Techopedia speaks with Vladimir Svidesskis, director and head of security, compliance, and risk at talent and solutions firm Vaco and a CISO advisory board member of the Nashville Technology Council, about the current state of cybersecurity.
We also explore Svidesskis’s approach to cybersecurity and how he contributes to the advancement and innovation of the security and compliance industry.
On the Current State of Cybersecurity
Q: What are your thoughts on the current state of cybersecurity?
A: I’ve noticed that attacks on vital components of infrastructure continue to increase. We’re talking about healthcare facilities, academic institutions, utilities, and local and federal government agencies. And it seems to be happening in groups – for example, not just one water facility in a particular location but three or four water facilities throughout a particular region. That’s not just in the United States; it’s also in foreign countries. The primary reason for the increase in these attacks is always financial, followed by the need to disrupt something. But for the most part, the reason is for financial gain.
I’ve also noticed that ransomware payment discussions and cyber insurance conversations are increasing. So, conversations around whether or not to make the payment, which is cyber extortion, and where cyber insurance fits into that.
Q: How is the cybersecurity threat landscape for businesses evolving in the U.S. and internationally?
A: I think these infrastructure attacks foster a need for a collaborative approach to national and even global efforts to rein in cyber extortion. I definitely think that’s going to happen because it’s a matter of the way we have our foreign policies.
We have foreign policies where we have certain agreements with various countries or a group of countries, NATO [North Atlantic Treaty Organization], as an example, and OAS [Organization of American States], etc. We have collaborations of groups of countries for various reasons. And I think that will foster a more focused approach to addressing cybersecurity globally.
Svidesskis’ Approach to Information Security
Q: What is your approach to information security?
A: A generic approach is keeping current. You need to keep current if anybody wants to look at information assurance or information security. You have to know technology. You have to know business constructs. You have to understand threats that are pervasive through technology to the business. You also have to understand the [compliance and regulatory] mandates – are they regional, local, or global mandates?
Put that all together – you have to know where we are today. What’s the current news that’s going on? That’s what it means to keep current in the activities within the cyber space, the technology space, and the business space.
You also have to establish relationships with key stakeholders in any one of those areas and inquire as to their understanding and concerns pertaining to their information assets. You want to go to the CEO, the CFO, the CHRO, and all the C-suite members individually and just ask them two questions. What do you think information security is? And what is your biggest concern? That doesn’t mean there are only right or wrong answers.
What you’re doing is you’re establishing a relational communication foundation. You’re getting to know the individual, their persona. But you’re also getting to know what their perspective of information assurance is and what their biggest concerns are. Then, you’re opening a dialogue with them. And once you have that dialogue, it’s easier to establish an information security program because you each know what the other is talking about and where you’re coming from, and you have the right level of communication.
I think some of my peers may have it in reverse because they come in and say, “I can do this, this, and this for you.” But you don’t even know what their concerns are or what their perceptions of information assurance are.
Q: What keeps you up at night?
A: That’s an interesting question. There are many vast components. There’s the network. There’s someone’s handheld device. There’s a vendor that has access to our system. There are customers who may click the wrong thing. But we also need to know if [employees] understand the alerting channel for any suspicious activity – that would keep me up. We’re going to make mistakes.
But if we make a mistake, and we don’t know how or to whom to communicate that mistake, then that mistake goes unnoticed and can become worse. So information security leaders have to ensure people know the alerting channel for any suspicious activity.
Q: How do you contribute to the advancement and innovation of the security and compliance industries?
A: I take time to volunteer at various national and local professional events and communities where discussions are fostered. I attend and contribute as much as I’m able to. I probably do about four to five a month, sometimes more. I participate in Q&A sessions, executive roundtables, panel discussions, or even just as an attendee, and I listen, pose questions, and take notes. And then you look at all that information, and you look at the industry you’re in, you look at the locale you’re in. Then, you aggregate all that so that you can deliver a more well-curated recommendation to those C-suite members so they can make more informed decisions on information assurance and where they want to take it.
Impact of AI, GenAI on Cybersecurity
Q: In 2024, artificial intelligence (AI) and generative AI (GenAI) will enable malicious actors to execute more intelligent and personalized phishing attempts against their corporate victims. In addition, ransomware will continue to be a major threat. From your perspective, how should organizations mitigate these risks?
A: I wrote my first AI policy, I think, a little over a year ago, and the first bullet point is ensuring you have an awareness campaign in place, focusing on trust and attribution of activities. That means an awareness campaign to let people know what’s going on around a particular topic, focus, or discipline.
Your organization has to ensure employees know how to validate whether a communication, such as an email, is actually coming from [a legitimate sender]. With AI, malicious actors can send [highly personalized phishing emails that are difficult to differentiate from genuine emails]. They can automate such things as changing the source, changing the subject, and the attachments. So, information security officers need to provide more comprehensive awareness campaigns.
Information security officers also need to enforce information security programs to mitigate these risks as well as facilitate the maturation of basic cyber hygiene. And a lot of these basics don’t require extra spend on vendor tools. We have to make sure basic cyber hygiene activities are conducted – and that means installing the necessary software patches, for example. If you were a fly on the wall at one of our [chief information security officer] meetings, dinners, or roundtables, you would hear that there’s a lot of clamoring about the basics.
We all know we’re supposed to do this, but for some reason, it’s not getting across to the implementation. We write policies and procedures, but there’s a gap between the policies and procedures and the full implementation of the basics. I think in 2024, with AI, organizations are going to realize [the importance of implementing] the basics. And a lot of these basics don’t require extra spend on vendor tools. That’s something we need to do, and operational culture is the place that needs to be addressed.
Ethical and Privacy Concerns of AI
Q: With the integration of AI in cybersecurity, what ethical dilemmas and privacy concerns are emerging?
A: I [recently] read the ChatGPT terms of use that talked about content, whether the content was the input or the output. And it puts the onus on the individual using AI. Now, AI is just a tool; you can’t sue a tool, right? It’s like a vehicle – you can’t sue the car, but you can sue me if I drive it and I bump into your car or your house or something.
So you have to use the tool responsibly. You have to know what the tool is used for and what your intent is for using that tool.
The content portion of ChatGPT’s terms of use indicates that you’re responsible for everything that you put in. However, everything that comes out is not necessarily accurate. And you cannot rely on it for medical advice or legal advice. You can’t use it for academic submissions, and you can’t copyright it.
There was an instance where someone had AI draw a painting for them, and they tried to patent the drawing. But a court said, “No, that is not your intellectual property. You did not create that. You used an automated tool to generate that. You can have that copy, but you can’t patent it.”
You have to know what the ethical constraints may be, and you have to understand what the privacy concerns are and who owns the data. For example, ChatGPT says you should not put in data that you know is not yours or may be confidential. You also cannot put in data that may not be public or that may concern another individual without their consent, etc., etc.
And I think people who start to use AI for the benefit of business or even personal or academics could be held accountable if they go against those privacy mandates.
The Need to Work Collaboratively to Secure Cyberspace
Q: How can cybersecurity professionals and AI researchers work together more effectively to address cybersecurity challenges?
A: I think cybersecurity professionals and AI researchers need to go to forums or summits together. We need to hear what each other is saying so that we’re not working in silos next to each other but we’re working as one holistic group in open forums. We need to be in the same room, so to speak.
Although two days or 16 hours is not much, the follow-up conversations that can spawn from that and the meetings that can spawn from that can help the cybersecurity professionals by making sure that they’re actually aligning to the technology, and technology can make sure that they’re being sensitive to any vulnerable areas of the AI research.
Q: What is the role of government in securing cyberspace?
A: As far as securing cyberspace, the government needs to protect the infrastructure. You and I, and all our neighbors and people in different states and counties, wherever they are, all rely on parts of the infrastructure to a certain degree. And [cyber threats] are hitting most healthcare facilities, utilities – everything from power plants to water supplies.
And they’re hitting local and federal government agencies, whether they’re courthouses or police stations, and academic institutions, whether they’re elementary schools or universities – they’re all being impacted.
And at the national level, the government also needs to protect the armed forces, the Department of Defense, the Internal Revenue Service, the U.S. Treasury, and the U.S. Congress. The federal administration is part of what I would consider the infrastructure at the public administration level. So, I think the government’s role is to protect the infrastructure.
On Fighting Tomorrow’s Cyber Battles
Q: Are organizations fighting tomorrow’s cyber battles with yesterday’s methods?
A: That’s a Catch-22. I think that basic cyber hygiene still has not been implemented and matured to the point that the vast number of these cyberattacks could have been mitigated. That’s yesterday’s method – basics.
I would say the approach needs to [look at] where the value is. Is it money? Is it data as far as records? Is it data as far as national security information? Find out where those information assets are and apply the foundations to them.
We can use AI as well. For example, there are so many federal guidelines, requirements, and U.S. codes – everything is codified. We throw that at AI, and AI will consume that, and we can ask any question about any of that.
So what if we take that to a live situation, say a university, for example. And we throw in all the university’s policies and procedures and then connect the network, hypothetically, to the AI. Now, AI can take the government regulations and guidance and everything and balance it with the academic policies and procedures.
Then, it can take those two areas of governance and apply them to what’s actually occurring within the network and spit out a live report as it’s happening. [And you can then mitigate issues]. So, you should invest in using AI. Otherwise, you’re going to end up coming to a knife fight with a rock.
Q: What’s likely to stay the same, and what’s changing in how companies think about and respond to cyber risks?
A: I think what will stay the same is people understand that information security is a must, and it’s not an option at organizations. Organizations recognize the need for an information security function or component — that will stay the same. What’s changing is how they think about and respond to cyber risk.
I think there will be a little bit more proactivity at the C-suite level. That’s because the federal government has really put a big spotlight on cyber risk and mitigating its effects and who they’re holding accountable.
As far as public companies, the SEC is holding public companies to account, including board members, the C-suite, and such. And I think that companies are going to ensure that information security is part of their strategic goal discussions.
About Vladimir Svidesskis
Vladimir Svidesskis is an experienced and credentialed information security executive who is strongly involved in the security community.
His early career began with ten years of active duty in the U.S. Marines in the communication and intelligence fields, teaching encrypted communication systems operations, repair, and maintenance. Svidesskis’ intelligence field expertise included managing classified information and classified equipment.
He has 15 years of experience in the engineering industry, including roles in IT management. He served as the information security director for the Georgia Lottery Corporation for five years. He is currently the director and head of security, compliance, and risk at Vaco, a talent and solutions firm.
Svidesskis is on the advisory board of the Cyber Risk Alliance Nashville chapter, an advisory board member of the Southern Leadership Exchange, a CISO advisory board member of the Nashville Technology Council, and a member of the governing body of Evanta Atlanta CISOs as well as Evanta Global CISOs.
Svidesskis is also on the advisory council at SecureWorld and on the governing board of CISO Summit Atlanta. Svidesskis’ current credentials include CISSP, CISM, CRISC, GSLC from GIAC, and HITRUST CCSFP.