ITSPmagazine Podcast Network

Where are We Going and What are You Doing? Navigating Europe's Evolving Threat Ecosystem While Wading through AI Overload | An Infosecurity Europe 2024 Conversation with Topé Olufon and Madelein van der Hout | On Location Coverage

Episode Summary

This episode of 'On Location with Sean and Marco' features discussions with host Sean Martin along with Forrester analysts, Madelein van der Hout and Topé Olufon. The topics range from predictions and future trends in cybersecurity to the impact of AI-generated code on data breaches. The conversation explores the importance of human elements in cybersecurity, resilience policies, and aligning security strategies with business goals.

Episode Notes

Guests: 

Topé Olufon, Senior Analyst at Forrester [@forrester]

On LinkedIn | https://www.linkedin.com/in/topeolufon/

Madelein van der Hout, Senior Analyst Security & Risk at Forrester [@forrester]

On LinkedIn | https://www.linkedin.com/in/madelein-van-der-hout-65452025/

On Twitter | https://x.com/HoutMadelein

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

This episode of 'On Location with Sean and Marco' features insightful discussions with host Sean Martin, Madelein van der Hout, and Topé Olufon from Forrester. The conversation covers a wide array of topics in the cybersecurity realm, ranging from predictions and future trends to the impact of AI-generated code on data breaches.

Madelein van der Hout, a senior analyst at Forrester, shares her expertise on API security, cyber consulting services, the threat landscape, and cybersecurity trends. Topé Olufon, also a senior analyst at Forrester, provides valuable insights on Zero Trust, Monitoring, Detection and Response, Digital Identity, and eSignatures, emphasizing the importance of collaboration in the digital trust domains.

Overall, the dialogue emphasizes the significance of the human element in cybersecurity, highlighting the need for behavior training and awareness to combat social engineering attacks. The pair also discuss resilience policies, aligning security strategies with business goals, and the evolving threat landscape in Europe. They also shed light on practical applications of AI in cybersecurity, emphasizing the importance of cutting through the noise to derive tangible benefits.

The episode invites listeners to engage in the evolving conversations surrounding cybersecurity in the myriad of sessions during Infosecurity Europe in London, promising a thought-provoking and informative experience for all attendees.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

____________________________

Follow our InfoSecurity Europe 2024 coverage: https://www.itspmagazine.com/infosecurity-europe-2024-infosec-london-cybersecurity-event-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTcLEF2H9r2svIRrI1P4Qkr

Be sure to share and subscribe!

____________________________

Resources

Wading through AI Overload – Where are We Going and What are You Doing?: https://www.infosecurityeurope.com/en-gb/conference-programme/session-details.3783.219350.wading-through-ai-overload-%E2%80%93-where-are-we-going-and-what-are-you-doing.html

Madelein's post about the session: https://www.linkedin.com/feed/update/urn:li:activity:7194686743848124416/

Learn more about InfoSecurity Europe 2024: https://itspm.ag/iseu24reg

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Are you interested in sponsoring our event coverage with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Want to tell your Brand Story as part of our event coverage?

Learn More 👉 https://itspm.ag/evtcovbrf

Episode Transcription

Where are We Going and What are You Doing? Navigating Europe's Evolving Threat Ecosystem While Wading through AI Overload | An Infosecurity Europe 2024 Conversation with Topé Olufon and Madelein van der Hout | On Location Coverage

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello, everybody. You're very welcome to a new episode of On Location with Sean and Marco. I'm Sean and flying solo today. Marco is actually on his way to Europe, getting a head start on, uh, our coverage actually on, on, uh, European soil for our Infosecurity Europe in London coverage. And, uh, yeah, we're excited to be in London, excited to have the conversations and, and to hear what's going on in Europe and and around the world. 
 

From our friends at Infosecurity Europe, I'm thrilled to have Madelein and Topé from Forrester to, uh, we're gonna have a chat about predictions and futures, and of course, I think we might even touch on that, uh, two letter acronym that everybody seems to be talking about. We can't we can't not talk about that. 
 

So, uh, thank you both for joining me today. Thank you very much.  
 

Madelein van der Hout: Great to be here.  
 

Sean Martin: Very good. And, uh, I, I have, [00:01:00] uh, I have analyst envy. I'll start off with that. I always thought I'd be an analyst. So I, I, uh, cherish the work that you do. And, uh, who knows, maybe someday I'll have the opportunity to do some fun stuff. 
 

And I also love talking with the, uh, Forrester team. You, you all have some, some great insights and, uh, any chance I get to, to speak with the Forrester folks, I'm thrilled for that as well. Uh, before we kick into what's going on at Infosecurity Europe, more specifically, um, maybe a few words from each of you about what you're, what you're up to and what your role is at Forrester so folks know who we're hearing from. 
 

And we'll start with you, Madelein.  
 

Madelein van der Hout: Yes. So, um, my name is Madelein van der Hout. I'm a senior analyst at Forrester, uh, within the cybersecurity and risk team. And specifically I covered, uh, or I cover a couple of domains. So from a global perspective, I'm looking at API security. Um, and from [00:02:00] European perspective, cyber security, consulting services, uh, threat landscape together with Topé, um, cyber security trends and how CISOs are actually, uh, spending their budget. 
 

And if we can find any trends in that as well. And, uh, one of the. Other interesting things that I'm working on is actually security operating model. 
 

Sean Martin: That's intriguing. One of the, one of the themes that runs through all of my podcasts is operationalizing cyber security. Yes.  
 

Madelein van der Hout: And it's actually something that will always be a bit, it will always be evolving. So it's a very interesting coverage area, I would say.  
 

Sean Martin: Ah, well, hopefully we can touch on that quickly and who knows, maybe we'll have a deeper, deeper conversation on that topic. Cause I'm super intrigued by it. And I think there's a lot of opportunity to do some things there. Uh, Topé.  
 

 

Topé Olufon: Thank you very much. Um, Topé Olufon, also a senior analyst based out of Germany. [00:03:00] At Forrester, I cover Zero Trust, Monitoring, Detection and Response, Digital Identity and eSignature. 
 

So while I primarily cover the European markets, I also collaborate frequently with global colleagues, especially in the digital trust domains.  
 

Sean Martin: Perfect. Well, thank you both for that. And, uh, let's, let's get into it. So Infosecurity London is, uh, four through six in June, just around the corner. And you both have conversations. 
 

I think you're joining together on one and then Topé on another panel, uh, looking at AI. Let's start with the general view of what you think will be the main themes at this year's conference and, so I'm, I'm curious to know, you mentioned, uh, before we started recording the, the, uh, some predictions you made and you're going to be looking back at that. 
 

That might be a good place to start. So maybe if you can share some of some of those points, Madelein, that would be [00:04:00] great.  
 

Madelein van der Hout: Of course. Well, what we are expecting to see, because it is something that we see everywhere around the world, obviously, is that Infosecurity will also revolve quite a lot around generative AI, but I'm actually hoping that we will travel beyond just generative AI and what kind of sophisticated threats we see emerging from that, because when we have a look at the most notable breaches that occurred in 2023, a lot still stem from poor hygiene. 
 

So I think we also need to remind everyone that we still have to work on the basics. So one of our predictions, first predictions is that, um, 90 percent of all data breaches will include a human element still, and that really calls for companies to look [00:05:00] well at their, at their workforce, at their employees, how can they really change behavior instead of just working on behavior or awareness? 
 

Um, one of the things that I have a lot of conversations around is if you have training systems where you just have to look through a video, uh, you see that people will do that while multitasking and that doesn't really change anything. Um, it doesn't change behavior, and that will mean that in the future, the human element within breaches will still be very huge. 
 

And it's actually something we can really change. One of our other predictions, uh, actually is that at least three data breaches this year will be publicly blamed on, uh, AI generated code. And we're saying at least three, because when we're looking at root causes, [00:06:00] um, we are suspecting that if it's due to AI generated code, uh, not every company will report that. 
 

Sean Martin: Interesting. Um, meaning, and I don't know if you have any insight into why they won't report it, is that they don't want people to know that, uh, it was used, using, they were using generated code. Code or yes, 
 

Madelein van der Hout: unfortunately, we, yeah, unfortunately we're still working with quite a lot of, uh, blaming and shaming when it comes to reporting incidents. 
 

So a lot of companies still are afraid, um, well, that there will be repercussions or that there will be actions hold against that. And, um, especially with AI and not having your security elements in place, um, that that could lead to a huge, uh, huge reputational, um, [00:07:00] damage. 
 

Sean Martin: And Topé, what are your thoughts on this?  
 

Topé Olufon: I, my thoughts actually mirror Madelein's. So I think a lot of it is also going to stem from the fact that organizations will try to use AI to generate a lot of code and beyond just generating code. A lot of the security practices that we've learned the hard way are going to be unlearned because it isn't AI to generate code. 
 

You're also trying to use AI to validate code. That's going to result in a significant number of low hanging vulnerabilities. And I say low hanging because if you think about a few years ago where SQL injections were a dime a dozen, because a lot of focus was shifted to rolling out code pretty quickly. 
 

Right now we expect to see similar things with AI because people are going to have a similar approach. It's an exciting tool. It's good for productivity. And they will try to automate parts of security that are not yet ready to be automated.  
 

Sean Martin: Yeah. And I, I can't help but go back [00:08:00] to, um, the, the hygiene and the human element. 
 

Uh, all of our training is for end users to not click on stuff. And we're not worrying about don't create code with that. We're leaving a big empty gap right there. Yeah.  
 

Madelein van der Hout: Yeah. So it's really interesting to see those, those, those type of things as well, because even when we look at the increase of, for instance, software for recruitment, um, that are, well, AI is dominating in that field as well, but. 
 

No one is particularly checking if the people that are applying are real, or if the vacancies are actually real. So there could also exist fuzz in the future if we're hiring real people. So there's a lot of elements you can also manipulate in that.  
 

Sean Martin: Yeah, I've actually heard [00:09:00] stories of, I presume, who knows really, I presume that in many of the cases that were being referred to, people were real. 
 

But not the people you think they are. So somebody, somebody would be doing the interviews. They would, they'd be using somebody who does graded interviews would do the interviews for somebody and then they get hired and not be the same person that got the job, but they're actually the one doing the job. 
 

It's quite, quite interesting.  
 

Madelein van der Hout: Exactly. And if we're taking it even further, there is already a woman who trained a large language model based on all the data of her ex boyfriends and, um, placed that in a hologram and already married the hologram. So there are, uh, all kinds of interesting, but also disturbing, uh, developments when it comes to generative [00:10:00] AI. 
 

Sean Martin: The human, the human mind has no, no limits, I think, in that regard, to get, to get weird. Um, I want to go back to the, to the hygiene piece and and maybe maybe touch a bit on on the risk, uh, areas that you focus on Madelein as well. Um, of course, I want your, uh, your, your thoughts on this as well. But, uh, one of the things that I've been hearing is, is this concept of resilience and more of a broader resilience, not just cyber and. 
 

I'm curious your perspective on how organizations are looking at general hygiene, kind of best practices, follow these frameworks, adhere to these, these regulations, um, and actually then also apply our own, our own business ethics and morals and goals and things [00:11:00] like that to the, to the policies to really look at where we need to be resilient, how we need to be resilient, how we look at risk, how we measure it, how we mitigate it. 
 

So any, any thoughts on, on that? Some things you're hearing in that regard.  
 

Topé Olufon: So I evaluate resilience policies, frameworks as in a very boring way. They're basically tools, a way, a means to get to an end. And I like to look at the trades when we're thinking of, of security and safety. So you speak to an electrician, a plumber or a construction guy. Okay. A lot of their safety instructions are there because they know something bad is going to happen. 
 

They treat risk as just a part of doing the job. They don't need to have extensive discussions on risk because the outcomes of not following these, um, of these procedures are pretty binary. And I think we start to learn a lot from that in cybersecurity. We say cybersecurity is meant to enable the business, and this is typically used as, you know, providing some sort of leeway [00:12:00] to cut corners. 
 

But if we cannot articulate why, um, the corner should be cut, on the flip side, why a security rule exists, is it because of legacy reasons? Is it because it's just the best practice? On both sides of the coin, it kind of hampers your business case. Because you're not going to see a construction worker arguing about the validity of a helmet. 
 

It's pretty binary. It's pretty straightforward. You're going to crack your skull if you don't wear one. And I think we need to be able to create such very binary outcomes when approaching risk and security. It's also going to really help our resilience. Because again, a lot of safety precautions in the trades are taking the assumption a system will fail. 
 

And that's the whole point of resilience in cyber security. There is a tendency for organizations to focus so much on prevention, which is, of course, great. You should try to prevent bad things from happening. The aspect of when something bad happens, how do our systems deal with it again? Back to the example of a [00:13:00] helmet. 
 

This helmet has been tested for impact. A lot of organizations have not really tested their resilience or response plans, and I think there's a significant gap there.  
 

Madelein van der Hout: So add to that, there is also something different going on, especially within Europe with NIS2 and DORA. So we see this legislation, these regulations coming up, and all for the sole purpose to have a more resilient society. 
 

That the impact of a breach that occurs in our society has been significant. a minimal impact because if there is a bank who experiences a breach that can have a huge impact on anyone. We cannot pay our mortgage, we cannot pay our groceries, so huge impact. But what I also hear from companies is that there's so much unclarity on what it [00:14:00] means to comply. 
 

So, a lot of companies are looking at the legislation, trying to find a bare minimal standard just to have that compliance ticked. And I think that's actually a disturbing development because it should not be about complying to legislation. It should be about how can I protect my business to a minimum standard at least so we have that hygiene in place and that we can move forward. 
 

On cyber security as a society, 
 

Sean Martin: I love what you both are saying and my mind is going a mile a minute here. I want to, um, yeah, just the whole, the whole cost of adhering to regulations is the whole thing. I want to go. I want to take the analogy of the helmet, because I think there's something interesting there to dig deeper into, um, a helmet. 
 

I don't know. We, we, we don't [00:15:00] wear helmets in a bus. Right. But then the bus has safety measures that they test. Right. And we don't. We don't, uh, rely on just the bus safety measures, uh, when we build the roads, the roads have been designed with angles and, and not too tight of turns and, and things like that to, to ensure that vehicles can travel on them safely. 
 

If we have potholes, we fix them and we put lights to help, help cross traffic and things like that. So how, how do we, and in the broader ecosystem of, of business operations? Where technology is coming into play, workflows are, are, are moving data around and connecting businesses and people together. How do we, how do we get to that test? 
 

And I'm hoping you'll tie it somehow to Zero Trust because I think there's, there's probably some, some hook into that. How do we get the helmet and [00:16:00] the safety tests throughout the business?  
 

Topé Olufon: Um, so if I'm trying to try to zero trust, it's going to be a bit of a reach, quite frankly. Risk control mechanisms, they're functionally different risk control mechanisms. However, the principle, I'm right there. 
 

So I'm thinking of, again, any other non digital system, for example cars. Cars are designed with the assumption that there might be a crash. As such, there are things like crumple zones, right? There are also seatbelts in place. All of this is built with the explicit, um, objective of ensuring the, uh, passenger and driver survive, right? 
 

That's the whole point of the safety mechanisms. Now, when organizations should look at the business, at whatever they're trying to secure, I think it's very important to ask that very basic question, and which is why I say cyber security should be boring. What are we trying to secure? If zero trust is the way to secure it, then you adopt zero trust. 
 

Now, [00:17:00] when we think of zero trust, least privilege, um, uh, consistent monitoring and untrusted by default, right? Those three principles are important, but a lot of organizations don't really understand why. So zero trust becomes another compliant compliance project that they will inevitably fail at. Now, if you're doing zero trust for, um, an environment, now fintech, right? 
 

And you have a lot of developers. What you're trying to use Zero Trust there, first and foremost, should be a development pipeline. Because if you use Zero Trust everywhere else, but your development pipeline is not secure, why are we really doing Zero Trust, seeing as you have fintech and development is a huge part of what you do? 
 

And that's why I like to approach security from a very, from a non digital perspective because safety systems in the physical world are designed with specific objectives in [00:18:00] mind and not just compliance reasons. 
 

Sean Martin: And Madelein, you mentioned the human element earlier and I'm connecting this to what Topé is talking about. I'm thinking about somebody working in the field, uh, oil field, let's say, um, the, the risk or the impact is binary, right? If I don't work this, this, uh, valve properly, it's going to blow up in my face and it's going to hurt. 
 

I don't, I don't know we have that same, that same sense of, I don't know if we call it fear or reality or understanding of the impact of our digital systems. And Marco and I talk about it quite often where, because you can't, because you can't see it. It's often, it's often magic and it just works. And therefore you don't really understand the impact it has behind the scenes or, or broader. 
 

So what are your thoughts on this?  
 

Madelein van der Hout: Well, also when we look at the human elements in cybersecurity, so if you have your entire company, you're [00:19:00] as strong, your security, your human element is as strong as your least experienced, uh, employee. And then we're not even talking about different generations and how different generations are, um, looking at personal data, for instance. 
 

So my perception of personal data, uh, is different, uh, than for instance, for my little niece, uh, she would accept cookies right away. Uh, uh, she doesn't perceive some information as personal information where I would. Say it's personal information. So I think that's a struggle that companies should address as well. 
 

So what do we mean by, by data sensitive data, um, have behavior training instead of just videos. Because social engineering [00:20:00] attacks are also focusing nowadays, not only on the CTO, but also his strategic advisor, his assistant, because those people also see the same information, but are usually more accessible. 
 

Sean Martin: Yeah, that's super interesting. And I don't know, in your views of operating models, Um, when I think of it, I'm, I'm thinking specifically security programs, but do you bring, do you bring that view broader to operating security within the business as well?  
 

Madelein van der Hout: Yeah. So one of the things we advise is for CISOs to align their security strategies and their security goals to their company goals. 
 

So the context of your, and the environment your company is working on, uh, working in is one of the most important parameters because based on that and based on your [00:21:00] company goals and aligning your security to those goals, um, you create more importance to your security strategy as well. Uh, we see a tremendous uplift in CISOs who are directly reporting to the board. 
 

So we also see that there's. We've, we've managed security up to the board, which is really great. It means that there are more budgets, um, and that there, that the awareness part of it all is progressing. So you also see the companies are looking at what are the type of things we want to have in house. 
 

What can we outsource and how do we have. Well, how can we work together with all the other departments so we can do it in a secure way? So that actually is a, is a, is a great trend that is developing.  
 

Sean Martin: And do you, do [00:22:00] you feel that's a trend globally or do you see the European business, uh, having, having a little more maturity in that area? 
 

Madelein van der Hout: Well, actually, if we're comparing numbers, America is, um, is ahead compared to Europe. Uh, so they're within Europe, fewer CISOs are reporting into the board than if you compare it with companies in America. I do believe that it is going to change because within the NIS2 legislation, they are driving boardroom accountability and there are huge fines. 
 

Um, and they can even, uh, make a C level resume or, or, um, uh, step out of his or her job if they didn't have their security posture in order. So I think that is going to create, [00:23:00] also, different importance of security when NIS2 is implemented in all European countries.  
 

Sean Martin: Right. I have to follow that closely. 
 

Definitely. I, you, you both cover so much and I mean, we're barely, barely scratching the surface on the topics. We're kind of, we're kind of touching on little things here and there. And I really appreciate that. I want to, in the future, A few minutes we have left because this is part of our on location yet. 
 

The goal is to, to get people to come and chat with you in, in London during Infosecurity London. And you both have panels. Uh, so Madelein, I'm going to give you the, uh, Topé and your colleague, Paul McKay. That's on, uh, it's Wednesday the 5th at 10 AM local time there in London. The title is Navigating Europe's Evolving Threat Ecosystem 2024 and Beyond. 
 

Uh, what can people expect to [00:24:00] hear from the three of you then?  
 

Madelein van der Hout: Well, everyone should come to this panel, first of all, uh, because we're together with, uh, Paul McKay, uh, Paul McKay now is a research director at Forrester, but he used to be an analyst as well, uh, covering all types of areas within cybersecurity. 
 

Also very knowledgeable. He has worked on multiple reports on predictions, so he will have also very valuable insights in how we look at predictions and how we determine if they're actually coming true. Um, but together with Topé, Paul and myself, we're going over what we see in the market. We're going to debate how trends are evolving and we're going to have a closer look at the predictions we make. 
 

Um, and we're there as well to answer any question anyone has. So it's more of an invitation to come and join and, and to have a [00:25:00] lively discussion with us.  
 

Sean Martin: Discussions are good. Discussions are good. Conversations make, uh, make things happen. Perfect. And, uh, and Topé, your session is Wading through AI Overload. 
 

There we go. We're all in on AI in this one. Uh, where are we going? What are we doing? You and, uh, Stephanie Yatimi and Henry Azure, you're going to have a great conversation on this, uh, looking at a number of things. Tell us a little bit about what you're what you're talking about there.  
 

Topé Olufon: Thank you. So, um, the summary version is we're going to be cutting through the fluff. 
 

AI has been a buzzword. Well, not a buzzword anymore. There are practical applications these days, but there's been a lot of noise about what it can be used for. And of course, there are a lot of false promises, a lot of theoreticality and deception from vendors. So what this session is going to do is help you cut through that noise. 
 

Talk about practical deployments of AI and how you can start getting value from it today. Um, whatever [00:26:00] potential business initiatives you could drive with it. I'm also going to look at some successful case studies. So a lot of this is bringing it down to earth, filtering, um, the noise. And focusing on how you can get tangible benefits from AI because we run the risk of AI just being this thing that people slap on pretty much everything else. 
 

Think of how companies randomly added .com to their names, even though they had nothing to do with the internet. We've gotten to that point with AI. So we need to figure out how we get actual benefits. And that's what this session is going to help you do.  
 

Sean Martin: Yeah, it'd be interesting to see how many, I was just in San Francisco and the, the plus AI on, on the names of companies and products was, uh, it was overwhelming. 
 

I'll just say that. And, uh, you had me at case studies, uh, anytime I can get a use case and hear about how somebody did something, I'm always, always very interested in that. So I'm excited to hear [00:27:00] what, uh, some of those use cases and case studies are successful adoption. And, um, yeah. Yeah, I want to thank you both. 
 

This is supposed to be just a quick chat and to meet and introduce you to our audience and invite everybody to join us at Infosecurity London and certainly attend these two sessions, these two panels. They intrigue Marco and me, hence the outreach to Topé and Madelein to have them on the show. So thank you both for spending a few moments with me today. 
 

Wish you a safe journey to London and excited to meet you in person and to, to enjoy the conversation, be part of the conversation, take action from the conversation. Thank you both.  
 

Topé Olufon: Thank you.  
 

Madelein van der Hout: And  
 

Sean Martin: thanks everybody for listening to this episode. We, uh, we'll see you on location in London very soon until then. 
 

Keep well, everybody.