ISMG Editors Panel: Looking Back on 2022
A Reflection on Top Thought-Leader Interviews of the Year
In the latest update, four ISMG editors discuss important issues of 2022, including: CISO Marene Allison's unique career path; Ukrainian government cybersecurity official Victor Zhora on lessons learned from countering cyberattacks; and insights from CEO Nikesh Arora of Palo Alto Networks.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Michael Novinson, managing editor of business; and Tom Field, senior vice president, editorial - share:
- Tom Field's conversation with CISO Marene Allison about her unique career path, starting with a distinguished stint in the military and moving on to roles in the public and private sectors - including time with the FBI - to become CISO for Johnson & Johnson;
- Mathew Schwartz's interview with Victor Zhora, deputy head of Ukraine's Cyber Agency, who discusses tactics used by Russian attackers to combine cyberattacks with kinetic operations in the Russia-Ukraine war;
- Michael Novinson's discussion with CEO Nikesh Arora of Palo Alto, which addresses the vendor's unique method of specializing in not just one technology category, but three - network security, cloud security and security operations.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Dec. 16 payments special edition and the Dec. 23 edition discussing why zero trust isn't the answer to everything.
Anna Delaney: Hello, and welcome to the final ISMG Editors' Panel of 2022. I'm Anna Delaney. And this is a special end of year episode where we reflect on some of the best and most memorable conversations of the year. And to do that, I'm joined by Tom Field, senior vice president of editorial; Mathew Schwartz, executive editor of DataBreachToday and Europe; and Michael Novinson, who leads our business coverage. Lovely to end the year with you all. Tom, this was of course, a very special year because this is the year we met in person as well. It all began in Chicago, didn't it?
Tom Field: Indeed it did. Yes.
Delaney: That was definitely a highlight of 2022. But of all the conversations you've had with security leaders this year, which was the one that stood out for you?
Field: That was a hard one to narrow down. I got down to a shortlist of about three after spending some time on it. And I finally decided to go with Marene Allison, the outgoing CISO of Johnson & Johnson, and I don't mean outgoing just because she's energetic, but she is. But because she's retiring early in 2023 and had a brilliant career. She was in the first class of women at West Point Academy, military academy in the U.S. She has gone on to work in the FBI, worked undercover and drug busts. She's worked for the old A&P supermarket, worked for Medco. And now with Johnson & Johnson, a fabulous career. And I talked with her about her career earlier in the year and reflected on what it was like to get into cybersecurity before cybersecurity was a career. So if you don't mind, I'm going to share an excerpt of our conversation where she talks about getting into cybersecurity kind of by happenstance.
Marene Allison: Well, first of all, we're of the tender age that there was no cyber. So you couldn't aspire at 21 that, oh, I'll be the CISO of a company, because there was no such thing as the CISO. So I think there is a generation of CISOs that either we're tumbleweeds, or we're good at adapting at what is thrown at us. I tell people, you throw me a lemon, I'm going to make you a lemonade. And that's really what has happened. I wanted to go to Wellesley, an all-women school outside of Boston, channeling Abigail Adams, and at the time, I wasn't able to get in. And I got an opportunity to go to a military academy. And my choice was I want to go to the Air Force Academy. Margaret Heckler, my congresswoman, gave me her principal nomination to West Point. Now there was no cyber then. There wasn't even computer science as a major. And so I got asked when I was a first classman, if I would be interested in taking electrical engineer. So as part of my engineering degree, I took electrical engineering and our concentration as we call them, we didn't really have majors, and I took electrical engineering. And that started me in a systems bitten-by-type of thinking that came through my entire life.
Field: I like that. We are either tumbleweeds or we are very adaptable. Maybe a little bit of both, but remarkable woman. Had the chance to speak with her as she wound down her career. And I'll be sharing that career-spanning interview shortly.
Delaney: Very good. She's an inspiration and we need more leaders like that. Do you have any idea as to how she will be spending her time in retirement?
Field: I don't believe for a second she's going to totally stop. She's too active in too many groups throughout the world, really. What I'm hoping for is an opportunity to sit down with her in person to hear more about her and her husband's career undercover doing drug busts for the FBI. I think there's a movie there and I'm eager to hear it.
Delaney: I love it. Well, thank you very much. Matt, we also met for the first time this year, didn't we? But in London. How crazy is that?
Mathew Schwartz: I know, good times. And then just a few short weeks later in San Francisco.
Delaney: Indeed, and which, of course, adds to this year's top moments that must be said. But other than that, Matt, you've had a fruitful year of reporting. Ransomware attacks certainly didn't stop. We saw double and even triple extortion tactics being employed by the criminals. And then of course, the Russia-Ukraine war certainly turned cyber warfare into a reality. How was the year for you and was there an interview that towered above the rest?
Schwartz: Definitely, as you say, ransomware continues to be such a fascinating topic as the criminals innovate different business models, and so on. And one of the big impacts I think we've seen with ransomware has been Russia's decision to invade Ukraine. And that leads me to what has been one of the most standout interviews of the year for me, which was speaking with Ukrainian government cybersecurity officer, Victor Zhora, back in August. So the war began, February 24th. Forces moved in. Obviously, we saw a run up to that where there was a lot of, I don't want to say cyber sniping, but you get the idea that there is a lot of conflict already happening, possibly softening up the battlefield or trying to before the next escalation that we saw with the forces moving into Ukraine in February. So I had the opportunity to speak to Victor Zhora, who's helping lead the cybersecurity defense for the country. And you may recall, at the beginning of the year, there was a lot of question about how Russia, perceived to be this gargantuan cybersecurity power, would use hack attacks for what might be the first actual cyber war. And so I put the question to Victor, at the beginning of war, he had said, the Russia-Ukraine War was the world's first not cyber war, he was looking at it as the world's first hybrid war, and that it was a war. But there was also the use of cyber. I asked him to expand on that, because he's obviously on the front lines here. And just how has it been used? What's been surprising to you? And this is what he said.
Victor Zhora: Russia for us just continues to combine cyberattacks with kinetic operations, and in a very serious percentage, that can be coordinated with kinetic to amplify the overall psychological effect from these attacks. Some of cyber operations continue being separate from their military activity. So this is very diverse activity. And it seems to me that in the last several months, we do not observe some particular strategy. The adversary continue to seek for gaps and vulnerabilities in Ukrainian networks trying to gain access to provide persistence in these networks to exfiltrate data to seek for opportunities of direct impact and destruction to these networks. And it seems to me that decisions made accordingly to opportunities that can find in our infrastructures, and then perhaps, they will choose best scenario according to current circumstances, perhaps in consideration of potential kinetic conventional opportunities they have on battlefields, or simply providing information psychological effects on Ukrainian media sphere.
Schwartz: Unfortunately, what we have been seeing - now that it's winter - is that Russia is repeating some of its prior tactics. So back in 2015, back in 2016, it used cyberattacks in order to crash part of the power grid in Ukraine. A lot of people were warning that this was an obvious play they might make. We didn't see it, though, at the beginning of the conflict, presumably because missiles are a much easier way to destroy infrastructure and to disrupt activities. Unfortunately, now, though, we are seeing these indiscriminate continuing attacks on civilians, escalating to the point where there's been crashing or targeting or destruction of the infrastructure that Ukrainians need to keep themselves warm over the winter. Officials have been saying that one of the best defenses they have against this is generators, and they've been appealing for other countries to send them generators. So obviously, there have been these cybersecurity, cyber warfare, cyberattack questions, but they have really, I think, been secondary to the reality on the battlefield, and for the lives of people who are in Ukraine and attempting to maintain normalcy as much as they can in the midst of Russia's invasion.
Delaney: For sure, and then we saw this incredible international collaboration, didn't we, in terms of threat intelligence, sharing and supporting Ukraine's digital defenses, but there is this danger of cyber war fatigue? Matt, do you sense this happening? And are you concerned that going into 2023 that might cause problems?
Schwartz: Again, I think this is secondary to the potential problem, geopolitically speaking, of war fatigue. We've seen a lot of Western governments, to their credit, backing Ukraine. One of the big success stories for me of the year, and maybe I should have highlighted this sooner in our discussion is the likes of Microsoft, and I'm going to get the names wrong. So I won't even try. But all these companies stepped forward to help Ukraine. As you say, there's threat intelligence, Microsoft and others have also donated cloud computing, Ukraine was able to keep operations going because they moved to the cloud. I mean, we were talking about quick digital transformation. I think, for Ukrainian government, maybe it was overnight in some cases. They flipped a switch, and they just went for it. And amazing, amazing work by companies, by businesses, by private businesses to donate time, expertise and help to help Ukraine defend itself. Amazing. Wonderful. So I do though, wonder if we could see some fracturing amongst the Western governments that have pledged a lot of money and resources, weapons, help, all that sort of thing. Geopolitics is difficult. And the Soviet Union, now Russia, has a long history of attempting to exploit existing differences, disagreements, and certainly they're going to be trying to use this war as a way to weaken the EU. We've already seen it weakened by the exit of Britain. And they're going to use that to their advantage in whatever way they can. I think cyber is secondary there, but I think there are some real problems. We don't know how they will shake out, possibly with cyber ramifications as we go forward.
Delaney: Excellent work, Matt, and really very good interview. That was a great find, I suppose. Well done.
Schwartz: Thank you. I was lucky and honored to be able to do that.
Delaney: Well, Michael, we also met for the first time this year, but in San Francisco. What a moment, what an intense stint. But it was great. So much happened in the business world this year, didn't it? So what's the golden interview that you are going to share with us?
Michael Novinson: Absolutely. And thank you for having me. I was delighted to be able to speak not once but twice with Nikesh Arora. He's the CEO of Palo Alto Networks. We spoke at RSA Conference on video in June and I'll share a clip from that as well as in person at Palo Alto Networks Ignite - their show - just last week in Las Vegas. So I think there was a lot of questions in terms of best of breed versus platform that have been percolating in the industry for a number of years. And up until this past year, it really seems like investors in the industry were very enthusiastic about having people who are knowledgeable in a specific technology area like CrowdStrike and endpoint security and identity. And Palo Alto Networks have taken a bit of a different strategy under Nikesh Arora. He came in as CEO in June of 2018. But that went to a really a pretty narrowly focused firewall vendor. And they made between 2018 and early 2021, roughly a dozen acquisitions; spent two and a half billion dollars and moved into all kinds of areas where they hadn't had any play before. And this is highly unusual in the industry. Really, the industry has prioritized building out capabilities organically. And we've seen the likes of Symantec and McAfee try to make large acquisitions move into new areas. And ultimately, it hasn't worked that they haven't, while they're trying to offer customers a broader platform that has the capabilities that haven't been best in class across the board. So yeah, up until this point, really a major focus was cloud, they brought container security service and all these sub capabilities within cloud security. And then another big area of focus has been around security operations, they bought into SOAR. And then really have been focused on trying to build out what they call XSIAM as a SIEM replacement offering.
So when I had Nikesh on, and I did want to speak to him a little bit about the unique strategy there and why the company was so focused on doing M&A in his early years, and why he thought that that was the best way to make the company relevant going forward.
Nikesh Arora: It's really not one security company that has more than two and a half percent market share, which is us. And if you analyze that, you realize that every security company gets really good at one thing, and then misses the boat, no pun intended on the next thing. And you sit there and say, well, I can't go back and change the past. So I can't go back and build a business in areas that, we've kind of missed the boat on. But if you sat back and thought about four years ago, what was going to be big. I spent 10 years at Google. And in that period, I realized the cloud is going to be big. So I sat down with Nir Zuk, our founder. I sat down with Lee Klarich, our chief product officer and our teams. We really sat down and parsed through what the implications of that change were. I realize, half the company in the world are going to go in the cloud. So they're going to have to write a whole bunch of applications in the cloud. So we have to find a way to secure that. Two, it's going to change in how networks are fundamentally created. So we had to go think about how network transformation is going to happen. And three, the availability of cheaper compute, low latency, high bandwidth solutions, will allow for a whole new real-time process security. So based on those three insights, we set about the strategy about building a network security platform, a cloud security platform and an automation platform, which is based on a fast processing and real-time security.
Novinson: So in 2022, the market has largely come around to the vision Palo Alto Networks had. We have seen their stock hold steady, while other more focused companies like CrowdStrike, Zscaler and Okta have been hit harder by investors. They're now the most valuable company in cybersecurity, not only the largest from a top line revenue standpoint, which has been the case since Symantec was sold to Broadcom, but actually the most valuable. I think investors are happy to see that they're well positioned to weather an economic downturn, since they have offerings in a lot of different areas. And I think there is a feeling that the industry is coming around to their vision that, especially with the downturn, that there's more pressure around vendor consolidation, trying to get rid of point products, reduce cost. And I think there's been enough feedback from the market that their products and even in areas where they didn't, where they moved in, inorganically like cloud or security operations that their offerings are, at least one of the best in the industry. So they're not asking their customers to accept a subpar offering just for the case of having a broad platform. So Nikesh will complete five years as CEO in June. So far it seems like investors and customers are really rallying around his vision.
Delaney: Very good, and Michael, did anything happen this year that was pretty unique to 2022? Like you hadn't seen it in the industry before in previous years?
Novinson: Yeah, so the really unique thing has been these take-private deals that most years because security is a growing industry, if you look at the number of companies that are going public versus the number of companies that are leaving the public market, that usually the former greatly outweighs the latter, we had at least four companies going public in 2021. And to the extent that companies were leaving the market, there might be a big, a big player, acquiring them like Google in the case of Mandiant, or whatnot. And yeah, this year was different that stocks just really weren't doing well. So the private equity firm still raised a lot of money. They had a lot of cash. And these are growing companies, these are maybe on the way to profitability. There's a high degree of customer interest, and they just saw a good deal and with Steve King we had Stu Sjouwerman, he's the CEO of KnowBe4, into the ISMG Studios. I'd asked him, you just went public in 2021 and why did you decide only a year later to get acquired by this equity. And he was saying that the market isn't being fair to us, like we're growing to 35% a year, we're actually profitable, which is rare in this industry and the stock/that flatlines had gone down and he just felt like the public markets were not recognizing the value of all that the very largest cybersecurity company. So no IPOs this year, highly unlikely there'll be one next year. But yeah, Thoma Bravo just raised $34 billion. I have to wonder how much that's going to end up being spent on cybersecurity purchases. But I think we're going to continue to see this because I think people realize there's some really good companies that can be purchased at affordable rates.
Delaney: That's a great interesting insight, Michael. Thank you. So finally, prediction time, of course, as you approach the New Year, what are your top predictions for 2023?
Field: I have two; on sort of the scary side, I worry about attacks on operational technology. I think that we've seen some ... we know what the vulnerabilities are, we know organizations are waking up to those, we know adversaries are discovering them, and likely exploiting them as we speak. I worry about those taking down organizations that aren't adequately prepared. That's something I think we'll be talking about in 2023. Encouraging follow up on what Michael was just talking about was consolidation I believe we're going to see in the cybersecurity space, I don't think it's necessarily a bad thing for there to be fewer, perhaps stronger vendors for security leaders to deal with. We talk about the issues of supply chain security, and third party risk management, I think that those issues are ameliorated to some extent by consolidation. So I think that's an encouraging sign.
Delaney: Excellent. Matt?
Schwartz: Couple of the ones that I picked - supply chain attacks, I think, are fertile territory for additional attacks, we saw SolarWinds, that came to light in 2021. And I think there were worries that we would see much more of that in 2022. Maybe there has been and we just haven't found it yet. But I do think we're going to see much more in the supply chain attack front, because you'd have one person or one organization, one entity, one piece of software, and it gives you that ability to hit many more than one, potential victims. So I think that is something we're going to be seeing more of. Ransomware, like we were discussing at the top of the hour, I think we're going to be seeing more innovative business models, what those will be, I don't know. But of course, they're going to be fine-tuned by criminals to try to get them more money. I think we've maybe seen less emphasis on large U.S. organizations, and more emphasis on other countries. Australia, for example, had a really big ransomware hit. The U.K., the NHS through a third-party provider had a really bad hit this year. I think we'll see more of that. And then finally, more uncertainty on the Ukraine front. We talked about the psychology of supporting Ukraine, and Ukraine's adversaries attempting to exploit that - if you will - try to use that against the coalition of countries or break up the coalition of countries that have come together to support Ukraine. How that will shake out is anyone's guess. But the longer the war lasts. I mean, the more horribleness of course, but also the greater the potential for Western backers to blink. And so we'll have to wait to see what happens. Hopefully, that won't happen. But we will see.
Delaney: What do you see ahead, then, Michael?
Novinson: For me, I'm really watching these late stage startups, the economic downturn didn't affect everyone equally. And for those companies that had been in fully anticipating to go public in 2022 or 2023, that they've had a lot of tough decisions. We've certainly seen layoffs at a number of companies - Cybereason, OneTrust, Snyk, Lacework, etc. And then companies having to decide what is their future look like in the case of Arctic Wolf them and taking $100 million in tax, they wouldn't have to take a valuation hit. But buying themselves a little bit more time. In the case of Snyk, just last week, they actually took about a 12% cut to their valuation in order to get more money. And I think we'll see some more moves like that. I think we'll also see some folks contemplating an exit. I know, all of these companies really were enthusiastic about going public. And they were very bought into that vision. But I think folks didn't have to start considering alternatives and other media reports. Cybereason was considering an acquisition, they very strongly refuted that pushback on that. But I do think folks are going to have to start considering things in terms of the M&A landscape. I certainly think a lot of it is going to be those private equity firms that have a lot of money and see cheap deals. I do wonder in terms of what's called strategic acquisitions follow either cybersecurity or technology vendors. We didn't see much in the cybersecurity world. I mean, the biggest one we saw in 2022 was Attivo Networks was bought for just north of 600 million by SentinelOne. If you compare that to 2021, Okta spent more than 6 billion on Auth0. So with company stocks down, investors don't really want to see them spending their money on acquisitions. But I will keep an eye on some of those large technology firms. I mean, Google made a very powerful statement spending 5.3 billion to buy Mandiant.
And I do wonder if Microsoft, and particularly Amazon Web Services, feel some pressure to show a commitment to security to buy a well-regarded firm in the industry maybe spending north of a billion to signal that we're serious about security. This is important to us and we have in-house expertise in this area. So particularly on AWS, I would keep my eyes on the skies.
Delaney: Lots to watch in 2023. I was thinking for sure we're going to see some significant movement to regulate the crypto space and fight money laundering and more MFA bypass attacks. But on a positive note, hopefully more organizations embrace tech like FIDO. So does that sound all fair?
Field: And the four of us all get the opportunity to be together sometime in 2023 in person?
Delaney: That would be wonderful.
Novinson: It'd be lovely.
Delaney: Tom, Mathew, Michael, thank you so much. It's been wonderful working with you this year.
Field: Thank you. Happy New Year. All the best.
Schwartz: Happy New Year.
Novinson: Happy New Year.
Delaney: Happy New Year. Thank you so much for watching. Until next year!