The Rising Ransomware Risks
Ann Johnson: Today, I am joined by Rinki Sethi. She is the vice president and chief information security officer for one of the world's most popular social media sites - Twitter. With hundreds of billions of users around the world, Rinki is responsible for protecting Twitter's information and technology assets, in addition to directing the company's continued product innovations in the security space. Rinki has been in the helm of developing cutting-edge online security infrastructure for several Fortune 500 companies, including IBM, Palo Alto Networks and Intuit, carrying several distinguished security certifications and serving as a mentor for many students and professionals. Welcome to "Afternoon Cyber Tea," Rinki.
Rinki Sethi: Thanks for having me, and it's a pleasure to be here.
Ann Johnson: So you know I love Twitter, and I'm an avid user. It is this amazingly powerful tool for obtaining information quickly. And it's also a tool that many people rely on, especially in times of crisis, even cyber crisis. This summer, of course, was no exception. In June, we learned the FBI seized $2.3 million worth of cryptocurrency wallets used in the Colonial Pipeline ransomware attack. And in July, Kemba Walden, the assistant general counsel for Microsoft's Digital Crimes Unit, testified before the House Energy and Commerce Committee's Subcommittee on Oversight and Investigations for a hearing called Stopping Digital Thieves - The Growing Threat of Ransomware.
Ann Johnson: So with the rapid increase in attacks we see month after month, I've been referring to this summer as the summer of cyber. One of the biggest trends we saw was a significant uptick in ransomware attacks. Do you believe ransomware attacks are truly rising or are they just becoming more high-profile?
Rinki Sethi: Yeah, I think it's an interesting one. I believe more and more of our critical infrastructure is getting hit by ransomware because prior to Twitter, I worked at Rubrik, and a huge part of their business was to protect companies from ransomware. And, you know, at the time, it may not have been huge stories and huge headlines, but we saw a lot of ransomware attacks, and companies really wanted to solution around it because they were hearing one of their peers in health care or whatever it would be that was getting hit by ransomware.
Rinki Sethi: I think the high-profile nature in hitting critical infrastructure - we saw companies basically come to a standstill. That's the big thing, and the bigger part of it is that not having the appropriate resiliency and the right crisis management plans around that. So I do think they're more high-profile in that companies are - I think now we're going to see a shift where companies are going to start to get into more of how do we prepare for crises in general. And definitely ransomware will be one of those playbooks that they try to do test exercises with.
Ann Johnson: So as you think about cybersecurity - like, you've put in a lot of different companies, you have a tremendous amount of expertise and you work with a lot of mentees, so what is your strategic approach to cybersecurity and what should companies be thinking about right now as best practices to keep companies and their customers safe?
Rinki Sethi: Yeah. I mean, as you mentioned, I'm a huge Twitter fan, too, of course, and I follow you, Ann, on Twitter and get news from you all the time. But you can get inundated with just the information around cybersecurity and what's out there. And I'm a strong believer that no one person can nail a cybersecurity strategy on their own.
Rinki Sethi: And so there's a lot of things that go into it, and my biggest approach has been that I go into companies understanding the biggest risks to their business, whether those are security or not. And most companies now, cybersecurity is one of the top risks for the company. But just understanding what are the big challenges that the company has, the business has - and I think that being a CISO is more of an art than it is a science.
Rinki Sethi: One of the things that I think is my responsibility is how do I touch the minds and hearts of people in the company so that you can really bake in security into the DNA of a company. And I know it's a little cliche and you hear it all the time, but if you're just going around and trying to put policies and try to put technologies in place, I don't think you really move the needle unless folks feel that it's their responsibility to not just the security team.
Rinki Sethi: So my approach has always been understanding the risks of the company, really building strong relationships with executive teams so that they become my strongest champions around security and then building a team that complements each other that has varied backgrounds and experiences that can really tackle some of the craziest challenges we have yet to see in the security industry. And I think at the same time, as you're - you know, a lot of times when you enter a new role or a new company, you say that, hey, there's a lot of security debt and the team is working through that security debt that needs - you need to start bringing risks down on. But I think it's equally important in order to retain talent and then in order to just have a strong security strategy that you're in parallel looking at, how do I stay ahead of the curve, how do I innovate, how do I look at new technologies that might be coming while I'm still focusing on burning debt down, security debt down as well?
Ann Johnson: You know, I think that's a fascinating approach. And we're talking to guests on this season of "Afternoon Cyber Tea" about the culture of cybersecurity and developing a company culture of cybersecurity largely - for a few reasons. But two of the top ones that come to mind are we need everyone to be on the frontlines of the defense, and we can't hire enough, you know, pure security defenders. So by having this culture of cybersecurity in the company, it becomes everyone's job to learn how to protect the company. I think that's what you're - where you were going with that, but I'd love if you could expound upon it just a little bit more.
Rinki Sethi: You know, I've always said that if it's just the security team that's running and doing security at a company, you've already kind of failed because they're - every single - the security team is not ever going to be large enough to be there for every single problem, for developing every, you know, product that's being developed for a company or feature. And so what you do have to do is arm folks with the right tips and tools and training.
Rinki Sethi: But the only reason I believe that people will adopt that outside of the security organization is if they feel a responsibility and they feel that, hey; there's a lot that is on my shoulders around doing the right thing and having that culture of people really feeling like they have a shared responsibility. And I'm on the forever pursuit of that. I have not nailed it by any means, but I think there's some interesting approaches in doing that and setting the right culture.
Rinki Sethi: I think a lot of it is right - bringing the right data to the right people at the right time. And what I mean by that is, you know, a developer might really be impacted if you can show them that an app that they built or, you know, a line of code that they wrote that had issues with it that didn't go through proper checks - that you're able to attack it and show them what impact that then had to that app and what a security researcher or a hacker may have been able to do whereas with an executive team, like a finance team, you might be able to showcase to them another finance team that was spear-phished and how personal information or personal data or even money went out of the organization because of a social engineering attack that was geared towards a finance team.
Rinki Sethi: So I think it's really important to understand the different teams, how they work. And then bring the right data. Bring the right information to them, and really kind of make sure that they feel what the harm could be or what the upsides could be, too, if they had the right practices in place.
Rinki Sethi: And, you know, it takes a long time. It takes time to build this culture. You can't expect that everybody's a security expert out there. And so, you know, you've got to kind of keep going around and really kind of educating and communicating to folks what is out there in terms of threats and threats specific to them but then what they can do about it as well to avoid falling victim to those kind of attacks.
Rinki Sethi: So I think that's how you start then changing the culture. And I mentioned, too, it's also executive championship, and that top-down messaging can go a long, long way when the leaders of the orgs are really saying that I am advocating security when they start putting security as goals and individual goals and so forth. So - or team goals. So I think all those things can help really shift the culture.
Ann Johnson: Yeah. I love that approach, and I love that just having that culture of cybersecurity and getting everyone on board by highlighting the problems specific to their area. And it goes to the - you know, we recently learned via study that 80% of senior IT and IT security leaders believe their organization lacks sufficient protection against cyberattacks. And when you think about, you know, even cloud-based computing service, there's a whole nother trend of cloud services and attacks on cloud services. So given that only 20% of organizations feel prepared, I do think that the culture of security lends itself towards helping those organizations feel more prepared. But what other guidance would you give them?
Rinki Sethi: Yeah, there's a lot - I mean, I think having the right kind of design reviews and ensuring that you have the right tech in place. But I think also going through crisis exercises has been just immensely helpful not just from a security perspective to see where there might be gaps but, I think, giving the confidence that you're going to be able to respond to these effectively, that if anybody in the organization is involved or is asked about, hey, how did the security incident happen, or, what are the gaps in cloud security, or whatever your posture might be, it's - I think having that crisis management plan, knowing that folks at the senior-most levels plus the folks that would be dealing with this on the ground really are aware of, hey, this is who I should call. This is who I should contact. They have a communications plan in how you're going to deal with an incident. I think that all those things are super-important in giving that - I think giving the company more confidence.
Rinki Sethi: I say all that, but I also think that - I keep mentioning executive championship. But I think companies do need the right funding and the right budget and the right investments put into security upfront so that they can feel prepared. It's sad to hear those stats, right? When you have these IT security teams or IT teams, they're working so hard. They probably are aware of the risks and have flagged them but then not having that, you know, support and, you know, scalability support to go and build the right things that they're already - they already know they need to do.
Rinki Sethi: One eye-opener has been do some crisis management exercises and kind of push the company to go do that. 'Cause if everybody's eyes are open to, oh, my gosh, this is something that might happen to us, they may be more willing to put budget there so that those leaders do feel more prepared.
Ann Johnson: Yeah. And I think the statistics that we've seen just for 2021 are, you know, an invitation for executives and companies to take security and to take risk control even more seriously. So how do you think, you know, as they look at the new data - right? - and I guess my question for you is - because you've worked with a lot of companies is, do boards and at the executive level - how much are they paying attention to the data? How much are they pushing leaders to take a different cybersecurity approach and to report out to them? And what do you think that we could have done differently that might have had an impact in the last year?
Rinki Sethi: Yeah. You know, one of the things that I think is awesome is we're seeing more risk committees form now. So there's the board. There's the audit committee. And now - and, you know, security kind of didn't have a home, so it would sometimes present to the board. Sometimes then you heard them presenting to the audit committee. But the audit committee doesn't always have the expertise needed to review security 'cause it's more of a financial background.
Rinki Sethi: But you're starting to see risk committees form, which I think is really interesting, and it's dedicated to infosec and other, maybe, risks in the company. And that's where they're starting to bring on the right board members to go in and kind of help and support and ask the right questions around this. And so I see a real shift and a real interest at the top levels. And a lot of this is happening because they're getting guidance from other companies that have gone through breaches and the, you know, pain that they suffered through that we need to really raise this to the board. And I think boards are hearing this and taking it more seriously.
Rinki Sethi: I think one of the shifts that need to happen and, you know, this may be somewhat controversial, what I'm about to say - there's no standard presentation right now for a CISO to provide to the board. Every CISO and every company does it different, and every board wants it done differently. Now, having, you know, either presented myself or helped with board content over several companies, it's not been consistent in any way, shape or form.
Rinki Sethi: And I think because you're preparing so much for a presentation, like, what should that conversation look like so that the CISO gets the right support and the company's protected in the right way? And a lot of times, CISOs are really, like, walking this fine line as to what do we want to tell the board versus what might I get in trouble for sharing with my management team because I want to show full alignment there? And I wish we'd walk away from the presentations and it was more of a conversation at that level to say, like, what's keeping you up at night? Where might the CISO need more support?
Rinki Sethi: Because it's great where the risks are trending downwards. That's where you have the right investments. But I think talking about not just what I've accomplished as a CISO, but really, here are the areas that I think that - that do keep me up at night, areas where I do think we need more investment and how do we open up that dialogue for mapping? And I think that's where the needle could move really, really, like, in a really significant way if we're able to get to that point. And I understand we'll still need those presentations and some kind of documentation, but I think there's also this conversation piece that needs to happen so we're not just looking at what's on the slides, but what is it really that the company needs to go and focus in on as it relates to security?
Ann Johnson: If you were that person sitting on a board, what's the top question or, you know, two questions that you would ask a CISO presenting to you?
Rinki Sethi: Yeah, and I do sit on a board now, and so I do get to ask that question. It's, are you getting the right support from the management team? I think that's a really important component. And I'd like to hear about the security incidents and how the company handled them. And I think because of the background that I have around security, I'm obviously biased here, but I think it could - that could tell a lot about the story, I think, around, hey, are they getting the right support, where they might have big risks that aren't maybe being addressed in the right way?
Rinki Sethi: And, you know, not just the CISOs saying that, yes, I have support from the team, but I'd like to understand, like, what kind of support do you have? How is the executive team really partnering with them? And I think there's a lot that can - and so those two questions, I think, around incidents and just are you getting support I think are probably the two most important things.
Ann Johnson: So let's switch gears away from the executives and the board a little and talk about the fact that cyberattacks do occur and they just succeed to that lack of, you know, organizational knowledge going back to that culture of cybersecurity. For us to continue to protect consumers and different organizations, there is a need to measure not only the understanding of cyber, but also the awareness and organization. And as we think about creating that culture, it doesn't mean you're going to be completely eradicating the risk of data theft or cybercrime.
Ann Johnson: So tell me, you know, some best practices about raising awareness. And do you believe we're moving in the right direction when it comes to educating others? And I'll just give you an example that, you know, I'm old enough to remember the Cold War. And I was young at the time, but I was in school, you know, and there were signs everywhere, right? I don't ever see that around things like cybersecurity. So what could we be doing to educate people more broadly, people that aren't even technology professionals?
Rinki Sethi: Yeah. I mean, there's so much. I - you know, similar to yours, the one that always sticks in my brain was the, you know, the drugs campaign that happened in the - I forget if it was the '80s or the '90s. This is your brain, and then this is kind of what it looks like on drugs, and there was a cracked egg. And so I think those kind of messages, they get embedded in your brain, and you never forget, right? And I think we need to do more of that - much, much more of that.
Rinki Sethi: You know, one of the things I think is really important - and I'm very passionate about this outside of the workplace - is how do we get - you know, our kids have technology in their hands before they learn anything about security or privacy, before some of them can even speak, right? And so how do we - and I had this with my own daughter, which was - she got a hold of a device and started texting an automated message where it was about coins. And I had to really take a step back and say, wow, like, I haven't taught my own kids about security and privacy. And so I think we need to start at that level. And if we teach kids this stuff, I think they teach their communities, they teach their parents, they teach their grandparents around this.
Rinki Sethi: I'm really proud that I was - while I was at Palo Alto Networks, we built a partnership with the Girl Scouts to get security in the hands of girls in every ZIP code across the U.S. And some of them are now even pursuing careers in cybersecurity. But the ones that didn't pursue careers, they learned about it to be better employees in whatever they end up doing and taught their communities - right? - about this kind of thing. So I think that's one way of doing it.
Rinki Sethi: I also think those national, you know - I mean, I guess it needs to be a worldwide, international campaign. But those kind of campaigns, even on TV as public service announcement - I think that needs to happen so this gets embedded in kids' brains in the same way they did it for smoking. They've done it for drugs. You kind of mentioned what they did around Cold War. I would love to see more of that happen, even from a government perspective.
Ann Johnson: I think that's fascinating. And I always liked that drug campaign 'cause it was visual, right? And it was visceral. And you could see this is your brain. This is your brain on drugs. And it was the - you know, the fried egg in the pan soon as you think about it.
Ann Johnson: So let's pivot. In cybersecurity, we often focus on the negative, but it's actually a really exciting time for the industry as we think about new solutions and bringing new talent in. I'd love to hear from you what you've most enjoyed about your career in cybersecurity.
Rinki Sethi: It always comes down to the people for me. I'm really fortunate to have, like, amazing folks that I've worked with, and I love seeing folks, like, their careers rise. And like I said, I talked about the Girl Scouts a little bit. It warms my heart to think about these new girls that learned about cybersecurity, that entered the Girl Scouts now are pursuing careers in cybersecurity, and hopefully at one point we'll see them as CISOs that we're working for. And so that's what makes me the most proud. It gives me goosebumps just as I'm talking to you about it.
Rinki Sethi: And I think, you know, seeing, like, just us being able to solve really challenging problems, bringing diverse teams together - I mean, I talk about this a lot. And Ann, you've heard me say it in so many different forums that we've been together in. But you know, I think with the number of challenges that we're going to face in information security, we're just not even - like, we're not close to prepared for it, and we don't have the talent pool that we need right now. And so we got to start thinking outside of the, like, boundaries around - hey, how many years of experience does someone have in cyber? - and start really investing in bringing talent in.
Rinki Sethi: And I'm fortunate that I get to drive some of that, and that's what makes me the most proud. And that's one of, I think, the biggest accomplishments that I've had and that I'm - you know, makes me the most happy.
Ann Johnson: That's fantastic. Well, I really appreciate you chatting with us today. And we always want to send our listeners off with one or two key takeaways about how you think we can overcome future trends and, what are the one or two actions they could actually take today and the things that make you really hopeful about the future?
Rinki Sethi: Yeah. I would say if you're a security practitioner that's listening to this, please, like, continue to invest in talent out of college and bring new blood into the cybersecurity space. I think we need it. And only if everybody joins that mission are we really going to make a dent in what we need to go and solve for. So that would be my one big ask. The other one is protect yourself online. Teach kids about cyber safety. And, you know, let's make the world a safer place to be online.
Ann Johnson: Rinki, thank you so much for taking the time to join me today.
Rinki Sethi: Thanks for having me on.
Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea."
Ann Johnson: I chose Rinki Sethi as a guest for "Afternoon Cyber Tea" because she has such a broad and diverse background of working in cybersecurity across a lot of large companies. I also do a lot of work with Rinki outside of just the core work of cyber and doing work in the diversity, inclusion part of cyber and really trying to build up from having just 25% of cybersecurity be women. She's just this amazing advocate in the industry and very, very, very qualified and really a great person. So it was fun to have her on the show. And she brings a unique perspective to everything she talks about when it comes to cyber.