The Retail & Hospitality ISAC Podcast 5.24.23
Ep 28 | 5.24.23

Hyatt’s CISO, Intel Briefing, & Third-Party Risk Management with Cyber GRX

Transcript

[ Music ]

Luke Vander Linden: I'm Luke Vander Linden, Vice President of Membership and Marketing at the Retail and Hospitality Information Sharing and Analysis Center. And you're about to listen to the RH ISAC podcast.

[ Music ]

Thanks for joining us once again. I hope you had the chance to download and listen to the last episode of the RH ISAC podcast. If you did, you would have heard the first half of a terrific interview with Ben Vaughn, CISO at Hyatt, RH ISAC board member, and 2022 CISO of the Year. We split it into two segments, the second of which is on this episode. You don't have to listen to them in order, of course. But if you haven't listened to that one, you probably should. Now back to this episode, I will also be joined by another CISO, Dave Stapleton of Cyber GRX. Cyber GRX is a great supporter of the RH ISAC and one of our associate members. You heard me wax almost poetic about third-party risk a couple episodes ago. And I'm going to do it again today. According to Cyber GRX, 60% of all retail security incidents come from third parties. Dave and I will talk about how to evaluate third parties well, with the sheer volume of incoming suppliers retailers face, and the pressure to get them onboarded quickly. And then finally we'll be joined by the RH ISAC's own cyber threat intel analyst and writer Lee Clark for the briefing. As he does every other episode, Lee will give us a summary of recent threats and trends. As always, please let us know what's on your mind. Shoot me an e-mail at podcast@rh-isac.org. Or if you're a member, find me on Slack or Member Exchange.

[ Music ]

My conversation with Ben Vaughn, CISO at Hyatt, was really framed by Hyatt's six guiding principles of cybersecurity. But that led us everywhere, from how cybersecurity is an extension of Hyatt's overall purpose of care to the importance of diversity in cybersecurity. If you haven't listened to it yet, do check it out. We got to just four of those six principles. But now here's the second half of that conversation with Ben that gets to the remaining two principles. And that's not all. So, that was, believe it or not, only four of the six guiding principles you told us about. Number five you said was stay close.

Ben Vaughn: It's a hard job. You walk a knife's edge. Like we said earlier, you have an enemy, somebody who wants to do you harm. And that weighs on you. It's hard. The way that we can get through is to know one another and to, and to be close to one another. That's also the way we can exceed. You know, our adversary, they know each other. They go on smoke breaks together. They go to baby showers. For them, often I think that's an operational advantage because they can, they can work together so well on the activities that they want to engage in, whether that's deploying ransomware or, you know, theft of secrets or whatever. If you think about a group of threat actors of any kind, whether it's e-crime or state sponsored or anything like that, I've always had the feeling that they know each other well. And how can, how can we defend ourselves against them? To me, an important part of that is knowing each other, to stay close, not just to treat this like a job. That's how we get through the hard days. But also how I think we win when we're stacked up against those people who wish us harm.

Luke Vander Linden: Yeah, you know, it's interesting. I think the perception in the outer world is that these threat actors are individual operators sitting in their basement in a hoodie. But in reality, these are collectives, these are businesses, these are, you know, people sitting in cubicles, chatting at the watercooler, heating up last night's leftovers in the kitchenette microwave. These are people, just as you said, who have relationships with each other. And so we have to do the same on our side of it.

Ben Vaughn: It's absolutely true. You know, you'll see periodically a Mandiant blog about an intrusion that they had investigated. They'll periodically tie back. They'll say, well, the threat actor disappeared on this national holiday. And you go, oh, okay. That's a clue that, you know, these aren't, this isn't just a fly-by-night operation, like you said, people in the basement with hoodies. But this is a more organized endeavor. And I think it often is. A lot's changed since I was a kid. And I think one of the things that's changed since I was a kid is that this has become an operational art, if you're talking about state-sponsored activities, or a large-scale business if you're talking about e-crime. And there's no reason to expect a business to operate in a way you might imagine from watching movies or television.

Luke Vander Linden: The sixth and final, and I don't know if you saved the best for last, but it's certainly on brand, the Hyatt way was the final guiding principle you mentioned. What is that? What is the Hyatt way?

Ben Vaughn: You know, I learned this phrase probably a year into my time at this wonderful company, from someone I look up to, and whose presence in my life I value deeply, a colleague of mine. And she had said to me, she just sort of offhandedly said when we were talking about something, she said, well, that's not the Hyatt way. And I said to her, well, what's the Hyatt way? And she said, the Hyatt way is the less expedient, more expensive solution to a problem that we wish a company would do for us if we were customers of that company. And I use it all the time, because she was so right, that is the Hyatt way. That is something that we just do, because that's part of care. And so when we're thinking about doing a deployment of some kind, we're turning on DMARC or blocking zip files in an incoming e-mail, whatever, you know, those are just examples. But let's do those things the Hyatt way. Let's take the care to communicate with our colleagues and give them detailed documentation on how to handle that change, and take time to explain to them why we're doing it. Because that's the way we wish people would do that change for us.

Luke Vander Linden: That's really terrific, because it takes it away from being a transactional type of relationship, and more relationship building.

Ben Vaughn: It's such an important part of everything that is Hyatt.

Luke Vander Linden: Right. Well, that's great. Turning to potentially a little drier topic, you did mention cyber insurance before. And so I'm assuming that's something that you've had some fairly recent, hopefully not too painful experience with. But can you give us your perspective? I know this is something that's top of mind for many of our members. A little perspective from your side of things on what the insurance market is like now, how it's changed over the last couple years. Because it is something that's had some change recently.

Ben Vaughn: Insurance is one of my favorite parts of my job. It really is. It was something that I knew very little about when I came to Hyatt almost seven years ago. And the risk management team at Hyatt took the time to explain all of the ins and outs of this industry to me. And it's something that the team and I really enjoy every year working on. And I think every year we spend a lot of time preparing for our insurance renewal. This year, our experience and our renewal was that the insurance market had been very hard last year because I think we all saw that there were pretty substantial losses in cyber insurance policies that had been written by underwriters. And when you have an environment where there's a lot of losses, you'll see premiums rise to compensate for that, fill up that lake, if you will, of premiums and premium funds. We have seen, been advised that that market has softened a little bit. And I think we have experienced, at least we've experienced that to some extent this year in the renewal that we just completed.

Luke Vander Linden: Oh, that's good. Obviously, you can't opine or talk about your own rates. But with, you know, there's, keeping the rates themselves low, but then there's also stability so you know what you're going to pay from year to year. What tips do you have for that? And are you seeing some positive moves in that side of things as well?

Ben Vaughn: So, I think for us, when I say that insurance is one of my favorite parts of my job, there's a couple reasons for that. And one reason for that is it's a great opportunity for a third-party assessment of your security program, because underwriters are really betting on you. And so there's an opportunity for you to show these folks, show intel about your security program. Again, not to juke the stats, but to show them the good and the bad. And then in the rates that they're paying and the trend line for those rates year over year, to make a determination about what interested third parties outside your company think about your security program. So, we think about this as

Luke Vander Linden: An opportunity.

Ben Vaughn: Yeah, it absolutely is an opportunity to know what others outside might think about your security program.

Luke Vander Linden: Right, because you can pay good money for services like that throughout the year, but this is a great opportunity to just get it rated on a regular basis.

Ben Vaughn: The proof is in the price tag.

Luke Vander Linden: Right. So, what tips would you give others as they enter into this process that they probably don't love as much as you do? Any advice?

Ben Vaughn: Yeah, a few things. First is to work with your broker to find underwriters that are interested in your type of risk, whether it's hospitality or retail or transportation or anything else. It's to go see the underwriters. Don't just do a phone call with them. When I went and saw our underwriters in Bermuda and in London, they remarked to me that most people don't come visit them in person. That's an important part of relationship building as well. And then I think one of the most important things that we do in our insurance presentation every year is to tell a cohesive story about our security program, and to tell the truth about where we succeed and where we do not succeed as much, where we need to improve still. To a certain extent, I think sometimes there's like a Jedi mind trick game going on where folks show up, they're talking to insurance underwriters, and they say everything is amazing, and nothing bad will ever happen.

Luke Vander Linden: And, of course, that's not believable.

Ben Vaughn: Well, I think that the underwriters might get a presentation like that and have an expectation that now they start to wonder, well, okay.

Luke Vander Linden: And isn't it so much better if they don't find the problem, but that you say, hey, we already know about this and we're working on it?

Ben Vaughn: That's right. So, one of the things that we do is we dissect an incident from the prior year every year in our presentation. We tell the truth about the incident, how it unfolded. And then we detail every step we took to make sure that that doesn't happen again. And I think that that, I do have an understanding from various underwriters that that is still a novel approach. And I did want to share it, because I think it's meaningful to everyone. It's also meaningful to Hyatt because if premiums go down globally, they'll also go down for us.

Luke Vander Linden: We might have to do a deeper dive on that for our members at some point. I know people. Maybe I'll, maybe I'll talk it up. So, just broadly now, looking ahead at the future, whether it's cyber or whether it's the end of the hospitality industry, do you see anything crazy happening, or, you know, get out your crystal ball here and predict the future, and, you know, maybe I'll ask one leading question first. And I have an ulterior motive for this. I've been chatting, now that we're part of the CyberWire Network, there's a bunch of other podcasts that are part of our, part of the network that are meeting these other hosts. I was talking to Maria Varmazis, who's the host of T Minus, a new podcast about the space industry. She has a cybersecurity background. But it's not about cybersecurity. It's just broadly about space. And she wanted me to ask some of our hospitality members, and since I have you on the spot, are there any plans to start developing properties for either business or tourism purposes in outer space?

Ben Vaughn: I'm not authorized to speak about any confidential matters involving space hotels.

Luke Vander Linden: Excellent.

Ben Vaughn: I don't, I don't know. But I hope so. I hope in my life I get to see a space hotel. That would be cool.

Luke Vander Linden: It's a great thing to think about.

Ben Vaughn: I would like to see the one in Antarctica I referred to earlier.

Luke Vander Linden: Well, yes, that's another, so, what else in your crystal ball do you have that you can tell us about in the future?

Ben Vaughn: I think in terms of our field, the trend line that I have seen for the last seven years is cybersecurity companies producing products that can substantially reduce the risk of events happening in the area that that vendor is participating, that we can squeeze off large amounts of risk by finding the technology that will solve your problems. And then implementing it completely to push all the buttons. And I think we should expect that trend line to continue, because you have, this is a game of human ingenuity versus human ingenuity. And the capital markets are putting, directing a lot of money to these security companies. They're bigger. There's more staff at these companies than there is in the threat actor world. And that just means that there's more brain power on one side than the other. And I think security teams can leverage that, and should. On the other side, you know, what my crystal ball says is that security teams the world over need to continue to be laser focused on unlikely events. My leader asked me the other day, do you think we should hire a game theorist? And I said yes, I think we should, somebody whose job it is to think about unusual scenarios that could unfold. People always say there's a common idiom, right, it's the thing you don't expect that comes back to bite you.

Luke Vander Linden: Sure.

Ben Vaughn: I think it would be advisable to continuously think about the thing that you hadn't thought of.

Luke Vander Linden: Of course, yeah, that's amazing. And that's obviously incredibly difficult to do. But, you know, the one thing that we know, the attack surface keeps getting bigger. And they're going to, the threat actors are going to keep getting more creative, right?

Ben Vaughn: A lot of major intrusions that you read about in blogs I believe don't often involve the thing that would have been in your risk management framework. And so I think creative thinking about what might happen is really important. And then the last thing I'll say in my crystal ball is this is a hard job for security teams, high pressure job. And, you know, the encouragement that I would give into the future for security teams is to consider that perfection is not the expectation, that our goal is not to prevent all bad things from ever happening. That's impossible. Three men broke out of Alcatraz. And so if people can build it, other people can unbuild it, that the expectation that you need to have for yourself in the future is not perfection, but it's that you will do your utmost every day, keep people safe, and feel good about that at the end of the day. I worry about burnout in security teams. And I think it's important that we, as security teams, consider what the real expectation of us is here. It's to do everything in our power, not to be perfect.

Luke Vander Linden: Ben, thank you very much for joining us. It was your first podcast, you said, and I think you did a terrific job. I think we'll have you back. But I really appreciate it. Ben Vaughn, Senior VP CISO at Hyatt, thank you very much.

Ben Vaughn: Thank you so much for having me, Luke.

[ Music ]

Luke Vander Linden: All right, we're now joined by the RH ISAC's own Lee Clark. Welcome back to the podcast.

Lee Clark: Hi, Luke. Thanks for having me.

Luke Vander Linden: Now, you're a regular here, obviously. Every other episode, you give us the briefing on threat trends. But this is a special briefing this time, right Lee?

Lee Clark: Yeah, we're doing something a little bit different for the day that's going to be interesting, and I think pretty valuable for the community.

Luke Vander Linden: Tell us what that is.

Lee Clark: So, we just released our most recent RH ISAC intelligence trends summary, which takes a look at the year's trending intelligence reports according to a four-month period. So, we look at one for January to April. Then we look at one for May to September. And then we look at one for October to the end of the year. Right?

Luke Vander Linden: So, this report that was just published would be one could say the first trimester.

Lee Clark: Sure. Yeah, yeah, yeah.

Luke Vander Linden: Excellent. Well, let's hear what had to say.

Lee Clark: All right, so for this report, I want to preface this with the data we gathered for this report is a little bit different, and in my opinion a little bit better than we've done in the past. We had a little bit of a process improvement. Some of the trends we are now able to track more closely in MISP. People who have been following the podcast will know that the RH ISAC has been doing a lot of work with honing, maintaining, and improving our [inaudible] that we use for our community. And one of the benefits of that is now I have better, more granular, more holistic data sets to look at what threats we see facing the retail and hospitality sectors. So, the data I have for this one is in a little bit of a different format than the data in these pieces we've published in the past. But I think overall it's an improvement, and it gives a better and deeper look into the threats we see.

Luke Vander Linden: Excellent. So, what did you find?

Lee Clark: So, we found a couple of key trends continuing. And one or two that shifted a little bit, right? So, in terms of malware, right, the TLDR for the report is that Agent Tesla is one of the most prevalent threats in terms of malware reported by the community. Emotet has reemerged after falling off during some of the previous reporting periods, probably because Emotet activity tends to come in waves and then recedes and then a new wave begins. Some familiar threats that the community is well aware of, like IcedID and QBot, remain steady but lower level than Agent Tesla and Emotet. And then key tactics leveraged against the community as well. In the past, I haven't been able to track these, but now I can. So, when we say tactics, we're talking about specifically MITRE tactics, techniques, and procedures, right, TTPs from MITRE. The primary things we find there are spearphishing links and attachments. And then imposter and malicious domains are the most common things our members report. The report is divided into three sections. The first section is on sharing trends. The second section is on MISP trends specifically. And the third section is on our research and education team and the reporting that they've been doing for the community. So, the first section on sharing trends can be best described as what types of threats were shared across all of the RH ISAC sharing platforms? That's everything. That's people e-mailing us to let us know things. That's the Member Exchange. That's Slack discussions. That's MISP. Every sharing platform. From what we gather from all sharing platforms, phishing in general emerges as the most common threat at 55%, up from 31% the previous period. And that moved from the second most prominent threat for last year to the most common threat that we see reported. Credential harvesting reporting, now this is interesting for me.
This three-month period, when compared to the prior three-month period, credential harvesting fell significantly. For this period, credential harvesting is 16%. And that's down from 53% last period. So, that's a significant marked drop that we see in credential harvesting. And third and fourth place are general ransomware threats at 5%. Compared to the previous reporting period in which SocGholish came in at 5%. And Agent Tesla came in at 4%. Right? So, Agent Tesla reporting has absolutely skyrocketed for the current period as well. For this period, Agent Tesla reporting overall comes in at 2%. But that's a little bit of a misnomer because this looks at all sharing across every platform. So, when we look at the MISP trends of what technical indicators get shared, that spikes a little bit higher. SocGholish, interestingly enough for this particular period, did not make the top list at all. Even though we do see SocGholish reporting fairly prevalently, that shows that across the entirety of our sharing platforms, the diversity and the breadth of topics that members discuss, that some of the things that we know are the key threats that we see in terms of technical indicators don't always end up being the key things that members are discussing, asking about, and sharing overall. Right? A couple of notable trends for this period that are different from previous ones is business e-mail compromise reporting came up to 3%, making it appear on our radar for some of the top threats. As well as OneNote documents and ChatGPT. OneNote documents being obviously related to Microsoft's big decision to disable macros, right, and threat actors largely pivoting to OneNote as a way to get around that. And then ChatGPT obviously being the famous machine learning AI tool that's become incredibly popular across the web for a number of things.
Interestingly, for ChatGPT, the threat tends to come from fake ChatGPT plug-ins, or ChatGPT-themed lures for phishing, or organizations impersonating OpenAI, telling you that they're ChatGPT, and then dropping malware once you click on something. So, when we note that ChatGPT and OneNote are listed as key threats, that's not the actual programs themselves. It's threat actors leveraging the popularity or usefulness of those programs for their own ends.

Luke Vander Linden: Right. Of course I imagine we saw in the financial world as well, when banks started failing and shutting down, that there was some threat behavior around that subject matter. Just because whatever is popular, they'll, or whatever is being discussed, threat actors will use that in their, in their attacks.

Lee Clark: Oh, 100%. And we saw some member reporting on this as well that especially phishing lures, fake e-mails claiming like I represent X bank. And since we're being shut down by the Fed, your account is now in danger. You have to click here to change your e-mail and password. And things of that nature. Yes. It's interesting. The same thing happens with celebrity deaths. Right? Whenever celebrity deaths happen and obituaries go out for the Rolling Stone, or whatever, you'd see spikes in those as well.

Luke Vander Linden: Oh, that's fascinating. Or even rumored celebrity deaths sometimes, right?

Lee Clark: Sure, sure. The hoaxes as well, yeah.

Luke Vander Linden: Right.

Lee Clark: So, if we move to the second part of the report for MISP trends, this can be defined as the technical intelligence shared by members in the RH ISAC MISP instance, which is the threat intelligence platform instance that we operate. MISP, by its function, allows us to more granularly examine the data and parse the intelligence that our members are sharing with us to get some kind of interesting list. So, for MISP, what we see on the technical intelligence that members share to us is that Agent Tesla comes in at the top malware at 43%. So, for the January to April period, Agent Tesla represents 43% of all technical intelligence shared on malware. Right? That's huge, right? That's nearly half of all the indicators that we're seeing come in are for Agent Tesla. The next ones come in far behind. IcedID and QBot both come in at 14%. And then Emotet comes in at 11%. And, of course, what we see with Emotet is big spikes in reporting. We had a ton of indicators, and then it disappears for a few months and comes back. MISP also allows us to identify technical indicators where the attribution is high confidence with threat actors. Right? Now, anyone listening to the podcast who has a background in CTI obviously knows that attribution is quite difficult. So, we're really cautious with what we attribute to threat actors with a high level of confidence, and the most prominent threat actor that we see intelligence attributed to with a high degree of confidence is APT32. The second one is FIN6. And the last one is APT38. And these are all sort of financially motivated threat actors that all have a high degree of specification, or a high degree of prevalence there. They're some of the top threats and threat actors that we see, not just in our community, but across the entirety of the global cyber threat landscape, right? And here's an interesting one that I like that MISP is now able to tell us is MITRE TTPs, tactics, techniques, and procedures.
I'm now able to track those at a pretty granular level and develop data based on which ones we see members reporting to us most prevalently. And these get classified based on the level of detail we receive from members, right? So, the most common TTP that we get is spearphishing links. That's at 33%, 33% of the TTPs that members report to us for the January to April reporting period are spearphishing links. The second is phishing in general at 18%. And what that is is spearphishing links obviously falls as a subset of phishing activity in general. So, what it is is the second one is less well-defined versions of phishing, whereas spearphishing links is a really specific tactic used within the broader level of phishing. The third one is similar to that distinction. It's spearphishing attachments. That's at 14%. So, as opposed to spearphishing links, where in the phishing e-mail you're encouraged to click a link, in this one it actually contains some type of malicious document that contains a malicious file. And then the last one for this list would be malicious domains at 11%. And these domains can be imposter domains or botnet domains, for instance, right, that have been repurposed to attack organizations. And then the last note from the MISP section, and this is interesting to see changes over time, is attribute types. We're able to see what types of indicators are being shared by members. And we use the term attribute because that's the MISP term for the type of indicator that we see, right? So, the most common attribute type, the most common indicator type that we see are IP addresses at 67%. We see a lot of malicious IPs get reported by membership. The second is e-mail addresses at 15%. Those are usually in the format of phishing reports that we see from members. And we have URLs at 5% and domains at 3%.
Those both get shared at a high level of frequency, which is interesting that we see that number of IP addresses as compared to the lower levels of other things, right? From tracking of malicious infrastructure over time and things like that, doing reverse engineering on sent phishing e-mails to determine origins and things like that, right? And those IP addresses can be really helpful over time for blocking for membership, right? Then as we pivot to the final section of the intel trend summary, we have a report from our research and education team. Right? For the January to April period, membership submitted 117 total RFIs and 274 responses. So, in many cases, our RFIs receive more than one response. Right? Our research and education team conducted four domain-related surveys over this period that generated 64 unique responses. These included a benchmark study, the 2023 tools and technology report, which actually got 138 responses. I would be remiss if I didn't note that a full report for the 2023 tools and technologies report will be released for the membership later this month. Overwhelmingly, the RFIs that are given to us by the community are for security architecture at 36%, risk management at a close second at 31%. And then security operations at 17%. So, the majority of the RFIs we receive are often technical in nature, trying to troubleshoot a tool, trying to get feedback on what tools work best in certain environments or for certain goals and key performance indicators. And then managing total organizational risk is always a key RFI that membership is concerned with, especially at the executive level. And then security operations comes in with things like policy management and best practices. So, we also break these down according to communities, right? So, executive level, CISO, CISO RFIs, generally break down according to 45% being architecture, so that's higher than the general average of 36.
Twenty-six percent of CISO RFIs are risk management, which is down a little bit from 31% of the total. And then 12% security operations for CISOs, which is down from the 17% of the general. For the analyst community, people doing the grunt-work level of CTI rather than the strategic management level, right, 31% for risk management in first place, 31% for architecture at a very close second place. And that's second place, even though it's both 31%, it is because of the decimals that are behind the 31%, right, they're very close. And then the third one is going to be 19% for security operations. So, for threat reporting over this period, we've had a number of topics discussed here on the briefing, right, from the Charming Kitten APT group targeting global regions, Mandiant analyzing the 3CX desktop app supply chain attack, reports on CTI for CISOs and cyber years, Winter Vivern and Cyber Espionage Campaign. And then the Prilex POS malware targeting contactless credit card transactions. And then I'd also like to note that during this reporting period is when the RH ISAC actually adopted the TLP 2.0 standards, which I think we talked about a little bit on the podcast as well. Right? And then the final note that we made in the intelligence summary for this period is one that we've discussed here on this podcast and on the RH ISAC blog. Right? And that's the threat actor profile initiative that we're running in this. So, in addition to technical indicators being available in MISP, we are also launching a catalog of the most prominent and prolific threat groups that target the RH ISAC community as a resource for member analysts to conduct investigations based on these groups, right? And over time, we're developing these, we're adding intelligence to them when we find them, we're expanding them.
And these catalogs include things like known aliases, background information, brief history, prominent known open-source incidents that are attributed to these groups, known TTPs leveraged by the group, as well as available indicators of compromise. And that's both from open source and from closed proprietary sources. And then the last one is data sources as well. We're completely transparent about where all of this information on the threat actors comes from, so you're able to check our math. If we've put something there that's not correct or needs to be disputed, we have the ability to adjust that and correct anything that we need to over time. Especially as new information comes out and we actually discover that threat actor groups that used to be grouped together as a single threat, turns out they're actually two groups that just cooperate at times. Things like that come out with threat actors all the time. We have the ability to adapt these profile catalogs based on that.

Luke Vander Linden: Well, that's incredible. And I'm glad you brought up the threat actor profiles, because if you didn't, I was going to bring it up. Great, we keep coming out with new profiles every, every couple weeks or so, which is just terrific. An incredible amount of data in this report. And it's really a testament to our members and their willingness to share, because we have a great sample size of the information, and as you say, IOCs, TTPs, everything that our members share, to be able to get an incredibly comprehensive look at the threats that are out there at any given time.

Lee Clark: Yeah, 100%. So, my soapbox that I always give every time I speak with members is the data and the intelligence that I am able to present to the community is solely dependent on the quality and cadence of data that members themselves share. And the fact that we're able to get such a nice snapshot of the community with granular detail is a testament to how good our members are at keeping the community informed and abreast of these topics, right?

Luke Vander Linden: I always say that the S in ISAC stands for sharing. So, it's what we do, and it's what we enable. I mean, we aren't just here enabling our members to share. And you had mentioned a bunch of our sharing platforms; MISP and Member Exchange. If you're a member, and you're listening to this, you know what these things are. If you're not, you're probably wondering what they are. Always happy to have that conversation with you. There is both a TLP clear and TLP amber strict version of this report. The TLP clear version will be on our public facing website, and the amber strict version within a password gated area on either Member Exchange or elsewhere. I think you probably put links all over the place, right, Lee?

Lee Clark: Yep, 100%.

Luke Vander Linden: Excellent. Well, Lee Clark, thank you very much for joining us again for the briefing. A very special episode of the briefing, as we like to say. Appreciate all the work you put together not only for being a guest on this podcast, but for this report in general.

Lee Clark: Absolutely. Thank you, Luke, for having me. And thanks to the community for giving me such great data to write from.

[ Music ]

Luke Vander Linden: All right, now we are joined by Dave Stapleton, the CISO at Cyber GRX. Dave, thanks very much for coming on the RH ISAC podcast.

Dave Stapleton: Oh, it's a pleasure to be here.

Luke Vander Linden: As you know, Cyber GRX is a great supporter of the RH ISAC and an associate member. Whenever we go to your team for a question or for guidance, we always get a quick and valuable response, so thank you very much for that. And please pass that on.

Dave Stapleton: Absolutely, absolutely. We enjoy it.

Luke Vander Linden: So, we've talked about third party risk before on this podcast. Obviously there's a lot of different ways to approach it. And I'm sure we'll keep talking about it in both the podcast, but also addressing it as an organization. But I'm wondering if from your perspective what does it mean to be a business enabler when it comes to security?

Dave Stapleton: Yeah, yeah. It's a great question. And it's one that I'm kind of passionate about. I've been going around chatting with folks around the country about this topic. So, to me, at its core, what it means is really being attuned to the needs of the business. And either limiting security related disruptions, or driving security related value, or ideally both. And I'll put some more words and context to all of that to maybe make it make more sense. But when I think about security programs and enabling the business, I always imagine this spectrum, this really broad spectrum, where on the one side you have what I like to call unfettered operability, meaning anyone in your organization can do whatever they want, whenever they want, as long as they think it's the best thing for the business, they can just go and do it. And so there's not a lot of security there. And on the other side of that spectrum is, we'll just call it absolute risk. So, you locked it down really, really tight. And probably most people can't do their job very effectively at that point. So, somewhere in the middle of that spectrum is where every organization in the world should be. And I don't think a lot of companies think about the impact that security can have on their business other than those like really strict like specific cybersecurity control type things, you know, are people authenticating correctly, have we encrypted data.

Luke Vander Linden: Right. Their minds immediately go to friction.

Dave Stapleton: Exactly, exactly. Those things are going to slow people down or get in the way potentially. What they don't necessarily think about is how does security have an impact on your organization's reputation? How do you gain reputation in your industry and then retain it? Obviously there's a concept of like not getting hacked, right? You want to have a really mature program that's effective and that kind of thing. There's also, you know, making sure that, let's see, you bring on new customers, and they have integrations that are going through. Being a good solid partner and securing those integrations and working with, I think the security of the platform, our services, our products that we produce are just table stakes. But what about the way that we communicate? Are we transparent? Let's say the unfortunate happens and there's some kind of a public incident, an organization can actually come out of those things with an increased reputation, just by the way that they communicated and were available in the market to post incident. I think another area is around something like revenue acceleration or cost reduction. Specifically when we think about third party risk management, when a new company is being courted by your sales team, so you've got a prospect, and they've got questions about, you know, your security posture, being able to really rapidly respond to those due diligence requests satisfy their requirements and let the sales process continue moving as a way that we can accelerate revenue. Even satisfying compliance requirements. And don't get me started on the difference between compliance and security. That's a whole other thing. But I will say that from the perspective of revenue, being compliant and being able to quickly satisfy those compliance requirements is very helpful. And then on the cost reduction side, there's a lot of different options. 
But just one example that I've been talking about recently, because it seems to be top of mind for folks, is we can reduce cyber insurance premiums. They've just been going through the roof lately. But having a mature program and being able to demonstrate its effectiveness can reduce your insurance premiums. So, there's just a lot of different ways that I think security can have a positive influence on the success of a business that aren't necessarily specifically around control A or control B, the kind of things that we typically think about.

Luke Vander Linden: All right, so you touched a little bit on how security teams can work with sales teams or go to market teams to ensure that that process goes smoothly and avoids disruption in the sales cycle. How best can they do that?

Dave Stapleton: From a sales perspective, a way to make sure that that process goes more smoothly is really getting to know your sales team and making sure that they know you from a security perspective. So, I like to sit and just run through scenarios sometimes. Even do some like role playing with my sales team. Because you get asked these kinds of questions. Here's the most appropriate response that most accurately reflects our security posture or our philosophy on cybersecurity, that type of thing. So, hopefully what we're doing is enabling our sales team to respond in the moment without creating another Stage Gate, another potential blocker or disruption, as one of our former chief revenue officers responded saying like every second is like a day in the sales cycle. And so you don't want to let there be any space or room for other objections and things to pop up. So, a big piece of it can just be equipping your sales team with education and awareness that they need in order to keep the process going and move quickly through those kind of security due diligence requests.

Luke Vander Linden: It turns it into a positive as a benefit of working with you.

Dave Stapleton: Yeah, exactly. And just being prepared, you know? You know it's going to come up eventually. So, one of the things that we like to do is just short circuit that whole conversation. Instead of waiting to stage four of a sales cycle. And when you know that compliance or that due diligence request is about to come in, and everyone's kind of sitting around scared, like, oh, maybe they just won't ask this time, we'll just get through one without it. And that never happens. Instead of doing that, as soon as it starts to look like it's a real thing, have your sales team feel confident to go in and say, hey, I'm sure at some point you're going to want to do some cybersecurity due diligence or something like that. My team is ready to assist you with that. And what we'd like to do is preemptively give you some information that we think you would find helpful, and may satisfy all your requirements without you even having to ask. So, that kind of like preparedness and the confidence to be proactive in the conversation rather than just crossing your fingers and hoping maybe it doesn't happen, I think is another way that you can really accelerate that sales cycle.

Luke Vander Linden: You know, so on the other side of the coin, and I think this is probably where a lot of our members might find themselves, new suppliers, new vendors are coming in faster than they can be really adequately vetted. So, as a security professional at a buyer, how do you prioritize? How do you make sure you're looking at the right things in the right companies?

Dave Stapleton: Yeah. I think for this one, the key piece of this has got to be based around the concept of inherent risk. So, for anybody who's listening who may not be familiar, inherent risk is sort of the risk that is present before we take into consideration the specific security controls or the security posture of an organization that we want to work with. Instead, what we're talking about is how, what is the relationship going to look like between the two of us? So, for example, when our team is going to say, hey, we've got to use this new vendor, it's so amazing, they're going to be just the best thing ever and really give us competitive advantage, we start to ask questions about what types of data will we share with them, what volume of data, and what industry are they in, what kind of vertical are we talking about, do we have specific time requirements, or is there going to be some interconnectivity that we need to know about, all those questions that we ask around inherent risk should provide answers that give us a score or some kind of a rating. And then obviously the higher the inherent risk, the more potential exposure that our organization has. Typically, that means we're going to do a little bit more rigorous assessment. And it might take a little bit longer. But also those are the ones we want to get started earliest, and so we have time to get through. So, for prioritization, oftentimes I'm looking directly at inherent risk as a way to, as rapidly as possible understand what all I need to go through in order to appropriately evaluate this particular third party or vendor that's being called in. Here are some other ways that we can try to speed up that procurement process. 
Again, going back to training your staff, if your organization fully understands why third party risk management is important, and can come into a conversation with you on the security side of things and say, hey, I'm requesting approval to do this, I've already asked these questions, you know, I know these things are coming up, so I basically understand all of this, or I might even be able to submit to you that I think this is kind of like a low inherent risk, because all it's going to do is touch this public data, that's all short circuiting the process and moving it faster. And then making things more efficient, you know, if we can build a program around procurement that's going to satisfy the requirements in many different organizations, so think about the legal team is going to have questions, the finance team is going to have questions, IT is going to have questions, if we can centralize that process in some way so that we're all satisfying those requirements through one easy to use process, we're more likely to have, you know, the requesters, just the employees that work with us, be, I don't know if I can say excited about, but at least much more likely to follow that process and not try to find a way around it, which has become, you know, in the past, you know, 10, 15 years, much easier with the advent of so many different cloud type offerings where all you need is a credit card, and next thing you know you're up and running. So, making it easy and not cumbersome I think is another way we can make it all more efficient.

Luke Vander Linden: So, centralized, have a process, but maybe not entirely one size fits all. Let the human beings talk about what they know about the potential vendor and what the inherent risk might be.

Dave Stapleton: Yeah, exactly. I mean, we want balance in assessment. Right? We need to do some sort of evaluation of risk associated with a third party. But in some cases, that vendor might be only touching data that we find to be very, very low risk, low sensitivity, maybe something that we're going to publish on our public website anyway, so the integrity of that data is important, but not necessarily the confidentiality of it. We might be able to get away with doing some risk ratings type assessment. So, we just see outside in data, where we're just scanning and seeing what we can find out about the sort of exterior security posture of that organization. And that tells us enough. We can feel confident in that. Vice versa, we could have, you know, full integration to our back-end AWS environment with access directly to our production database. And we're going to want to go much deeper with that and probably want to look at things like some kind of a tested assessment data that comes from that third party, and really have like more of a conversation with them directly. So, you've got to right size it. One size definitely does not fit all in third party risk management. Never should have in the first place. But we got addicted to our checklist early on, unfortunately.

Luke Vander Linden: Right, checklist and questionnaires. So, getting back to the encouraging business and enabling business, managing risk while supporting growth, innovation, it can be challenging. So, what's your approach to this?

Dave Stapleton: Yeah. I think it really comes from kind of what I was saying at the beginning, an alignment with and an understanding of your business's strategy. We can create a lot of disruption as security leaders just by not being informed of and really getting ahead of major business decisions if you imagine, let's see, a scenario where your company decides they want to heavily invest in the use of contract staff augmentation. You need to consider what new risks will this kind of shift bring about? How is this risk going to threaten success of your company? And then subsequently, how best to prioritize your efforts, you know, so that when these contractors start showing up, you're not scrambling to react to that situation. So, I think getting ahead of those scenarios by being embedded in and really understanding the strategy and the decisions that are being made is certainly going to be one way to stay out of the way and not disrupt when you're really trying to grow and move fast and innovate. I think some other things, one is giving employees a safe space to experiment and to innovate. You know, at Cyber GRX, we do a lot of internal software development. So, we think about, well, where can we give space to the engineers that they can feel safe trying out new tools, some new open-source solutions or software libraries in an environment that has no connectivity to and won't jeopardize any customer data? So, given that sort of open environment where people can feel free to just kind of do some wild stuff and see what they can come up with is supportive of innovation. I think the last piece of that might be just considering if the kind of time and cost intensive security controls that we may feel compelled to enforce are actually materially addressing our risk. 
Or if we're doing them, kind of going back to what we just talked about, we're doing it just because it's on a checklist that we're used to seeing, you know, I think that's another part of it, we really need to take a step back and be willing to have a conversation about risk. And we might find that a lot of the things we're doing, we're just doing them because we always have done them, but we're not doing them for the reasons that are most important, which is actually managing and reducing risk.

Luke Vander Linden: So, I want to go back to something else you kind of touched on at the beginning when we were talking about the negatives and the positives of cybersecurity, like how it's often spoken of in a negative term. So, so much of security rhetoric is around breaches, attacks, making it sound terrible and impossible to stay ahead. So, how do you stay above the noise, focus on the things that will have a positive impact on a business's success?

Dave Stapleton: Yeah. So, I think I want to just double click a little bit on the, I think the background of the color of the question. Leveraging FUD, you know, fear, uncertainty, and doubt, it's just going to backfire, it just will. I think using fear, it leads us down some dark paths. It can erode motivation, it can lower productivity and creativity. People aren't willing to think outside the box because they're really afraid they're going to get their hand slapped. Or if you're really preaching, you know, hell, fire, and damnation, they think if they do something experimental, then they might like bring about the demise of the entire company. And it also sets a bad precedent and example. We're teaching other people around us to use fear to get what they want. And that's just, it's just bad from the beginning. And along with that, what we often find is people equate that kind of FUD like mentality to this idea that no risk is acceptable. And that's not a successful strategy either. First off, it's not realistic. No company that's actually in operation is devoid of all risk. But, again, it just limits that innovation. So, as far as your question about how do we kind of avoid falling into those traps, well I think first, you know, going back to what I said before, security leaders need to really have a firm understanding of the factors that are critical to their business's success. And as a byproduct of that, we should know what risks are unacceptable, which things are going to cause us to not be able to be successful. And, you know, by the way, I think it's just interesting logic. If you've identified certain risks as unacceptable, it stands to reason that others are acceptable. And what we really need to do is be really clear about both of those and ensure that those acceptable risks don't distract us from high priority security efforts. If it's an acceptable risk, why are we getting wrapped around the axle about it? So, back to the original point. 
I think none of that is possible without understanding what the business is and what we're trying to do, what environment we're working in. So, what I recommend people do is have conversations, you know, regularly with security leaders and peers in the C Suite or across different functional areas. Ask them open ended questions like what information does your organization rely on for, you know, the most for its success? Or what emerging technologies do you think are going to give your team an edge? And then really listen to their responses and bake that information into your security strategy. The biggest example of it I think of right now is you may have heard of this, there's this thing called artificial intelligence. Yeah, so, I mean, if you kind of look around right now, it's kind of fascinating to see how different organizations are responding to this. Some are just saying we don't fully understand it, we think it's risky, so we're just prohibiting across the board. No use of any of it at all in our organization. And some are taking a more nuanced approach to it where they're saying, okay, well, what is it specifically that people want to do? And how are they going to use that? And how is it going to benefit us versus what are the potential risks? You can weigh the pros and cons. And I think that more nuanced informed approach that's really looking at risk and weighing it against the potential for the good of the business is the way to do it.

Luke Vander Linden: Yeah, something like that is such a powerful tool. You're not going to, and it's going to, it's so interesting to people, there's no way to avoid it. And so, like you said, being more nuanced. And I guess, you know, looking at AI is kind of like looking at what's the next thing coming. So, I guess looking at your crystal ball, we talk about third party risk so much because that's really the next frontier. As our members, and as retailers mature their own operations, the risks are going to come from third parties. So, from your perspective with the companies you work with, are we heading in the right direction? What do you see in the future for third party?

Dave Stapleton: Yeah, I'm glad you related that to AI, because I think that's exactly the direction that we're headed. The traditional approaches of using the static questionnaires, you know, either online, or God forbid, a spreadsheet that's e-mailed over to somebody, that's just absolutely not going to cut it anymore, if for no other reason than it can't keep up with the scale. I mean, the average company is using like thousands of third parties at this point. And it's just untenable to think about trying to manage that just from a logistics perspective, never mind actually managing any sort of risk. So, what I'm looking forward to is companies like ours, and others that are in this space, starting to use emerging technologies like artificial intelligence, to give us information that we didn't have before. You know, how can I empower a risk analyst, for example, to ask questions and interrogate a set of data that's just too huge for them to sit and read? There's 30 90-page PDFs in this assurance package that somebody sent me. That's a lot. But can I use AI and some kind of a large language model that can look into those documents and inspect them and say, oh, here's where the risks are that you need to understand? To kind of really bring up those insights. Or something that Cyber GRX has been working on for a while, and released out to the market just last year, was the ability to forecast how a third party is going to respond to a standard security questionnaire with a high level of accuracy, just based on the fact that we have had so many done in the past that our machine learning algorithms can understand and, based on a lot of firmographic data, so information about the who, what, and where of that particular third party, can make really highly intelligent guesses about how they're going to fill out the assessment. And we don't even have to contact or get them directly engaged with a third party in order to do that.
So, those types of innovations I think are the things that are going to propel us into the future. And that's all going to be around how do I more efficiently gain insights that are going to help me really measure and address risk rather than check a box somewhere that I did an assessment.

Luke Vander Linden: Well, that's fascinating. And, you know, maybe we'll reconvene in a year or so and see if that holds true. Dave Stapleton, CISO of Cyber GRX, thank you very much for coming on the RH ISAC podcast. Great conversation. I look forward to talking to you again.

Dave Stapleton: It's been a pleasure. Thank you.

[ Music ]

Luke Vander Linden: Thank you, Lee Clark, the RH ISAC's own cyber threat intel analyst and writer, for the briefing. Thank you also to Dave Stapleton, CISO of Cyber GRX. And, of course, Ben Vaughn of Hyatt. Great guests make producing this podcast a lot easier than it could be. Let me know if you'd like to come on the podcast. Shoot me an e mail at podcast@rh isac.org to let me know about that or anything else. By the way, check out that new space podcast I mentioned. It's a really great show about a really cool topic. The name is T Minus. And you can listen to it wherever you get this podcast, or find it at space.m2k.com. You should also check out Part 1 of that conversation with Ben Vaughn if you haven't already. You can find it and all past episodes of the RH ISAC podcast at thecyberwire.com. As always, a huge thank you to our own production team with the RH ISAC; Annie Chambliss and Marisa Troscianecki. And for making us sound good, the folks at CyberWire; Jennifer Eiben, Tre Hester, and Elliott Peltzman. We'll be back in a couple weeks with a new episode. In the meantime, stay safe out there.

[ Music ]