Dan Lattimer, Area VP UK & Ireland at Semperis: “The CISO role has evolved into that of a political advisor focused on risk”

Welcome to a brand new interview series, Threats, where we interview cybersecurity experts about what’s keeping them up at night. Our first victim is Dan Lattimer, Area VP UK & Ireland at Semperis, which takes an identity-first approach to cybersecurity.

Helpfully, one of Dan’s answers summarises this neatly. “When Active Directory and Entra ID services within the identity system are compromised,” he says, “the hackers have been given the keys to the kingdom and are free to siphon off vast amounts of proprietary data.”

It’s an area he knows well. Before joining Semperis, Dan was Director of Government and Defence, EMEA, at CyberArk, which also focuses on identity security. In short, if you have any questions about how to give your organisation resilience against phishing attacks – and vishing attacks – he’s your man.

But this interview isn’t a sales pitch. Instead, consider it an insight into the threats facing businesses of all sizes. You will discover the uses of AI for good and for bad, the challenges facing Chief Information Security Officers (CISOs) and the latest ransomware trends.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

I lead the UK team here at Semperis and have been in cybersecurity for 15 years now. As with a lot of people in cybersecurity, I got into it by accident. I found an interesting cybersecurity partner after university; I had very little understanding of what they did at the time, but they had a good management team. Based on them, I decided to join them. Since then I have worked with a number of vendors.


Ransomware attacks are pervasive and there is no end in sight. The recent seizure by law enforcement of prolific ransomware group LockBit’s assets and infrastructure was short-lived. In less than a week, they were back.

The debate about whether or not to ban ransomware payments is also ongoing. It’s been proven that organisations can’t pay their way out of ransomware, ever. More and more companies that pay ransoms are hit a second and third time because they failed to plug the holes in their network that led to the first successful attack.

In reality, the fight between defenders and adversaries is an around-the-clock battle. Whether or not a ban on ransomware payments was enforced, organisations need to realise that disruptions due to ransomware don’t have to be the norm. The right prevention strategies, including having a backup and recovery plan in place, are an essential part of improving operational resiliency.

Securing identity systems is one of the most crucial components of an organisation’s risk management program. When Active Directory and Entra ID services within the identity system are compromised, the hackers have been given the keys to the kingdom and are free to siphon off vast amounts of proprietary data.

What are the biggest cybersecurity challenges those in leadership roles are facing?

The CISO role has evolved into that of a political advisor focused on risk. No longer is the CISO selling through FUD (fear, uncertainty and doubt). Today’s CISO must be accountable for outcomes and have a firm grasp on the risk posture of an organisation. That involves explaining risk at a level everyone can understand, convincing boards and other leaders of issues, letting them know how you’re trying to control the risk and making clear what’s a true priority to protect.

The good news is that CISOs get a seat at the table, with the ability to influence and do more, but then below that level, they still need to have all the competencies to run the organisation’s security day to day. However, the challenge is that a lot of companies end up with a gap; the CISO is heavily elevated, the team below did not move up, and all of a sudden, things aren’t getting done the way they were.

Organisations need to be aware of this gap and make sure that they still have the ability to deliver. Part of this is down to making sure that resources and skills are used to the best of their abilities. Automation plays an important role in helping solve staffing shortages, making better use of employees’ time, and addressing the deluge of data teams are faced with.

What are some prevention strategies you believe every business should adopt?

Organisations must always have an assumed breach mindset. Building operational resiliency, including a backup and recovery plan, is vital to protecting critical assets of employees, customers and partners.

Companies can improve their operational resiliency by knowing what their critical systems are, including key infrastructure components such as Active Directory, and preparing for malware-free recovery in the event of a security incident. By reducing their most glaring vulnerabilities, defenders can make their organisations sufficiently difficult to compromise that hackers will look for softer targets.

For example, companies should monitor for unauthorised changes occurring in their Active Directory environment, which threat actors use in most attacks, and ensure they have real-time visibility to changes to elevated network accounts and groups.

What is it about generative AI that makes it so prone to exploitation by threat actors? Conversely, how can it be used for good?

AI is as alluring for cyber adversaries as it is for defenders. From an exploitation perspective, deepfakes, voice cloning, bot infestation of social media, and advanced and targeted phishing/vishing/smishing attacks create a multitude of risks that must be understood and mitigated.

As with any advanced technology, the proliferation of AI – on both the defensive and offensive sides – will force substantial skill rebalancing. Security engineers will need to understand the basics of machine learning (ML), model quality and biases, confidence levels and performance metrics. Data scientists will need to learn cybersecurity fundamentals, attack patterns and risk modelling to effectively contribute to hybrid teams.

As a force for good, AI can be a powerful multiplier for cybersecurity practitioners. It can process vast amounts of data, find connections between distant data points, discover patterns and anomalies, detect low-and-slow attacks, predict attack progression and perform many other tasks that are beyond the capabilities of even the most experienced human analyst. Plus, AI can do all that at computer speeds, which is critical to defend against scripted attacks.

What’s something that has drastically changed about cybersecurity since you first got started in the field?

The speed at which cyber adversaries can harness the power of generative AI to overcome the latest network security tools presents a significant problem. With the ability to adapt and evolve at a pace that often outstrips traditional security protocols, these adversaries leverage generative AI to create sophisticated malware, phishing schemes and other cyber threats.

The speed with which they exploit vulnerabilities and breach companies underscores the urgency for continuous innovation and collaboration within the cybersecurity community to stay one step ahead in the perpetual arms race against cyber threats.

Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.
