Morgan Stanley’s Rachel Wilson on the democratization of cybercrime

Rachel Wilson’s stellar security career has seen her hold several senior leadership positions at the National Security Agency (NSA) and become the first head of cybersecurity for Morgan Stanley Wealth Management and Investment Technology, where she now works to protect the organization’s systems and data and advises leadership on key cybersecurity issues.

Wilson was opening keynote speaker at the recent CSO UK Security Summit where she reflected upon the biggest changes in the risk and security landscape and how CISOs must respond to lead teams and embrace emerging opportunities. What follows are highlights from that presentation.

Democratization of cyber capabilities

The last two years have brought about significant changes across the risk and security landscape, impacting organizations on several levels, Wilson said. “The real change over the last two years has been the democratization of advanced cyber capabilities. The vast majority of malicious cyber activity used to come from nation states—governments hacking governments. That’s changed, and we know that 70% of malicious cyber activity on the internet now is financially motivated.”

Cybercrime is increasingly more opportunistic in nature, with losses due to cyber-enabled theft and fraud skyrocketing in the last 24 months or so, Wilson continued. “We’ve also seen the rise of cybercriminal syndicates, where traditional organized crime rings are using cyber means to conduct crime, operating at a scope, scale, and velocity that is mindboggling. This is leveraging the exposure of very advanced cyber tools, tradecraft, and tactics that anyone can learn over YouTube.” These factors have dramatically changed the job for all in the CISO space, she added.

Pandemic a “boon” for security

The nature of cybersecurity has been significantly impacted by the shift to remote and hybrid working introduced by the COVID-19 pandemic, Wilson said. “The CISO community has always been committed to enabling businesses, but on that morning in mid-March 2020 when we realized we would be sending the entirety of our workforce home, a lot of us were summoned quickly before our board of directors and asked how we were going to do that effectively and securely.”

Wilson reflected that this made her and fellow security leaders far more conversant around security concepts such as multi-factor authentication (MFA) and zero trust that have had to come to fruition very quickly. “As much as that has been stressful it’s also been fantastic. Things that we have been pushing for years around second factor authentication or the idea that we don’t need to be persistently storing customer/client/propriety data—if I can make virtualization work from home, why can’t I make it work from anywhere, including in the office?” The hybrid environment that is here to stay has been a “real boon” for many CISOs that have been able to push an agenda that was once aspirational but is now existential to the organizations they support, Wilson said.

Taking a cloud-first approach

CISOs and businesses should now be fully investing in a cloud-first approach, Wilson continued. “If we’re thinking about end-to-end resilience of our platforms, why would we want to be limited by data center capacity and the human beings we employ? The cloud-first agenda is really amplified by the pandemic and remote work environment.”

Patch cadence is another area in which organizations need to be shifting mindset, Wilson said. It’s the bane of a CISO’s existence to consistently go to the technology and business leadership and explain the importance of patching the latest vulnerability. “I’ve felt like the girl that cried wolf for so many of the last few years, but I think the management across the board get it now when we say we can’t wait for the normal 30-day patch cadence and although a mid-day reboot may cost us money, it’s going to cost a heck of a lot less than a ransomware attack we’ve observed in so many other places,” she added. Things that would have been considered very good cybersecurity hygiene two years ago are now basic standards.

Security as business enabler

The cybersecurity function is increasingly becoming a business enabler with CISOs driving security-business cohesion through communication, Wilson said. “We are finally getting a seat at the table early and often; we’ve got security folks coming in right in the early stages and formation of user stories and talking about how to build in great security that also enables great business functionality.”

There’s also a recognition that security needs to be deeply engaged with the wider workforce, Wilson added. “In the past, I would have spent a lot of time with the infrastructure and application developments teams—but now I’ve got to spend time with everybody. Every single end user is both my greatest point of risk and my first line of defense.”

Embedding a “see something, say something” culture in everybody’s thinking and job functionality makes a big difference, and CISOs need to embrace socialization awareness among the workforce by balancing security messaging, Wilson said. This is where the modern CISO’s ability to effectively communicate cybersecurity becomes paramount and a skill that security leaders simply must adopt, she continued. “CISOs need to be talking far more than many of us want to be. Maybe that’s not in our nature or how we grew up, but now it’s key to what we’re doing.”