259 episodes

The ISF Podcast brings you cutting-edge conversation, tailored to CISOs, CTOs, CROs, and other global security pros. In every episode of the ISF Podcast, Chief Executive, Steve Durbin speaks with rule-breakers, collaborators, culture builders, and business creatives who manage their enterprise with vision, transparency, authenticity, and integrity. From the Information Security Forum, the leading authority on cyber, information security, and risk management.

ISF Podcast Information Security Forum Podcast

    • Business
    • 4.5 • 11 Ratings


    Geoff White - From Cartels to Crypto: The digitalisation of money laundering


    Today, Steve is speaking with investigative tech journalist Geoff White, who has been covering tech and financial crime for more than 20 years. Listeners may be familiar with his popular podcast The Lazarus Heist for the BBC World Service, and now his new book, Rinsed: From Cartels to Crypto: How the Tech Industry Washes Money for the World's Deadliest Crooks, will be available from Penguin Random House next week.  Steve and Geoff discuss current trends in organized cybercrime, how these criminals are—or maybe aren’t—adopting AI, and the difficulties law enforcement still faces in helping the victims of these crimes.

    Key Takeaways:
    1. Nation states and government agencies have been known to adopt tactics from organized crime gangs and activists – a sort of trickle-up effect.
    2. As technological advancements are presenting criminals with new avenues for money laundering, law enforcement is not always able to keep up and instead is having to prioritize high-level crimes.
    3. The law enforcement landscape is a fast-changing world, as agencies adapt and gain more awareness of cybercrime tactics relating to AI and cryptocurrencies.

    Tune in to hear more about:
    1. Cybercrime evolution, nation-state involvement, and tactics (3:31)
    2. AI use in cybercrime, potential for innovation and defense (8:29)
    3. Cybercrime and money laundering, with a focus on the role of technology and law enforcement (11:45)
    4. Cybercrime, crypto, and organized crime evolution (15:59)

    Standout Quotes:
    1. “Sometimes the tools of organized cybercrime, gangs, nation states have also learned from hacktivists. From leaks from people like WikiLeaks or from Anonymous, they've learned the damage that a leak can do a leak of information can do. And that's fed into that disinformation piece nation states now extremely astute at getting in stealing information and then weaponizing that information to change elections, to change people's attitudes, to influence world events, the nation states have got both feet in to this cybercrime game.” -Geoff White

    2. “I think maybe it's worth thinking like a criminal and understanding how thinking like a criminal is different to thinking like a different type of enterprise. The reason I enjoy thinking about organized crime and covering organized crime is because it's organized. These are networks, as you say, of professional, organized people. But they're not out to win customers. They're not like Microsoft and Google who wants to come out with innovation and innovative new products to win customers in their competition. No. They want to make money from victims. And frankly, as long as you're making enough money from your victims month in month out, you don't change. There's no reason to innovate. Crime gangs innovate when law enforcement and the force of authority stop them from making the money they usually make. That's when you innovate.” -Geoff White

    3. “I think there was a time when, frankly, explaining Bitcoin to sort of rank and file police officers was a struggle. I think those days are gone … There's been this realization that things like cryptocurrency is something that law enforcement needs to be on top of.” -Geoff White

    4. “As cryptocurrency gets larger, as more financial institutions get behind it, as governments get behind it, yes, it can make it more legitimate, it can expand the legitimacy of it. But it also creates more noise, if you like, for the criminals to hide.” -Geoff White


    Mentioned in this episode:
    • ISF Analyst Insight Podcast




    Read the transcript of this episode
    Subscribe to the ISF Podcast wherever you listen to podcasts
    Connect with us on LinkedIn and Twitter

    From the Information Security Forum, the leading authority on cyber, information security, and risk management.

    • 22 min
    Steve Durbin & Juliette Foster - Good Cyber Strategy Begins and Ends with Alignment to Business Priorities


    Recently, British journalist Juliette Foster interviewed Steve for a feature in The European, and today we’re listening to that conversation. Steve and Juliette explore a range of topics, including how to get buy-in to your security strategy at all levels of the organization, how much security should cost, navigating the regulatory landscape, and which industries and enterprises Steve believes could be templates for security.

    Key Takeaways:
    1. Good cyber strategy aligns with business strategy, is quantifiable, and involves all employees.
    2. Durbin suggests involving security in project planning to avoid retrofitting security measures.
    3. Durbin suggests that security teams need to spend more time explaining security implications to business leaders in a way they can understand.
    4. Durbin suggests that leaders must create a personal investment in security by providing feedback and justifying costs in a way that resonates with each individual’s role and responsibilities.
    5. Durbin highlights the evolving regulatory landscape, with a shift from standardization to protectionism and complexity for organizations.
    6. Durbin highlights the evolving threat landscape, including malware, ransomware, and phishing attacks.

    Tune in to hear more about:
    1. Aligning cybersecurity strategy with business goals and outcomes (1:36)
    2. Cybersecurity strategies, testing, and budgeting (10:42)
    3. Regulation complexity and its impact on businesses (18:00)
    4. Cybersecurity investment, risk management, and emerging threats (22:44)
    5. Evolving cyber threats and the importance of resilience (26:58)

    Standout Quotes:
    1. “What is important for organizations is not to become over fixated on the threats — that’s necessary, obviously, to have a good defense — but also to figure out this whole notion of resilience. How quickly could we get our systems back up and running? How quickly could we get our organization functioning again? How are we going to recover our data? Where are we storing it? Those sorts of things.” - Steve Durbin

    2. “... the crux of good cyber strategy is having an alignment with a business strategy happening in alignment with what it is that the organization is looking to do on a daily basis, which in the majority of cases is: increase revenue, increase shareholder value, deliver back to employees, customers, and to further the ideals of the organization.” - Steve Durbin

    3. “So the role of the security leader in any budget cycle is to try to align whatever spend she or he wishes to have with the future direction of travel of that organization. And if you can start to do that, then the whole conversation becomes very much easier. But I'm not a huge fan of setting fairly random percentages, because I think it sends entirely the wrong message. You run the risk of overspend or underspend. And what you actually want to be doing is spending appropriately to deliver the right level of protection for your critical assets, for your company, for your employees, for your shareholders, so that you can continue to provide a thriving environment.”  - Steve Durbin


    Mentioned in this episode:
    • ISF Analyst Insight Podcast





    • 32 min
    Thom Dennis - Becoming a Leader of the Future: Learning to let go and trust your gut


    Today, Steve is speaking about security leadership with executive coach and CEO and Founder of Serenity in Leadership Thom Dennis. Thom brings his expertise in psychology to bear in their discussion of the role of leaders in culture change, how to let go and trust your workforce, and practical tips for embracing the challenges leaders face day to day.

    Key Takeaways:
    1. Fast-paced change and unease about people being away from work for extended periods of time are impacting leadership development.
    2. Trust and clarity are key to successful remote work, letting go of control and setting clear objectives.
    3. Incorporating breaks into work schedules serves to avoid burnout and increase productivity.
    4. Thom Dennis predicts a shift in leadership thinking, where society’s demands will be prioritized over corporate standards.


    Tune in to hear more about:
    1. Trust, fear, and delegation in leadership (3:56)
    2. Creating space for focus, trust, and organizational leadership evolution (11:29)
    3. Leadership evolution, prioritizing people over analysis, and fostering trust and community in organizations (17:22)


    Standout Quotes:

    1. Let people go. Tell them what you want them to achieve, tell them what the objectives are, and then let them get on with it. There's this sort of sense of fear that one isn't going to be in control. So I think people have got to learn to trust, and to be very clear about what it is that they're looking for. And then letting go. And I think often, you will get a far better result from that. Above anything else, I think, in forcing the briefer to be absolutely clear about what they want to achieve, that can save an awful lot of time and money in and of itself. -Thom Dennis

    2. Some people who write and have incredibly busy jobs, they're up at five o'clock, or even four o'clock, and they’re writing for an hour, and then they go to the gym, and then they … and so on. Whatever your routine is. But if they're doing that, they're probably in bed at eight o'clock in the evening. So look, a part of this is self discipline, isn't it? It’s deciding on your routine, and then doing whatever it is that you can do to keep yourself to it. -Thom Dennis

    3. I think we need to create quiet spaces for ourselves so that we can actually hear our inner knowing. They say that there's more signals that go from the heart to the brain than the other way around. And they've identified that there are brain type cells in the heart, and also in the gut. So all these things people have been talking about oh, well, I just go by my gut feelings, well, that's not as silly as it sounds. And I think that leaders of the future have got to become just a little bit less — not totally, but a little bit less cerebral, and more in touch with their inner knowing. — Thom Dennis

    Mentioned in this episode:
    • ISF Analyst Insight Podcast



    • 24 min
    Erik Avakian - Fuelling Business Growth with Modern Security Leadership


    Today, Steve is speaking with Erik Avakian, who served as CISO for the Commonwealth of Pennsylvania in the United States for more than twelve years before moving into the private sector, where he currently works as the technical counselor at Info-Tech Research Group. Erik brings his passion and experience to a lively conversation in which he and Steve discuss coping with change through multiple leadership turnovers, practical examples of how security leaders can demonstrate their department’s value to an organization beyond theoretical breach prevention, and overcoming challenges in the public and private sectors.

    Key Takeaways:
    1. Embracing change in state/local government requires technical architecture and common architecture.
    2. Public sector security faces unique challenges, including political considerations.
    3. It’s critical for public funds to be used efficiently while also reducing duplication of work and building knowledge sharing across agencies.
    4. Security testing and phishing simulations can demonstrate return on security investment, saving time and money in the long run.

    Tune in to hear more about:
    1. Embracing change in security leadership in the public sector (0:00)
    2. Building security foundations in public sector organizations (4:45)
    3. Funding challenges in security, with tips for effective resource utilization, building strong teams, and collaboration (8:48)
    4. Demonstrating security value to business leaders through cost-benefit analysis and service metrics (14:02)
    5. Demonstrating security value to non-technical stakeholders through practical examples (18:33)


    Standout Quotes:

    1. One of the reasons I love the industry and I loved the position of CISO is you're constantly trying to just improve, right? You're not trying to rebuild every, all the time. You know that the business might want to rebuild, but you're there to constantly improve that foundation, continuingly building your team, and continually building your capabilities. So regardless of who comes and goes, you have that foundation, and you continue to grow it. - Erik Avakian

    2. It's really about enabling the business. How can we say yes, but do things more securely and put a positive spin on it? Whereas, you know, in the past, you know, security is looked at oh, these are the guys that say no. So really, a CISO's a partner to the business, a collaborator building relationships, and really, that's been the change, right? It's gone from less of a technical kind of a thing to being a coach, being a leader, and really working and building those relationships at the business level. - Erik Avakian

    3. I look at it as almost like a baseball team. So in the baseball world, you have a catcher, you have a pitcher, you have all these people on the field. And it's identifying what are the strengths of your team, and letting those players — if we look at it from that perspective — letting them thrive, letting them grow in the position that they're passionate about. And then you can just grow in that passion, give them the training, give them extra training, helping them build where they're really good at and what they really like to do. And then the baseball world is that example. We wouldn't necessarily make the pitcher catch — they might not be comfortable with that — or the catcher pitch, and all sorts of other things. Because they do what they do well, that's their position on the field. And what I've found is that if we can do that, we can build our teams and build rock stars out of them in the places where they really are passionate about, then we have retention.

    I think my retention throughout my tenure was almost 99%, because I looked at people as to what drives them. - Erik Avakian

    Mentioned in this episode:
    • ISF Analyst Insight Podcast





    • 24 min
    Boosting Business Success: Unleashing the potential of human and AI collaboration


    Today, Steve and producer Tavia Gilbert discuss the impact artificial intelligence is having on the threat landscape and how businesses can leverage this new technology and collaborate with it successfully.

    Key Takeaways:
    1. AI risk is best presented in business-friendly terms when seeking to engage executives at the board level.
    2. Steve Durbin takes the position that AI will not replace leadership roles, as human strengths like emotional intelligence and complex decision making are still essential.
    3. AI risk management must be aligned with business objectives while ethical considerations are integrated into AI development.
    4. Since AI regulation will be patchy, effective mitigation and security strategies must be built in from the start.


    Tune in to hear more about:
    1. AI’s impact on cybersecurity, including industrialized high-impact attacks and manipulation of data (0:00)
    2. AI collaboration with humans, focusing on benefits and risks (4:12)
    3. AI adoption in organizations, cybersecurity risks, and board involvement (11:09)
    4. AI governance, risk management, and ethics (15:42)


    Standout Quotes:

    1. Cyber leaders have to present security issues in terms that board level executives can understand and act on, and that's certainly the case when it comes to AI. So that means reporting AI risk in financial, economic, operational terms, not just in technical terms. If you report in technical terms, you will lose the room exceptionally quickly. It also involves aligning AI risk management with business needs by you know, identifying how AI risk management and resilience are going to help to meet business objectives. And if you can do that, as opposed to losing the room, you will certainly win the room. -Steve Durbin

    2. AI, of course, does provide some solution to that, in that if you can provide it with enough examples of what good looks like and what bad looks like in terms of data integrity, then the systems can, to an extent, differentiate between what is correct and what is incorrect. But the fact remains that data manipulation, changing data, whether that be in software code, whether it be in information that we're storing, all of those things remain a major concern. -Steve Durbin

    3. We can’t turn the clock back. So at the ISF, you know, our goal is to try to help organizations figure out how to use this technology wisely. So we're going to be talking about ways humans and AI complement each other, such as collaboration, automation, problem solving, monitoring, oversight, all of those sorts of areas. And I think for these to work, and for us to work effectively with AI, we need to start by recognizing the strengths both we as people and also AI models can bring to the table. -Steve Durbin

    4. I also think that boards really need to think through the impact of what they're doing with AI on the workforce, and indeed, on other stakeholders. And last, but certainly not least, what the governance implications of the use of AI might look like. And so therefore, what new policies controls need to be implemented. -Steve Durbin

    5. We need to be paying specific attention to things like ethical risk assessment, working to detect and mitigate bias, ensure that there is, of course, informed consent when somebody interacts with AI. And we do need, I think, to be particularly mindful about bias, you know? Bias detection, bias mitigation. Those are fundamental, because we could end up making all sorts of decisions or having the machines make decisions that we didn't really want. So there's always going to be in that area, I think, in particular, a role for human oversight of AI activities. -Steve Durbin


    Mentioned in this episode:
    • ISF Analyst Insight Podcast





    • 22 min
    Brian Lord - AI, Mis-and Disinformation in Election Fraud and Education


    This is the second of a two-part conversation between Steve and Brian Lord, who is currently the Chief Executive Officer of Protection Group International. Prior to joining PGI, Brian served as the Deputy Director of a UK Government Agency governing the organization's Cyber and Intelligence Operations. Today, Steve and Brian discuss the proliferation of mis- and disinformation online, the potential security threats posed by AI, and the need for educating children in cyber awareness from a young age.

    Key Takeaways:
    1. The private sector serves as a skilled and necessary support to the public sector, working to counter mis- and disinformation campaigns, including those involving AI.
    2. AI’s increasing ability to create fabricated images poses a particular threat to youth and other vulnerable users.

    Tune in to hear more about:
    1. Brian gives his assessment of cybersecurity threats during election years. (16:04)
    2. Exploitation of vulnerable users remains a major concern in the digital space, requiring awareness, innovative countermeasures, and regulation. (31:0)

    Standout Quotes:

    1. “I think when we look at AI, we need to recognize it is a potentially long term larger threat to our institutions, our critical mass and infrastructure, and we need to put in countermeasures to be able to do that. But we also need to recognize that the most immediate impact on that is around what we call high harms, if you like. And I think that was one of the reasons the UK — over a torturously long period of time — introduced the Online Harms Bill to be able to counter some of those issues. So we need to get AI in perspective. It is a threat. Of course it is a threat. But I see then when one looks at AI applied in the cybersecurity test, you know, automatic intelligence developing hacking techniques, bear in mind, AI is available to both sides. It's not just available to the attackers, it's available to the defenders. So what we are simply going to do is see that same kind of thing that we have in the more human-based countering the cybersecurity threat in an AI space.” -Brian Lord

    2. “The problem we have now — now, one can counter that by the education of children, keeping them aware, and so on and so forth— the problem you have now is the ability, because of the availability of imagery online and AI's ability to create imagery, one can create an entirely fabricated image of a vulnerable target and say, this is you. Even though it isn’t … when you're looking at the most vulnerable in our society, that's a very, very difficult thing to counter, because it doesn't matter whether it's real to whoever sees it, or the fear from the most vulnerable people, people who see it, they will believe that it is real. And we've seen that.” -Brian Lord


    Mentioned in this episode:
    • ISF Analyst Insight Podcast


    • 23 min

Customer Reviews

4.5 out of 5
11 Ratings


mvelasco07 ,

Great podcast!

Can’t believe an incredibly valuable resource like this podcast is FREE! 🤩

No matter the subject, you’re guaranteed to gain something from Steve and his guests in each and every episode - can’t recommend ISF Podcast enough!
