Interview: What REALLY worries this global cybersecurity leader

1
00:00:04,019 –> 00:00:07,320
Sean Aylmer: Welcome to the Fear and Greed Business Interview. I’m Sean Aylmer.

2
00:00:07,590 –> 00:00:11,279
Sean Aylmer: AI technology has evolved extremely quickly. Just look at the

3
00:00:11,280 –> 00:00:16,799
Sean Aylmer: spectacular growth of generative AI platforms, like ChatGPT. But for

4
00:00:16,799 –> 00:00:19,380
Sean Aylmer: all the benefits of this new technology, and there are many,

5
00:00:19,620 –> 00:00:22,739
Sean Aylmer: there also some major risks. Chief among them is the

6
00:00:22,739 –> 00:00:26,340
Sean Aylmer: use of AI in cyber attacks, making every organisation in

7
00:00:26,340 –> 00:00:29,070
Sean Aylmer: the world more vulnerable. It means a new approach to

8
00:00:29,070 –> 00:00:32,009
Sean Aylmer: cybersecurity might be needed. I’m joined today by one of

9
00:00:32,009 –> 00:00:36,090
Sean Aylmer: the world’s leading experts in the space. Kris Lovejoy has

10
00:00:36,090 –> 00:00:39,210
Sean Aylmer: worked as the General Manager of the Security Services division

11
00:00:39,360 –> 00:00:43,290
Sean Aylmer: at IBM, Global Cybersecurity Leader at EY, and as a

12
00:00:43,290 –> 00:00:46,979
Sean Aylmer: member of the World Economic Forum’s Center for Cybersecurity. She’s

13
00:00:46,979 –> 00:00:51,809
Sean Aylmer: now the  Global Security and Resilience Practice Leader for Kyndryl, the world’s largest provider of IT

14
00:00:51,960 –> 00:00:55,560
Sean Aylmer: infrastructure services, and a great supporter of this podcast. Kris Lovejoy,

15
00:00:55,560 –> 00:00:56,670
Sean Aylmer: welcome to Fear and Greed.

16
00:00:57,180 –> 00:00:59,400
Kris Lovejoy: Thank you so much. I’m really excited to be here.

17
00:01:00,480 –> 00:01:02,939
Sean Aylmer: Where do you start on this topic? There is so

18
00:01:02,940 –> 00:01:06,569
Sean Aylmer: much to talk about, but let’s start with AI. Just

19
00:01:06,569 –> 00:01:10,260
Sean Aylmer: how big is the cyber risk from AI?

20
00:01:10,949 –> 00:01:14,970
Kris Lovejoy: It’s emerging. I’d say we haven’t seen the best of

21
00:01:15,240 –> 00:01:19,709
Kris Lovejoy: generative AI being used in cyber attacks, just yet; however,

22
00:01:19,709 –> 00:01:22,860
Kris Lovejoy: we’re beginning to see the first indications of the fun

23
00:01:22,860 –> 00:01:23,400
Kris Lovejoy: to come.

24
00:01:24,209 –> 00:01:27,691
Sean Aylmer: Okay, so what is it that you are seeing?

25
00:01:27,691 –> 00:01:30,929
Kris Lovejoy: So for a few years now, we’ve been talking about

26
00:01:30,930 –> 00:01:34,170
Kris Lovejoy: this concept of omnichannel marketing, which is your ability to

27
00:01:35,069 –> 00:01:39,240
Kris Lovejoy: actually log in, talk to somebody and text at the

28
00:01:39,240 –> 00:01:43,439
Kris Lovejoy: same time. Well now imagine that attackers are using generative

29
00:01:43,440 –> 00:01:48,210
Kris Lovejoy: AI to create these very, very sophisticated, what we call

30
00:01:48,210 –> 00:01:51,930
Kris Lovejoy: phishing and social engineering campaigns. So once upon a time,

31
00:01:51,930 –> 00:01:55,080
Kris Lovejoy: you’d get a email and the email would say, I’m

32
00:01:55,080 –> 00:01:57,480
Kris Lovejoy: your boss and I want you to buy me a

33
00:01:57,540 –> 00:02:01,020
Kris Lovejoy: gift card. Well, the attacks have evolved now that you’re

34
00:02:01,020 –> 00:02:03,059
Kris Lovejoy: going to get a message on your phone, it’s going

35
00:02:03,059 –> 00:02:05,669
Kris Lovejoy: to sound exactly like your boss, and at the same

36
00:02:05,670 –> 00:02:07,350
Kris Lovejoy: time you’re going to get a text message, and at

37
00:02:07,350 –> 00:02:09,510
Kris Lovejoy: the same time you’re going to get an email. And oh,

38
00:02:09,510 –> 00:02:11,940
Kris Lovejoy: by the way, your colleagues at work are also going

39
00:02:11,940 –> 00:02:14,010
Kris Lovejoy: to get a phone call from your boss saying, “Hey,

40
00:02:14,220 –> 00:02:16,889
Kris Lovejoy: I just called Bill and I asked Bill to get

41
00:02:16,889 –> 00:02:19,380
Kris Lovejoy: me a gift card. Can you call him and remind

42
00:02:19,380 –> 00:02:21,240
Kris Lovejoy: him to get me a gift card?” So that’s what

43
00:02:21,240 –> 00:02:25,650
Kris Lovejoy: we call an omnichannel, social engineering or phishing attack, and

44
00:02:25,650 –> 00:02:29,730
Kris Lovejoy: these are becoming more common. And what we’re seeing is

45
00:02:29,730 –> 00:02:33,449
Kris Lovejoy: that unfortunately, it’s very, very hard to disregard, as an

46
00:02:33,450 –> 00:02:35,849
Kris Lovejoy: end user, these kinds of attacks, and so we’re seeing

47
00:02:35,849 –> 00:02:37,380
Kris Lovejoy: a lot of folks get caught up in them.

48
00:02:38,460 –> 00:02:41,910
Sean Aylmer: Okay, it’s complex. I’d imagine that we probably need to

49
00:02:41,910 –> 00:02:44,790
Sean Aylmer: rethink the way we approach security as a result of it.

50
00:02:45,810 –> 00:02:49,470
Kris Lovejoy: Oh, absolutely. I think, historically, the way to approach it

51
00:02:49,470 –> 00:02:53,760
Kris Lovejoy: is it’s like taking the model that we use for immunisations.

52
00:02:54,000 –> 00:02:57,270
Kris Lovejoy: It’s a herd mentality. You’re never going to get everybody

53
00:02:57,270 –> 00:03:00,510
Kris Lovejoy: to not click, but if you could limit the damage

54
00:03:00,510 –> 00:03:03,210
Kris Lovejoy: by limiting the number of people that double clicked, you’d

55
00:03:03,210 –> 00:03:08,880
Kris Lovejoy: get somewhere. Well, unfortunately, this particular attack makes phishing education,

56
00:03:09,059 –> 00:03:13,110
Kris Lovejoy: the do not double click education, not as useful as

57
00:03:13,110 –> 00:03:15,659
Kris Lovejoy: it has been before. And so we now we really

58
00:03:15,660 –> 00:03:19,920
Kris Lovejoy: do need to turn to technologies and the capabilities that

59
00:03:20,220 –> 00:03:24,600
Kris Lovejoy: keep dangerous forms of malware, like ransomware, from propagating inside

60
00:03:24,600 –> 00:03:28,560
Kris Lovejoy: our organisations or even affecting us as individual consumers.

61
00:03:29,250 –> 00:03:33,929
Sean Aylmer: Okay, so it’s less about educating end users, it’s more

62
00:03:33,929 –> 00:03:36,509
Sean Aylmer: about doing something at the source of the problem. Is

63
00:03:36,510 –> 00:03:37,140
Sean Aylmer: that what you’re saying?

64
00:03:37,800 –> 00:03:40,470
Kris Lovejoy: Yes. Well, it’s a combination of both. Education will never

65
00:03:40,470 –> 00:03:43,230
Kris Lovejoy: go away, so you have to be very wary of

66
00:03:43,230 –> 00:03:46,170
Kris Lovejoy: what you could double click on, but also recognise that

67
00:03:46,530 –> 00:03:49,709
Kris Lovejoy: there is a good probability that you’re going to be

68
00:03:49,710 –> 00:03:52,738
Kris Lovejoy: scammed and you’re going to fall for it. And so

69
00:03:52,740 –> 00:03:56,970
Kris Lovejoy: the controls in the background, like technology controls or identity

70
00:03:56,970 –> 00:04:00,240
Kris Lovejoy: theft protection, those really should be something you invest in.

71
00:04:00,810 –> 00:04:04,020
Sean Aylmer: Okay, yeah. Your title, Kris, is Security and Resilience Leader

72
00:04:04,050 –> 00:04:06,720
Sean Aylmer: at Kyndryl. It’s not a typical title, should we say,

73
00:04:07,259 –> 00:04:10,350
Sean Aylmer: is it all about becoming more resilient and responding the

74
00:04:10,350 –> 00:04:13,440
Sean Aylmer: right way attacks? Is that why that’s your job title?

75
00:04:13,860 –> 00:04:17,820
Kris Lovejoy: Yeah, absolutely. In fact, we’re seeing this change in the marketplace, generally,

76
00:04:17,820 –> 00:04:22,559
Kris Lovejoy: is that security has actually been largely about that guns, gates,

77
00:04:22,559 –> 00:04:25,889
Kris Lovejoy: and guards of we’re going to protect everything and everybody

78
00:04:25,889 –> 00:04:28,919
Kris Lovejoy: from the bad folks out there, and it just doesn’t

79
00:04:28,920 –> 00:04:32,190
Kris Lovejoy: work that way anymore. So the market is really changing

80
00:04:32,250 –> 00:04:34,920
Kris Lovejoy: and titles are changing with it. Now people are talking

81
00:04:34,920 –> 00:04:38,789
Kris Lovejoy: about this concept of business resilience, and the concept is,

82
00:04:38,849 –> 00:04:42,150
Kris Lovejoy: a lot of bad things can happen to disrupt or

83
00:04:42,150 –> 00:04:47,879
Kris Lovejoy: otherwise impact negatively our digitally enabled business, our digitally enabled lives.

84
00:04:48,270 –> 00:04:51,120
Kris Lovejoy: And so a resilience officer or a leader in this

85
00:04:51,120 –> 00:04:56,219
Kris Lovejoy: space is really about helping organisations in prioritising what to

86
00:04:56,220 –> 00:04:59,609
Kris Lovejoy: care about, because you can’t protect everything. So identifying what

87
00:04:59,610 –> 00:05:02,219
Kris Lovejoy: I should be investing in, where I should be investing,

88
00:05:02,219 –> 00:05:05,729
Kris Lovejoy: why I should be investing, and making sure that whether

89
00:05:05,730 –> 00:05:10,620
Kris Lovejoy: it is a fire, flood, natural disaster, a cyber attack,

90
00:05:10,620 –> 00:05:14,699
Kris Lovejoy: a hardware failure, software failure, network outage, whatever it can be,

91
00:05:15,029 –> 00:05:18,539
Kris Lovejoy: the job of somebody like me is really thinking through

92
00:05:18,540 –> 00:05:21,150
Kris Lovejoy: how do I protect my organisation from all of those

93
00:05:21,150 –> 00:05:24,539
Kris Lovejoy: bad things, and making sure that I’m putting my investments

94
00:05:24,539 –> 00:05:25,410
Kris Lovejoy: in the right place.

95
00:05:26,550 –> 00:05:29,339
Sean Aylmer: Is this something that is particularly… Is it prevalent across

96
00:05:29,339 –> 00:05:32,760
Sean Aylmer: all businesses or are there some particular types of organisations

97
00:05:33,178 –> 00:05:35,309
Sean Aylmer: at particular risk? And I suppose I’m coming back more

98
00:05:35,309 –> 00:05:37,770
Sean Aylmer: specifically to the AI related cyber attacks.

99
00:05:38,790 –> 00:05:42,119
Kris Lovejoy: It’s interesting because a lot of organisations, I talk to, say,

100
00:05:42,119 –> 00:05:45,630
Kris Lovejoy: “I’m too small, I’m not important enough.” But the reality

101
00:05:45,630 –> 00:05:49,560
Kris Lovejoy: is that the bad guys, the bad actors, tend to

102
00:05:49,620 –> 00:05:54,570
Kris Lovejoy: go after the smaller organisations who are less able to

103
00:05:54,570 –> 00:06:00,240
Kris Lovejoy: fund good security protections. They’re the weakest link. So while

104
00:06:00,240 –> 00:06:03,450
Kris Lovejoy: you would think that if I’m a major brand name bank,

105
00:06:03,510 –> 00:06:06,810
Kris Lovejoy: I’d be the target, it’s really not. It’s the supply

106
00:06:06,810 –> 00:06:11,250
Kris Lovejoy: chain partners. It’s the small technology organisations that are building

107
00:06:11,250 –> 00:06:15,779
Kris Lovejoy: and developing technology for that bigger organisation. It’s the organisation

108
00:06:15,779 –> 00:06:20,040
Kris Lovejoy: that is providing shipping services on behalf of a large

109
00:06:20,040 –> 00:06:25,140
Kris Lovejoy: packaged good manufacturer. It’s that kind of institution that’s the target.

110
00:06:25,140 –> 00:06:27,510
Kris Lovejoy: It might be the accounting firm or the law firm.

111
00:06:27,870 –> 00:06:31,678
Kris Lovejoy: It’s those that are act as the back door into

112
00:06:31,678 –> 00:06:34,080
Kris Lovejoy: the bigger organisation that I really worry about.

113
00:06:34,920 –> 00:06:36,990
Sean Aylmer: Stay with me, Kris. We’ll be back in a minute.

114
00:06:43,170 –> 00:06:47,910
Sean Aylmer: I’m speaking to Kris Lovejoy,  Global Security and Resilience Practice Leader for Kyndryl, a supporter of

115
00:06:47,910 –> 00:06:53,759
Sean Aylmer: this podcast. Okay, so that’s AI we’ve been focusing on there.

116
00:06:53,760 –> 00:06:56,550
Sean Aylmer: What are some of the other key security risks for

117
00:06:56,550 –> 00:06:58,860
Sean Aylmer: organisations going forward?

118
00:07:00,240 –> 00:07:02,760
Kris Lovejoy: If I look at this particular marketplace, one of the

119
00:07:02,760 –> 00:07:07,440
Kris Lovejoy: biggest issues, right now, is legacy technology. If you look at,

120
00:07:07,830 –> 00:07:11,129
Kris Lovejoy: on one pole, you’ve got India, and India has been

121
00:07:11,129 –> 00:07:16,350
Kris Lovejoy: engaged in really extraordinary amounts of innovation. On the other side,

122
00:07:16,350 –> 00:07:19,500
Kris Lovejoy: you have some nation states like Japan, where there is

123
00:07:19,500 –> 00:07:24,330
Kris Lovejoy: a concern about the risk associated with modernisation. I would

124
00:07:24,330 –> 00:07:29,429
Kris Lovejoy: put Australia in the middle. And so the problem with

125
00:07:29,430 –> 00:07:33,420
Kris Lovejoy: Australia is that during the COVID period, all the technology

126
00:07:33,420 –> 00:07:37,710
Kris Lovejoy: investment went into enabling new ways of working for clients,

127
00:07:37,770 –> 00:07:42,209
Kris Lovejoy: and new ways of communicating with employees. This was done

128
00:07:42,210 –> 00:07:45,299
Kris Lovejoy: on top of a very, very large real estate of

129
00:07:45,299 –> 00:07:50,850
Kris Lovejoy: legacy infrastructure and those modernisation programs that happened pre-COVID, it

130
00:07:50,850 –> 00:07:53,850
Kris Lovejoy: was really taking legacy infrastructure and putting it on cloud,

131
00:07:54,240 –> 00:07:59,459
Kris Lovejoy: not necessarily thinking about security complexity that is added by

132
00:07:59,520 –> 00:08:02,880
Kris Lovejoy: taking a legacy application, putting it on cloud. So the

133
00:08:02,880 –> 00:08:05,730
Kris Lovejoy: dynamic that we have here is, we have a lot

134
00:08:05,730 –> 00:08:08,220
Kris Lovejoy: of new stuff that was introduced during COVID, that wasn’t

135
00:08:08,220 –> 00:08:10,500
Kris Lovejoy: really properly secured because we didn’t think it was going

136
00:08:10,500 –> 00:08:13,230
Kris Lovejoy: to go away. Then we have a lot of legacy

137
00:08:13,230 –> 00:08:19,350
Kris Lovejoy: infrastructure that was not securable because it is so old.

138
00:08:19,889 –> 00:08:22,919
Kris Lovejoy: So at this point in time, we’ve got a situation

139
00:08:22,920 –> 00:08:26,430
Kris Lovejoy: where lots of legacy, lots of new stuff that hasn’t

140
00:08:26,430 –> 00:08:30,540
Kris Lovejoy: necessarily been secured, CISOs (Chief Information Security Officers) that are under a lot of

141
00:08:30,540 –> 00:08:33,809
Kris Lovejoy: budgetary pressure because hardware, software costs have been going up

142
00:08:33,809 –> 00:08:38,130
Kris Lovejoy: so much that the net impact of inflation, despite the

143
00:08:38,130 –> 00:08:40,229
Kris Lovejoy: fact that their budgets are going up, has been a

144
00:08:40,230 –> 00:08:45,328
Kris Lovejoy: net decrease in budget by about 1%. So it’s pretty

145
00:08:45,330 –> 00:08:49,920
Kris Lovejoy: tough situation for organisations in Australia to be in right now.

146
00:08:50,309 –> 00:08:54,089
Kris Lovejoy: And so, one of the recommendations that we have is

147
00:08:54,090 –> 00:08:56,610
Kris Lovejoy: going to be strange from a security person, but is

148
00:08:56,610 –> 00:09:01,050
Kris Lovejoy: not necessarily to spend the money in securing the infrastructure,

149
00:09:01,230 –> 00:09:04,170
Kris Lovejoy: but is really in modernising the right way so that

150
00:09:04,170 –> 00:09:08,280
Kris Lovejoy: security and resiliency can be achieved through the modernisation objectives.

151
00:09:09,030 –> 00:09:11,309
Sean Aylmer: It’s quite frightening what you’re talking about. Do you think

152
00:09:11,309 –> 00:09:15,660
Sean Aylmer: boards and management are, across this idea, that they just

153
00:09:15,660 –> 00:09:19,319
Sean Aylmer: have to do something particularly about their legacy systems which aren’t fit

154
00:09:20,040 –> 00:09:20,939
Sean Aylmer: for purpose anymore?

155
00:09:21,840 –> 00:09:25,800
Kris Lovejoy: I think in the public companies, those that are listed,

156
00:09:25,800 –> 00:09:30,869
Kris Lovejoy: the awareness is becoming a bit more acute, because particularly

157
00:09:30,870 –> 00:09:35,159
Kris Lovejoy: within the critical infrastructure, there has been some notifications that

158
00:09:35,160 –> 00:09:38,910
Kris Lovejoy: have gone out which suggest that the non- executive directors

159
00:09:38,910 –> 00:09:43,199
Kris Lovejoy: will be personally liable for failure to implement controls. In

160
00:09:43,200 –> 00:09:47,460
Kris Lovejoy: other jurisdictions, outside of Australia, it is becoming much better known

161
00:09:47,520 –> 00:09:49,590
Kris Lovejoy: because in the US and then through some of the

162
00:09:49,590 –> 00:09:53,369
Kris Lovejoy: legislation that’s coming out of Europe and the UK, the

163
00:09:53,369 –> 00:09:58,980
Kris Lovejoy: obligation for non-executive directors more broadly to attest to cybersecurity,

164
00:09:58,980 –> 00:10:02,519
Kris Lovejoy: as if they’re attesting to Sarbanes-Oxley. These are hitting the

165
00:10:02,520 –> 00:10:05,340
Kris Lovejoy: books as well. So I think that in pockets of

166
00:10:05,340 –> 00:10:08,849
Kris Lovejoy: the world, there is a better understanding. More generally in

167
00:10:08,849 –> 00:10:11,999
Kris Lovejoy: Australia though, I would say the answer is no. Boards

168
00:10:12,000 –> 00:10:15,930
Kris Lovejoy: of directors tend to think about it as somebody else’s problem,

169
00:10:16,140 –> 00:10:18,630
Kris Lovejoy: and if it is somebody’s problem, it’s the problem that

170
00:10:18,630 –> 00:10:21,900
Kris Lovejoy: the security person, that’s somewhere buried in the organisation, that has

171
00:10:21,900 –> 00:10:24,899
Kris Lovejoy: a cape and is opposed to protect the organization. So

172
00:10:25,230 –> 00:10:29,160
Kris Lovejoy: long way of answering, in some pockets, yes, but in

173
00:10:29,160 –> 00:10:33,840
Kris Lovejoy: the broader marketplace, no. Boards really don’t understand the issue,

174
00:10:33,840 –> 00:10:37,350
Kris Lovejoy: nor do they understand their governance responsibilities in the issue.

175
00:10:38,190 –> 00:10:41,160
Sean Aylmer: And I presume businesses aren’t really equipped to do it

176
00:10:41,160 –> 00:10:45,509
Sean Aylmer: either. Presumably, that’s what Kyndryl’s all about too, helping businesses

177
00:10:45,509 –> 00:10:45,779
Sean Aylmer: do this.

178
00:10:46,679 –> 00:10:51,480
Kris Lovejoy: Yeah, I think there’re any number of product companies out there. I think

179
00:10:51,809 –> 00:10:54,480
Kris Lovejoy: if you look at the marketplace today, I mentioned before,

180
00:10:55,110 –> 00:10:58,920
Kris Lovejoy: a lot of organisations will buy security because they’ve had

181
00:10:58,920 –> 00:11:02,160
Kris Lovejoy: a crisis or there’s a compliance requirement. And what that’s

182
00:11:02,160 –> 00:11:06,000
Kris Lovejoy: led to is this, the auditor comes in or the

183
00:11:06,000 –> 00:11:07,949
Kris Lovejoy: crisis manager comes in and says, “You need to buy

184
00:11:07,950 –> 00:11:10,710
Kris Lovejoy: this to fix the bleeding.” So people will spend as

185
00:11:10,710 –> 00:11:14,370
Kris Lovejoy: little money as they possibly can to solve that problem

186
00:11:14,370 –> 00:11:17,040
Kris Lovejoy: that’s staring them in the face. And what that’s led

187
00:11:17,040 –> 00:11:20,910
Kris Lovejoy: to is a big market, with lots of fragmented technologies,

188
00:11:20,910 –> 00:11:24,809
Kris Lovejoy: that don’t really fit together. So I think what’s really interesting,

189
00:11:24,870 –> 00:11:27,960
Kris Lovejoy: it’s happening now is the recession is actually had a

190
00:11:27,960 –> 00:11:31,920
Kris Lovejoy: positive side, or not recession, but some of the economic headwinds,

191
00:11:32,280 –> 00:11:35,670
Kris Lovejoy: has had a positive side for us. In so much,

192
00:11:35,730 –> 00:11:38,400
Kris Lovejoy: companies are saying, ” To solve the security problem, I need

193
00:11:38,400 –> 00:11:41,189
Kris Lovejoy: to simplify. I’ve got too many tools, I’ve got too

194
00:11:41,190 –> 00:11:44,670
Kris Lovejoy: much technology, I’ve got too many legacy systems.” So the

195
00:11:44,670 –> 00:11:47,400
Kris Lovejoy: time is for us to really take a step back,

196
00:11:47,460 –> 00:11:51,029
Kris Lovejoy: build an enterprise strategy and architecture for how we want

197
00:11:51,030 –> 00:11:54,150
Kris Lovejoy: to move forward, simplify the number of vendors, simplify the

198
00:11:54,150 –> 00:11:56,880
Kris Lovejoy: number of tools, and then make sure that we’re building

199
00:11:56,880 –> 00:11:59,519
Kris Lovejoy: for the future with security and resiliency in mind.

200
00:11:59,909 –> 00:12:01,650
Sean Aylmer: Kris, thank you for talking to Fear and Greed.

201
00:12:02,100 –> 00:12:04,410
Kris Lovejoy: Thank you. I’m really thrilled to have been here.

202
00:12:05,220 –> 00:12:10,710
Sean Aylmer: That’s Kris Lovejoy,  Global Security and Resilience Practice Leader for Kyndryl, a supporter of this podcast.

203
00:12:10,860 –> 00:12:13,259
Sean Aylmer: This is the Fear and Greed Business Interview. Join us

204
00:12:13,259 –> 00:12:15,239
Sean Aylmer: every morning for the full episode of Fear and Greed,

205
00:12:15,240 –> 00:12:19,170
Sean Aylmer: Australia’s best business podcast. I’m Shauna Aylmer. Enjoy your day.