ITSPmagazine Podcast Network

Dodging the Ball and ways for CISOs to avoid: Essential Strategies for CISOs | A Black Hat USA 2024 Conversation with Jess Nall | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin and Marco Ciappelli from ITSPmagazine as they talk with Jess Nall, ahead of the Black Hat USA 2024 conference in Las Vegas, about strategies CISOs can use to sidestep government fallout in the wake of major cyberattacks.

Episode Notes

Guest: Jess Nall, Partner, Defense Against Government Investigations, Baker McKenzie, LLP [@bakermckenzie]

On LinkedIn | https://www.linkedin.com/in/jess-nall/

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________


As the countdown to Black Hat 2024 begins, ITSP Magazine’s “Chats On the Road” series kicks off with a compelling pre-event discussion featuring Jess Nall, a partner at Baker McKenzie with over two decades of experience in federal investigations and defending Chief Information Security Officers (CISOs). Hosted by Sean Martin and Marco Ciappelli, the episode blends humor and serious insights to tackle the evolving challenges faced by CISOs today.

The Dodgeball Analogy: Setting the Stage

The conversation opens on a light-hearted note with a dodgeball analogy: dodging the ball gets harder as you carry more baggage, and Sean uses it to stand in for the growing complexity of the cybersecurity landscape. This sets the tone for a deeper exploration of the pressures and responsibilities that modern CISOs face, connecting the weight of legacy technology to today's challenges.

Legacy Technology vs. Modern Cybersecurity

Extending the dodgeball metaphor, Sean and Marco point to the burden of legacy technology: organizations drag past decisions along with them and are no longer as fast and nimble as they once were. Jess Nall shares her perspective on how past business operations shape today's cybersecurity strategies, emphasizing the need for CISOs to adapt and innovate continually.

ITSP Magazine’s Milestone and Black Hat Connections

This episode also marks a celebratory milestone for ITSPmagazine. Sean and Marco recall the early "Chats on the Road" episodes, recorded while driving from Los Angeles to Las Vegas, and Black Hat as the event where ITSPmagazine was born, and reflect on how those experiences have shaped the publication's mission and growth. As they gear up for Black Hat 2024, they express their excitement about reconnecting with the cybersecurity community and exploring new opportunities for collaboration.

Introducing Jess Nall: Expertise and Experience

Jess Nall, a seasoned defender in federal investigations who has represented many CISOs, brings invaluable insight to the discussion. She underscores the severe personal consequences of government scrutiny for CISOs, pointing to high-profile cases such as the SEC's enforcement action against SolarWinds and its CISO, Tim Brown. Jess offers practical advice for CISOs on avoiding regulatory pitfalls and stresses the importance of staying vigilant and proactive in their roles.

The Internet’s Troubled History and Its Impact

Marco steers the conversation toward the Internet's origins and its initial lack of security foresight. Jess reflects on how the landscape has shifted since then: threat actors have grown more sophisticated, attack surfaces and data volumes have expanded, and the U.S. government has struggled to reach the actors themselves, especially nation states operating abroad. She also discusses the resulting practice of singling out the individuals closest to an incident, often the CISO, as a way to influence corporate cybersecurity behavior, a practice she firmly opposes.

The Perfect Storm: AI and Cybersecurity

The discussion turns to the increasing complexity of cybersecurity in the age of AI. Sean and Jess delve into the pressures CISOs face as they balance the incorporation of AI technologies with maintaining robust cybersecurity measures. Jess describes this scenario as a “perfect storm,” making the role of a CISO more challenging than ever.

Regulation and Legislation: A Critical Examination

Marco raises concerns about the reactive nature of current cybersecurity legislation and regulation. Jess describes the current pattern as "regulation by enforcement": agencies such as the SEC and the Department of Justice wait for a bad outcome and then work backwards to whoever was closest to the blast zone. She outlines the topics she will cover in her upcoming Black Hat presentation, aiming to explain the chessboard CISOs are playing on and to equip them with preventive measures and strategic responses before, during, and after an incident.

Looking Ahead: Black Hat 2024

As the episode concludes, Sean emphasizes the importance of awareness and proactive measures among CISOs. Marco encourages listeners to attend Jess Nall's 40-minute briefing at Black Hat USA 2024 on Wednesday, August 7th at 3:20 in Jasmine AE, Level 3, at Mandalay Bay in Las Vegas. This critical discussion promises to equip CISOs, their leadership, and the teams that support them with the knowledge and tools to navigate their increasingly scrutinized roles.

Stay Tuned with ITSP Magazine

Sean and Marco remind their audience that this episode is just the beginning of a series of insightful conversations leading up to Black Hat 2024. They invite listeners to stay tuned for more engaging episodes that will continue to explore the dynamic world of cybersecurity.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

____________________________

Follow our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllRo9DcHmre_45ha-ru7cZMQ

Be sure to share and subscribe!

____________________________

This Episode’s Sponsors

LevelBlue: https://itspm.ag/levelblue266f6c

Coro: https://itspm.ag/coronet-30de

SquareX: https://itspm.ag/sqrx-l91

Britive: https://itspm.ag/britive-3fa6

AppDome: https://itspm.ag/appdome-neuv

____________________________

Resources

Learn more about Black Hat USA 2024: https://www.blackhat.com/us-24/

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Are you interested in sponsoring our event coverage with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Want to tell your Brand Story as part of our event coverage?

Learn More 👉 https://itspm.ag/evtcovbrf

Episode Transcription

Dodging the Ball and ways for CISOs to avoid: Essential Strategies for CISOs | A Black Hat USA 2024 Conversation with Jess Nall | On Location Coverage with Sean Martin and Marco Ciappelli 

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Marco. Sean. When was the last time you played dodgeball?  
 

[00:00:09] Marco Ciappelli: Dodgeball? I like that game. Um, a long time ago. I will play it. I wouldn't be as good, you know, when you age. It's not easy to dodge the ball, but maybe it's better if I don't, if I stay away.  
 

[00:00:25] Sean Martin: That's because you have legacy, uh, legacy experience that you're dragging around with you.
 

[00:00:30] Marco Ciappelli: I have legacy. My body is a legacy.
 

[00:00:34] Sean Martin: I'm doing my best to tie it back to legacy technology, and you'd think we'd get wiser in our business operations, but somehow we carried luggage with us and we're not as fast and nimble as maybe we were before in the past. So,
 

[00:00:49] Marco Ciappelli: And I think the game is a little bit more complicated than dodgeball.
 

[00:00:54] Sean Martin: Just a little bit  
 

[00:00:56] Marco Ciappelli: And a little bit when you talk about cybersecurity. But, Sean, before we go there, I gotta say that I am excited.
 

This is the first episode of our famous, or infamous, I don't know, Chats on the Road to an event. And this event, as people know, has been following us for years. It is where ITSPmagazine actually was born, so it's kind of a birthday when we go to... we hatched
 

[00:01:22] Sean Martin: 10 years ago  
 

[00:01:23] Marco Ciappelli: Hatched. We hatched a long time ago. And the Chats on the Road at the time were actually driving in the car recording a podcast.
 

[00:01:31] Sean Martin: That's right, from Los Angeles to Las Vegas. Exactly. Exactly. Well, I'm thrilled, thrilled to kick this off. And, uh, it's a great topic and a great guest who's sitting there patiently wondering what the heck are these guys doing? Jess Nall. It's great to have you on the show. Thank you for joining us.
 

[00:01:50] Jess Nall: It's great to be here. Thanks so much for inviting me.  
 

[00:01:54] Marco Ciappelli: Yeah. And now you know something you didn't know before. That's right. That's right. I'm learning.  
 

[00:02:02] Sean Martin: Marco is not as good at dodgeball as he used to be. It's a very important topic. Now, so, let me kick this off. Congratulations on getting a speaking spot to Black Hat. 
 

Any speaking spot is challenging Black Hat even more so, I think. And, uh, it's an important topic, which is probably why it caught their attention. The, uh, the subject is essential strategies for CISOs to step, or sidestep government fallout in the wake of major cyber attacks. Uh, there have been a number recently and some have, uh, caught the attention of the SEC and, uh, lots of good stuff. 
 

I don't know, maybe good stuff isn't the right way to put it, but lots of things have happened specifically to the role and to the people in the role, and, uh, it's leaving, leaving people on shaky ground, right, as a CISO. Um, so tell us, uh, before we get into the topic, tell us a little bit about what you are up to.
 

Uh, you're at, uh, Baker McKenzie and a partner there. So what, what, what all, what are all the fun things you get to do?  
 

[00:03:10] Jess Nall: Sure. So I have been at this practice 24 years, so I was much better at dodgeball when I started than I am now. Uh, but in terms of helping navigate clients through government scrutiny, government intervention, investigations, internal investigations, I defend against the federal government. 
 

So I've had the, the honor and pleasure of representing probably the most, uh, number of CISOs in federal investigations and litigation, um, probably more than anybody else in the country. So, uh, it's been really great, really educational, obviously very difficult. For my clients to go through, uh, really one of the worst things that could happen to somebody in their life would be, you know, in addition, other than a horrible medical diagnosis would be, um, being under that intense government scrutiny. 
 

So I've been there, I've held the hands of, of so many in information security through that. Uh, and that's what I want to keep doing, and what I'm hoping to accomplish in part through speaking at Black Hat is to give some people some good tips to avoid ever having to call me, but also give them my number to call me if they need me.
 

[00:04:30] Marco Ciappelli: So I want to start, Sean, if I, if I may, because of course it reminds me every time we talk about the history of the internet and why it wasn't secure, right? So, well, you know, it was just something between three universities and nobody thought it was going to become what? And somehow I feel like, yeah, I'm in IT, I fix computers, I do network, I do this and that, and then all of a sudden it becomes not dodgeball anymore, a lot more complicated.
 

So with your experience of so many years, Uh, you know, the, the, the progression if not a little bit of a history of how we got to where we are in these kind of roles.  
 

[00:05:14] Jess Nall: Sure, yeah. I mean, it's a really difficult situation, right? It's only getting harder every day to repel the threat actors and to always have the, the best new tools and always do that one extra thing that needs to be done, that that's gonna be the thing that's going to keep. 
 

Uh, the network's safe and it's gotten much harder, um, over the years, obviously, as the threat actors have become much more sophisticated and as the attack surfaces, all the data's like really grown in size and scope. And the U. S. government, uh, has not gotten any better at, uh, going after the threat actors. 
 

Especially when they're international, um, it's a very, very difficult task, especially when it's nation state actors, which it often is, um, to find someone to single out, to make deterrence happen, to, to try to affect what the government believes should be done in terms of cybersecurity preparedness. And so what's evolved is that they've gone closer to home to the individuals who are actually on the front lines fighting that fight and have singled several of them out. 
 

We all know the famous cases, um, and that's how they're trying to change the hearts and minds and actions of, of information security at the corporate level. But I don't agree with that. I don't think it's the right thing to do, but that's kind of the way the history's evolved.
 

[00:06:53] Sean Martin: Yeah. And of course, many, many positions I, I'm with you. 
 

Um, I've heard countering positions that investors have a right to know and have their investments protected. If they're not being protected properly, somebody needs to be held liable. But, I mean, the government has fallen prey to, to attacks. So, I don't know how, how it's possible for them to point a finger and then hold somebody liable against a nation state that even a government agency would have a tough time, uh, standing up against.
 

So I guess the point of your talk is to kind of get, I believe, and maybe, maybe you can share for us what your objective is. But it seems to me that it's some advice and some guidance on how to navigate the role, navigate the tools, navigate the program, navigate the communications, to shield oneself from that really bad thing that the government might come out.
 

So maybe if you can kind of elaborate on that, that'd be great.  
 

[00:08:06] Jess Nall: Sure. Absolutely. You know, to your point, um, the shareholder, to the extent the shareholders do have a right to know in our society, the SEC holds that as the number one goal of all their enforcement. Um, the question is, whose role is it to inform the shareholders, right?
 

And is it really the, the warriors on the front line of the war, um, who should be responsible for that? Or is it somebody else in a different role? And so in, in large part, my, uh, my talk at Black Hat will be about, um, how CISOs and other, and other folks in information security, because this touches everybody, touches the lawyers that work hand in hand with the, uh, Information security personnel and you know, everybody from the line level all the way up to the CISO and beyond. 
 

It touches everybody to figure out whose role it is and then to make sure that the systems are set up to insist on procedures and ways of acting, working together, uh, so that you're less likely to be the person singled out for, for that intensive government scrutiny. Um, if, you know, if you're unfortunately part of a giant attack that hits the headlines, um, like a couple have done in the last week, go into that, but there's a lot of, uh, things remaining to be seen about all the things that happened there.
 

But whenever there's a major attack and then there's a long lag until disclosure, Usually that's when I get called because there's a lot of questions about why, why didn't, why didn't, you know, we hear about this sooner, what happened, what decisions were made. And so, um, so yeah, that's the point of, of what I want to share is based on my experience over at least the last 10 years, what some, you know, what are some things you can think about doing now before an incident, during an incident, and after to ensure that You know, that you're not going to be the one taking the fall for  
 

[00:10:24] Sean Martin: me. 
 

It's, I mean, there are only certain, certain number of hours in the day. Um, one could choose to work all 24, right? Not sleep, spend no time with family. That's not going to happen in the real world. Hopefully. Um, so there's a set amount of time, certainly budgets and issue, uh, certain amount of money available, number of staff available to support both in the security part of it, and also around the rest of the business. 
 

So my, my. It really boils down to prioritization of what's important and that's leading me to my sense that some of the cases have been high profile and news, newsy, um, maybe a few months back. Breaches are now, the last couple of weeks, some have risen to the surface, not necessarily cases in my, my perspective. 
 

What has caught the attention of the media and is talked a lot about is AI. Right. So my, my point, I guess, is that's probably a very pertinent topic from the board and leadership perspective of the company, and that's what they're asking the CISO to deal with at the moment. And not necessarily go figure out how to protect yourself. 
 

If something bad happens. So guidance and direction from the executive leadership team and the board and whatnot kind of puts priorities, uh, out of whack from my perspective and news, the lack of news in some cases kind of, kind of supports that as well. So I don't know any thoughts on that.  
 

[00:12:03] Jess Nall: Yeah, no, I think you're absolutely right. 
 

It's, there is tremendous pressure. Uh, at least where I sit here in the Bay Area, um, all the tech clients that I work with, there's a lot of pressure coming from above to, to not only, you know, develop and market and race to have the best AI systems, but also to use the systems internally to start incorporating AI tools. 
 

Pretty much in any use case that can be imagined. And naturally the cross functional team of doing the risk evaluation and governance for that is always going to involve the CISO. So you're right. It's kind of a perfect storm. Where you've, you've got, you know, an increasing amount of responsibility in a new area where a lot of the risks are not even necessarily fully known yet. 
 

Um, in addition to your day job of keeping the threat actors out. Uh, so yeah, it's, it's, it's only getting more difficult out there in terms of the, um, the time pressure and the overall responsibility that's being placed on information security and today's AI arms race.  
 

[00:13:16] Marco Ciappelli: Well, I remember conversations with CISOs many years ago, um, where, where it was becoming very difficult to be a CISO. 
 

It was already difficult. And somebody said, well, they're expecting too much from a CISO. Maybe we need two CISO. Maybe we need three CISO, one specialized in one thing and another. I can name a bunch of people that are CISO that have said this. As you said, it's just getting more and more complex. So here's my question as someone that is not as deep as you both are in the topic. 
 

So it's more of a common sense of instead of having to teach, um, not to take your talk away, but my point is instead of having to teach how to dodge the ball, why don't we change the fact that maybe the ball shouldn't be thrown to begin with. So my point is, isn't somebody should pinpoint and finger, point the finger to the regulation and, and the laws and, and, and study something that is more acceptable than just say, well, something happened. 
 

Well, there's that guy.  
 

[00:14:33] Jess Nall: Yeah, in an ideal world, it would work that way. But I think, yeah, it's not really, I'm not going way out on a limb or taking a political position to say that our legislature has a hard time, um, putting out, you know, universally acceptable, um, legislation that everybody can follow. And instead what we have is, uh, and this is regardless of who is in the White House, we have, um, regulation by enforcement. 
 

Executive agencies like the SEC and Department of Justice, you know, will, will wait for that bad thing to happen. And then they'll kind of work backwards from there to figure out who is closest to the blast zone. And that person is, is the one that gets to be on the hot seat. Um, I, I don't think it's the right way to approach things. 
 

I don't think, I think it's misguided, but, um, it's kind of, at this point, it's baked in for decades in the U S that that's just how it works. So part of my talk will be about explaining that kind of the chess board that we're playing on and why people do what they do when, when that bad thing happens so that people can be more, uh, prepared and aware. 
 

[00:15:49] Marco Ciappelli: Yeah, but I guess my point is. Do you see something happen in that direction? I know it's complicated. And I'm not asking you to give the solution, but is it, are we maybe getting there or you think it's just status quo and it's going to stay like this is the, this is the board and this is what we're going to play with? 
 

[00:16:11] Jess Nall: Well, hopefully after my, after my talk, we will all be bullet. We'll be, we'll be tough long. We'll be, uh, we'll be able to bounce it back. And you know, the, the major SEC enforcement action that's still pending hasn't been resolved yet. So it's possible. I mean, it's. Candidly, more likely it'll end up in a settlement that won't be satisfactory to anybody, but it's possible that, uh, that the folks involved in that will fight successfully and that we'll start to get some good precedent on the side of, you know, not, not us, not today. 
 

We're not the droids you're looking for. Find someone else. Um, and that's, that tends to be how it works here in our, in our country too, that it's the courts that ultimately get to decide. And, and that's really up to the individuals of how, how hard they want to fight. So, you know, on the one hand, you can prevent it. 
 

That would be great. Um, I wanna, I hope that after people hear what I have to say, there'll never be another CISO federally investigated. Um, but if they are, if they fight hard and they win in court, that helps a lot, too.  
 

[00:17:22] Sean Martin: So, when we talk cybersecurity, one of the messages we always talk about is one, an organization often thinks they're not a target and therefore not at risk and therefore don't have to do much to mitigate the risk, if anything, uh, especially when you move down into the small, medium business, uh, that's not, not as mature in that realm as well.
 

Are, do, do CISOs have that same kind of mindset for themselves in this regard? In other words, do they think, well, my CEO has my back or my program isn't complicated really in the grand scheme of things, so therefore, or I'm not in an industry that's regulated or, I mean, some of the same, same comments you might hear from, from an organization. 
 

Does the CISO have the same, same thing? Cause one of your points in the talk is red flags, right? And to me, that's a sign. Yes, it is.  
 

[00:18:30] Jess Nall: Yeah, no, I think you put your finger right on it. I think you could, you could share the stage with me in August. Uh, but yeah, no, I think that's a really, a great point. I think when you go into the CISO role, you're expecting your job to be a certain thing and you're, you're on the front lines, you're protecting the company. 
 

You're maybe sitting on the AI committee, whatever it is. Um, but you're not the person who's responsible for creating a cross-functional team with SEC disclosure counsel and all the rest of that. You just kind of trust, I think, that the corporation is going to work effectively. Um, and I, my, my talk is about don't trust that.
 

Take control of that. Understand that, insist on. Certain lines of communication. And if you don't get it, yeah, look for the red flags. And eventually you have to make a decision, uh, to understand the risk to you personally, that it's not, you can't just assume that everything's going to be fun. As long as you, you do your job. 
 

Um, nobody can ever be sure that you've done enough to prevent a horrible attack from happening. So, you know, feeling complacent, trusting too much. Those are all things I think y'all probably do, but certainly in this area.
 

[00:19:47] Marco Ciappelli: Well, I'm very tempted to ask you some other of those tips, but I guess we will have to just... and be in the audience when you do your presentation.
 

And, uh, it's our job, as we said at the beginning before we recorded, to not let you spill all the beans, because we want people to come. And I think people will come because it's a very hot topic. And, uh, and we think that the line will be outside of the door, and Sean and I will be there.
 

[00:20:18] Sean Martin: That's right.  
 

[00:20:19] Jess Nall: I can't wait. 
 

Thank you so much for  
 

[00:20:22] Sean Martin: Coming. We'll be pushing people and cramming them in, standing in line. I
 

[00:20:25] Jess Nall: love it.  
 

[00:20:27] Sean Martin: All right, uh, well, Jess, it's been fantastic chatting with you as the sirens blast by me here. Uh, Wednesday, August 7th, 3:20, in, uh, Jasmine AE, Level 3, according to, uh, the schedule of Black Hat. 40-minute briefing.
 

By you, Jess. The title, uh, Essential Strategies for CISOs to sidestep government fallout in the wake of major cyberattacks. Not quite dodgeball, but, uh, dodging something anyway. And, uh, like Marco said, important topic. I do hope CISOs and their leadership team around them and the teams that support them all join you to get your insights. 
 

And I'll be there as well.  
 

[00:21:14] Marco Ciappelli: And we will be there. And because this is the first episode of Chats on the Road, there will be many more on the way and the time that separates us from the event, which is August 3rd to the 8th, 2024 at the Mandalay Bay in Las Vegas. We will be there. And if you can be there, come by, say hi. 
 

And if you can't, just follow all our coverage because we're going to have a lot of conversations like this. So, just... thank you so much.
 

[00:21:43] Jess Nall: Thank you both. I can't wait to see you in Vegas.  
 

[00:21:46] Marco Ciappelli: Absolutely. We'll be there.  
 

[00:21:48] Sean Martin: Perfect. Thanks everybody.