ISMG Editors: Why Is the US Behind in Securing Credit Cards? Also: The Latest Generative AI Use Cases; Software Consolidation Trends
Anna Delaney (annamadeline) • July 14, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including the complex task of phasing out magnetic stripe payment cards and why the United States lags behind, the great debate over best of breed vs. a single platform vendor approach, and AI insights from Palo Alto CIO Meerah Rajavel.
The panelists - Anna Delaney, director, productions; Rashmi Ramesh, senior subeditor, ISMG global news desk; Tom Field, senior vice president, editorial; and Suparna Goswami, associate editor, ISMG Asia - discuss:
- Why it is taking the U.S. so long to move away from magnetic stripe payment cards;
- Whether security leaders really do want to consolidate the number of vendors and products supporting them;
- Key takeaways from an interview with Palo Alto CIO Meerah Rajavel on the opportunities of generative AI and how the security firm is using AI technology to improve its internal processes.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the June 30 edition on the fallout for CISOs in the SEC-SolarWinds probe and the July 7 edition on how the virtual war between the U.S. and China persists.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney. And this is a weekly spot where the global team discuss the latest information and cybersecurity news stories, features and trends. I'm joined today by Tom Field, senior vice president of editorial; Suparna Goswami, associate editor at ISMG Asia; and Rashmi Ramesh, senior subeditor for our global news desk. Very good to see you all.
Tom Field: Nice to be seen.
Suparna Goswami: Glad to be back, Anna.
Rashmi Ramesh: Great to be here, as always.
Delaney: So Suparna, there is a spectacular bridge behind you. Where are you?
Goswami: So the background is that of Howrah Bridge in Calcutta, or Kolkata as they call it now. So it is an iconic landmark. It is a huge steel bridge over the Hooghly River. Now it is considered one of the, I think, longest cantilever bridges in the world. I chose this because I'll be traveling to the city for the first time for work for ISMG. So I have traveled to the city multiple times before, but this is the first time I am traveling for work. I have a Roundtable scheduled in a couple of weeks. So yes, looking forward to meeting the CIOs from that city at the IT Roundtable that I will be hosting and knowing their views on cloud adoption, maturity of the market - I have never interacted with practitioners from this part of the city.
Delaney: Also, we look forward to more virtual backgrounds then from the area. Excellent! Rashmi, this is, well, Tom was saying it looks like the States.
Field: The Grand Canyon to be honest.
Ramesh: Well, this is where I live, about like 30 to 40 kilometers from where I live. This is still Bangalore. It's a short hike up maybe about five kilometers. So it's literally like an hour's drive from the city. It's lovely.
Field: Part of Bangalore, I've never seen.
Goswami: I am sure most of us have not.
Delaney: Tom, you're at a party.
Field: I am milking my recent vacation to Orlando, and this is in honor of course we celebrated Independence Day in the United States last week - some grand fireworks from Magic Kingdom.
Delaney: Beautiful. So what happens there, is it just a fireworks display or do Minnie and Mickey Mouse come out too?
Field: If you can see above what would be my left shoulder, you see the turret right there. At the end of the fireworks, Tinker Bell flies from there to another part of the park. I shouldn't say this but on a zipline, but it is pretty impressive.
Field: Well, I don't want to take the magic away from anybody.
Delaney: No, well, I am not as fun this week. But I'm going local today. This is the River Thames behind me. Taken on a recent walk on a summer's day.
Field: Again, that's part of the Thames I have never seen. Where's that?
Delaney: In Surrey, so maybe 30 minutes out of London.
Field: So I was going to see it from South Bank or from Tower Bridge.
Delaney: Yes, it's a long river. Well, so Bank of America's 2023 CISO survey was released last month. And one of the topics that came up was this concept of vendor consolidation. So what are the trends you want to bring to the group?
Field: It's interesting, because there are a few things in there that got my attention. They did a survey of X number of CISOs talking about some of the trends. And one of the things I found validating was the CISOs are saying that they've got decent, discretionary budget for new acquisitions and new solutions in 2023. That's consistent with what I've seen and heard in our Roundtable discussions at our events, which is that it hasn't been a matter of level funding or less funding for security. Security has been doing pretty well, particularly as there are more threats and more incidents, because it's always easier to get money when, God forbid, your organization gets struck, or when one of your competitors gets struck, budgets open up. So I found that validating. I also found it validating that you're seeing spend on endpoint security, network security and cloud. This is consistent not just with the discussions we have, but Suparna, you can chime in on this, that when we get approached to lead Roundtable discussions, often they're on endpoint security, cloud security, and especially some on vendor and third-party risk management. So I found it validating that they have money that is being spent there. Now, one of the points - you brought this up, Anna - we've discussed a lot in our own internal meetings has been the notion of vendor consolidation. And there's been this discussion that CISOs want to work with fewer vendors, that they want to consolidate, and that they're making a shift from discrete solutions, or the old defense in depth or expense in depth as I've heard it called by Forrester, to more of a platform approach. So instead of working with multiple vendors they want to work with a Microsoft more exclusively, a Cisco, a Palo Alto Networks, and what the CISOs' survey said, which I've heard consistently, is hold on a minute, maybe that's not what CISOs want. Maybe that's more of a storyline that the platform vendors want to push out into the public.
And I do believe that's the case, as I've had this discussion with CISOs at our Roundtable events, it's been, I'm looking for something that's going to protect me on all fronts, and I want high grades for everything. When you go with discrete solutions, you can get the best to have high grades everywhere. When you go with a platform, the platform might be an A+ on two out of three areas. But the third area could be a B- or a C. How do I go to my senior management or the board and say, we're going to be superior in these two areas, but we're going to be average here. Are you okay with that? And what does average mean? And how do we even convince our cyber insurers that this is the way to go? So I've seen a lot of pushback from CISOs on this notion of making the platform approach. And this survey came out and said exactly that - this is less of something that's coming up from individual enterprises, but more of a storyline that's pushed by the vendors that would like to see organizations move to a platform approach. So I found that very validating and wanted to bring that to our discussion here today.
Delaney: Excellent. And this view was reflected in a conversation I had with a Gartner analyst recently, who brought up that well-known phrase, the cybersecurity market is always consolidating, but never consolidated. And he said, like you, there is a lot of consolidation, but there are more and more vendors, there are new threats every day, and therefore new products to tackle those threats. So his advice was, when looking to consolidate, don't think about these projects as finite projects. Remember to keep it agile and fluid, think of them more as ongoing exercises.
Field: Anna, something else from the BoA's report that I found encouraging is the notion that CISOs were keeping some discretionary budget, so they can invest in new solutions and new vendors, and there's a recognition there that innovation is going to come from the startup community. It's going to come from someone that we don't know about today. It isn't necessarily going to come from Microsoft or Cisco. And I find that validated by our own discussions. We see lots of CISOs coming to our events these days wanting to have very specific conversations with the vendors that they might not be working with now, to find out what is it you do? How can you help me? I think there's a great appetite out there for innovation. And there's money out there to be spent on vendors that come along that are offering something new.
Goswami: So Tom, in your Roundtables, you don't hear so much talk around budget? Because here when I have Roundtables, they're looking for those point solutions, which have that expertise, but at the same time, they too are worried about their budget as well.
Field: When we talk about resources, Suparna, the conversation is less about financial resources and more about finite human resources. I don't have the people that I can deploy to manage all these different solutions and relationships. And that's part of what's driving the consolidation: I don't have people that can manage all this. I don't have visibility across all these different arenas. And we're looking to consolidate that view. So it's less about the money and it's more about, I don't have the people; how can I get access to talent and solutions that I don't have in-house? And the money seems to be there for that.
Delaney: Very good. Well, thank you for bringing that to our attention, Tom. Suparna, speaking of innovation, you recently had the opportunity to interview the global CIO of Palo Alto, Meerah Rajavel. So tell us about what you discussed.
Goswami: The global CIO of Palo Alto Networks, Meerah Rajavel, came down to India for three-four days and ISMG not only had the opportunity to meet her but interview her as well. So we did talk about, of course, we could not miss it, generative AI. I asked her how she is using AI to improve the overall IT efficiency in her organization, not so much what Palo Alto is doing in the products, but what she's doing as a CIO in her organization, and she gave some good examples. So one of the examples she gave was when a product gets launched. So typically when this happens, a product gets launched, the product team produces a lot of documentation that becomes the basis for the marketing team. So typically, from the time the product documentation is ready to when the product is finally launched, it takes about four to six weeks to finally launch a product. Because a lot of artifacts like your blogs, PR activities and other things are planned before a product is getting launched. This is where Palo Alto thought of leveraging generative AI. And they reduced the entire process from four to six weeks to two to three days. And they brought the product engineering and the product marketing team in a singular fashion because the content is being produced by AI. Of course, they did not eliminate the human element completely. It was overlooked by the humans, there was patch-up done by the humans. So yes, generative AI is a very core business strategy for Palo Alto, but to be honest, they have been in the AI space for a long time, I did check with her what is new? But of course, it was mainly the ML model that they were focusing on. But now she said that she wants to put AI right in the center of their strategy game and not just add AI on top of any product, or just put it at the center of whatever is being done.
Delaney: Did you also talk about cybersecurity?
Goswami: It was about cybersecurity as well. But it was more on what she is doing on generative AI. She did mention a product that they've come up with called XSIAM. And it is on automating SOC. But because she was the CIO, mainly we spoke about how she is handling, or what is her strategy, when it comes to generative AI, and there are lot of other things that she has planned as well. On generative AI, for example, she said that generative AI will have a significant impact on efficiency, speed and experience. So she explained to me one of the initiatives that she is driving. So between IT, HR and some other functions, usually an employee will have multiple questions, like my laptop is not functioning, questions around salary or career growth, or can I switch to the other team? So Palo Alto has around 15,000 employees, but they get around 400,000 queries every month. And it takes them days to weeks, and sometimes even months, to respond to these queries. So this is where she has brought AI. She said that of course one of the solutions that was proposed to her was that a great search function will do, but the argument is that it will throw up multiple options. So if you're a new employee, you won't know how to go about it. So here she again leveraged AI. They're looking to make 90% of the information available in the form of an AI assistant. But again, like I said before, she doesn't want to completely do away with the human element. So the remaining 10% can be addressed by humans. The human loop is necessary for the personal touch. But yes, 90% is being made available by an AI assistant. And even you're transforming the go-to-market experience that I just spoke about. The products team produces a lot of content, which is used by the marketing team while launching a product. So she said 80% of the content is being written by AI and the rest 20% is being improvised by humans. And the third category that she's focusing on is information at the fingertips of customers.
The customers should be able to experience the product. That's what the aim is. The aim is to make Palo Alto products smart enough so that they can let the customers know in advance what are the changes they can expect. And they give them the choice of auto-remediation. But these are some of the things that she discussed. There were other topics that were discussed too, like industry cloud platforms, how that is gaining and that it is a major trend that is going on. So that industry cloud platform essentially accelerates cloud adoption by appealing to particular industry and business consumers. And this is not targeted at early cloud adopters but at more mature ones, by offering them adaptable and, probably, relevant industry solutions. So that is one of the trends that she is also seeing - industry cloud platforms.
Delaney: Excellent. Very thorough, and all these generative AI use cases are helpful. Thanks, Suparna. Look forward to seeing that published on our sites.
Field: I'm going to tell you too, Suparna, as we get out and start our Roundtable discussions and Summits for the second half of this year, I'm looking forward to seeing how the generative AI discussion is different in July than it was in January. We've had six months for organizations to get their feet under them and get a better understanding of this and what it means to their organizations. I want to start hearing about them.
Delaney: Rashmi, you've written a very interesting feature this week, "Stripping the Magnetic Stripe: What's Taking So Long?", and the premise of the article is that the world is moving on from the magnetic stripe payment cards with one notable exception. Tell us what or who that notable exception is.
Ramesh: So we've been talking about magnetic stripes and cybersecurity risks for more than a decade now. And it got me thinking, why is this still an issue? I remember Mastercard saying that it would soon phase out magnetic stripes. Why hadn't that happened yet? And how were all the moving parts in this ecosystem dealing with the security risks? So Suparna and I decided to ask the experts, both payments and cybersecurity. So it turns out that the U.S., which is one of the biggest markets for payment cards, is also one of the biggest holdouts when it comes to moving to chips entirely. So everyone in the ecosystem, credit card issuers, your banks and consumers, all agree that the magnetic stripe is prone to hacking. So that begs the question, right? Like, why is the U.S. still clinging on to a technology that is more than 60 years old now? So the primary answer to this is a thing that runs the world - money. So replacing them costs a lot of money. And it's a tedious job, and it's no specific organization's responsibility. So why is it expensive and tedious? Mostly because small merchants, millions of them, need to be convinced to bear the cost of updating their POS machines. And they must be convinced to do it when the payment process they have in place now works perfectly well. So take gas stations, for example. They're one of the largest everyday spend categories for card payments, and they're spread across the country. They're also the costliest to deploy new software in. And then there's the card brands, who cannot just wake up one day and choose to not support a standard. They have mandates where they need to comply with payments standards, such as the ISO, which defines the smallest of things like the shape, the layout, and even the font that can be used on a card. But none of this is to say that we're always going to be living in the 60s.
What helped bring the move to chip is that card networks eventually shifted the liability of any fraud that happens on magnetic stripes to the merchant. So basically, if there was a fraud at the point of sale, like a counterfeit card being used, then the loss would be borne by whatever party wasn't EMV compliant. And more often than not, that was a merchant. But this liability shift was also staggered. It did not apply everywhere, all at once. So we spoke about the millions of gas station payment terminals earlier. So they were given a little bit more time than others to make that transition. So this change began around 2015. At that time, there were billions of cards circulating in the U.S., most of which were magnetic stripe cards, which had shelf lives of about four to five years. So that transition to chip began after that. So it took time for merchants to roll out the hardware, for issuers to replace all the cards that were already in the market, and for processors to get the technology in place. So eight years later, we're still in the process of phasing out. And there is concern about disruption to customer experience. What if the chip doesn't work and there's no fallback magstripe? What if the payment isn't processed correctly due to hardware issues? So the answer to why we still have magstripe is a vicious circle at this point.
Field: I'll tell you, Rashmi, I remember it was maybe a dozen years ago when the U.S. started to go to what they call chip and signature. If you would go to your merchant and use the chip card, then they would check the signature on the back of your card against your other signature, your driver's license, whatever it may be. Very few merchants ever looked at that. You could go, you could use any card you want. As long as it went through, they worked. They were fine with that. We're seeing a lot more in the U.S. of tap-and-go payments. And so I think we're getting over some of the hurdles. But honestly, I think one of the things that's helping us get over these hurdles is a younger generation of consumers that are used to different forms of payment and are very happy with the tap and go, used to the chip. And we're losing some of the legacy dependency on the old magstripe. So I'm encouraged that there will be some changes, but I think it's a generational change more than it's a technological change.
Delaney: Rashmi, you raised the point that this is not just about cost - it is costly to remove the magnetic stripe. But this is not just the merchants, it's to do with the community itself - the card community itself. Tell us more.
Ramesh: So you're right that it is about the card-issuing community as well. The CEO of the Merchant Advisory Group whom I spoke to is John Drechny. So basically, this group represents more than 150 U.S. merchants. He said that if you look through Mastercard's announcement, for example, it says that prepaid cards don't have a timeline for the removal of the magnetic stripe. So it essentially means that even if merchants install new EMV equipment, they will still be required to support the magnetic stripe. So if those cards are going to be in the market, it doesn't make sense for everyone to install the new equipment, especially not in a short time frame, and definitely not in haste.
Delaney: Excellent. Well, thank you very much. I implore everybody to go read your article. It's a great analysis of where we are at the moment. Finally, just for fun, what's on your cyber tech summer reading list?
Field: I will say for me, it's less about physical reading and more about digital. I'm spending a lot of time on our own education site, CyberEd.io, where we've launched graduate courses in cybersecurity education. And in the time that I'm not spending on the road for our events and for our Roundtable discussions, I am spending more time there just trying to enhance my own education. This world, this industry, is moving so fast, and it takes considerably more effort to try to keep up, and we've got a great place where we can try to do that. So that's where I'm spending my time this summer.
Delaney: Well said. Suparna?
Goswami: Yes, one is a physical book that I want to read. It was recommended by a security practitioner from Australia, Chirag Joshi. He recommended "The Wires of War: Technology and the Global Struggle for Power." So it essentially explains the high stakes, the cyberwar brewing between the Western democracies and China and Russia, and the social disinformation risk to the U.S. especially that can probably damage democracy. I plan to purchase this book. And the other thing that I follow a lot on the ISMG websites is the webinars. So I do go to the webinars, and they have some of the vendors, they sometimes have some fantastic PPTs, especially when it comes to cloud or OT security. I specifically look at those webinars, and they even have those white papers that I read. But yes, I will also take Tom's advice, CyberEd.io. And I'll probably go visit that site as well.
Field: Well you make a good point, Suparna. I probably record four or five of those webinars a week. So there's education every day right there.
Goswami: Yes, those webinars are great.
Ramesh: Mine are two crypto books - crypto security books. One is called "Tracers in the Dark," by Andy Greenberg - it's about law enforcement and tracing ill-gotten cryptocurrency. And "The Lazarus Heist," by Geoff White - it's about North Korea and the adventures of North Korean threat actors. They're both amazing. And I've read half of one of them, and they're definitely on my list for the next couple of months.
Delaney: And "The Lazarus Heist" was serialized, I think, on a podcast. There are always the audio channels as well. Well, I'm looking at Yuval Harari's "21 Lessons for the 21st Century." It's interesting because that was written even before COVID, so I look forward to what he creates post-ChatGPT. So I'm sure he has thoughts to add. And also one that's caught my eye is "Impromptu: Amplifying Our Humanity Through AI," written by Reid Hoffman, along with GPT-4.
Delaney: Well, this has been excellent and educational. Thank you so much, Tom, Suparna and Rashmi. Until next time.
Goswami: Thank you, Anna.
Delaney: And thanks so much for watching. Until next time.