Security start-up Prescient's VP of Cyber, Stefanie Drysdale, joins Niki in the studio to talk insider threats, whistleblowers, and bug bounties. She gives a pulse check on developments inside and outside the security business, including her fears for the future of the cyber industry if we lose focus on who the bad guys are.
Niki: I’m Niki Christoff and welcome to Tech’ed Up.
Stefanie Drysdale, VP of Cyber at a corporate intelligence firm joins the show today to talk all things security. She shares her perspective on insider threats, whistleblowers, bug bounties, and a new reality: the execs managing information security can now face personal legal liability for business decisions made in the C-suite.
Niki: Today in the studio I have Stefanie Drysdale, the Vice President of Cyber at Prescient. Welcome from Chicago. You're here in Washington.
Stefanie: I am. Thank you. Thank you for having me.
Niki: It's so nice to meet you in person. We know each other through this professional connection. I'm an advisor, which means I sit in on monthly meetings with your firm and try to see how the more my world of tech can fit in.
But I think the work you guys do is really cool. So, let's talk for a minute about your job and then what the firm does.
Stefanie: So, yeah, Prescient is a global risk mitigation firm, right? So we do, we have four practices.
We have a due diligence practice, which does everything like preemptive to a deal. So, if you're, you're hiring high-level executives or if you're doing an M&A deal or any kind of due diligence around private equity that touches in there, investigations. So, anything post-event litigation, support, asset searches, that kind of thing, intel, which is the research arm of what we do. Travel intel, business intelligence, emerging markets, and then cyber, which is where I spend the majority of my time.
That covers a lot of ground. We have consulting services, but we also do threat attribution, executive digital protection, which is my baby. And then, we have digital forensics and incident recovery and all of those things. So, yeah, we cover quite a bit of ground.
Niki: It's a really cool monthly meeting because for me, I'm, you know, I sit here with all these policy nerds, and then suddenly I'm with a lot of former law enforcement, including people based in Ireland, and everyone's talking about protecting executives and companies. And the executive protection work is really interesting when you look at like what's happening online and the threats to people personally.
So, that's what you work on. Tell me a little bit about how you ended up doing the job that you're doing.
Stefanie: So it, I would love to tell you it was this like great plan I had that worked out exactly like I hoped, but it was really just a really happy accident. I had been mildly visible on LinkedIn, and had been approached by a head hunter, and he had asked me if I wanted to come interview with Prescient.
And I had been in commercial real estate. I was going from the Kansas City market to the Chicago market, and you know, that, that kind of thing is almost like starting over [Niki: mm-hmm]. So when [Niki: it's a huge pivot] It is! Because I didn't know the area. [Niki: Right] I, I still candidly don't know all of the parts of Chicago, my suburbs, and all those things. [Niki: Yeah]
But he had asked me if I would go talk to them. And strangely, at the time, I always tell the story, that I had laryngitis. So, I sounded like Barry White [Niki: chuckles], and he's like, “Can you go tomorrow morning and talk to them?” And I was like, “Absolutely!” So, I show up and I just loved them. Y’know, they were so bright.
Everybody had things that they were incredibly good at, and they were wanting me to introduce Prescient to a commercial market because they had started here outside of DC in McLean. They had done a lot of federal work and then it was their time to kind of launch the commercial part. And so, they wanted to bring in someone like myself and I was, I was down. [Niki: Yeah] I was excited.
Niki: When did it translate between their sort of world, which was very like law enforcement intel heavy into commercial. [Stefanie: Yeah] So, you have, you have an active LinkedIn presence and you also have a weekly podcast where you break down kind of the headlines of the week.
Stefanie: Right. Right. So, that, we didn't really know what we were gonna be doing at the time, and, and I really had to learn the market as I came into it.
So, it was, it was all kind of fresh for me at that point and to, y’know, the earlier point, I didn't, no one knew who Prescient was. I would talk to people and they would say, “Who? Precious?” [Niki: chuckles] I was like, “No, it's Prescient!” But we would, we would talk and, y’know, start the conversation.
And LinkedIn became a way that we could connect with people anywhere, right? Rather than just people in Chicago. So, from that point, we just kind of started branching out and, y’know, I think, at first, people were reluctant to talk to someone that they just met online, which I encourage all the time. So I, I've created my own monsters. Right.
Niki: You want these people to be careful that they're not exactly being catfished. [Stefanie: Exactly!]
Niki: Okay. You don't have to talk about this if you don't want to. I don't think even once in the history of this podcast we've ever talked about how somebody looks and how that affects their job,
Niki: But we should do it. Okay. [Stefanie: Okay.] I think so, cuz it's relevant.
Stefanie: I hear you. It is, it's part of it, right?
Niki: It's part of it. It's part of both- I mean, one, it's, it can be a burden to you sometimes. And two, it results in [interrupts self] Tell, tell people this, like what people say to you online. I mean, it's crazy!
Stefanie: So, before we did any kind of video content and people like had actual live verification of, of who I was and they knew people that knew me. I, in the beginning, no one knew who we were. No one knew who I was.
And here I am, reaching out to Heads of Global Security at all of these firms. I'm reaching out to CEOs, all of these, y’know, Fortune 100 companies. And I would talk to people online and sometimes people would, would not talk to me, understandably.
And then there would be times where I would agree to meet people and they would, y’know, they would actually schedule a time, and I would show up, and they'd say, “I really thought that you were a Russian spy. [Niki: laughing] I did not think you were a real person. I thought this was like a honey pot. [Niki: laughing] I was either going show up and, y’know, get knocked over the head or drugged or y’know, you're gonna come and be this, y’know, Russian spy that would like, trick me into divulging secrets.”
And it's like, wow, that's, that's a lot.
Niki: Like, you're like, “I look like a Bond girl. I'm actually from Kansas, [Stefanie: laughs] and, no, I'm just like a regular person.”
Stefanie: Yeah, for sure.
Niki: But, but you're not wrong. People should be cautious. But I just thought the first time you told me that I thought, it's it. I guess I get it, but I wouldn't have thought that looking at you. But in this business, you're dealing with a lot of people, men, [Stefanie: right] They're buying cyber, services for their CEOs and, like, who knows what they're thinking.
So, in any event, you have this podcast, it's video content, hashtag notaRussianspy.
Stefanie: I don't use that hashtag very often, but yeah, we, we've thrown it out there as a joke every now and then. But no, we started doing that, y’know, it was crazy, just to kind of put my face out there to be like, “Okay, I'm a real person.”
Niki: Yeah. “I'm a human too!”
Stefanie: Yeah. And then, y’know, all the conversations that I was having with people internally and my clients and, industry leaders, we, we had really great conversations, and we would say, y’know, have you, you've seen this new scam, this new article, this new news story, whatever. And we would just start emailing it to each other and I would send it to other people.
And finally, I just thought. Why don't we open up this conversation to include more people? Y’know, this would be a great opportunity to be a fly on the wall for someone to sit down and listen to CISOs and CEOs and CSOs just talk. And so that's kind of how it, how it came to be is we started creating content and, y’know, sharing content that was relevant that we could, y’know, start the conversation.
Niki: And one of the things that's cool is sort of in the headlines, there'll be things that don't seem related to cyber but are. [Stefanie: Mm-hmm] Maybe you can give an example of something you've talked about.
Stefanie: Yeah, I mean, we, we touch on a lot of issues, and again, periodically and especially through the pandemic with, y’know, relevant news stories and things.
We'll touch on things that are in the, the diversity, and equity, and inclusion space. We'll touch on women in tech or women in security, or women in cyber. Y’know, at first glance it seems perhaps indulgent or, y’know, something that's, that's just my issue. But what we've found is that a lot of our subjects, our CEO subjects and principals, they're getting more targets aimed at them because of their decisions as it relates to how these people function in their workplace and whether or not they're thriving. So, if they're not thriving, and if there are issues, whether or not it's making someone come back from remote work before they're ready, or whether it's, y’know, their leadership, y’know, diversity. All of those things create a higher risk profile for these executives.
Niki: Oh, interesting! Meaning, like, if you have, if you have disgruntled employees, you suddenly have a vector into your company from bad actors potentially.
Stefanie: Exactly. You have an insider threat is what you have.
Niki: You have an insider threat.
Stefanie: Right. We we're building a lot of insider threat programs that just really focus on, you know, a converged model, right? Y’know, historically you've had very siloed models, so you've got, y’know, the, the security team that looks at something, and then you've got the IT folks that look at different things.
What we're encouraging is there to be some type of convergence where, let's say you've got an employee that flags through HR. [Niki: Mm-hmm] And during that, y’know, they're like, okay, they're, y’know, they're harassing their, their coworkers or they're, they're seeming a little whatever.
So, then the information security team will look online and say, “Wow, these people are participating in some extremist groups here.” You know, this is, there's some, you know, religious extremism or some misogyny and you know, some incel groups or things like that.
Niki: [interrupts] Incels! Sorry. I don't know. Every time someone says incel, it is just a trigger. Apologies! Excuse me.
Stefanie: It's a trigger for, for everybody, but it is, it should be a trigger for everyone.
Niki: It should be a trigger. Everyone should have that. It should be a central nervous system reaction.
Stefanie: Yes. Yes! That should be a core thing. Like, “Why don't you like humans?” Right?
Niki: [laughing] Or, “Why don't humans like you?”
Niki: Ask yourself-
Stefanie: Maybe it's you!
Niki: The incels with the self-reflection of a vampire.
Niki: So, this is actually really interesting. I think there are some people who feel like “My company is doing bad things and therefore I should be a whistleblower.” And I have, definitely a more establishment view, which is if you are at a money-making enterprise, y’know, public company, and you don't like what's happening, leave. Now, I know not everyone has that privilege to do that in the way that I might do it. And in fact, to be clear, I have done that [chuckling] Like, I have literally left because I disagreed with a DEI policy, kind of publicly. [Stefanie: Right]
But, but not everyone can do it that way. But I do, as someone who's been at the top levels of these companies, when you're hurting the company, you're hurting your fellow employees.
So, I hate leaking. When I was at Uber, we'll talk about Uber in a second. When I was at Uber, and I was doing, I was supposed to be doing public policy work, and it turned into crisis communications work. It's not that I think the leadership at the time was making all the right decisions. [Stefanie: Mm-hmm]
But I, I felt very strongly that employees leaking or sabotaging the company, it just ended up hurting the drivers, the other employees, and the business itself in a way that was not constructive, in my opinion. [Stefanie: Right] But it's absolutely a threat that exists not just in start-up world, and not just in tech world, but across all corporations right now.
Stefanie: I mean, the, the whistleblower thing is there for good reason, right?
I, I think there are situations where it's been the only option, y’know, and I think that to your point, to try to effect change from within, to try to do it in a cooperative, collaborative sense, but to also acknowledge, y’know, it's, it's not my company. So I do have, y’know, the, the choice to come or go, just like I, I can buy something from the company or choose to not buy from them.
But yeah, I mean, there, there does come a level of accountability. I think that if everything's been exhausted and people are being abused, then I, I think there has to be some type of accountability.
Niki: Yes. And shout out right now to my friend Ify who has done amazing whistleblower work. [Stefanie: Nice] Including that she helped pass a law in California that you can't have people be forced to sign an NDA to settle. And it used to be you just signed an NDA, make it go away, get on with your life, but then nobody hears about it. [Stefanie: Yeah]
So, can you get, though, that legal recourse and still be able to talk? So, you're right, whistleblowing is incredibly important to have those protections as a, certainly as a last resort.
Stefanie: Right? Y’know, there's a recent news story with another sexual harassment situation. It, it reeks a little too much of the Harvey issue, but, it's where people are let go from positions, but because they're let go with NDAs and all of these things then, y’know, other people that are friends with them or, y’know, that in that bro-climate, they'll go ahead and rehire them. And then the cycle just perpetuates [Niki: Absolutely] again and again. It never quite stops. So, having a whistleblower who, again, maybe the person was let go and they're still able to, to stay on at their job, but the perpetrator still continues to wreak havoc everywhere they go.
Niki: Right, because it's covered in a nondisclosure agreement. Sometimes even in a situation I was in, like sometimes the NDA is tied to you getting any compensation to move on with your life. [Stefanie: Yes] And so, that puts people in essentially a hostage situation. [Stefanie: Yes]
Now, set that aside. What you all are doing and what you're doing is helping the CEOs find these threats early and manage the, the threats to the system itself.
Stefanie: Right! And, and to, y’know, just keep their finger on the pulse. I always describe things, y’know, I, I like tangible sense, right? So if, if you're looking at threats or valuation or anything like that in a property, you're going to not just look out the front door, right? You're gonna look out the back door. You're gonna look at the basement. You're gonna make sure that the, the roof isn't leaking and all those other things.
That's what the cyber world is, right? You've got, like, dark web in the backyard. You've got, y’know, all this cyber world, y’know, the roof and the, all this stuff has to kind of be checked to make sure that you know, one, what you're getting into if this, this is an evaluation situation. But also, if you are the CEO, and you are responsible for leading this group of people, and you have no clue what the chatter is on your company, on the dark web or anything like that- you have a blind spot. [Niki: mm-hmm]
Right. And it may not be significant, or it might! [Niki: Or it might be] We have a healthcare client who suffered a breach and as part of their ongoing monitoring, we, we kind of keep our finger on the pulse for them. And in doing so, discovered that someone had offered up checks, y’know, for sale.
And, of course, they show the redacted version online until you purchase it. And then, you get the, the full version of the check that you can just write, y’know, write yourself, y’know, payment out of all of their little accounts through these things. And again, it, it's not like you can go to dark web criminals and just say, y’know, “Excuse me, sir? Why don't you take that down?” [Niki: laughs] “Thanks so much. I'd like an opt-out request.”
Niki: And there are gunslingers. Like, people maybe don't wanna think about it, but there are people looking for every which way to get your information, [Stefanie: mm-hmm] extort it from you, or just trick you into it.
I think there's a lot of, we've had folks on the podcast talk about, y’know, when you're working from home, you don't have some of that same cyber hygiene that you have when you're going into the office badging in [Stefanie: mm-hmm] You know, you've got a closed environment. It just creates more risk because everybody is also on their regular personal email, and so just, you kind of let your guard down.
Stefanie: Right. And, and sometimes it's easier to, y’know, check your email from one computer versus another, and your kid takes off with your iPad or something like that. And y’know, it, it seems fairly innocuous until it's not! [Niki: Right] Right!
And that's where I think teaching people that “yes, we're, we're adding extra steps and layers to your processes. And that totally sucks. And I'm really sorry that it has to be this way, but these things are there to protect you.” And I think the easiest way is to teach people about their own personal safety online.
Niki: So there are the sort of, like, insider threats, and then there's just people who just make mistakes. [Stefanie: yeah] Like, they're just not thinking. And then, they've let in this huge [Stefanie: yeah], y’know, these cyber criminals into the organization. And then that's so costly!
Stefanie: [interrupts] Well, you don't want, you don't want people laid off of work, right? When you, your company, y’know, if your company is a multi-billion dollar company, that's one thing, but a lot of companies aren't, and the ones that aren't, y’know, there are many that have been put out of business by cyber attacks or ransomware situations.
And to know what you know your role is. I always tell people that if you touch technology, that you are somewhat responsible for being a cyber expert, at least to a degree. [Niki: Mm-hmm] right? You have to know what you're touching or don't touch it. It's like, y’know, getting behind the wheel of a car. Like, you have to know what you're doing enough to be safe.
And then, y’know, again, it applies to your personal stuff. So, if you think about it in terms of protecting your own bank information, all those things, and just don't click on stuff and go around, go to the source, right? If your bank sends you an email and you're not really sure, just log into your bank app. [Niki: Exactly!] Right? Just go check it.
That way, if you have a notification or a message, go directly to the source and then kind of bypass that. And if you treat your company the same way, then, y’know, it's just kind of habit. It's habit everywhere.
Niki: Okay, let's pivot really fast. You talked about ransomware, and I don't wanna go too far into this rabbit hole, but I've seen you talk about it, and I have some thoughts on it. But Uber recently just had a very high profile case, in which the Chief Security Officer of the company, from during a time when I worked there, faced charges related to ransomware. And I, you don't, we don't have to even necessarily talk specifically about those actors, but just the role that the head of cyber plays in a corporation and liability attached to that role, how it's changed.
Stefanie: Yeah. It's, to me, it's really sad how this has become something where the, the criminals and the attackers are, are secondary to blaming the company and the, the principals and the, the stakeholders. Obviously, there's responsibility. Obviously, there's an expectation of duty of care, whether that be for resources or for bodies, right?
So, in that particular situation, y’know, there are so many gray areas that apply to tons of other companies. Y’know, this was years ago before we had a lot of expectations for how these things were supposed to be reported. There was a little gray area in terms of ransomware versus greedy bug bounty, right? [Niki: Can-] Y’know, it wasn't a clear bug bounty, but it was greedy.
Niki: I just interrupted you [Stefanie: no, no] to explain what a bug bounty is to people [Stefanie: Yeah], cuz not everybody will know.
Stefanie: So, a bug bounty is something that companies will offer to people and say, “Hey! Y’know, Niki, if you find a vulnerability in my stuff, I will pay you to tell me first so that I can fix it. And I'd rather you tell me than a bad guy tell me.” [Niki: Right!] You're basically paying hackers to try to hack you.
It's, it's, it's what we do with executive digital protection, right? Y’know, I will go out, I will build a dossier on you. I will find all of these attack vectors on you, and I will tell you where they exist so that you can take 'em away, fix 'em, restore them, bolster them, whatever you need to do.
But it's better coming from a good guy than a bad guy.
Niki: Right! Now, in a perfect world, and actually by the way, the Pentagon has done bug bounty programs [Stefanie: Yeah] to, to great effect. [Stefanie: Yeah] But in a perfect world, you would basically say that you're doing this, not be told by a hacker that it's happening to you. I think that's sort of the difference in this fact pattern a little bit.
Stefanie: Yeah, it's, y’know, the other thing too is, y’know, there were times where Intel teams weren't super capable of attribution [Niki: mm-hmm] to identify their attackers. This was a really bright team. They, they identified their attackers. Y’know, there are a lot of situations where they just negotiate blindly.
Y’know, the other significant thing here that, that I don't think is talked about enough is there have been subsequent breaches for this company in particular where data was actually exposed. This particular thing was mitigated.
So, we're blaming someone for this gray area in a time that there weren’t a lot of rules, where they could not have made this decision alone, and they had to have buy-in from leadership. They were told, “This is how this is gonna go down.” They, they carried out the thing that they were supposed to, and years and years later it was called into question. And now, there's personal liability, and there are whistleblower protections. Again, I, I think whistleblower protections are super important, and they need to happen, but I, I feel like we're forgetting who the bad guy is here.
Niki: Right. So, okay.
Just to get, be a little more specific, cuz a lot of our people who listen to this don't know the ins and outs [Stefanie: Yeah] of, like, the Uber situation, but essentially there was a vulnerability with Uber’s system. There were hackers that were anonymous. The security team at Uber figured out who they were and literally paid them off to get what they had found. That was a decision. To your point, absolutely at the highest level, nothing happens at those, nothing happens at any founder-led company where the head-
Stefanie: [interrupts] You don't write a hundred thousand dollars check [Niki: Without talking to the founder] without a lot of buy-in!
Niki: Right? And so, then that happened. Now, fast-forward, there are more data breach expectations that you would report what had happened. You would look more at, y’know, we're thinking more about the way that sort of incentive structure should be.
But your point is instead of focusing on the original bad guys, bad acts, or even broken system that was repaired, and that there was no harm or data leaked beyond that limited fact pattern, you now have an individual who's from the security world, who like is a former prosecutor [Stefanie: mm-hmm], and that's a lot of people in this space who are former law enforcement [Stefanie: Yeah], they end up going into the private sector. They now face personal liability for corporate decisions. And I think your point, which you just said, is like, “Let us not forget the bad guys!”
Stefanie: Yeah. And this is my other thing too. In this situation, who's the victim? [Niki: Right] We, we don't have a victim. The government's the victim here. The only victim, cuz they were lied to; the consumers were protected.
Niki: Oh boy! It feels weird to say the government's the victim. [chuckling]
Stefanie: Who else is the victim? [Niki: Right] Right?! The consumers were protected in that one. [Niki: Yeah] The company ultimately was protected in that one as best they could. Who's our victim?
Niki: Right. It's so fascinating! Anyway, I just wanted to touch on that because I think people are gonna see increasingly, one, you don't want to have a chilling effect on talented people going into these roles, which are so important, if they think they're gonna face personal liability [Stefanie: mm-hmm], for corporate decisions. This is not a director of the company.
Stefanie: [interrupts] And they already have such a short tenure. [Niki: Right] To, to have a CISO in a position for an average of, of 18 months. And if we have a year-over-year difference where they increase that by six months, we're all dancing in the streets. So you've already got an understaffed, you know, skill shortage in the cybersecurity world.
Niki: Because they get burned out?
Stefanie: There's a shortage to begin with [Niki: I see] of people who actually have the skills to be able to do this type of work. We're now raising the stakes and expecting them to have business acumen so that you can communicate what you do to the CEO. So, are you a good communicator? Do you understand, y’know, the business role of it? Do, are you an empowerer? Are you the “Office of No?” [Niki: Oooh! Yeah, yeah] So we get into all of those things, right?
Niki: “The Office of No”, sometimes I think I'm “The Office of No”! Sorry, clients! [chuckling]
Stefanie: No, you have to, you have to obviously set up some guardrails, but you know, the goal is to empower the business. The goal is to create visibility to where you need to go. We always say that with due diligence, y’know, I never want to freak people out, but I want them to go in with both eyes open so that they can structure things in a way that protects them. [Niki: Yeah] And that makes them feel like they're going into a situation, knowing what they're getting into. [Niki: Yep]
Niki: Very good! Well, it's so good to have you on. I know you're here for a conference and other activities, but we've met, we've seen each other for more than a year on Zoom, so thank you so much for taking the time.
I appreciate the work you're doing. I know I'm, I'm not a paid advisor to Prescient but I like to hear what you guys are up to cuz it's so fascinating and see if there's any way I can plug in cuz it's really good work, and it's a growing, growing firm, and a startup.
Stefanie: It is, it is. Absolutely. And we love having you and we love your insight and, and it's great. I'm glad we finally got to meet and sit down and talk.
Niki: And that’s a wrap for 2022! We’ll see you next year with the first Tech’ed Up episode taped live from the floor of CES in Las Vegas with our guest Sheila Warren, who will be talking all things crypto. She's got smart takes on all the things happening (and that's a lot of things).
I'm looking forward to a new year talking to thinkers and tinkerers. And if you have ideas for guests or feedback on how to make this show better, please reach out. I want it to be a fun listen and I'm still learning the ropes. I'm grateful to all of you for tuning in this year!