CISO Stressed Episode 7: Matthew Dunlop CISO at Under Armour

On this episode of CISO STRESSED, Elizabeth Wharton is joined by Matthew Dunlop. Matt is an Army Veteran and VP CISO at Under Armour, responsible for global security across all corporate, retail and eCommerce functions, as well as its connected fitness application MapMyFitness. Liz and Matt discuss the challenges facing CISOs, prioritizing ransomware defense, and how to condition company employees to truly care about security.

Show notes:

(4:29-6:52) If you’re building your business continuity plan that is based on the threat actor or the threat of ransomware, where do you start building? – Liz

A tornado came through Nashville, and it cut out power at our Under Armour store there. We got lucky that it missed our actual facility, so we weren’t that impacted, but it is a different type of resiliency. Are your systems on the same network? Power outages? If it’s a ransomware attack you must ask, did you just give the bad guy access to all your backups? So, it’s different. How do I switch over from a ransomware attack to a disconnected backup facility rather than from a normal connected facility? Those are the kind of exercises you start having to go through, and then you start asking yourself, well, what’s my backup strategy?

(6:25-6:52) “If you’re following a fairly standard backup strategy, the bad guy probably knows what the backup strategy is and can either wait it out or predict it.”

(6:52-7:08) “The bad guys are going to pause, because they’re waiting for you to do X, Y, and Z of your game plan.” – Liz

(8:05-9:53) “When we talk about business continuity, we think of money being lost or the services. The reason we’ve seen a lot of these industries get attacked is because they know that they really have little choice in the matter. We are now seeing ransomware attacks against medical facilities because they can’t afford to have any down time. From the business continuity perspective, the ability to have a backup and to fail over to that is expensive. For a lot of companies, it’s not that they’re not prepared or not thinking about it, it’s that it’s extremely difficult to afford to do that. Especially when we consider that a number of healthcare facilities struggle just to keep the right equipment for patients.” – Matt

(9:53-12:23) How do you build more resiliency within your organization? – Liz

“One of the most difficult problems for a cybersecurity professional is quantifying the risk.” – Matt

What is the probability of this attack happening vs. the cost? It’s easy to say that, well, if every single thing protected and us getting shut down it’s going to cost us x amount of dollars per hour. It’s about finding that balance and us being able to say, hey, this vulnerability has about a 35% chance of being exploited, and that’s a very difficult task for a CISO.

(12:34-15:45) “It’s all about the path of least resistance.” – Matt

If the board came to me tomorrow and said, Matt, where do you need the most money, I would say keep your money, let’s focus on awareness and teammate training. All it takes is a couple of teammates clicking on a couple of phishing emails. If you can raise awareness you’ve taken a huge step in strengthening your infrastructure.

“90-98% of all cyber incidents are the result of employee error.” – Matt

(15:51-17:31) One of my current challenges is that we have the policies, but I don’t know that half the teammates know where to find them. I’d go so far as to say that about 70% of the people don’t know where to find them. We are working on building out a consolidated policy page, but do you really think anyone is going to look at it? Do they know it, do they remember it, and will they do it? Those are the questions you hope the answer is always yes to.

“You’ve got to dedicate your efforts to making security everyone’s responsibility and getting everybody interested in helping out and fixing it.” – Matt

I always laugh when I get the phishing emails that are allegedly from the CEO saying I can’t find your phone number.

(19:13-19:54) Business email compromise takes the top spot for ransomware access most of the time. When you ask your employees, what would you do if you got an email from the CEO saying I need you to go buy ten iTunes gift cards, scratch the back and read it off to me, but I’m in a meeting and can’t be bothered - they all laugh and say no way. But if you ask them, now what if you got an email from the CFO that says hey, I’m in a meeting right now, can you send me the first quarter financials? 90% of the people would do that. And that’s much more damaging than ten iTunes gift cards. We must educate the employee base to stop sending sensitive data via email, period.