Russian cyberattacks, Log4J and compliance top the list of concerns for Anne Marie Zettlemoyer, CyCognito’s new Chief Security Officer (CSO).
Zettlemoyer, known within the industry as simply “AMZ”, joined CyCognito recently (see press release), bringing with her a 20-year resume in cybersecurity that includes positions at Mastercard, Capital One, Deloitte and a post as a special advisor to the U.S. Secret Service.
We sat down with AMZ to talk about what is top of mind for her as she joins CyCognito.
What interests you most about the state of cybersecurity over the past year?
A theme over the past six months is visibility and understanding where you are vulnerable. When we look at what the industry has just gone through with Log4J, this was the cyber-shot heard around the world. Add to that Spring4Shell followed by an uptick in cyber-tensions brought on by the Russia-Ukraine conflict – and the top questions for organizations are: where am I vulnerable and what assets of mine are an easy target?
Even companies that thought their security posture was buttoned-down needed to shift into high gear and figure out what holes in their network perimeter left them vulnerable to Log4J. It was a Herculean task. Companies were not only racing to fix a potentially catastrophic bug, but they were also scrambling to understand where and how they were vulnerable to it.
Companies assume they understand their weak spots, but don't often verify them. We embrace a threat-informed defense posture. But we need to be able to make informed decisions in real-time during unfolding cyber events and act fast to mitigate threats. Log4J highlighted that need for everyone.
What can organizations do to mitigate an uptick in cyberthreats?
What organizations can do is recognize the problem. Many companies are working with limited (security team) resources, a sprawling external attack surface and an evolving threat landscape. That’s the challenge.
We hear the mantra ‘trust but verify’ and we adopt zero-trust approaches. But you can't defend what you can’t see. How do security teams test assets if they aren’t seeing them? The problem is that they assume they are testing enough of them. Without an accurate asset list, they really don't know if they are testing 1%, 5% or 75% of their attack surface. To be successful, you have to know your asset inventory and ecosystem.
So, when something like Log4J comes around, people start realizing they aren’t set up to see and defend something like that fast.
What can security teams do to address security alert fatigue when testing for events like Log4J and other threats?
Dealing effectively with a daily influx of security alert data and threats takes a shift in attitude towards a risk management approach versus a compliance mindset.
Risk management is what enables you to continue your business, grow your business and protect your business. Cybersecurity compliance is what you must do to run your business.
I can't tell you how many times I've been in a situation where a new cybersecurity threat becomes an issue and a security team member says, “we are PCI compliant” or “we are X compliant; how can we be vulnerable?”
Compliance is a bread-and-butter piece of cybersecurity. It ensures a level of protection, but it does not mean that it's the right amount of security to manage the risk that you have. And they are two very different things.
If you cannot manage your risk, you cannot thrive.
CyCognito will allow you to do both compliance and manage risk. By making risk a determining factor in building an organization’s cyber defense strategy, CyCognito can help security teams do more with less and focus on protecting a company’s most valuable assets from the most pressing threats.