On the 28th episode of Enterprise AI Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal AI, talk with Rob Nolan, Vice President and Chief Information Security Officer at Expeditors. Expeditors is a Fortune 500 freight and logistics company, powering over 25% of all U.S. customs clearance. They enable global trade and supply chain resilience for many of the world’s most recognizable brands. In this conversation, Rob shares how AI is changing both the attack surface and the defensive playbook, why behavior and identity have become the new cybersecurity perimeter, and how AI helps enterprise defenders flip the script and regain the advantage.
Quick hits from Rob:
On the role of AI in defense: “The reality is that if I think about a solution that helps us defend against AI attacks, it's more AI.”
On defenders flipping the script with AI: “The next frontier is knowing what ‘normal’ looks like for our business—and letting AI call out what’s not.”
On culture, training, and enablement: “We’re much better off having an AI-intelligent workforce than one we’ve sheltered away from AI.”
Book Recommendation: The Great Mental Models by Rhiannon Beaubien and Shane Parrish
Evan Reiser: Hi there and welcome to Enterprise AI Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how AI has changed the threat landscape, real-world examples of modern attacks, and the role AI can play in the future of cybersecurity.
I'm Evan Reiser, the CEO and founder of Abnormal AI.
Mike Britton: And I’m Mike Britton, the CIO of Abnormal AI.
Today on the show, we’re bringing you a conversation with Rob Nolan, Vice President & Chief Information Security Officer at Expeditors.
Expeditors is a Fortune 500 freight and logistics company, powering over 25% of all U.S. customs clearance. They enable global trade and supply chain resilience for many of the world’s most recognizable brands.
In this conversation, Rob shares how AI is changing both the attack surface and the defensive playbook, why behavior and identity have become the new cybersecurity perimeter, and how AI helps enterprise defenders flip the script and regain the advantage.
Evan: Thank you so much for joining us today. Do you mind giving our audience a bit of background about kind of you and your role and kind of what you do today?
Rob Nolan: So I think it was around 2000. I was a junior programmer, not a very good one. And I was asked to kind of look at a specific way we can encrypt a field within our database so that only our customer could see that, right? Our client could see the data and we couldn't. And the way it had been done is, you can effectively infer what the value was because there were only three options. So the way we were doing it wasn't really encryption, it was more encoding.
So I worked with the team to help do that and just by happenstance the security team asked me if I'd be interested in joining their team and this was right around 2000 and I was more than excited to do so and I've been in security since. So after joining that I kind of moved more into first application security and then into broader incident management, incident response and then moved into, you know, the broader side of just management of the program writ large.
You know, it was focused first in financial services space, healthcare, 401k, retirement plans, and then spent 10 years in energy and critical national infrastructure, you know, both for the U.S., parts of Africa, and Israel, and then spent a couple of years with a very large consulting firm. And now I work for a global logistics company where I've been for the last couple of years leading the security program there. And that covers everything from your typical cyber security concerns and compliance and risk management.
Evan: So you're the CISO at Expeditors. It's a larger organization than I think probably most people recognize, right? It's maybe not the most common household name. Do you mind giving kind of like one sentence, like, what does Expeditors do? Right. And like, what's the role in the world and how does it maybe affect people in ways they may not fully appreciate?
Rob: You can think of us as a critical element to the supply chain for the majority of companies throughout the US and throughout the world. We're a freight forwarding company. So effectively, think of it like managing the traveling salesman problem for all of our customers all over the world, right? Moving freight from one location to the next, managing every aspect of that, including customs. And how those trades are ultimately managed, so it's a very, very big company. Maybe not well known to the typical consumer. That's not who we normally serve, but we serve a lot of the brands that folks are very familiar with today.
Evan: What's the scale, right? Like, like I think people probably don't appreciate like the impact, like, yeah, what's your like kind of one tweet version to just help people appreciate how big of a problem you guys are solving for the world.
Rob: Anywhere the US is allowed to operate from a trade perspective, we're either directly or indirectly there or physically there or in one way or another, either directly or through an agent. And that accounts for roughly 25, maybe more, 25 or more percent of the customs that comes into the United States.
So from a scale perspective, that's a significant amount of freight that's making its way into the United States and helping our customers kind of manage through the complexity of what that means to move freight globally.
We don’t own steamships or planes. But we own the lanes, effectively, right? We have the relationships in place with a lot of key providers, that allow us to do that quickly and efficiently. In a way that, you know, without sounding corny, expedited, to get their stuff here quickly.
Mike: And I imagine you guys probably run the gamut when it comes to technology and use. You probably have a lot of old school technology that helps get things from point A to point B. I would imagine your business is also leaning on newer things like SaaS and AI and really trying to maximize all of the various data points to run your business. Maybe talk about how you guys look at technology and kind of how you stay on pace with your business as they're wanting to push the envelope probably to newer technologies.
Rob: Yeah, I would say, you know, first and foremost, we are a very customer driven organization. So how we interact with our customers is the primary reason for the relationships that we have today. And we work very hard to keep those relationships continue to cultivate them. And it does require that we are staying, you know, on target with technology and thinking about, you know, the next iteration of whatever those technology solutions may be, on the business side.
And I think from a security perspective, what that means for us is ensuring that we're enabling those technologies as quickly as possible in the most responsible way. Right? So leveraging SaaS, for example, we think about our customer relationship management interface and how quickly we can enable those types of interactions as a key driver for us.
And then as we move into the internal side of things from data protection and data security to knowing specifically how we're going to manage those things, those start to blend in between the operational aspect and the security aspect. So we're always keen to look at things first from an operational perspective, and then how can we enable security within those things and then further advance them along, right?
And then AI plays a significant role in that. And I think it's much more beneficial for us to have a workforce that is AI intelligent or aware and can leverage those tools in a meaningful way versus purely managing AI so it can't be, or it's strongly or heavily controlled or restricted. So finding that balance so that we don't stand in front of the advancements of technology but still not putting our company at risk is really the main driver for us.
Mike: You mentioned AI. How do you see things like AI and SaaS, how do you see that changing the threat landscape and as far as either where you're seeing threat actors or where you're hearing about threat actors taking advantage of those technologies as well?
Rob: It's a good question, Mike. I think from my point of view, and this may be just from my perspective right now, it feels a bit asymmetric in that we're on the losing side of that. And it's not just a resource issue as much as it's a capacity challenge.
I have a really talented team. I'm very fortunate to have a talented team and we're always trying to grow. Not just within the people side of things but, you know, from a discipline perspective as well. No matter what, we're always going to feel like we're a couple of steps behind. And I think that's even relevant or evident, I should say, in the technologies we deploy, right?
Not in every instance, we're looking to find solutions that can stay in front of those problems and work directly with our providers to make sure that they're doing what they can to kind of match these threats one for one. But internally, the way we plan to kind of like combat that is obviously through education and ensuring that we understand our environment better than the attacker. That's first and foremost. But it's ensuring that we can then turn around and flip the script effectively, making our environment more prone to alerting and identifying anomalies within our space so that we can track those things down in the event that they breach our defenses.
So it's a matter of like, have we deployed the right technologies? How do we understand that? Do those fit into, not just our plan, but really the strategy of cyber? Like where are we going? How do we make sure that, you know, we're not standing in front of the business either now or, you know, six months from now. And how is the, how are these things being adopted effectively? But really just drawing the drawing then if those defenses fail because, you know, above a given threshold, everything is vulnerable. So if in the event those defenses fail, how quickly do we identify those problems?
And, you know, traditionally, right back when I first started, we were just kind of like, you know, we're logging and monitoring really good people just doing that stuff. And now it's like, you know, we're threat hunters and all these really cool names. And we have to use AI to become better at that. And that, you know, is difficult when we were looking for very low attenuation events that don't happen that often, but are significant.
Evan: How do you see criminals, you know, taking advantage of that asymmetric opportunity with AI. Like where do you see criminals kind of experimenting? Where do you think the first kind of AI powered attacks are going?
Rob: Well, I think this is an area you will help us with significantly. It always starts with the user and trying to convince them that this is the right action they should take. So getting much better detail around specifically our company, being able to craft a message that is way more tailored to us, pulling available evidence from the internet in a faster way, and then turning around and using that as a way to convince somebody to take an action that they normally wouldn't. That's the first element.
The second element is to then compromise or somehow impact one of our either our providers or our customers or our partners in a way that circumvents our safeguards and makes their way in. And then identifying that internally is to like what that process would ultimately look like and how could we identify that faster.
You'd have to fundamentally understand how that document structure works in the back end, in terms of managing freight globally. But those are processes that are, AI is learning fast. So understanding our business, I think, is the challenge for AI or the threat actors, but that's not a big challenge for them. So as they get better at it, we have to then build defenses that can track and monitor those things quickly.
Mike: So I want to go back to something you said earlier, where you felt like we were getting behind the cyber criminals. Where do you see AI being used by the defenders and by security teams to maybe close that gap and maybe even get ahead of the cyber criminal when it comes to harnessing AI for good?
Rob: Yeah, I see it right now, specifically for us, we're kind of honing in on, you know, across the path of implementation and really operationalizing our defenses around our communication stack, our collaboration stack, and ensuring that as those, you know, as collaboration and messaging comes in, that we understand what those things are, identifying abnormalities within them, and calling out abnormalities and trying to stop them or at least to inspect or interrogate them when necessary. That's a super critical avenue because that's really what the main drivers, it's the first avenue in, more often than not, right? Outside of misconfiguration it's usually, misconfiguration vulnerability is the human. So understanding how communications come in and then building our security apparatus around that, right?
We want to understand, I'm going to say we. I think just generally, right, people want to build security programs around the human condition, knowing that this is how we act, this is how we behave. So let's find ways to address those ways in which people operate. And I think from that, we draw a lot of intelligence around the behaviors that we would expect and can quickly identify the ones that don't fall in line. Additionally, understanding very specifically, what does our data look like? And what does it matter to us, right? Or why does it matter to us? And then through that, some level of classification around that.
That doesn't mean like implementing, you know, very stringent federal level labels on everything and make it difficult for people to interact within the data. It means identifying and classifying it, right? So that we can clearly know that this file is associated to this type of activity within our business. And having that thing, having those elements clearly defined then builds a pattern around how data traverses its way through the environment. And when you know that those are the proper patterns, you can find anti-patterns. And through that also, that becomes a defensive mechanism, where we start to flip the script on really moving from a defensive position only, to kind of like the middle of the road. We're playing a little bit of offense by having something clearly defined, common patterns laid out, and the ability to then, or not capitalize, but to respond effectively when we see anomalies in that space.
Evan: So, Rob, you talked about kind of protecting people. I mean, historically, if you went back 10 years ago, right? All of our cyber conversations would be about infrastructure and IT systems. Like, to what extent do you see kind of people as almost like an endpoint become more or less important, right, with these new AI-powered attacks?
Rob: You know, they're the perimeter, effectively, right? Everywhere that person is, they're holding something or have one way into your environment. So understanding their behaviors really becomes the main driver. I think this shift, that was 10 years ago, that was my sweet spot, right? We were all in for sure. We were critical infrastructure. We were sitting on wellheads and out there with, sitting on top of rigs and all those types of things. A lot of fun. And you could see directly the action.
If a cyber event were to occur, you could see or you could plan out what that kinetic impact would be, right? But those things didn't happen by, they didn't just happen. Somebody did something, some human introduced something into this space, and knowing very specifically that those elements were the driver for it. It's how did a virus get on the International Space Station? A human brought it.
So it's like the human's been a core driver for, you know, both the good and the bad of cyber. They've been the... You know, we... if you watch behavior over time, you can start to see patterns, and we operate pretty consistently and we're pretty, you know, mundane.
You could map my whole day, right? It's like pretty consistent all the time. And those patterns kind of reveal themselves and AI speeds that up. AI can extrapolate that faster than I think we can in our traditional sense of monitoring over time and then trying to find anomalies based on previous patterns. And the human's been such a critical element in helping us learn faster and really try to tailor, not just the way we think about what the right security solutions are, but how we plan to reduce the impact that they feel as a good actor in our space. Because we know now that that's their typical pattern. And if we associate that to the assets they're trying to use, whether that be data or physical devices, then it becomes even easier for us to see, okay, this is a common pattern. And building out those patterns really helps us identify when anomalies occur. And AI helps us extrapolate that. And then we can add context and really enrich that behavior over time.
And as they, as an entity within your network or within your organization, grow, so does their pattern. And certain things fall off and new things grow almost in line with, let's just say someone's moving through the organization, very successful, you start to see that shift in behavior as they grow through that. And knowing and tracking those behaviors over time has just been, I think, the main driver.
And, you know, that's been, if you look back 10 years, it was around protecting the physical device that a person was going to use. And now it's more along the lines of, and those things still matter. But I think that what's at the forefront of people's mind is what are they doing every day and how do we track the context in a way that doesn't impede their privacy, of course, but it really helps us understand how to build a better security apparatus around it.
Evan: What's your vision for like, if there's some magical platform five years from now that saves us from all these AI powered attacks, what are some of the core approaches or strategies you would be effective, right? For that, you know, for the, I guess what's required to defend against a world full of personalized AI generated attacks?
Rob: I think the reality is that if I think about a solution that helps us defend against AI attacks, it's more AI. Unfortunately, that's probably a terrible way to say that, but it's just about understanding our space better to identify behaviors that are not necessarily...you know, in line with typical business operations. And that's not that far away, I don't think, you know, if you're capturing enough telemetry from your existing space.
So why do I say that? Why do I think that that's not too far away? There are systems already today that exist and most folks are using them and help them capture logs from specific critical business systems, right? And you're doing the same with identity and you're tracking your SaaS utilization and things of that nature. So all of that telemetry you pull into one large platform really helps you understand and specifically context. And you're tracking that over time. And I think it won't take long for those patterns to reveal themselves. So it's a matter of how better can the AI model interpret behavior, and do so in a way that doesn't create a privacy concern, but also doesn't create a conflated response to events. And then managing that either a supervised way or a non-supervised way or having the AI manage the AI is likely the way that we'll track and get ahead of some of these threats that we don't know yet about.
Mike: And one aspect of the human too is, you know, for I'm sure for your program and most is awareness and training has been a key component. Where do you feel that needs to change? Because I feel like with AI and some of the hyper personalization and social engineering and the way that it's just moving at such great speeds, what we trained our users a year ago even is kind of null and void today. Where do you see that, that world changing and those controls probably having to adapt with the world of AI.
Rob: I spent a lot of time working with our developers and a couple years doing a lot of DevSecOps work. In training developers on just implementing code the secure way. And there's a value to that for them in that their backlog shrinks, right? Because it's not constantly coming back with issues. So I think it's more around how do we embed security into the operational aspect of what they need to do and then watch for the metrics that are associated to that over time.
A good example would be, right, well, how do I know the investment in security training from my developers has been worth it. We did all this stuff with them on threat modeling and it looked cool and everyone's like, wow, we're using threat modeling, STRIDE and stuff. Maybe the metric is how many user stories in their backlog are security related. So you're kind of like tracking the metrics that matter versus how many people clicked on a link. As well, that's interesting. It's really up to the security team to make sure that if they do click on a link, it doesn't tear down your entire company. Right?
There's a positive enforcement aspect of flipping the way we train security so that it becomes part of what they're doing and not just this weird one off, you know, I'm going to send you this health record update. You need to fill this out quickly, and then click on it and they enter in their credentials and then we come around and say, you know, what are you doing clicking on these links? That's just such an antiquated way to do it. Feels very punitive and nobody's winning any friends doing that. But if we're training folks on building the right technologies, leveraging AI responsibly, like I would rather have an AI intelligent workforce than one we've sheltered away, we've sheltered them from AI, right? Because we're worried about the models, we're worried about the exposure of maybe our code base into some of those components. We're much better off teaching them the right way to do it so that they can do their job, be more effective, and use AI responsibly.
Evan: One of the challenges across our industry is that people don't really understand the impact of cyber crime, right? People think about, come against hack, you lose some money, lose some time, right?
I think you guys are a very unique organization where that's like... Not that that's all the last of it, right? If there's a big impact, like there's a lot of second, third order consequences that affect literally the entire global supply chain, right? So, I guess the question is for you, can you explain why cybersecurity is so important for Expeditors?
Rob: Yeah, absolutely. Cyber security matters for us because we're a services-first company, right? We're a customers-first company. So serving into those organizations and playing a critical role in their supply chain, handing us offline or impacted in a significant way, means that we're impacting certain legs or portions of their business as well, right?
We have thousands of customers all over the world who depend on us to be reliant, resilient, and available, while providing a service that is critical to the way they operate. So, cybersecurity plays a role in that resiliency and obviously plays a critical role in the protection of their data. And that data includes things that really is around their freight effectively, which is, this is their parcel that we're trying to manage globally.
Evan: Well, it's an important role on behalf of everyone else in the world. Thank you for your service. If it wasn't for the work your team is doing, literally the global supply chain shuts down and we don't get the things we need to do, to live our lives. So appreciate your contributions to our civilization there.
Rob: Well, know, play, my, company does great things and I'm honored to be a part of it. I'm certainly not the one who takes the credit for doing all the hard work which is getting those components delivered globally.
Evan: So the end of the show, we like to do a bit of a lightning round to try and get your like one tweet takes on, on questions that are really hard to answer in the one tweet version. So...
Rob: Alright, yeah, let's see what we can do.
Evan: Okay, Mike, you want to kick it off?
Mike: Sure, absolutely. So what advice would you give a security leader who's stepping into their very first CISO job? Maybe something they might overestimate or underestimate about the role.
Rob: The first thing that I want to do when I step into a company is how do we make money? What does this organization do? Because if I don't fundamentally understand that, then I can implement all the right things. You likely won't get fired for implementing the right solutions, but you won't be much of a value to the company. So I think understanding very specifically what the company does and how they operate is the first thing you need to do and then you can build your program around that.
Evan: What's the best way for CISOs to stay up to date on new security challenges related to AI.
Rob: Read a lot. One. Two, meet with a new vendor or provider or solution, however you want to say it, at least monthly so that you can understand the problems that they're solving that you may not know you have yet.
Mike: Speaking of reading, on a more personal side, what's a book that you've read that's had a big impact on you and why? And it doesn't need to be work related and it doesn't have to be something you've read recently either.
Rob: The funny thing is when I answer that, the very first book that comes to mind is the last one I read, which is actually Nexus from Yuval Harari. But I would say that the book that had the biggest impact on me as a leader, thinking about how do I want to lead people, or really I shouldn't even say lead. It's just more of how do I want to operate and then create that environment so that other people around me understand where I'm coming from. It's from Shane Parrish. It's called The Great Mental Models.
That one is like, there's three volumes, so maybe it's not just one book, but really helping you understand how you stitch together and how you think about things. I think just having a very disciplined mind helps. It helps in our space, but it really just is kind of universal. It makes me stop and think about things before I respond.
When I was early in my career, I would just respond to things and now I think about the mental models that I should be using and applying to every problem.
Evan: Okay, last question. What advice would you share to the next generation of aspiring security leaders?
Rob: Stay committed to the cause. Please stay on our side. First and foremost, please stay on our side.
Evan: Yes, please.
Rob: Remember that you are a business leader first.
Evan: Rob, thank you so much for joining us today. Excited to chat with you and looking forward to chatting again soon.
Rob: Yeah, it was great to be here. Thank you for having me. I appreciate the time.
Mike: That was Rob Nolan, Vice President & Chief Information Security Officer at Expeditors.
I'm Mike Britton, the CIO of Abnormal AI.
Evan: And I'm Evan Reiser, the founder and CEO of Abnormal AI. Thanks for listening to Enterprise AI Defenders. Please be sure to subscribe, so you never miss an episode. Learn more about how AI is transforming the enterprise from top executives at enterprisesoftware.blog
This show is produced by Josh Meer. See you next time.