Wendy Thomas, CEO at Secureworks, discusses identifying and protecting against cyberattacks.
Hosts: Carol Massar and Tim Stenovec. Producer: Paul Brennan.
All right, folks, we want to get to some news today. DP World. It's one of the world's largest port operators, struggling to work through a backlog of thirty thousand shipping containers piled up at ports across Australia as the company resumes operations after a cyber attack. This is definitely our world. And on top of that, something like AI, artificial intelligence, which by twenty twenty five, according to some research, lack of talent or human failure, will be responsible for over half of significant cyber incidents that will be AI.
Well, we are living in difficult times. We've got a perfect voice on all of this. Our next guest participated with you, Carol, in the recent 9/11 Memorial and Museum Summit on Security. A conversation with you on cyber threats and understanding the impact that they can have on organizations.
And we do want to point out the museum supported by Michael R. Bloomberg, of course, founder of Bloomberg LP and Bloomberg Philanthropies. Great to be talking once again with Wendy Thomas. She's CEO at Secureworks. She's on Zoom from Atlanta, Georgia. Wendy, it is good to have you back with us. It does feel like, you know, we were prepping this morning and talking about you coming on, and it's like every day there's something in terms of cyber attacks set the landscape. It's become kind of part of the norm of our world. But talk to us about cyber threats, the kind of trends we are seeing, where they're coming from, the typical kinds of incidents, if you will. And welcome back, by the way.
Thank you, glad to be here. Look, I mean, the average cost of a breach for a business in the US here to date this year is nearly ten million dollars apiece, and the global cost of cybercrime, it's expected to be three x what it was just a decade ago. We're talking about a transfer of wealth in the wrong direction that's probably the greatest in our history. So when we look across the landscape, to your point, it is happening every single day. We're tracking about one hundred and thirty five active threat groups, and their activities are bucketed primarily into traditional cybercrime, right, just looking to extract profits. Nation state activity, which is clearly up in the wake of geopolitical events, and then activists who are concerned about those events and making their voice heard through a variety of cyber attacks. So we see those activities continuing, and as those three sets of actors continue to leverage tried and true techniques: scanning for software vulnerabilities and exploiting those, stealing credentials to log in and parade as someone else, and then sending those phishing emails which we've all received around certain topics. You click on those and then you've given them access to the castle. So we just see the same actors using the same attack vectors and continuing to be successful.
Wendy, is there some sort of geographical profile of these different state and non state actors, I mean, is there a part of the world that they tend to come from or is it truly global?
Well, we certainly see them sourcing talent around the globe, but in terms of state actors and cybercrime groups, we see those coming out of China and Russia primarily, respectively, but certainly Iran, North Korea and others are active on the cyber stage. But cyber criminal groups, which are purely profit motivated, they do source talent, and unfortunately they use some of the same business models that our businesses do: ransomware as a service, where different groups specialize in either stealing those credentials, writing the malware, or other pieces of the supplied attack chain. They are able to specialize and then create business models for easy access for less sophisticated criminals to smash and grab and extract those rents.
And they're moving more quickly, right? The time that they breach into your network and then the time they do some kind of attack. I remember a statistic when we talked. It's now I think something like less than a day, less than twenty four hours.
It is on average this past year. It's from the time of intrusion to the time of breach, it's less than twenty four hours. It was about five days a year ago. And what we see, unfortunately, is that in about ten percent of those cases it's less than five hours. And so when we talk to CEOs and CIOs about protecting their organization, it really is all about time, time to detect, time to respond, and that's where the power of artificial intelligence really comes into play to turn that back against the adversary.
How does the AI? How does that work? When it comes to AI? I mean, take us through the process here.
Sure. So when you think about a technology like Secureworks has, where we're using artificial intelligence to really model and amplify what we see in terms of adversary behavior inside of a network. So it's one thing to use ware to detect when they're deploying malware in an organization, but it's another thing to know that the CEO's behavior online or accessing certain information is unusual or anomalous. AI can help you not only understand what's anomalous, but put together much more data more quickly to say that it is both anomalous and malicious. And the ability to detect that quickly, to prioritize that, to raise it up to attention, and then for the system to orchestrate the response to protect the network is incredibly important. Speed. Security has to move the speed of business.
Wendy, when you guys have either a new client or existing client, I mean, tell us, are most, are a lot of organizations... It could be nonprofits as well as publicly held companies or small companies, midsized companies. Are they, I guess I'm asking, are most institutions unprepared, underprepared?
Unfortunately, most organizations are more vulnerable than they and it may be that they've done a great job of protecting their own assets, but they are inextricably linked with other vendors, other suppliers, and thinking about your security as having to secure those who are interoperating with your organization and your systems as much as you secure your own castle is probably the most important. But the good news is that most cyber attacks, especially from cyber criminals, are absolutely opportunistic, and so just creating some degree of friction that makes it more difficult for them to find that unlocked back door goes a long way in terms of, if not preventing breaches, absolutely mitigating the impact to the business. No.
I remember when we talked and I came in kind of hot and heavy into our studio on the Monday, was after 60 Minutes had aired a report. It was about the Five Eyes, and this was the five security service heads or spy chiefs, the US, UK, Canada, Australia, New Zealand, and they had taken a trip to Silicon Valley and they were talking about the greatest threat to innovation in the countries of the Five Eyes, and that was the threat and specifically Chinese industrial espionage, which I think is kind of timely considering this week we've got the meeting of President Xi and President Biden. Frenemies, if you will, need each other but also are very wary of each other, I think is a safe way of saying. But this idea of digital attacks, cyber attacks about getting into an organization, industrial espionage, whether it's IP, you know, strategy at a company. I mean, is this happening more and more?
So China is absolutely the most active nation state that we see from a cyber perspective, and we watched them evolve over time. So in the past, those threat groups have had a reputation for sort of smash and grab, so steal that intellectual property around something that's important of electric battery development or even agricultural innovation and scale, and so that emphasis was really about just achieving the objective as quickly as possible. But what we've seen more recently is that a growing number of Chinese threat groups have demonstrated an increasing focus on stealth and operational security in their intrusions, and so it is often difficult for organizations to know that the Chinese are in fact inside of their networks and able to, over a sustained period of time, not only collect information, but determine what information is most valuable and important to them, and do so leaving a minimal intrusion footprint by leveraging a set of defense evasion techniques that we've seen increasingly in place.
Hey, one thing, Wendy, I always like to ask people in your positions are just how you conduct yourself as a normal consumer online. You know what is possible, you know what to watch out for, of course, but you also probably do online banking, and you probably have many, many passwords for consumer facing websites. How do you do it?
I do have a little extra vigilance around my online activities and persona, as you might imagine. First and foremost, I do use separate devices for doing things like online banking. One of the most important things you can do is absolutely difficult and unique passwords for your online activity. I'm sure all of you have received emails where your password has been stolen, and therefore if it is able to access any other application online that you're using, it's really important that you have a diversity of passwords and that you have secured the location of those passwords. No putting those in your phone notes or that type of thing when they're accessible. So for me, it's those things plus just vigilance, being very thoughtful around the emails that I get. I rarely click on links even though they appear to be from family members or others. But it's just about a heightened awareness and carefulness in terms of your digital footprint.
Two-factor authentication always?
Always. There are very inexpensive ways for you to be able to do that that aren't just necessarily your phone versus your iPad, but things like YubiKeys and others are a great way to just provide that extra layer of friction. As I said, lock that back door and that cyber criminal will move to a much easier target.
What about like you mentioned, strong and unique passwords, I will, I will. I've used for a decade a password manager. It is the most painful process. I will tell you that do you use a password It's the only way to It's the only way to have strong and unique passwords. I mean, do you do is that? Do you agree? Is that the only way to do it?
It is a great way is to use a password manager, but even those are not foolproof. So again, as you think about defense and layers of your environment, so that physical multi factor authentication in addition to the password managers. It's just that diversification of multiple steps in the process, which to your point is not very fun, but it is a way to prevent your identity or your financial access to be stolen.
You know how much fun I am, Carol. I once got password managers for my parents for Christmas one year. That's how much fun I am.
You are a good son, That's really Oh my god.
We do a lot of talking about passwords and protecting, certainly at home. What are there you know, it's interesting, a lot of your business is in the US, but you're global, and I'm just curious. You know, in terms of the growth of your company, you're publicly held, you know, where is, you know, where is the business side growing the most for you guys?
So you're right. Secureworks is about forty percent outside of the US, and we definitely see the fastest growth outside of the US in terms of security maturity. A lot of US organizations, especially financial institutions, were early adopters of cybersecurity defenses for both reasons of protecting their business as well as for compliance reasons, and we see that adoption accelerating pretty rapidly outside of the US, not just as new laws are put in place around requiring certain cybersecurity elements and data protection elements, but also just as those organizations come under attack and realize how important it is to make the investment, and that making the investment in prevention is much less expensive than a breach.
And I am curious too. We talked a little bit about AI, you know, and I know when we first talked, we got into this, you know, and I kicked off our conversation about Gartner. And by twenty twenty five, lack of talent or human failure will be responsible for over half of significant cyber incidents. By twenty twenty five, the consumerization of AI enabled fraud will fundamentally change enterprise attack surface, driving more outsourcing of enterprise trust and focus on security education and awareness. So AI, the good, the bad, and ugly, like we all like to talk about. How is AI being helpful for you guys as you move forward, how is it also the preventing or presenting new challenges in terms of digital attack, cyber attacks?
Well, as you and I have discussed, I absolutely view AI in the lens of the power and the peril. And when I think about the power, it absolutely has enabled us to process protections for organizations faster. You can collect more data, filter through more quickly, translate chat on the dark web more quickly, and understand context around planned attacks. All of those things are really powerful to, again, as I said, detect something quickly and respond in an automated way so that that dwell time of twenty four hours or five hours, it doesn't translate into a breach for you. The peril side of that is we certainly see the ability for adversaries to leverage AI to attack, and whether it's the use of things like deep fakes or even just making those phishing emails more believable, more visually accurate. The language is exactly the way that your institution would speak to you. They might have a little bit of personalized information in there. And so when we think about the threat actor community sharing learnings around how to use AI, answering questions in forums with each other about how to best leverage this new technology to attack, we absolutely have to, as a set of individuals, citizens, companies, security companies, and as governments, think about collaborating together as a community to advance both AI and our protections against its use against those of us who are trying to use it in the right way.
We're speaking right now with Wendy Thomas. She is the CEO at Secureworks, joining us on Zoom from Atlanta. Wendy, before we let you go, give me an idea of the way that budgets have shifted around IT spending or security spending such as this just in your time at Secureworks, you know, in terms of percentages, like when the C-suite is planning out the next year, next five years, how much of that funding now, how much of their spend is going to keeping their own systems safe?
So we think about it in terms of IT spend as a percent of revenue, and then security spend as a relative percentage of that IT spend. And in the times of everyone digitizing their business, and particularly when we went through remote work during COVID, that digitization spend accelerated. But what we've seen particularly is that the security portion of that IT spend, it can now be as much as forty or fifty percent of that, which is just a function right now of where the investment needs to go relative to the threat in the landscape. That will normalize over time, but it is definitely growing as a percent of revenue, just given the environment in which all these organizations are operating.
It's interesting to see the way that it's shifted.
Yeah.
Absolutely, I mean anecdotally, Carol. I mean, I don't know what it's it's gone from like front and center in terms of the way that we're trained to think about incoming emails, the way we're training to stay safe online. I mean, it's such a big part of what companies do these days, because, as you mentioned, the risks are so huge.
Yeah, I think about it. You know, it's just everything is digital, everything is you know, it's so easy. There's probably so many entry points. And you're right, Danma mean, our security is pretty extreme, but you understand why, hey, in terms of the nitty gritty of your business. And you and I talked about this before, but since we've got you back again, we're in this. It was a funny market day, it was kind of quiet. We're waiting for a lot of things. When you look at the outlook six to twelve months, how does the economy feel for you guys? And you obviously have a lot of clients that play into so many different sectors of the economy. So how does it look or what are you hearing from them?
We have seen pretty similar behavior, I'd say, throughout this year, so nothing has changed in recent weeks per se. But what we see is a general level of optimistic caution. So it's not that businesses are not investing. They absolutely are, whether it's in security or digital transformation or other expansions of their business, but they are just doing so with a level of scrutiny around that spend to ensure that, one, they have the right partner, and they do a lot of that through referenceable other customers. Two, that they can measure the return on that investment, and three, they have flexibility over time for that investment to remain valuable to their business as it can evolve with their changes and strategy and approach.
All right, well, good stuff as always. Thank you so much. I'm so glad we were able to check in with you again and really appreciate all the time. Wendy, be well. Wendy Thomas. She's the CEO of Secureworks, joining us on Zoom from Atlanta, Georgia.