Building a Trusted Organization: The Importance of Cybersecurity Learning for All

Episode 62 October 27, 2023 00:33:55
The Edge: A Skillsoft Podcast

Hosted By

Michelle Boockoff-Bajdek

Show Notes

Creating a strong cybersecurity culture depends on continued investment in education. Whether your organization serves the consumer or other businesses, the vast amounts of data entrusted to your care are increasingly vulnerable to cyberattacks, and the success of your business depends on safeguarding that resource. So, when organizations invest time and effort to stay current with the latest cybersecurity practices, they are also investing in a safer and more trusted work culture.

We dive deeper into this topic on this episode of The Edge with Okey Obudulu, Chief Information Security Officer at Skillsoft. Join in as Okey and host Michelle Boockoff-Bajdek discuss how to protect yourself, your company, and your employees from cyberattacks while also serving to build a more trusted organization. 


Episode Transcript

[00:00:13] Michelle BB: Welcome to The Edge, the Skillsoft podcast, where we share stories of the way in which transformative learning can help organizations and their people grow together. I'm your host, Michelle Boockoff-Bajdek. My pronouns are she and her. And as I look back over previous Edge episodes, I can see we've covered, well, let's call them human subjects: from diversity, equity and inclusion, to women in the workplace, to the new social compact between employer and employee, and just about everything in between. So when we came up with the idea of a cybersecurity episode, we felt it was vitally important to have a human angle. And you know what? It turns out it was easier to do that than we originally thought. Because at its heart, cybersecurity is about trust. And that is very, very human. As technology evolves and tools like generative AI take center stage, there is something else emerging too: the potential for harm. Harm to your organization, to your employees, to the people you serve. And whether your organization serves consumers or other businesses, it likely holds vast amounts of data that are entrusted to your care and are becoming increasingly vulnerable to cyberattack. It is not hyperbolic to say that your business depends on safeguarding those resources and keeping the trust of the people you serve. Which means that you have to constantly and consistently learn how to keep threats at bay. As our guest today has said, scammers and hackers never stop learning, so why should your employees? Yes, this cannot be stated strongly enough. Creating a strong cybersecurity culture depends on continued investment in learning and growth. Encouragingly, in researching trends for our 2023 Cybersecurity Awareness Report, we've discovered that organizations are investing substantial time and effort to stay current with the latest cybersecurity practices. In fact, security training consumption is at an all-time high this year.

Today, with Skillsoft's own Chief Information Security Officer, Okey Obudulu, we'll discuss some key findings from our report and learn how a robust training program can protect your organization from a potentially damaging security breach and help you build greater trust with all of your stakeholders. Okey, thank you for being here and welcome to The Edge.

[00:02:44] Okey Obudulu: Thanks, Michelle.

[00:02:45] Michelle BB: Glad to have you. You know, your background is so fascinating. I had no idea until we started to prep for this episode. So, from Criminal Forensics Investigator for the New York State Attorney General's Office, to Vice President of Cybersecurity at Goldman Sachs, to your role as Chief Information Security Officer here at Skillsoft. You must have experienced some seismic shifts with each new wave of technological change. I'm so fascinated. Would you do our audience a favor and share a little bit more about yourself, how your career evolved, and how your background helps you in the work that you're doing right now?

[00:03:28] Okey Obudulu: Of course. Over the course of my 20-year career, I've had diverse experiences ranging from network security, systems and network administration, incident response, programming, and other technical and security roles as well. I also spent some time in law enforcement as a criminal investigator focused on digital forensics investigations, before moving to Goldman Sachs, where I was VP of Cybersecurity. I left Goldman to build and lead security programs for startups that needed it and had a really valuable experience doing that at two separate startups, including Codecademy, before assuming the CISO role at Skillsoft. The breadth of knowledge and experience gained has truly been invaluable in my current role as Skillsoft CISO, as it allows me to approach security challenges with a well-rounded perspective.

This is particularly important given the innovations, as you mentioned, in technology that we've witnessed over the years and continue to witness now with the evolution into generative AI. With all of that comes a constantly evolving threat and threat landscape that organizations and individuals, as a matter of fact, have to continue to navigate. Technology has indeed changed our lives in many ways over the years. And now with generative AI, that change potentially accelerates for good. And there's some potential for harm as well. One risk area involves criminals whose previously limited technical expertise was a barrier to entry to conducting cybercrimes. With generative AI used as a tool to facilitate those attacks, there are bound to be an increased number of such attacks. So some concerning stats, right? When you consider that today there's a cyber attack every second, a lot of that results in approximately 18 people falling victim to cybercrime every second. The need for trained professionals has never been greater. And just as important is the need for training and awareness for everyone in an organization.

[00:05:53] Michelle BB: So if I understand this correctly, every second, approximately 18 people are victims of cybercrime. If I do the math, that means every week more than 10 million people are victims of cybercrime. That's pretty incredible. And if that number is going to grow, this is a real challenge for organizations, especially if they happen to be on a work device when they're doing this. I mean, the fallout, the damage could be huge. And we always hear, I think, this saying when it comes to security, that your people are your weakest link. I mean, I think I've seen it in training before. But you like to look at this differently, correct? Because I think that people aren't necessarily the weakest link, but I think they're potentially your best advocate.

[00:06:42] Okey Obudulu: Indeed, indeed. I do look at it differently. I prefer to think of our people as our greatest opportunity. The better we train our people to be vigilant and recognize potential threats, the more we can rely on them as our strong line of defense against attacks. With improved training, awareness, and a deepened culture of security across any organization comes the benefit of improved security posture.

[00:07:07] Michelle BB: I think that's fantastic. And I know that we have a number of courses available for our customers on cybersecurity. Do you have, like, a favorite? Is there something that you say, I think everybody should be taking this particular course?

[00:07:24] Okey Obudulu: The courses needed would vary depending on the individual's role.

[00:07:29] Michelle BB: Okay.

[00:07:29] Okey Obudulu: And then there's the generalized sort of awareness and security education and training we want to give our overall population at our organization, to help arm them or equip them with the appropriate knowledge they need to have in order to be able to help defend us and themselves against the threats we are seeing in the form of phishing.

[00:07:58] Michelle BB: Right. If I understand this correctly, everyone needs to be aware of the potential threats, because everyone has the potential to either be a victim or can help address the problem by acknowledging or understanding that they've been targeted. It feels, Okey, like there are so many pieces to this puzzle when organizations are looking to build a culture of security and trust, and a lot to learn, and the fact that learning has to be continuous because of the nature or just how technology advances so quickly. And our Cybersecurity report bears this out. Security and infrastructure operations showed the most significant gains in learning consumption in 2023. And recently, during a chat with our team, you said you like to break cybersecurity down into three areas of focus. Could you talk a little bit about each of those areas?

[00:08:56] Okey Obudulu: Yeah, sure. I like to break it down into three areas of focus in terms of thinking about what an organization's cybersecurity strategy should be. Those break down into proactive, reactive, and trust. There are a lot of domains within each of those areas I just described and lots of initiatives that organizations have to kick off to actually implement them. But let me get into kind of breaking down proactive, reactive, and trust for a minute. So first, proactive. This would involve initiatives around Identify and Protect, and I'll come back to that in a minute. Reactive would include functions of Detect, Respond, and Recover. And then finally there's Trust, which ultimately is what an organization needs to establish with its customers and employees and partners. So first, proactive: Identify and Protect. It involves identifying your organization's critical assets and the threats to those assets and taking proactive steps to protect them. Some fundamentals in this area include having an inventory of your critical assets, because you can't protect what you don't even know you have. It involves deploying appropriate protective security controls, managing identities and access, ensuring vulnerabilities are identified and vulnerable systems patched promptly, adopting secure software development practices so that code that your engineering teams are developing is tested before being pushed to production, and defaulting all of your deployed systems to a secure configuration by default also helps. Next is reactive. This is where those functions of Detect, Respond, and Recover come in. An organization's ability to detect security issues and incidents, respond to them effectively, and recover from any damage is crucial. Of course, the steps of ensuring that the detective sensors are in place and the organization has a practiced incident plan and incident responders, all of those are proactive steps that have to be taken towards this reactive action in the event of a malicious attack. Having these in place could prove to be the difference between an organization suffering no impact or suffering a slight impact on its business operations, or the worst-case scenario of an existential business risk for an organization. And then finally, there's trust. And that's trust with customers, trust with employees, and trust with partners. This is ultimately what an organization strives to earn. And by incorporating those proactive and reactive elements that we just discussed, the organization gets to drive down risk within it and improve its security posture. The organization also has to be able to meet regulatory and legal requirements in jurisdictions where it does business to earn this trust as well, and as well meet audit standards. So, in summary, a holistic cybersecurity strategy should encompass these three broad elements of proactive, reactive, and trust.

[00:12:37] Michelle BB: It's fascinating that you say that, and in listening to you, it makes absolute, complete sense. And the last one especially, right? Trust is paramount. And that's across your organization. That's internal teams, it's leadership, it's the relationships you have with your partners, with your customers. And so that trust has to extend throughout your value chain, which I find really interesting.

[00:12:58] Okey Obudulu: That is correct.

[00:12:59] Michelle BB: Okay, now that you've talked about these three areas, I'd love to understand what cybersecurity roles are important, because just like you said to me before, there isn't just one course. It's not like there's just one role within cybersecurity. So what's important for organizations to hire for or to upskill for, so that we can ensure that we've got those three areas covered? Because it seems like each area might require a different level of expertise. Can you walk us through that?

[00:13:31] Okey Obudulu: Yeah, that is correct. A very broad range of expertise is required to implement a security program. So to implement some of those strategies we just discussed and build out a holistic security program, you need people, processes, and technologies to come together. So speaking of people and the sort of expertise needed, there are quite a few. I'll start with application security engineers, for example. These are folks within your organization focused on ensuring that software and applications being developed by your engineering teams are being developed with security in mind from the beginning, identifying and fixing vulnerabilities in code as they go along. Next come cloud security and infrastructure security engineers. These are folks specialized in securing the organization's infrastructure and services and ensuring that data hosted in the cloud or on prem is protected. We also have security analysts on the team focused on implementing and managing the security processes. Some examples of such security processes would be vulnerability management, right? So a way of ensuring we are constantly on the hunt for vulnerabilities in the environment, and when we find them, we have teams promptly patching them; and then conducting, for example, third-party vendor risk reviews, because our engagements with third parties potentially present a risk, and we need to understand what those risks are and, as an organization, be sure that we're comfortable with those risks before we engage with that organization. Incident response analysts are also part of the team, and they're responsible for triaging, investigating, and recovering from security incidents and for executing the organization's incident response plan. This is just to name a few. One more I'm going to mention here are governance, risk management, and compliance professionals, who are focused on managing compliance with security regulations, assessing risk, and ensuring the organization's security policies align with its business goals.

[00:15:49] Michelle BB: This is such a layered and fascinating subject, but I want to circle back to something we talked about earlier, which is the role of employees, because I was struck by something that a team member said to you. She said she'd recently received a little email congratulating her on detecting and reporting a phishing email, and, believe it or not, she was a little sheepish about it, almost like it was the smallest sort of inconsequential thing she could do. But your response back was inspiring. You acknowledged shared responsibility and admitted she shouldn't have received that email in the first place. Essentially, you reminded her how valuable her actions were to the organization. Do you mind sharing with our listeners what you said and really what every individual should be looking out for day to day?

[00:16:35] Okey Obudulu: Yeah, we definitely should celebrate our employees every time they report issues. They are our greatest strength and our opportunities. And it is indeed true that you'll never hear me say that employees are our weakest link. And that is because I truly believe that when it comes to cybersecurity, employees are an organization's greatest opportunity. So let's take one example of social engineering and phishing messages, which, as we all are experiencing, are an attacker's favorite vector of attack today. First, to be clear, to the point you made, organizations should implement anti-phishing measures that limit the potential that malicious messages get delivered to employees' inboxes in the first place, along with malware and browsing protection in case employees click on that link or open that attachment. So there's actually some protection there as well. The reality, however, is that these controls and protective measures have their limitations, which is the reason we all receive phishing messages. Employees therefore play that crucial role as that line of defense, keeping the cybercriminals from achieving their goals. Hence the reason why we should celebrate them. As with any line of defense, it does need to be fortified, and that fortification is achieved through training and true awareness that we provide to employees to continue to improve on the organization's culture of security and to equip employees with the tools they need to help the organization continue to achieve its goals. Cybercriminals are finding a lot of success through phishing because it's the easiest way to try to break into an organization or exploit an individual. Definitely a lot easier than trying to break through network perimeter walls that are becoming more and more secure today. So we can reasonably expect that phishing will not be going away anytime soon. So, to the extent possible, we continue to equip our employees through training and awareness on ways they can be vigilant and how they can help identify messages that are scams, messages that are malicious, and report them to us and not fall for it or click on it. By so doing, we're helping to protect the organization and protect the employees as well.

[00:19:19] Michelle BB: So can I tell you a story? Can I admit to something? Okay, so at a previous company, not here, I promise, but at a previous company, I was at a big trade show and everybody from my company was there. And I got a text message from the CEO. And it wasn't unusual, but I got a text message from the CEO. He's like, I need a favor. And I'm like, sure, what do you need? He's like, I've got customers. I need some Apple gift cards. I need you to run out and go get me Apple gift cards. And I'm like, really? Right now? You know, I'm in the middle of the conference. No, I need you to go do this right now. And look, the dude was a little quirky, so I didn't think anything of it. Okay? But then he's like, and I need you to give me the numbers on the back of the gift cards. And I'm like, okay, now I'm starting to think this is getting a little bizarre. And I'm like, could you tell me where you are so that I can come have a conversation with you? Because this doesn't feel good. And then I realized ultimately that it was a scam. But, Okey, I have to admit to you, I probably had like a two-minute chat because I really thought it was our CEO, because, again, little quirky. And this is the kind of thing that you're talking about. Phishing is getting more sophisticated. It's not going to go away. And I think criminals are using lots of different means to try and target us. Does this sound familiar to you?

[00:20:37] Okey Obudulu: Very familiar. And people fall for these scams, unfortunately, very often, because they are very often very compelling, as you experienced. So when it comes to email, and indeed all forms of communication, the text message, for example, that you just mentioned, it comes down to establishing trust with the message before engaging. So that's the guidance: establish trust with the message before engaging. In your case, to establish that trust, you asked to meet; you asked, where are you so I can come to you, right? In essence, you were going to take it offline to go meet in person to verify that it was indeed the CEO that had reached out. Those are the right steps to take. So the general guidance I like to provide is for folks to establish trust with any message, regardless of the means by which that message is coming. So let's stay with email for a minute. If you were to receive an email that appeared to be coming from some individual asking you to take some action, that action could be providing some information, it could be clicking a link, it could be opening an attachment, or, in your case, providing a gift card, which is a very common attacker technique these days. First is to scrutinize where that message is coming from. So is this message coming from a trusted source? A source you know? So that's just the first step. So even after we have established that trust that the message is indeed coming from a trusted source, we have to take some additional steps to verify. Because, unfortunately, there have been cases where criminals take over a legitimate account and use it to send out malicious messages. So it's not enough that you just check that that message is coming from a known sender. A couple of additional steps you should take. I call it sort of giving each message a sniff test. And that sniff test involves, one, am I expecting this message? Right? So although it's coming from an individual I know, am I expecting a message from them? And then two, if I am indeed expecting a message from them, does this message seem normal for that individual and for their role? Right? Hopefully every organization has established policies guiding how funds, for instance, like in your case, sharing a gift card, guiding processes like that. But even where that's not the case, the additional sniff test to give a message is, does this appear normal? Should I be receiving a message from the CEO asking for a gift card? Or if you were to receive a message from me asking for a gift card, should you be receiving a message from the CISO of your organization asking you to send a gift card somewhere? So that's the additional sort of sniff test I ask folks to give every message they receive before actually engaging with it.

[00:23:46] Michelle BB: Thank you. I think that's good. And by the way, I did not purchase the gift cards. I just want everybody to know that there were no gift cards purchased by me. I established that trust. I looked to see if it was from a known trusted source, and it was not. I do want to talk about something that is on everybody's minds, and everything I read and everything I see, I can't get away from it. And that is generative AI. And I have to think that it's on your mind too. And I'd love to understand from your perspective, how has generative AI in all of its forms affected the cybersecurity landscape? And does this keep you up at night? Is this the sort of thing that you're worried about the most now? What advice would you give to people as they are entering this playground and starting to learn to use the technology?

[00:24:37] Okey Obudulu: Yeah, sure. Unfortunately, the same wonderful productivity benefits of generative AI that we're all experiencing are also available to cybercriminals. As I mentioned earlier, generative AI does lower the barriers to entry for attackers. So, for example, cybercriminals are leveraging gen AI to research and compose more compelling phishing messages that are potentially also error-free. So those kinds of telltale signs of grammatical errors potentially go away. And unfortunately, as well, the least technically savvy attacker can now rely on generative AI to develop highly disruptive malware. So it is a concern, and it is a concern that individuals and organizations and cybersecurity professionals should be thinking about. In addition to that, generative AI also makes it increasingly difficult to distinguish what is real from what is fake. Right? So with the proliferation of these tools for generating fake voice notes, video recordings, and text that closely mimic the authentic individual's communication style, attackers will use this for their attacks. What can an organization do about this? I will point to two key things. The first is establishing a policy around it. So there should be a policy guiding the organization's use of AI and how folks within the organization should be interacting with it, and then providing as much training to employees as well so they are able to be aware and are equipped to deal with the new realities of a potentially increased threat landscape.

[00:26:41] Michelle BB: Yeah, you saying that, I got the chills a little bit, because now we could get messages that actually sound, feel, seem like they're coming from a trusted source. And we may not feel... it may pull our guard down; we may not feel as though we need to really apply that sniff test. But in reality, we now need to apply greater scrutiny to just about everything that we receive so that we don't fall victim or prey to a potential attack. Because this makes those bad actors, or it gives them, more tools with which to cause harm.

[00:27:24] Okey Obudulu: Yeah, that is correct. So in addition to training and awareness, that is definitely important to sensitizing employees to this increased threat level and helping them be more vigilant, there are other fundamental steps to protect an organization that have always been important, but even more so today, again, given the increased threat landscape. So here are some of them, right? For example, good password hygiene will always be important to protecting an individual or organization. Keeping systems patched, implementing multifactor authentication goes a really long way. Having, as I mentioned before, secure configurations as a default in technologies we're implementing. Some of this I had mentioned before: testing code before we push it to production, managing identity and access, especially for privileged access. And then I mentioned before as well the importance of third-party risk reviews. Because in the same way the threats to our organization are now increased, the threats to every organization and every individual potentially are now increased as well. So those assessments become really important to ensure, before we engage with those organizations, we understand what risk we are taking on as a result.

[00:28:54] Michelle BB: Okey, this is all great advice, and it has been so wonderful to sit down with you and to have you demystify cybersecurity, and hopefully people won't feel dejected, but in fact maybe feel more confident and also seek out training so that we can learn together how to best protect ourselves, our customers, our organizations, our families. And speaking of learning, Okey, before we wrap up, I have three questions to ask you, the same ones I've asked every single Edge guest since we started this series back in 2020. So I want you to tell us all, number one, what you're learning right now or what you've recently learned that's had an impact. I know that wasn't a question, that was a statement. But what are you learning? The second is, how are you applying what you've learned, either at work or in life? And third, what additional advice about learning would you share with others? So what are you learning, what are you applying, and what advice would you give?

[00:29:54] Okey Obudulu: So I'm going to start with the last question, what advice I'll give. Start with the generalized advice to everyone and then come to our CISO community. It is crucial that we all continue to learn and grow. It has to be a daily activity. Bringing it to our cybersecurity world and that role of a CISO: to be successful, CISOs will need to embrace that continuous learning across multiple domains, as a matter of fact, ideally daily. Those domains include learning, obviously, about security and continuing to deepen the knowledge there, about privacy, about technology, leadership, business, and risk management as well. It includes keeping up with new and emerging technologies as well. We just talked about generative AI and the potential impact to society, and with that, the risk associated with it. So all of this is within the areas that I continue to learn on a daily basis. I continue to deepen my knowledge and understanding across all of those domains. And as I said before, to the extent that all of us, as individuals and as professionals, and even more importantly as security professionals and CISOs, continue to deepen our knowledge, the better we get. I recently finished reading Principles by Ray Dalio, and the principles he shares on life, leadership, and business definitely resonate with me. Two particular principles I would like to highlight. Right? So his Understand the Machine principle, which highlights the importance of gaining a deep understanding of the systems and processes that drive both organizations and life itself. This knowledge empowers leaders to make informed decisions and adapt to changing circumstances effectively. And the second one, maintain an idea meritocracy, advocates for an idea meritocracy where the best ideas win regardless of their source. Right? This principle encourages leaders to put ego aside and prioritize the pursuit of excellence. It's a reminder that as leaders, in my case in security and in business, the focus should be on what works best, not on who proposes it. So these are things I continue to incorporate in my leadership and leadership style. So both of these principles definitely resonated with me. Our best opportunity for success, I feel, as we continue to improve on the design of our security program, which is a work in progress and always will be a work in progress because of the evolving nature of threats, right? Because of that evolving nature of threats and the sort of risk associated that the organization has to deal with, embracing that idea meritocracy, and all of us setting aside our egos to seek the best ideas, I think sets us up for success.

[00:33:15] Michelle BB: I love that so much. Thank you for sharing. And I know how busy you are, so I really want to thank you for bringing your expertise, your experience, your knowledge to bear, especially during Cybersecurity Awareness Month. And to everybody out there, go learn and go hug your CISO, please. Here at Skillsoft, we propel organizations and people to grow together through transformative learning experiences. I hope you've enjoyed this episode of The Edge as much as I have, and be sure to tune in again as we unleash our Edge together. Be safe, everyone. Bye.
