'Inside Security' with Mike Norries (Director of Security, Trek10)

'Inside Security'
Leen Security
July 24, 2025

In previous editions of 'Inside Security', we've examined how cloud adoption transforms attack surfaces and compliance frameworks. But a critical dimension often receives insufficient attention: how cloud infrastructure has lowered barriers for sophisticated social engineering attacks while simultaneously creating new vulnerabilities in the vendor ecosystem.

Recent conversations with security practitioners reveal a troubling reality – while organizations invest heavily in technical controls, the human element remains not just vulnerable, but increasingly exploited through cloud-enabled attack methods that traditional security frameworks fail to address adequately.

The Cloud-Enabled Social Engineering Amplifier

Social engineering attacks have evolved beyond simple phishing emails. Cloud infrastructure now provides attackers with unprecedented capabilities to mount convincing, large-scale operations with minimal upfront investment. Where sophisticated attacks once required significant technical expertise and infrastructure investment, cloud services now enable virtually anyone to deploy convincing attack infrastructure within hours.

This democratization effect creates what we term the 'infrastructure arbitrage' – attackers can leverage the same scalable, cost-effective cloud services that legitimate businesses use, but apply them to malicious purposes. Combined with AI-powered tools for research and content generation, the traditional 'spray and pray' approach has given way to highly targeted, contextually relevant attacks.

Organizations must recognize that their threat model now includes actors who previously lacked the resources to mount sophisticated campaigns. The assumption that only advanced persistent threat (APT) groups possess the capability for targeted social engineering is obsolete.

The Vendor Ecosystem Vulnerability

One of the most significant yet under-appreciated risks in cloud-first organizations is the expanded attack surface created through third-party relationships. Small consulting firms, managed service providers, and specialized vendors often become the path of least resistance for attackers targeting larger organizations.

A mid-market AWS consulting firm or a small services business may not seem like a high-value target, but their access to enterprise client environments makes them an attractive stepping stone. These organizations often lack the security maturity of their larger clients while maintaining privileged access to critical systems and data.

CISOs must extend their security assessment programs beyond traditional vendor risk management to include comprehensive evaluation of third-party human-factor vulnerabilities. This includes assessing partners' security awareness programs, incident response capabilities, and cultural commitment to security practices.

Beyond Technical Controls: The Culture Problem

The most sobering finding, from not just the conversation with Mike but from several security leaders, is that technical controls, while necessary, are insufficient to address cloud-era social engineering threats. The fundamental challenge lies not in detection capabilities or policy enforcement, but in organizational culture and human behavior.

Security teams consistently report that the biggest obstacle isn't tool limitation – it's getting people to care about security before they experience a direct threat. This "empathy gap" creates a persistent vulnerability that no amount of technical sophistication can fully address.

Organizations that successfully reduce social engineering risk focus on making security personally relevant to individual employees rather than relying solely on corporate mandates or compliance requirements.

Metrics That Actually Matter

Traditional security metrics often fail to capture human-factor effectiveness. Mean time to detection (MTTD) and vulnerability counts provide limited insight into an organization's resilience against social engineering attacks.

More meaningful indicators include:

  • Proactive threat reporting rates – How frequently employees independently report suspicious communications
  • Out-of-band verification behaviors – Whether staff use alternative communication channels to verify unusual requests
  • Security champion engagement levels – Active participation in security discussions beyond mandatory training
  • Cross-functional security integration – Evidence that security considerations influence daily operational decisions

These behavioral metrics provide earlier warning signs of cultural vulnerabilities than incident-based measurements.

Actionable Recommendations for Security Leaders

We asked Mike Norris what his action plan would look like if he were in charge of setting up a security program at a fast-growing, cloud-first organization that had just raised significant funding. His recommendations provide a practical roadmap for addressing social engineering vulnerabilities in modern cloud environments.

Immediate actions (0-90 days):

  1. Audit third-party human factors – Extend vendor assessments to include security awareness program maturity and cultural commitment metrics
  2. Implement security champions networks – Establish formal programs that embed security advocates throughout the organization, particularly in high-risk departments
  3. Redesign awareness programs – Replace generic training with role-specific, scenario-based exercises that connect security practices to individual job functions

Medium-term initiatives (3-12 months):

  1. Develop cloud-specific social engineering scenarios – Create training programs that address cloud service impersonation, API credential theft, and vendor ecosystem attacks
  2. Establish behavioral baselines – Implement measurement systems for employee security engagement that go beyond compliance checking
  3. Build cross-functional security integration – Ensure security considerations are embedded in product development, vendor onboarding, and operational procedures

Strategic priorities (12+ months):

  1. Culture transformation initiatives – Implement comprehensive programs that make security a shared organizational value rather than an imposed requirement
  2. Ecosystem security partnerships – Develop collaborative security programs with key vendors and partners that include joint training and incident response procedures

The AI Wild Card

Artificial intelligence introduces both escalated threats and potential defensive capabilities. While AI enables more convincing deepfakes and sophisticated target research, it also provides opportunities for automated threat detection and response.

However, organizations must resist the temptation to view AI as a silver bullet for social engineering challenges. The fundamental issue remains human behavior and organizational culture – areas where technological solutions provide limited impact without corresponding human-centered approaches.

Conclusion: Reframing the Social Engineering Challenge

Cloud infrastructure has fundamentally altered the social engineering threat landscape by democratizing attack capabilities while expanding organizational attack surfaces through vendor ecosystems. Security leaders who continue to rely primarily on technical controls without addressing cultural and behavioral factors will find themselves increasingly vulnerable.

The path forward requires recognizing social engineering not as a technical problem requiring a technical solution, but as an organizational culture challenge that demands human-centered approaches supported by appropriate technology.

Success in this environment demands security leaders who can operate effectively at the intersection of technology, psychology, and organizational behavior – a skillset that traditional security training rarely develops but cloud-era threats increasingly require.
