Approach Cybersecurity Through a No-Fault Lens — Cintas CISO


Jacob Lorz, VP, Information Technology and CISO at Cintas, speaks with Todd Foley, Lydonia Chief Digital Officer and CISO, about the challenge of keeping teams relevant, the need for security team culture in an organization, and the role of AI in cybersecurity.

Cintas Corporation, a Fortune 500 company headquartered in Cincinnati, provides businesses of all sizes with innovative solutions, products, and services designed to keep their facilities clean, their employees safe, and their teams professionally attired.

Shedding light on the challenge of keeping teams relevant, Lorz advocates lifelong learning. He shares that the organization hires meticulously and focuses on people who can convey a passion for constant learning.

To keep teams ahead of the curve, Lorz also mentions providing educational opportunities at both technical and executive levels. These include tabletop exercises, gamified opportunities such as capture-the-flag scenarios, or security awareness campaigns.

Additionally, Lorz mentions curating daily threat feeds that are distributed internally, providing insights into global cybersecurity updates. Through the feeds, the team shows what is happening in the cybersecurity landscape and how the company is prepared to respond. He maintains that cybersecurity cannot be an afterthought; it must be a priority.

Speaking of the role the security team culture plays in an organization, Lorz notes that every organization is different in where they are in the cyber journey. He opines, “You have to approach cybersecurity through that no-fault lens. Every time you interact with anyone in the organization, you’re interacting with them for their benefit.”

When someone takes a risky action, the goal is not to call them out for it but to help them avoid making the same mistake in the future, says Lorz. In addition to providing security awareness training, the team also provides role-specific training, he adds.

For instance, finance professionals receive cybersecurity training tailored to financial threats, executives get training relevant to their positions, and employees using specific device profiles receive targeted instruction.

Similarly, when it comes to phishing simulations, the security team analyzes real phishing attempts and creates internal campaigns based on actual threats. These simulations are ongoing, not just a one-time event, allowing the organization to continuously assess and improve awareness.

Further, the security team identifies areas where employees need additional support and reinforces awareness through targeted campaigns.

“Spreading security through fear, uncertainty, and doubt is not the way to go,” remarks Lorz. He operates with the mindset that everybody is trying to accomplish their tasks; however, they may unknowingly encounter cybersecurity risks, and the team is there to help them.

When asked about the role of AI in cybersecurity, Lorz stresses how threat actors are leveraging AI to launch more sophisticated attacks with advanced bots. He mentions the usage of AI in crafting convincing phishing campaigns, including highly targeted spearphishing and whaling attacks.

Lorz notes that with the evolution of AI and ML, the complexity and effectiveness of these attacks will only increase. On the other hand, he refers to a CDO Magazine cybersecurity summit where a speaker highlighted the benefit perspective. Instead of talking about how AI can help cyber professionals, the focus should be inverted to intelligent automation (IA).

“A huge benefit of AI is now the ability to leverage that inside our tool stack to get better at intelligent automation,” says Lorz. Highlighting the workforce challenge, he shares that there is a massive shortage of cyber professionals for roles open within the U.S.

While the numbers vary, this gap consistently hovers around half a million unfilled roles per year, says Lorz. The only way to bridge it is to increase automation, especially to filter out the noise in environments, distinguish true positives from false positives, and correlate different events to surface true attack indicators.

The real advantage AI brings to cybersecurity is precisely increased automation, orchestration, and fewer opportunities for threat actors to infiltrate or persist within an environment.

Concluding, Lorz reiterates the point about reducing unfilled roles and says, “We will still have that capability, but I think we can overcome a deficiency in that capability through automation.”
