Happy Cybersecurity Awareness Month! Paul Lee, Veriff's Chief Information Security Officer, gives his view on the current cybersecurity threat landscape and how organizations can stay one step ahead in an evolving world where generative AI and sophisticated attacks are becoming the new normal.
Absolutely! Before joining Veriff, I was a Chief Information Security Officer at Uphold, a Veriff customer. We were testing Veriff's fraud prevention capabilities and were impressed with them. So, I was already familiar with the company and some people due to that. While working in the security space, I had always been interested in the identity side of it because I believe that identity is the root of all, good or ill. So, when the opportunity arose to join, I decided to scratch that itch.
I started at a wholesale supplier to what you'd now call dollar stores, which itself had a complex web of suppliers for all the products that end up in those stores. My role primarily involved assessing products, seeing how we could put them in our little catalog, and then distributing them to stores across the UK. While there, I noticed certain inefficiencies. An example I saw was entirely manual processes to do stock-taking. It was done by hand, and there was a horrendous trail of paper reconciliations with all the associated and unavoidable errors. There was scant automation and certainly not much computerization. So, together with a colleague, we gradually computerized certain processes in that firm. Looking back, it seems strange that they were so limited in their use of computers. They did have them, but primarily for basic tasks like mail merges. At that point, I really enjoyed this process of digitization. I went on to pursue higher education in that field, essentially finding my niche.
People are the most valuable assets because of what they bring with them. They are the collection of all the experiences and challenges they've overcome in their lives until the moment they stand before you, and they are easily our greatest asset. They will come up with new ideas and angles, and especially in a group setting, often help create solutions that will shape the company's course.
For me, people are the champions of the vision I'm trying to promote. Building consensus and alignment is crucial, even though it may sometimes require change and adaptation, which can be challenging. Ultimately, it's about winning hearts and minds for a shared vision.
There are lots of interesting projects going on here. My goal is to ensure that the team is running smoothly and that we can measure the effectiveness of our systems inside and outside the company.
What's super interesting is that in our infosec team and work, we have to consider the confluence of cyber and physical security since we have our in-house verification operations. So, my job is to ensure that the control framework is adequately suited and positioned to measure what matters in terms of security telemetry, giving us visibility when needed.
Not a major surprise here, but generative AI, I would say. There have been so many data breaches that have occurred around the world, exposing databases filled with valuable and rich veins of information. This does not just mean a threat against the people within those databases. Still, it also impacts the ways of doing business, targeting methods, and the types of data collected for all kinds of purposes. Illicit AI models can now use these data sources to make predictions and target individuals in ways we have never seen before. I believe that a stochastic kind of interpretive probing and modeling is really going to feed the next phase of attacks.
In the past, hacking or theft attempts were often aimed at pinpointing vulnerabilities in a person's digital life. However, with the rise of AI, human limitations on focusing solely on one idea at a time are now a challenge. Now, we will have these more distributed attacks using the mined data, and we will have to work together to figure out ways to protect our customers. No doubt using AI to do so. In some ways, it feels inevitable that the biggest threat becomes the most effective defense. There's poetry in there somewhere.
An example could be enumeration attacks that can identify users across platforms, using all those data points in a single attack without needing a human involved. Machines can orchestrate and execute these super-targeted attacks, making it even more essential for companies to cooperate and share information. As AI-related risks intensify, there may be calls for increased surveillance, potentially impacting data sovereignty.
In response to this trend, there might be a push towards enhancing individual data sovereignty through tools and secure browsers, allowing people to regain control over their data. This could ultimately challenge the prevailing monetization models employed by tech companies, leading to a shift where individuals hold more power over their data. This complex challenge is finding an oft-debated balance between security and data ownership.
In the past, the responsibility of identifying and mitigating threats fell on IT and InfoSec teams, often operating somewhat independently from the rest of the company. However, the threat landscape has evolved significantly, especially in the context of SaaS platforms, which make up the bulk of the tools that organizations use today. These systems and tools are always accessible, providing attackers an 'always-on' opportunity to exploit whatever vulnerabilities exist.
As a response to this, specialized services such as DDoS prevention, Web Application Firewalls (WAFs), identity and access management, and proxying services have crawled out of their own primordial mud. There is a constellation of services vying for your budget, and I think centralized logging and AI-driven security orchestration is a predictable next step.
Choosing the right vendors becomes more and more crucial since if they can't play nicely with others, they and you will be a softer target for the newer generation of attackers. So when you are choosing vendors, you have to ask them questions and make them prove to you that they are ready for this next wave of attacks and speak the same language of shared intelligence.
Specifically, in the case of protecting people from phishing attacks, technology companies like Microsoft and Google will have to get smarter at interpreting what an email intends to do. I would like to see the email kind of attacks going away, but due to a combination of ubiquity and the way the technology was designed, I can't see that in the next few years.
People cannot fight this fight alone. Businesses must select vendors who can cost-effectively limit their risk. However, navigating the landscape can be challenging as many vendors claim to incorporate AI in their solutions. By the dictionary definition, they may be right. Still, they're certainly being disingenuous about it. Partnering with strong, reliable resellers with their own long-term agenda to keep you happy can be a strategy to limit risks for newer firms, who may have less capability to spot fraud.
Each industry is going to have to behave differently because there's a different risk appetite. For example, the financial sector tends to have a low-risk appetite. Still, it relies on more traditional processes, while startups and SaaS platforms are trying to automate as much as possible. Coming through a lot of startups, I saw the rise of the aggregated log interrogation techniques developing into security staples, like SIEMs (security, incident and event monitoring), which bred SOAR (security, orchestration, automation and response) workflows, which are super helpful in the security space because they allow monitoring and responding to threats found in large datasets. SIEMs will likely need to accommodate greater volumes of data to detect multi-modal attacks that extend beyond conventional security and networking tools and in ways that are dynamically building their understanding of what a 'threat' is in a given context.
I see greater collaboration within organizations as one of the best forms of defense, but it is hard to do. There are divisional barriers, fiefdoms, disparate systems and control planes. That's why I come back to the people aspect I mentioned earlier - you need to pitch that idea and get people on board to be able to work together. AI-powered tools, particularly those focused on data mining, will become valuable in bolstering security measures for organizations across industries.
The first one that comes to mind is Unsupervised Learning by Daniel Miessler, a security, AI, and meaning-focused podcast that looks at how best to thrive as humans in a post-AI world.