Susan Koski, CISO. Photo: Cybercrime Magazine

CISO Report: What Did You Learn About Hackers During The Pandemic?

Tailor your security spending to your risk appetite, PNC Bank CISO Susan Koski advises

David Braue

Melbourne, Australia – Mar. 2, 2023

The CISO Report is sponsored by KnowBe4.

“Well-funded” cybercriminals spent the pandemic methodically honing their industry knowledge and remote attack techniques — and as increasingly businesslike cybercriminal gangs target U.S. organizations, the CISO of a top-ten bank has warned, company executives must respond by focusing security investments where they will provide the biggest impact.

Cybercriminals “have learned the banking system incredibly well,” Susan Koski, CISO with Pittsburgh-based PNC, told Cybercrime Magazine, “but they also perfected their craft during COVID.”

“As we had to do more and more things without seeing people, they’ve been able to really [improve] their tradecraft, and execute on that.”

“Criminals run this as a bonafide business,” she added, “and they’re looking to take advantage of any gap in the system to monetize it for their gain.”

As the CISO of one of the largest banks in the U.S., Koski — a veteran of Synovus, Aetna, and BNY Mellon who took over the CISO role last October after five years helming the PNC’s security and enterprise response, operations and fraud operations, and as a divisional CISO — has seen her fair share of cyberattacks.

In a climate of escalating cybercrime, financial services companies have been prime targets for financially-minded cybercriminals: Verizon’s Data Breach Investigations Report (DBIR) 2022, for one, recorded 2,527 cyber incidents against banking targets during 2022 alone — nearly seven per day — with 690 cases of confirmed data disclosure.

Given the highly sensitive nature of the data they hold, banks have been working hard to maintain and enhance their cyber defenses as criminals’ modus operandi changes — and the FDIC has been actively engaged with the industry, as it shared in its recent 2022 Report on Cybersecurity and Resilience — but effective security, Koski said, requires more than just throwing money at the problem.

“Your security spending really has to keep up with your risk appetite,” she explained, “and it’s really based on the risks and the threats that your company faces. But you also have to spend in the context of what your company is doing, what your senior executives require, and what your board requires.”

That may, for example, mean prioritizing budget for governance tools as well as coal-face security systems — but in each instance, security executives should be careful they don’t overcommit to follow the time-tested model of spending big on security point solutions.

“It’s not just about spending on tools,” Koski explained. “We security professionals have tended to go for best-of-breed solutions, but if you buy a tool and you can’t operationalize it, then it becomes shelfware.”

Look for integrated solutions, she advises, such as an email defense platform that also includes integrated security awareness training capabilities so that detected errors can be rapidly turned into teaching moments.

This also means opting for platforms that integrate automation capabilities — a capability that is proving crucial in boosting employee retention by reducing the often overwhelming stress that keeps cybersecurity industry burnout rates exceptionally high.

“I am passionate about people and how we can really be innovative and efficient in what we do in security,” Koski explained, “so that our people can do the more interesting and curious work that they want to do.”

“We really try to help automate the mundane so that they can open their minds to do that more curious and interesting work.”

Finding the right people

Yet finding the right tools is only part of the solution, Koski said. In a market where the stubborn cybersecurity skills gap continues to be a “tough” problem — some 3.5 million cybersecurity positions are predicted to be unfilled by 2025, according to Cybersecurity Ventures — employers also need to be redefining their market expectations and recruitment approach.

Cloud skills, for example, are “more difficult to find and more lucrative than some other skill sets that we look for,” she explained. “As leaders, we have to be more creative, and more innovative.”

That means, for example, reconsidering expectations that job applicants have four-year college degrees, or recruiting people who have demonstrated capability in cybersecurity-related skills — such as pattern matching — but may not necessarily have years of experience in cyber roles.

Many companies continue to shoot themselves in the foot due to their poor choice of words in job descriptions, Koski pointed out, with many positions claiming to be “entry level” but requiring years of experience.

“We have to be really cautious of how we deliver that message,” she explained, “because it’s truly not entry level if you’re saying that [candidates] need that much experience.”

In a similar vein, resetting expectations around cybersecurity candidates also means engaging with candidates as early as the school years — promoting cybersecurity as a career to audiences of students that often have very little idea about what cybersecurity jobs actually entail.

“We have to be creative and innovative,” Koski said, “and we have to pull all of those levers to look at non-traditional ways [of recruiting].”

“If we’re going to invest in entry-level folks, we are investing in them — but we’re also allowing them to think outside the box and look at problems in a completely different way.”

“It’s incredibly important to just have people be aware, but to do it in a way that really connects with the business — and isn’t just a bunch of technical jargon.”

That also means being proactive about recruitment, maintaining ties with future potential employees, and knowing who is emerging to prominence in specific domains of the cyber experience.

“I always tell my team that ‘you should know your craft, and your specific information security domain,’” Koski explained, “and really have a bench — so that when you do have opportunities to fill positions, you’re really not starting from scratch.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

Sponsored by KnowBe4

KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.