The Cyber Why: What We Read This Week...
... and why you should too! (11/1/23)
It’s been an exciting week. Executive orders and CISO-targeted civil lawsuits take the headlines in this week’s TCW newsletter. How will these changes affect the daily lives of top cybersecurity executives - will they run scared or lean in to defend themselves from a new existential threat? Twitter and Mastodon were alive with discussions, but no real easy answers emerged. In addition to this dangerous drama, we cover the unique attributes of cloud security that made the market explode, Biden stopping Skynet from becoming self-aware, Charlie Munger hating on VCs, and a plan to rein in the gilded tech bros of today!
Please visit our sponsor, Nudge Security, and forward this to at least one friend. Your forwards are magical and really do mean a lot! Have a great day, and read on…
Get a free shadow IT inventory in minutes.
Discover all SaaS and cloud accounts ever created by anyone, anywhere in your organization, in minutes. No agents, browser plug-ins or network proxies required.
View all apps, user accounts, SSO & MFA enrollment status, OAuth grants, and more. Get alerted as new apps are introduced and view up-to-date intelligence on your SaaS providers’ breach histories and security posture. Start your free trial now.
Chief Impending Sacrifice Officer - CISO
SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Rick Pick - SEC)
Since the SEC issued Wells notices to SolarWinds late last year, we knew "something wicked this way comes" might be on the horizon. On Monday, the SEC charged SolarWinds CISO Timothy Brown with "fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities." The SEC alleges that "Brown was aware of SolarWinds' cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company." I prefer to see regulatory bodies and attorneys general go after executive leadership, not just CISOs. Security leaders don't work in isolation. They don't own the risk. They communicate the risk, and then the business decides how to act. CISOs shouldn't become scapegoats. In this case, the SEC alleges Brown didn't accurately communicate risk up the chain of command, and it also sent Wells notices to other leaders. There is much we don't know about this case, but on the heels of the Joe Sullivan conviction, it portends an ominous future where CISOs not only have to deal with cyber threats and risks but also with risks to their livelihood.
Ready, Fire, AIM! Cloud Sec’s Unique Attributes
Cloud Security: factors that make it a unique market (Venture in Security)
Once again, the great Ross Haleliuk is back with some deep analysis. This time, he sets his sights on cloud security, explicitly trying to understand the factors that make cloud security a unique market. As a practice, cybersecurity really hasn’t been around for that long. There was no such thing as a cybersecurity market when I was an undergrad, and I have been around to see most, if not all, of the modern innovations in cyber take place. Ross’s analysis is spot on. In the article, he articulates a few key factors that accelerated the emergence of the cloud security market:
The desire of customers to do everything in one place - do all the things.
The powerful APIs of cloud providers - speed up the pace of engineering.
The ability to leverage existing concepts - what has worked in the past will work again.
One ring to rule them all, the interconnectedness of modern systems and architectures, and standing on the shoulders of giants have all contributed to what so far has been the fastest-growing market in cybersecurity history (all 30ish years of it, lol). Wiz made a run at being the fastest company in history to hit $100M in ARR for a reason - the technology moat has nearly dried up thanks to the factors above. “Blitz the market and win” is now the only correct strategy.
Biden Keeps Skynet From Becoming Self-Aware
President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (Rick Pick - The White House)
Joe Biden’s Sweeping New Executive Order Aims to Drag the US Government Into the Age of ChatGPT (Wired)
On Monday, the Biden Administration issued a new Executive Order "to ensure that America leads the way in seizing the promise and managing the risks of artificial intelligence." The Executive Order focuses on establishing safety, security, and testing standards for AI, protecting Americans' privacy, equity, and civil rights, and standing up for consumers, patients, and workers. It claims to be the "most significant action ever taken by any government to advance the field of AI safety." A risk here is that the actions laid out in this EO stifle domestic innovation, giving other countries a competitive advantage in the new AI "space race." The order does include a section on promoting innovation and competition. I'm always skeptical of Executive Orders; without Congressional support and funding, the results won't be as successful as outlined. Executive Orders can have short life spans as administrations change every four to eight years. Speaking of Skynet, the UK is hosting the AI Safety Summit this week at the famed Bletchley Park. The summit aims to develop a set of global principles to develop and deploy "frontier AI models."
When Charlie Speaks People Listen
Billionaire Charlie Munger, right-hand man to Warren Buffett, hates venture capitalists. “To hell with them! You don’t want to make money by screwing your investors, and that’s what a lot of venture capitalists do. You really shouldn’t be in the business of charging extra unless you really are going to achieve very unusual results.” That’s quite a scathing review. According to Cambridge Associates, quoted in the article, over the last 20 years the average annual return for venture capital investments was 11.8% versus 12% for the Nasdaq Composite. In the first half of 2022, venture capital investments reflected an average loss of 13%. Maybe there really is something to Charlie’s vitriol around the application of venture capital.
Tear Down The Tech Bros - Save The World
Here's a New Plan to Rein In the Gilded Tech Bros (Wired)
If you are a history buff, this story is for you. Former FCC chair Tom Wheeler makes the analogy that the tech giants of today are a reincarnation of the 19th-century robber barons. They line their pockets regardless of the impact on society at large. Here’s a direct quote from Mr. Wheeler:
“The digital platforms collect, aggregate, and then manipulate personal data at marginal costs approaching zero,” he writes. “Then after hoarding the information, they turn around and charge what the market can bear to those who want to use that data … It is, indeed, the world’s greatest business model.” While the subtitle of his book is a question, the answer is obvious and depressing. “Thus far it is the innovators and their investors who make the rules,” he says. “At first this is good, but then they take on pseudo-government roles, and start infringing on the rights of others, and impairing the public interest.”
The real question is what can actually be done to solve the problem (if anything). The recent executive order on the security and safety of AI is a good start, but enforcement is always a more complex problem. Government intervention will have to come at some point in the future!
Quick Hits and Hidden Gems
Alan Turing and the Power of Negative Thinking (Wired) - If you are into complexity theory and theoretical computer science, this article is for you!
GM’s Cruise Halts All US Robotaxi Service After Suspension for Pedestrian Who Was Dragged (Wired) - When drug trials hurt someone, we put it in a disclaimer. Self-driving cars will save WAY MORE lives than they will hurt.
Cost of a Data Breach Report 2023 (IBM and Ponemon) - The average breach cost in the USA is up to $8.4M, $840K higher than three years ago.
Security needs to shift away from risk and focus on trust (Franky Wang) - While trust is essential, if we don’t reduce risk, then trust will go to zero. Trust + risk reduction = a proper cybersecurity win!
Massive cybercrime URL shortening service uncovered via DNS data (Bleeping Computer) - Automation is king (and drives underground revenue).
Why Starting a Business for a Big Payout is a Big Mistake, Parts 1 and 2 (The Reformed Analyst) - Katie takes a shot at why you should really be an entrepreneur. Spoiler alert - it’s not for the money. Chances are you won’t make it!
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!
The CISO sacrificial lamb would have been really funny if it were not true... :D