The Hidden Dangers in Your Supply Chain with SecurityScorecard’s Aleksandr Yampolskiy
Season 2 Episode 45 •Show Notes
SecurityScorecard CEO Aleksandr Yampolskiy joins Cyber Focus to warn that third-party risk is now the dominant cybersecurity epidemic. With just 150 companies responsible for 90% of the global attack surface, a single compromise can ripple across sectors and continents. He and host Frank Cilluffo explore the cascading risks of software dependencies, fourth- and fifth-party exposure, and the challenges of shadow IT and shadow AI. Yampolskiy outlines where companies fall short on governance and calls for outcome-driven oversight, not just busywork. They also discuss how AI can be both a vulnerability vector and a force multiplier for defense.
Main Topics Covered
• Third-party breaches now account for 65% of cyber incidents globally
• Only 150 companies comprise 90% of the global attack surface
• The risks of shadow IT and “shadow AI” leaking sensitive data
• Systemic vulnerabilities in critical infrastructure like U.S. ports and healthcare
• Limitations of compliance-driven approaches without continuous risk measurement
• The need for clear governance, outcome-oriented metrics, and board-level engagement
Key Quotes
“65% of data breaches today happen through use of a third party. Hackers go after one weak link.” — Aleksandr Yampolskiy
“150 companies’ products comprise 90% of a global attack surface. So if one of those companies gets compromised, all of a sudden, you can compromise almost everybody.” — Aleksandr Yampolskiy
“You can be fully compliant with all the regulations, but not secure. Or you could be really secure but not compliant.” — Aleksandr Yampolskiy
“An employee takes [the] general ledger or… some sensitive corporate information, uploads it to ChatGPT—or worse, to [a model] in China—gets a beautiful response, looks like a champion… but then you just leaked sensitive information from a company and nobody knows about it.” — Aleksandr Yampolskiy
“Our ability to network has far outpaced our ability to protect networks.” — Frank Cilluffo
Relevant Links and Resources
• SecurityScorecard Research
Guest Bio
Aleksandr Yampolskiy is the Co-Founder and CEO of SecurityScorecard, a global leader in cybersecurity ratings and risk management. A former CISO and CTO, he has led the company since 2014 in helping tens of thousands of organizations—including half of the Fortune 100—measure and strengthen their cyber resilience.
Transcript
1
00:00:00,000 –> 00:00:01,000
Aleksandr Yampolskiy [00:00:00]: 150 companies’ products comprise 90% of a global attack surface. So if one of those companies gets compromised, all of a sudden, you can compromise almost everybody.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:13]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with Alexander Yampolskiy, who is the co founder and CEO of Security Scorecard, a global leader in cyber ratings and cyber risk management. And for full disclosure, I have the privilege to sit on the advisory board. Alexander comes to this job having served as a CISO and a CTO, and brings a whole lot of knowledge, scar tissue and excellence to the job. Alexander, thank you so much for joining us today.
3
00:00:02,000 –> 00:00:03,000
Aleksandr Yampolskiy [00:00:52]: Frank, it’s great to see you.
4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:00:54]: So I thought we’d start with the broader discussion around supply chain security, third party risk. You blink and you miss the latest incident of the day. And I thought, since you founded it in 2014, what recent events have changed the landscape and what does it mean from a companies perspective?
5
00:00:04,000 –> 00:00:05,000
Aleksandr Yampolskiy [00:01:18]: So supply chain risk is the new epidemic in cybersecurity. The world has become more and more interconnected. We rely on each other, we rely on products, technology, software made by thousands of different companies from all over the world. So it means that the attack surface became exponentially more complex. And it’s no longer enough to protect your own infrastructure. Companies would spend millions and millions of dollars protecting their infrastructure. And then they would send the paperwork to an audit firm. The audit firm gets hacked and the hackers get in. So 65% of data breaches today happen through use of a third party.
6
00:00:05,000 –> 00:00:06,000
Aleksandr Yampolskiy [00:02:08]: Hackers go after one weak link. Could be, by the way, technology by a cybersecurity company, since it’s used by many customers. And then they would use that door that they created, that back door that they created to go break into thousands of customers. And so that’s why 65% of our data breaches today happen due to a break in into a third party. So it became a big epidemic. And a lot of the companies are still very focused on protecting themselves, but they don’t put the proper diligence controls on other companies that they invest in, do business with, consider for M and A transactions. So it’s only going to get worse.
7
00:00:06,000 –> 00:00:07,000
Frank Cilluffo [00:02:49]: And 65%, those are big numbers. And if I’m not mistaken, Security Scorecard has majority of the Fortune 100. So you’ve got a lot of data, and I’d be curious where you see the most significant vulnerabilities today.
8
00:00:07,000 –> 00:00:08,000
Aleksandr Yampolskiy [00:03:06]: Yeah. So 70% plus of Fortune 100 companies use Security Scorecard, eight of the top 10 banks, most of the insurance companies, healthcare companies rely on us to make more informed, data driven decisions. I think if we look at the vulnerabilities today as it relates to third party risk, if you look at the well funded and regulated sectors, usually they’re in a fairly good shape. So financial services, healthcare, technology, companies in those sectors have a lot of money to spend. Companies in the legal, education and often government sectors, they have, you know, they usually don’t have as good cybersecurity resilience. Some of the trends that we’re observing in supply chain risk, first of all, you have a lot of systemic concentrated risk. 90% of the global attack surface is comprised of products made by only 150 companies.
9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo [00:04:07]: Wow. 90%.
10
00:00:09,000 –> 00:00:10,000
Aleksandr Yampolskiy [00:04:08]: 90%. We’ve experienced Amazon outage just recently. Wasn’t a cybersecurity vulnerability, but it was an example of how so many companies, Snapchat, airlines, Venmo and so on, they rely on AWS infrastructure. And so when the east region went out, we saw the domino effect of so many companies suffering outage. In cybersecurity, it’s the same. 150 companies’ products comprise 90% of a global attack surface. So if one of those companies gets compromised, all of a sudden you can compromise almost everybody. AI, it’s an overused term. Everybody talks about AI these days, but you have a lot of rush by companies, public sector, private sector, to adopt AI to improve efficiencies. And security happens to be an afterthought.
11
00:00:10,000 –> 00:00:11,000
Aleksandr Yampolskiy [00:05:07]: Just like when Internet was created initially, security was an afterthought. And that’s why a lot of the Internet infrastructure ended up being insecure and we had to come up with protocols to secure it. Afterwards, we’re seeing the same with AI. People are rushing to adopt it, use it, but cyber security is an afterthought.
12
00:00:11,000 –> 00:00:12,000
Frank Cilluffo [00:05:27]: You know, that’s a great point. I like to say our ability to network has far outpaced our ability to protect networks. If you go back to the origin and you’re seeing that same trend play out when it comes to AI, which there is great demand from shareholders, customers and the like to be able to push in that space. But I also think we’ve had a lot of discussions on this podcast on the red and the blue benefits and cons of AI and I want to pull that thread in a little bit. But before we do that, I also want to dig into, we’re talking third party, but what about fourth and fifth party dependencies? And you’re starting to see some real world consequences there as well, right?
13
00:00:12,000 –> 00:00:13,000
Aleksandr Yampolskiy [00:06:13]: Well, 100%. And to define what fourth and fifth party means for viewers and listeners who might not know it, so your third party is somebody that provides services to you, but then the company that provides services to you also uses third parties. And so you have this network graph of third, fourth, fifth, sixth dependencies. First of all, I think most companies aren’t even aware of who their fourth parties are.
14
00:00:13,000 –> 00:00:14,000
Frank Cilluffo [00:06:41]: Yeah, I think most aren’t.
15
00:00:14,000 –> 00:00:15,000
Aleksandr Yampolskiy [00:06:43]: Most aren’t. But as an example, let’s say you rely on 200 software providers to help you operate your business and all those 200 software providers are hosted in a cloud region that goes out. You got concentrated systemic risk where all of those fourth parties providers are in a cloud region or maybe they’re using a piece of software like a database or some other type of open source library, and that library has a big critical vulnerability, then all of a sudden 100 of your software providers relying on that are going to get hacked. So step one, I think step one to dealing with third and fourth parties is discovery. And a lot of the time when I talk to CEOs and CISOs of big banks, they don’t even know who the third parties are, which seems shocking because they pay money to those third parties. But information about the third parties is stored in different disparate systems, procurement systems, databases.
16
00:00:15,000 –> 00:00:16,000
Aleksandr Yampolskiy [00:07:44]: All these departments within a big company don’t talk to each other. There’s no single place. And fourth parties, the ways to discover it. For example, at Security Scorecard…
17
00:00:16,000 –> 00:00:17,000
Frank Cilluffo [00:07:56]: Yeah, I have trouble with third. Fourth, fifth gets, yeah.
18
00:00:17,000 –> 00:00:18,000
Aleksandr Yampolskiy [00:07:57]: If they’re having trouble with third, you definitely going to have trouble with fourth. But I think step one is awareness and discovery. We help with this information. A lot of the time actually, the ways to discover this information, let’s say you use an accountant and you look at the website of an accountant and they’re looking for a software developer which relies on an Oracle database. So you just discovered by looking at the website that they’re probably relying on an Oracle database because they’re looking to hire a person who knows the technology. So awareness and taxonomy and categorization is step one and having the proper governance processes. And to further add to the topic, Frank, that you mentioned, the use of shadow IT and now shadow AI is also a big third and fourth party risk, because you might have an employee working for a company, it’s not sanctioned, it’s not allowed.
19
00:00:18,000 –> 00:00:19,000
Aleksandr Yampolskiy [00:08:50]: But an employee takes general ledger or it takes some sensitive corporate information, uploads it to ChatGPT, or worse off, DeepSeek in China or somewhere else, gets a beautiful response, looks like a champion because he or she produced interesting information to their bosses. But then you just leaked sensitive information from a company and nobody knows about it.
20
00:00:19,000 –> 00:00:20,000
Frank Cilluffo [00:09:14]: And can you define shadow IT? And then, and I hadn’t really thought a whole lot about shadow AI, but that’s precisely what it is. I thought about the individual. But explain to our viewers what that actually is.
21
00:00:20,000 –> 00:00:21,000
Aleksandr Yampolskiy [00:09:29]: Yeah. So shadow IT are unsanctioned users because as part of the day to day employees in private and public sector they might just use an application or service because it’s convenient. It might not be sanctioned, but in order to transmit the file you can upload a document to Dropbox. And security team didn’t approve it, but somebody, but somebody still did it. Now all of a sudden you have a proliferation of data and information where you didn’t know. So we used to have shadow IT problems. I dealt with it as a chief security officer all the time because my marketing team would sign up for a service to help generate more revenue. Who is going to say no to more revenue? And they upload customer list and all of a sudden my customer list, which are my crown jewels, are stored in a system that’s not approved and not sanctioned.
22
00:00:21,000 –> 00:00:22,000
Aleksandr Yampolskiy [00:10:22]: And now shadow AI is the big risk as well. And shadow AI is somebody relying on AI tools which have not been vetted and approved by the cybersecurity team. Somebody might just generate the video clip and say, you know, I’m going to do a big marketing campaign in Indonesia. Can you come help me create a video for distribution of my product in Indonesia? Now if that application is not vetted and they had bad motives, you could conduct corporate espionage, for example, by discovering that you’re planning to expand in Indonesia. So there’s all kinds of risk implications.
23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo [00:11:04]: Absolutely. And again, most people are thinking at it from a convenience standpoint, just as they were with, but in a pre AI age, now it’s just grown exponentially. And that data is there, and, and, and all things said and done, that attack surface just grows further and further and further and further.
24
00:00:23,000 –> 00:00:24,000
Aleksandr Yampolskiy [00:11:26]: And I think it’s a, by the way, I think it’s a pretty typical adoption cycle. It happens not just on software, but it happens all over the world. You might have electric scooters all over the city and it’s convenient to get from point A to point B. But then people start driving carelessly, you start having accidents, you start having injuries, and all of a sudden you have oversight and regulations. Because something that was intended to be used on small scale, on small scale maybe it worked. But on big scale, on big scale you have unintended consequences. So now you gotta look at the scooters and have policies and governance around it. So the same with AI.
25
00:00:24,000 –> 00:00:25,000
Frank Cilluffo [00:12:07]: How about looking at risk through the lens of critical functions instead of the way we normally tend to look at it through company sectors and the like. And how do you feel that that plays out? Because you do have mass data to be able to get a rich picture that many entities don’t. Anything that we should be thinking about there in terms of critical functions, potential single point failures, aggregated risk and the like?
26
00:00:25,000 –> 00:00:26,000
Aleksandr Yampolskiy [00:12:34]: Absolutely. So as an example, you have trillions of commerce go through US ports, the ships.
27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:12:45]: We just did a major report on port security. Yeah.
28
00:00:27,000 –> 00:00:28,000
Aleksandr Yampolskiy [00:12:48]: The ships docking, undocking, merchandise being loaded, unloaded. Yet 80% of the cranes and the software operating the cranes in the US ports is made in China.
29
00:00:28,000 –> 00:00:29,000
Frank Cilluffo [00:12:59]: ZPMC.
30
00:00:29,000 –> 00:00:30,000
Aleksandr Yampolskiy [00:13:01]: Yeah, you got millions of lines of code. How sure are you that there’s no backdoor created by the Chinese where at the convenient time you can hit a button and detonate. You might have critical services in healthcare. How do we make sure? And the interesting part right now is if you observe at the trends on cybersecurity, which is both positive and negative, the boundaries between public and private sector have really thinned out. On the positive side, I think it’s fantastic because best cooperation happens through sharing the expertise, sharing the best practices.
31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo [00:13:43]: When you’re in the foxholes together. Yep, yep.
32
00:00:31,000 –> 00:00:32,000
Aleksandr Yampolskiy [00:13:46]: That’s the positive. We have information sharing ISACs in the United States, FS-ISAC, retail healthcare, you have government collaborating with the private sector. And the negative, if we observe at the trends, 25% of the attacks according to research and scorecard are hosted in infrastructure originating in China, 14% in Russia. So you almost 40% of infrastructure happening there. And furthermore, if you look at research that our team does, if you look at the telegram channels in Russia, you have tools and playbooks actively provided by the Russian government to private citizens where they say, hey, you know what, let’s go attack and train on American infrastructure and hospitals just to, just to make a statement. And all of a sudden those tools and the training and the materials actually being provided by the public sector to private hackers, security researchers. And it’s been very condoned and kind of, you know, maybe not openly praised, but being very condoned and allowed and permitted. So similarly for the attackers, I think the boundaries of public and private have blurred, which could be good and bad.
33
00:00:32,000 –> 00:00:33,000
Frank Cilluffo [00:15:04]: You know that is a trend we are seeing over and over and that’s the use of proxies. And it’s very difficult to know who’s the puppet, who’s the master sometimes. Sometimes it’s just for convenience. Literally, I won’t go after you if you help me here. Right? I mean it’s as simple as that. And other times it’s individuals moonlighting and they can share that information.
34
00:00:33,000 –> 00:00:34,000
Frank Cilluffo [00:15:27]: But that does get a little more difficult when you’re trying to name and shame state actors. And a good state actor is not going to send the muddy footprints back to the, to the Kremlin or to Pyongyang or Beijing or wherever it may be. So that does make, I think that we’ve gone light years ahead in terms of attribution, but it’s by no means 100%. And that’s going to get more and more complicated unless you know your system. I mean the old Sun Tzu know your, before you know your enemy you have to know yourself. And, and, and I still think there lot more work that needs to be done there. Right? I mean, and I’d like to take all of these great examples.
35
00:00:34,000 –> 00:00:35,000
Frank Cilluffo [00:16:13]: Is there a specific example from a third party risk perspective, an incident that, that brings to life what we’re talking about here?
36
00:00:35,000 –> 00:00:36,000
Aleksandr Yampolskiy [00:16:25]: Well, I think you have plenty of examples.
37
00:00:36,000 –> 00:00:37,000
Frank Cilluffo [00:16:28]: Unfortunately.
38
00:00:37,000 –> 00:00:38,000
Aleksandr Yampolskiy [00:16:29]: Unfortunately, you have plenty of examples of where third party vulnerability has been used to break into the environment. I mean the classical one which happened many, many years ago has been the Target data breach. That’s many years ago, but attackers broke into the Fazio HVAC, the air conditioning company.
39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:16:50]: Which is very sophisticated. Yeah, yeah.
40
00:00:39,000 –> 00:00:40,000
Aleksandr Yampolskiy [00:16:51]: Only a 20% company. And who would have thought, who would have thought that HVAC contractors would be, the compromise of the system would be the root cause of getting into the Target infrastructure. But they weren’t properly segregated from the Target infrastructure. We also see in, I mean we’ve seen a lot of attempts with a business email compromise where somebody might go break into the supplier providing services to a company and then they would use the infrastructure to email the company that they provide services for and say hey can you please wire $500,000 or a million. We’re seeing that happen increasingly frequently. We’re beginning to see software packages being compromised, not just companies infrastructure, but now we’re seeing software packages and libraries commonly used by many entities compromised. And then all of a sudden it’s being used.
41
00:00:40,000 –> 00:00:41,000
Aleksandr Yampolskiy [00:17:49]: We’ve seen some attempts where people from North Korea would try to get employment maliciously in a legitimate cybersecurity company or software company, start working there, then put changes in the code, try to commit the code, make it go unnoticed. But now you planted the back door in the code that’s being used by millions and millions of people.
42
00:00:41,000 –> 00:00:42,000
Frank Cilluffo [00:18:12]: And that’s a real issue. I think some people say, hey, how can we be hiring? But the truth is…
43
00:00:42,000 –> 00:00:43,000
Aleksandr Yampolskiy [00:18:19]: We’ve observed it at Security Scorecard ourselves.
44
00:00:43,000 –> 00:00:44,000
Frank Cilluffo [00:18:22]: Oh, really?
45
00:00:44,000 –> 00:00:45,000
Aleksandr Yampolskiy [00:18:22]:
46
00:00:45,000 –> 00:00:46,000
We’ve observed it ourselves.
47
00:00:46,000 –> 00:00:47,000
Frank Cilluffo [00:18:24]: They’re applying for jobs.
48
00:00:47,000 –> 00:00:48,000
Aleksandr Yampolskiy [00:18:27]: We had a recruiter reach out to some of our developers and then offer to double their salary. And it looks like a legitimate hedge fund or a legitimate company. When you get on a Zoom interview, they ask you to check out a piece of source code on GitHub to test your testing skills. And then that piece of source code, which our team analyzed connects to the infrastructure which has fingerprint of North Korea, North Korea army. And so, but it looks completely legitimate. You have a social presence of a legitimate financial firm. They’re offering to double the salary which people…
49
00:00:48,000 –> 00:00:49,000
Frank Cilluffo [00:19:06]: Will take up.
50
00:00:49,000 –> 00:00:50,000
Aleksandr Yampolskiy [00:19:09]: Which a lot of people will take up and go interview. And we’ve seen the sophisticated attempts to go target us and also other cybersecurity companies. When I spoke to other CISOs at major…
51
00:00:50,000 –> 00:00:51,000
Frank Cilluffo [00:19:21]: Yep.
52
00:00:51,000 –> 00:00:52,000
Aleksandr Yampolskiy [00:19:21]: Banks, institutions, everybody experiences it and it gets more and more sophisticated.
53
00:00:52,000 –> 00:00:53,000
Frank Cilluffo [00:19:26]: And if you think about it, then you have an insider who’s physically there. So that changes the ball game entirely. You don’t even have to break into a system. So that is a frightening and discerning threat trend. And I mean just the whole physical cyber world is converging so quickly, whether it’s even, OT environment is now getting netted by IIoT devices and the like, and it’s happening really fast.
54
00:00:53,000 –> 00:00:54,000
Aleksandr Yampolskiy [00:19:55]: And I think the hard part is it’s very difficult to discover the existence of this vulnerabilities or backdoors, both in software. But I also envision a future where you might have similar type of stuff in AI because if you look at large language models, you train on huge sets of data, right? You take the contents of Reddit, the contents of Wikipedia, news articles, and you train. And so you create this huge neural network where the job of that network is to predict the next token effectively in a sentence. But if you train it on biased or poisoned data, where 99.9% of the time it works fine, but then that 0.01%, if you put, if you put in the right the right prompt, which nobody knows about, and you say, hey, can you do this and this and this? All of a sudden the system dramatically malfunctions. How do you even detect that to begin with?
55
00:00:54,000 –> 00:00:55,000
Frank Cilluffo [00:20:48]: And you’ll never detect that. Exactly. That’s a great point.
56
00:00:55,000 –> 00:00:56,000
Aleksandr Yampolskiy [00:20:51]: Because the system is already trained. You only have the weights in the neural network, so you don’t know what malicious data it was trained in. And a lot of the time the systems are missing explainability as part of the process. Explain how you arrived at that output.
57
00:00:56,000 –> 00:00:57,000
Frank Cilluffo [00:21:05]: And then what triggers that. That’s a great point. And I think that gets lost on some people why, let’s pick on the People’s Republic of China, while they’re vacuuming everything. It is really to train their LLMs. Data is invaluable. It’s not always discriminate and discreet. It can be, but it can also be used to train their models. Right?
58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo [00:21:25]: I think that’s part of the game that we’re dealing with today. And like you said, if you can get it into the source code in the very beginning, game over when it really matters. I want to get to a little bit of oversight and governance and what should organizations, I mean they do a lot of self evaluating in terms of security questionnaires, what could or should companies be doing to truly get serious about their third party risk?
59
00:00:58,000 –> 00:00:59,000
Aleksandr Yampolskiy [00:22:00]: Yeah, so first of all, I’m a big believer in writing things down. You need to have a policy. You need to have a policy and you need to do tabletop simulations.
60
00:00:59,000 –> 00:01:00,000
Frank Cilluffo [00:22:13]: Big mistakes when it doesn’t matter, Right?
61
00:01:00,000 –> 00:01:01,000
Aleksandr Yampolskiy [00:22:15]: Like, just pretend that one of your suppliers, one of your third parties got hacked, your information is stolen, what do you do? Just like, when is the last time you conducted that disaster preparedness simulation? Write down your policy. How do you determine who is your tier 1, tier 2, tier 3 supplier based on criticality of the data? How do you make sure you make it a continuous process? A lot of companies do one off assessments where they use pen and paper questionnaires which are manual subjective. They put a rubber stamp of approval. They say, hey, I comply with the New York DFS regulations or other type of government regulations and they forget about it. They put that questionnaire on a shelf and it collects dust. You need to make third party risk management a continuous process. You need to continue.
62
00:01:01,000 –> 00:01:02,000
Frank Cilluffo [00:23:05]: How do you do that?
63
00:01:02,000 –> 00:01:03,000
Aleksandr Yampolskiy [00:23:06]: So the way you do it is you need to get first of all what you can’t measure, you can’t improve. You need to have objective trusted KPIs of how you’re going to stack rank your suppliers in cybersecurity. Just like you have credit scores provided by companies like S and P, Fitch and others to decide if a financial instrument is trustworthy. So Security Scorecard is in the business of providing such scores. And it’s a quick way to stack rank to know where you pay your attention. So you’re going to know here my top 10%, which are in worst shape. I need to talk to them, I need to engage with them. So you need to continuously measure it.
64
00:01:03,000 –> 00:01:04,000
Aleksandr Yampolskiy [00:23:45]: Number two, a lot of the time, companies do a decent job finding out who their third parties are, figuring out how to stack rank them using threat intelligence and other data feeds that come in. But where they fall short is now what? How do you actually communicate with them? How do you engage with your suppliers? And so that’s the critical piece about supply chain detection response. You need to have a robust program where you don’t just detect, but you also respond. You collaborate with your suppliers proactively, you improve the security of your infrastructure collectively. And so the best way to do it is you also compare notes with your peers. I think some of the best ideas come out of talking to other CEOs, CISOs of companies in the same industry. But if I were to give three recommendations, number one, have a documented robust policy.
65
00:01:04,000 –> 00:01:05,000
Aleksandr Yampolskiy [00:24:32]: Number two, make sure you use objective trusted KPIs where you measure and quantify risk. And then the third one, it’s not just about measuring, but figure out how you’re going to collaborate and communicate with your suppliers.
66
00:01:05,000 –> 00:01:06,000
Frank Cilluffo [00:24:46]: So, so there are a number of frameworks coming out, and we have a separate task force we’re leading with the US Chamber of Commerce looking at regulatory harmonization and syncing all of that up. I’d be curious what your thoughts are. You’ve sort of got NIST 2.0, you’ve got Dora, you’ve got SEC. How do you make sure you don’t, you are actually measuring what matters and not just having that document that goes on the shelf. And you’re also not duplicating efforts or sometimes complicating and competing. How does one go about doing that with all these frameworks? And is there one that you love in terms of the frameworks?
67
00:01:06,000 –> 00:01:07,000
Aleksandr Yampolskiy [00:25:28]: So I think compliance and cybersecurity, they overlap.
68
00:01:07,000 –> 00:01:08,000
Frank Cilluffo [00:25:34]: But they’re not the same, right?
69
00:01:08,000 –> 00:01:09,000
Aleksandr Yampolskiy [00:25:35]: But they’re not the same. I look at it as a Venn diagram where you have two circles overlap, but they’re also different. You can be fully compliant with all the regulations, but not secure, or you could be really secure but not compliant with all the regulations. I’ve actually discovered that at Guild Group when I was a chief security officer, we were PCI DSS compliant because we processed hundreds of millions of transactions and we worked with auditors to validate our compliance. And one day we signed up for a fraud mitigation solution. We started integrating with it and discovered unencrypted credit card data belonging to other customers. And so we were compliant with PCI DSS but because of a third party, because of a third party vulnerability, we definitely weren’t secure. And that kind of gave birth to the idea of Security Scorecard, where we help companies measure and quantify risk. I think, I think compliance…
70
00:01:09,000 –> 00:01:10,000
Frank Cilluffo [00:26:36]: Great story by the way.
71
00:01:10,000 –> 00:01:11,000
Aleksandr Yampolskiy [00:26:38]: I think compliance is a big ally for any chief risk officer or chief security officer because it makes it easy to justify budget. A lot of the time if you just go to CEO or CFO and say I need this and this tool to become more secure, the answer is no. When everybody’s trying to reduce the budgets, I think compliance can be a great driver to justify budget. But also if you look at a lot of frameworks, there’s a lot of really good foundation. I think I’m a big fan of what NY DFS is doing.
72
00:01:11,000 –> 00:01:12,000
Frank Cilluffo [00:27:08]: Okay.
73
00:01:12,000 –> 00:01:13,000
Aleksandr Yampolskiy [00:27:11]: I think you have a lot of good solid advice in ISO 27001 framework. But the analogy to use is I do think we need to have regulation for minimum bar standard in cybersecurity. If you go to store and you’re looking at the, and you’re looking to buy groceries, you have an expiration date on a box of milk because you don’t want to buy expired milk, right? But just because you got an expiration date on a box of milk and ingredients, maybe it’s a firm, maybe, maybe it’s like a new brand of milk and it’s just not going to taste very well. Like it’s going to be, it’s just not going to be your favorite milk. So the same I think with compliance and cybersecurity, you need to have some type of expiration date. Like what’s the minimum standard that everybody needs to meet? You have some basics that are non negotiable, like multi factor authentication. You need to deploy multi factor authentication.
74
00:01:13,000 –> 00:01:14,000
Aleksandr Yampolskiy [00:28:14]: You need to patch your systems on time. And a lot of companies don’t even do that. So we have that minimum standard. Still doesn’t guarantee full security. But again, I think if we just raise the bar collectively.
75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo [00:28:23]: Boats do rise. Yeah. You know, I’m almost, I remember we used to have a sell by date and an expiration date in terms of milk. So just because, but I do think getting to the very basics, boats do rise, and then you can focus a little better. Right?
76
00:01:15,000 –> 00:01:16,000
Aleksandr Yampolskiy [00:28:42]: And I also think, by the way, some industries like insurance industry can be great catalyst for better cybersecurity because they can determine how much premium you pay. So if you have better security controls, you pay lower premium. And so I think these financial incentives, just like when you have a better S and P credit score, you might get lower rates on the loan. I think we need similar concept on cybersecurity. But it’s, you know, there’s a term that people use a lot about global cyber inequity. We’ve done research on countries and unsurprisingly countries with a bigger GDP, they have better security hygiene. If you have more money to spend, you’re going to have better security hygiene. Similarly, big banks, big technology firms, they’re going to be by default much more secure.
77
00:01:16,000 –> 00:01:17,000
Aleksandr Yampolskiy [00:29:40]: The problem is we’re all interconnected and you might have a 20 person, 40 person firm that’s an ingredient and used by Department of Defense. And then all of a sudden they don’t have the resources. So you have this global cyber inequity, but you got this interconnectivity issues. And so we need to really collectively come together as a community and raise the collective security hygiene.
78
00:01:17,000 –> 00:01:18,000
Frank Cilluffo [00:30:04]: Well said, well said. And I’d be curious, in terms of third party oversight pro, where do things fall down? Where have you seen, you mentioned communications, which I think is a good one. How do you actually engage then with your third party? And I’ve been a little bit of a grump and in, a big proponent of some of our policies like SBOM, which does bill, but, but that’s an analog solution to a digital world. Where do you see things breaking down? And I don’t want to lead the witness here. Anything come to mind?
79
00:01:18,000 –> 00:01:19,000
Aleksandr Yampolskiy [00:30:39]: I think there’s a number of breakdowns that happen with third party risk management. The first breakdown is just not knowing. You’d be surprised how many companies are still using pen and paper questionnaires and not doing anything. You go to them and you say, you know, we need to first get our internal house in order so we don’t care about third parties. So it’s not even prioritized. I think that’s where it falls down. That’s number one. Number two, another common fallacy that I hear from people is we’re only going to look at our top 50 critical suppliers, but we’re not going to look at all the other 10,000.
80
00:01:19,000 –> 00:01:20,000
Aleksandr Yampolskiy [00:31:15]: But how do you know that you’re…
81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo [00:31:19]: Who would have put HVAC on any of that top 50? Right?
82
00:01:21,000 –> 00:01:22,000
Aleksandr Yampolskiy [00:31:22]: And then the third is people do busy work but not focus on outcomes. You come up with a third party policy, you start using security ratings, threat intelligence and you feel like you’re doing busy work, sending out security rating reports, questionnaires, putting a rubber stamp, but you’re not focused on outcomes. Like how do you really drive SLA backed outcomes for your supply chain? Which is what we do with our max offering and Security Scorecard, we actually guarantee risk reduction. I think this actually this, this advice of like not being busy and focusing.
83
00:01:22,000 –> 00:01:23,000
Frank Cilluffo [00:32:03]: Is much more than just cybersecurity.
84
00:01:23,000 –> 00:01:24,000
Aleksandr Yampolskiy [00:32:04]: It’s actually much more than just cyber.
85
00:01:24,000 –> 00:01:25,000
Frank Cilluffo [00:32:05]: Exactly.
86
00:01:25,000 –> 00:01:26,000
Aleksandr Yampolskiy [00:32:06]: Like a lot of the time we go on our day we do stuff and like, oh, you know, I was really busy, and like I need to do this and I need to do that. But what’s the outcome? If you step back, like, how are you really moving the ball forward?
87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:32:18]: That is so true. You mentioned sort of how a chief risk officer or chief security officer or information security, how do we build the business case? How does the CISO go into the C suite? I think every Fortune 100 board is now aware that cyber matters and they’re being measured to one extent or another against getting things done. But how do you build that business case?
88
00:01:27,000 –> 00:01:28,000
Aleksandr Yampolskiy [00:32:46]: A company has to prioritize cyber. You have to give room to chief security officer to present at the audit and risk committee. By talking at the board level with the CEO and the board about cyber, you already make cyber more important by giving it, if the CEO knows that the board is looking at the cyber reports, the CEO is going to give the proper funding and the back end to the CSO. It’s also important for CIOs and CISOs to be seen as business stakeholders.
89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo [00:33:18]: Exactly. Not just cost centers.
90
00:01:29,000 –> 00:01:30,000
Aleksandr Yampolskiy [00:33:19]:And not just people who talk about, and not just people who talk about technical details. So it’s the onus is on a CISO to explain things in understandable terms. What’s the dollar impact? And the final piece is just like there’s an onus and the CISO, there’s also onus on the board members to be technology literate. If you go ask a typical board member, like in the middle of a board meeting, you raise a question and say, hey, like Alex, what’s EBITDA? You might get a tap on your shoulder at a coffee break and I’m going to say, Frank, what’s going on? You don’t know what EBITDA is in P and L.
91
00:01:30,000 –> 00:01:31,000
Frank Cilluffo [00:34:01]: Yeah, yeah.
92
00:01:31,000 –> 00:01:32,000
Aleksandr Yampolskiy [00:34:02]: Look, it’s expected that the board member has financial literacy, but if you raise a hand and say, what’s a denial of service attack, that’s perfectly normal. So I think there’s an onus also on the board members to educate themselves and to be technically up to speed.
93
00:01:32,000 –> 00:01:33,000
Frank Cilluffo [00:34:18]: Absolutely.
94
00:01:33,000 –> 00:01:34,000
Aleksandr Yampolskiy [00:34:18]: And also an onus…
95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:34:20]: Or at least ask the right question.
96
00:01:35,000 –> 00:01:36,000
Aleksandr Yampolskiy [00:34:21]: Or at least ask the right questions. And on a CISO to be a true business partner, not just a person who says no, but how are you going to move the business forward while keeping it safe?
97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:34:31]: Well said. And I think we’ve seen progress in terms of board. Firstly, the demographic age has gone down and there are a little more digital natives, A and B, I think most successful CISOs can incorporate what they do every day into why a business can be successful. But easier said than done. Right? And, and it’s sort of, I call it talk and squawk, meet, beep and squeak.
98
00:01:37,000 –> 00:01:38,000
Frank Cilluffo [00:34:56]: You got to get both of them together. Alex, the tyranny of time requires I be a bit of a tyrant here and, and shut us down. But what questions didn’t I ask that I should have? What should our viewers, listeners and others be thinking about?
99
00:01:38,000 –> 00:01:39,000
Aleksandr Yampolskiy [00:35:12]: I think a good question to ask is, it’s always hard to prognosticate, right? It’s always hard to prognosticate. But I would say, what are the two things that excite me and what are the two things that concern me about the cyber future? I would say the things that concern me, that we need to spend more time, number one, I do think we’re rushing to adopt AI. How do we make sure we do it with a proper guardrails? That’s really part one, and I think the second part that concerns me as we spoke at length here, is the fourth party and the fifth party risk. We had a good short dialogue where we said a lot of companies don’t even know about third parties. Fourth parties and fifth parties are going to be even more dangerous. And then the things that excite me.
100
00:01:39,000 –> 00:01:40,000
Aleksandr Yampolskiy [00:36:03]: There’s so many things that excite me. I think the collaboration between public and private sector right now is better than ever on cybersecurity. And the second thing that excites me, I also think AI will be a force of good, where we’re going to be able to automate a lot of the boring tasks. We used to have no data in cyber, now we have too much data. So you can’t find a needle in a haystack. I do think by applying AI and automation, you’ll be able to find that needle in a haystack and respond to incidents and events faster.
101
00:01:40,000 –> 00:01:41,000
Frank Cilluffo [00:36:35]: Absolutely. Very well said. I love to quote Yogi Berra who said, the future ain’t what it used to be. Truth is the best way to predict the future is to shape it. Thank you for shaping that future. Thank you for trying to advance our efforts forward. And thank you for joining us today, Alex. Thank you.
102
00:01:41,000 –> 00:01:42,000
Aleksandr Yampolskiy [00:36:53]: Thank you, Frank.
103
00:01:42,000 –> 00:01:43,000
Frank Cilluffo [00:36:53]: Thank you. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.