How to Respond to the New 'Fraud Universe'
Also: Social Media and Cybersecurity; Essential Skills for Today's CISO
The latest edition of the ISMG Security Report discusses how financial service organizations should respond to the new "fraud universe." It also shares how CISOs can incorporate social media into their threat intelligence programs and describes the skills required by today's security leaders.
In this report, you'll hear:
- Mastercard's Claire Le Gal discuss responding to the new "fraud universe";
- CISO Lester Godsey of Maricopa County, Arizona, share how he incorporates social media into his threat intel program;
- CISO Rob Hornbuckle of Allegiant Air describe the skills required to be a security leader today - and where to start.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the June 21 and June 28 editions, which respectively discuss how the Conti ransomware gang retooled after backing Moscow in the Russia-Ukraine war and why firewalls and VPNs don't belong in Zero Trust design.
Anna Delaney: Responding to the new fraud universe, and social media and the threat to cybersecurity: these stories and more on this week's ISMG Security Report.
Hello, I'm Anna Delaney. If we've learned anything from digital transformation, it's that fraud now comes in multiple forms across many different vectors simultaneously. Claire Le Gal, senior vice president of fraud intelligence, strategy and cyber products at MasterCard, refers to this new world as the new fraud universe. She spoke with Tom Field, senior vice president of editorial, at our recent Fraud Summit, about how financial service organizations should respond to this new fraud universe.
Claire Le Gal: We hear a lot about the Metaverse, so the fraud universe is what I'm talking about. The MasterCard world is based on payment cards, but we're more than that. We have to think of risk in all these multilayers. There is digital risk, cyber risk, financial risk, systemic risk, and I don't think any of us pay for it in the business of reducing risk, managing risk. We can do that without looking at all these different layers, which include cybersecurity. This is no longer just the purview of an information security organization, or chief information security officer. These guys are critical and important in protecting their own perimeter, domain and company, but if you're a professional responsible for managing risk or fraud for your customers, you have to look beyond those perimeters and try to figure out how tools that are used to secure your company's perimeter can be used to try to identify what's happening, what the criminals are exploiting, how you can reduce those vulnerabilities, how you turn that into things that not only help you educate your peers and your departments, but also into educating your consumers, your call holders, your merchants, your third parties and anyone that you are in contact with, so that they too can have trust in you and start protecting themselves. This constant education and constant learning is going to be key.
Delaney: Organizations cannot afford to ignore the impact of social media both from a cyber and kinetic risk perspective, as well as a source of intelligence that companies can use to better protect themselves, their brands, and customers, says Lester Godsey, CISO at Maricopa County, Arizona. Here he shares how social media is part of his threat intel program.
Lester Godsey: We communicate with the organization and multiple departments within the organization, including our communications department, which we found to be a critical relationship to build. We have daily threat briefs. It combines a number of data points from a cybersecurity perspective, statistics from our firewall, from our endpoint protection and from email protection. But we leave those daily briefs with our measure and our analysis of what's going on in social media. That sets the tone with respect to what it is that we may or may not need to account for at an enterprise or county level. We take tools that our communications department has traditionally used and we measure what that sentiment is. We then draw additional correlations based off of our use of software that is available to scour social media, and then extract intelligence that might be pertinent to us. To give an example, a couple of months after the 2020 election cycle, my security operations team went on the dark web and they were able to get on a queue and on research forum and they found a 30-page dossier put together by QAnon specific to our recorder. And so that dossier went all the way back to the beginning of his college career and was intelligence gathered for purposes of showing what their community and for potential use against him and those related to him.
Delaney: What are the skills required to be a successful security leader today? Allegiant Air CISO Rob Hornbuckle shares some excellent advice with our executive editor of DataBreachToday and Europe, Matthew Schwartz, for CISOs at any stage of their career.
Rob Hornbuckle: Skills in relationship building, understanding the business, getting security to come in line with what it needs to be, as well as perception, interpersonal skills, developing those business relationships. The other part of being a CISO is you have to have good relationships with the rest of the organization. Every executive from every other point needs to feel that they trust you. Some advice that I got early on in my career that I didn't particularly care for at the time, but I came to grow with it and it came to grow on me: these executives of this company have been there for much longer than you for all intents and purposes. Most of them have been there for decades, or at least there's some that are, if not all. This organization is like a child to them. They've nurtured it, grown it and seen it come up from nearly nothing to what it is now. They have to trust you, as much as it would take a parent to trust you with their child, to not question you on what you're doing, to fully have faith in what you're trying to tell them that the company needs to do. That's the kind of level of trust you have to develop. To do that you need those interpersonal skills, business relationship skills and business knowledge. For me, that meant going back and getting a second master's degree. I ended up with a technical master's degree in information security when I was young. I got an MBA to make sure that I had the technical knowledge that was necessary. It worked beautifully to get me where I needed to be in order to truly fill the role in the way it has to be.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I am Anna Delaney. Until next time!