The Illusion of Control: Cybersecurity, AI and the Risks Beneath the Surface
The Financial Executives Edge · 2026-06-22 · 37 min
Substance score
52 / 100
Five dimensions, 20 points each
This episode explores the gap between perceived and actual cyber resilience, focusing on how organizations often misallocate cybersecurity spending on high-profile threats rather than data-driven priorities, and how AI is amplifying both attack sophistication and organizational vulnerabilities. Host Lynn Gargano interviews Kip Boyle of Cyber Risk Opportunities about why compliance checklists create false confidence, what the 12 most effective controls actually are based on insurance claims data, and why cyber insurance alone cannot provide true resilience.
Key takeaways
- Organizations misallocate cybersecurity budgets toward headline threats rather than the controls that actually reduce losses, as revealed by Marsh insurance claims data showing network hardening, endpoint protection, and logging as the top three priorities.
- Recovery speed from cyber incidents is more critical to resilience than tool sophistication, yet most organizations lack integration of disaster recovery, business continuity, and backup capabilities across departments.
- Multi-factor authentication, despite industry guidance, ranks only sixth in effectiveness according to claims data because attackers have found ways to circumvent it, requiring dynamic risk allocation rather than static compliance frameworks.
- Cyber insurance creates dangerous false confidence since it only provides financial recovery, not operational resilience, and often contains sublimits, infrastructure exclusions, and AI coverage gaps that organizations don't understand before claims occur.
- AI introduces probabilistic rather than deterministic systems that organizations have never governed before, arriving unplanned through the organization like "a flood through the floorboards" and requiring rethinking of assumptions embedded in controls and employee behaviors.
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
There are genuinely useful, practitioner-grounded points - particularly the misallocation vs. underinvestment reframe, the Marsh claims-data hierarchy, and the insurance sublimit trap - but roughly half the episode is filler, book promotion, and restatements of the conversation's own themes.
it's really not a question of under investing, it's really a question of misallocation
a data backup that you've never tested, that you've never actually tried to restore from a data backup, is almost the very definition of a false sense of security these days
Originality
A few fresh framings stand out - treating MFA's fall from #1 to #6 as evidence that compliance frameworks decay, and framing AI as ungovernable because it is probabilistic, not deterministic - but most of the episode recycles standard cyber-hygiene advice dressed up in resilience language.
AI is what they call a process probabilistic system, not a deterministic one... we've never governed systems like that before
It's because they're not trained correctly or they've been emotionally manipulated by outsiders... that's what phishing really is at the end of the day... emotional manipulation from a distance
Guest Caliber
Boyle is a genuine 20-year practitioner with live incident-response and insurance-claims experience, which shows in his concrete examples; however, he is a small-firm consultant and spends significant airtime promoting two forthcoming books rather than demonstrating scale-level operational depth.
I've been working with uh, people to get their cyber, uh, resilience going for uh, almost 20 years now
I just was doing a phishing, um, incident response with a customer of ours, and there were several missteps
Specificity & Evidence
The episode earns its specificity marks through the named Marsh report, the explicit ranking of 12 controls with the top three named and MFA's slide to #6 explained causally, and the vivid $5M-policy/$500K-sublimit illustration; it loses points for never citing actual loss statistics from the Marsh data or naming any breached companies.
if you've got, let's say, a $5 million policy, but it's got a $500,000 ransomware sub limit, then what you really have is a half million dollar ransomware policy
Network hardening is first... The second one is Endpoint protection... Then the third one is logging... Multi factor authentication, um, falls to number six
Conversational Craft
The host occasionally makes intelligent connective leaps - linking infrastructure exclusions to AI data-centre risk is genuinely sharp - but she never challenges a claim, allows extended book promotion without redirection, and frequently poses leading questions that effectively answer themselves before the guest responds.
And that directly correlates with AI. AI infrastructure data centers. Right. You can't have one without the other. So if there are infrastructure exclusions, that has a whole other set of connotations with respect to AI risk
could it be possible that the greatest risk in this age of AI is really the assumptions that we're making or the questions that we're not asking versus the risk of external attacks?
Conversation analysis
Computed from the transcript - who did the talking, and the verbal tics along the way.
Share of words spoken
- Speaker C: 77%
- Speaker B: 19%
- Speaker A: 3%
Episode notes
The conversation around cybersecurity and AI is often dominated by visible threats: ransomware, phishing attacks, data breaches, and the race to deploy more advanced tools. But some of the most significant risks organizations face today are not the ones making headlines. They are the hidden structural weaknesses quietly building beneath the surface of modern enterprises. In this episode, we explore cybersecurity through a lens that is often overlooked: the growing disconnects between where organizations believe risk exists and where exposure is actually building. As AI rapidly transforms cybersecurity from a reactive function into a predictive and highly automated discipline, organizations are gaining extraordinary capabilities. Yet AI is also amplifying complexity faster than many organizations can govern it. Sophisticated dashboards, automated alerts, compliance certifications, and expanding security stacks can create the appearance of resilience while masking fragmented data, weak operational readiness, unclear accountability, vendor dependencies, and decision-making bottlenecks. At the same time, many organizations may be asking the wrong question altogether.
Full transcript
37 min · Transcribed and scored by The B2B Podcast Index.
Speaker A: Mm, welcome to the Financial Executive's Edge, a production of the Financial Executives Journal. Here, finance meets bold leadership. Join us for sharp insights, uh, unfiltered conversations and practical strategies to elevate your thinking, drive change, grow your impact, and empower your career. Uh, this isn't just insight. It's your edge. The Financial Executive's Edge. This episode is brought to you by Cyber Risk Opportunities. We help leaders turn cybersecurity from a guessing game into a clear set of decisions grounded in real data so you spend on what actually reduces cyber risk. Learn more at cr map.com. Welcome, um, to the Financial Executive's Edge.
Speaker B: Today's podcast centers around the illusion of control, AI, cybersecurity, and the risk beneath the surface. I am Lynn Gargano, your host and moderator for the Financial Executives Edge and editor for the Financial Executives Journal. In this episode, we explore the growing gap between perceived cyber resilience and actual resilience. We'll discuss how AI is reshaping cybersecurity, why organizations may be asking the wrong questions about risk, and whether the greatest vulnerabilities in the years ahead will not come from external attackers, but from assumptions leaders never realized that they were making. Joining us today is Kip Boyle, Cyber Risk CEO and advisor at Cyber Risk Opportunities LLC and the author of Fire Doesn't Innovate: The Executive's Practical Guide to Thriving in the Face of Evolving Cyber Risk. Kip brings a unique perspective on cybersecurity, organizational resilience, governance, and the hidden risks that often go unnoticed until it's too late. So I'm looking forward to today's conversation. Thanks for joining us today, Kip.
Speaker C: You're welcome, Lynn. I'm really glad to be here with everyone.
Speaker B: So why don't we jump right in and start with how people think about cybersecurity? We often equate cybersecurity to visible threats like ransomware, phishing attacks, um, and data breaches. But, Kip, what do you think we're really missing in the way we think about cybersecurity? And what risks do you believe organizations are still overlooking?
Speaker C: Yeah, you're right. First of all, that the headline threats are the ones that really everyone watches. And it makes sense because we watch the headlines for all kinds of risks, whether it's, uh, a currency hedge or a, uh, labor disruption, whatever it is. Right. So that's reasonable that people would do that. But when you put all your attention there or most of your attention there, then what happens is that you do overlook some things. And in my work, what I see is that we really need to look at the data in order to come up with a really effective cyber risk management strategy. We just can't let the headlines completely drive our decisions. But to put a finer point on it, it's really not a question of under investing, it's really a question of misallocation. Uh, in other words, what I see a lot of people do is they put their money against the loudest threats that they are hearing about. Right? Not necessarily the ones that are causing the real losses. And the one thing in particular that I don't find people paying enough attention to is how fast can you recover? So people are watching about the attack, uh, and they read about attacks on other people, but they kind of stop. They don't go far enough. What they really need to do is say, well, if that happened to me, could I keep my business running during the attack? And if I can't, how fast can I get back to business? I think it's this gap that is under the surface. And so just, again, it's not about underinvestment, it's really about allocation.
Speaker B: So on that point. So there's a lot of organizations that spend a lot of money in cybersecurity and technology. Do you think that organizations are mistaking some of the technological sophistication within the organization for actual resilience? You're referring to going after the things that sound the loudest. Right. But it's not often that. It's some. It's often the little things or the assumptions that we're making that could be a little bit misleading. And on top of that, do you feel that AI has amplified this illusion of control? Is it adding to kind of some of the noise?
Speaker C: Yes, I'm absolutely seeing this. There's a lot of, uh, current customers and the people I talk to that are not customers, um, that are feeling disoriented about AI and they're unsure what to do about it. And it's almost like you're watching the train leave the station and you're like, I should be on that train, but it's already rolling. Um, you know, what do I do? But I think there is a trap, right? More cybersecurity tools, more sophisticated tech stacks. Absolutely. Feels like more control, and to some extent it probably is. But when it comes to resilience, Right. Real cyber resilience, it's really not about the amount of tools or the types of tools. It really is about how fast can you find gaps and close them and again, have that recovery capability? Because one of the things that AI is absolutely doing is it's making the attackers faster and more sophisticated. They're faster at finding the weak spot, not just in your technology, but in your people. And they can do a better job of exploiting that when they find it. And so it's that speed, uh, in particular, I think, that is going to be coming at us soon that we really have to figure out what to do about. In fact, I would go so far as to say that speed in defense is the new firewall to that point.
Speaker B: And I, uh, keep hearing resilience. Right. The resilience theme coming up here. And we talk about a lot of the reporting that's out there. And often a lot of organizations, especially financial institutions, have a lot of reporting tools and dashboards and compliance checklists.
Speaker C: Yeah.
Speaker B: Do you think that's creating a false sense of kind of confidence about actual resilience, um, around cybersecurity?
Speaker C: I do. Not everybody falls into that particular trap, but it's easy to sort of tell yourself, well, if I can check all the compliance boxes, then I'm okay. And we have to look at the definition of what "I'm okay" is. When you do that, you're definitely on solid ground when you say, I'm not going to have any audit findings, which nobody wants audit findings. So I get that. But do these boxes actually result in real cyber risk reduction? And I think that is really the issue that I would encourage people to ask themselves. Right. And even in the cybersecurity profession, um, we fall into this trap. So for 15 or more years, uh, the guidance about how to be cybersecure has come from compliance frameworks, and often ones that treat every control with an equal weight. Um, when we rightly say, well, probably that's not correct, we need to weight them. Some of these controls matter more than others to us, but it's difficult to know which one should get more weight. How do I figure that out? Well, the good news is that we now finally actually have something that can help us here, and it's claims data. Claims data can help us figure out what's most important in terms of managing our risk. And so, uh, Marsh is one of the world's biggest insurance brokers, and they have been publishing now for a few years a report about, based on data, what actually is causing the losses. And they're doing this across thousands of real cyber claims. And so in the report, you can see they have rank ordered based on sophisticated mathematical analysis, statistical analysis, which controls are actually worth investing in. And they've got them in a priority order so it's very, very straightforward, um, to know what you should be spending on. And I want to be clear, I mentioned Marsh, not because I'm affiliated with them. You know, I don't get anything for mentioning them on this, on the podcast here, but I just find their data to be so, so very, very helpful.
And I think it would be helpful to give an example. Um, and I think this one in particular surprises people. Right. Let's consider multi-factor authentication. So for several years now, auditors and the insurance people that you talk to probably are saying, like, hey, you got to get that MFA going. You got to get that turned on. You got to get that in place everywhere. And they're not wrong. However, when you look at the claims data, what you find is that's not the number one control that makes the difference. It's actually the number six control that makes a difference. Right. And it's not because it's unimportant, and it's because cyber is a dynamic risk. It's not a static risk. And what that means is it changes all the time. So MFA used to be number one a few years ago, but it's actually slipped. Why? Because the attackers have found ways to work around multi-factor authentication. They're attacking at different spots. And so how do you keep up with that? Right. Well, it's this data that really helps us, not headlines. And by the way, I also think it's important for me to say that a data backup that you've never tested, that you've never actually tried to restore from a data backup, is almost the very definition of a false sense of security these days.
Speaker B: So if you had to define resilience, we often think the speed at which an organization can bounce back from a cyber attack, but it goes beyond speed. It also involves the training of employees. It's just not on the technology side. It's the embedded assumption. So when an organization is developing their budget for cybersecurity spend and where to invest, how would you work in the definition of resilience and the questions that they should be asking when developing their budgets? Because they're often maybe not asking the right question.
Speaker C: Right? Yes. Um, and also I find that the people who are responsible for creating organizational resilience often don't report up to the same folks. Right. So you've got resilience in the form of disaster recovery, you've got it in the form of business continuity, you've got it in the form of data backups, all kinds of different things. But, um, they don't all work in the same organization or in the same departments in an organization. So it can be difficult to orchestrate all of that. And so there's a tendency to focus on functionality that's closest to me or that I understand the most. Um, but that's uh, not the most effective approach here. So um, I'm just going to go back to something that I was saying before which is rather than focus on functionality or uh, who do I trust, let's go to the data that tells us what actually works and then focus on allocation. And the Marsh data is very helpful because there are 12 controls that they have published and they say that these 12 controls lead to fewer breaches of all kinds. And so I would encourage people to grab that data and use it to guide their budgeting, to set aside the ways that they've been doing it, which can be difficult. Right. Uh, people, human beings are creatures of habit. I'm going to do this year's work next year, and here I am coming along saying hey, no, you should try something different. And so I recognize that can be a bit disruptive. But again cyber is a dynamic risk so you've got to change with it. There is no set it and forget it checklist. There's no real easy button here. I'm afraid that maybe I'm the one that's telling you that for the first time. I don't know. But it's really these 12 controls and I think it would be helpful if I actually, I've mentioned the 12 controls. But let me take a moment and tell you what the top three controls are. Okay. Network hardening is first and that includes things like installing security updates. The second one is endpoint protection.
And so that's like uh, endpoint, uh, response and uh, recovery, not just antivirus. This is something that's more than that. Then the third one is logging. In other words, are you making a record of what's happening on the different computers and the different uh, systems that are uh, operating in your organization and can you get to that data quickly when an incident occurs? As I said, multi-factor authentication, um, falls to number six. But that's relative. Right? All 12 are actually important. But when you're allocating money, you may not be able to afford to put a budget against all 12 in a given year. So you can be confident that if you work on the first and second and third and so forth that that is actually a great way to work the entire list. And uh, I'll stop messing around in the details here and just simply say I wrote a whole method that folks can turn to. And I've submitted it to your journal so when it gets published, your members can follow uh, the way we help our customers step by step and work through it.
Speaker B: Kip, you said something that was very interesting, uh, in the definition of resilience because you indicated that it could be defined very differently depending on what area or department that you're in. Which.
Speaker C: Yeah.
Speaker B: Which basically is an indication that there is not a full integration of the definition of resilience across an entire organization. And, and I can't help but think about, hey, how AI compounds that issue.
Speaker C: Mhm.
Speaker B: Because it introduces a whole new level of risk and it just magnifies or amplifies the, the risks around data breaches as well. Especially if you don't know how your employees are using AI or, or they may be using it off to the side. So when we think about these 12 controls, has that been kind of kept in mind, these 12 controls in the new age of AI?
Speaker C: Well that's a great question. And from my reading of the Marsh data, no, not yet. They're really focused on cyber resilience. And by the way, the best definition of cyber resilience that I can point people to right now is the NIST Cybersecurity Framework. Because it is a real framework in the sense that it contains no controls, you have to bring your own controls. But it's a top down framework that covers um, everything that's essential and it will touch all kinds of um, bits and parts of your organization. It'll cover not just your technological, uh, controls, but it'll also talk to the people, the process, the company policy. So I can highly recommend that if you want a single source of truth for what real resilience actually is, I would go there. But to your question about artificial intelligence, well, um, I'm glad you asked because it turns out that I've been working with uh, people to get their cyber, uh, resilience going for uh, almost 20 years now. And when ChatGPT first launched a couple of years ago, they started coming to me and saying what should we do about this? And I, and I said, well, you know, I'm glad you're asking me, but you know, why are you asking me? Because I'm sort of your cyber resilience person. And they said, well we just, you know, it's, this is risk and we really don't have anybody else that we can turn to to find out, you know, what we should do, what we should be doing about this. So uh, what I've noticed, Lynn, is that a lot of cyber, uh, security and cyber risk people have become kind of the AI risk people, just because there was this gap that needed to be filled. But let me say that, um, the reason I tell that story is because I've written a book. It's called Gears. Don't guess. It's going into final editing now as we speak. And that's exactly what my book, uh, is talking about, which is what exactly is this artificial intelligence?
What exactly is the risk that it's bringing to our organizations and how do we deal with it? AI is such a disruptive technology, and it's unlike any other disruptive technology that we've ever dealt with. And I could go back, and I won't because we're time limited, but I could go back and look at the major technological disruptions that we've uh, that we've gone through over the past 25, 30 years. And this one is different because we never actually submitted an order for it. We've never cut a PO for AI. It just sort of showed up. It kind of came up through the floorboards, if you will, like a flood. And we weren't really ready for it. And so, uh, that makes it really strange and unique. And the other thing that makes it strange and unique is that AI is what they call a process probabilistic system, not a deterministic one. And the simple way to say that is it's not a gear, right? A gear is something that you give it an input. It gives you the same output every single time. And so we're used to managing systems like that. Same input, same output. Of course, AI is not like that. We all know that if you put the same input into an AI system, you're going to get a different output every time. Sometimes it's just a little different, sometimes it's really different. And sometimes it's lying to us. We've never governed systems like that before. It's weird. So what do you do? Well, I cover all of this and more in my, in my new book. So, um, I don't even know where to begin to continue to break it down. I don't even know if we have time. But I just want to acknowledge that you're right. This is a new thing and we have got to figure it out.
Speaker B: It's definitely a bit of a double edged sword here. And I think we come full circle to thinking about the assumptions that organizations are making, just like it impacts the assumptions used in AI, right? So it's all kind of LinkedIn bio beware of the assumptions that are embedded.
Speaker C: Yeah, it's like I was saying in the beginning, if you just assume that the headlines contain all the information you need to assemble your budget, well, that's not quite right.
Speaker B: Exactly. Um, so when you think about organizations and ways that they could mitigate risk, um, a whole belts and suspender approach is looking to cyber insurance. But do you think that cyber insurance actually creates this false sense of security? Because in some instances organizations may be outsourcing some of the assumptions and if so, what should leaders, and in particular even CFOs really be assessing in some of these cyber insurance agreements? And do they?
Speaker C: Yeah. So there's a couple things going on here. The first is, am I relying too much on cyber insurance in order to be cyber resilient? That's one thing. Another thing is, are my policies actually good? That's a separate thing altogether. And then the third thing is, do I have coverage for AI? So let me take, let me take each of those in turn. Okay. So first of all, insurance is a form of risk transference as we know, but it doesn't really create the kind of resilience that we really need because resilience is about how fast can I get back into business. But that's not really what insurance is. Right? Insurance is actually just, I'm going to make you financially whole again. And that's not a fast process. Right? I mean it's not. And there can be a lot, I've worked on a lot of insurance claims for cyber issues and it can take a long, long time to get claims fully settled. And sometimes your claims in whole or in part are denied and you have to litigate. In the meantime, what's happening with your business? Right. So, um, that's one of the big issues and it's compounded with AI because of the speed and the sophistication of the attacks. And so, um, I hope people can realize that there's a real gap there and that if they're over relying on insurance, um, they really need to rethink that. Now I'm not saying that they shouldn't have insurance. I'm just saying be very clear eyed about what it can and cannot do. Now the second thing is, okay, do you have a quality policy? Right. So the first thing that you need to look at, I think, and I'm not an insurance broker, I'm not licensed to sell insurance or anything like that. So, um, this is just Kip, a practitioner who has seen, you know, quite a few things. Sublimits is the first thing you need to look at. If you've got, let's say, a $5 million policy, but it's got a $500,000 ransomware sublimit, then what you really have is a half million dollar ransomware policy.
And these days that's not going to get you very far. So you need to look at that. The second thing is that, uh, insurers have gotten much more sophisticated with exclusions and particularly around acts of war and infrastructure failures. So, for example, if you get an Amazon outage or something like that, your ISP goes down. Um, you know, there can be exclusions around things like that. So these are broadening over time. So if you haven't reviewed your language lately to really understand the exclusions, I would call your broker and I would walk it line by line and get super clear. And if they don't know what the answer is, get the carrier involved, possibly an attorney. I don't know how far you want to run this, but you really want to know what your exclusions are before you file the claim. And the third thing that I would recommend is the preconditions of coverage. This is a huge issue now. When you, uh, either apply for a policy or you, uh, submit a renewal, you're attesting that you have certain controls in place, like the multi-factor authentication, the endpoint protection, tested backups, that sort of thing. Well, what we're seeing is, is that first of all, if you say you have them and you never had them and you file a claim, that's going to cause a lot of trouble; your claim could be denied. Because if your claim's really big, they'll do an investigation and they'll find out whether, you know, you ever had those things. Also, you may have had them when you filed, uh, for the insurance or the renewal, but, but maybe it stopped working along the way somewhere. Well, that's no good either because they'll investigate and they'll find out that it wasn't in force when the breach happened and they could deny your claim based on that. Uh, there's a lot going on here. Okay. And then the AI, I don't think AI is a covered, uh, source of loss that you can use as the basis for a claim. I haven't seen that yet. Doesn't mean it's not out there.
But if you've got a policy and you've been renewing it and renewing it and renewing it, um, you need to go in and double check and find out, do I have any AI loss coverage. Do I need to get a different policy for that? Do I need to change carriers? I would absolutely recommend that people look at that now.
Speaker B: And you raised something that was very interesting that I, that I picked up on when you said it about exclusions. You said infrastructure exclusions. And that directly correlates with AI. AI infrastructure data centers. Right. You can't have one without the other. So if there are infrastructure exclusions, that has a whole other set of connotations with respect to AI risk because you have a risk of data breaches and the attackers are much smarter.
Speaker C: Yes. And there's a related issue too, which is fourth party cyber risk. I don't know if you've heard of that, Lynn, but, um, there was recently a, ah, big cyber breach involving a, ah, company that did web hosting and they published what happened. And it turned out that our third party had their own third party and that was the source of the breach and it was AI related. And so a lot of people who hired a third party ended up suffering because their third party made a misstep and dropped the ball. And so you got to ask yourself, do I have coverage for that?
Speaker B: Right. Because when you're looking at those controls that you have in place, how much of it is an outsourced control and is there protection with that third party, uh, for that particular process or system or aspect of your infrastructure? So it's all getting very sophisticated internally, but you also have to look externally.
Speaker C: I think that's right.
Speaker B: So when you think about some of the greatest risks, it almost sounds like when we think about everything that we're talking about and if we take a step back, that could it be possible that the greatest risk in this age of AI is really the assumptions that we're making or the questions that we're not asking versus the risk of external attacks?
Speaker C: Um, yeah, I mean, that's been a theme throughout our conversation today. Right. Is assumptions. Um, and I think one of the big assumptions that senior decision makers tend to make is, well, I really don't have to worry about my insiders. I just mostly need to worry about bad actors on the outside that are trying to mess with us. And I'm not going to say that it's untrue that external, uh, you know, actors are trying to mess with you. Of course that's what's going on. But some of the biggest risks that I see people are facing really come from the inside and not because people are bad or malicious. It's because they're not trained correctly or they've been emotionally manipulated by outsiders. And that's what phishing really is at the end of the day. Business email compromise, all that stuff. It's what I call emotional manipulation from a distance. And that's why, uh, it's so, so dangerous. And um, in fact, I just was doing a phishing, um, incident response with a customer of ours, and there were several missteps that they had made internally as they detected it, as they responded to it, as they thought that they had contained it. And there, um, were several missteps. Um, and what I said was, well, we need to do a no fault, uh, retrospective. Right? Uh, a, uh, no fault investigation. And the reason why I say that is because there were people who made mistakes, but not because they were bad and they didn't make those mistakes because they weren't trying hard enough. It's because they weren't set up for success completely. They weren't told, for example, what's the definition of contained? How do I know in an identity theft what containment really means? And they had missed some stuff. Uh, and so it's really important that we set people up for success, that we give them the right criteria, we give them the right procedures, uh, uh, and clear instructions and clear training. And AI, of course, is making this really interesting.
I'll give you an example from that same incident that we were running. The incident responder had some evidence, and they input it into Copilot and said, tell me about these IP addresses. Are they malicious? Are they known?
Speaker A: Malicious?
Speaker C: Are they known good? What are they? And Copilot came back and said, oh, I've resolved the addresses and they're coming from this organization. Well, that was a trusted organization, but that was a false positive, because the bigger context was, well, yeah, that was a trusted organization, but it had been compromised, right? So the AI didn't really give us a highly reliable answer, because it was guessing and it was lacking context. And the poor incident responder just didn't understand that. And part of that was, again, training. Part of it was, should we be using artificial intelligence as an aid to our data forensics, our digital forensics? When can we? When can't we? It all goes back to a lot of the things that I'm covering in my new book, Gears. Don't guess. So I guess to wrap it up, right, the attackers on the outside aren't the only issues in play here. We're governing machines that guess, which we've never done before. We have a lot of what we need to actually govern them well. But we have to kind of adjust our instincts a little bit and kind of realign ourselves a little bit.
Speaker B: Absolutely. And you can't forget the human-in-the-loop aspect, right? With AI, with cybersecurity, it's a huge part of the equation that is often overlooked, unfortunately. As we wrap up, I'd like to bring everything together with one final question. If a major cyber event were to happen today, how many organizations do you think would fail the organizational cybersecurity resilience test? And what do you think would surprise leaders most about the assumptions that they've made?
Speaker C: All right, so this is guesswork. I don't have any data to respond to your question with. I'm just telling you, hey, this is Kip, who's been a cybersecurity practitioner for over 20 years, and, you know, just responding from what I've seen. So on that basis, I'll say I think most organizations would be challenged to respond well, right? To not have a discontinuity of their business. I also think that they would struggle. That they would really struggle. And the surprise that I think would fall on them is where the failure came from. We continue to be surprised by the sources of failures. So, for example, a moment ago I said fourth-party risk. Well, I could also say supply chain exploitation. Why are we continually surprised? Is it because we're not proficient cyber risk managers? No, I don't think that's it. I think it's because cyber is a dynamic risk. It's always changing. We shore up one thing, the attackers stop trying to attack there, and they go someplace else. It's like a flood. Water always wants to go to the lowest point that it can find. And so we build levees, we build dams to control it. But it's constantly trying to find a new way to mess with us. And cyber is the same way. So it's hard to predict where the adversary is going to go next. And Marsh, when they publish their list, it changes every year, which is kind of annoying, because I just built my budget based on last year's list, and now you've just given me a different list. But that's not because they don't know what they're doing or we're bad risk managers. It's because this is just a very different type of risk. And you add the AI and then, guess what? Now our systems are very different types of systems. And so, you know, it's just all moving so quickly and we're all having to keep up. It's really hard to get ahead of this, but if you want to try to get ahead of it, then I can make some suggestions.
So the first suggestion is, get the Marsh report. Or if you're aware of another broker that has a similar report, that's fine. I don't know any other report that would be better at this stage, but probably there will be other ones out there that you could turn to. But go get the Marsh report to begin with. It's free. And then compare your current control set against what they're saying statistically are the controls that make the greatest difference. So do that. The second thing that I would do is I would go to your top three most critical vendors, and then I would check and see if they are doing a good job of fulfilling the requirements you set when you hired them. And if you didn't do a good job of explaining what your data security requirements were, then maybe you need to go back into your contracts and strengthen, you know, what your needs are. And then I think the third thing is go get your insurance policy, go get your cyber risk policy, and check it for all the things that we've talked about, right? So those are just three things that I would recommend. And I just want to point out none of that's technical, right? I didn't ask you to go check your firewall rule set. I didn't ask you to go and look at the bits and bytes in some other system, right? This is really budget hygiene. Have you allocated your budget to the right things? And this is a CFO function, if you ask me. Right. So I guess the last thing I'll say about this is that cyber attacks and cyber failures are a massive stress test on your business, and they reveal and amplify the cracks that are already there. And cyber attacks kill weaker companies faster. I've seen that over and over and over again. So if you're already dealing with some existential threat and a cyber attack comes along, that is the worst possible situation to be in. So I just want people to have the facts on that.
Speaker B: And that brings us to the end of "The Illusion of Control: AI, Cybersecurity and Risk Beneath the Surface." As we've discussed today, cybersecurity is becoming much more than a technology issue. And perhaps the most important lesson is that resilience isn't measured when everything is working as expected. It's revealed when assumptions are tested, systems are stressed, and decisions must be made under pressure. The illusion of control can be comforting, but resilience requires something much more difficult: the willingness to challenge assumptions, uncover hidden vulnerabilities, and ask questions before a crisis arrives. A special thank you to you, Kip, for sharing your insights and perspectives. And a thank you to our listeners for joining us today. Until next time, remember, the greatest risks are not always the threats you can see. They're often the vulnerabilities we never thought to question.
Speaker A: This episode is brought to you by Cyber Risk Opportunities. We help leaders turn cybersecurity from a guessing game into a clear set of decisions grounded in real data, so you spend on what actually reduces cyber risk. Learn more at cr map.com. Thanks for listening to The Financial Executive's Edge. If today's episode sparked new ideas or helped sharpen your perspective, be sure to follow and review us on your favorite podcast platform. You can also visit financialexecutivesjournal.com for more insights, articles and upcoming episodes. Until next time, stay sharp, stay strategic, and maintain your edge. The Financial Executive's Edge.
More from The Financial Executives Edge
All episodes →
- AI in Finance: Driving Insights, FP&A & Financial Governance (44 / 100)
- The AI-Enabled CFO: Governance, Data Integrity, Risk Oversight and Cybersecurity (42 / 100)
- The AI-Enabled CFO
- Vital Signs: Healthcare Trends, Challenges and Innovations
- Real Estate's Tipping Point: Housing, Mortgage Rates & Fed Policy