget and the president executing it. And so what war is is very nebulous. You know, we have a war on drugs.
Steve Winterfeld: We have a war on terror. And so when we talk about cyber war, it is very interesting. And then we have, you know, a general definition of state sponsored. To be at war, you need a nation involved. Now does it have to be two nations?
Steve Winterfeld: There you get into the definitions again. You have cyber terrorism. You have weapons of mass disruption. So then you have individuals that could have large impacts. You have gray zone operations.
Steve Winterfeld: But really what I think we're talking about today is most of us in the commercial sector are worried about collateral damage. Are we going to be impacted by nation state operations or nation state sponsored? And what do I mean by that last? And I'll touch on that briefly. I'm talking about hacktivism.
Steve Winterfeld: So if you heard the term advanced persistent threat, APT, those are typically state operators. Sandworm for Russia. If you look in the news under all the Typhoon attacks for China, if you look at Lazarus, that's North Korea. And yes, The US has operations out there as well. I don't know any country that doesn't have operations.
Steve Winterfeld: So those are state sponsored, but then you also have hacktivists. So right now you have groups that are cyber criminals but act on the behalf of a nation. And so, you may have a denial of service attack where in the morning they're doing denial of service attacks for extortion and in the afternoon they're doing it for political reasons. And I equate this to privateers. Going back to the ocean in these days of sailing ships, Spain could have taken a pirate ship and commissioned it and put it in its armada.
Steve Winterfeld: And yesterday, it's a pirate. Today, it's part of the Spanish Navy. You see the same thing with some hacker groups or cyber criminal groups.
Dejan Kosutic: Okay. So then what actually is warfare? I mean, how do you really define this warfare or perceive this warfare from this commercial point of view, let's say from a regular company point of view, if not viewing this from the military point of view?
Steve Winterfeld: So let's talk about how it would manifest. So the first thing and probably the most common thing done by anyone, be it cyber criminals or nation state, is reconnaissance, intelligence, espionage, or let's just say spying. So one of the most common things you'll see out there is, it is a great way to spy. If you're trying to go compromise a person, that's a lot of resources. If you just break into a network, it's fewer kinetic resources.
Steve Winterfeld: The next is often, be it cyber terrorism or terrorism in general and warfare, you want some kind of an impact. So the first is, you know, I use it for espionage. The second is I want to cause some kind of an action to make my enemy either withdraw or prevent them from taking an action. And so Mhmm. There you see sabotage, you see denial of service attacks, you see propaganda or influence operations.
Steve Winterfeld: And so let me give you some examples. The US lost Stuxnet. The Russians' attack on the power grid during hybrid wars where they're combining kinetic and nonkinetic. Aramco wiperware where they went in and made a political statement and just took out an entire commercial entity's, you know, infrastructure so they couldn't pump oil. And then Sony Pictures, when they came out with the movie about the leader of Korea, Sony Pictures was hacked and taken down.
Steve Winterfeld: And so those are some examples of how you might see collateral damage or cyber war impacts.
Dejan Kosutic: Now, when we speak about cyber war in this commercial, let's say, domain, is this really something that affects only, let's say, critical infrastructure companies or bigger companies with larger intellectual property like Sony? Or is this something that also affects, let's say, companies that are not critical infrastructure or not, I don't know, financial or not something that is big?
Steve Winterfeld: So there are a couple scenarios here. The first is your company may be smaller, but your CEO makes a statement about the war. Then, you know, you could get on the register, or on the radar. I'm sorry. Not register.
Steve Winterfeld: Get on the, you know, some nation state's radar for attack. If you have intellectual property that they want, if you're a startup with some capabilities that they just wanna steal those capabilities, then yeah, they don't really respect any of those. For instance, the French intelligence service can turn over things that they've found to commercial French companies. That's within their legal system. And so there's this hybrid of, oh, I'm a small company.
Steve Winterfeld: Yes, your risk is lower. But going back to our earlier statements, I don't know that as a consultant when I'm going in, one of the things I'm gonna do is I'm gonna say, let's look at your risk register. Let's understand where you think you have risk and what crisis management plans should you have. And one of the ones I may say is, okay, if you somehow get elevated to the national stage, do you have a playbook to deal with that? And at the end of the day, I'm not sure what you're doing from a cyber perspective to find a hacktivist, APT, cyber criminals or an insider threat. Some of those tools overlap.
Dejan Kosutic: Okay. And if I understood well, when speaking about cyber warfare, we are not speaking only about nation states. So as you mentioned, persistent threats, we are also speaking about hacktivists or criminal gangs that are in there for money. It's not only about warfare as we would think about in terms of, let's say, a nation doing something. It's also about basically criminal organizations that want to pursue their goals, right?
Steve Winterfeld: Diplomatic may include law enforcement power, cyber is probably under informational. But if you took those ways to have power. So let's say that Europe and America put economic sanctions against Russia's financial institutions. Russia doesn't have the international financial power to effectively counter that. So how are they gonna counter that? Well, they can counter that through having hacktivists do denial of service attacks against Australian banks and that recently happened.
Steve Winterfeld: Australian banks came under huge attacks because Australia came out and made a statement about that geographical conflict. And so that is a way to counter different types of power. And so if you go in and you say, okay, criminal group, I want you to focus on Australia and you can still do extortion, then it's a win win for them. Yeah.
Dejan Kosutic: Okay. Earlier when we had this email correspondence, you mentioned that there is basically a way to look at cyber warfare from three aspects. One is this strategic and then operational and tactical. So can you explain why is it important to actually view it from these three perspectives and give some examples of each of these?
Steve Winterfeld: Well, that's what I... You know, when I talk about strategic power, those are those huge DIME kind of things. Then when I bring it down to operational, how do you execute that? And so, a nation has an intelligence organization. They have law enforcement organizations. They have military organizations.
Steve Winterfeld: And most of those military organizations now have cyber units. They have all of these abilities. And so they're going to say, operationally, how do we wanna use those? And then even at the operational level, okay, I was just told I'm a military cyber unit, and I was just told that I'm either going to counterattack or attack something. Well, it's back to your typical, you know, what do I need to attack somebody?
Steve Winterfeld: And whether I'm attacking a town or a server, I've got to do reconnaissance. I've got to find a vulnerability. I've got to build the right forces, malware, tanks, and infantry to conduct that attack. After I conduct the attack, I have to do operations on the objective. And then I have to maintain that control and have communications back to my higher headquarters.
Steve Winterfeld: And so those have to be implemented through typical tactics, techniques and procedures that you would see whether or not I'm breaking in to steal credit cards or I'm breaking in to put in wiperware. A lot of those operations at the very tactical level are going to be similar. Now, the tools I have may be more advanced. I would expect that a nation state brings better tools. Often what we see is they're getting in through legacy.
Steve Winterfeld: When they do the reconnaissance, they see legacy vulnerabilities and that's how they're getting in. So not everybody needs to use a super secret squirrel tool to break in. A lot of them are getting in through just poor hygiene of the victim.
Dejan Kosutic: Yeah, I mean, it seems to me that all these things are not only highly advanced, but they are, I would say, very organized in a military way.
Steve Winterfeld: And some days, if I'm the CISO, do I care why they broke in? Do I care who broke in? You know, how much energy am I putting into identifying that? I'm not. If a cybercriminal broke in or an advanced persistent threat sponsored by a nation state, in either case, do I have the recourse to do anything about it? I can notify the FBI, but nothing's gonna happen from a practical point of view.
Steve Winterfeld: So no matter where you are, we're talking a little bit about attribution here. And so I'm not sure how important attribution is to the average company. Now if I'm a defense contractor, if I'm critical infrastructure, if I'm a multinational Fortune 100 company, then maybe it would make a difference. But for law enforcement, I have to be able to tell them whose fingers were on the keyboard. For the military, I have to give them a grid coordinate to do a kinetic attack.
Steve Winterfeld: And for the politics, I've got to tell them what organization or country sponsored it. Those are all very hard to do. So I almost don't put a lot of effort into attribution and put more into active defense.
Dejan Kosutic: And then as a CISO or let's say as a consultant helping companies out in such situations, what, let's say, approach is, I would say, which kind of approach brings in the most effect?
Steve Winterfeld: So I want to come to my client and I'm going to say, okay, so let's talk about where you have risk. And right now, risk of insider threat based on, do you have proprietary information? Do you have regulated information? Financial, health care, or some kind of regulated information. You know?
Steve Winterfeld: So that's the first kind of risk I would look at. Who are the most likely people to target you? Is it cybercriminals? Is it an insider threat? Is it a nation state because you have some intellectual property or some image that would be good for them to take down?
Steve Winterfeld: And so then we start talking about that, what's the chance of being collateral damage to cyber warfare? What's the chance of being directly impacted by different kinds of attacks? So a denial of service attack, whether or not it's nation state or criminal, okay, I kind of have that on the radar. The other thing that could potentially put you out of business is ransomware. I haven't seen as much ransomware, so it's ransomware and wiperware.
Steve Winterfeld: Those are the two things we would talk about. And both of those are based on recovering through resiliency. And so as I talk through them about their risk, I'm not over focusing on one, I'm saying, listen, you have this bucket of risk up here of collateral damage and cyber criminals and activists and all of these. And there are some things that are unique, wiperware versus ransomware. But is my mitigation gonna be similar?
Steve Winterfeld: Yes, mitigation will be similar. And then based on my industry, I'm also more likely to be impacted. Finance or critical infrastructure is more. If I'm in information operations, am I voting? Do I have news?
Steve Winterfeld: Do certain organizations depend on me? Am I part of a supply chain for somebody who is critical infrastructure? Okay, then, you know, there might be something there. So it is not focusing exclusively on cyber warfare, it's including it in the threat portfolio you talk about. That is how I would approach that.
Dejan Kosutic: Okay. And do you have some specific risk management methodology for doing this?
Steve Winterfeld: So I have a couple tools I love. The first tool I would talk about is an organization here in The United States called MITRE, M I T R E. It has the MITRE ATT&CK kill chain. And the MITRE ATT&CK framework, when I described attacking a server or a town, I literally was walking through the steps in that. And when I look at that, it says reconnaissance and then it says spread laterally, and then it says exfil data.
Steve Winterfeld: Those are three of the columns of attack techniques. Well, if I have all of my security infrastructure in preventative, none in internal spreading to stop lateral movement and very little in stopping exfil of data, then I need to sit down and say, it doesn't make sense. Rather than having seven tools over here, I should have two tools here, one tool in this column, one tool in this column, two tools here, three tools over here. And by spreading that out, I have multiple opportunities because ultimately what my desire is as a defender is visibility. If I could give you two words to think about as a client, I would advise my client that we want to think about our general hygiene.
Steve Winterfeld: Are we doing the blocking and tackling right so somebody can't get in through legacy systems? And do I have visibility on things?
Dejan Kosutic: Okay. When speaking about cyber hygiene, is there some kind of a framework or, let's say, to basically define what this is, because this is very often differently understood? Or is this simply common sense on what cyber hygiene should be?
Steve Winterfeld: I'm a huge fan of plagiarism. Having written a book, I shouldn't say that, but I am a huge fan of plagiarism. And so there are very smart people out there that have put together frameworks. So in The United States, in finance, all the financial regulations are built off the NIST documents, N I S T. And there's an 800-207, which tells you how to do zero trust. And there's an eight fifty-three, and eight seventy-two was just published.
Steve Winterfeld: And so all of these documents will list things you should do. And if I have a regulator come in or an auditor or, worst case, if I'm breached and involved in a class action lawsuit, and I go say, but I followed these NIST processes, that is going to help in my defense. I've used industry best practices. Internationally, I would use ISO 27000 standards. And again, by using these external standards, what I'm doing is I'm saying, okay, I've come up here and done this.
Steve Winterfeld: Here in The United States, we have ISACs, these information sharing associations. Internationally, there is a lot of information sharing. That would be the second thing I would encourage my client to do. I would say, what would our stakeholders, what would our stockholders, what would our investors want us to do? And they'd want us to collaborate with the industry information sharing center so we're getting the latest. And if there's a series of attacks going on, we're going to know it from that information sharing center.
Steve Winterfeld: And that's another best practice that's going to help me both defend in a class action lawsuit and, quite honestly, do the right thing.
Dejan Kosutic: And is this information sharing equal to visibility that you mentioned a couple of minutes earlier, or?
Steve Winterfeld: So really no. For visibility, I just need, so I consult with a company called Akamai. And Akamai does micro segmentation. And one of the things I love about the way they segment the internal network is it gives you visibility on lateral movement of data and data moving out of your network. Why should an HR system be talking out of our network?
Steve Winterfeld: Well, it turns out it's doing that for updates. Well, but I wanna restrict it to only go to the update channel and not just be an open connection to the Internet. But how do I discover that? So a lot of this is around discovery. Every time I turn around, the business is doing something new.
Steve Winterfeld: It is publishing APIs to do machine to machine interaction. It is leveraging some large language model. And so how do I have visibility on that and how am I securing those in real time? Am I working with my vendor management to understand the supply chain and how the supply chain is secured? Am I working with my business continuity team to make sure I'm integrated, my cyber resiliency is integrated there?
Steve Winterfeld: Do I have a crisis management plan for when it all comes apart, so that I have good reactions? And I have a plan that the leadership will follow, because to not have a crisis management plan in a crisis is a guarantee for a disaster.
Dejan Kosutic: Definitely. And is there some kind of a framework that CISOs or consultants can follow with regards to this visibility?
Steve Winterfeld: Again, I would go back to that. There's not a framework just for visibility that I like. There are frameworks that talk about just visibility. I would go to a more holistic one that includes what are the critical infrastructures that we should have. And those are your NIST or your ISO.
Steve Winterfeld: Now, again, if you build towards compliance, you're not going to necessarily be as secure as if you build towards security and then just matrix your security controls over to your compliance requirements. So I think they're a good general guide, but you have to take a careful look at what kind of infrastructure you have, what is your board's risk appetite and what are your regulatory requirements? And so all of those come back to, unfortunately, just the stresses of being a CISO.
Dejan Kosutic: And I mean, when you take into account all of these inputs, still, it doesn't guarantee you that it will raise the level of security. And by the way, this is the most common objection towards these frameworks, that, you know, most companies, I mean, many companies are using them only for, you know, box ticking. So how do you actually, you know, use all of the inputs that you mentioned and use all of these frameworks to really, I mean, really increase the level of security?
Steve Winterfeld: My job is not to secure the network. And I'll often have a security analyst come in and say, Oh, we need more money. Oh, we need more resources. Oh, we need more staffing. And so I always ask, okay, Nordstrom is a $13,000,000,000 company.
Steve Winterfeld: If I give you all $13,000,000,000 to secure the network, can you guarantee me nobody can break in? No? Well, then why should I give you a dollar? That's at the core what we're asking ourselves. Where between $13,000,000,000 and $1 should we be at?
Steve Winterfeld: And so my job is to make sure the board understands the risk and the board gets to decide whether or not they feel we've given enough resources to this. So every CISO has $20 worth of problems in a $10 budget. And so we go to the board and we say, hey, you know, right now, our internal network is secure through, you know, this micro segmentation. Our edge is secure through this web application firewall. Our external facing infrastructure uses Akamai's DDoS capabilities.
Steve Winterfeld: You list these 10 things you've done, which you think are the biggest security risk. And here's where we have legacy risk. We have legacy risk with our supply chain, with our insider threat, with our pick your flavors of internal risk. And then the board has to say, okay, are they okay with that insider risk? And if they answer, at Charles Schwab, they're not okay with insider risk.
Steve Winterfeld: So then they're going to come back and say, okay, we're taking your budget from $10 to $12 to fix the insider risk problem. And hopefully that was a useful response. But that's kind of one of the stories I tend to tell when I'm asked that.
Dejan Kosutic: Okay, but let's say once hopefully the board actually approves the budget for security, how do we actually translate this money into something that really works? I mean, it really works in practice.
Steve Winterfeld: So there I go to my validation exercises. I'm doing tabletop exercises. I'm doing internal pen testing. I'm doing external red teams, both announced and unannounced. There are continuous abilities now, continuous pen testing capabilities.
Steve Winterfeld: There are these internal triggers for, I put up a server, say, "CEO salary and really cool proprietary data server." If anybody touches that, it's a red flag that we have unauthorized behavior. So I have some great honeypot alerts. So I equate all of that to my validation. And that validation includes compliance validation and audits.
Steve Winterfeld: But on the technical side, that's where I try to get my confidence, if I understood your question correctly, on doing that. The one area I'm always worried about is discovery. And that's where I would invest more tools in, to make sure I found the APIs, the large language models, the lab that was put out and never taken down and is still a hole to the internet, all those legacy systems that are out of compliance and no longer even have a maintenance life, that technical debt. That's where I spend a lot of my time worrying. And so when I go talk to consultants, I try to ask, well, on your risk radar, where do you have technical debt?
Steve Winterfeld: Where do you have visibility risk? What activities are you doing to make sure that you have discovery? What activity are you doing to validate your current controls?
Dejan Kosutic: Okay. To go back a little bit, you mentioned this information sharing is a very important way of discovering all of these threats and actually reacting faster. In Europe, especially in the European Union, there are regulations like NIS2 and DORA, which basically prescribe this information sharing between these critical infrastructure companies and financial organizations. How about The United States? Is there some, let's say, prescribed way of information sharing about these threats, or how does this work?
Steve Winterfeld: So in The United States, our equivalent to NIST would be the financial services ISAC. We have a healthcare ISAC. We have, I wanna say it's 16 major critical infrastructure information sharing organizations. And when I was a CISO for Nordstrom Bank, the regulator asked, do you belong to the ISAC? So the regulator's applying pressure to make sure that we're collaborating in there, since it's not a direct regulatory or legal requirement.
Steve Winterfeld: It is an expectation of the federal auditors that we would be collaborating across these kinds of organizations. And then again, our bank was very active in collaborating then. But I also paid for some external threat intelligence services that were looking in the gray areas in the dark web for my credit card information. And so not only was I doing that information sharing, but I believe in investing in threat intelligence, whether it's internal or an external vendor. And that goes back to some of my validation concerns.
Dejan Kosutic: Okay. And what about, let's say, companies that are not in these critical infrastructure sectors? So let's say this is a smaller company, maybe, I don't know, a SaaS company, which is not really critical infrastructure. Do these kinds of companies also share information or not, or just basically subscribe to some threat intelligence sources? How does this work really for these smaller companies?
Steve Winterfeld: So again, if you're small in... The smallest is, I have one IT person who's part time security. Okay, well, you're not going to get to threat intelligence there. You're really going to focus on hygiene and that's where you're going to get your return on investment. But as you continue to grow, when you have dedicated information security staff, then the question is, what is the tipping point to invest in these kinds of things? And so, as soon as you feel like you have the foundations of hygiene built, is when I think you need to start moving into validation.
Steve Winterfeld: And so if you're worried about information being on the dark web, well then that's the right information to buy threat intelligence to go look for that. But that requires a need to find credit cards or customer data or something out there. So that's very business model related. If I'm a SaaS provider, I may get a better return on investment with just continuous pen testing. And so it unfortunately really does depend on the revenue generation model.
Dejan Kosutic: Okay. Now we mentioned a lot of, let's say, aspects of cyber warfare and cybersecurity and also lots of these frameworks that CISOs or consultants can follow. And what do you think from the consulting point of view or cybersecurity consulting point of view? What is the, let's say, best business opportunity for cybersecurity consultants? Which of these aspects to focus on or which of these frameworks to focus on?
Steve Winterfeld: Some of this depends, are you going out and trying to be an industry expert? Are you a capability expert? So there's some value to say, I can come in and lead a MITRE ATT&CK framework workshop. I can lead an OWASP vulnerability workshop with your coders. Focusing on going out and being a consultant that does a workshop or training or something like that.
Steve Winterfeld: I think those are great because you're talking about a resource that's good. Where I struggle is those are one and done. And I don't know the business models with the amount of time it takes to get one client under contract, one and done is not great. So both of those actually have great follow-up work. Because you go in and you train the OWASP and then you're like, Oh, well, let me help you build procedures to make sure that you have OWASP natural protections in your development chain.
Steve Winterfeld: Let me go in and help you select the right tools. And then you get into tactics, techniques and procedures, there's great follow-up work there. The same with the MITRE kill chain. You go in and do the workshop and then they discover where they have vulnerabilities. And then you've got those packages to help them fix where they saw those gaps.
Steve Winterfeld: Or you're going to help them understand which two tools to drop in edge protection and which two tools, one to add to lateral discovery and one to add to exfil protection. So those are kind of how I would see building models around some of the frameworks we've talked about. Going in and talking about cyber war threat, again, very industry specific. It is great then, we talked about some examples now, you can go in and you can talk about, hey, here's what's happened to other people. But again, $10 budget and $20 of problems, are you gonna convince me to go fight for another dollar to do something with this nation state threat?
Steve Winterfeld: And that's why I said it has to be kind of critical infrastructure specific for most of them to sign off on that. And again, that's just my quick perspective. Neither one of those are fixed opinions.
Dejan Kosutic: So if I understood well, a combination, let's say, of some kind of training or discovery together with, let's say, organizational or governance, I mean, in writing policies and procedures and maybe helping with selection of tools. This could be one way to really grow in this market.
Steve Winterfeld: Yeah, I think really what we have is we've got some great impactful stories. We wanna bring those in, we wanna get our initial entry in. And then I tend to, from that initial, I build trust, I build my reputation. Once I have reputation and relationship established, that's where it can then expand how and when I'm helping that customer.
Dejan Kosutic: Great. And in The United States, at least from the consulting point of view, which industries do you think have the biggest growth opportunity for consultants, for consulting business? Is this critical infrastructure or maybe high-tech or IT industry or defense industry?
Steve Winterfeld: So right now I would say, you know, finance continues to be a very active sector. And they're probably one of the ones that have more money. Healthcare is very worried about safety and things like ransomware have huge safety impacts. But at the end of the day, it's a tough time to be a consultant right now. As budgets are tight, as the economy is, people still have a lot of questions.
Steve Winterfeld:It might be a great time right now to be on the edge. And as much as I hate to use these words, Gen AI is the next big risk. And I have a couple friends who have pivoted and they're really focusing on helping companies understand how to monitor and manage risk and opportunities around Gen AI. And so that's another approach is focus less on the protection and more on joining them in their transformational journey.
Dejan Kosutic:Okay. But when speaking about this transformation, are you speaking about business transformation or are you speaking more on the security aspect of transformation?
Steve Winterfeld:So I always want to focus on business transformation and helping secure that business transformation. At the end of the day, I want to help you secure your revenue. That's what you're going to pay for. It's either you have a compliance, which is a big stick, or you want to protect your revenue. And so if I'm going in, I'm saying, listen, you're betting your future on your implementation of large language models.
Steve Winterfeld:How have you secured that? Let me make sure that your big bet is a safe bet. And you can say that same thing for APIs. There are certain industries that are coming into APIs now. There are certain industries that are worried about quantum.
Steve Winterfeld:And they're looking for how to secure today's data against the quantum breakthrough in the future. Because a lot of information is being harvested now to be decrypted later when we have quantum capabilities. So is your data quantum safe today? Those kind of bets are where I see a lot of consultants trying to have discussions.
Dejan Kosutic:Yeah, actually, I noticed also that in this podcast I've hosted many security consultants who are turning towards AI, and it's really an interesting trend. You know, but my question is always here: are these clients so much concerned about security, I mean security when using AI, that they really want to kind of connect AI with security, or do they just want to focus on AI because of the innovation and they don't care about security? So what is your take here? Is this AI so much connected with security, or are these two things rather disconnected?
Steve Winterfeld:There are three challenges when I talk about AI. The first is how are my users using AI? Do I have developers that are dumping my code into a public AI to get analysis? Do I have people in marketing that are dumping something that I don't wanna release, that I'm doing a new product until next quarter, but they're dumping all that information into AI now? So first concern is how my users are using AI.
Steve Winterfeld:And ideally, I want a private large language model that they're going through. But if I can't afford that, then I need policies and maybe security controls to manage that. The second thing I wanna do is how am I using AI internally? And this is where I'm almost pushing people. When I'm buying a new security tool, does it have natural language queries built into it so my lower level analysts can take advantage of it?
Steve Winterfeld:So I wanna understand how I can leverage AI to be a better security organization. And so I need somebody running with that ball. And then the last one is where am I offering large language model or generative AI as a service? And then that's where I want to secure it. And so for my web page, for my APIs and for my large language models, that's where I turn to something like OWASP.
Steve Winterfeld:OWASP has a top 10 vulnerabilities for all three of those infrastructures. And as a consultant, I want to come in and say, listen, there is an industry standard. Right now, you have people implementing AI, but you don't have any security expertise around it. What I wanna do is I wanna quickly ramp your security team up. I'm gonna use an industry best practice.
Steve Winterfeld:I'm going to come out and in six months, train your people, have a strategy, have policies written and a technology approach for security controls going forward. I think that's a reasonable approach. But I do want to make sure that when I talk to them, I'm talking about the right AI problem because all three of those right now need external consultants to solve because very few companies have internal expertise.
Dejan Kosutic:And hence the opportunity for consultants, right? Yeah. And how do you actually balance this? Because ultimately AI is an innovative tool for, let's say, innovative business, an innovative way of doing business. So how do you actually balance security with AI so that security does make sure that there are no bigger threats, but then on the other hand, that security doesn't slow down this innovation?
Dejan Kosutic:Do they make this balance?
Steve Winterfeld:Again, my job is to make sure that the business leaders understand the risks they're taking. I'm not responsible for securing it. I'm responsible for mitigating the risks they're not willing to take. And so by focusing on that, by saying, Hey, listen, you've implemented this. These are the three risks right now.
Steve Winterfeld:We're putting all our intellectual property in. You have nothing to prevent somebody from coming to scrape all that intellectual property out. Are you worried about that? Yes. Well, then we need this AI firewall.
Steve Winterfeld:And so it's a discussion to make sure that the business understands what risks they have. And it's my job to make sure I come in and articulate that in a way they can understand. 'Cause again, I don't want to go up to the board and talk about, oh, we have an API and we have this scraper problem and here's some more technical words and here's some geek speak, and everybody's eyes have glassed over. You've kicked me out of the room for being a technical consultant and not a business partner. My job is to be a business partner and talk about risk in ways they can understand and figure out what they want to accept.
Dejan Kosutic:Okay. Okay. Just to wrap up the discussion, so our last question. How do you see this cyber warfare, let's say, evolving in the next three to five years? And what should CISOs and security consultants do about these trends?
Steve Winterfeld:I think ultimately we need to make sure it's part of our risk portfolio, and it is like all those others I rattled off. There are 25 threat vectors in my portfolio; those 25 map to 100 different techniques to break into my network. But those 100 techniques are all covered by 25 security controls. And so I think ultimately, we're gonna continue to see cyber warfare expand. It's gonna be more espionage and it's gonna be industrial espionage.
Steve Winterfeld:It's going to be more collateral damage and there's going to be more opportunity for hackers to impact us. And so ultimately, I think it needs to be acknowledged as part of the portfolio. When we go talk to our clients, we need to bring that in as one of the aspects we're talking about. But again, depending on the company, if it's a small company with no deep intellectual property or no sensitive data that's regulated, then it's more of a mention than an emphasis.
Dejan Kosutic:Okay, great. Thank you for these insights, Steve. It's been a pleasure talking to you and I've learned a lot today.
Steve Winterfeld:Thank you. I really enjoyed it. Hope you have a great day.
Dejan Kosutic:Thanks again, Steve, and thank you everyone for listening or watching this podcast, and see you again in two weeks' time in our new episode of Secure and Simple podcast. Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website, you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients.
Dejan Kosutic:White label documentation toolkits for NIS 2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS 2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up; it helps with better ranking. I would also appreciate it if you share it with your colleagues.
Dejan Kosutic:That's it for today, stay safe!
