June 19, 2024

00:43:53

Episode 264 Deep Dive: Christy Wyatt | Cyber Resilience In Today’s Threat Environment

Episode 264 Deep Dive: Christy Wyatt | Cyber Resilience In Today’s Threat Environment
KBKAST
Episode 264 Deep Dive: Christy Wyatt | Cyber Resilience In Today’s Threat Environment

Jun 19 2024 | 00:43:53

/

Show Notes

In this episode, Christy Wyatt, President and CEO of Absolute Security, brings attention to the lack of maturity in the cybersecurity ecosystem compared to the regulatory environment. Her discussion delves into the disparity between the accountability on a Chief Security Officer (CSO) and a Chief Financial Officer (CFO), and the importance of responsible behavior, accountability, and conversations about risk tolerance and investments to mitigate risks in cybersecurity. Christy also emphasizes the need for continuous testing, measuring impact and probability, building roadmaps, aligning risk appetite, and maintaining resilience in the cybersecurity journey. She tackles the significance of cyber resilience in maintaining security posture and responding to incidents, along with the key steps involved.

Christy is President and CEO of Absolute, the only provider of self-healing, intelligent security solutions and the only endpoint provider embedded in over 600 million devices globally.

A Silicon Valley veteran, Christy has deep experience and expertise spanning cybersecurity, enterprise mobility, embedded platforms, IoT, enterprise software, and data science. Prior to Absolute, she served as the CEO of Dtex Systems and Chairman, President, and CEO of Good Technology (acquired by Blackberry). Christy has also held a variety of technology leadership roles at Citigroup, Motorola, Apple, Palm, and Sun Microsystems. She currently serves on the board of directors of LM Ericsson and Silicon Labs, and has previously served on the boards of Quotient Technologies, Good Technology, Dtex, Centrify, and the Linux Foundation.

Christy was recently recognized as CEO of the Year by Globe and Mail. She has also been awarded one of the Top 50 Women Leaders in SaaS in 2019, and has been named one of Inc. Magazine’s Top 50 Women Entrepreneurs of America, Information Security’s CEO of the Year, and a Fierce Wireless “Most Influential Women in Wireless.”

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: The cybersecurity community is quite good at peer networking and sharing best practices between organizations, especially within verticals. And it's great insight, again, to share between management and the board, because I think the board is trying to calibrate, you know, are we doing enough? Have we thought of all of the things? Is there something that we're not seeing? And one of the best ways to do that is by listening to folks outside the building. We often get so deeply entrenched in the thing that's right in front of us. Getting that third party view is incredibly helpful. [00:00:32] Speaker B: This is KBC as a primary target for ransomware campaigns, security and testing, and. [00:00:39] Speaker C: Performance risk and compliance. Take that data and use it. Joining me today is Christy Wyatt, CEO from Absolute Security. And today we're discussing the power of cyber resilience. So, Christy, thanks for joining and welcome. [00:00:55] Speaker A: Thank you. Thank you for having me. [00:00:57] Speaker C: Let's start with the term cyber resilience. Now, I want to ask you do this sort of term has been overused in the market because I hear, I've heard it a lot, especially a couple of years ago as well. A lot of people sort of banging around on social media saying, you know, we've got to be more cyber resilient. What are your thoughts? [00:01:14] Speaker A: You know, I think of it less, as it certainly is a very used term. And when that happens, we tend to get a little glazed eyes when we hear it. But I think of it less as an overused buzzword and more as an emerging category. When we look within global organizations, banks, governments, et cetera, we're actually seeing sort of a third leg of the stool. You have your CISO, you have your CIO, and then you have your cyber resilience team. And so I see it more as an emerging category and emerging set of capabilities where security and it, and think about the overall effectiveness of the investments we're making in security. [00:01:52] Speaker C: So when you say an emerging category, what does that sort of look like from your perspective? [00:01:56] Speaker A: So if you think about the other two legs of the stool, right. Typically, you have your security professionals who are thinking about all of the bad things that could happen and what are the mitigations or controls or technologies we can put in place to prevent those bad things from happening. If you think about it, oftentimes endpoint management or the technology team within the organization is responsible for the deployment. So how does that technology actually land on your device? How does it get installed? How does it get updated? How does it get fixed? The cyber resilience component, either of that work or that third department, depending on the size of the organization, is really about how do you build that with a higher level of fidelity. So believing that not everything is going to go perfectly, how do you maintain your security posture? How do you respond or adapt when things actually start to go wrong? And things can go wrong in any number of different ways. And so when we think about a security breach, we often think about the bad thing that happened and maybe the data that was taken or the ransomware that was demanded. And how do we get that bad thing off of all of these other systems? The part that we typically don't talk about, it's not quite as sexy or fun is then who's going to come and mop that up? Who's going to get that all back to work? If you had 5000 employees working remotely and they all just got disconnected because they got impacted by malware, how do you actually get those users back up and running? If you're relying on something like a crowdstrike or tanium to protect you or to find those bad things and those security controls become disabled, it did their job, they installed it. But who's going to prop it back up again? And so cycle resilience is really about making sure that we have the adaptability and the responsiveness to maintain our security posture and to get the business back online. [00:03:51] Speaker C: You know, that's a great point because I'm really at the coal face of this industry, speaking to people like yourself all over the world, all different sized companies, et cetera. And that is a very valid point that you raised around like who is going to sort of mop that up? It's something that I have observed in the market around, well, what sort of happens after, you know, an incident happened or there's a ransomware attack or something happened? No one really talks about, well, what happens next? So what does happen next from your sort of point of view? And how sort of effective do people sort of get back in business and back up and running like they were before the incident happened? [00:04:22] Speaker A: So if I just sort of set the stage for a moment and think about the fact that most organizations still have at least some percentage of their population working remote some percentage of the time, depending on where you are and what industry you're in. And so, you know, the answer used to be if your security application that you're relying on for multi factor authentication, right? Challenging you when you're logging in, if that stopped working, you would pick up your laptop and walk over to the it department and say, could you fix this for me? Or they would come and knock on your door and say, please, let us fix that for you. If you got hit by ransomware and you were, you know, sitting in the office again, something bad happened and they would say, no, no worries, fix it. Now. When you have employees that are broadly distributed, the world is very, very different. So, you know, when we talk to customers and we say, so what do you do? I was talking to a global bank a little while ago and I was asking the CISO, so if you had 5000 systems impacted, what do you do? And they said, no, no, we have a disaster recovery plan. We know exactly what happens. We have a playbook. Certain number of people get into the local office, they work on clean systems and we can continue to, you know, take transactions or continue to conduct business. And I said, so that's great. But then, then what do you do? He's like, I don't understand. We're back up and running. And I'm like, yeah, but like that long tail, like, what do you do? You've got 5000 people out there who can't do their job. So what do you do? And the ugly answer is, you know, they box it up. They send you a FedEx box, you box up your system, you send it back in. Or if the security application has been taken down, you again get to a local office or box it up and send it back in. Or you get online with tech support and they try to step you through it remotely so you can do it. So these are bougie, expensive, slow systems that are not working at the speed of risk. And so when we think about cyber resilience and how to think about that differently, we're really kind of thinking about how do we do that at that moment in time and how do we minimize the downtime for the user. And it's important to think about, we're applying resilience at different moments in time for different reasons. When we think about your security posture, let's say your organization has said you need these five applications always installed. It could be encryption, it could be your multi factor authentication tool. Whatever it is, they're special sauce for how they're going to protect you at that moment. We're really focused on prevention and detection. And so resilience in that world means how do we make sure those applications are always up and running and that they're always protected later on if your device actually becomes compromised? We're thinking about resilience differently. We're thinking about how do we mitigate the risk, how do we contain the risk how do we defend against that attack? Or if we have to, how do we rebuild and restore that device so that the user gets back up online? It's really about that adapting and response after the fact you mentioned before. [00:07:14] Speaker C: Like, how do you think differently about cyber resilience? Do you think maybe there's just different versions and definitions that people have in their mind and therefore gets a little bit convoluted on, like, what this actually means? And then, furthermore to that, do you think people are actually even thinking about this? [00:07:30] Speaker A: When people think about cyber resilience, you're really thinking about kind of these four steps, right? You're. You're thinking about, how do I prepare, think about all of those bad things. How do I protect? What are the things I have to kind of go put in place to protect? How do I respond when something bad is happening? And then how do I recover? Like, how do I clean up that mess? And so I think it is not really about interpretation. It's about what is most appropriate, about keeping shields up and maintaining the integrity of the business. We like to talk about the technology. People like to talk about the breach or the attack and the. But what we're really protecting is the business, right? How do we keep the business up and online for a long time? And I have a very large customer who used to say, this is the third question. When the CISO has to stand in front of the board, they ask the first two questions. What bad thing could happen? Did we install the good thing that could prevent the bad thing from happening? Nobody ever asked the third question, which is, is that stuff working? And are we protected? And the reason is because nobody had a really great way of measuring it. And so this evolution, as I talked about, cyber resilience coming to its own, it's really about a maturing of the tools and the frameworks and the visibility to be able to see. Right. Are we protected? To be able to measure our response, to be able to measure our adaptation? So it is that really that third piece, that third question, or that third leg of the stool. [00:08:52] Speaker C: So on that note, how would you measure if it's working or not? [00:08:57] Speaker A: Well, I think there's a variety of different ways to do it, but the way we do it, and I'm very specifically talking about endpoint security now, because cyber resilience is much broader. Right. There's a view of this, about cloud security. There's a view of this around network security. But if I'm thinking very specifically about endpoint security, what we're constantly measuring, and it's not just at one moment in time. It has to be continuous, is we're really measuring complain where an organization has asked those first two questions and said, I know what five things should be installed to protect me from the five bad ideas that could come after me. What we're continuously monitoring is, are those five things installed? Are they working? Have they been tampered with? Have they been corrupted? Did they miss an update? And I realize these sound like very basic things, but you understand the complexity of the systems that you're working on right now. There's over 300 different versions of Windows ten with a variety of different configurations and patches. The average device has 100 applications on it. Maybe a dozen of those are security applications. Every one of those apps has its own update and upgrade cycle. You have a variety of different network configurations and firewalls, I mean, the layers of complexity. And so there's a whole host of reasons why things could stop working. The way we look at it is we're just constantly testing that compliance, and if we see something that has either stopped working, been removed, tampered with, we will reinstall it, reconfigure it, we will call home and redownload it and bring it back up again. And that's really because we're uniquely positioned in the hardware itself. This is actually really helpful. When you're thinking about things like zero trust or comply to connect, these are some new security architectures or strategies where folks are thinking, listen, compliance is a big part of security. It doesn't matter how much money you've spent on security, if it's not running, it's not protected. That is the first line of defense in resilience. [00:10:51] Speaker C: Talk to me more about comply to connect. What does this sort of mean when. [00:10:55] Speaker A: I say the old world? I'm talking about a world where all of our employees used to come to the office, and we used to have this secure perimeter, and we used to trust that if you had gotten through the front door with your badge and you've been able to log into your system and onto the network that you were who you said you were, and we're going to give you access to everything, everything that you're entitled to, we sort of shifted to started having this conversation about zero trust, which essentially says you may be on the company network, you may not be, it doesn't really matter where you are. I want to continuously understand the context of what you're trying to do. Are you really who you said you are? Are you in a location I recognize? Are you doing behavior that I think is consistent with what you've done before. Is your device compliant? Is it secured? Are the things I'm trusting. So an example would be, I may not let you access the same set of applications or the same data. If you're sitting in an airport in a foreign country that I never expected you to be in, and you're sitting on an unencrypted device in an insecure network, I'm going to treat you differently than if you're sitting in a trusted, secure space and I've really authenticated you are who you are. So that's zero trust. Comply to connect is kind of taking that one step further and saying, you know, before I even let you connect to the network, I want to ensure that shields are up. And so I'm going to test for that compliance. I'm going to look and make sure that your encryption is running, that all of the things that I'm trusting, including your zero trust tools, are actually working and effective and functioning before I'm going to let you connect. And some that if you try to connect to the network and you're not compliant, you're on an insecure network, you're not running a secured device, whatever it might be. Most access capabilities would deny you the connection. That's great for security, but not great for productivity because you're telling employees they can't get their job done. Oftentimes you may see strategies where they'll quarantine that device. They'll say, I'm going to move, I'm going to let you connect, but not going to let you connect to the company network. I'm going to let you connect to this little base on the side where we're going to work on fixing whatever it is that's broken. So we're going to reinstall, we're going to redo whatever it is we need to do to get you to compliant, be compliant client, and then we're going to put you back into the network. [00:13:10] Speaker C: So I want to talk more about, you mentioned about the cyber resilience side of things, but then also I want to sort of draw the parallels between everything you mentioned before around checking to see if things work. How would then a company sort of determine whether they were resilient or not and then asking those right questions internally, because everything you mentioned before, like you said, it's quite complex and it's not sort of a binary answer straight away. It could take a bit of time and process to understand whether the company was resilient or not. [00:13:40] Speaker A: Yeah, we work very hard, and I think this is an emerging opportunity for our ecosystem, and we're just one of many, but we work very hard to publish very clear data. So we published research every year. We published it this year just prior to RSA conference, which is our cyber resilience index. And what we did is we took a look across millions of devices that are connecting to our enterprise service and sort of read out on the average compliance of those devices. And the facts are quite interesting. I think it's about 25% of the devices connecting to an enterprise are not compliant in any given moment in time. Maybe that doesn't sound like a big number, unless you translate that to mean $0.25 on every dollar you've spent on security is wasted because that's not actually protecting you or 25% of your attack surface is exposed. But what we can then do with customers is we can actually run that benchmark within our product, within their particular organization. So our product is actively giving them the resilience score, but it's not just measuring the gap, it's actually closing the gap. It's actually showing them that we can get them to 98, 99, 97% compliance across all their applications and keep them compliant over a period of time. So I think that as an industry, we're sort of working to use the data to not just show the risk, but also come up with sort of some clear scorecards and metrics that organizations can use with their boards. They can say, here's the investments we've made, and here's how well we're protected and are we comfortable with our risk appetite? Do we think we should be doing more or less based on the kind of business that we are? And I think that's just a sign of the maturing of this part of the ecosystem. We have great dashboards in other parts of risk management, but cyber resilience is one that is really sort of emerging. And I, we look at the regulatory landscape that's kind of evolving around security professionals. It's going to become increasingly important because nobody's really going to be comfortable with the answer. You know, how did you, why did you sleep well at night knowing that you were secured if you didn't actually have the scorecard to back it up? [00:15:50] Speaker C: Okay, this is interesting, and you actually were going down the path that I was going to ask you next around scorecards slash benchmarks. This would, im assuming it would vary, though, from vendor to vendor, because I have seen other companies out there, and they give you a risk rating and a scorecard et cetera, everything youve mentioned, how does a company then determine, because it feels like youre comparing apples to oranges, if youre looking at different vendors, how does that work from your perspective? [00:16:15] Speaker A: I think that many of the benchmarks and scorecards that youre seeing, they do reference common frameworks. For example, theres a broad ecosystem of, of vendors and partners that can help you assess your matureness or your readiness against something like a NIST framework. And so that's essentially saying, here's these different categories of risk. And have you deployed appropriate controls into those areas within cyber resilience, we're answering a different question. What we're saying is, of the things that you deployed, are they working well to protect you? Are we keeping those sort of shields up? There isn't a great industry standard for it right now. We think we have a very comprehensive way of doing it because we're the only one that can do it from the hardware up. One of the big challenges that a lot of other partners or other vendors might have is that they try to do it from the cloud. Well, here's the challenge. If your device has been compromised, the first thing they're going to do is disconnect you from your network. Now you no longer have meaning that that device is, I'm going to compromise a device. I may take down things like tanium or crowdstrike or other things that are trying to report that a bad thing is happening. So when all of those things go down, even if the OS goes down, the only thing that's still standing is kind of absolute because we're in the hardware looking up, not in the cloud looking down. So I think there are a variety of different strategies for how vendors may collect the data and how resilient or reliant that data can be. Oftentimes, folks use our data. They take data from multiple sources, and they line them up together, and they sort of say, I need a source of truth for what assets I actually have and what's actually happening. And I want to that to different sort of data artifacts that I'm getting from other systems. I really feel like, as an industry, the piece that we are missing is a consistent resilience framework for how we think about resilience from the cloud all the way down to the endpoint or IoT devices. That really is that measurement. Answering the question, are my investments actually working? And that would mean need to be instrumented differently in different areas. You would do it differently in a cloud than you would on a laptop. But ultimately, if you talk to CIO's and cisos. That's the view they want, right? They want the view top to bottom of. I've spent a lot of money on security over the last however many years. My board is asking me, am I protected? I want to show up with the receipts to show them that I've made the right investments against a common set of frameworks and that I am actually monitoring the effectiveness of those controls. [00:18:38] Speaker C: So on the receipt side of it, show the receipts. What are people sort of doing now as an interim step? Because you are right. And historically, I've done a lot of executive reporting, etcetera. These are the questions that people are asking. Hey, this stuff costs a lot of money. You know, I can't really see it. It's expensive. And you're sort of trying to justify the cost of these things, which are not, you know, chump change. So how can someone sort of start doing that effectively now? And as you mentioned before, there is no sort of consistent resilience framework out there. What would you advise on that front, Christy? [00:19:06] Speaker A: I'm of course, biased. So I'm going to say for endpoint resilience, you should have a network resilience, should absolutely come in and talk to Absolut, you know, I would say the boardroom conversations that I see a lot of companies having, that is that sort of third question, that we don't see them going all the way. We see them saying, here's the framework here. We tested ourselves against the framework. We deployed it. I have x percentage of visibility across all of my devices. I have x percentage of systems covered. But most of the time they're talking about that I have gone out and installed. What they don't have is the real time data to tell them, here's how many are protected right at this moment. But more importantly, here's what happens when they go down. Here's my resilience strategy for when an app fails, a device fails, a device gets hit. There is no such thing as a perfect deployment. This is all about rapid recovery. And so while there's a team of folks figuring out what bad thing happened, kind of going deep on that, there's a parallel team of folks focused on business continuity and getting it back up online, whether it's getting that app back up online, which we can automate and do without, without them touching, getting devices back up online, which we can do within minutes. But this is about, if you read some of these breaches, like I was reading about Clorox breach last, which was a well known breach here in North America last year. They reported in August, and they said cleanup of this event will go well until 2024. And so they're not talking about the cleanup of the ransomware virus. They're not talking about the cleanup of. They're talking about this. They're talking about how long is it going to take them to get all of these systems back up and online and people back connected and with the right data and the right access? I mean, it's a, that's the long, expensive tale that, that folks are trying to get their arms around. [00:20:53] Speaker C: And why would you say people don't sort of discuss this in depth? Because you are right. Like, what does this actually look like in terms of, you know, moving forward, long term impacts of businesses, continuity, et cetera? Do you think people are perhaps afraid to share those details? [00:21:08] Speaker A: I think because the data visibility hasn't been perfect, and so it's been very, very hard to measure. And if you didn't have something, and I'll just, again, stay focused on endpoints for a moment. You know, you can try to collect the log files from 15 different applications and try to correlate them and see, are they all talking to the same devices? And is anybody missing? Like, it's messy and it's complicated and it's a big data problem. So if you don't have something like absolute, that kind of has that permanent connection to that device, that's kind of giving you that source of truth, there's a lot of messiness in trying to piece all of the different data pieces together and say, what is my truth? What is actually working? There's also a latency to it. If the device, let's say you had ten applications on a device and something was going wrong and three of them got taken down, it's going to take the team a while to see that there's an absence there because other things are still working just fine. And so the other third piece that we hear a lot from customers is just the alert fatigue. Right. Even if those devices, even if something does throw a signal and say, hey, by the way, these three applications stopped calling in from that person's device, maybe something's going on there. It's sending it to a human who is getting thousands. The signal to noise ratio is massive. And we all know that there's a talent shortage in cybersecurity. And we've read all about the breaches where bad things were happening and they were getting alerts, but they were buried in a bunch of noise and garbage that nobody could pull out. And so if you don't have that source of truth and that anchor into something solid, we don't want to tell folks that something bad is happening. We want to tell them that we fixed something bad that happened. These things went down and we propped them back up. And you can go dig into the data about what happened and why, but we don't want to be sitting around waiting for someone to get around to see the next alert on the screen. [00:23:01] Speaker C: What do you think most people or companies overlook when it comes to resilience? [00:23:06] Speaker A: Because we spend a lot of time talking about on the it side, we spend a lot of time talking about asset management and asset visibility. On the security side, we spend a lot of time talking about risk management and ransomware. I just think that when you talk to these practitioners and you talk about the bad thing happening, there's so much going on and so much focus around, you know, how do we get to the other side of the attack that it's kind of passing the baton on to that third piece that says how do we mop up the mess? And it's not that, it's not in the conversation. When I ask folks, are you contemplating the cost of that? Are you contemplating, you know, when you're thinking about planning overall, do you, are you making sure that they have sufficient resources to be able to do that work? It's not that it's invisible, but it feels separate. It's like, okay, then I'm going to hand the baton off to those guys and they're all just going to clean it up. And so we do think that there is an opportunity as an industry for us to just shine a much brighter light on that and say, gosh, what would the cost of Fedexing 5000 laptops to a central place, reimaging them and sending them back out? And how long would that take? And you know, what could possibly go wrong? And there are certainly professionals who are obsessed with that and who are working on that. But it's usually not in the headline of the conversation. When we're talking about the breach, we're talking about the bad guy and the bad thing that happened and what flumsy thing enabled it. I mean that's where so much of our attention and honestly where so much of our spend goes. Right when we're, when we talk about the breakout of the spend within the cybersecurity industry, a huge amount of those dollars have gone into that detection and prevention bucket almost at the expense of some of the resiliency side. And so this is really about that shift and that balance kind of rebalancing. [00:24:54] Speaker C: So what you're saying is majority of the funds are not going towards the mopping of the mess historically. [00:25:01] Speaker A: I think that when folks are talking about their incident management plan, they maybe stop the tape before they get to the end. They sort of play out the exercise until they get, you know, the bank able to get transactions again or the retailer to be able to take orders again. They don't play the tape all the way to the end. They. So what is the actual long tail of cost and expense and damage that we're still dealing with long after the rest of that work is done? [00:25:31] Speaker C: Yeah, this is interesting because I was doing an interview last year, and I have interview, as you know, so many different people, people. And I was asking someone like, is there some sort of actuarialist out there that's actually predicted the cost, like you said, of like the long tail, cost impact, damage, brand, reputation, post an incident? And what are those numbers? I haven't really spoken to anyone on this show that has any sort of indicative numbers on that. Do you have anything on that front? [00:25:58] Speaker A: We have a lot of data about the resiliency and the gap and the exposure. And actually, this was a big point of conversation last week at the RSAC because, because we'd love to sort of dive in and take a look at that with a small group of folks who really kind of want to dig in and figure out how do you scope that and actually assess it? Because, as I said, especially in large organizations, it may be sitting in a different bucket. And so I would love to see the data. If you do find it on your journey, by the way, I'd love to see it because I'm right there beside you. I have not seen it in any quantifiable way. And I, when I look at a lot of these breach reports and the cost of a breach and the scope of a breach, it really feels to me that these numbers can't be baked into that. Like, the cost of a breach can't be $4 million if that includes all of the rest of this, all of the rest of this work. Right. I think it's an area where we have a high level of interest and also sort of chasing that down. A lot of our work has been very much focused on the exposure and really bringing to light customers who feel like on every other level, they've done a great job. They've done the NIST framework, they've bought the good stuff, they've deployed the good stuff, and they're sort of high fiving in the hallway and going, we feel reasonably good and haven't really had a lot of visibility into just this natural decay of your security posture that just naturally happened as a result of the complexity. And honestly, our focus is on helping them understand how easy it is to actually mitigate that. [00:27:29] Speaker C: And I run with another example. So here in Australia, there was a large insurance company that got breached. And so again, part of this interview that I was asking, like, and I know that people don't necessarily have data. It's something to really think about around. Okay, so people are still, even now, for example, Equifax people say, oh, well, you know, you guys got breached. There's still a bit of that. So with this company, insurance company here in Australia, is this going to go on for 20 years that they potentially they've lost new customers or they've lost retain customers? How long does that go on for because of that brand? And I guess it's really hard to put a number on. It's just something that, again, if you're doing board reports, you need to be able to sort of demonstrate, which potentially may result in getting more funding to say, well, you know, some very smart person out there has come up with some financial model that has said, well, you know, after a breach with this type of company, it could take 20 years to build back a rep, and it could take 20 plus years to start building back that customers that we may have not necessarily have lost before the breach happened. So this is something that there is still not a lot of transparency on, not a lot of fidelity on out there in the market. [00:28:35] Speaker A: I agree. We had an event last week, and we're talking quite a bit about this. And I think that one of the complexities to that is also the lack of maturity in our ecosystem compared to the regulatory environment. And I, I'm seeing this all around the world, especially here in North America, but we know that a lot of other countries are experiencing it as well, where we really, as an industry, have to separate this concept that a company is bad at security if they get breached, there are certainly those that have underinvested or not taken it seriously. But it's kind of, the analogy I draw is sort of, if we think about financial risk and fraud risk, we have a very mature ecosystem around there for how we measure risk, for how we talk about materiality, for how we measure materiality. We have checks and balances through auditors and internal audit. And we've, over time, sort of created the infrastructure that you can talk about risk in a safe way. And if a company misstate something and it wasn't fraudulent, it was just natural behavior. As the company's growing and there's some amount of risk within that, there is a. A framework of how we talk about that. Was it material? Was it not material? And I think that we don't have that same maturity. Certainly in the security ecosystem, we don't have that equivalent of auditors or checks and balances. We don't have that same level of definitions. You can't, you know, there isn't a consistent description among countries, among companies, among stakeholders anywhere about what materiality is. It was a material incident. It's kind of up to the organization and the board of that organization to describe what that means to them specifically. And yet we have this cyber regulatory landscape that wants to put almost the same level of accountability on a CISO that you have on a CFO. There's an interesting debate going on in the industry because they're a little bit out of sync. If you put the. That, that happens too soon, where the infrastructure is not there to support the same quality of risk management in cyber that we have in finance, as an example, then you're going to discourage folks from taking that career path. You're going to see the best and brightest want to go do something else because the personal risk is just too great. And if you think about that at a national security level, regardless of sort of where you live, that's not a good outcome. Right. We need to make sure that incredibly bright and talented people continue to come into our industry and, and protect our employees and their data and our businesses. So there is, I think, a maturing that needs to happen across our ecosystem that helps separate the reputational damage. If a company gets breached, that doesn't mean they did a bad job. It means that I actually had a CEO of a very well known company that's experienced a breach say to me, I have to get it right 100% of the time, and they only have to get it right once. Right. And there's really not another profession where we sort of have that same level of accountability. Company could do all of the great things. They can do the standards, benchmarking, they can make the investments. Somebody could come up with a zero day that nobody's ever thought about. And that is just a fact of life. And so what we're shooting for here is responsible behavior, people taking accountability, people having the conversation about what level of risk is tolerable. How much should we be investing to mitigate that? Are we being responsible with people's information and with. And with the assets of the organization. Are we being transparent about our behavior? That's kind of our commitment. It's not perfection. [00:32:17] Speaker C: Yeah, that's an interesting point. I want to go into this a little bit more. Do you think people are saying that, like, hey, we're responsible now? I asked this question because there was a company here in Australia, they had an incident, and I'm dealing now with their corporate affairs. And, you know, I'm trying to get a statement from them because I was like, look, I don't think you've been responsible because you gambled with your customers in order to. And I can't go into much of the specifics, but they basically gambled with. With their security controls with the intent of, well, if you put too many controls, it means that, you know, people are going to abandon their cart, which would then mean they're not going to make as much revenue. But they're like, no, no, no, we have been responsible. So I'm seeing a bit of pushback because obviously I'm in media, I'm going to ask the questions right, and people want answers. So I'm seeing pushback from companies saying, well, no, Carissa, we absolutely were responsible. But then if you really look at it underneath, it's like, yeah, but were you, though? That's the part that I'm still not sure about. Do you have any insight on that front? [00:33:13] Speaker A: I mean, I don't know the company or the breach that you're talking about, clearly, so I wouldn't know. And I would say, like any other industry, you certainly are going to find organizations who may not be living up to that level of responsibility. But I would say just because somebody identified that some bad thing could happen and that eventually that bad thing happened doesn't mean the company wasn't responsible. You know, when you go through these tests, you identify every bad thing that could happen, and then you're measuring and securing what is the impact and the probability and how do we mitigate it. And you build a roadmap and you're working your way through as many as you possibly can. And so there is always a long. And, by the way, if you did everything on the list, you'd run the test again and come up with a new list. Somebody said at an event I was at last week, could you have a zero risk world? If you were willing to spend enough, possibly you could. I don't know what that would look like because we're always striving to say, well, okay, we figured out how to solve and protect against the things we know now, what are the next bunch of things we didn't think about? And that's where this concept of risk appetite for the board is really, really important. Right. I think there needs to be an alignment between these security professionals and the board of directors about what is the risk appetite. Are we well covered? Do we have resilience? Do we have coverage? Is there exposure? And are we comfortable with where we sit within that? That is a tricky set of conversations to set up with the board and the security team. But I think increasingly, as an industry, we're seeing more boards take on cyber experts. We're seeing that become a bigger part of the conversation within audit or within some other committee. And it's critical, right, because that is not an individual decision. That is really a board conversation. [00:34:53] Speaker C: So one thing that plays on my mind is staying the course. There are a lot of people out there. I mean, I sort of. The analogy I draw upon is like, going to the gym at the start of the year, everyone's like, hey, I'm going to go to the gym. I'm going to lose weight. But then by, like January 15, everyone's back in bars and pubs and they've forgotten about that journey, right? So then the same thing applies to, hey, we're going to embark on this resilient journey. One thing, but how do people sort of stay the course and manage that stamina towards it? Because I've seen it's easy to get started or say you're going to do something, it's a lot harder to maintain it. [00:35:25] Speaker A: That really is the whole purpose of cyber resilience is because if we talk about the prevention and detection, we think about all of the things that we should buy and install to protect our organization. And those are big projects, take a long time, and then we, we go and we do the work and we install them. It is a little bit like you went to the gym and you lost that ten pounds and you're feeling great, and then you, like, high five, and then you're like, I suppose I could have another glass of wine or I could have dessert. I'm sure it's fine. And you're right, it's not a one time moment. It's not a one time event. And that really is what this shields up. Cyber resilience really is about. It's about how are you maintaining that cybersecurity posture? How are you maintaining of the investments you made? How do you make sure that they're still going? And then how does your overall security process within the organization, how do you make sure that that is an evergreen conversation, that as you are identifying new risks, they're getting sort of incorporated into the process, and that you have a consistent way of measuring those and sizing them and scoping them and planning them and sort of lining them up. And so, you know, that is a huge part of, as I've described, this third leg of the stool. Pen tests are great, benchmarking is great, but those are moments in time, right? What you really need is this continuous monitoring to make sure that you are continuously keeping yourself protected and secured. [00:36:51] Speaker C: So I sort of want to zoom out now for executives, because this is an executive podcast that are listening. How do you sort of start that quest to being more resilient? Now, it does seem like a very rudimentary question, but I asked this because, you know, people are, they're busy. They've got a lot of things on their mind. They're trying to keep their head above the water. They're trying to hire more people. They've, you know, they've got all these requirements out the eyeballs. How can people think about that and then start to move down this sort of path? [00:37:18] Speaker A: If you are a senior executive within these organizations, I would say start asking the question, what benchmarks and data are you using to ensure that the investments we've made are actually protectable? I know we bought these things. Are they running? Show me that they're running. Show me your benchmark data. Against these frameworks, the NIST frameworks, how do I rank against my peers? I do think for organizations, it's very helpful to get an external voice as well, because the peer benchmarking or the peer feedback is actually incredibly helpful when you are trying to determine your risk appetite and calibrate that and make sure that you're doing all of the things that sort of line up with that. It is very helpful to get external voices, consultants, et cetera, that can provide that third party view. I'm not just talking about pen tests. Running a test to tell you all of the scary things is helpful as an input into that process. But I'm talking about benchmark of companies in your industry, in your size, in these kinds of parts of the world, or whatever the unique dynamics of your business are. Are they thinking of things that you haven't thought about? Do they have data or benchmarks or risk controls that you haven't thought about? And so there are external voices you can get to kind of help you get that external voice. There are industry associations or industry events, you can join and kind of do peer networking where your folks are talking to your peers. I'd say the cybersecurity community is quite good at peer networking and sharing best practices between organizations, especially within verticals. But that's invaluable insight, and it's great insight, again, to share between management and the board because I think the board is trying to calibrate. Are we doing enough? Have we thought of all of the things? Is there something that we're not seeing? And one of the best ways to do that is by listening to folks outside the building. We often get so deeply entrenched in the thing that's right in front of us. Getting that third party view is incredibly helpful. [00:39:19] Speaker C: So when you say benchmark against peers, do you mean, for example, like a bank, what they're doing versus what another bank's doing? Is that what you mean by that? [00:39:25] Speaker A: Correct. So if you network, if I'm a CISO or an executive and I network with other executives in my vertical industry, there is often forums where there's a lot of sort of peer to peer sharing about risks, about controls, about tools. And so that's, that's very helpful. You know, you can go and look at other participants and kind of the risk, like the large audit firms, et cetera. Many of those have frameworks and consulting and advisory services where they can give you really great feedback around how you're doing versus industry, how you're doing versus sort of categories or cohorts or against common standards or frameworks where they exist. And so that's all very helpful in kind of doing that calibration for are we doing enough? [00:40:10] Speaker C: And would you say that sort of coerces people to say, well, maybe we're not doing enough? At the end of the day, no one wants to feel like they're lagging behind versus their peers. Right. So do you think even having that peer to peer conversations is encouraging people to step up and do more? [00:40:26] Speaker A: I actually think the peer to peer conversations help people understand where folks have had success versus not so that they can avoid making the same mistakes and wasting time. And we're all, if you're in a battle, the last thing you want to do is go die on a hill that others before you could have told you, yeah, no, that's not the one. Go do something else. And so I think that that is really a way to kind of get efficiency and scale and speed and agility. I think that there is a reluctance, there is a fatigue that's in our industry right. There is a very significant conversation going across the cybersecurity industry right now that folks, they are tired. I don't think that a cybersecurity professional is under any illusion that they're ever going to have a queue of zero of things to go be concerned about or work against, or they're ever going to feel like they're funded enough or that they've got it all under control. That is just the nature of our industry. We care deeply and we want to do more and we want to make sure that we've thought of every single thing. But we also are very aware that there is a constant flow of new risk coming in. I think that so long as you've created a safe space where people can talk about risk, they can talk about the relativity of risk and the prioritization of risk, and that that is kind of a safe place to have those discussions, then I think it's actually a very healthy dynamic. [00:41:45] Speaker C: So, Christy, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today? [00:41:50] Speaker A: I would probably leave where we started, which is, I really believe if you're thinking about your cybersecurity strategy and you're not thinking about cyber resilience as a part of that strategy from are your controls working? How are you automating the resilience of those controls? How are you going to get the business back online if something back, something bad happens, if that's not a part of your tabletop exercises, if that's not a part of your budget planning, if that's not a part of your holistic approach to defining, managing, deploying and maintaining your cybersecurity posture, then there really is kind of a big piece missing to the conversation. We see a lot of organizations, when they find themselves in that crisis mode, they start thinking, oh, so and so needs to do this. Wait, that person can't connect right now because, you know, we've got shields up, they can't get in anymore. They're, they're working remote. Right. That's not the moment in time to go, oh, gosh, we didn't really think about that part. This has to be a big part of the conversation. And I do think as an industry, we have to come up with a way of, of putting better sort of scorecards in and dashboards around it that really help give boards and management team visibility and answers the question, is our investment worth? [00:43:11] Speaker B: This is KVcast, the voice of cyber. [00:43:15] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. [00:43:23] Speaker B: This episode is brought to you by Mercsec. Your smarter route to security talent Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out more at merck sac.com today.

Other Episodes