WE'RE IN!

Bill Dunnion on the push for transparency in security breaches

Episode Summary

Bill Dunnion, chief information security officer at global telecommunications company Mitel, is well-versed in the critical nature of telecom infrastructure and the devices that support it. He’s also keenly aware of how his role as CISO is under increasing scrutiny from regulators around the world and in Canada, where Mitel is based.

Episode Notes

In this episode of WE’RE IN!, Bill expresses skepticism about AI, preferring the term "machine learning" for most current applications, but he acknowledges its potential benefits, such as improving threat detection.

Listen to hear more about: 

Episode Transcription

[00:00:00] Blake: Bill. Thank you so much for joining me on the podcast. It's great to have you here.

[00:00:04] Bill: Well, thank you for the invitation. I'm pleased to, uh, to be invited.

[00:00:07] Blake: Well, now you've been at Mitel for just about six months now. How have you found so far adjusting to the culture there and starting to build out your own vision for security?

[00:00:19] Bill: It's just about six months now, uh, so I'm still, uh, in many respects getting my feet wet, but, uh, to be honest, it's, it's not my first spin here at Mitel. It's my second tour. First tour was back in the late '90s, uh, second job out of school and, uh, it was product marketing, uh, it was in the product marketing team for Mitel back then.

[00:00:41] Several people that I worked with 25 years ago are actually still with the organization. So that's provided a very easy transition for me because, uh, a lot of the people and culture that I remember from my first five-year stint, uh, is still present. So, uh, that, that gives an excellent base of familiarity for me as I take on this new role.

[00:01:02] Blake: Now you mentioned you started out in product marketing. You've moved around to different sales roles. What drew you into cyber in the CISO world?

[00:01:10] Bill: I don't know if there is a typical path to get to a CISO, but if there is, I don't think I followed it. The first half of my career was telecom, and telecommunications. So with the advent of moving to voice over IP, that gave me the introduction to the IT world and ultimately the security world.

[00:01:27] The second half of my career has been in, in IT security. And in the journey or the path, I've held roles in sales, marketing, product management, delivery. So it's given me, um, a very well-rounded view of how businesses and organizations operate, and all of this background and experience in my mind, uh, is going to help me be a better CISO, because we need security, not for security's sake.

[00:01:54] In my mind we need security, uh, to be acting as a business enabler. So how do we conduct business safely? The different perspectives in my background, I think, uh, will help to contribute to that.

[00:02:05] Blake: I think that's a, that's a great perspective. And, you know, let's, let's talk about the CISO role for a little bit. There, there seems to be more and more responsibility piled onto CISOs almost by the day. But especially in recent years, there've been, in some cases, you know, we've seen in the press cases of CISOs being held liable in the event of major security incidents and, uh, just increasing demands on the business and the analysis of the risks going on.

[00:02:28] How do you navigate that?

[00:02:30] Bill: Oh, uh, one day. One day at a time, you know, one day at a time. You're absolutely right. It's, um, I think, if you look at, uh, kind of the history of, the advent or the, I guess, the origins of IT security, it really started off with infrastructure, right? All of a sudden, hey, uh, our, our, our business is open to the internet.

[00:02:54] We need a firewall, and, uh, then the bad guys leapfrog the firewalls, and then you add more pieces in, and so with that, the world really, everyone, uh, is, around the world is, is realizing that protecting information and data is everybody's responsibility. And the cases that you mentioned, yes, absolutely, in the last year or so, there have been some precedent-setting cases where CISOs and potentially boards of directors have been held personally liable.

[00:03:24] And I'm not the, not, uh, not the lawyer in the family, but in my view, uh, it was less that the breach or the attack happened, and the accountability is more around, uh, what was done, uh, to cover it up or how was that breach handled and the communication.

[00:03:41] So, in both cases, uh, individuals were found, uh, or are being accused of trying to hide facts and mislead, uh, the public as to the size and severity of the breach. It's definitely stressful. One of the things that I asked, and I would recommend that other CISOs ask, is: is the CISO role covered under a company's D&O, Directors and Officers insurance, right?

[00:04:07] It's just like if you're doing professional services, uh, you're going to have, uh, Errors and Omissions, uh, insurance and coverage, uh, in a similar way. CISOs shouldn't be held accountable for doing their job, or, if you're being negligent, then that's one thing. But if you're doing everything within your power to protect an organization and the organization's information and data, bad things still may happen.

[00:04:36] And, uh, you want to make sure that you've got yourself protected.

[00:04:40] Blake: That's a really good point. And yeah, in the ambiguity of the cyber arena, it's so easy to just have one slip-up. You could be a greatly defended organization, have all your I's dotted and your T's crossed, and still, I mean, breaches are going to happen from time to time. It's a, it's a problem that faces any organization of all levels of sophistication and defensive capabilities.

[00:04:59] Now, it was interesting, you mentioned the holding CISOs liable. Some of the folks, you know, who did make waves in the press, and obviously we don't need to go into specifics, but there were, there was that sort of extra twist, right, of trying to brush things under the rug, and we've seen certainly, I'm based in Washington, D.C. in the U.S., and we've seen a push on the regulatory side to require, start to really require more transparency and either, you know, mandate cyber disclosure after a certain amount of time or whatnot. Now, I, I understand you're based in Ottawa. How does the cyber policy arena in Canada compare and contrast to the U.S.? Is there a similar push going on up there? What's the story with the cyber policy?

[00:05:38] Bill: Well, fair enough. Yeah. And, and I may even take this opportunity to expand it. Mitel, uh, is global. We've got approximately 80 locations around the world and each country in each region has versions, uh, or is thinking about versions of similar legislation. And so I find, um, especially a lot of the legislation right now is geared around, uh, privacy.

[00:06:03] So I think everyone knows the acronym GDPR, so that's the European privacy legislation. Uh, if you look at segments of North America, California, um, at the state level was probably the most, uh, proactive, uh, state, uh, to, to come out with privacy legislation. Um, Canada's got Bill C-26, uh, which I think is in its final reading, that talks about critical infrastructure for security as well as privacy.

[00:06:30] A lot of, uh, the countries around the world, U.S. and Canada included, are busy working on their own versions of privacy legislation. The foundation of that is basically individuals need to be in control of their own information or data. So that everyone's seeing cases where you, insert your social media platform here, you press delete, and you think your account's deleted, but really the information is still there.

[00:06:57] So, being able to take ownership of your own information and data, and there's a slogan out there, or I guess an approach called Privacy by Design, that really embodies that. Blake, uh, you sign up to a site, um, if it puts a, you have to put a whole bunch of information in, okay, great. Uh, you should be fully aware of what that information is going to be used for.

[00:07:26] Is it going to be retained? And if you want it back, uh, you should be able to delete it and have the comfort in knowing and the reassurance in knowing that, hey, when you press delete, it's actually gone. That's kind of the fundamental, uh, business there. Other legislation I find, uh, is coming out, uh, targeting specific, uh, industries or areas, critical infrastructure being the most prevalent one right now.

[00:07:51] And we see this, uh, between Russia and Ukraine, unfortunately. Uh, your critical infrastructure, your electrical grid, your water supply, uh, if it's subject to a cyber attack and you lose it, uh, then it produces real harm. And so having that duty of care and that, uh, and having your security programs at a respectable level or a minimum requirement, is definitely important. We're starting to see regulation come into play in those areas to make sure that everybody, that they have compliance now as a reason to make sure that they put the security controls in place that are needed.

[00:08:28] Blake: It's certainly been eye-opening seeing some of the really alarming cyber-physical nexus threats hit, as you alluded to the Russia-Ukraine hybrid conflict. You've had attacks on the power grid, the first of their kind, actually cutting out lights to people in the dead of winter before, in 2015 and 2016.

[00:08:47] Really frightening stuff and ongoing today. With regard to the threat landscape for telecoms, you know, also definitely critical infrastructure in its own right. Where are the biggest risks?

[00:09:00] Bill: Uh huh. Where are the biggest risks? And so telecommunications, I think there's two levels, right? A lot of people think about the public carriers, and so with the public carriers, that has one level of impact. I think everyone has seen outages from various major players in Canada.

[00:09:27] Rogers Communications is one of the primary carriers, and it wasn't a cyber attack, but still, it was an IT upgrade issue that took the whole communication network offline. We saw the impacts firsthand for 911 services, hospitals and other, other organizations that relied on them for their, uh, for their public Internet and public, uh, telephone communications.

[00:09:50] The public carrier space is, in my mind, critical infrastructure and the impact of removing it is potentially catastrophic. Uh, from a Mitel standpoint, we're more on the business communication side, and with all communications these days, back in the day on my first tour, unified messaging, I think, was the label given to the precursor to what we take for granted now in Teams and Zoom and other, uh, online, uh, chatting and video, uh, sessions, right?

[00:10:28] So back then it was a novelty and just getting off the ground, and now it's expected. So for enterprise communications systems, one of the main risks in my mind is the tight integration and collaboration with data and file sharing and emails, right? So, the line between voice and information and data is extremely tight or blurred.

[00:10:54] It started to improve, um, but, you look at, uh, Teams or some of these chat sessions, uh, it may be your internal tool, and it's tightly integrated to both your, uh, your data environment, your file storage, as well as your voice, uh, environment, uh, in order to make calls and add people.

[00:11:12] But as soon as you add an external party to your video call, from a chat standpoint, uh, all of a sudden, uh, it becomes very difficult a lot of times to restrict what information they see in the chat and file shares and everything else. And so accidentally you may be exposing sensitive information to outside parties without even realizing it.

[00:11:36] So similarly from an attack standpoint and an attack surface, I think this convergence of voice and data and, and really trying to help with seamless collaboration, uh, increases the risk for, uh, for companies like, uh, like Mitel that are producing and delivering products, uh, to help make, uh, collaboration and communication easier.

[00:12:00] Blake: I'd be curious to hear, where does AI fit into this mix? Because I feel like I'm constantly being prompted. I'm on my Zoom call or my Google Meet or whatever, and it's like, have an AI summary. And I'm like, well, what if this is a sensitive call or whatnot, or we're discussing some proprietary information, and then the AI is spitting out some data somewhere or soaking it up?

[00:12:17] I always worry about that. What kind of AI trends are you looking out for? Good, good or bad?

[00:12:22] Bill: Oh, all right. Fair enough. First off, um, I, I am a, a self declared skeptic when it comes to AI. I'll put that disclaimer out there right off the bat. I've done a lot of research, uh, on, on AI and the origins, I guess probably, probably, and I know I have to get over it, but to me, it's the misuse of the term artificial intelligence, for the geeks on the, on the line here, uh, the fellow geeks on the line, because yes, I'm one, and, the origins actually go back to the second world war and Alan Turing.

[00:12:53] So if you want to see a great documentary, quasi-documentary, docudrama, or whatever, um, uh, The Imitation Game is, uh, it talks about that story. The work that Alan Turing put into breaking German codes during the Second World War, all of the algorithms that he created, form the foundation for, for modern AI.

[00:13:15] All the algorithms that we're using today are, they have their foundation and origins, uh, going back to Alan's work, um, uh, back in the, uh, '30s and '40s. And there's clear levels, right? And, um, artificial intelligence is the top or the fourth level. Everything else is machine learning. And so that's really the realm that we're in.

[00:13:36] The Turing test, uh, for AI is, can, uh, basically conduct a conversation with the entity and not, and be, not be able to tell the difference between a human or a machine. And so that, that is his formal definition of AI. And so we're starting to get there. I think there's, with the deepfakes, uh, that's, uh, we're getting to that AI, but everything else is machine learning.

[00:13:59] So, sorry, I'll get off my

[00:14:02] Blake: No, I think our listeners will appreciate that distinction. And Bill, just to make sure, can you select all images here of traffic lights before we proceed in this conversation? I want to make sure that you're not an AI talking. No, just kidding. Do you see on the, on balance, Gen AI and, and, you know, okay, yeah, helping or hurting more in the next 12 months for attack and

[00:14:22] Bill: Both, uh, both. I do see the huge potential, uh, for automation, right? And if I pick on security and our SOC operators, uh, we get thousands or tens of thousands of events a day. It's impossible for a person to stare at a screen and at each one of those events and be able to pick out the needle in a stack of needles.

[00:14:41] And that's where machine learning and tools can really help to, uh, sort through the noise, uh, the signal, and keep the signal-to-noise ratio down, right? And that's from a security standpoint. So, I do see benefits, uh, to society, um, uh, dictation, whether there's a patient doc, doctor, uh, transcription so that nothing's missed, in sales, uh, the tools are out there to, uh, pick up on email communications and string threads together and be more accurate on quotes and responsiveness, uh, that sort of thing.

[00:15:16] Anyway, so I do see the benefits for sure. On the flip side, the scary part is, how large language models and, AI, air quotes, tools are being used on the hacker side. In one case, the, the ML AI tool, was used in a capture the flag event.

[00:15:33] The Docker, even though the Docker was misconfigured, the AI model was still able to bypass the controls and capture the flag, even though the configuration shouldn't have allowed it to be possible. And there's, uh, another paper out around, uh, using large language models to, to take advantage of day-one, uh, vulnerabilities, right?

[00:15:55] So it's known, it's announced, so now the adversaries will try to figure out how quickly can, uh, can they exploit it in the field. So I think, like a lot of these tools, uh, they can be used for good or evil, depending on, on, on who's wielding them. The last point that I'll throw in there, I think it is, and I'll throw it as a caution for organizations and people that are implementing them, is, you have to understand the terms and conditions.

[00:16:20] You have to understand how the tool works. Uh, and what I mean by that is, and it was a public case, Siemens ended up doing a public breach announcement, not to pick on them, but they had software developers that

[00:16:33] Blake: They're a big enough company. They can take it, I think,

[00:16:35] Bill: Well, and it's public. So developers took code and put it into the public version of OpenAI in order to fix the code.

[00:16:44] Uh, as soon as you did that, then that code is retained, uh, by, as, as training pool data. And so all of a sudden you've got intellectual property that's now in the public domain. So you have to know where that information and data is going, who's retaining ownership of it. Uh, and actually kind of where we started with the privacy piece, uh, can you retain information and data?

[00:17:06] Letting an AI model, uh, an ML model, uh, loose as a tool, you do need to, um, be cognizant of where is your personal and company information and data going, making sure it doesn't leave the environment uninvited.

[00:17:21] Blake: Absolutely. And it's timely that we're discussing some of these risks and opportunities because it's Cybersecurity Awareness Month, the theme this year is Secure Our World. No small task. I know you said you've got 80 locations all around as Mitel, but, to try to put Cyber Awareness Month into some maybe more concrete terms, how, how can security leaders like yourself leverage Cyber Awareness Month to potentially support security budget requests or, or other goals they may have?

[00:17:51] Bill: Yeah. It's Awareness Month, half of, uh, all the organizations out there wake up and say, Oh, it's October 1st. I don't know. What are we going to do? And the other half wake up and they say it's November 1st. Oh, rats. I missed it. Yeah. Yeah. And, uh, yeah, Security Awareness Month, uh, I think it's, it's important, and like it says, for awareness, right, because, you know, the bad guys are talking all the time, and, uh, if the good guys don't talk and share information, we lose. And so Security Awareness Month is great because it's basically an opportunity, uh, to talk about things that, uh, that everybody needs to know.

[00:18:26] One of the best, uh, I think, uh, reasons for it is security, it impacts you, not just at work. Uh, but it impacts you as much or even more so at home, right? And a lot of the tips and tricks and a lot of the things that we try to, in the, the basic security hygiene, we try to bring into play in the office will also benefit you at home.

[00:18:47] Like one simple one, someone actually, uh, stopped me, uh, when they saw me in person and said, Hey, uh, I never would have thought about this, uh, until you mentioned it. It's, uh, everyone loves posting pictures. Apparently it's not possible to eat a meal without posting a picture of it first.

[00:19:02] But as soon as you post a picture on where you are on vacation and you're having a great time, you're also telling the world that you're not at home. And all of a sudden your house is potentially vulnerable. So there's unintended consequences. The other thing I think, and you talked about, hey, budgets and what other benefits.

[00:19:21] It's pretty much standard across the board. All companies, security departments are fighting for budget. If a company has a chance to spend a dollar, uh, to, uh, make 10 in sales or spend a dollar to help protect, uh, they're going to spend the dollar to make, to make more revenue, right?

[00:19:37] And so awareness can actually help to increase, increase, uh, demand within a company or an organization, or highlight deficiencies. Right? So, highlighting, uh, hey, we've had this many attacks, or we've stopped this many, or, here's a number of incidents that, that, that we've actually had to address, which is just general good information and insight for, for people in the company.

[00:20:00] When in doubt, don't click this. But then when you translate that message, it, the company officials and the senior leaders are also getting these communications and emails. And so when you bring it up again, at budget time or, if they get a more detailed report on some of the incidents, then it's like, oh yeah, I'm sorry, you were talking about that before.

[00:20:23] Why weren't these stopped? And they said, well, we could benefit by having this tool or that tool, or, we didn't have enough people to review all of the alerts, right? You can use awareness to increase visibility of, your efforts, uh, the security department efforts within the organization.

[00:20:40] And it should be able to pay dividends again when you, uh, start to ask for, important, uh, additions to your program.

[00:20:46] Blake: Yeah. And it's, it's too often that security is viewed as kind of a cost center, to your point about 10X-ing your investment in sales or whatnot. It's like, why, why allocate that? I'm speaking generally, of course, not about my telco, but, you know, why allocate this towards security? And so, yeah, any tool, whether it's Cyber Awareness Month or what have you, to reframe that conversation is definitely helpful.

[00:21:05] I wanted to touch on some remarks by Jen Easterly, head of the U.S. Cybersecurity and Infrastructure Security Agency. She's been leading something of a secure-by-design push, she's calling it. I know you mentioned privacy by design earlier, and she said, quote, we don't have a cyber security problem. We have a software quality problem.

[00:21:24] End quote. What do you, what are your thoughts on that?

[00:21:28] Bill: I think it's a wonderful quote, because it's, it puts things into perspective and, uh, the whole concept around security by design is really trying to shift the problem left. And if you think about the way things work today, uh, quality testing started off as being at the end of the development cycle.

[00:21:49] So you've pushed it through, you finally got your code ready to release and the product ready to release. It's going through the final testing, user testing, etc. And then after it's all wrapped up, and then it goes to the quality people, and then they find something, and while nobody wants to go back and open up the code, you're already late, the train's left the station, we'll deal with it later.

[00:22:10] And then the next thing you know, your product ships with a vulnerability. So, security by design, the concept in my mind, the way I interpret it is, the security requirements should be as important as the functional requirements of whatever the product you're building. So whether a button, radio button, needs to be red or blue is as important as making sure that you don't have cross site scripting in an app, right?

[00:22:39] Or that you're asking for MFA, etc., etc. So build the security requirements in from day one. And make sure that the security requirements are as important as functional requirements. That's really the, the foundation for the, um, or the founding principle behind security by design.

[00:22:58] Blake: And that's, that's all fine and good for shipping your own products and, you know, your own code and with your own teams. Now, you've spoken about supply chain security, which throws a whole nother wrench into the works, I should say. What is the main challenge as a security leader with effective supply chain cyber management?

[00:23:12] It just seems so overwhelming to me when you talk about third party, fourth party, down the line. Suppliers to the suppliers, who has Log4j in their code, who doesn't, who's going, it just is like, you could just, your head could explode.

[00:23:24] Bill: Absolutely. Yeah. Line of sight. Uh, I mean, it's tough, right? It's, anything can be done given two things, time and money. And so both time and money are limited. So how much can you do with, with supply chain? And actually tying it back into, into regulations, France has just, uh, released,

[00:23:40] I believe they're about to release, legislation around disclosure for building products. If you think about, there've been a couple of products out there, high-profile breaches where the actual source code or the product had malware introduced to it or backdoors introduced to it, that it actually then exposed, uh, everybody, every one of their customers.

[00:24:01] There is legislation in France and I'm sure other countries will follow where it says, hey, as soon as you're aware that there's a vulnerability in the product that you built, that potentially puts the users of that product at risk. You need to notify and be public about it. So when you come back to, what are the challenges you're facing, is the level of information, how many suppliers, does an organization have, and, uh, in Mitel, I think it'd be measured in the thousands.

[00:24:28] How do you ask all of the right questions? How do you know you're getting all of the right answers? How do you catalog and retain all of that information? Again, it comes down to, I'm a big believer in risk-based decision making. And so if somebody's shipping you pens and paper and they don't have any connection to your IT environment, then the risk is gonna be pretty low.

[00:24:52] If it's a managed service partner, and it's a SaaS service, and, uh, they're doing a second, third party, support for you and they're in your environment, regularly and, have access to a lot, uh, basically the full domain. Then that's a high risk and you want to make sure that you focus on, uh, the higher risk, uh, suppliers and partners and vendors, do the due diligence to try to stay safe.

[00:25:15] Blake: Absolutely. I guess it all comes down to prioritization, and when flipping back to the micro level, you've worked at the grassroots level and especially in the Ottawa security community, as I understand it, kind of supporting that. What can you tell me about that experience and what's coming up for you locally?

[00:25:30] Bill: Oh, that's great. So yeah, so jeez, seven years ago, I accepted a cold call invitation, from someone who's now, uh, a dear friend and, at the time I was, he was doing multi factor authentication. He was with a multi factor authentication company. And so I was waiting for the sales pitch and over a cup of coffee, we were talking about everything except his product.

[00:25:51] The topic of different meetup groups and security talking events came up and how we were lamenting the fact that there weren't many in Ottawa and the ones that were here were pay to play and then you got to see the same 10 people every month. So we started up a security meetup group. It's now called the Canadian Cyber Forum.

[00:26:11] So over 2,500 people have joined us over the years. We meet monthly. And, uh, a spin-off from that is, uh, the Cyber Security and Identity Summit, which is coming up on its fifth, uh, year of being in existence.

[00:26:25] So, uh, a cyber trade show here in Ottawa. And I'm also helping out with BSides Ottawa, which is, uh, going to be live, uh, late November. So, I find, uh, it very rewarding, giving back to the community. Um, I think I used one of my taglines earlier, um, we know the bad guys are, are talking and sharing information, so if the good guys don't talk, we lose.

[00:26:47] And that's really the main reason why, uh, I've been so active in trying to promote forums and environments where like minded people can get together and share ideas.

[00:26:59] Blake: That's a really good point. And it is the sense of community in the cybersecurity industry. Honestly, it's what drew me to the industry initially as well. You really see it, and obviously that, that only is sustained as long as there are folks such as yourself really working to make that community as active and as communicative and collaborative as possible, which is great.

[00:27:18] Now, finally, this is something that we ask of all our guests on the podcast, and that's the, uh, the, the fun fact question, if you will, or what's something that we wouldn't know about you, Bill, just by looking at your LinkedIn profile?

[00:27:31] Bill: Oh, fair enough. So, uh, I heard this one-liner a couple, a couple days ago, so I'll start with that as a teaser. I said, I wanted to be a baker, but I couldn't make enough dough. Um,

[00:27:44] Blake: I'm a new dad. That's a great dad joke, honestly.

[00:27:47] Bill: Yeah, yeah, yeah, yeah, well, don't get me started. So something, so, uh, the high school I went to just closed down.

[00:27:53] There's a super school being built, and so all the students are moving over. So when they took it down, uh, someone that was there took a picture of a list of all of the, uh, record holders, school record holders, uh, in track and field on the wall. So they took a picture of it and they sent it to me.

[00:28:09] With the school no longer there, apparently I am, uh, a record holder in the 400-meter hurdles and the senior 110-meter hurdles. So yeah, so no one can take those records away from me 'cause the school no longer exists.

[00:28:24] Blake: Wow, that's impressive. Yeah, and those are tough. You're already running 400 meters. Why do you have to put hurdles in there? I mean, that's just, that's, that's a lot.

[00:28:31] Bill: Yeah, yeah, yeah. Well, that, yeah, that, that, uh, it was, it was easier for me because it, the real runners, uh, didn't bother competing.

[00:28:40] Blake: I don't know about that. Well, thanks so much for joining me on the podcast, Bill. Great to have you and really appreciate your insights into your CISO leadership at Mitel.

[00:28:47] Bill: I enjoyed it, so thank you for this.