Ahead of the Threat Podcast: Episode Two - Kevin Mandia

On this episode of Ahead of the Threat, FBI Assistant Director Bryan Vorndran and FBI Strategic Engagement Advisor Jamil Farshchi speak to Kevin Mandia, founder and CEO of Mandiant, one of the world’s leading cyberthreat intelligence and incident-response firms. Drawing on his vast industry experience, Kevin talks about game-changing breaches and the history of cybersecurity, the increasing prevalence of voice cloning and other artificial intelligence tools in social engineering schemes, and the changing role of the chief information security officer (CISO). Kevin also shares the top four questions every CEO or corporate board should ask their CISO to assess cyber readiness. At the start of the episode, Bryan and Jamil discuss trending topics like Sophos’ acquisition of Secureworks, the cyberattack on American Water, and the new CISO hire at UnitedHealth Group. Listen to Ahead of the Threat episodes, read the transcripts, and find related material at fbi.gov/aheadofthethreat.


Video Transcript

[Music: Futuristic, airy tone.]

FBI Assistant Director Bryan Vorndran: Welcome to Episode Two of Ahead of the Threat. As always, I'm Bryan Vorndran, assistant director of the FBI's Cyber Division. And joining me is Jamil Farshchi, the current chief technology officer of Equifax. We're actually recording this on Friday, November 1. Behind me is my Penn State helmet. Big game this weekend against the Buckeyes. So, by the time this airs on November 6, we'll know if my Nittany Lions remain undefeated. But big weekend in college football ahead of us.

We are going to get into our top three. So, Jamil, I'm going to go over to you to outline these top three, and then we'll get into a quick, interesting dialogue about them.

FBI Strategic Engagement Advisor Jamil Farshchi: Yeah. Thanks, Bryan. I, I'm still trying to get some of this face paint off—makeup from Halloween, last night, where I was a ghoul. Was actually legit scary in that thing. Maybe too scary, as a matter of fact: I scared—my three-year-old didn't even know who I was.

Speaking of scary, though, so, on the Sophos one—I guess this one isn't super scary—but Sophos acquiring Secureworks: I think this is an interesting one because it ties into the broader consolidation of the cybersecurity industry. And I think we've seen, you know, time and again, these smaller organizations get gobbled up.

This one's a little bit of a big-to-big, so I don't know if it's going to be as meaningful as some of the ones that we've seen before. But it is interesting because, I know a lot of players who are leveraging Secureworks today. And, so, this is going to certainly lead to some level of change. And, I don't know, I struggle a little bit because I've seen, throughout my career, a lot of good companies get acquired in cybersecurity and maybe not fare so well thereafter, in terms of the quality and service levels.

I'm hopeful that this one doesn't turn out that way. But I think, at the same time, one of the concerns I have is just the continued consolidation of the industry and how we might be getting to a point where we have just more and more single points of failure because everyone is just getting gobbled up. What do you think?

Vorndran: And you know, from an FBI perspective, you know, we're really, really interested in the implications on the cyberthreat intelligence that Secureworks had organic access to and how that's going to present itself moving forward in the Sophos environment. And I agree 100% with your comments, Jamil. You know, this is just a sign of the times about industry consolidation from the bigs gobbling up the smalls.

But, again, I would agree with you that Dell Secureworks is a pretty big organization, and a very, very good organization and powerful organization when it comes to the intelligence they’re able to have access to. You know, I think—for the audience—one of the key takeaways here is: How do you, as an organization—whether for-profit or not-for-profit—plan around these consolidations and avoid single points of failure?

You know, we've seen this in the recent past with EDR [endpoint detection and response]. And, you know, a very basic example: If you have two EDR solutions—one on 50% of each of your devices, your endpoints—and one of them fails, well, you impact 50%, right? If you have one EDR solution on 100% and it fails, you impact 100%. And, so, I think that's a really key takeaway for our audience right now as they monitor and internally manage the acquisition of Secureworks by Sophos.

Farshchi: Yeah, it's balancing that single point of failure versus the increased complexity that you have with multiple vendors—

Vorndran: Yep.

Farshchi: —within the same space.

Vorndran: Yep.

Farshchi: So, okay.

Vorndran: Yep.

Farshchi: So, let's go over to American Water. So, it sounds like they're recovering from the cyber event there. Obviously, this hit the headlines because of it, you know, it's critical infrastructure. It's just another one of these kinds of attacks that potentially, you know, could affect us all. And I think, when I look at it, I always think, "Man, you know, these seem kind of dink and dunk right now. But I think there's a lot more implication here." And, if you talk to people like Mark Montgomery, this is his calling card where he's been pushing for more controls, more visibility around critical infrastructure.

Just curious, your thoughts on this one?

Vorndran: Yeah, I could talk about this for an hour. I'm not going to do that here today. I mean, American Water is a very, very historic organization and company within the United States. I mean, I think they've been around for close to 150 years. I think they're probably the largest water and wastewater provider in the regulated space inside the United States. They're enormous, right? But this targeting of critical infrastructure—and critical infrastructure is really broadly defined, right? I mean, there's 16 sectors. But, I think when you get down into the major, major sectors of finance, comms, energy, water, right—these are massive—potentially massive—impacts on the way of life that we experience day-to-day here in the United States.

And because of that, it's really important. And I think one of the concerns in critical infrastructure—especially as you get into some of these more core infrastructure sectors like water—inside the United States, many of them are really riding on historic infrastructure, physical and, you know, virtual infrastructure. And it makes them more susceptible, and it makes their, you know, security plans that much more complex. And it really brings into the conversation this bleed over from IT [information technology] into OT [operational technology] space of traditional software and business processes, and how a compromise there could impact the physical world and valve controls or dam controls. And it's just something that we're all immensely, immensely focused on and something we're going to need to remain immensely focused on.

I think it's worth noting that in about a year, the mandatory reporting for critical infrastructure entities will come into play where there'll be a 72-hour reporting rule to CISA [Cybersecurity and Infrastructure Security Agency] for any material compromises. And CISA has done a really, really good job scoping those intake requirements for those companies.

Farshchi: I just think that we got to get this addressed. I mean, it's only—even though there haven't been any major implications with these things so far—it's just, I feel like it's just a matter of time before—

Vorndran: Yeah

Farshchi: —something bad happens, meaningfully bad happens. And, so, we got to get it covered.

And I think that you made another good point early on around the definition of "critical infrastructure." In my opinion, it is way too dang broad. It's—basically, everything is critical infrastructure in some degree based on how broad it's classified. And just like with anything: If it's too big, then, you know, how are you going to ever truly prioritize and focus on what really matters? So—all right. Last one we've got.

Vorndran: So, Change Healthcare, Jamil. What do you got?

Farshchi: Yeah! Yeah. And, so, we got the announcement this week that Tim McKnight is going to be the new CISO over there. So, it sounds like they're turning the page. I—look: I think that that was, obviously, I think the numbers came out this week. It was like 100 million folks that they said were affected by this thing. So, Tim will have a lot of work to do, I'm sure.

But, it seems like they've done a lot of work on the front end of this thing, which I've been encouraged by, particularly around governance. There was a report and then we—in our interview coming up here in a second—Kevin will even talk about this as well, the bringing on Mandiant as a board advisor. And, so, when you reflect on the discussion we had, like, with Aron last time and the emphasis on the board of directors and getting that cyber expertise at the director level, I think it was an interesting and very encouraging move, that UNH [UnitedHealth Group] made early on to be able to uplift their governance and visibility of the program and, now, with Tim's hiring, just takes them another step forward. So, I—to me, it's encouraging. And I look forward to seeing how things improve and evolve over, within that organization.

Vorndran: Yeah. With UNH, you know my commentary would be this: 100% agree with everything you just said, is UNH is a very, very good example of the complexities of interconnectedness and trusted connections within organizations, right? And we continue to see that, we can call it "supply chain," we can call whatever we want. But, the reality is the complexity of the interconnected world, virtually, and trusted connections are very, very difficult to map out.

You know, you bring into that conversation about software, bill of materials and the complexities there, you know, the hardware that you're trying to keep out of end-of-life space, and it's just a massively complex ecosystem for any one organization to manage. And I think UNH is a really good example of just the challenges that we're all facing from a security perspective.

Farshchi: Amen.

Vorndran: All right. Well, those are the top three: the Sophos acquisition of Secureworks, American Water, as well as UNH hiring a new CISO. So, we are now going to go to a previously recorded episode.

This is Episode Two. The interview's with Kevin Mandia. For anybody in this space, they will undoubtedly know Kevin's name. He's the founder and CEO of Mandiant, one of the world's leading cyberthreat intelligence and incident-response companies—a company that is a tremendous partner to all. And Kevin has seen so much historically, in the present, and what he thinks the future may hold that the episode is sure to shed light and help all of us understand the world that we live in.

[Technological-feeling sound effect]

***

Vorndran: Today on Ahead of the Threat, top CISO concerns from compliance to AI [artificial intelligence] to alert fatigue and quantum, resilience—also, the fourth pillar of the National Cybersecurity Strategy—and board concerns. Our guest today really needs no introduction. It's Kevin Mandia, an industry pioneer and visionary and one of the most mission-focused leaders that we know. So, let's dive into it and get ahead of the threat.

Kevin, welcome today. Give the audience a little bit of background about your journey in cybersecurity and cyber, and then we'll get into the meat of the discussion.

Kevin Mandia: Got it. Well, guys.

Jamil, it's great to see you.

And, Bryan? Nice shirt. I love it.

Jamil, I see the Oklahoma University in the background. I'd love it if they'd take on Lafayette in football.

So, my background: I was a computer science major and I don't know how far back you want me to go, Bryan, but this will take about—

Vorndran: Oh, it doesn’t matter, Kevin.

Mandia: —thirty seconds here. Computer science in Lafayette from 1988 to 1992. And, at that time frame, you know, we were learning C, C++, object-oriented programming. And I went to Lafayette with an ROTC [Reserve Officers' Training Corps] scholarship, attending Lehigh for the United States Air Force ROTC program. When I got into the Air Force active duty in 1993, I remember, you know, standing in line at the Pentagon with—basically, I was going to get my assignment—or, as I felt at that time, my sentencing—for the next three years. What am I going to be doing? And I was lucky enough that one of the options in 1993 was to do computer security at the Pentagon.

So, it's 1993. I'm doing computer security at the Pentagon. And that was kind of when a lot of the hacks started emerging as we all started adopting new technology to start communicating online, start operating our businesses online, kind of got to live through—from 1993 to today—all the ways in which tech advances—and the ways in which the criminal element or cyber espionage—takes place.

So, I did five-and-a-half years in the military, to the best of my recollection. I guess it's May of ’93 to—actually, I'm wrong—May of ’92 to March of ’98 in the Air Force, primarily during that timeframe in the Air Force Office of Special Investigations [OSI], responding to computer-security breaches.

And I still remember, Bryan, that first day I cross-trained into OSI from computer security officer. I wanted to do, like, blood-and-gut forensics. I just wanted to be like Quincy, you know? Show up to crime scenes and do that kind of work. And somebody said, "Well, you know, with that computer-science undergrad degree and your master's in forensic science, why don't you do computer crime?"

So, I stand here today—30 years later—basically, saying, "I did not want to do computer crime. I did not want to do cybersecurity, but it's what I fell into. And if it's your job, you might as well get good at it."

So, I ended up doing cybersecurity investigations for the Air Force; got out of the Air Force; went to a company called Foundstone over time, where I trained a lot of law enforcement agents in how to compromise networks and how to investigate those compromises; started a company called Mandiant with the premise that security breaches are inevitable, and let's just respond to every security breach that matters because that's an impactful moment to own. It's the best product research you can do in cybersecurity. If you're going to build software to defend people, you ought to know what the offense is doing, what the adversaries are up to. And I saw no better opportunity than respond to breaches, figure out what happened, what to do about it so you can better build products to safeguard from those threats.

And I could keep going, Bryan, but I'll kind of slow it down. So, I guess, I love talking about me from time to time.

Farshchi: All right, Kevin: You are first off, you know, I'll just say it: I'm a Kevin fanboy and I have been for pretty much my entire career. And I think, across the industry, there's no question that you're the GOAT [greatest of all time]. You've seen—you know, every major incident that I've ever had, you guys have been there. You've been there personally, in many respe—, in many cases. What—you've seen so much—

Mandia: Right.

Farshchi: —so many incidents. So, can you tell me, like, what's one or two of the most memorable ones that you've had to deal with?

Mandia: You know, I always hate talking about that. Like, what are the top five? I've got them in my head, but I always feel bad when I just go, "Hey, here's, here they are."

You know, I can just talk about some of them. It's shift-changing breaches that we were a part of throughout our career. And there have been shift changes because I remember responding to breaches from 1993 to 1998. Almost all the breaches were Unix servers being compromised by publicly available exploits you could find somewhere on the web, and it was cyber espionage for the things that we responded to, and everything else was kind of like an attractive nuisance.

But, I can tell you, in 1998, I felt a shift change in cyber where end users started getting compromised. You had kind of the evolution of spear phishing, and then you had Windows NT systems that were being thrown on the internet to sell stuff and collect credit-card numbers. So, you had this storm of credit-card fraud, tons of intrusions into Windows started primarily—you know, all these are gray-area timeframes—but right around 1998, and that continues today, spear phishing today, hack for money and profit.

In 2003, there was a shift change, and really, it was in 2004. I started Mandiant in February of 2004, and a few months into that—first, it's an election year. Every election year, everybody, every side gets compromised here in the United States, or at least heavily targeted.

And you're reading about Iran right now targeting the candidates here in 2024 in the presidential race—same thing in 2004. But what's interesting then, Jamil, is that's the beginning of what we call the advanced persistent threat. That was the first year that I saw the Chinese government—somebody I responded to when I was in the military—pivot their resources and start compromising the defense-industrial base in the United States and, later on, pretty much any industry that was required to—really, if you were doing business in China, you got compromised—and kind of live that way from 2004 to even today. Now, we have cyber espionage from China everywhere.

But that didn't specifically answer your question. So, let's get to the breaches that everybody went, "Okay, this is changing the game."

One that pops out is Sony Pictures—2014, maybe? It, just feeling like a modern nation like North Korea hacking the private sector for whatever reasons and shutting it down is a fascinating kind of breach to be involved with or see happen. So, that one, obviously, everybody took notice.

Colonial Pipeline, Bryan, I've seen you talk about this one. To see critical infrastructure, Colonial Pipeline, taken down by ransomware in 2021, I believe it was?

Vorndran: Yep.

Mandia: You know, when you see these things, these are shift changes in regards to resilience, in regards to, "How do we apply risk and repercussions and impose the U.S. will on behavior on the internet?" So just two—I do stack rank them, but I kind of keep private about those, and we don't want to get bad guys, you know, a lot of credit on some of the breaches they've done.

Vorndran: Yeah, I still—you talk about Colonial, I still remember driving in Arlington, Virginia, with blacked-out gas stations, right, that couldn't serve gas. And, certainly, we're coming off the heels of the CrowdStrike situation, and these are very practical impacts on a physical world.

Kevin, talk to us a little bit about—you know, you've seen it all. You see the future as well, if not better, than almost everyone. CISO concerns, right? And I would love to hear from you: Has your perspective changed post-SolarWinds in terms of CISO concerns? Now, you've obviously been very forward leaning in terms of how you communicated that compromise and who was behind it, but just your thoughts in general on CISOs would be tremendous.

Mandia: Well, I can tell you, you know, when you think about CISO concerns, you actually have to go above the CISO, right, Bryan? Like, what's the board thinking about? What are the CEOs thinking about? And, at that level, they're reading headlines, and there's a little bit of an undercurrent of uncertainty, fear, doubt at every board as to, "How good are we at security? How good do we need to be? What's the probability something bad can happen at the organizations that I serve on the board of?"

And then, CEOs are thinking, "Wow, I don't want to be a headline. I don't want to live through a crisis like this because of the uncertainty that it provides." These fears, uncertainties, and doubts trickle down to a CISO, and I have felt we're at a—and Jamil, you are and have been a CISO. Like, to me, it feels like it's a moment in time where the role is changing. It can go in a lot of different directions.

It used to be that the CISO was a co—, you know, that was the position in the late nineties/early 2000s of, "Hey, if you're in the financial services, that CISO's the compliance and risk person and policy person. Write a bunch of policies, see if we can get process in place, and let's be compliant with those processes." It grew into IT security, perimeter security, and endpoint security, and you see it evolve and evolve.

But, right now, we're on the precipice of AI, supply-chain security, data security. Where's our data? What third-party vendors have it? How are we securing it?

Personnel security—the fact that we're hiring remotely. Who are we hiring? What are we getting? Insider threat, fraud, all these tangential but security-related things are starting to hit the CISO. And I thought about it. I've had four CISOs work for me throughout my career and I don't remember them ever coming to me asking for more.

But, Bryan, I remember going to them all the time saying, "Hey, you're now in charge of supply-chain security," and I'd just walk out, because I knew I wanted someone with a security mindset to be in charge of our risk—not somebody that was running infrastructure and didn't understand the threats and didn't grow up in an environment of, "Hey, let's never underestimate the aggressor against our networks."

So, I think we're at a moment in time where the role of the CISO can expand. I mean, I've seen CISOs now being in charge of attesting to the security of the products their companies make. And that's a lot of stuff you can put on one individual or one executive to be in charge of. So, when I look at the concerns of the CISO, it's different by industry, it's different by the maturity of the company that they work at and its resources, but I do see a moment in time that is now where that role of the CISO can be a real executive role with a whole bunch of things they're in charge of, or it could just stay in the corner of, "We do IT security and we impact everything indirectly through our CIO or infrastructure folks."

And, a lot of times when I'm talking to CISOs, it's about, "How do you advocate directly to have a role and remit you are comfortable with doing?"

But I dumped a lot of concerns on my CISO and would say, "Hey, you know, whatever you need, we’ll back you for this." But I love the idea that CISOs usually study the threats. They know what they're up against. They have an appreciation for it. So, if you have a company that has a conservative risk profile, it does make sense to really know that CISO and really get a feel for, "What are they comfortable leading?"

So, now, you boil that answer down, Bryan, and I answer you directly: What are CISOs worried about? Same thing as their boards, same thing as their executives, and that was AI and what does that mean to the workforce, supply chain security, software security, if you're a vendor that makes stuff. You had mentioned the CrowdStrike update. Obviously everybody's going to look at secure by design. You look at SolarWinds and what happened with an implant at SolarWinds, so it'll be secure by design. Data security is getting more and more important. Overall risk and governance is even more important. And then, that ability for a CISO to assuage or just get confidence to the board and the executives, "Hey, we've got a program. It's good. We continuously test it and we red team it, and you should feel pretty good about it."

So, that's a long-winded answer because you said we had an hour.

Vorndran: So, I got to ask both of you because I'm the, obviously, with the Bureau, so I don't have the perspective that both of you have. I get asked a lot, "How should CISOs be or—, task-organized, task-aligned within a broad organizational structure?" What are your collective thoughts on that, Jamil and Kevin?

Mandia: Jamil, you?

Farshchi: I think it depends on the business. If you look at the—look at my role at Equifax. When I was brought in, it's a, it was CISO, pure-play CISO role, report to the CEO because we take it very seriously here. Since that time, though, you know, I've taken on fraud, physical security. I have two P&Ls [profit and losses]. And now, I'm the, now I'm this—as of the, what, five months ago, I'm the CTO now, as well. So, the role has expanded demonstrably since that time, but it's because of the business. It's because it were, this is a—this business has unique needs, and the focus is around things that tie to data, analytics, technology, security, and so, it makes sense for us. I think if you're in a different organization or a different industry, things change.

And, so, I think it, I think organizations need to be thoughtful about their risks, thoughtful about the—how they want to construct addressing those risks, and being able to competitively differentiate in the marketplace and drive growth, but, then, looking at the bench strength that you have, and then, based on those factors, then you can sort of frame out the role, whatever makes sense.

I don't think there is one—just like with anything in life—there's not just one path to doing it, just like there's not one path for what your committee structure for, should be at your board or whatever it might be. So, I do think that we've evolved, though, and I'd be curious, Kevin, what you think—maybe as an addition to the question that Bryan asked—whether you think that, with this evolution and this pivot point that we're sort of at right now, whether you think that the community of CISOs, if we're ready for it. Like, are we—because we've come up through the ranks in technology, right? And so there's a whole—it's a whole new world to deal with, and I've dealt with it myself personally as I've grown throughout this organization. What is your take on the industry at large?

Mandia: Well, it's hard to answer for such a large group of folks, right? But I think about the exact same thing, Jamil. The opportunity to be a real risk executive is sitting in front of every CISO, whether they know it or not.

The moment is now. Every CEO's worried about cybersecurity. Every board is worried about it, and it is up to the executives of a company to come up with a program that matches the risk frameworks for that organization. And all those things I said—that supply-chain security, data security, the rollout of AI—technology keeps moving. You know, we’re trying to impose risks or repercussions to the bad actors on the internet, but I don't think there's ever going to be world peace. I think people will always hack for money and profit. So these threats aren't going to go away. And I think the themes that I say with CISOs is, "Yeah, we've got to stay abreast of the emerging threats. And then we also have to figure out how to communicate with non-technical folks, apply business risks."

And people, you know, take that whole cyber risk and put it in the business terms. And people say that stuff all the time. But the framework that I work with CISOs is make sure you get, you know, go to the Harvard Executive program, start thinking beyond just CISO. Take the frame of reference of the CEO: What are they genuinely worried about? How do they think? A CEO is not going to sit there saying, "What do you mean by an application-security firewall? What do you mean by access control? What do you mean by this?"

Some CEOs are growing up with technology and they get that. But you have, all CISOs have to translate "here’s the critical services and assets at the company." They have to translate: "Here's the cyber risk to those critical assets and services, here's the threats to those risks, and here's what we're doing with people, process, and technology or controls to diminish or mitigate the risks to those critical assets. Here's the gaps we have, and we're going to close them, or here's the risks we're willing to accept." And we kind of put it in that risk language, Jamil, and I’d love to hear your feedback on that because all boards understand governance and risk. That's kind of why they exist.

They apply those kind of standards to financial risks, to geopolitical risks, and, in cyber, I think if a, if there's a CISO out there that's trying to figure out, "What framework will my board finally get?" You know, there's no perfect one, but it's identify the assets and services that matter most to an organization, identify the cyber risk to those, and again, go through that standard risk process of identify the threats to them—those assets, what are you doing to mitigate those threats? How do you continuously monitor and validate that your program is in place to mitigate those threats? And then, communicate it appropriately. And I think that works.

Now, answering your question directly: Every CISO, I agree with you. I would say, total Mandia-anecdotal wag: The amount of technical CISOs is going down. The amount of true executives getting into the role of CISO is going up. And I s—, I equate that to just in general, I’ll meet a CISO and go, "What’s your background?" It used to always be they did security operations at some point. You know, they were a technologist. And, now, I'm meeting more lawyers that backed into CISO or even poli-sci [political science] majors that backed into it and less technical folks. I think there's a genuine trend to the role going to folks that are more capable to lead a P&L [profit and loss].

Farshchi: I think I would like to say that the community at large—my peers that are out there—we have the ability to be able to up our game to become executives, and we don't have to just be known as the people in the boiler room that know the tech stuff and, you know, go geek out and do your thing.

I am, I'm hopeful, although, to your point, I think we have a lot of growing to do, quite frankly, on the whole. Obviously, there's plenty of fantastic executive CISOs that are out there. You want, you said so many things that I would love to ask you about because, I mean, this is why you're the GOAT. The one that really struck me was the risk-based discussion piece.

Mandia: Right.

Farshchi: And I mean, look: I am now on a board—for what, the last year and a half now—for a $5 billion company, and, so, as a board member sitting on the other side of the table, it is. I mean, the language of risk is what we operate by, at least in this particular space. And, in my experience, for all the companies I've worked for and the boards I presented to and executives and so forth, the trick is being able to communicate in a way that they can understand it—

Mandia: Right.

Farshchi: —because if you're just speaking gibberish, it just, you're—it's never going to land for you. Like, you're not going to get ultimately what you want, whether it's some risk mitigation or to just, to get general communication across. I completely agree with your point about getting executive education. I, myself, went, I went to Harvard and got my PL—my Program for Leadership Development, I did that there—fantastic program. And I think it helped me a lot in that respect.

So, whatever the executive education form would be, I think that would be a huge one.

The other part, though, is, how do you—without being on the business side—how do you appreciate the balance that needs to be made when you just live your life every single day and the security and all you see are the threats and all you see are the vulnerabilities and the risks and things not advancing as quickly as you want?

Mandia: Right.

Farshchi: I found that personally, as I've gone up through the ranks—

Mandia: Right.

Farshchi: —to be that, one of the hardest things to do. And, quite frankly, it wasn't until, what, two or three years ago when I actually took on a couple of P&Ls that I got a much greater appreciation for it, thinking, "Oh, man: Like, I've got to meet these growth numbers, and we've got to do this and that, and so—but doing this is going to impact it."

And, so, finding that balance has become a lot easier for me now, but—my gosh, it was, Kevin, it was super hard at the—

Mandia: Yeah.

Farshchi: —beginning, and I was, I had the advantage of actually owning a P&L. What's your advice for folks that don't have that opportunity—

Mandia: Right.

Farshchi: —to be able to find that balance?

Mandia: Yeah, I call that my 90-day CISO plan. What would you do if you get hired as a CISO somewhere and you're not quite sure of the culture you're in and how to interact with the business leaders? Right out of the gates, I'd go in with, "What does the board and executives truly care about?"

And it's: How secure are we? End of story. Like, what are the odds something bad would happen? And if something bad happened, would we withstand third-party inspection?

And then, the key is for the CISO to figure out that answer to that question in a way that's not confusing and that it's not like a zealot answer of, "We have to get 50 more people in here, 24 by 7 ops, three operations centers. We got to follow the Sun. We got to do all this."

It's got to be very simple. And what I would do—and I, you know, I equate this, you know, Brad Maiorino, when he was at Target and he goes to other companies, he does something very similar to what I would do, which is you just red team the network. You just figure out, "Here's the common threats of today. How do we do? What is the unvarnished truth on what the red team can do to us?" And we're not talking magic attacks where it takes five days for the red team to break in with custom malware and all this. It's just doing attacks that are common to get a sense for, "How secure are we?" And the reason you do that, and I think that's a great thing to do every quarter—I did it as a public company CEO at FireEye.

I remember getting my board presentations, and there'd be these three-dimensional charts on policy and governance and controls. And I remember thinking, if anything was in the green in these charts, I didn't trust my CISO's answer. If anything was in the red in our compliance charts, the whole board is like, "Oh my God, we're in the red, and that's no good."

And if CISOs put all these subjective things in yellow, boards and managers don't know how to feel. So CISO can't win.

But what a CISO can do is walk into a board or—and they probably won't get to the board with this, but they can get to their boss. You know, 25% or so of the time or so, that's the CIO [chief information officer]—and say, "Hey, listen, we did a red team. You know, it wasn't really us-versus-them. This is how we did. And here's what got in, here's what didn't."

I think if it takes five days for expert red-teamers to make a threat become a reality against critical assets, that's a lot of time, and, but, you would want to know. And, I always say, "Limit the scope, have a three-day red team, four-day red team, and see how you do because that's the only way to get an unvarnished truth."

If the red team can't break in and can't make something bad happen, I think you should feel pretty good.

If the red team can get in, you get a prioritized list of what to do.

So, to me, that was such a simple thing. Jamil, I likened it to: If you want to see if a bulletproof vest works, shoot a bullet at it; you get your answer. Same thing in cyber because it's just understandable and it tells you how to feel. If the red team's successful, you make adjustments. If the red team's not successful, you feel pretty good, but you continue. Because I call this—when you're a CISO, you come at everything from the threat side. But I also believe you, actually, you have to come from the governance and risk side, as well. And you need to do both.

And there's a lot of folks that have, "We're going to enforce policy. We're going to enforce process. We're going to enforce all these great controls. We are going to have: 'Here's the standards, legislation, and regulations.' We need to benchmark against. And that'll be part of our framework on how we report to the board, how we're doing with our assessments and to our benchmarks." But I would still keep firing bullets and seeing how we do.

And that part will tell a CISO: If a red team just destroys your network, and your leadership team doesn't care, that's a hard CISO role to take on. You just don't have the buy-in.

And I can tell you this: I've never met a CEO [who] doesn't get a red team report. You may have to distill it a little bit by, "What's the probability that this attack will happen?"

But, no CEO wants to lose their email. If you have a red team test—can you get to the CEO's email in three days—and they do it? Trust me, the CEO, you have his attention, and he's going to say, "What do I do to lock down my Outlook instance? How do we get good detection rules in?" You bring them along.

Second thing I would do, if you don't want to go red team, have a tabletop exercise and genuinely simulate with your executives as a CISO the exact threat you don't want to have become a reality.

If you're a manufacturer—you make tires or you make soup—you don't want the assembly line to go down. You don't want food to be unsafe. You don't want your products to be unsafe.

You run a simulation—takes only an hour—but you make it feel real. You kind of tease out the data that matters. You know, you simulate the fog of war. And, during that tabletop, what you'll see as a CEO is: "What are the issues we still don't have answers for? Can we run our business off the internet? Can we run our business if five servers go down? How fast would we get those servers up should they go down to ransomware?"

So, I don't want to elongate the answer, but the bottom line is, a new CISO? I'd red team and I'd tabletop quickly because, no matter what, when you tabletop, you get the how—you know, what is the culture and philosophy of your organization when under duress? And I think that dictates your success as a CISO, is understanding that culture.

Vorndran: And Jamil—

Farshchi: Love it.

Vorndran: —if I can jump in here. I don't think we're going to be able to cover everything in the time we have here today. We'll do our best. Two questions.

I mean, you're amongst the most experienced people in the world, Kevin, in terms of I.R.—incident response, post-cyber-intrusion. You know, I think there's a lot of reporting out there about how industry feels, how positively you handled the SolarWinds reporting.

And, certainly, one thing that my experience has indicated to me is, like: The more forward-leaning companies or organizations are, post-breach, the better off they generally fare.

One thing that we, obviously, encourage from the FBI side is report to law enforcement as early as possible. But that's built on the fact that you have to establish a relationship. Just interested in—Jamil, you, as well– like, just interested in your thoughts about relationships with the private sector, with the FBI, post-intrusion: the good, the challenges, how that looks internally, because we know one of the most, you know, the questions that are asked the most is, "Should we or should we not share with the U.S. government?"

Mandia: Jamil—

Farshchi: I'll start.

Mandia: You want to go first?

Farshchi: Yeah, I'll start on that one. I think you—I think the FBI used to not be even remotely as effective as it is today. But I will reflect on the experience I had here at Equifax post the '17 breach, and the amount of partnership and engagement we had from the FBI was second to none. I mean, you all had us—myself, my CEO, several of our executives—go over to the field office here in Atlanta and get deep-dive briefings on what's going on, like—onto the detail—on the evolution of the investigation, which was, I mean, just really, really strong partnership.

And, so, for us, after seeing that, you won a lot of fans. And, like, we're more than help—, more than happy to provide as much information as possible so that you guys can do your job as effectively as you can. And I think you know this, Bryan—I'm not sure if you do, Kevin—but, you know, even as it relates to CISA.

I mean, last year we had an incident where I got a heads up from CISA around this imminent attack against us— some ransomware group, I can’t remember which one it was—you know, gave us a heads up. It was a good—I think it was like 76 hours in advance, all the TTP. I mean, we knew exactly what to do. Everything was locked. So, by the time—and then it did happen, like, it happened exactly as we were told. And obviously, it's a nothingburger at that time because everything's there.

But I think those examples, to me—whether it's a breach of '17 or an attempted compromise that was coming down the pipeline—it's, that partnership is critical. And I know how important it is, talking to you, Bryan, on the FBI side around us as private organization—, commercial organizations, providing that information to you all and sharing insights to make you guys effective.

I think the message I would like to share to the other peers of mine in the community at large is, like, "We need to lean in to not just do that, but also, to just be accepting of the fact that there's a ton of expertise that the government can provide—particularly the FBI—and we need to welcome it with open arms." Because there is, the bad actors—Kevin knows this better than anybody. Actually you do, too, Bryan. I mean, they're not slowing down. They don't care about that kind of garbage. Like, they just want to get the job done. And I think, if we're going to protect ourselves and protect all of the consumers that we're responsible for protecting, we've got to step up our game and work as a team to be able to defend this country.

Vorndran: Yeah, I—Kevin, I'm interested your hear—to hear your thoughts on that, as well. I just want to chime in because it’s something I’m super-passionate about. You know, the—

Mandia: Yeah.

Vorndran: —FBI has been in existence for, you know, 115 years. And the entirety, right, we've been a victim-centered organization. That is so, so important to us as an organization: to help people in need. It's why I and almost everyone here joined. And, you know, the reality is: It's our pleasure. It's our honor to try to help in those moments in need. And being victim-centered is just so critical to us. But, Kevin, just interested in your thoughts.

Mandia: Yeah, and I'll piggyback everything Jamil said. Right on target. And, obviously, I'm pro-law enforcement, but I think it's a simple equation: When you look at the cyber domain, the next modern war is going to have a cyber component to it. All criminal element has a cyber component to it.

Air, land, and sea? We all rely on the government to defend our nation. Nations were formed, really, so you could have citizens safe, and governments would protect those citizens with law enforcement and a military.

In the cyber domain, the whole defense is shared, and, so, you have to play team ball with the government. You should want to play team ball with the government. Every single knowledge base we can glean from the private sector defends other private sector organizations and government agencies.

So, to me, team ball's a must. And I think where we're evolving to with this—and it's way better today than it's ever been. You know, there were times where we responded to breaches in the nineties and early 2000s where you'd make a criminal referral at the FBI, and they would show up, and you'd learn some things. But, now, it's way more common in every breach that the FBI's there, Mandiant personnel now, Google Cloud personnel are there. Maybe there’s CrowdStrike people there. Maybe there’s, you know, law firms there.

There's a lot of different folks working together to figure out what happened and what to do about it.

So, first and foremost, defense of the cyber domain requires team ball. Government partners are critical to that. And second, the best deterrents to all these cyber incidents isn't just playing defense and goalie all the time. My God, wouldn't it be great to physically grab the criminal elements—especially in the Western democracies, where we ought to have a, you know, at least attribution intel and great work with law enforcement in many different nations to go grab folks? Nothing works better as a deterrent than that. And the FBI is the altruistic partner we have to make that become a reality.

I see no need—we all know Russia will probably always be a safe harbor to hack the United States, North Korea, China. I think almost every company recognizes espionage is real, probably going to always happen. However, the criminal activities, I think everybody—every government would say, for the most part, "These are horrible things to have happened to places like Caesar’s or MGM or to Colonial Pipeline." And I think government, private sector, there's great alignment to, "Let's go get some of these guys." And the FBI is the only means I know of to do that.

So, we all need to pitch in to defend and then we need to share information so that we can mobilize the government entities that do impose risk and repercussions.

Farshchi: One more thing on that one: There's this notion—and I think it used to be stronger back in the day than it is today, but it's still out there—that, you know, I'm reticent to share information with the FBI because who knows where it's going to go and who they're going to give it to, or whatever.

I can speak from experience here at Equifax, where, during our incident, there were times when we actually wanted you guys to talk about some of the stuff because it would've probably helped us out because there was a lot of meaningful insights that help contextualize what occurred here, and you guys wouldn't even do it.

You would, like, you did—, you're so close hold with that information nowadays that no one should worry about that information leaking to some other agency or whatever else it might be. That's just, that's old tape, and I think you guys have changed a lot. And, so, for anyone worried about it, like, put that aside and share information because it's only going to help you out in the long run.

Vorndran: Yeah, and Jamil, what you're talking about there, like, we boil that down on our side to being extremely loyal to victims' rights, right? It's no more complicated than that, and that's why we're so loyal to that theme. But, all right, Jamil: I'm going to go over to you. I'm sure you have about 30 questions in your head.

Farshchi: I do. I do. Kevin, where do you see the landscape shifting?

I mean, you mentioned at the top how the environment continues to evolve. I think one of the most interesting evolutions was the whole ransomware thing and how it has really just turned everything on its head and it's provided so much additional, especially with the—you know, it's brought a lot of incentive for the threat actors to just hit us as hard as they can.

What's the next leg? Like, do you foresee what the next leg of this, of this journey is? Is it something related to AI-type threats and the deep-fake things that we might—

Mandia: Yeah.

Farshchi: —see a little bit about up here? What do you think?

Mandia: Yeah, no, I immediately went to, "So how are our red teams breaking in?" And then, going, "Great. Do I really want to share that? But you might as well because it's obvious."

And what you're speaking to is exactly right. We saw the evolution of ransomware go from, "Let's encrypt drives and just charge to get them decrypted," to "Let's compromise, get in and steal data, and extort and create pain, and be very bold and brazen in that pain."

I think, most of my career, there were only actors and safe harbors, and that has changed. So, that's shift change number one.

Now, we have people acting in the democratized West: Canada, the United States, the U.K. [United Kingdom]. And we got to figure out—with international cooperation, treaties—how private sector shares with the public sector and the FBI. We got to figure this out and bring a little bit more pain there.

But, I think it's the evolution of the social: the trickery that's happening. And what you're going to see with AI is fake voice, fake imaging.

And what I'm seeing is the bypassing of multi-factor authentication by bold and brazen people that take advantage of the help desks of enterprises, where help desks are formed to help people, and they're being duped into doing one-time passwords and things of that nature that are really hard to prevent. And that one-time passphrase is giving bad actors access to a network. And then we have identity challenges almost every time somebody gets in—meaning, when the threat actor breaks in, our identity architecture is usually compromised—and that creates a widespread impact.

So it is, without a doubt, I think you’re going to see the use of AI as, particularly, fake voice to trick help desks. And it's probably going to be effective till people really change how they communicate with their employees and verify their employees.

And then you['ve] even seen it, Jamil: What surprised me is at the last CISO conference I was at, we were discussing the hiring of North Koreans at companies. And I'm like, "How the heck does that happen?"

But, now, everybody's working from their homes. And I remember thinking, "There's no way my company hires people that never came into the office." And I learn, we probably do. You know, you interview people online. You meet people online. And, obviously, as we have synthetic media creating a mask that people can hide behind, we're going to have additional challenges emerge that allow the social-engineering attacks to be successful.

Farshchi: Interestingly enough, I mean, based on the cyber threats you were just talking about, you know: AI, authentication, verification of identities—that plays, I mean, exactly fits into that, what you're talking about with the hiring practices, as well. Yeah, I agree with you. It is a major threat. And I mean, obviously the basis for it was we saw it front and center last year with the MGM and Caesar’s attacks. That's how they bypassed it. And then, there was one on AI deepfakes recently where people are now joining meetings thinking that they're talking to their CEO and CFO [chief financial officer] when, in fact, it's just an AI avatar. So, who knows where this is going to go.

Mandia: Yeah, you know, years ago, Jamil, at Mandiant, we were targeted every Friday by several different ransomware groups because they hated us, because we were responding to breaches. And their theory was: If we were responding and helping organizations recover from those breaches, those organizations were less likely to pay. And it is all about getting money, extracting money, and getting rich.

So, the threat actors would come at us almost every Friday.

And we had our own email-security product for spear phishing and we had experts everywhere—you know, 30-something hundred employees, just all security experts. And even I spent every weekend worried about, "How are we doing against these guys?"

And, in fairness to all these companies, one of the hardest things for every company to test—really test—is how resilient are we should a ransomware attack occur? Like we all do the—most 1A enterprises that are very mature will say, "Here's our key servers. Here's our critical data. We have it backed up. We know our backups are secure and we've tested it." But almost no company has said, "Hey, let's go dark and literally hot swap out and see, 'Are we rocking and rolling in under three hours?'"

That last step is really, really hard to test. So, a lot of times when we respond to these ransomware actions that are successful—and folks have systems that are just toppling over, as I call it, because they've been encrypted—that resilience is so hard to measure til you go through it. And that's why those tabletop exercises are so critical to get you thinking, "How fast can we recover server A that supports these 10,000 customers? What tranche of servers do we recover first? What do we cover second?"

And then, remember, recover the application-configuration files. Make sure your active directory or your identity architecture is considered critical. Don't miss something by mistake when trying to recover, or it can get really, really complex. And that's something that, again, it's just so hard for any really diverse organization to test a resilience with a live fire drill.

Farshchi: It's the dark underbelly—

Mandia: Yeah.

Farshchi: —of the whole thing. I mean—

Mandia: Yeah.

Farshchi: —everyone said—I mean, a lot of companies do the crisis exercises—

Mandia: Yep.

Farshchi: —and the tabletops and stuff like that. But the unspoken truth is—

Mandia: Yep.

Farshchi: —oftentimes, we've never actually really—

Mandia: Yeah.

Farshchi: —tested it. So we don't know what the dependencies are—

Mandia: You got it.

Farshchi: —whether we can get this system back up within its RTO or whatever it might be. It's a big risk.

Mandia: Yeah, I think if you go to every CISO that’s lived through a ransomware action, there is always an impact they didn't see coming:

  • "Our phones don't work."
  • "Our gate doesn't go up."
  • "No one can buy their lunch in the lunchroom."

It's always something so bizarre, and you're like, "How did we not see that as critical?" or "How come we didn't back that up?"

In one case we worked, they didn’t back up their identity architecture and went, "Oh!"

In another case, they didn't back up the application-configuration file so that it took them days to get their application back to the state they wanted it in.

And it's—again, if you live fire drill these things, you may take your business down, and you were the one that did it, you know.

But maybe—yeah, so, one thing we always advise companies: if there's a way to practice that red-lever event of "you're off the grid." Most companies, (a) can't even get off the grid. It would take them 15 days to months to figure out, "How do we come off the grid if we need to?"

Second: Most organizations, unless they’re regulated, haven't even figured out, "Can we operate our business when critical servers go down?" And I remember one ransomware attack impacted a whole bunch of restaurants and I remember hearing about a restaurant that—without their computer system—couldn't serve food. And I was like, "We had restaurants before the internet. We had restaurants before the iPad. What happened? You know, we ought to be able to do that."

So, there's a lot of businesses that—and, when I talk to CEOs, it's, "If you can figure out a way to operate without the tech, that's a great fallback plan to have. And then from there, testing your backups."

I recognize how hard that is. You would like to be able to do it Sunday night from midnight to 2 a.m. and know you're done at the end of that. But the problem is: When the lights go dark and the machines get compromised, I don't know of any organization that can tell you 100% of the impact of those kind of events ahead of time.

Vorndran: To break-break guys, we have about time for one more question/theme each. So, Jamil, you want to go first? You want me to hit one?

Farshchi: No, go ahead. We only have one more?

Mandia: I'm giving the long answers.

Farshchi: This went fa—, no, it went really fast.

Vorndran: All right. So, Kevin: One of our goals here—Jamil and my goal—is to, essentially, try to communicate to boards, right, what should they be thinking about in their future? What questions are really important for them to be asking of their staff? So, just based on your experience, top two, three questions that they should be asking—it doesn't have to be two-to-three, but then also, board composition, forward-thinking: What are the other themes that they really need to be thinking—

Mandia: Right.

Vorndran: —about at a precise level?

Mandia: So, I'll tell you the four questions—and it used to only be three. For over a decade, I would meet CEOs. And, as soon as the CISO was out of the boardroom, they'd be like, "How good's that person?" or "How good are we?" And I came up with non-technical questions you should ask a CISO, and all you care about is there is an answer. You're kind of diving into the mentality of your CISO.

First question if I’m a CEO that I would ask a CISO is sort of the, "How would you break into us? What do you think is our weak spot?" Period. That's no different than Secret Service thinking, "Where's the shooter going to be?" You have to think as security professionals, like security professionals. "What are we up against? How would they attack us?"

Second, I would ask CISO, "What's our worst-case scenario?" Because I actually (a) really want to know their perception on it. But if you've hired a CISO who isn’t always thinking and planning for worst-case, I don't think they have the right security culture. You know, and if their answer is, "Well to be non-compliant with something," I don't know if that's worst-case.

So it's:

  • "How would you break into us?"
  • "What is worst case scenario?"
  • And the third question, "What would we do if worst-case scenario became a reality?"

And you just sit back and listen.

And then, I added a fourth question I should've added a long time ago. I've done 100 board meetings without this question, so we're adding it now: Ask a CISO what they need.

So that's four questions:

  • "How would you break into us?"
  • "What is worst-case scenario?"
  • "What would worst-case scenario—how would we respond to it?"
  • And: "What do you need?"

And just sit back and listen. If you have a CISO that doesn't even know what worst-case scenario is, oh boy. If they don't, you can correct it. If you're a CEO, you should be thinking what those things are and managing to risk.

And then, on the board level, I actually wrote down for this podcast all the board questions I've gotten.

Usually it is post-breach, but I think every board wants to know first and foremost: "How good are we at cybersecurity? Are we safe? What is the odds something bad would happen?" That's question one. It's all the same question.

Two is: "How good do we need to be?" And the answer there is, really, you want to be good enough to withstand third-party inspection.

Question three I actually get is: "What should boards worry about?"

Question four is always: "What's your advice to boards on best practices to supervise our cyber efforts?" You know, "How good are we, and how good do we make sure we're fending off bad actors?"

And I think all those questions: "How secure are we? How secure do we need to be? What should we worry about? And how do you supervise your cyber program?"

Go back to that risk framework that we talked about earlier in the podcast, and doing that.

And then, the questions the board will ask is:

  • "What should I ask my CISO?"
  • "What do CEOs wish they did before breach?"

They always ask the latest headline questions:

  • "What about Caesar’s?"
  • "What about MGM?"
  • "What about the CrowdStrike patch?"
  • "What about Snowflake?"

They ask, "What are boards asking you?" And then they also ask, "How resilient are we should something bad happen?"

And I'll leave you with the final things: They ask about AI, deepfakes, geopolitical conditions and how they impact threats, and what threats they should worry about.

So that's about every darn board concern I got in the last year.

Vorndran: Hey, Jamil: Can I just break in here with a quick PSA for the audience?

On the synthetic commen—on the synthetic content, the voice cloning, you know, there is reporting out there that indicates that four words are enough to fully clone digitally an individual's voice. And one of the things we deal with in the FBI is these virtual kidnappings, where you get a call from somebody saying, "Hey, you have to pay me $50,000 because I have your 12-year-old nephew or niece."

The best thing people can do if they ever get that call is to hang up the phone and try to call the person that they are being told has been kidnapped. That is the number-one recommendation: Get off the phone and call that person. So, just a little PSA for our audience. But, Jamil: Over to you for a final question, if you have one, then we'll close.

Farshchi: Yeah, last question—although I could have a hundred more for you, Kevin. Just the wealth of knowledge. The other day I was chatting with a private-equity guy, and he was telling me that he's, they’re debating about creating cybersecurity committees for all of their portfolio companies. And he was just inquiring about that.

[I] thought it was interesting and encouraging, quite frankly, and, but later on—think it was that weekend—I did some research and I found out that only ten of the Fortune 500 companies have cyber committees today, although I did run into an article that said Gartner was predicting 40% of publicly traded companies will in the future.

What's your take on this, in terms of whether it's a trend that's—

Mandia: Yes.

Farshchi: —going to continue to grow, and whether you agree with it or not?

Mandia: Well, boards are paying more attention to cybersecurity, Jamil, and part of that is the new SEC guidance that came out in 2023, right? If you're a publicly traded company, you have to share certain information about your cybersecurity program annually with your shareholders. And then, if you obviously have an incident, you have to be transparent about it. So, there's a requirement to share how you do governance and, you know, what third parties you use to help you secure your organization.

A committee needs to care about cyber. It—I don't know if cyber is always something for the board at large, and it all depends on the state of the company, the industry you're in, the knowledge of your board.

The boar—, different companies can do the same things, but have different risk profiles based on their brand, how much they value their brand, based on how much trust matters to their company.

All this is a long-winded way of, it's still going to go up and to the right. Boards have to pay attention to cyber now. The SEC guidance kind of pushes that forward for publicly traded companies. But as our dependence on technology increases—and technology is accelerating now with generative AI and our trusted machines just doing stuff for us—you're just going to constantly see, in the tech race, that the threats are going to be right behind in that tech race.

It's been my observable: Bad actors can enable tech faster than the good guys can, and security's just going to matter more and more. So, I'll finish with: Cybersecurity has never been more important, and I've been able to say that every year for the last 20-plus years.

Farshchi: Amen. Man, I think—

Mandia: Yeah.

Farshchi: —that's, that you concluded on what amounts, to me—going back to earlier in our conversation—

Mandia: Uh-huh.

Farshchi: —to a call to action. It also means that we, as CISOs, need to step it up. We need to step up our game, as well, if we're going to stick—we'll be able to address—

Mandia: That's right.

Farshchi: —the evolving threat and the evolving spotlight, regulatory requirements, the demands on this job—

Mandia: Mm-hmm.

Farshchi: —I think we all need to step it up.

So, thank you very much, Kevin.

Mandia: Thank you Jamil. Thank you Bryan.

Farshchi: It's fantastic seeing you again. I'm really happy for everything that's happened on your side, and thank you for helping educate us and the audience here today.

[Whoosh sound effect]

***

Vorndran: Well, what a fascinating conversation with Kevin Mandia. I really enjoyed the entirety of what Kevin had to say, as it really just encapsulates, you know, the history of the cybersecurity industry, the present day, and the future. For me, it was like taking a walk back down memory lane for two-and-a-half decades with everything Kevin discussed.

Jamil, what were your thoughts?

Farshchi: Man, I have a ton.

That guy—you know, every time I talk to Kevin, I feel like I learn something, and, this was certainly no exception.

I think I have three key things that—three key takeaways:

  • One, his number-one fear, as an emerging threat, is AI and, in particular, he highlighted voice cloning as a major threat—the whole Scattered Spider, step-up kind of attack. And, so, I think we all need to take that into account, especially given how many threats that guy sees. You got to really listen to that.
  • Number two: board discussions. You know, he sai—, I think he said it himself, that he's probably the one guy who's been in front of the, in front of more boards than anyone else as it relates to discussing cybersecurity. And, so, I think all of that insight that he provided, is useful—not just for directors and executives and things like that, but also, for us, as CISOs. I think we should take that into account and make sure that we're applying that guidance and insight to [the] degree that we can, because it'll make us more successful in our engagements with directors.
  • And then, finally, I think, he laid down some pretty good insight around, look: What does the future of the CISO look like, and what are the skills that we should really be focused on? I mean, even going down the list of specific interview questions and the types of answers that would be the right ones and the ones that maybe should be a red flag.
  • Another thing that I think all of us should take into account—and, you know, if we want to continue to grow and mature in this evolving space and, you know, take advantage of the increased visibility that we have in these roles—I think no one better to get advice from than Kevin Mandia.

So, fantastic interview. Tons of great things. I always love talking to the GOAT. And, it was fantastic.

Vorndran: Great. Well, that officially concludes Episode Two of Ahead of the Threat. And Jamil, you and I are well on our way to our commitment here, and we'll get better with each episode. For any of our listeners or viewers, you have an idea, you want us a topi—a topic that you want us to talk about, please drop us a line and we'll try to incorporate [it]. But, for today, [I] hope we've helped everybody get ahead of the threat, and we'll look forward to reconnecting for Episode Three in two weeks.

[Music: Futuristic, airy tone.]
