Announcer: Welcome to the EY Business Minute Podcast series, where EY professionals explore the critical business issues impacting our industry today.
Mike Cadenazzi: Hi. My name is Mike Cadenazzi, and welcome to EY’s aerospace and defense podcast. I’m a managing director within our Americas Aerospace & Defense practice. This is the next in our series of discussions around interesting topics in aerospace and defense. Today I’m joined by Rishi Pande, who leads our cybersecurity services for our A&D sector clients.
Rishi has 20 years of experience working in the cybersecurity space. Rishi, why don’t you introduce yourself and talk a little bit about your work in the sector?
Rishi Pande: Yeah, thanks. Thanks a lot, Mike. Really appreciate it. Glad to join you. So, by way of background, I actually started in the financial services sector, which was 20 years ago. Like you said, we were four guys in a closet somewhere. And we were doing penetration testing back in those days. Nobody wanted to see us and nobody wanted to hear from us.
But we were there. But a lot has changed since those days. Cyber is obviously now a pervasive topic at all of our aerospace and defense clients. And frankly, I feel like aerospace and defense is one of those few sectors where there are real-world implications to the safety and security of the people in the country.
No offense to some of the other sectors, but this is where there is a real-life impact to each of us as individuals because of all of the impact from the cybersecurity perspective.
Cadenazzi: Yeah, there’s a lot of people in aerospace and defense that agree with you now. They may not have agreed with you 20 years ago, but they are on board now. So we are going to talk about cybersecurity in A&D today. And you really can’t talk about that without talking about Cybersecurity Maturity Model Certifications, or CMMC. This is a big topic. As new requirements are coming down the pipe, Rishi, what and how will CMMC grow as an important and major consideration for aerospace and defense firms?
Pande: Yeah, Mike, like I said, that’s top of mind for everyone. And there’s a phased rollout. So if you look at CMMC 1.0, that was a five-tiered model. It’s moving to a simplified three-tiered model. So, that will be helpful for a lot of the suppliers in the defense industrial base. But they’ve also simplified it. Not every supplier is going to have to go through a level three assessment done by an external provider or anything along those lines. Level one is a self-assessment. So, you can do your own self-assessment. Level two may require, depending on your particular business, external parties to do your assessments once every three years or so. But it’s a tiered model, like I said, and it’s going to have a phased rollout plan. It goes up until 2028, where we expect all of the suppliers in the defense industrial base to be covered by that point in time.
The other thing that I would say about CMMC: CMMC is based on the National Institute of Standards and Technology (NIST). Almost every cybersecurity program at large enterprises is based on NIST. So as long as you have a mature cybersecurity program, this is not anything majorly new. There’s a mapping from the NIST framework to the CMMC controls.
And you’ll have to go through that. But this is no different than where several of our clients have a virtual program and they have to provide certifications for ISO. Now they’re going to have to provide certifications for CMMC 2.0. It will be different if you’ve never been through CMMC on this type of assessment and you don’t have a mature cybersecurity program. Those are the folks who are really going to have to think about this and get a program in place.
Like I said earlier, Mike, this is important for all of our clients at this point in time. So, if you don’t have a cybersecurity program, it’s time to start thinking about it.
Cadenazzi: Yeah, that is one of the major concerns for smaller companies, particularly, that have never gone through anything like this. And we know that across A&D, there’s a lot of smaller, as we call them, mom-and-pop shops that are out there that are concerned about the cost just to meet these requirements, which, again, for a major company that spends time on this, it should be relatively straightforward to migrate from the NIST standard to the new CMMC requirement.
But we shall see how that goes forward. A related topic to CMMC has been the spate of International Traffic in Arms Regulations (ITAR) violations by defense companies where cyber information was not effectively protected by controls and ultimately resulted in exposure to foreign nationals, etc. And following on that, there’s been significant fines to firms in the space as well.
How do you see cyber fitting into the picture for ITAR data?
Pande: Yeah, Mike, this is a great question. And frankly, it’s directly relevant to the previous CMMC topic that we had as well. Really, it’s about data protection. The ITAR fines are really focused where people have access to data that they shouldn’t have access to. And in some cases, it’s not just whether you should have access to that data but whether you’re in the right location having access to the data. So, you and I are sitting here in the US right now, and let’s just say you are certified or cleared to have access to sensitive secret data in the US. If you travel to another part of the world or you’re on vacation or something like that, should you have access to the same data if you’re sitting there? Those are all questions that need to be asked.
But to get something like that in place, you have to think about zero trust. You have to go back to the core principles of zero trust, which is that on network applications, identity and data, you have to tag the data in the right way. Once you’ve tracked the data in the right place, then you need to know where the data is actually stored or shared and whether it’s in a shared drive or in a SharePoint site or wherever. And then, do the right people have access to the right data at the right time to be able to do their job? A lot of these bypasses of control happen because somebody is trying to do their job. They don’t have access to be able to perform their function. So they put it in a place where they can do their job. And then, that exposes some clients to these ITAR fines. It just gets back to the entire principles of zero trust. Identity is the core.
If you can identify the right individual who needs to have access to the right type of data, and you verified that access for the individual, then you can perform the next set of actions.
But that’s really the key of why we are seeing some of these (inaudible) happen right now, because people don’t know who is accessing the data. And once you don’t know who’s accessing the data, it’s going to be really hard to talk a little bit about who should access and what type of data they should have access to.
Cadenazzi: Great. Obviously, we’ve talked separately about the application of AI to zero trust, and a general topic of interest for everyone is the evolution of artificial intelligence, particularly generative artificial intelligence. I was in Palo Alto this fall working with our colleagues who are leading EY’s work in this space. And I was absolutely blown away by the use cases being put to use for our clients – applications across tax, strategy, operations, managed services, finance, you name it.
I’m interested, what are you seeing in the application of the latest iterations of AI, GenAI to this cyber challenge?
Pande: Yeah, and there’s two elements of this really, Mike. I call it AI for cyber and then cyber for AI. So let’s talk about cyber for AI first, that’s the easy one. What we’re seeing is a lot of these AI models are being rolled out across companies. And the models have access to data. When the models have access to data, in a lot of cases, companies are not considering the basic principles going back to zero trust. Who should have access to data at the right time? We actually had the case of a client where they wanted to simplify some of the HR processes. And so they had an AI model that allowed people to ask questions and get answers to things like, oh, “How do I invest more in my 401(k)?” or something along those lines.
And this AI chat bot actually looked at the documents in the back end and took those answers and produced those answers back for that particular plan. But when they gave access to the HR data, the HR data also included people’s salaries. So, all of a sudden, I could sit here and say, “Hey, what’s Mike’s salary?” And I could find out what your salary is. So, some of those elements of what data are we giving to the AI engine so that it can provide this function is important.
So, that’s the cyber for AI side. Now the AI for cyber side is actually super interesting. We are seeing a lot of use cases, like you said, especially in the security operations center space. We call them SOCs, or the identity and access management space. In the identity and access management space, if you think about just basic things like password resets, there’s several conditions under which people need access to data, or in certain cases, they need their passwords reset.
All of those functions can be performed by an AI model in the back end. And so we’re seeing that level-one function in particular get automated. There are controls that we need to have from level two in certain cases. The AI can’t handle everything. So they’ve got to escalate that to a level two. But it’s almost the copilot.
That’s probably the best way in which you can think about these AI agents. They’re enabling you to do your job, and they’re enabling you to do your job faster. Now, there is a flip side to all this AI and cyber, which is, unfortunately, the attackers are using it to scale social engineering. So we are seeing social engineering attacks become better. I remember the days when you would get an email and it would be misspelled and perhaps something about a Nigerian prince or something like that. The social engineering attacks are no longer (inaudible). Social engineering attacks come in very well formatted, very pointed to use cases that you may be thinking about.
I actually had this the other day. So EY does these social engineering tests, and they used AI to format a message and sent it to me right around the time that my password needed to be reset. Every few months, we reset our password at EY. And I got an email from one of these systems that said, “Hey, your password needs to be reset. And if you don’t reset your password by clicking here now, we are going to disable your access within the next couple of hours.” And so I was like, “Oh wait, I’ve really got to do this.” And then, so I clicked on the link, and luckily it was something that we were doing as a …
Cadenazzi: You got conned?
Pande: I know I did. But that’s the scale. And that’s where some of these AI engines are becoming better. And even somebody who’s been in the space for 20 years, we’re used to doing all of this stuff and looking at social engineering attacks. We still can fall prey to some of these well-generated AI phishing attacks. So, that’s unfortunate.
The other thing that we are seeing is, back in 1998, Kevin Mitnick had (inaudible) going at it, millions and billions of entities all over the place. We even had a case where, and this is now public, where there was a Teams call that was set up for somebody in finance. And in that call, (inaudible) got invited to the call. They had deepfake videos of the CEO, the CFO saying, “Hey, we’re doing an acquisition and we have to do that acquisition by the end of the day today. We need you to transfer a certain amount of money to this other account.” You and I have been on Teams calls before. We look at each other’s expressions to validate and trust that that’s working. But if you start to get some of these deepfake videos, it starts to become a lot more challenging for us from any perspective. So AI is being used for good, but there’s obviously attackers who are also using AI, and the space will continue to evolve and become more and more interesting.
Cadenazzi: So a billion ghosts in the wires. That’s not good.
Pande: Yeah. There you go.
Cadenazzi: I did see that phishing email, and I got it right there. OK, so in addition to CMMC and some hefty fines for ITAR lapses of the kind we talked about before, how else is the government responding to cyber challenges in the space?
Pande: Yeah, you’re getting a lot of other agencies getting involved. For the longest time it was just the DoD (Department of Defense) and, to a certain extent, the OCC (Office of the Comptroller of the Currency) getting involved in cybersecurity. But number one, the SEC (Securities and Exchange Commission) regulations, you have to do cyber disclosures for any material impacts to your company. That SEC disclosure happened last year. So now we have about a year’s worth of analysis for all the cyber disclosures that have happened. The Center for Board Matters actually publishes that. So if you haven’t seen that, you should definitely go out and read that. The Federal Aviation Administration (FAA) has gotten involved with it, like with some of the cockpit-type regulations.
So what we’re seeing is more and more agencies leverage cyber regulations. We are seeing privacy be impacted, or privacy regulations, in almost every state at this point in time. Hopefully we’ll come up with a US-based one. Several countries have privacy regulations as well. So, we’re seeing government more and more get involved in cyber regulations. The biggest thing that I will say is that if you have mature cybersecurity programs, it’s easy to meet these regulations. If you don’t have a mature cybersecurity program, then you’re trying to meet each regulation by itself, and that’s unsustainable. That’s really where we’re seeing the biggest difference.
Cadenazzi: It’s great insight. One note for the listeners, the Center for Board Matters is an EY center responsible for providing content and interesting things for C-suite talent across the entire sector, but also for aerospace and defense.
So, Rishi, one other challenge we know to make all this run in the background is talent and particularly in A&D, where there are talent shortages across multiple dimensions from engineering to operations. What do you see as the particular challenges for talent within the cyber space, particularly within the A&D sector?
Pande: Yeah. No, that’s a good question, Mike. Taking us back to how we opened the conversation, I was one of four guys in the room. We’re in a closet. And I was an outsider at that point in time. With the scale of cyber right now (inaudible).
So one of the challenges that we run into, especially in aerospace and defense, is that there is a knee-jerk reaction that non-US citizens can’t work on anything within the company. But what we’ve seen is some of our more mature clients have been able to leverage global capability centers, whether they are in the countries or whatever.
And they have been able to leverage the talent in their global capability centers because they’ve been able to figure out what part of their environment can reasonably be accessed by non-US citizens.
And then they’re able to scale their functions that way. The other thing that we’re seeing, and this is quite interesting — the US armed forces. We do a lot of cyber work from the armed forces, the military for sure.
And they’ve trained several people in cyber skill sets, whether they be on the attack side or the defense side. So we are seeing the formulation of solution development centers. You’re within the US, San Antonio seems to be a popular place to have SDCs (service delivery centers) right now. These folks don’t have degrees in all cases. They come from different backgrounds. They can do the work though. And as long as you can do the work, it doesn’t actually matter whether you have your degrees or not. Companies need to be open to that because HR policies typically say something like you must have a four-year bachelor’s degree. But if the person can do the work, that may not matter anymore. So you may want to tie back into some of these places where there is skill, there is talent. And then you can leverage some of those skills and talents to be able to address your problem set.
Cadenazzi: Well, that’s great to hear. That has been one of the promising things across various sectors is the idea of leveraging previously under-exploited or -leveraged talent in more coherent ways to include people that have skills without necessarily degrees or the correct certifications, that you can bring them forward over time. It’s great that we’re doing that in cyber.
So finally, what other priorities are you seeing from decision-makers on the cyber topic across the A&D sector?
Pande: Yeah, Mike, that’s a great question. And cyber used to be this thing only for IT. The IT function owned cyber. And there was a thought process cyber is just a cycle. But what we’ve seen is this move from cyber for the enterprise to cyber for OT (operational technology) environments, cyber within the product, and cyber within the supply chain. And so what we’re seeing is the CISO roles are evolving. This is no longer a back-end function. This is something where cyber is getting involved in product development, in supply chain decisions on manufacturing floors. And that’s the biggest shift that we are seeing overall from an industry. So the CISO role is evolving, is changing.
And our more mature clients have to have CISOs who can have discussions with the business units, not just with an IT function.
And so that’s probably one of the biggest changes. Within cyber itself, security operations centers, this has been an interesting space. There is obviously the move to automation through AI like we talked about, but also the security operations centers moving to monitor devices beyond just the enterprise devices like our laptops or servers or databases.
They’re moving to monitor the factory floor. So there are OT SOCs. In some cases, there are product security operation centers. So they are monitoring devices that are out in the field and checking if there are any security violations or challenges for those particular SOCs.
So we’re seeing that movement as well in the security operations center space.
We spoke about IAM a little bit, identity and access management a little bit. We are seeing newer and newer technologies come up in this space. It’s hard for everyone to remember 20,000 passwords.
So, there’s new technologies to make sure that people don’t need … they keep on forgetting their password. So instead of using user ID and passwords, there is this facial ID type of recognition.
We actually also have a case where, especially on one of our plant floors, instead of using face IDs, they’re using bands. So every individual line worker gets a band. And that band is used, along with facial recognition to log people into the devices they need access to. Because a lot of times they have gloves, they have PPEs (personal protective equipment) on. They can’t exactly remove their gloves and type in their user ID and password.
So, there’s a lot of innovation happening in the identity and access management space. There’s a lot of integration into the development cycle and the product cycle as well. So from a vulnerability management and cloud security perspective, we are seeing a lot of integration and automation and orchestration. So those are probably some of the biggest ones that we’re seeing right now.
Cadenazzi: Fantastic insight. Thank you. So any concluding thought on big things? We’re heading into a big year of change in 2025 for the sector. What’s your big takeaway for A&D in the cyber space?
Pande: We’ve had attacks on critical components of the end-to-end value chain. We’ve all felt the impact of cyber, whether that’s buying coffee in a coffee shop or being able to (inaudible) doctors. Cyber continues to have an increase in attacks. I suspect that this will continue, the velocity will keep increasing. And so our defenses will have to get better, all right? It’s not a matter of if cyber will impact our clients — it’s a matter of when. And what’s important is if you can limit the blast radius of when that happens. And to do that, you have to have resiliency to be able to deal with the incident. And it’s important to think about security by design and zero trust principles to be able to live in this new world.
Cadenazzi: Blast radius, good A&D reference. I like it. Thank you so much. Rishi, thank you so much for joining today. Appreciate it.
Pande: And thank you so much for having me. I really appreciate it, Mike.
Cadenazzi: Good. And so we’ll be back again after the New Year to continue this ongoing series of conversations about interesting topics in aerospace and defense. And with that, on behalf of EY’s aerospace and defense team, Happy Holidays and Happy New Year.
Announcer: Thanks for listening to today’s EY Business Minute podcast. We hope you found it engaging and informative. To listen to other Business Minute podcasts, you can find them at ey.com/podcasts.