June 12, 2024

00:36:01

Episode 262 Deep Dive: Chris Hockings | IBM’s latest X-Force Data Reveals Top Spam Trends, Campaigns, and Cyber Weapons of Choice in 2023

KBKAST

Show Notes

In this episode, we sit down with Chris Hockings, CTO Security Asia Pacific, from IBM as he discusses IBM’s X-Force Threat Intelligence Index 2024. Chris delves into the shifting tactics of ransomware groups, the need for quick innovation in response to cyber threats, and the importance of mitigating vulnerabilities in critical infrastructure. We also discuss the rising use of valid accounts by cybercriminals, the challenges of implementing advanced detection and response mechanisms at scale, and the fundamental building blocks of cybersecurity. Join us as we uncover key insights from IBM’s X-Force Threat Intelligence Index 2024 and gain valuable knowledge on cybersecurity trends and strategies to address today’s biggest security challenges.

Chris Hockings is the CTO for IBM Security Asia Pacific. He represents the IBM global security strategy and vision across the region and in doing so engages with leaders across government, industry, and partnerships. Chris has been a leader across all facets of software, including global research and development, support, service, and market engagement.

Read the IBM Security X-Force Threat Intelligence Index 2024.


Episode Transcript

[00:00:00] Speaker A: It is a cat and mouse game in terms of how quickly we can look at trends and see where those attackers are moving to and how quickly the industry and the innovation in the industry around startups are responding to that, and then getting consumed by large vendors who can then scale it out globally. So there's absolutely a lot of complexity here in terms of changing IT landscape. The attacker's perspective keeps switching. We have compliance demands coming through, but over time, I'm seeing those converge a lot faster because of the focus on cybersecurity that wouldn't have happened in, you know, at least five years ago.
[00:00:42] Speaker B: This is KBCS.
[00:00:43] Speaker A: Are they completely silent?
[00:00:45] Speaker C: As a primary target for ransomware campaigns.
[00:00:47] Speaker A: Security and testing and performance and scalability, risk and compliance, we can actually automate those, take that data and use it.
[00:00:58] Speaker C: Hello, today is Chris Hockings, CTO Security Asia Pacific, from IBM. And today we're discussing IBM's X-Force Threat Intelligence Index 2024. So, Chris, thanks for finally joining and welcome.
[00:01:10] Speaker A: Thanks, KB. It's great to be here with you finally.
[00:01:12] Speaker C: So just for everyone listening, we will be linking a copy of the report in the show notes. But for those wanting to just dive a little bit deeper, we're just going to be discussing sort of the main insights and points derived from their report. So let's start with one of the key insights that I'll read out. So, global identity crisis. The report observed a 71% increase in the volume of attacks caused by use of valid accounts. Represented the cause of one in three attacks globally. That's a lot. So talk to me a little bit more about this, Chris.
[00:01:43] Speaker A: Yeah, it's an interesting statistic in this report, and this is really an increase in year on year use of these valid credentials.
And so for the first time ever, using valid accounts was the cybercriminals' most common entry point into victim environments. And that represented what we saw as a 30% increase in all incidents that X-Force responded to in 2023. And so you look at the attacker's perspective, you're thinking of what's the easiest way to get into environments in order to fulfill their objective. And this is a new tactic they're obviously doubling down on. And it means if they're doubling down on it, it's working. And that's, that's for now. So, you know, if you think of them wanting to get to the ultimate prize, which is often extortion, this is, this is being seen now as a primary attack vector that they're using to get started, to get to that.
[00:02:36] Speaker C: And just so on the same page, would you be able to define valid accounts and what that means for people listening.
[00:02:41] Speaker A: A valid account is one that we would use. So if you're working for an organization, it's an account that is valid that people are using every day to perform their work. And, you know, and these credentials that they're using have often been phished or stolen from previous attacks. So the source of those valid accounts, maybe through the dark web, etcetera. And, you know, I think it's one of the very interesting points about this is that it's very difficult to detect this type of attack because obviously, if, KB, you're logged in and there's another account that's active. At the same time, it's difficult using protection mechanisms, of course, to detect whether that type of attack is happening in real time. So you've got to be much more advanced in terms of analytics and you need better detection systems for that type of attack. Now, from a consumer perspective, one of the things that Apple and Google and others are doing, you even know yourself if using those devices is they're starting to tell you that there's a password that you may have that might be seen in one of these repositories.
So that's really a good example of a valid account being used by attackers to get into organizations to ultimately try to inflict the damage they want to inflict or gain the monetary objective at the same time.
[00:04:05] Speaker C: Well, you sound like your experience, one in three. That's, that's a lot. Would you say, did that sort of surprise you when you were reading that in this report?
[00:04:13] Speaker A: It did surprise me, but it's not something that I would think would be surprising in general in terms of, you know, the motives that attackers will use to get into organizations. Right. So, yeah. With them, with all those harvesting of credentials happening over, over the years, organizations are investing in access control. And if you look at some of the statistics available, there's a lot more funding around access management, authentication, multi-factor in this country that's also happening from a government level. You would have seen campaigns most recently from our minister talking about how important it was to have strong tasks, multifactor authentication. And so that's a consequence or a reflection of the, of the growing intelligence out there that suggests that attackers are using this as an easy entry point for getting into systems, and it's actually very easy to do as well. Right. So if you're an attacker, it's much more difficult to exploit a vulnerability, launch a campaign that ultimately could be detected within security intelligence systems or SIEM systems. But this one, it's a much more stealthy attack where attackers are really hiding in plain sight, and it's very difficult to see where they're, where they are at any one point in time.
[00:05:31] Speaker C: And you said before, you have to be pretty advanced to be able to detect this. So what do you mean specifically by that? Because if it's one in three, I'm guessing people are just going to have to start to become a bit more advanced.
[00:05:42] Speaker A: Yeah, what I mean by that is that if you look at a lot of the detection and response mechanisms that many organizations have deployed, some of them are driven by compliance of compliance mindset, which is log collection and then correlation. And a lot of those systems are designed to find known bad in your environment, but it's not seen as that with correlation systems. So you actually need to uplift your ability to detect anomalous activities across data sets that you have visibility on. The use of modern techniques like AI is really helping in this area. User behavioral analytics is a trend that's been around for some time, because those systems, what they do is they look at data across a set of systems and that could be endpoints or applications or databases, and they build up a baseline that would be normal. And then if there's something abnormal happening, it will raise that up and an analyst can go and investigate, or a reaction can happen in real time. And so if you look at our database technology, at IBM, our security intelligence platform QRadar, we have this type of function baked in for this specific purpose, to try to find that hacker in plain sight. As I said before, across a set of data that's quite complex, you need a lot more intelligence and sophistication in your threat detection and response system than most organizations would have today.
[00:07:13] Speaker C: Do you think companies are aware of that?
[00:07:15] Speaker A: I believe that the upper end of town, for sure, the most sophisticated organizations are certainly aware of it. Being aware of it is one thing, but their ability to actually implement this type of approach at scale is much more difficult. And the world though, is moving towards a much more integrated, what they call a cybersecurity mesh.
We follow an open platform approach at IBM, where that infusion of analytics at that user experience level to detect these types of things across systems that are not necessarily detected, is a core fundamental of our approach. So it's not a case of not knowing that it's needed. It's often a case of how do they fit it into the budgets which are stretched, and how do they get those systems in front of the people that need them in order to see these types of attacks?
[00:08:09] Speaker C: Yeah, that's a good point. I was actually going to ask you that because, I mean, I'm interviewing, what, two people a week or more? And when I'm speaking to each individual, like everything that they say matters, it makes sense, but ultimately, like you said, like fitting it into the budget. How does sort of one go about prioritizing these types of things? Is it about using this interview slash the report to say, hey, this is what is happening out there? Do you think that moves the needle in terms of the budget or how does that look from your perspective?
[00:08:37] Speaker A: I think it's very important that the trends in these reports are studied, and it might only be at the kind of the executive level, the key points, because the trends often highlight tactics that organizations can use to counter these current threats. My personal opinion, and one that I'm quite passionate about, is innovation and technology disruption in general. I see a need in our industry for a lot more risk taking, I would say, in terms of the way that this problem is looked at and how those new architectures and approaches need to be deployed in order to maximize the benefits of these new capabilities like AI. And so my general impression is that without a constant and continuous innovation program across your threat detection systems, your data security systems, identity, then you're going to be left with a largely legacy and monolithic approach to solving this problem.
And that needs new skills, diverse workforce, and the embracing of some of that through what would be traditionally something that was dominated by a few people that know everything about your environment. So I think it's quite a sophisticated need that, you know, we can't just sit and kind of use that phrase. I should be right. We'll get to it. We actually need to have a continuous disruption and innovation program as part of our cyber initiatives. And from a budget perspective, we see that every day with every customer struggling to keep up with the costs, because some of those monolithic practices are simply swallowing up, swallowing up way more budget than they really should. And the outcomes of these programs are not well measured and quantified in terms of the business benefit.
[00:10:31] Speaker C: You said before, we've got to take more risks, which makes sense. Then it's always about, we've got to reduce the risk. So how do you sort of find that balance between having that mindset around, we got to take more risk to akin to your point earlier, but then balancing it with making sure it's a calculated risk.
[00:10:49] Speaker A: Yeah, it's a good point. It's very easy for CISOs and technology leaders to look adjacent at their competitors or peers in other organizations and say, well, this is how they do it, and we should do it that way. But unfortunately, if you're not at the leading edge in terms of knowing what the industry's building, how that's being delivered, what impact that has on your cost base and your speed, and how you scale all these things are very important, then you're going to be left with this budget problem and you won't be able to get across your attack surface at the speed by which the attackers are coming at you. When I talk about risk, it's not cyber risk. It's that we need to innovate and disrupt our traditional or legacy thought process around how this problem needs to be resolved.
Because in the days gone by, some of it is compliance driven. Today, though, the attacker has the advantage, and the attacker perspective is a lot stronger as our IT infrastructure has expanded beyond on a premise environment. Right? So complexity is high, attackers have an advantage. If we have a legacy view of how this problem is tackled, then we're going to struggle to protect the organizations in the long run.
[00:12:11] Speaker C: You make a great point on innovate and disruption, but would you say that people, they say that, or they have an awareness, but then don't really do anything about it, because it's very easy to stand up there as a leader and say, yes, we're innovating and we're disrupting, but in actuality, that's not really happening.
[00:12:26] Speaker A: I'm from an R and D background. We have this lab on the Gold Coast at IBM that was formed as part of an acquisition of a company that invented online authentication. So we're still here building products. And one of the, one of the most refreshing things that happens is when people join your organization with new skills, and that might be young people, people from other industries. This diverse view coming into a team and suggesting ways to do things better is always good for those people that have been in those roles for some time now. I think from an innovation perspective, you don't have to innovate alone. There's a lot of roadmap development happening from the big vendors and the platforms that we're delivering, which foresee these problems and aim to deliver these platforms in a way that make it more efficient to scale out your operations. And I think when I talk about innovation, it doesn't mean that organization needs to sit and write code or build their own closed practices.
What I mean by that is having a good view in your strategy for what the ecosystem is delivering from a global perspective, and how the open community is also engaging in bringing that technology or some of the innovation through, and that might be threat detection rules, etcetera. I think that's the type of innovation that teams need in order to make sure that you don't continue to deliver or throw good money after bad with solutions that were designed for a different era.
[00:14:02] Speaker C: So how do you sort of get a good view? How does that look?
[00:14:05] Speaker A: There's a couple of different ways, of course, working directly with your vendors or your partners, and that could be a consulting practice as well. And making sure that you're speaking with the thought leaders in terms of who's setting the global agenda, how and why they're doing it. Why is as important as how? Because when sales teams come and talk to you about, you know, current features or products, these have been years in the making, and they've been designed and developed for a reason, for a problem that's known from a global perspective. And making sure you understand the why as much as the how can help you bring through some of those core fundamental architectural principles. So that would be number one. I mean, number two is that you just continue to ask the question as to, you know, are we following kind of the best practices? Is this sustainable? Will this scale? Longevity is a good indicator as well. How long will this system be relevant for? Is it still relevant today? All of those things are important. I think the third one is then what's the open community doing? There's a lot of open standards. IBM contributes to a lot of open standards, things like the Open Cybersecurity Alliance, OASIS. I mean, the strong authentication area with FIDO is a very good one.
So open standards is a very important piece of the puzzle because open technology standards help deliver things like interoperability. And with interoperability, you get better speed and scale outcomes in threat detection and response systems. There's a few. I mean, you trusted vendors, number one. Number two, keep asking questions as to how relevant and is the cost reflected in the benefits. And the third one is, what's the open community doing, and how do you infuse some of their practices into your business processes?
[00:16:03] Speaker C: But how would you determine who is a thought leader in the space?
[00:16:06] Speaker A: Well, sometimes it's the open community and what vendors are contributing to some of those open community practices. So that would be a good place to, I mean, these three things will connect together, I think, from a vendor perspective. The market leaders obviously have thought leaders, and so engaging with them and the right people in those organizations is important. And of course, those advisory firms who, I mean, all of them need to be tested. Having meetings and discussions and being open to that and listening for those types of cues can be done simply by accepting meetings from people that you think or you follow who share points of view, whether it be LinkedIn or wherever else, that fit your, I guess, your approach to addressing some of these areas.
[00:16:56] Speaker C: You said before, Chris, about people having a bit of a legacy view. Would you say that's pretty prominent still around this legacy view?
[00:17:04] Speaker A: I think it's common, I think it's human nature to continue to follow a particular path that's comfortable for you and has been in the past. So I think it's a human nature thing. And I think it's also difficult for people to take on new approaches and experiment in short iterations without feeling like it's going to be a major program.
So I think it's that openness to experiment, to design new ways of working, and to apply that to your existing approach, which starts to build some momentum. So, yeah, I think it's human nature that people gravitate towards those things that they think are comfortable.
[00:17:48] Speaker C: So I would switch gears now and go back on the report side of things. So one of the insights that I was reading is that ransomware groups pivot to a leaner business model. So what does sort of a leaner business model look like nowadays?
[00:18:02] Speaker A: So, you know, I guess we talked a little bit about and the trend down on ransomware that we saw in the report. Organizations have become a lot more adept to detecting these systems with new innovation, of course, coming through tools and technologies. There's lots of EDR being deployed, machine learning to detect when ransomware begins. Organizations have also become much more adaptive detection and response and rebuilding the infrastructure. So lots of organizations are opting against paying because they have a way to get back to the BAU. Right. So this loss of revenue kind of points to the fact that attackers are looking and pivoting at new ways of doing business because that's effectively what these people are in this for. And last year, for example, if you look at the statistics in our X-Force report, things like backdoors were being sold, access brokers were selling backdoors and was seen as a lucrative business. But now they're moving towards a business model where stealing information, credentials, harvesting them, making them available and selling them is a way to counter the loss of revenue in the ransomware space. So it's really just about propping up their business model with a new way of doing business.
[00:19:18] Speaker C: And I'm assuming that their new way of doing business is forever going to evolve.
[00:19:22] Speaker A: Right.
[00:19:22] Speaker C: Because they're criminals.
Of course they're not going to. They're always going to be evolving how they're doing things, making it easier, cheaper, faster, et cetera. So how do you think companies sort of handle that? Because we're always trying to have that one step ahead, which is difficult. Do you think that now people are a little bit more on the back foot? Because as we've sort of noticed in the last few years, like in the velocity now of things that are happening, you know, more things that not even I can report on every single thing that's happening out there in the globe. So what are you sort of hearing from some of your customers on that front?
[00:19:54] Speaker A: Yeah, it's exactly what you said. I mean, the attackers will move to the path of least resistance for them in order to get to the money. Right. But industry is responding at a pace that I haven't witnessed in my career because of the ability to innovate so quickly. Like if you look at, for example, attack surface management was something a couple of years ago or a few years ago was new, but most organizations, at least in the top medium to top end of town, would be performing scans or should be as to what's exposed on the Internet from the attacker's perspective and prioritizing the resolution of those problems as a priority because that's what the attacker will go after first. The industry is moving a lot quicker, and also businesses are starting to consume this technology more quickly as well. So I wouldn't say that it's a hopeless situation, but it is a cat and mouse game in terms of how quickly we can look at trends and see where those attackers are moving to and how quickly the industry and the innovation in the industry around startups are responding to that and then getting consumed by large vendors who can then scale it out globally. So there's absolutely a lot of complexity here in terms of changing IT landscape. The attacker's perspective keeps switching.
We have compliance demands coming through, but over time, I'm seeing those converge a lot faster because of the focus on cybersecurity that wouldn't have happened in at least five years ago.
[00:21:26] Speaker C: So then another stat that I was reading is that ransomware attacks on enterprises saw a nearly 12% drop globally. So why do you think there was a drop?
[00:21:39] Speaker A: So ransomware is not going away. I mean, that's what we observed in our X-Force responses, and that's our incident response team going out and, and resolving or helping organizations recover from those situations. So the gangs have obviously focused, and I talked a little bit before about enterprises becoming a lot more adept in detecting ransomware coming into your organization. And the good news about ransomware is it's quite a targeted type attack in terms of they're trying to get in through a phishing campaign. EDR is a good place to start. If you can stop them at that point, then you've got yourself a situation where you've prevented further impact from that type of attack. So EDR has become a very important piece of this puzzle. And the infusion of AI and looking at what ransomware gangs attacks look like has really helped. The backup and restore, as I said, has meant that attackers are finding it more difficult to get to the point where they extort the company for a ransom, but they're still motivated to pull data, get into the organizations and pull data, and to use that as the pressure point, which we've seen in the report. So it's still the number one objective is to get to the data for extortion. It's just that ransomware is not the primary. Well, it's probably still the primary, but there's definitely been a drop in the impact of that on the customers that we've engaged with.
[00:23:07] Speaker C: And then another interesting stat, which I'll read here, is 84% of critical infrastructure incidents where initial access vector could have been mitigated. So how does that sort of work?
And this is important because at the moment, a lot of my interviews, a lot of people talk about critical infrastructure, which makes sense. So I'm very curious then to hear your thoughts on this front.
[00:23:26] Speaker A: You know, as you mentioned, you know, I think if we kind of break that down, the mitigation for the, these attacks are what you would call basic, what in history would have called basic security in the past. And it's actually kind of some of the, some of the ways to mitigate these threats are really fundamental building blocks of cybersecurity, and some of them are actually baked into the Essential Eight. Right. So in majority of cases, 85%, as you said, 84%, the compromise would have been mitigated by things like patching and multi-factor authentication and least privilege. And so the fact that organizations have been unable to implement what we would have considered basic security suggests that it's not as simple as what people would say. And I think that's reflected in the findings from things like Essential Eight assessments that are done on organizations. It's quite difficult to build whole of organization controls that deliver widespread patching, multifactor authentication without taking some view of what a risk perspective might be on what patching to do first, where can you apply multi-factor authentication for the highest impact. So that's kind of what the 84% says, that it could be mitigated by some of those basic controls, or what I would call fundamental building block of cybersecurity.
[00:24:50] Speaker C: Do you think people have different views of basic security? Because, I mean, I've spoken a lot on this show, people talking about the basics, but again, and I've spoken about this so many times, like, people still haven't got patch management correct up to 20 years. Right. So we talk about things being basic, but are they that basic because people still aren't doing them as. As easy as it comes across?
[00:25:11] Speaker A: Well, I think that's the point. I mean, using the word basic almost is a negative, it has a negative connotation towards an organization's ability to do something that the word suggests is, is easy but widespread patching, implementation of a multi-factor authenticate authentication scheme for all users. Without context, you can't patch your way to security just because of the sheer volume of vulnerability. So I think we have to recognize that these things are not basic, but they're critical in terms of securing your organization against what the critical infrastructure statistics said was 84% of attacks.
[00:25:53] Speaker C: And do you think in your experience, Chris, people are moving more towards. Well, yeah, case, not basic, but it is critical. We now need to figure out a way to make this work.
[00:26:03] Speaker A: Well, I absolutely see a lot of trends. Even the government is talking a lot about multifactor authentication, and this is a good example, actually, of what we spoke about before, more where the open standards community, large vendors, and then motivation from government also plays a part. Right. So in the multi-factor authentication space, being very difficult to implement two factor authentication that's secure, but thanks to work in the open standards area around FIDO and what we now call passkeys. Passkeys being the global standard for phishing resistant authentication. These standards being consumed in things like browsers, is going to address multi-factor authentication. Widespread and from a citizen perspective, a user perspective. I would encourage all your listeners to turn on passkeys every time a website says that they support it, because it is a way to prevent the known access attack that we talked about at the very beginning of this podcast. And you'll see you're already seeing the government talk, implementing passkeys with a timeframe not yet defined.
But once Australians all have passkeys available to them on myGov systems and turning that on, we'll mitigate a breach or an attack on your account from outside without some kind of social engineering, sophisticated social engineering. So that's a good example of where it's not just companies saying that they need to do it. It's actually the intersection of the companies needing to do it and the innovation being made available to widespread globally that's easy to consume by vendors such as IBM or Microsoft, or collaborative organizations that deliver browsers and those types of solutions, it becomes pervasive and just part of our being on the Internet. So multi-factor authentication is a really good example there.
[00:28:01] Speaker C: Another stat here as well is that data theft rose to the most common impact for organizations at 32%. So what's sort of your commentary on that stat?
[00:28:12] Speaker A: Yeah, so data theft is still. So, as I said before, getting to the data is still an objective of the attackers. It's just that ransomware is reducing, data theft continues to be the objective. And so you need to look at this through an industry lens and apply, I mean, attackers just apply the pressure point more that a particular industry might be more susceptible to. Ransomware attack might be really effective in a hospital or medical scenario. Data theft might be a much, an extortion might be a better way of causing pain. In a breach scenario where there's lots of PI data that can be monetized. One of the other interesting things that's happening longer term, and we could talk about this on another occasion, but stealing data that's encrypted, that can be decrypted later by quantum computers, is also something we need to be aware of. And quantum safe is becoming a major talking point in the industry, simply because these quantum computers, and IBM is a leader in building these quantum computers and the software stack around it.
They're suggesting that by 2031, there's going to be 50% chance that these computers will be able to decrypt data. So if attackers are stealing data and storing data, it's also a big problem that you'll face in the future, where the decryption of that data will reveal information that you wouldn't want in the hands of unauthorized parties.
[00:29:37] Speaker C: Just going back to the top industries, you mentioned healthcare, which I understand, what would be maybe two other industries that probably a bit more susceptible to these types of attacks, would you say?
[00:29:47] Speaker A: Manufacturing is always very high, and financials obviously is always high as well. I mean, they've got two different lenses to place upon them. If you think about their business model. Manufacturing often are building and delivering things for a widespread audience. So like attacking a supply chain and causing an impact on the supply chain has an enormous amount of downstream impact. And so attackers after manufacturing can disturb that supply chain, so they're susceptible to the pressure point of things like ransomware attacks. So they're always high. And during COVID we saw them being consistently the highest attacked industry and financials always high because I guess the distance of it between the attacker and the money is shorter through browser, through susceptible users. If attackers can monetize their campaigns by stealing money out of bank accounts, then that's going to be a prime objective. And that's why financial industry is always high.
[00:30:50] Speaker C: So you raised a good point before, downstream impact. Now would you say at times organizations lose sight of downstream impacts? Now, I asked that simply because I worked in a large organization myself. Sometimes you can't really see the needle move when you're one of 50,000 people. Sometimes it can be very easy to perhaps get lost and not really understand the overall objective.
So would you say with your experience, companies forget the impact, especially on the manufacturing front? [00:31:21] Speaker A: I think it depends on where they sit in the supply chain. Obviously, if you're building parts for a car that need to be delivered and there's a continuous automotive supply chain there that you need to fulfill, then you're acutely aware of your lack of ability to deliver those parts on time. That's probably obvious for those organizations. I think it's what's less obvious and something that actually the lens of that this needs to be placed upon the receiving body is probably in the supply chain of software. And software could be open source software, it could be third party software, procure that form a part of your supply chain. It could be AI models that you deliver on the Internet that others can consume. I think it's the risk of that today often falls upon the organization that consumes that content. And you'll see lots of discussion and trends where organizations are saying that the supply chain of software needs to be known. So that's always visibility is always the first step is knowing where information may be coming from, who's building it, how is it supported, what's included in terms of open source. So having things like software bill of materials is very important. And then connecting all of that together so that if there is an incident in the supply chain, you have a way to detect and respond or recover from situations like that. From a physical perspective, as a supply chain participant, it's probably obvious. What's less obvious and actually where the accountability breaks down is that if you're pulling data or software from a third party, where does that all lie? [00:33:08] Speaker C: Another point here as well is that, again, manufacturing, those were within the top, sorry, industry, within the top ten attacked industries at 25.7%. Do you have any of the other sort of nine attack industries? Maybe top five? 
[00:33:25] Speaker A: I don't have them off the top of my head, but it is in the report. We actually have an Asia Pacific view of that. So what I can do is we can share that and your listeners can access those reports because there is a difference in industry focus from a geography perspective. And a good example of that would be during COVID, Asia Pacific was not only the number one targeted geography, and that's a whole different discussion around financial supply chain, but also critical manufacturing processes. But the manufacturing was also number one in Asia Pacific. So the lens of opportunity placed upon time for an attacker will dictate which industries are high and which geographies are also high from a priority perspective. [00:34:15] Speaker C: So Chris, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today? [00:34:20] Speaker A: I think it's very important that someone in the teams of those listening don't just look at the IBM report, Verizon. The government produces lots of reports, and the knowledge you build up and the awareness you build up is really important in decision making. So number one, I think, number two, a continuous improvement process around disrupting what you would, what I would consider slow, monolithic and high cost approaches to addressing the bigger problems. Things like detection of a sophisticated attack is important. I think the third one is the things we'd call basic and not actually, and recognizing that they're not actually basic but are so important, and so aligning some of your funding around how best to do a risk based approach to things like multifactor authentication. Patching is a continuum that will live on forever. So those are probably the three things that I'd leave the audience with today. [00:35:18] Speaker B: This is KBKast, the voice of cyber. [00:35:23] Speaker C: Thanks for tuning in. 
For more industry leading news and thought provoking articles, visit KBI Media to get access today. [00:35:31] Speaker B: This episode is brought to you by MercSec, your smarter route to security talent. MercSec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out [email protected] today.
