Q&A: General Atlantic’s CIO on managing cyber-risk

Casey Santos shares thoughts on cyber-risk trends and how AI could be used to prevent cyber attacks.

Cybersecurity was once again named a top concern by the Securities and Exchange Commission in its 2019 examination priorities, and managing cyber-risk was a major topic of discussion at Private Equity International's CFOs & COOs Forum 2019 in New York in January. Chief financial officers stressed the importance of managing cyber-risk throughout a firm as well as remaining SEC-compliant.

Casey Santos, chief information officer of General Atlantic, a private equity firm with $31 billion in assets under management, shares her thoughts on how best to manage cyber-risk, and how artificial intelligence can be harnessed to prevent cyber attacks.

What are the growing threats firms should be looking out for?

Phishing and spear phishing are threats we have faced in the past, and they're getting increasingly sophisticated. What we're seeing is hackers targeting people looking for potential to deliver a quick return on their investment, such as impersonating emails for changing wire instructions. These more targeted phishing attacks often start with a basic phish, asking a user to click a link and enter a user name and password. Once the hackers have access to that, they start traversing through email, impersonating the person, often sending emails from senior executives' accounts to ask someone to send money via wire, only the wire instructions connect to the attacker's account. We are seeing such attacks in our industry quite a bit. So even though it's not solely a technical problem, it's a very important one that has a high cost to an organization. User education is not enough. The good news is there are some interesting technologies emerging that focus on creative ways to catch these fake emails, making it harder to impersonate.

What types of technologies?


Traditionally, a user would identify a phishing email and report it to IT. Or, using older software technology, emails are reviewed and blocked or flagged if they are in a database of known nefarious IP addresses and email addresses. The IT security team reviews questionable emails and reacts accordingly. Unfortunately, the attackers are continually changing up their signatures, so those databases are not always up to date, and IT security teams receive many requests to review emails. Thus, we are often behind in our response.

The newer technologies are cloud based and incorporate AI technology such as machine learning, making them more effective. Examples include tools that use machine learning (work previously done by humans) to identify phishing emails more quickly and effectively, then actively block or flag those emails before a user ever opens them. This newer technology looks for behaviors or correlations that can be hard for a human to identify quickly. These new, more sophisticated screening systems provide earlier, more dynamic screening and identification of phishing emails.

I think we are moving from a first generation of tools to a newer one. Generation One technology didn’t use as much AI; it was more ‘brute force.’ The newer players are improving on that by applying AI techniques. Some of the legacy players are also improving their existing products by incorporating this new technology.
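The contrast drawn in the two answers above, between a static list of known-bad senders and screening that looks at how a message behaves, written up as an added Python example. This is not code from the interview, from General Atlantic, or from any vendor mentioned; the firm domain example-pe.com, the executive roster, the blocklist entry and the three sample messages are all constructed for the example. It runs the executive-impersonation wire fraud pattern through both controls: the blocklist only matches an address it has already seen, while the heuristics flag an executive's display name on an external address, a sender domain one edit away from the real one, a Reply-To that routes the conversation elsewhere, and payment-change language in the body.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this example: a hypothetical firm domain and executive roster.
FIRM_DOMAIN = "example-pe.com"
EXECUTIVES = {"jane doe"}  # display names an attacker would impersonate

# The first-generation control: a static list of sender addresses already
# seen in attacks (constructed). It only catches what has been seen before.
KNOWN_BAD_SENDERS = {"jdoe@mail-relay-123.net"}

# Payment-change language typical of wire-fraud phishing (label -> regex).
PAYMENT_PATTERNS = {
    "wire": r"\bwire\b",
    "wiring instructions": r"\bwiring instructions\b",
    "bank details": r"\bbank (details|account)\b",
    "updated payment info": r"\bupdated (payment|remittance)\b",
    "urgency": r"\burgent(ly)?\b",
}


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def blocklist_check(msg):
    """Signature-style control: is the exact sender address already known bad?"""
    _, addr = parseaddr(str(msg["From"]))
    return addr.lower() in KNOWN_BAD_SENDERS


def heuristic_check(msg):
    """Return the reasons a message looks like executive impersonation."""
    reasons = []
    name, addr = parseaddr(str(msg["From"]))
    from_dom = domain_of(addr)

    # An internal executive's name on an address outside the firm.
    if name.strip().lower() in EXECUTIVES and from_dom != FIRM_DOMAIN:
        reasons.append(f"executive display name '{name}' on external address {addr}")

    # A sender domain within two edits of the real one (typosquat / dropped TLD letter).
    if from_dom != FIRM_DOMAIN and 0 < levenshtein(from_dom, FIRM_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {from_dom}")

    # Replies silently redirected to a mailbox the attacker controls.
    if msg["Reply-To"]:
        _, reply_addr = parseaddr(str(msg["Reply-To"]))
        if domain_of(reply_addr) != from_dom:
            reasons.append(f"Reply-To routes replies to {domain_of(reply_addr)}")

    # Two or more payment-change cues in the body.
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    hits = [label for label, pat in PAYMENT_PATTERNS.items() if re.search(pat, body)]
    if len(hits) >= 2:
        reasons.append("payment-change language: " + ", ".join(hits))
    return reasons


def triage(raw):
    """Run both controls over one raw RFC 822 message and report the verdicts."""
    msg = message_from_string(raw, policy=policy.default)
    return {"blocklisted": blocklist_check(msg), "reasons": heuristic_check(msg)}


# Constructed sample messages (not real traffic).
SAMPLES = {
    # Fresh sender address, lookalike domain, external Reply-To, wire language:
    # invisible to the blocklist, caught by every heuristic.
    "bec": (
        'From: "Jane Doe" <jane.doe@example-pe.co>\n'
        "Reply-To: jd.private@webmail-host.net\n"
        "To: treasury@example-pe.com\n"
        "Subject: Re: closing payment\n"
        "\n"
        "Please wire the closing amount today to the updated bank details "
        "attached. This is urgent, I am in meetings all afternoon.\n"
    ),
    # Genuine internal mail from the same executive: nothing fires.
    "legit": (
        'From: "Jane Doe" <jane.doe@example-pe.com>\n'
        "To: treasury@example-pe.com\n"
        "Subject: quarterly review\n"
        "\n"
        "Reminder that the quarterly review moves to 3pm on Thursday.\n"
    ),
    # Sender already on the blocklist: both controls fire.
    "known_bad": (
        'From: "Jane Doe" <jdoe@mail-relay-123.net>\n'
        "To: treasury@example-pe.com\n"
        "Subject: quick favor\n"
        "\n"
        "Can you process a wire for me today? It is urgent.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The "bec" message is the case the interview describes: a brand-new sender the blocklist has never seen, so `blocklisted` is false, while all four heuristics fire. In production these signals would feed a scoring model trained across many tenants rather than fixed thresholds, but the features themselves are the same ones a human analyst would check by hand.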

How do you educate the AI so it knows what to look for?

Each technology vendor does it a bit differently. They intercept at the point where a user receives emails. Working with many clients, these vendors see incredible amounts of email traffic, so they can leverage that to look for changing patterns and signatures. Large email players like Microsoft have incredible troves of security information that they can leverage in their algorithms to fend off potential attacks. The more data, the more effective and powerful the screening techniques are.

Is senior leadership comfortable not knowing the details of how the AI works?

AI is a broad term, but we believe that many of the technologies incorporated in it are the next technology revolution and will result in business innovation. So, we should be using it as much as possible to be innovative and stay competitive.

I think the cloud revolution that came before this was probably harder to sell to alternative investment professionals, because they were worried about security and there wasn’t as much understanding. In this case, we don’t see as much resistance. We do need to consider how much access the technology firms we work with have to our most sensitive data and ensure regulatory compliance. We can handle that through comprehensive third-party risk management and due diligence.

How do data privacy laws affect how people handle cybersecurity?

I think they are actually complementary. There was a lot of uncertainty about GDPR when it first came about, but being GDPR-compliant ensures you are keeping a clean house. There are some nuances to privacy that are a little more administrative to ensure regulatory compliance, but much of what is required is related to what we were doing before. It’s about protecting information by identifying where it lives, classifying it the right way and handling the most sensitive data the right way.

How do you prepare your staff to avoid cyber-risk?

The journey is never ending because the cybersecurity landscape is ever-changing and evolving. Every organization is going to start from a different point. The first step is always acknowledging that there is a serious threat out there and ensuring all stakeholders are aware of this threat. This has become easier since people are seeing it in their everyday lives.

Next, the focus is on making them aware of how they can help be a part of the front lines. We're implementing tools that allow employees to report phishing quickly. We run phishing simulations and provide positive reinforcement to people who report things ahead of time. By having this reporting capability, we can react more quickly should there be a phishing threat. Also, we are teaching people via public service announcements to use good hygiene, like using a VPN when on public Wi-Fi, etc.

We are investing in technology as well to augment the training, thus giving employees tools that make it easy for them to be secure. For example, we ensure timely security patching and are implementing device trust to reduce the number of clicks required to authenticate, but still provide multi-factor authentication.

How do you come up with your cybersecurity policies?

We take a multi-pronged approach. We bring in experts to help review and make sure our policies are in line with what we need to be. But third parties alone cannot write policies because they don’t know our environment. In addition, all areas of the firm must work together to implement procedures that ensure we comply with our policies. Developing policy and procedure is very interactive across the leadership of the firm, compliance, legal, business functions and IT.

What are your predictions for future cybersecurity trends?

As more firms move to the cloud for various services and users do more on mobile devices, there are different sets of security requirements. The old approach was about keeping everything inside your walls and building a big moat around them. In the new world, much of the sensitive data will be outside the walls, throughout multiple cloud systems and accessed via mobile devices. It's a different paradigm and the way firms approach security will need to change. It will be less network- and firewall-centric and more about identity management, multi-factor authentication, monitoring user behavior and more to manage from a cloud perspective.