On Aon

42: On Aon’s Innovative Approach to Cyber Resilience with Nitai Mandhyan and Scott Swanson

Episode Notes

As cyber attacks become increasingly sophisticated and costly, organizations will face new challenges in mitigating their cyber risks. 

This week, host and Engagement Management Leader for Cyber Solutions, Stroz Friedberg, an Aon company, Rachel Ratcliff, is joined by Aon’s Managing Director, Cyber Solutions, Nitai Mandhyan, and Aon’s Practice Leader, Cyber Solutions, Scott Swanson, for a conversation about how organizations can withstand and respond to potential cyber risks. They discuss the importance of developing a cyber resilience strategy and participating in regular adversary simulation exercises to help build resistance to cyber attacks. 

Additional Resources:

On Aon’s Cyber Threat Hunt with Samantha Billy and Jonathan Rajewski

E&O and Cyber Market Review – Midyear 2022

Stroz Friedberg Incident Response, Named A Leader In The Forrester Wave™: Cybersecurity Incident Response Services, Q1 2022 Report

Aon’s 2021 Global Risk Management Survey

Making Better Decisions in Uncertain Times: Aon’s 2022 Executive Risk Survey

Aon’s website

Episode Transcription

Voiceover:

Welcome to “On Aon,” a podcast featuring conversations between colleagues on, well, Aon. This week, we hear from Nitai Mandhyan and Scott Swanson on cyber resilience. And now, this week’s host, Rachel Ratcliff.

Rachel Ratcliff:

Hi, my name is Rachel Ratcliff, and I'm the Engagement Management Leader for Aon Cyber Solutions. I've been a colleague at Aon for nearly seven years, and I joined Stroz Friedberg as an Engagement Manager back in 2009, and I have not looked back since. Both in my role as an Engagement Manager and now as leader of the group, I get to work with clients to find solutions to their most difficult cybersecurity problems. And in the process, I get to work with some of the smartest, most dedicated people in the business. And with me today are two such people, Nitai Mandhyan and Scott Swanson, who are here to chat with us today about cyber resilience and what's called adversary simulation.

Nitai Mandhyan has been at Aon since 2012 and currently serves as Managing Director and Deputy Practice Leader with Aon Cyber Solutions. Scott Swanson has been at Aon for over three years, it feels longer, Scott, and fills the role of Security Advisory Practice Leader for Aon Cyber Solutions. Welcome and thank you so much for being here today, Nitai and Scott. Okay, so before we get going, I'd like to ask a quick warmup question, if you will, to get the juices flowing. Now, you're both consummate professionals, but you've been at this a while despite being completely young and vibrant. How do you stay passionate about your profession?

Nitai, let's start with you.

Nitai Mandhyan:

Thanks, Rachel. I'm glad to be here today. Well, cybersecurity is such a dynamic field that no two days are alike. At Aon, I lead a team that deals with some challenging security problems for clients in different industry verticals. To answer your question, every single day that I come to work, it's something new, some new problems that they're solving together or just trying to figure out the best solution for our clients, and that's what keeps me passionate about this field.

Rachel Ratcliff:

That's great. Scott, what about you?

Scott Swanson:

Thanks, Rachel. Honored to be here today too, as part of the Aon podcast. Those are some of the nicest things I think you've ever said to me. But to answer your question, I think my passion is very much threat driven. It speaks to some of my past experience in the intelligence field, also in financial crimes. So, I love to assess and try to predict some evolving threats and push myself or, in this case, my team to either get in front of the vulnerabilities or risks by thinking really differently about the problem set or what's over the next ridge line.

Rachel Ratcliff:

That's great. And just to clarify, you were investigating and looking into financial crimes, and not actually committing them? That is correct, Scott?

Scott Swanson:

If you think about the intelligence side of the work that I was doing, it really could go either way, but we can't talk about that.

Rachel Ratcliff:

That's fair, and that's a different podcast altogether. All right. Getting back on topic. We hear the word cybersecurity bantered about everywhere, but could you tell us a little bit more about what makes cybersecurity so important, particularly right now? Nitai, can we start with you?

Nitai Mandhyan:

Sure. Cyber attacks are so much more frequent now. We see cyber attacks being targeted, sophisticated, and extremely expensive for our clients. Most of the security leaders I work with are still wondering and trying to figure out where the next security dollar's going to come from. Mitigating cyber risk is an ongoing challenge for most of my colleagues in the industry, and the decisions that an organization makes prove critical to its ability to withstand, respond to and recover from a cyber breach attack. An organization's cyber resilience strategy has a direct impact on the availability of its systems and everything else that the business really depends on for revenue.

Rachel Ratcliff:

Yeah, absolutely. Now, Scott, how would you respond to this question?

Scott Swanson:

Well, I certainly agree with Nitai. I think to give a little bit of a different angle, I think cybersecurity really represents a tone, also a message, and, in most cases, even a mandate. And whether that's truth or whether it's perception really doesn't matter because I think that's what the industry itself can kind of react from. I'm a really strong proponent of governance and cyber security being driven through the culture right through the core of an organization. So, at a micro level, I think really everybody in a company is responsible for protecting the organization and then leadership ensuring that that is occurring. But at a macro level, I think failure to do so within an organization can be massively disruptive to economies, to infrastructure, and the ramification of that is even some social wellbeing. So, I think the ripple effect is really massive for some corporate responsibility with regard to cybersecurity.

Rachel Ratcliff:

No, I love that, Scott. I love what you're speaking to about both the micro and macro implications of failure to really respond well to the cybersecurity landscape. It's evolving, and it's iterative for a lot of companies. And so now we're seeing a lot more businesses understand the need for cyber resilience, but maybe they're not always responding to it in a tactical way. So, that leads me to my next question, appropriately enough. How can businesses go about developing cyber resilience? Nitai, can we start with you?

Nitai Mandhyan:

Well, that's going to be an interesting discussion, and I'm sure we could talk about that for hours, but just to start with, we see that a lot of the organizations today are moving away from traditional mainframe computers to the microservices and cloud architectures that we hear about today. For these new architectures to withstand and recover from cybersecurity incidents, organizations and businesses need to look at their security strategy and evaluate how effective their strategy is against the attackers that are targeting them. These organizations have to identify gaps and the blind spots in their security strategy. Unfortunately, this is easier said than done. If this was an easy ask, we would be out of work and maybe enjoying pina coladas on a beach. With limited security budgets though, most cybersecurity leaders find it difficult to continuously test the effectiveness of their security controls against the thousands of attack techniques that are being used by cyber attackers today.

Rachel Ratcliff:

Yeah, it's almost an insurmountable task, but I suppose you're right, Nitai, it's one that keeps us in business helping people and away from the beaches and their delicious pina coladas. Scott, what would you add on this?

Scott Swanson:

Well, you're making me work. I'm following the professor. So, I would say resilience to me really goes hand in hand with security. Security is a proactive approach before an event happens, and I feel that resiliency is really occurring through preparedness after an event has occurred. So, adding onto what Nitai had shared, I think really starting at the beginning of a lifecycle to proactively determine what threats can impact the business and then seeing where vulnerabilities could be exploited and risks can elevate, I think that helps chart the course for creating preparedness through plans, remediation, what have you, to really improve resiliency after the fact.

Rachel Ratcliff:

It really is a full lifecycle, isn't it? Okay, so let's focus on adversary simulation. When I first heard this term started to be bantered around, I thought, "Well, that sounds like part Minority Report and part Robot Overlords," but let's talk about what it really is and what the experience looks like for clients. Scott, let's start with you this time.

Scott Swanson:

I should have kept my mouth shut.

Rachel Ratcliff:

That's right.

Scott Swanson:

So, I've got to admit, I'm really stealing a lot of this from Nitai's playbook, and he had really architected this with his team in a really innovative approach. It's really designed to provide cybersecurity teams with a real-world feel of a targeted attack, definitely near and dear to my heart, and that's minus the consequences of the cost of an actual breach, so quite safe. Adversary Simulation services are helping our clients strengthen their response to sophisticated threat actors who are potentially preying off them. So, those services help organizations take more data-driven approaches to enhancing cybersecurity programs, it ensures the validation of existing security controls against threats, and that can be against ransomware, business email compromise, data exfiltration attacks. It gives security leadership the data points that they need to make more informed investment decisions, which is also critical and flows up to the C-Suite, and then meaningful insights into specific aspects of security design that were effective against threat actor activity.

I think this is kind of a unique aspect that we have by having both proactive teams, reactive teams, the insurance side, so that we can draw on a lot of those data analytics ourselves to inform our clients, and then based on a culmination of that ensures better prioritization of limited resources. So, really, I mean, given the current threat landscape, I don't see why every CISO isn't considering regular adversary simulation exercises to better enhance their cyber resistance and resilience. I think it allows them to pivot from that reactive implementation of defensive controls and security tools to that more proactive, strategic, data-driven approach to risk prioritization and mitigation, so essentially you're dealing with a problem before it happens and testing yourself to see whether or not you're actually able to respond when it comes down to it.

Rachel Ratcliff:

So, this sounds like a really important strategic arrow in the quiver for any sort of security professional or, for that matter, executive or anyone who is thinking about risk within an organization. Now Nitai, you and your team have really been the architects of the adversary simulation offering that we provide here at Aon Cyber Solutions. Is there anything else that you would like to highlight?

Nitai Mandhyan:

Thank you, Rachel. And I think Scott covered some really excellent points. And I love the analogy, the comparison to Minority Report. Our team here brings together a unique set of capabilities to make those Minority Report projections really accurate. It's like going to a doctor's clinic for your annual physical and getting some blood tests done. After the blood tests, you really want a panel of experts looking at those results from different lenses. You have the regular physicians, you've got the experts and you've got the specialists looking at your results altogether. These experts in cyber security can be in the proactive or the reactive side, and our team here has access to experts on the reactive side that are dealing with these incidents and these breaches in real time. With all the learnings from the field, they share that with us on the proactive side, and we in turn go back to our clients and tell them how to effectively use those learnings to improve their security programs.

Rachel Ratcliff:

I love that analogy, Nitai. It's more than just the blood test. You really need the experts to dive in and tell you what the results mean and how you can use those results to put yourself in a better position. So, besides the immediate learnings that would come out of adversary simulation, like, "Oh my goodness, there could be a threat in my environment that I'm not protecting against right now," how can the simulation results provide value for companies? Nitai, what's your take on this one?

Nitai Mandhyan:

Thanks, Rachel. So, with adversary simulation, the results can be used to highlight an organization's cyber resilience to underwriters on cyber E&O programs. With all the data points that we are providing here, there's a lot of evidence around the effectiveness of security controls, and these data points are very useful for cyber E&O programs. Now, given the current threat landscape, an adversary simulation exercise would also allow a CISO to pivot from a reactive implementation of controls to a more proactive and planned implementation of the same controls. The CISO would also have the data points to make the decisions that they need and to invest their limited funds in the right space.

Rachel Ratcliff:

And Scott, what's your response to this?

Scott Swanson:

Well, as I stated in the beginning, I like to focus on threats, and the adversary simulation is heavily threat-driven. I think companies that are not specific in their threat appreciation will be a lot more generic in their controls or relying on a third party that's telling them what their control should look like, and that has no lens into what the particular business model might be, the industry, the competitive positioning, a lot of those specific nuances to that organization that is really germane to how they're doing business. So, by being a little bit more vanilla, I think that creates fissures that can definitely be exploited. Nitai can talk to this all day long. I mean it's what he's dealing with on a constant basis. And there's really a great value to really understanding the ways that real-world scenarios and indicators of a threat can be identified and viewed in the context of scenarios that can manifest into major risks.

So, it's really a train like you fight, and what Aon is able to do is help you train like you fight based on what we're seeing in the industry as those fights that have been lost because we're responding to those. We have our clients on the insurance side that are paying out those claims or rejecting companies that are trying to get insurance. We're able to harness that trifecta of security preparedness and the resiliency and that insurance side, bringing those together to really, I think, understand where the threat could lurk, that vulnerability, and then that residual risk remains.

Rachel Ratcliff:

Specific, real-world exploits, and understandings. There is nothing vanilla about that. Well, thank you so much Nitai and Scott. This was a very helpful conversation and enjoyable conversation, and I think and hope that very many people out there will find it interesting. Before we sign off, I'd love to ask you one more question just to give our listeners more information about the two of you. And Scott, since I've gone to Nitai more during this podcast, for the first time I'm going to start with you, this is a pretty tough one, but I would like to know something that is a hidden skill of yours that is not on your resume or LinkedIn. Please go now.

Scott Swanson:

Wow. It's not going to help anybody here, but if they ever need a recipe, I smoke about anything that can walk, like Cajun food and cooking that. So, this is my time, fall comfort food season, so soups, stews, smoked meats, that's all me.

Rachel Ratcliff:

All right, I'm on the next plane to Chicago, Scott. What do you have planned this weekend for your smoking prowess?

Scott Swanson:

I think that we're doing Orsolya this weekend for game day, so it's like a jambalaya, but instead of all the heavy rice, you use the Orsolya noodles. So, we're having plenty of shrimp, we're having smoked pork, all kinds of good stuff.

Rachel Ratcliff:

Oh man, you're making me hungry. Okay, Nitai, what about you? I would like to know a hidden skill of yours that is not on your resume or LinkedIn.

Nitai Mandhyan:

Now, Scott's got me hungry now, and I'm planning for our next team meeting at Scott's place. But Rachel, to answer your question, I really like baking. So, I'm a crime fighter by day and an amateur baker by night. So, at night, after working through a lot of these security problems, I'm sometimes baking and trying to whip up the next cake or dessert for my family.

Rachel Ratcliff:

I had no idea, Nitai. That's awesome, and that makes me want to come to your house as well. And I think we have now established our leading contender in the great Aon Cyber Solutions Bakeoff.

Voiceover:

This has been a conversation “On Aon” and cyber resilience. Thank you for listening. If you enjoyed this week’s episode, tune in in two weeks for another new episode. To learn more about Aon, its colleagues, solutions and news, check out our show notes, and visit our website at Aon dot com.