Meet Jason Rebholz. As Corvus’s CISO, he’s responsible for a lot of the behind-the-scenes work that keeps our organization and our policyholders safe. You might recognize him from his daily cybersecurity updates and insights on LinkedIn (he’s a star!) but to us, he's a go-to cybersecurity expert best known for simplifying the trickiest and most technical concepts.
Join us as we discuss his career background, his journey to cyber insurance, and his hopes for the future of cybersecurity (hint: it’s about empathy). Find out the rest in our latest Corvus Q&A.
What do you do when you are a self-proclaimed nerd in high school with a love for puzzles? First, you get really into speed-solving Rubik’s Cubes, emphasis on the speed, with a record of 41 seconds. Then you expand your strategic horizons. For Jason, that meant discovering programming (and then quickly realizing it wasn’t for him).
“[Programming] was something I could do, but I didn’t have that passion for it. My teacher at the time, who is still a great mentor to this day, introduced me to the concept of computer networking. I started doing research on that, stumbled into the security aspect of it, and fell in love.”
But solving puzzles and computer networking weren’t his only career inspirations. Next, he became “the nerd in high school who loves debate club” — his words, not ours. With a combined passion for solving complicated things and effective communication, his career trajectory started to become clearer. Cybersecurity expert, with a side of executive team whisperer?
“I found I had a unique ability to translate complex technical topics so that normal people can understand, specifically business people. When I was doing consulting early on in my career, I could go deep on the technical side — but I was also the person that could explain our findings to a CEO. Having the ability to translate those things has been the most important skill set in my career.”
A major obstacle cybersecurity professionals face is the communication barrier of explaining risk to business people when it’s directly tied to tech-heavy jargon. If it feels like you’re not being listened to or understood, there may be room to meet halfway (such as empathizing with knowledge gaps on both sides).
As the metaphorical bridge between business and tech, Jason joked, “People walk all over me every day.” Fortunately, that sacrifice helps us all understand each other a little better.
After a decade of working in the incident response space, the excitement initially tied to solving the mystery — what happened and how did it happen? — started to dwindle. A lot of the attacks looked very similar, creating a Groundhog Day experience.
“I felt like I was playing Mad Libs, but it was the same exact story every time. You switch out a couple verbs, nouns and adverbs here and there, and you’re just dealing with another client.”
The patterns continued. Repeatedly witnessing what worked for threat actors, and hurt organizations, became disheartening. Throughout his time in incident response, he also had a lot of hands-on experience with cyber insurance companies. That opened his eyes to a systemic opportunity the insurance industry had that he couldn’t access alone at the incident response level.
“Seat belts came to be because insurance companies pushed for it. They saw the value that it had for saving lives. Maybe that’s putting too much of a hero’s cape on cyber insurance, but there are very few companies that are positioned in such a way that they can mandate certain controls to negate the impact of cyber incidents. For me, it was the shift of helping one company at a time, to now helping thousands of companies at the same time drive towards a better security program.”
Jason embarked on a new path — and found a much bigger puzzle to solve as Chief Information Security Officer (CISO) at Corvus Insurance. As opposed to the classic role of CISO, where the focus is primarily on internal security, Jason gets to tackle several different areas, such as supporting policyholders on their security journey and working with the product team to create a frictionless cyber insurance experience. Seems easy.
Entering a relatively young MGA meant that Jason was working from the ground up to build out a full security team. His advice for hiring from scratch?
“You have to hire people that are smarter than you,” he said. “But it’s also about who is really passionate about what they do. Part of this is being self-aware at what you’re good at and what you’re not good at. You are hiring people to cover the areas where you lack.”
None of us have a crystal ball to see into the future of cyber threats. But we have something a little more scientific: data. As someone who experienced first-hand how ransoms rose from $5,000 to $500,000, Jason knows to watch where the money is going.
“We are seeing a shift in the approach to ransomware due to threat actors facing better security and resilience controls. I don’t think we’ll see it ever go completely away, but it’ll continue to shift to the targets that will pay. After sanctions have proven successful, we are seeing an uptick in data theft and the tried-and-true business email compromise,” he said. “There will probably be more attempts at trying to bypass existing controls, like MFA. Nothing groundbreaking, but more of the same. Attackers will continue to evolve and poke holes in defenses and we’ll see potential shifts in where they’re going to monetize.”
But one thing he’s certain the future needs? A little more empathy for organizations that experience these attacks. For every incident, there are lessons that can be learned. It’s not coincidental that you’re regularly hearing about implementing MFA (now phishing-resistant is recommended!) or investing in endpoint detection and response. We find out what works! But so do threat actors. The sooner we can accept it’s not a fair fight, the better.
“One aspect of the media coverage I don’t enjoy is that there’s a lot of victim shaming. Hindsight is always 20/20. Cybersecurity is very difficult to do correctly and very expensive, and it’s you against the world of attackers. The media and the peanut gallery will attack before they seek to understand and empathize. We have all this media attention without the right takeaways; we need to shift our focus and the outcome to benefit everyone.”
Jason highlighted two key goals he’s working on for the upcoming year at Corvus: engaging policyholders and addressing common cyber insurance misconceptions.
As for Jason’s future plans off the clock? He’s going to keep reading, primarily biographies and books on personal development. “I love learning about how people have approached different problems and how they’ve overcome them. I also love anything about personal development because there’s always something else you could be learning to improve.”
Cheers to many more puzzles in the next year.