Sponsor Voice (11:51)

And now a word from our sponsor, KnowBefore. It's all connected and we're not talking conspiracy theories when it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBeFor, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBeFor's security coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco 35 vendor integrations and Counting Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more@knowbe4.com SecurityCoach that's knowbe4.com SecurityCoach and we thank knowbe4 for sponsoring our show.

Dave Bittner (13:21)

Foreign.

Mike Hamilton (13:25)

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with Threat Locker, the cybersecurity solution trusted by businesses worldwide. Threat Locker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. Mike Hamilton is Chief Information Officer at cloudflare, and on today's sponsored Industry Voices segment, we discuss how TechSprawl emulates the old Snake game.

Dave Bittner (14:21)

I think the main challenge that all CTOs face these days is how to leverage artificial intelligence. Just in general, I think that that's the burning thought on everybody's mind right now. There has not been this is exactly as transformational as the invention of the computer was to business. If you rewind 30 plus years and you think about what businesses face back then, it's like, hey, there's this new thing called a computer. We should probably get one of those and Then you bring the computer into the business and try to understand, how do we make this work and do something transformational? Because our competitors are probably doing the same thing. Coming back to the present time, we're in the same situation today where we've got to figure out, how do we transform businesses around artificial intelligence? How do we think about this? What is our competitive advantage for leveraging artificial intelligence? And I don't think that there's any way around that, But I think CTOs, and quite frankly, anybody in the C suite also has to worry quite a lot about security still. And it never goes away. Security is always something we're thinking about, but in particular, security is a way of investing in your business to protect it from people who are also using a budget. So I think that the nature of adversaries in the security space is shifting as well. We're not just talking about someone who's trying to be a nuisance or experimenting with something. We're talking about organized crime. At this point, the adversarial relationship that businesses have with cybercrime has shifted into, hey, these people have budgets, they have economic models where they're using one attack to raise money to fund a different type of attack. And so that's top of mind as well. For every dollar that you put into security, where does that dollar need to go? How do I know that dollar is actually being as effective as it needs to be? And how are my adversaries spending money to. To attack, basically?

Mike Hamilton (16:16)

Can we touch on the issue of complexity here? I mean, it strikes me that as organizations grow, the complexity isn't necessarily linear. You know, a doubling in the number of employees. It could be an exponential growth in the complexity of your network and all the different interconnections. Is that an accurate way to look at it?

Dave Bittner (16:37)

I think there's really two. It is an accurate way. And I think that there's two lenses we can put on that. The first would be internal infrastructure and sort of company scalability. Every company faces how do we get our systems to work well together? How do we have our infrastructure serving our business? That's a challenge that everybody faces, and there's a natural sprawl that comes along with that. But then I think from an external perspective, we also have this. The. The nature of the industry itself. So in the. In the security space, a lot of companies have popped up to address a problem that they see coming. Like, security works a little bit differently than, say, Salesforce or. Or a product that's serving a different part of the business. Security products tend to work around very smart people, founding companies to solve very specific problems because they see the demand emerging. But what that creates is a landscape of products that are only solving individual problems and only solving individual area domains of risk. What that means over time, though, is that companies find themselves with a myriad of applications that are providing some value in theory, but it's difficult to articulate how much and comparing and contrasting with business for a second business applications. The sprawl that happens there is largely due to the way that the buying cycle changed. It used to be that companies sold to the CIO or to the IT department. And because somebody would have to figure out how to run this application behind the firewall. How many servers is it going to take? How much is it going to operational overhead? Is this going to add to our business, et cetera. But when SaaS came on the scene and took away that complexity, then the problem shifted to like, hey, I don't really need to sell to it anymore. I'll just sell directly to the line of business. But it changed the expectation the line of business has as well. They're like, oh, I need five applications for this, I need 10 applications. And not really getting them in the door with necessarily an integrated strategy or a way that these applications would work together. And so sprawl on the business application side is just really due to the number of applications available and the fact that buyers are enticed by hopefully solving problems of buying a bunch of applications. On the security side, the sprawl is caused by emerging demand based on the changing landscape of cyber threats in the cybersecurity space. And that creates a natural fragmentation. But it's largely the factor of companies trying to address being ahead of the curve. Can I get ahead of some of these threats as they're emerging by buying something that's innovative, that gets me there. And it's tough. It's really difficult for businesses to manage this.

Mike Hamilton (19:06)

Talking about that old classic Snake game where the more you eat, the longer the Snake gets. And it strikes me that that's a comparison with folks adding more and more point solutions here that over time it becomes more and more cumbersome and it's hard for you to navigate.

Dave Bittner (19:26)

Absolutely. I like the analogy for that reason. In fact, there's two factors of the Snake game that remind me of the world that we live in. The Snake gets longer. So every time a new product gets adopted, the complexity of our tech environment increases. But the Snake also goes faster. Our ability to handle all, to pay attention to all these different things also comes into play, and how do we focus in the right things at the right times to make sure that we're getting the value out of all these point solutions that we're buying? And the reality is it's just very difficult to do because what's also happening and the thing that makes the snake go faster in a lot of ways is that for every point security solution I've purchased, that company is trying to find its next feature or its next capability that keeps them relevant for longer. Right. So in every application, there's something new coming out or they're trying to emerge into a new space. And the Venn diagram of what a security applic covers just keeps getting bigger, which means not only am I dealing with having a lot of solutions, but these solutions are starting to overlap with each other, and they're not intended to work together. They're actually direct competitors in some cases. The more these, these solutions overlap with each other, the more they're actually competing with each other. And I'm not getting the benefit necessarily, as the buyer.

Mike Hamilton (20:41)

When you talk about purchasing and that cycle, can we talk a little bit about the timing? Why is important to. To time these things with each other? And I suppose there are a lot of challenges there as well.

Dave Bittner (20:55)

I think timing is best managed by really being honest about prioritization. If everything's a fire, then nothing's a fire. You know, if everything's a P0, nothing's a P0 is something you'll hear a lot of people in the industry say. And I think that that's true at the same time that there's. That emerging security products are often truly addressing an emerging threat. Sometimes they're also a solution looking for a problem. And as buyers, we can be convinced that, like, this is the most important thing. But I think it's really important to sort of take the solutions out of the landscape for a second and ask a really simple question. What's my security strategy like? You know, what's. What's the biggest attack surface area that I need to deal with and how do I have to address, as an example, for all of the products that we can buy in the world, the most common threat vector is actually compromising someone's credentials. With phishing, it's still one of the most effective ways to do it. It's one of the cheapest ways to compromise something. So that's an inherent great place to start. It's an excellent place to start in terms of, like, hey, let's protect our users first, and then the next threat landscape. It may be somewhere between how many servers are you running or it could be your entire laptop fleet. Like how do we protect this laptop fleet? How do we make sure that it's safe and that our users are protected? And so it's really important to have these hard conversations with yourself. I like to think about it as crown jewels. Like where, where are the crown jewels of the company and where is the biggest attack surface area? And how do I leverage a strategy to protect both equally?

Mike Hamilton (22:24)

Well, help me understand here. I mean, I certainly get that folks want to minimize the number of point solutions they have to decrease that level of complexity and to be able to stay nimble. At the same time, I could understand someone being hesitant to put all their eggs in one basket, to have one platform that does everything. How do you recommend that people balance those two impulses?

Dave Bittner (22:53)

I like to start with the idea of what's our user experience. So let's go back to human beings as being the weakest link in terms of any security strategy because they're the easiest thing to compromise and they have the most access, right? So let's start with the principle that the easy thing to do or the simple thing for a user to do is the most secure thing that they can do. So if I'm asking people to jump through 60 hoops just to authenticate, people are going to find a way around it and it's going to be painful and we're somehow going to be less secure. Think of all of the different authentication sequences you've been through your entire life, especially over the last 20 years, where logging in could be as simple as just I entered my password and I'm logged in. Or it could be as complex as well, I've had to do multiple multi factor methodologies, depending on the application, depending on the time, maybe I had a smart card at some point. From a user perspective, the simple thing is not necessarily the thing that they're asked to do. If we start with the principle of let's keep users lives simple, let's try to provide security transparently to them, then that to me is the first order of defense. That's with things like, hey, how do we protect them from phishing attacks, how do we make authentication as secure as possible while also driving still the authentication that we need to see, and that being a key part of the strategy. And then I think the next layer of it is which parts of the business are the most vulnerable. So thinking about what system being down or which bit of data that would be inaccurate would cause you the most headache and the most pain. That's the thing you need to protect the most. That's the crown jewels. A typical company these days has hundreds of SaaS applications and hundreds. If you were to rewind in time, go back 20 years and go, hey Mike, someday you're going to work for a company that'll have hundreds of applications running, I'd be like, wow, how am I going to run that? Because SaaS didn't exist 20 years ago in the same state that it is today. Now it's normal. People don't even think twice about it. Hundreds of applications. But really out of those hundreds of applications, the business is only really running on about 10 to 20 of them. That's really it. Those are the core applications. And thinking about how do we circle the wagons around these 10 to 20 applications and make sure that those are secure, such that we have a high confidence that we know those are secure. So let's start really two categories of things. Then let's make the user experience positive and such that the easy thing to do is a secure thing to do. And that's where I think zero trust. A good zero trust implementation is a big part of that. Good anti phishing is a big part of that. And then the next layer is from an application security perspective, how do I secure my applications as much as I possibly can within reason to give me confidence that the business is safe?

Mike Hamilton (25:34)

That's Mike Hamilton, Chief Information Officer at cloudflare. We'll have a link to a blog post with more of Mike's thoughts in our show.

Sponsor Voice (25:41)

Notes.

Mike Hamilton (25:57)

Do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber. That's vanta.com cyber for $1,000 off. And finally, an article from Four Hundred and Four Media examines Meta's uneven moderation policies and how they enable harm on a massive scale. The company profits from ads promoting Crushmates, an AI app that creates non consensual nude images. Despite banning explicit content, Meta platforms like Facebook and Instagram have allowed crushmate to run thousands of ads featuring doctored videos of real women, including influencers and onlyfans creators like Sophie Rain and Michaela Demaiter. These ads violate Meta's policies, yet they remain live, exploiting loopholes that allow the app to evade detection. Crushmate's ads account for 90% of the app's traffic, according to SimilarWeb. They show how easily Meta's systems can be manipulated by bad actors who create fake profiles and redirect URLs. Although flagged repeatedly, hundreds of similar ads remain active, amplifying the app's reach and harm. Disturbingly, while individual users uploading explicit images face swift removal, advertisers like crushmate are held to laxer standards when they pay Meta. This double standard prioritizes profit over safety of those victimized by the app, including miners. As generative AI tools like this make it easy to target anyone, Meta's failure to proactively address this issue raises serious questions about its commitment to user safety. The harm extends beyond privacy violations. By allowing ads that promote the app, Meta not only facilitates exploitation but actively profits from it, making a mockery of its supposed community standards. Victims deserve better safeguards from platforms that claim to protect them. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast. Appreciate Please also fill out the survey in the show notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try Delete me. I have to say, delete me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Deleteme's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Deleteme now at a special discount for our listeners today. Get 20% off your delete me plan when you go to JoinDeleteMe.com N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.comN2K and enter code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.