
The Future of Work: Flexibility, AI, and Cybersecurity with Ross Young


About This Episode

In today's episode, hosts Rachael Lyon and Vince Spina dive deep into the ever-evolving world of cybersecurity with special guest Ross Young, CISO in Residence at Team 8. Drawing on his extensive experience with top companies and intelligence agencies, Ross shares insights on critical issues like flexible work arrangements, AI-induced challenges, and the future of cybersecurity.

From the importance of innovative data security solutions to the shifting dynamics of remote work, this conversation is packed with actionable insights and forward-thinking strategies. Stay tuned as we explore the complexities of modern IT environments, the rise of AI, and the strategic role of CISOs in navigating these turbulent waters.


      Rachael Lyon:
      Welcome to To The Point cybersecurity podcast. Each week, join Vince Spina and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point. Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my co host, Vince Spina. Vince, how are you?

      Vince Spina:
      Good, Rachael. I am doing fantastic. How are you doing?

      Rachael Lyon:
      I'm doing well. Although, I didn't go to New Orleans last week for an event, so, dying to hear how that went.

      Vince Spina:
What happens in New Orleans on Bourbon Street stays there. No. That's what they tell me. But no. It was a good time, great city, great people, great food, but we did manage to get some really important and fantastic training to the team all week. So we stayed pretty busy.

      Rachael Lyon:
      That's nice. So a great location to go do that. I haven't been back to New Orleans in years, and I just I miss the food. You know? Really good.

      Vince Spina:
Every day, it was either a po'boy or seafood gumbo. So that's what I ate just about every single day.

      Rachael Lyon:
      Oh, that sounds delicious.

      Vince Spina:
      And my wife's from there, so she was very jealous, by the way. I was sending her pictures of

      Rachael Lyon:
      of what

      Vince Spina:
      I was eating for the day.

      Rachael Lyon:
Oh, great. I know what I'm having later today. So let me introduce today's guest. I'm so excited to welcome Ross Young. He is the CISO in Residence for Team 8. He's also served as the CISO of Caterpillar Financial and divisional CISO at Capital One. An amazing, amazing career: he has over a decade of experience with the CIA, NSA, and the Federal Reserve Board. And if that's not enough, he's also created the OWASP Threat and Safeguard Matrix, which we'll talk about in just a little bit.

      Rachael Lyon:
      Ross, welcome.

      Ross Young:
      Hi. It's a pleasure to be here. I'm super excited.

      Rachael Lyon:
Awesome. So, Vince, you wanna kick us off today?

       

      [02:01] Cybersecurity Trends and Remote Work

      Vince Spina:
Yeah. First of all, Ross, thank you very much. I appreciate your time and I'm very excited about this podcast. The first thing is, kind of as a CISO, the fact that you communicate with a group of your peers on a daily basis. Obviously, in that world, hacking is something that you and your colleagues have to think about, care about on a daily basis. And we've seen kind of an uptick lately, especially when everybody kinda went home and are working remotely now and all those kinds of things.

So we're seeing kind of an uptick in hacking. And it seems to be happening more often, sometimes more severe, but I just wanted to understand, like, from a hacker's behavior, the code of conduct, what do you feel like has changed since we've come out of this post-pandemic kind of environment?

      Ross Young:
Yeah. Well, I think the biggest thing that we've seen is just really this huge uptick in ransomware groups. You know, if you think about, let's go about 5, 10 years ago, you used to just ransom one individual person. Right? You would send them a malicious email, they open that, and then you would encrypt their own laptop and say, hey, it's gonna be $500 to $1,000 before we enable your laptop to get back. And from that, people said, oh, this is a viable business model. Let's go after bigger fish, and then they went after corporations. And now what happens is, hey, it's four and a half million dollars that corporations are paying these companies, these bad actor companies.

      Ross Young:
It's not just one individual. It's a whole company of people. And now guess what? They get money to reinvest and build capabilities. So instead of just here's what one person could do against you, you're actually going up against companies that have spent time and money to build zero-day exploits and misattribution infrastructure and everything else to make your life harder.

And if you're a small company, you know, someone under, let's say, 500 people, you're lucky to have an IT staff of 5 people, let alone have a single security person on that team. And so that ability, it's like me trying to stop an NFL lineman, and if anybody has known me, I'm a 5'10", 160-pound guy. It's just not gonna happen. Right?

      Vince Spina:
You look chipper, though. You look chipper, Ross.

Ross Young:
Oh, thank you.

Vince Spina:
Yeah. Hey. Listen. Follow-up on that. So, you know, to me, in my mind, things have really changed since a couple of things: post-pandemic, so we're all working remotely, the advent of cloud and all of that.

So now our environments are borderless. There's no more notion of building a moat around your company. But I also think there's elements of generational change and wanted to just kinda delve into that a little bit. Like, is the younger type of hacker different than the older generation, or do you think it's the confluence of all these other things kinda coming together today that's causing that? You know, it's not about an individual anymore. We're going after corporations and large brands and things. What are your thoughts on that?

      Ross Young:
Yeah. I mean, there's definitely been huge generational shifts. If you were to look at the earliest days, hacking was mostly considered pranking. Like, you'd have colleges where one would wanna do something at the other college and stir the pot a little bit, and it was kind of all done in good fun. Right? And you just think of, hey.

Maybe you build an app where it just opens a hundred windows or makes an embarrassing photo or something on your desktop, and you do weird things like that. And then hacking kind of took a dark side, which is, okay, it's not just for fun. It's how do I turn this into a criminal enterprise, and most people would use the term, let's call it criminal activity or black hat hacking.

      Ross Young:
I kinda use the generic media term of hacking, which I know some people might disagree with. But as we see, it went there. First, what we saw was government agencies really take interest in it because, hey, maybe you don't wanna bomb a country, but can I steal information through hacking, clandestine methods and computer network exploitation? So places and, you know, three-letter agencies did that.

And then, lo and behold, we started seeing where we had all of these leaks of how they were doing things. Right? And those three-letter agencies' secrets became open source when you had the Vault 7 leaks and other things that were happening. And now the bad actors got to say, oh, let me clone what governments have spent hundreds of millions of dollars building, and now that becomes more weaponized. And as I mentioned earlier, then we also had the criminal ransomware groups who really took advantage of this and saw this as a very fruitful business model.

      Ross Young:
Some of the studies that I've seen have shown ransomware as almost like a top ten country for how much it's stealing from companies these days. So when we start to look at it, it doesn't look promising. I think the only solution that we really have left is, do we get to a future where we're banning ransomware payments, because the enabling of future capabilities is just gonna be too high to leave on the table for companies.

      Rachael Lyon:
Yeah. That's a great point. And I think what I was always fascinated with is, there's always that kinda lure of the hacker in the basement of their parents' house, but these are actually, like, incorporated businesses that have HR departments. You know? I mean, they're much more sophisticated from a business perspective than I think people recognize. And what is it on the dark web now?

It's like ransomware, like the wine club, ransomware of the month. You know? What flavor do you wanna try to get out there? And it kinda makes you wonder. Social media has been kind of a part of this whole culture, but particularly social media in the age of AI. I mean, how do we see that? Is that gonna exponentially accelerate hacks, or how are you seeing this out in the wild?

       

      [08:37] Role of Social Media in Cyber Attacks

      Ross Young:
So social media really makes it easy to connect to a lot of people and a lot of targets. Right? I can find people who look interesting to me. So if I was gonna go after a company today, I might look on LinkedIn to find database administrators because they're gonna have access to bulk data sources that I care about. And then do I craft some sensitive messages that say, hey, I just saw that you were at the last Boy Scout event. Cool. I'm looking to learn more. Let me show you some of the things that we're doing to help.

      Ross Young:
Just open this PDF of our service offerings, and then I go to town. So it's a huge enabler, plus it also is very hard for cybersecurity organizations to stop. So, usually, we're used to bad actors targeting our employees through email. Very simple. We put email security gateways in place, things like Proofpoint, to stop those attacks. But what happens when the bad actors start targeting our employees over SMS, or if they start targeting over LinkedIn messages or over Slack?

And if our employees are opening these services on their laptops, maybe these are things we can't actually put a security gateway solution in front of, and now it becomes very hard for us to stop when they click these phishing, smishing, other types of attacks.

      Rachael Lyon:
Yeah. That's a really good point because, being in cyber, I'm leery of everything, and you get those kinda postal service text messages with a link to track your package, and you just don't know. Like, is it real or is it not real? I don't know how to navigate these days, Ross.

      Ross Young:
And it only actually gets worse, and I'll just give you the example. Before, maybe the bad actor may have come from a country like Nigeria and they did a Nigerian scam. Well, their ability to know the English language was limited based on how much they studied in school. But now if they go and they ask ChatGPT to rephrase this phishing email, it's gonna come out with better English than I have. Yeah. Right? And so that barrier to make it very enticing, you just put a phrase in there. It says, make this phishing email more catchy. Right? And it's so easy for them to write these very carefully worded, enticing emails to open.

      Rachael Lyon:
What was I reading, that generative AI has kind of also opened the door to some of the more difficult languages? Right? Like in Arabic, where you're starting to see in the Middle East that they're able to exploit in countries that previously would have been very difficult, to your point on the language front. Another area that I think is really fascinating, sorry, Vince.

I love this topic. Absolutely. You know, it is hacktivism, and I think we really saw a sense of that, right, with the whole Ukraine, Russia, when there was the cyber army of volunteers, kind of on both sides. But how do you see that kind of changing or evolving? Are we seeing more people getting politically motivated or socially activated, or are they kind of looking into expanding into other areas where they put their efforts?

      Ross Young:
Certainly, I think there are always going to be people who want to support a cause. You know, you could be pro Israel. You could be anti Iran. You could be pro Ukraine, anti Russia. Whatever it is, you're going to have people who support specific causes. And because of that, then they're going to do things that are borderline unethical and illegal. Right? And it's hard to say where those lines truly are when you're going to war against a foreign country. You know, typically, hacking is considered illegal.

      Ross Young:
But if it's against a foreign country that's invading you, there's probably, you know, some ends justify the means in this resolve. And so I think we're going to see more of this. Right? There's certainly a lot of wars, and if you're any kind of believer in religion, there's probably a lot more wars coming before the Second Coming. How do organizations understand if they're being attacked by all these hacktivism groups? What is it they need to do? Because now, instead of it just being large entities that may be tracked, is this thousands of people that they have to now start protecting against?

      Vince Spina:
Yeah. Ross, maybe that's the last question on hackers and code of conduct and things like that. But, up until now, and it's been great information and great insight, we're talking about hackers in a negative kinda way. And there's actually the flip side to that. In the world, bad guys are usually the black hats and the good guys are usually the white hats. And there's value in that. There's bug bounty programs out there, things like that. But, you know, when you work with your peers, how are you guys seeing organizations actually adopt the white hat, the ethical hacking side of the equation?

      Ross Young:
So first and foremost, there are good tools that companies buy which bad actors also buy. And I'll just give you an example. Acunetix. It's a very common dynamic application security scanning tool that companies may use, just like Burp Suite, to scan their websites for vulnerabilities. Well, guess what? If the bad actors buy that same software and start scanning your tools, they can find the vulnerabilities that your team should have found as well. And so good tools can be used nefariously, and, certainly, this isn't just limited to commercial tools. It can also be open source tools. So what happens is you have someone with very honest, pure intentions that they're like, hey.

      Ross Young:
I'm doing my PhD in cybersecurity. I'm researching. Here's a really cool way that, you know, Chrome is misconfigured and people can break into it. I'm sharing this with the world because I wanna improve Chrome security. Thank you. That's amazing. I'm glad we have smart people like those researching those things. Well, then a bad actor says, well, let me weaponize this so I can get thousands of grandmas' Social Security numbers, credit cards, things like that.

      Ross Young:
And that's where it's a really tricky line to say, did this good person with good intentions build something that can be used for evil, and is there a way we should have prevented that? And it's a tough line because we want to encourage good security research, but at the same time, if that security research ultimately only causes harm, is that really good research we should be focusing on?

       

      [15:30] Ross Young's Role as CISO In Residence at Team8

      Vince Spina:
Thank you. Maybe shifting gears. I'm trying to understand: you oversee a CISO village, which is a community of, from what I understand, hundreds of CISOs that you're engaging with on a regular basis. Can you share with us, in that construct, what are some of the biggest issues that you and your peers are talking about and facing in that role? Because that's a tough chair to be in these days. Yeah. Very valuable. But

      Ross Young:
I work at a venture capital company called Team 8, and what we do is we build a village of CISOs. And so think of, hey, I'm constantly meeting hundreds of CISOs and asking them, hey, what's going well in our industry? What tools do you wish were a little bit better? What things do we not even have tools for? And collecting all of that feedback. And then I also get a chance to meet with hundreds of vendors at, like, RSA and Black Hat and other events like those. And now we take all that and we say, okay.

It sounds like CISOs generally believe that data loss prevention tools aren't working as well as desired. Sounds like it's still very early days in AI security tools, and how are we going to stop, let's say, malicious models in our LLMs or other secure things like corporate intellectual property from being uploaded? How do we look into those things? And so a big thing of what we do is we build this network of asking CISOs what's wrong so we can figure out what kind of companies we should be building to solve these problems.

      Ross Young:
And then the other piece that I spend a lot of time on is creating content to help CISOs. And you just think about it. The CISO is really the only role in cybersecurity where you're not reporting to a cybersecurity leader. Right? And so you're kind of on an island. You know, at best, you may have a CIO or CTO in the C-suite you can talk to about things technical, but you're mostly talking to nontechnical audiences, the chief finance officer, the chief revenue officer, the legal officer, those other people. And so being able to see, hey, what are other CISOs doing in similar roles to me at other companies so I could learn those things?

So problems like third party risk management, building an effective vulnerability management program, things that are never going away, but how do we optimize those based on lessons learned and best practices in other companies? Those are things that I really try to share. And we have monthly webinars. We have position papers.

      Ross Young:
      We have a lot of things to bring content to CISOs to help them in that role.

      Rachael Lyon:
Nice. I've heard of BISOs also. Right? You know, kind of as the companion to the CISO. Are you seeing more of those kinds of roles getting stood up?

      Ross Young:
Yeah. So BISO or ISO or ISSM, kind of three synonymous names, a business information security officer, is someone who reports to cyber but is usually forward positioned into the developer armies. And so if you think about, hey, when I was at Capital One, I had essentially a BISO role as a segment CISO. And what I would do is I would meet with them and say, hey, here's all of your developers. Here's how many vulnerabilities they have. These are applications that they're trying to do brand new launches on.

      Ross Young:
Let's review the architecture of those things. Here's a couple of things where they're going to violate a security policy, and sometimes it makes a lot of sense. Why would we spend $10,000,000 on a security policy implementation if the software never actually makes more than that? And so it's a negative ROI issue. And so you'll just accept the risk on some of those things where it doesn't make sense. And it could be things like, hey, we bought this software, which runs our MRI software at a hospital. Well, this vendor went out of business 5 years ago. We're not patching it.

      Ross Young:
We're not doing anything to this Windows XP machine. It's terrible. We all know it. We all agree to it. We're gonna isolate it, but we're gonna keep it alive because the average cost of an MRI, which we can bill customers, is essentially worth keeping this thing around. So having those discussions and helping provide that cyber point of view is really, really key, and it really gives you an understanding of the role of the CISO without actually being a CISO. So I think if someone is going to become a CISO, doing a tour as an ISO or a BISO is really, really important. It gives you those experiences.

      Ross Young:
It helps you learn how to influence because that's really the role of a CISO. You have to convince people to do things who aren't under your managerial control. Right? All the developers report to the CIO, not the CISO. And so because of that, having that influence and those things that you learn in those roles is really key.

      Vince Spina:
Hey, Ross. I just wanna pull that thread a little bit too. Like, you're starting to see reporting lines change. They haven't changed massively, but usually the CISO was a direct report into the CIO, and then that CIO either to the CFO or the CEO. I have the privilege of meeting with a lot of CISOs and I am starting to see them actually move more into the C-suite, so to speak, and more and more are actually reporting right into the CEO. Are you seeing that in your CISO village, or are you still seeing mostly a role sitting on the IT side under a CIO?

      Ross Young:
So I'm definitely seeing an up-leveling of roles. And so if you just think about a large organization, you may have directors, you may have vice presidents, which actually tends to make you an officer of the company, then you could have, let's call it, an SVP and an EVP, a senior vice president or an executive vice president. And, historically, CISOs have been buried in the IT organization. Most of them have been up-leveled because of their requirements to brief a board or to brief the executive leadership team. Now, still today, I would say at least 50% report to the CIO. Some people like this. Some people hate it. There's pros and cons because of the conflict of interest.

      Ross Young:
The CIO wants to keep high availability. And when you're focused on keeping high availability, you don't wanna always be patching and taking down systems. So that's where the conflict comes. Personally, one of the things that I like is what the banking industry has done. They have created a role called the chief risk officer, who's required to report to the CEO and have a report directly to the board. And I think that makes a lot of sense. I'd never think that the CISO should directly report to the CEO, because the CEO is so busy that you have very, very limited time, and it's hard to have effective change. And cyber is only one of many risks.

      Ross Young:
There's the risk of the company going out of business. There's mergers and acquisition risks and all these other things. So I do think in a lot of organizations, it makes sense to move the CISO role from reporting to the CIO to reporting to the chief risk officer, where they have an opportunity to get broadened across all the other risks and even grow into that chief risk officer role if they truly want a reporting authority role to the CEO once they have that broader business context.

      Rachael Lyon:
Yeah. That's really great perspective, right, because it's such tricky waters organizationally, on how to structure it for maximum impact. Right? I mean, there's just a lot of headwinds that have to be faced, and I'm a big fan of CISOs because it's just not an easy job.

      Vince Spina:
      It's not.

Rachael Lyon:
You know, and speaking of risk, I'm really curious, as you look at today's landscape, there's already tons and tons of data and privacy compliance standards, and with AI coming online they're figuring out regulations there. You know, how can CISOs navigate compliance waters today? It just seems it's getting more expansive. I forgot, like, what, 60% of countries or 70% of countries already have certain regulations in place that sting too, right, if you're in violation. And for any company that has a global footprint, how can you make sure that you're in compliance and you're not running afoul in one country and not another?

      Ross Young:
So the first thing I will say is a CISO's focus on one particular standard is going away. And I know you may say, well, why would we ever go away from NIST or ISO or GDPR or CCPA? And it's because if you're a global company in 200 countries, you have 200 standards. You don't have one to focus on. You have 200. And so because of that, you need to map to a universal compliance framework, something like the Secure Controls Framework, SCF, which does that mapping to all those standards for you. And then once you have this universal list of controls, you can say we're gonna do these controls, and then if we have evidence to show that we did these controls, here's a mapping to any standard. So pick your random agency overseas who says, hey, we need to see you met our local standard.

      Ross Young:
You can show them. And that's really the easy way to do things. But I will say it is extremely complicated because of data locality and privacy laws. So one of the hardest things that CISOs are encountering right now is laws being passed that say you need to keep our citizens' data in our country. Okay. Makes sense. Why would we want our data to leave our country? Totally get that. But what happens is the IT department is making decisions that say we're going to use SaaS based solutions.

      Ross Young:
So they're gonna buy Workday to do all of HR and training and things like that. And now you have to go to Workday and say, hey, did you realize we're actually in 200 countries? And they're like, yeah, I had no clue. I don't care about your company. Just buy our software. Okay. We want your Workday to have a local instance in China, in Russia, in Indonesia and India and all these countries that we're in.

      Ross Young:
Yeah. Workday says, we're not gonna do that. Go pound sand. So now the CIO and the CISOs are stuck in this position where their local regulators are saying, hey, we want the data to only be in China, and yet at the same time, their third party SaaS solutions don't even offer those capabilities. And so that's a really weird place to be in, and they're gonna be in a lot of legal hot water going forward, because we have this thing where we're trying to reduce the IT cost by not having to build everything in house. But at the same time, the laws are not consistently giving that same direction.

      Vince Spina:
I'm gonna jump in, Ross. Like, up till now, in my role, I have the privilege of speaking to a lot of CISOs, and I'm hearing some themes come out here in our conversation with you. We talked a little bit about tools, security tools, and I can tell you when I talk to CISOs, a lot of the conversation goes to the fatigue and the complexity of tools and how we have to simplify our environments to really get our arms around it. And then now, just recently, a little bit about the compliance part. Probably the third topic that is pretty basic, but it's a big issue in the industry still. It's getting a little bit better, but it's around just talent management. I mean, again, I go back to after the pandemic, there was a term coined, the Big Quit. A lot of people just decided they weren't gonna come back. I think you're seeing more and more people who are in the workforce or want to be in the workforce.

Vince Spina:
But, for folks sitting in roles like yours, the biggest issue is, do they have the actual experience and talent necessary? Like, is that still a big topic for you and the folks you talk to?

      Ross Young:
So I think there's a lot of talent out there. And if anybody doesn't believe there's a shortage, or that there's a lot of talent, I would say, imagine you're a CISO for a day. How many emails do you get from people offering to provide contracting services for you? You will literally get dozens of those emails every single day. So I think the talent's there. Now where I think the disconnect is, is in the executive leadership teams, and I'm talking the CEOs, the CFOs, and those executive leaders. Most of those people are in their fifties today, which means when they grew up as kids, they didn't have cell phones.

They didn't have smartphones. They went over to their neighbor's house, and they played sports or whatever they did. Versus if you take these people who were born in the mid eighties, right, these kind of senior directors, first time leaders in the early C-suite type roles, those folks grew up in their twenties using smartphones, calling friends, playing on social media, and other things like that.

      Ross Young:
And so they actually really enjoy these remote hybrid experiences. So we kinda have some generational differences where the old generation loves the in-person experience. They want to socialize. They wanna have happy hours and lunches and meet with people. And then you have the young kids who say, hey, I freaking hate this one-hour commute to work. I wanna live where my friends live, where I went to college, in these small towns where there's not a lot of job opportunities. Just give me a remote opportunity that's 100% remote.

      Ross Young:
And so good companies that are not flexible on 100% remote are losing out on really, really good quality talent. And so I think that's the biggest generational difference right now, and I'm hoping that will change, but I'm starting to see the shift back where they're starting to say everybody has to be in the office at Amazon and Microsoft and these big type places.

And my fear is it's going to take another 15 years for this older generation of folks who didn't grow up with the remote-first mentality of calling your friends on the phone. And when that shift happens, then we'll see more of it. But it was like a nice trial during COVID, but it wasn't lasting, from my impressions of large companies.

      Vince Spina:
Yeah. Where do the majority of the CISOs you work with on a daily basis fall in that? Because usually that's a policy that comes from very high up, and, as employees of a company, people at the top set the direction, and we're asked to execute against that. But what's the mindset of a CISO who's really looking for that talent? Are they buying more into the idea that remote is perfectly fine for the right person?


      [30:59] Challenges and Solutions for CISOs

      Ross Young:
So I think CISOs because we're much more tech focused and and leaning, we're very into this remote workspace, so I think we're very supportive of it. And the big thing I would say, and and I learned this from a really good friend of mine, is if you really want this 100% to to work, you need to increase your travel budget because you still wanna have times when people can have in person meetings at large conferences or other things and do those connections, and it can be very, very successful. But that being said, oftentimes, these decisions are made at executive levels above the CISO, so the CISO just really has to salute and follow. 

      And in those cases, what I'm seeing today is there's predominantly a hybrid solution that requires people to be in the office 3 to 4 days a week, and then they can flex from home 1 to 2 days a week. I think that's the most common model that we're seeing today.

      Vince Spina:
      Seeing that as well.

      Rachael Lyon:
      I like that model. It's kind of, you know, the best of both worlds, if you will. It's been fascinating to track this topic though, Ross. I mean, as you mentioned, some of these, you know, Amazon's been in the news a lot. Dell was in the news, you know, when they have been remote or, you know, you didn't have to come in the office for years, and then all of a sudden that changed. And I forgot how many how many employees basically said no. You know, we'll give up any kind of future career advancement or future raises or whatever it was because they just weren't willing to come back in the office. 

      I mean, do you see kind of the employees, the you know, as they band together, is that the opportunity to try to, you know, kinda force the issue in a way with the senior management at some of these companies to keep good talent, or, or is good talent gonna walk out of the door at the expense of, you know, being being forced to be in the office every day of the week?

      Ross Young:
I think good talent is gonna walk out the door. And a lot of times, we frame it as, well, the employees just don't wanna be in the office 3 to 5 days a week. And I I think we are oversimplifying some of these root causes people are leaving. And I'll I'll just share my personal example. I lived in Nashville for the last 4 years working at Caterpillar and had a great time working in that company. And then what happened was, my dad started having a lot of personal health issues, and I'm an only child. Right? There's no other kids to take care of my parents, just me. And so because of that, there was a need for me to move back to Las Vegas if I wanted to spend more time and have more memories with my parents and create those memories for my children, to have those opportunities.

      Ross Young:
      And so I I told my company that, hey, I needed a 100% role where I could be permanently based here, or I was going to leave the company. And, unfortunately, that didn't work with Caterpillar. They still had a focus on being in these three locations of their big hubs. And so because of that, I absolutely walked out the door. And I think there's a lot of people who are going to have aging parent issues, and it may not just be their parents. It could be their spouses, you know, who have, their parents have health issues as we have these generations living longer and longer, and now we have to help our our families. And I think that's the right thing to do from a family perspective.

      Rachael Lyon:
      Agree.

      Ross Young:
      And so do you really wanna lose your best employees? Some companies are gonna say yes. Personally, I would not make those same decisions.

      Rachael Lyon:
Yeah. Agree. Agree. The flexibility is nice, and I think you have happier workers, more productive workers, you know, when they have that kind of flexibility. At least what I've observed and, you know, like the folks that I manage and and what it's enabled them to do, I think, to your point to help family members, or otherwise, because time is precious. You know, you don't get that time back. And I think as as, parents, you know, get older, you know, every every year is precious, even more precious. So it's, I'm 100% on board with that, Ross.

      Rachael Lyon:
Absolutely. You know, earlier you had mentioned, you know, kinda DLP tools and and things like that, which is another fascinating topic today, right, with this whole explosion of AI and generative AI. And, you know, how can, you know, CISOs or companies, you know, how do they need to evolve their data security practices? Because it would be so easy to not even think about it. You know, hey, we got a product launch coming up. I'm gonna put some thoughts into, you know, ChatGPT to help me with, like, a marketing plan or, you know, some kind of is it some development work for for example? I mean, how how can you wrap your arms around something that has just taken off and is just growing exponentially with new websites coming up every single day for for generative AI?

      Ross Young:
Yeah. It it's really, really tough. The first thing I will say is as an organization, we can't even determine what an application is anymore. It used to be, oh, you had to go get a server. You need to go install, you know, Java or something as a web application, then you ran it. And now what the definition of an application is so hard to say, is every page on a Wiki page its own individual application, or is only the Wiki one app? And the same thing could be said for every SharePoint site that's out there. And what about an Amazon S3 bucket? Is every individual S3 bucket its own web application if it hosts code? And then are you gonna require every individual bucket to have a robust disaster recovery plan and meet all the different security compliance controls separately? It gets very, very difficult to to even determine what the minimum application is. And now after that, then you're going to say, well, even if we could understand what every application was in our organization, we now have to figure out which ones are talking to third parties, which might be sending data to LLMs, ChatGPT, things like that.

      Ross Young:
      And so this is where staying in touch with a cutting edge ecosystem and venture partners is really, really key. You're gonna go and you're gonna start learning about companies that take things from a very, very different approach.

      Vince Spina:
      Mhmm.

      Ross Young:
      And so instead of, hey. How do I inventory everything? Maybe what we do is we look at companies like Grip Security and others that they look at all of your emails to say, oh, did you realize here's all these companies that are sending you EULAs and you haven't logged in in these, and then they can start inventorying all these LLMs that you're using, or you're looking at it from DNS logs and traffic. So there's a lot of different ways that we're going to solve this. Personally, I think it's gonna be too hard for one company to to focus on this, and there's it's gonna be something where we're buying solutions. And what I would say is because this space is changing so fast, it's really important you're going to these conferences where you can understand the changing ecosystem. Because what was good 2 years ago may not be the best mousetrap today that you need to really be buying and how it solves these things. So every 2, 3 years, when you're doing your your, let's say, new contract renewals, are you going and doing a really good evaluation to see who are these emerging startups that are bringing the technology to solve these problems.

      Vince Spina:
Hey, Ross. I wanted to drill in on something you you said earlier when you're talking to your peers, and you talked a little bit about DLP. And, couldn't remember exactly your words, but, you and your community feel like, in that genre of technology, things are lacking. And, you know, on this podcast, you know, one thing Rachael and I try to do is keep, our own brand's bias kind of out of it, but we are a kind of a leader in DLP. What we're finding in the field when we're having conversations is DLP is actually in vogue again. It was kinda something that was really important, you know, a decade ago or so, and then all of a sudden, it became kind of passe. But in this world of, borderless environments where, like you said, I mean, I love your your concept of what is an app, but, you know, most people, businesses and people are conducting, commerce over web channels, cloud channels, things like that. But what we're finding is DLP is actually there's an uptick, in the desire to use that technology, but it's being prepended with a technology called DSPM, data security posture management, where we're living in these borderless remote, worlds now where our data is everywhere.

      Vince Spina:
What we're finding is, CISOs and companies are actually really putting an importance on discovering where their data is, classifying it, and then protecting it through DLP policies and then, you know, building kind of a, a whole monitoring environment around that to where it's not a one time. It's a 360 degree kind of view that they, you know, they continually, run and monitor. Do you do you subscribe to that thinking or, you know, do you have a different opinion?

      Ross Young:
Yeah. So we we've really changed over the past 5 years. And what I'll say is before then, it was very abnormal to see a lot of data scientists in in most companies. And we love data scientists. They provide us new insights on our data, and they help, you know, help us understand how we can make more money, sell more widgets, and things like that. And so what has happened is these traditional places of our data only lives in these dev test prod, servers isn't the case anymore. Developers and, these, data scientists are taking the data, putting it on their local laptops, massaging the data, doing ETL, and moving it to all different places. And so the CIO and the CISO have no idea where all their data is today.

      Ross Young:
      Right? Which means it's very hard to protect it when you don't even know where in the network it is. And so if all of a sudden you have this giant unknown, you have to start with, okay. We need to scan all of our system locations to figure out where our PII, PHI data is being stored at. So that's really the first thing. We have to classify, and we have to have low false positive rates because, otherwise, we're chasing down millions of files that, you know, are are wasting everybody's time and costing resources and money. And then let's say you get to that place to where you've classified all of your data appropriately. Your next thing is, how do I actually make sure that data can't be stolen by some bad actor or by some, let's call it dumb intern, who doesn't know where to put the data, and and they put it in places it shouldn't go. And and that's another really, really tricky thing.

      Ross Young:
      We've we've had a really bad history of limiting access, And you can just think of, I'll I'll give you the example. Let's say Rachael here was on the accounting team and had all the access to the accounting data. Perfect. We love that. We want accountants to have access to that. Now she changes from the accounting team to go over to the comptroller team. Did we remove all of her Windows share drives, all of her, SharePoint, folders and access, and every other file that someone has manually shared with her? Probably not. We might have removed some application access, but maybe not every folder and every file.

      Ross Young:
And so now if if Rachael gets spear-phished because she clicks on that dodgy link, do the bad actors still have access to all of her old accounting data, which she shouldn't have anymore? And that blast radius only grows. I I think if you were to ask how many files does the average employee in a company have, you would see hundreds of thousands of files once someone's been there for over a year. And so these things have got to change because it's not gonna be a positive outcome. And then, you know, our regulators are gonna hang us out to dry when they're like, why didn't you remove Rachael's accesses? There's no reason she should have still kept those. And you're like, you're absolutely right. And so I think we're gonna go into a place of what does least privilege really look like for data, for files, for access. If you haven't opened this file in 6 months, remove the access. We're gonna make a really streamlined process where you can get access to the files in 10 minutes when you ask for it and you have a legitimate business justification.

      Ross Young:
But if you haven't used it, you're gonna lose it. And so I I think that's the shift that we need to see. That's where the DLPs that are doing this automated, removal of access are really interesting. The hard thing is it's there's just a huge trust right now, which is, are you gonna take away files that I need access to, and how will I be able to recover that? And so that's kind of these internal politics that CISOs are having to to overcome right now if we're gonna go for a better, more secure future.

      Rachael Lyon:
      Yeah. That's a great point. I'm cognizant of time, but I I did tease this at the beginning, so I wanna make sure we have an opportunity to talk about it. What inspired you to create the OWASP threat and safeguard matrix, and and how could organ organizations use it?

      Ross Young:
      So I built the OWASP threat and safeguard matrix when I became a CISO at Caterpillar. Essentially, when I came into the role, I think like most other CISOs, you're like, oh my gosh. I don't wanna be the CISO who causes a breach because I didn't think all the things through and do all the smart things. And what I found was most of the guidance and recommendations were based on policies, and policies do not, reflect today's real threats. And if you just think about it, if you were to go and look at NIST or look at CIS 18, there's some good things in there, and they're gonna tell you, hey. We need to inventory all of your assets. That's like one of your first controls. Well, you could never finish that activity because we can't even define what an asset is in in in an application.

      Ross Young:
But at the same time, we're seeing the bad actors pivot faster than our standards and our controls can be updated. And if you just go to look at the Verizon data breach report, you would see most actors are using identity based attacks, right, to really focus right now. And if that's the number one attack vector, I need to build a defense in-depth plan that says, how am I going to stop identity based attacks? Hence, why I came up with the OWASP Threat and Safeguard Matrix. What you do is you put each of the threats on additional rows, and then you use the NIST functions of how would I identify where these things could happen? Okay. What are all the systems I have to worry about identity based attacks on? Then once I know those systems, what are the things where I could automatically stop the attacks, i.e., the protect phase? And if I couldn't protect them and the identity attacks happened, how would I detect those things? You know? Do I have a SIEM? Do I have logging monitoring? Do I have something where I would measure and notice? And so you go through these 5 phases of identify, protect, detect, respond, and recover, and use these threat based approaches. And when you do this, you have a robust defense in-depth plan. And and I just think this is so much better than what we were previously doing. Someone would say, hey, it's a material risk.

      Ross Young:
      Throw it on the risk register, which is like a three line thing that says, we will mitigate this risk. And and I can't imagine going to war, with a country and saying, oh, Russia is a risk. We're just gonna put them on a a little risk register that says, if they attack, we'll attack back. Like, I I just think that is totally trivial for material risk to companies. So building these defense in-depth plans of the identify, protect, detect, respond, recover is really how we start to think very creatively and build robust plans of defense. So if you haven't taken a look, please just Google search OWASP threat and safeguard matrix. I'm sure there'll probably be a link in the show notes, but it's some of the best work I've I've come up with in order to protect companies.

      Rachael Lyon:
      I love that. Yeah. Organizing, getting organized, and and having a plan is so important. You know, just just doing that work, right, can make such a difference, such a difference when things happen. Well, Ross, I really wanna thank you for your time today. This has been a very insightful conversation. I've really enjoyed it. I we hit on some of my favorite topics, particularly when we talk about hackers.

      Rachael Lyon:
      I can never get enough about hackers. So thank you so much for joining us today.

      Vince Spina:
      Thank you

      Ross Young:
very much. It's been my pleasure. Really appreciate it. If anybody wants to learn more, please, reach out to me, connect on LinkedIn. Also, as mentioned before, OWASP Threat and Safeguard Matrix or CISO Tradecraft are fantastic ways to learn more on cyber. And last but not least, if you are a CISO and you wanna get, more involved with Team8, happy to help you and and show you all the cool things we're doing there.

      Rachael Lyon:
      Wonderful. And let's not forget to give a a plug for your own podcast, the CISO Tradecraft podcast, which you're a cofounder of.

      Ross Young:
      So Oh, thank you.

      Rachael Lyon:
      Folks can can go check out more there. Well, to all of our listeners, thank you again for joining us this week and for another awesome conversation. And as always, what do we like to do, Vince?

      Vince Spina:
      Smash that like button.

      Rachael Lyon:
      That's right. Smash it. Smash it. Subscribe and get a fresh episode Absolutely. Every single Tuesday. So until next time, everybody. Stay safe. Thanks for joining us on the To the Point cybersecurity podcast brought to you by Forcepoint.

      Rachael Lyon:
      For more information and show notes from today's episode, please visit www.forcepoint.com/podcast. And don't forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.


      About The Guest


      Ross Young, CISO In Residence, Team8

      Ross Young is the CISO In Residence for Team8. Previously, he served as the CISO of Caterpillar Financial and a divisional CISO at Capital One. He has over a decade of experience with the CIA, NSA, and the Federal Reserve Board. Additionally, Ross has been an instructor at Johns Hopkins University and created the OWASP Threat and Safeguard Matrix (TaSM). His expertise includes attacking financial services for the federal government and automating defenses in Cloud Security and DevSecOps pipelines.

      Ross holds master's and bachelor's degrees from Johns Hopkins University, Idaho State University, and Utah State University. Ross is also designated as a Boardroom Certified Qualified Technology Expert (QTE) and a Certified Information Systems Security Professional (CISSP).