Afternoon Cyber Tea with Ann Johnson 3.21.23
Ep 71 | 3.21.23

Navigating Current Cyber Challenges


Ann Johnson: Welcome to "Afternoon Cyber Tea," where we speak with some of the biggest security influencers about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson.

Ann Johnson: On today's episode of "Afternoon Cyber Tea," I am joined by Adam Malone, principal at EY. Adam currently leads the private equity sector within EY's cyber consulting practice. He has also led EY's globally recognized threat resiliency capability, and prior to joining the private sector, Adam was a supervisory special agent for the FBI, where he led teams investigating cybercrime, acts of terrorism and cyber-enabled economic espionage by nation-states. He has also spent time as a senior systems engineer for BAE Systems, and he's a veteran of the U.S. Air Force. 

Ann Johnson: Welcome to "Afternoon Cyber Tea," Adam. I am absolutely thrilled to have you on today. 

Adam Malone: Thanks, Ann. It's great to be here, and I really appreciate the opportunity to talk to your listeners. 

Ann Johnson: Yeah. So, you know, you have this really diverse and impressive background. And first, I want to start by acknowledging and thanking you for your service in the Air Force. It's always great to talk to a veteran. 

Adam Malone: Thank you. 

Ann Johnson: And as we think about this, though, let's hit the rewind button a bit because I'm fascinated by the journey that people take to get into cyber. So tell me how you're interested in cybercrime and why you've dedicated your career to helping businesses navigate cyber challenges. 

Adam Malone: Absolutely. You know, looking back on it, it has been an interesting journey, right? Sometimes life takes us in certain directions that we can't predict, and that was a little bit of the story for me. I joined the military as a young man trying to find my way in the world, and the military gave me some great opportunities to learn a lot of neat things. You know, I started out as an EOD technician, which is a bomb squad... 

Ann Johnson: Wow. 

Adam Malone: ...And had the chance to shift into IT, you know, when cyber was still, you know, somebody sitting in a closet looking at proxy logs for the users. So I got a good technology background. I had some great training from Microsoft and the world of technology, helped a lot of organizations shift into Active Directory as a directory services structurer in Exchange early on. And when my military career was done, I got hired as a defense contractor, and my first contract was working on modernizing the FBI's IT systems. So that was under Director Robert Mueller at the time, right after he had been appointed. And I got to meet a lot of the agents in the field offices. I always wanted to be an FBI agent. They recognized the tech experience, and they were starting a cyber division, and so I got recruited to come into the bureau and be a cyber special agent because of my tech background, and then they taught me about cyber. I got to go through a lot of really cool training with some great organizations and witness cybercrime firsthand when it was still in its nascency, and it's been a great career for me ever since. 

Ann Johnson: That's fantastic. And I - EOD technician. That is a really - I guess you're not risk adverse at all. You're definitely a risk taker. 

Adam Malone: (Laughter) Maybe I'm not smart, Ann. 

Ann Johnson: I don't know about that. I have family and some close friends who are military, and they talk about EOT techs in the same vernacular they talk about helicopter pilots. I think you can appreciate that. Yeah. 

Adam Malone: Oh, my goodness. Yeah, absolutely. 

Ann Johnson: So I know your time in the FBI, you were involved in several high-profile cyber investigations and a lot of events. When you were leading these investigations, were there any surprising trends you were seeing again and again, and are you still seeing the same type of trends today? 

Adam Malone: I think the answer to both of those questions is yes. You know, I think the first observation that I had is it really all comes down to people at the end of the day. And so, you know, people always played a pivotal role in either preventing a crime occurring or advancing a crime, sometimes intentionally or unintentionally. But that was a big piece of it. You know, I think today we still hear about the threat of business email compromise, and that's been the most significant financial technology-enabled crime, I think, over the past two decades. And it was a big thing then, right? And that really relies on people preying on our comfort with one another and our communication skills and sometimes our willingness to bend process to ease our actions. 

Adam Malone: And so that was a big thing that I saw a lot in the FBI from my early career to my later career. I think the other piece, you know, we've seen a lot about what's happened with malware and how it became very prevalent, and sometimes it kind of shifted to being less prevalent when we went to thinking about how attackers use technology against us. But it always required people to get the malware in place, clicking on a phishing link or forgetting to patch a system or using poor security practices, not changing a password. So I think I saw those again and again in the FBI, and I've seen them since in my consulting career, and they're still some of the same challenges that we deal with today. 

Ann Johnson: Do you see people who actually end up, unintentionally, and they're actually victimized by cybercriminals into doing criminal-type activities themselves? 

Adam Malone: You know, I think yes is part of an answer there, especially when you look at the economic ecosystem of cybercrime, right? At the end of the day, cyber is about - cybercrime at least is about economics and power, whether it's a criminal group or a nation-state. While there are great - we'll use the term hackers, right? There are great hackers out there that are great at breaking a control, you know, getting a piece of malicious code into a system - for example, to steal credit card numbers off of a PCI network. They still have to cash that money out, right? They got to take it from digital to hard currency. And where we used to see a lot of interesting - let's call it unintentional crime that was committed was in people preying on - or criminals preying on, you know, regular people that are trying to make it in life and advance their careers. And so they might get employed somewhere in these cash-out schemes as a, you know, unwitting money-laundering accomplice - right? - taking fake orders, you know, cashing checks into an account they created because they understood that to be part of their job. 

Adam Malone: So I think we got to see that quite a bit down the food chain, where people were part of the crime but had no intention to be, and the government didn't think about them that way. But that's always been kind of a part of the bigger ecosystem, right? So it does occur, but not as often. I can't think of any good examples kind of further up that intrusion sequence where people are unintentionally committing a crime. You know, I think we've seen some attempts where people, you know, may call in to have a password reset or something of that nature, pretending to be someone, and an IT person kind of does their job - maybe they bend policy a little bit to make it happen. But that's about the extent that I can think of some of those situations. 

Ann Johnson: Yeah, I could actually potentially see that happening. There's a lot of folks that aren't necessarily tech-savvy, and that could easily be taken advantage of - right? - without even realizing. 

Adam Malone: Absolutely. 

Ann Johnson: So one of the things I'm seeing today in cyber trends is this need for business and cyber leaders to be more aware and proactive mitigating against all of the geopolitical events we're seeing around the world. What's your take on this trend, and what are you hearing when you talk to your customers? 

Adam Malone: That's a great question. You know, I think never has it been more apparent than in today's global economy, kind of starting with the supply chain. It's everywhere, right? And we can see from some of the recent Russian and Ukrainian conflicts that there are businesses that had suppliers - maybe digital suppliers; maybe they were coders; you know, they were in the agricultural industry - that they relied on to make their businesses run. Luckily, we've gotten smarter over the past several years, but we still have a ways to go. Understanding where your supply chain is, where it shifts - right? - and how those geopolitical events or conflicts can impact them is huge. You know, one of the things I got to see in my previous career with the government and the FBI specifically was that nation-states love cyber, right? The targets of cyber are very different than they are in traditional warfare. Collateral damage is thought of differently in the world of cyber than it is in the world of launching munitions and using weapons. And the business world's become more politicized over the past, you know, decade, and so that really starts to put businesses in - right in the crosshairs of geopolitically motivated individuals and groups, right? And this isn't advocating for one way to be right or wrong, but it's absolutely shifting. 

Adam Malone: And so more of our companies are asking those questions today, right? What have I said? What have I done? Where have we spent money? Where is our supply chain? How is that impacted by this changing geopolitical climate? They're spending more time understanding it - right? - discovering where their supply chain is and what its impacts are, making contingency plans. They're spending more time rehearsing it. They want to bring in experts to talk about how these events could occur and how they may occur and how it could impact them. Help us figure that out, and let's rehearse what we're going to do as a business from a regulatory perspective, from a communications perspective, from an investor relations perspective, not just cyber and technology. So, you know, more and more, that's with the CXOs, it's with the board, and they want to know what it means. And cyber is just one more way that we've seen that manifest itself over the past several years with some of the large cyber-style attacks that have a lot of downstream impact. 

Ann Johnson: That's fascinating. And I do think that businesses - it's a unique time because I think coming out of COVID, people understand now how frail our supply chain - global supply chain actually is, whether it's a part to manufacture something or it's a whole piece of something, right? I'll give you an example. You know, we're three years in, right? And we're remodeling one room of my house, and apparently, we have a global glass shortage still, which was shocking to me. 

Adam Malone: Wow. 

Ann Johnson: It's, like, significantly delayed because of one piece of glass. And I'm like, OK. But I think that's the wake-up call that people needed. And then you add on top of the frailties of the supply chain - you add just geopolitical events, right? And suddenly risk and resilience, which is the world you live in, it becomes very different for customers. So as you spend your days talking about this risk and resilience, in addition to mitigating from the events we just talked about, what other themes right now are top of mind for customers? 

Adam Malone: There's a lot of them, right? And kind of staying within the cyber domain, you know, one is this shifting regulatory landscape, right? We've seen a lot of increased interest from the regulators to kind of get their hands around more transparent cyber risk management behaviors - right? - requiring qualified oversight, right? So if you think about what they're asking of the boards of directors now, they want more cyber expertise - and that's been put in writing - stronger notification to constituents, right? A cyber event, you know, 10 or 20 years ago, it was kept quiet, right? It was kept under tight wraps. It wasn't talked about if there wasn't a direct impact. And that expectation's changing because of what cyber could mean to the bottom line or its materiality to a company's financial performance. Stronger governance in general - right? - setting good standards, managing to those standards, bringing in independent perspectives, and the heavier enforcement of the shifting regulatory landscape, right? We've seen some pretty significant penalties and public statements being assessed against corporations that haven't had a strong cyber program. So that's absolutely probably been the top thing right now that most people are talking about. 

Adam Malone: I think the other piece of that maybe is resilience, right? Understanding how cyber can truly impact the business and being able to quantify that risk, right? We're moving away from qualitative approaches to understanding what cyber means, and we're thinking about quantifying that - you know, building out real risk scenarios and spending some time and effort to understand how it's going to impact the business, its ability to deliver outcomes, to generate profits for its shareholders. And so that becomes really, really important - and how fast can it recover and preparing for those eventualities. You know, ransomware has done a lot for us in cyber in helping us think differently about the urgency and the resilience of cyber programs across our companies. 

Adam Malone: I think the last one probably is just the risk transference space. The insurance landscape is changing. You know, I think a lot of leaders used to think about having good cyber insurance and its ability to help them recover in the event of an attack, and, you know, those economics have shifted. And so there's an understanding that there needs to be less dependency on planning for having good insurance that can cover all the eventualities, which brings more insight into third-party risk management and getting more proactive. And just like in cyber risk management, it's not just a qualitative process; it's quantitative. So we're seeing people ask better questions, down to technical control levels and playing those against scenarios so that they understand kind of what's at stake should something occur. 

Ann Johnson: Yeah, and I like the direction of talking about regulatory, right? Because, you know, as you know, the current administration just released its national cybersecurity strategy, which has the potential to drive, you know, more - even more regulation and I think that, you know, if you talk to us at Microsoft here, the right regulation, right? We want to have informed regulation, but it definitely - there needs to be more. And then just today, as we're recording, there was an event, you know, with a large bank in the valley that's likely going to draw more financial services regulation. So I think it's something that our customers have to be cognizant of on a global basis. 

Adam Malone: Absolutely. Absolutely. 

Ann Johnson: So when you think, then, moving back to just threats and attacks - right? - we still find in the research we do with our incident response team. So the vast majority of attacks and events are a result of what we call poor cyber hygiene. Why do you think cyber hygiene continues to be an issue? And customers do struggle with it. What advice would you give customers about how to prioritize? 

Adam Malone: That is a great question. And again, I think, you know, as we've seen, the technology ecosystem has evolved so much over the past decades. You know, our digital footprints are getting larger. You know, we used to have laptops or desktops and switches and servers, and it doesn't look like that anymore. You know, there are multiple variations of compute assets. The world is digital. Software is more prevalent than ever. So, you know, the world of things that we have to manage has grown more and more complex. You know, there is risk within those things that it's harder and harder to quantify when we think about the digital supply chain. So, you know, that's shifted, and that's required more of us. 

Adam Malone: Business moves at a great speed, so what you knew yesterday suddenly is inaccurate today. So I think we see a lot of that. That's been one of the challenges with cyber hygiene is the amount of things that you have to manage and the shifting nature of them on a day-to-day business is sped up. But people in process have just never been able to move at the speed of the threat, right? What I've at least seen in my previous life - and I still think it holds true today - is the individuals in the criminal ecosystems that we're concerned about today are really good at finding the successful parameters that they need to do something, right? And they're very opportunistic. And so, you know, they may have an organization in their crosshairs that's doing something really good this quarter. Maybe they have some economic downturns, and they have to go through some rifts that affect the cyber organization, and then suddenly, they're not patching with the same cadence, right? And that opportune time has come up where they can launch an attack. So that's always been a big piece of it. 

Adam Malone: I think the other half is, you know, it's - some of this is on us as cyber professionals, right? There's never - not never. Sometimes there is not enough urgency with the business, right? Cyber has always kind of been seen as this cost center, right? I've got to spend money. It keeps going up. But why am I doing of it? Why am I spending money? Why am I hiring more people? Why am I buying new technology? So the ROI of cyber in its integration with a good management program still isn't understood well by the business in a lot of cases. And that ties back into the need to shift further left in security, right? I think there's plenty of great surveys out there and perspectives on the mindset of cyber management and not necessarily - their perspective not being well integrated into the moves of the business, right? And as a business moves digital to gain efficiencies and to gain new markets, cyber is sometimes late to the table, if left off altogether. So I think those two things really lead to what we think of as poor cyber hygiene, which becomes a very opportunistic target for these really enterprising and hungry cybercriminal groups, right? This is how they make a living. So they're waiting to find their time to strike and generate a little profit for themselves. 

Ann Johnson: Yeah, and I like what you said. Look; the most successful CISOs are the ones that are learning how to work with their business peers. They're learning how to speak business. They understand that the cyber has to drive business and be a business enabler, right? And we're seeing that evolution of CISOs from being, you know, folks that were sitting in a corner by - deeply technical folks that were sitting in a corner by themselves, considered a cost center, to folks who are really being sort of a business enabler. 

Adam Malone: Absolutely. 

Ann Johnson: I'm excited to see that evolution. You know, as we talk about - it's an interesting day for us to talk about that part of your day job is helping private equity firms think through the risk. And of course, there's an interesting challenge in the private equity sector right now, where portfolio companies are becoming a more valuable target for cybercriminals. Can you - this is a new topic for "Afternoon Cyber Tea," so thanks for joining us to walk us through. I'm quite serious. It's something we haven't delved into before. Can you walk us through this challenge and explain this a bit for our listeners? Why do cybercriminals find startups or PE portfolio companies so valuable? 

Adam Malone: Absolutely. And I think if we can put our minds in the headspace of a criminal for a little bit, I think the answer becomes very apparent, right? This is their job, right? They're looking for an access to funds to support their means of living. And they're very opportunistic, right? They move at a little bit more nimble speed than a lot of us do. And so when you think about the world of transactions in private equity, a lot of these companies, you know, they could be distressed. They're smaller, right? Their cyber spend may not be as robust and cyber maturity be as robust as traditional corporate organizations. So they're ripe for targeting, right? There's a potentially high reward to the risk that they take. 

Adam Malone: The other piece of it is that there's a lot of money tied to this transaction, and so it's potentially, at least in their view, a rich environment to potentially get access to funds quicker. I think they've seen evidence maybe that insurance may not be part of the calculus. They may not have the right amount of skilled people dealing with the cyber problem. And oftentimes, it's ripe with cyber hygiene issues, which is just kind of a part of it. That's not always the case, but they have a higher probability, I think, of having success. So we've seen a shift in that, right? I think it's been observed by a few people in the industry that there have been attacks that are tied to public transactions, right? When something is announced, there's been an increased prevalence of targeting and successful attack, sometimes with ransomware, many times with the old business email compromise scam, where they're getting access to funds quicker because money's being moved around in a lot of unique ways. 

Ann Johnson: Yeah. Absolutely. 

Adam Malone: So it's definitely a trend. 

Ann Johnson: Yeah, I know when I had my startup, I mean, my CFO received an email that really looked like it came from me - move money here, you know? 

Adam Malone: Yeah. 

Ann Johnson: And he had the sense to come ask me. I was in the office next door, and I was like, nope, we're not sending money there. 

Adam Malone: That's right. 

Ann Johnson: But for PE leaders, what are - you know, it's probably not a lot different than other parts of the industry. 

Adam Malone: Yeah. 

Ann Johnson: But what's unique, right? What are the questions you ask them to think through and mitigate the risk they have, and what advice and action do you typically recommend for them? How do they start? 

Adam Malone: Yeah, that's a great question. I will say it's probably a little bit different in the entire sector. There's not necessarily one standard way, and I think there's a lot of opportunity in the private equity space for cyber risk management to continue to grow and find the right balance for their portfolio in the way they lead them. You know, the first question I would ask is, did you have diligence done in this deal, right? Some organizations are good at conducting cyber due diligence; some aren't. And if you did, did you address the red flags? You know, sometimes it's part of that transactional process. So they can understand the risk, but do they actually address it? How do they know? That's kind of where we start, right? That's table stakes. Once that asset is acquired and it's brought into the portfolio, how do they start to measure the riskiest assets in their portfolio, right? Who's the most mature? Who's the least mature? Who's got the operating budget to deal with something? Who doesn't? How is revenue generated in these organizations, right? Because that's typically where the risk is going to present itself the greatest. And why are they the riskiest assets? How are they starting to quantify that? How do they engage with their CISOs? I think we've seen a lot of great movement in the private equity space as a whole, where they are building those relationships within their - the cyber constituents within their portfolios. And so that information sharing is a great practice. 

Adam Malone: I think the other element is balancing. In the effort to realize their deal thesis in any given deal, costs have to be controlled. So where does cyber fall on that range? Is it an up or down, right? How are they investing in it, and how does it align to the risk parameters the company could be facing? You know, we've all seen in the cyberthreat space and the intelligence community for a while - right? - sectors tend to be targeted, right? Every research organization out there puts out a sector view that says, hey, health care has - and this is just an example - 55% of the ransomware attacks over the past year targeted health care organizations. So that's a good indicator that maybe you should, you know, start to look a little bit closer at the risk presented within each of your sectors because a lot of these firms own companies across multiple sectors. And so sometimes those clues can help drive them to spend more time with those assets compared to others where there's a greater risk profile. 

Adam Malone: I always get back to - I love cyber technology. Huge fan of where the industry is going. But it's nothing without good people and the right amount of them, right? And I think that the biggest challenge that we see sometimes - and it's not just in private equity. It's in all sectors. But, you know, you're spending enough effort and time and capital to get great technology, you know, but maybe there's one person wearing half a hat that's got to manage six products and may not have had them deployed effectively and all the controls tuned, right? So there still has to be an investment in people to make cyber work the way it's intended. 

Ann Johnson: Do you - you know, as we talk about that, the investment people - and as I know you have a broader view than just PE on the industry - that people element. Do you see there being more opportunity for managed section response and managed service providers because of the people element, particularly with those, you know, environments where an organization may have a couple people and they're doing IT in, like you said, half a cyber hat? 

Adam Malone: Absolutely. I mean, I think that that is - you know, that is a market that has not been completely filled yet. There's a ton of opportunity. You know, there are a lot of great organizations in the industry that are providing those kinds of service. And, you know, I think what we're seeing is - just like on the tech space, where one technology is becoming a platform of things, so are these managed services, right? I mean, you can get out in the market today, and you can buy an MDR provider, but you can also buy a third-party cyber risk management service. You can buy a vulnerability management managed service - right? - an identity and access management managed service. So, you know, we're seeing that industry grow when those requirements grow from the business community. And it's a great place to focus - right? - to kind of get that ROI, make sure you have the right amount of people, especially as your company can grow, right? You may get to the point where it makes sense to bring that back in-house when you hit a certain market share, but it is a fast-moving industry with a lot of really neat and novel solutions coming to market on a yearly basis now. 

Ann Johnson: Well, this has been a great conversation, and I love the insight you shared, and your perspective is definitely incredibly unique. We always like to send our listeners off with one or two key takeaways and some inspiration for the future. So what do you think is important for our audience to know, and why are you optimistic about the future of cyber? 

Adam Malone: That's a great closer. You know, I think the first thing I would tell them is ask good questions, but then have those answers backed up with data, right? The days of qualitatively determining risk of an organization are, dead. Right? For every 4.5 maturity out of 5, there's a significant cyber event. So we're really shifting to the world of data. And the industry, luckily, is - the technology industry is moving in that direction. You know, the technology we're using today is getting really good at giving us clear and transparent access to data at a management layer so we can quantify the risk to the business. 

Adam Malone: I think in terms of why to be optimistic, look; AI is going to solve all of our problems. No, I'm just kidding. You know, it won't, at least not in the meantime. But we - you know, we as a community, I think we're getting better together. We're working together more. We're sharing our lessons learned now more than ever. The community is growing stronger, right? I think we're getting a lot smarter. You know, there used to be silos of knowledge, and people kind of kept a stranglehold on their knowledge and what they could do to separate themselves from their peers, and I see those barriers breaking down. So cyber empathy is alive and well, and that's my reason for being optimistic. It's the community. It's the people I work with. It's the people like you that are bringing a great message to the market every day and to the people that sit in our seats. So I look forward to what we're going to accomplish in the future. 

Ann Johnson: Well, Adam, thank you so much for making time. I know you're incredibly busy. Thanks for making the time to join me today. 

Adam Malone: Absolutely. Thank you, Ann. And I was very glad to be with you and take part in your "Afternoon Cyber Tea." 

Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." 

Ann Johnson: So I chose Adam to join me on "Afternoon Cyber Tea" because he has such a unique perspective, from starting his career in the military as an EOD, so a bomb technician, through working at the FBI and having significant experience with cybercrime, through now being at EY and leading their private equity cyber practice. He just has this, like, blend of background that's incredibly compelling, great storytelling. And I know folks will get just a lot of wonderful tidbits out of this episode.