Editor's Note: This article was originally published in Authority Magazine on Medium.
In the ever-evolving landscape of cybersecurity, keeping abreast of the latest threats, vulnerabilities, and emerging trends is paramount. This becomes increasingly significant as malicious AI poses new challenges. How do Chief Product Security Officers (CPSOs) stay informed about these factors relevant to their organization’s products? More importantly, how do they integrate this vital threat intelligence into their security strategies? As a part of this series, I had the pleasure of interviewing Alastair Parr.
Alastair Parr is the Senior Vice President of Global Products & Services at Prevalent. He is responsible for ensuring that customer and market demands are considered and applied innovatively within the Prevalent solution portfolio. He has a 16-year background in governance, risk, and compliance and has been instrumental in developing and implementing solutions in the constantly evolving risk management landscape.
Certainly, having grown up in the leafy suburbs of Windsor in the UK, the perpetual cloud and rain cover drove my interest in the broader world, both virtual and physical. I studied Politics and International Relations at University before realizing that the skills I fostered were well suited to managing the interpersonal relationships sorely missed in cyber security.
Some of us may feel nostalgic about a certain household video retail store that is no longer with us. At the very advent of my career, I was fortunate enough to be distributing VHS tapes and, in the process, leveraging their customer databases. It quickly became apparent that the IT administrator accounts were common knowledge and shared regularly. In turn, I could bring down their national infrastructure from a small retail outlet or wipe the late rental fees of millions of households in a single command. While I didn’t use this newfound power, it spurred me to consider how companies protect their most critical assets, from penetration testing to data protection and broader risk management.
I have been exposed to many wonderful, equally fascinating, and concerning stories in this space. Having performed hundreds of audits and overseen thousands of penetration tests, it became apparent that the organizations we entrust struggle to protect their ecosystems adequately. One event in particular resonates.
A global financial institution in London nearly suffered a major breach, only to be foiled by a suitably prepared CISO. The organization subcontracted cleaning of the facilities to a third party, who in turn subcontracted to an agency without adequate vetting processes. An organized crime ring took advantage of this to install keyloggers on terminals while onsite before leveraging captured privileged credentials to attempt a financial transaction worth hundreds of millions of dollars to offshore accounts.
Thankfully, the CISO had recently implemented a time-delayed secondary validation step, much to the dismay of the operations teams. The organized gang masquerading as third-party cleaners failed to spot the secondary step and left, assuming their job was done. When normal business hours resumed, the team spotted the pending transaction, merely three clicks away from costing the company a hefty proportion of their margins for the year.
This event was a real-world example of why adequate risk management, internally and across the supply chain, is more than just a checkbox exercise.
The skills needed to be a successful leader must complement the aspirations and motivations of clients and internal teams. I feel that passion, responsiveness, and empathy are by far the most important qualities.
Teams expect a leader to lead from the front, and passion provides the energy and mindset to remain engaged and an active participant. If the lead isn’t passionate about a project or mission.
Responsiveness and empathy go hand in hand in a business setting, and the skills developed impact our personal lives and relationships. Being seen as reliable and approachable pays dividends, especially when driving complex projects. If your teams feel they can communicate with you regularly and get active support without judgment, they will be loyal and go that extra mile.
I have been blessed to have worked with some fantastic teams and clients and watched conscientious, considerate leaders achieve great things once they understood they were only as good as those around them.
Third-party risk management remains an exciting focus for me, and I endeavor to make the daunting task as easy as possible for organizations across the globe. With the advent of machine learning and AI, we can simplify the analysis and remediation workflows by achieving enterprise-scale automation. I feel that third-party risk management is starting to become a true business enabler rather than a security mechanism by providing performance and resilience visibility to teams such as procurement and legal. There is a wealth of knowledge and insight in the reams of data we have captured from third parties, which, when queried adequately, helps support service consolidation, regional resilience, operational efficiencies, and even marketing collateral.
Cybersecurity, specifically third-party risk, is a perfect AI and machine learning target. Large volumes of data are being captured, close to real-time, requiring immediate analysis to react to emerging threats. Data includes structured and unstructured data, which need reconciliation to identify anomalies and trends. Until recently, this analysis was limited to humans, which is costly and inefficient. Over the next few years, we will see these repetitive and large-volume analysis exercises performed by AI and ML technologies, while skilled resources take more of a trust but verify role. This exciting transition frees up an otherwise limited pool of skilled cyber specialists to begin focusing on business interactions with the broader internal community and stakeholders. This will allow more cohesive workflows with embedded cyber security awareness.
Naturally, I find third parties the weakest link in the chain. Most organizations are aware and diligent regarding their internal cyber posture, as they have visibility and control. The reality is that every organization relies on tens, hundreds, or thousands of third parties every day and presumes they are equally diligent. Whether it is a zero-day vulnerability in a technology or a compromised critical partner subject to ransomware, there are events outside of our control. Every organization will be hit by a third-party event at some point in its lifecycle, and how we prepare governs how impactful that will be.
From my experience, considering the limited adoption of AI across business ecosystems so far, detrimental AI impacts more commonly stem from dataset hallucination and bias. Good examples include the DEF CON generative red team challenge, where participants could get large language models to state clear falsehoods, such as inaccurate math calculations.
While this remains an issue for the trust but verify model when analyzing large-scale datasets, we equally face the challenge of how AI enables automation for malicious actors. At the same event, Sophos analysts created a fraudulent retail spoofing site in 8 minutes for $4.23. We will see increasing numbers of attacks, spoofing, and phishing due to AI. Technologies such as deepfakes can make this incredibly personal with minimal input, for example, creating a custom soundboard of an individual based on 30 seconds of recorded dialogue.
The first step is to create some degree of hard and soft policy for AI usage. A clear AI Policy needs to be authored, specifying how the organization can validate and adopt technologies, including data flow and processing limitations. Sending the crown jewels to a large language model to be incorporated into their dataset isn’t necessarily a good idea.
Once established, it is important to consider what shadow AI exists already. Many SaaS companies have already embedded AI tools in their solutions, with varying degrees of complexity. These have likely begun to be adopted by internal teams and providers without clear consideration of the impact.
Generally, the same principles of security and hardening apply to every technology before AI. Security by design, regular penetration testing/prompt injection testing, bug bounties, forensic reconstruction, and employee training are all key.
Once an event has occurred, I recommend leveraging the organization’s latent security technologies. Check egress filtering and scan the internal network for data/malicious code proliferation while isolating impacted assets. Prevention is the best strategy, so focus on ensuring visibility is immediate when an event does occur.
Cybersecurity has become a very complex and broad topic, and effective management requires visibility and a capable set of technologies and team members. Some of the more prominent areas to stay informed about include:
Vendors remain one of the weak links as we become increasingly interconnected. The first hurdle I see when establishing good cyber awareness is a lack of visibility into which vendors have access to data and systems and what the impact is in the event of a breach or outage. Organizations can’t respond effectively to threats with meaningful immediacy without a clear, documented vendor inventory.
When we refer to real-time for vendors, this means being aware of an incident before your clients, customers, or, worse, the regulators, ask you about it. Whether zero-day vulnerabilities, cyber posture, hacks, business operational intelligence, or localized geopolitical issues, we need to develop a response plan before we get asked what our response is by those who depend on us.
Remaining on the third-party track, when an event occurs, we need the ability to take action to resolve it. This is more straightforward regarding our internal systems and processes but becomes restrictive when our broader vendor ecosystem is involved. We must ensure our relationships have the necessary obligations embedded in agreements and formal contracts, or our agility is greatly reduced.
While the periphery of third parties constitutes an increasing percentage of most organizations’ IT systems and applications, we often presume due diligence is being performed on technical innovations and evolving infrastructure. Regular, demonstrable penetration testing and scanning are necessary for our partners and internal assets. This should ensure that technologies are known in the event of a zero-day response.
All the technology in the world won’t protect us from the most unpredictable element: our workforce. Whether deepfake social engineering/phishing or shadow AI usage, our users can circumvent our controls and become the cyber security threat we all seek to avoid. Regular, bite-size, jargon-free user training is the best way to address this. All users must feel empowered to escalate incidents, concerns, and challenges accordingly.
I’d tie my movement back to the characteristics of a good leader. The most influential people to me have been conscientious and empathetic. With increasing complexity and workloads, compounded by more remote work post-COVID, it is easy to become isolated and unapproachable in the IT and security space. I’d encourage people to remember the interpersonal requirements our sector needs so that it can be a healthy, interconnected community.
I regularly speak at events and often host webinars with Prevalent on third-party risk management and associated developments. Please feel free to join us via www.prevalent.net.
Thank you so much for joining us. This was very inspirational, and we wish you continued success in your important work.