August 09, 2024

00:39:53

Episode 272 Deep Dive: Wendy Thomas | Rethinking Trust and Security

KBKAST

Show Notes

In this episode, we’re joined by Wendy Thomas, CEO of Secureworks, as she talks about the pivotal importance of truth and consistency in executive and marketing communications, emphasizing the need for companies to demonstrate genuine change and sustained effort over time. She elaborates on the key elements of a sincere apology and recovery, pointing out the importance of understanding, action, and compensation to rebuild trust with customers. Wendy further emphasizes the economic lens through which trust and security should be viewed, underlining the interconnectedness and dependence on technology in daily life. Additionally, she addresses the harm of giving away personal data, the impact of data breaches, and the trade-off between security and convenience for businesses, ultimately calling for shared responsibility and collective investment in building trust and enhancing security.

As CEO, Wendy Thomas leads Secureworks to fulfill their purpose of securing human progress via innovative, battle-tested security solutions. She first joined Secureworks in 2008 leading Financial Planning & Analysis (FP&A), where she helped to execute strategic acquisitions that scaled the business and Secureworks’ IPO in 2016. As Strategy lead and Chief Product Officer, she developed the vision for Secureworks’ future, fueling the team that built and launched Secureworks® Taegis™. Prior to becoming CEO, Wendy served as President of Customer Success, where she drove a customer-centric approach to help organizations achieve better security outcomes. In this role, Wendy was recognized in the number one position in The Software Report’s “Top 25 Women Leaders in Cybersecurity of 2021.”

Wendy leverages over 25 years of experience in strategic and functional leadership roles, and has worked across multiple technology-driven companies such as FirstData, BellSouth, and Internap Network Services, Inc. Wendy is a graduate of the University of Virginia, with a double major in Economics and Foreign Affairs, and she holds an International MBA from the University of South Carolina School of Business.

Wendy currently serves on the Board at IonQ, an industry leader in quantum computing. Additionally, she serves as a Liaison for AFS Intercultural Programs, an international youth exchange organization, and is a member of The Executive Committee of the Metro Atlanta Chamber of Commerce. Wendy is an alumna of Leadership Midtown Atlanta, a program designed to propel established leaders to further serve their communities.

 

About Secureworks

Secureworks Taegis™ is a SaaS-based, open XDR platform built on 20+ years of real-world detection data, security operations expertise, and threat intelligence and research. Taegis is embedded in the security operations of thousands of organisations around the world, including in Australia, who use its advanced, AI-driven capabilities to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.

Secureworks generated $85.7 million in revenue for Q1FY25, with revenue from its Taegis platform growing 10% year-over-year in the first quarter, to $69.1 million. Taegis adoption in Australia is accelerating. The company processes approximately five trillion cybersecurity-related events across its global customer base each week, giving Secureworks a rapidly growing and diverse security telemetry of more than 50 petabytes across endpoint, network, cloud, identity and other business systems. 

Episode Transcript

[00:00:00] Speaker A: This is a shared responsibility, the building of trust. As customers of businesses, as leaders of businesses, we all have a shared responsibility as global citizens here to be willing to invest in just a little bit of friction, a little loss of convenience, to be able to be more collectively secure. Because while it may not be you today that's damaged by that breach, it is your fellow citizen who's damaged by it. And by caring enough to protect them, in the end, you're really protecting yourself, too.

[00:00:37] Speaker B: This is KBCs as a primary target for ransomware campaigns, security and testing and.

[00:00:44] Speaker C: Performance and scalability, risk and compliance. We can actually automate that, take that.

[00:00:48] Speaker A: Data and use it.

[00:00:52] Speaker C: Joining me today is Wendy Thomas, chief executive officer from Secureworks. And today we're discussing rethinking trust and security. So, Wendy, thanks for joining and welcome.

[00:01:00] Speaker A: Thank you for having me. Glad to be here.

[00:01:02] Speaker C: Okay, so when you say rethinking trust and security, now there's, you know, in my tenure in this space, which is about a decade or so, like, everyone's sort of thrown around the word trust and what does this mean? So I'm really curious to know, from your perspective, with your role and your experience, what does this sort of term mean to you?

[00:01:22] Speaker A: Well, trust and security, and frankly, in technology generally, is becoming increasingly important for organizations to know that they are doing no harm, as they say, in terms of securing their operations, but also leveraging technology to scale their business, their organization. But I always talk about the sort of the power and the perilous of introducing new technology, whether it's cybersecurity or AI.
Fill in the blank that there's always a balance there of moving too quickly to adoption without thinking about the implications of what that means for data privacy or trust in the results of what that technology is telling you and getting sort of ahead of the game and the thought process and thinking proactively about that before simply experimenting with new tech, which is attractive, but not necessarily creating great results for us again and again. It's just a shift I think we need to think about as not just leaders of these technology businesses, but as global citizens of balancing consequences with adoption.

[00:02:30] Speaker C: Okay, so when you said before doing no harm, what do you mean by that specifically?

[00:02:34] Speaker A: Meaning that the benefit of adopting that technology is not offset by the, but the externalities, if you will, of what that technology means. In so many cases, we are the product of these various technology companies where it's our data that we're giving away for free. And I don't know about you, but I'm not reading all of the extra long legal documents before I agree to use an application. And if we're gating our ability to use applications or technologies that create a lot of convenience for us and frankly, interoperability with others and communications with others, you're sort of signing your life away in the process of doing that. And what you don't know is the harm that can come from that exposure of your data that can be hacked, it can be used for advertising to you, feeding you increasingly information. That is not necessarily a wide view. I think it's time for us as, as consumers, if you will, of these technologies to start to push back on what is the implication of that as opposed to just focusing on the convenience of being able to use it.

[00:03:43] Speaker C: This is interesting.
I've spoken on the show at length around the term side of it, what they mean, how they are written, perhaps convoluted with the intent that people don't understand it. But to your point, harm from the exposure, signing up for the platform, it's easy, and we're sort of willing to trade convenience and security and all those types of things. But do you think in today's day and age, as of today, do you think people really care nowadays? And I asked that simply because I'm looking at it through, yes, a consumer perspective. But then also, you know, people would argue, even to me saying, oh, well, KB, I don't really care because, you know, I've been in like six data breaches, specifically in Australia in the last few years. Like, why do I care? So, like, what's another thing that, you know, that potentially could harm or expose me because I'm already exposed?

[00:04:32] Speaker A: It is, I think you said a couple of key things there. One, trading convenience for security does go beyond just that, identity and personal information until you feel the consequence. And so what happens is when that data is exposed and you aren't necessarily the one that feels that impact right away, you don't realize that it's just sort of the luck of the draw. But what's going on is that every single time these threat actors are able to use that information to wipe bank accounts of an elderly citizen, if they're able to fund the next exfiltration of data, they're able to fund that next attack. Essentially, they've created a very lucrative economic model. And while we may not be individually impacted on every given breach, we are part of the collective that's still fueling that economic model. And so this idea of us trading a little bit of convenience, being willing to take a little bit of friction, those harder passwords, putting a second authentication on, logging into pretty key sites like a bank account or a payment account.
If we're willing to trade just that one extra step in order to break that economic model for all of us, even if we aren't directly impacted in that moment, we can really start to turn, to turn the tide of friction that makes this a more costly business model for them to be in.

[00:06:07] Speaker C: Okay, so following that notary and the economic model, now you may not be aware, but recently there was a company like within the last 12-18 months recent, they're a big retailer, they had a breach. Now I went down the path and speaking to them and eventually I got a statement from them, but I said, were you trading security for convenience? Because again, like when you're looking at an e-commerce platform, for example, and I know you've got a finance background, so you appreciate as well as me if they're going to add an additional step, right, that means they're going to induce that friction, which potentially means card abandonment, which then means loss of revenues, et cetera. So therefore, do you think companies out there are really gambling that with the intent that hopefully it doesn't happen? Yes, we can have the right controls, data, da da da da. But then at the end of the day, companies do get popped. So this was an example of that. But I do believe that this organization traded on the fact that, well, if we add an additional step of friction, we may lose out of x percentage of revenue or whatever that look like. Do you think that companies are thinking like that?

[00:07:12] Speaker A: I think they are thinking if they are the only one that does that, then certainly they might lose an edge. My counter to that is first it has to start somewhere. But if you use that as a branding opportunity, if you say the circle is rotating on the website as it's loading, we're doing this to provide extra security for you and your credit card information. What a message that sends to people to start to expect that from the companies that they do business with.
I think there's a messaging part that goes with trading that convenience that says we're actually doing something because we care more about you than just a quick sale and that that could be quite powerful.

[00:07:56] Speaker C: Okay, this is interesting because when I'm speaking to internal clients, so CISOs and friends, they've started to ask that question, like how do we engender trust? Like from a client side, right? So less about service providers and vendors and all those types of things. But do you think more companies now need to use what you've just said, as an example, as a way in which they can brand to say this, how we're engendering trust, because it's something that I have started to see perhaps from like a banking perspective, but less so in other areas. What are your thoughts then on that?

[00:08:28] Speaker A: Think of an analogy here of cybersecurity should enable a business to move faster in the sense of like brakes on a car, right? They're not meant to stop the car from moving, but to enable the car to move really, really fast, but safely. And so business uptime and no unnecessary friction is the balance to be struck against optimal security here. And because as we saw, right, just a couple of weeks ago, how incredibly interconnected we all are in terms of technology, interdependence, interoperability, how much our daily lives are dependent on our phones in a way that used to be just electricity and water in our homes. I think that the willingness of us to say we are introducing this so that everything can in fact move faster safely is a branding and a communication strategy that does in fact build trust. Because it's true. Right? Always start with the truth.
There's, I think, enough awareness now in the public mind to understand the implications of not being able to get gas or not being able to take a train or your flight is delayed or surgeries are delayed, that we actually care about those consequences enough to adjust our behavior and our mindset.

[00:09:54] Speaker C: Okay, one thing that's interesting about this is I want to talk about just going back to your example for a moment, you know, on the screen, we care about, we're doing this for your own security. But how much of that is genuine? Now, I asked that because I feel like any marketing person in large companies will be like, okay, cool, we've just got to put up a little, little thing on the site that says we care about cyber security. Right? Like, anyone can do that, but is that the truth? So how would you sort of position that trust from going from a, you know, something on the website to actually living and breathing that philosophy that's been engendered then on the site from the organization?

[00:10:32] Speaker A: Well, just like when you're embarking on sort of a personal health plan, they say you always stick to it when you hold yourself accountable by telling others about it. And while regulators are certainly moving in the space of asking for disclosure around cybersecurity policies and practice, and where you stand inside of certain frameworks, like NIST frameworks of cybersecurity posture, you can absolutely disclose those practices in a way that maybe other businesses can learn from that. But your customers can also hold you accountable to walking the walk and not just talking the talk.

[00:11:11] Speaker C: Another observation that I've seen in the market last few years around customers really holding companies accountable. Have you noticed that, too, in your career? You know, as opposed to like, even 10-15 years ago, people now like companies.
I feel there's a lot more due diligence that they need to create that trust with their customers because, again, like, customers will just leave and abandon a company if they feel like they're greenwashing or they're, you know, they're not being true to what they're saying. Are you seeing that as a trend?

[00:11:44] Speaker A: I think we've seen instances of that where it's sort of, it takes hold. It has a viral moment, if you will. But I would say we as sort of consumers of, you know, whether goods and services for our businesses or for us personally, we're still trading convenience over sort of taking a stand on that front. It's more sporadic until it catches a movement, if you will, around a particular company. But those are often more short lived than I would like in terms of just kind of raising the expectations generally and consistently around how companies behave in this sense.

[00:12:23] Speaker C: Okay. I want to keep following this notion around trust. So I want to get your thoughts, Wendy, on. Would you say people aren't trusting companies like they used to, as what we've just explained here now? But I want to extend on this a little bit more because I worked in a bank before, and I want to use that as an example because they've been around forever. And, you know, people back in the day had this loyalty. They go down the branch and they knew Martha there, and Martha knew everything about Joanne and all of these things. Right. That doesn't even happen anymore. Like, there's barely any, like, branches of people in them here in Australia at all. So do you think people are just not loyal to brands like they used to be? So does that trust element still exist in your eyes? Or would you say it's a new version of trust? And so what I mean by that is people, as in consumers are more focused on, well, if I can go to the company and get what I need from it, therefore I kind of trust it. They don't really think about it. They're more.
So is this company going to get me the outcome that I'm chasing? What are your thoughts then on that?

[00:13:29] Speaker A: I think we're all personally included operating under a different sort of social contract, if you will, where there are so many companies and things are moving so quickly in terms of capabilities that we want to consume, especially on the technology or the mobile app side of life, that we aren't sort of blindly loyal to a brand anymore. But I don't think we've abandoned this idea of, you are promising a certain outcome for me as a consumer, but I expect you to fulfill a certain fiduciary protection inside of that transaction. While I may only come to you if I'm getting the outcome I'm looking for, but that doesn't absolve you from handling that particular transaction or engagement in a way that protects my data, doesn't sell my data wantonly. And I know we've seen a lot of regulation from various government entities across the world on this front, because companies weren't adhering to that sort of social contract and looking to monetize data and information in multiple ways than just the transaction for which someone came to them. And it's unfortunate that regulation has to come into play for some of that. We know it when we see it, common sense of how people would want to be treated in that interaction. I think it's a new paradigm, given the high tech, fast paced world that we live in today, that you can't just go to one place and be loyal to that brand for forever.

[00:15:04] Speaker C: So would you say as well, Wendy, companies are focused on trust?

[00:15:09] Speaker A: I think they are focused on trust. I think the pace at which now your brand can be undermined by a single event, a single behavior, a single transaction, that is a very difficult thing to recover. We've seen examples of that brand damage that materially impacts a business and then, and then can't be returned from.
So I do think that companies understand and know that the value of trust as part of their brand equity is something very much to be, to be safeguarded and not taken lightly in terms of the way that they behave. And you see that with quick messaging out, acknowledgement of footfalls or events, and apologies to customers, because they do understand that you may be very convenient. But if you've lost consumer trust, that's a very difficult road to recovery.

[00:16:06] Speaker C: Okay, there's a couple of things there, which was interesting that you said. So going back to, hey, we're sorry. Now, I've been observing, I've been media, of course, I've been observing the situation. So there were some people that had said, I don't think the CEO was really sorry. So I feel like it's a catch-22. If you say it, someone's going to say something. If you don't say it, someone's going to say, well I can't believe they didn't say it. So how did that sort of conundrum sort of play out? Because again, it's not an ideal situation. It happened. But how do you sort of then recover from that? And then what are some of the sort of long tail impacts, especially financially? Like perhaps customers abandoned the brand, perhaps there was a renewal process going on that doesn't happen or you know, in twelve months time. It's like, well you were the company that had the issue. We're not going to sign up with you. What does that financial impact then look like that sort of aligns to the trust element that we've been discussing here today?

[00:16:58] Speaker A: Well, brand equity can very much translate into higher revenues or lower revenues depending on what side of that coin you're on. So it's very much real now in terms of the online world, if you will, assessing the veracity or the sincerity of executive communications or marketing communications out of a company. You can please some of the people all the time, right? You're never going to please all of the people all the time.
For me that really starts with the truth. People can see in the way that a company behaves over the long run, not just in the first moments of a crisis, but the moments of that crisis. Then three days later when we've moved from crisis mode to recovery and ongoing mode, you have to walk that walk for a very long time as a brand as you recover from some type of foot fault or mistake. And people can see through that over time. And it's just the vast majority of customers that have to witness that over time. So speed is not your friend. I know we like to make a quick apology and then know that it's over. It's just not how it works in the real world. And so you build a brand over a long period of time, you recover a brand over an extended period of time. And it's consistency, both of your actions and your words and consistency over time that really is the tell in any type of business relationship or customer business relationship.

[00:18:31] Speaker C: Okay, that's interesting. So would you say that, and this is really important because a lot of people out here are talking about trust but they're not giving examples. But I think you've, you've demonstrated that today. So I want to drive this a little bit more. So you, you made a great point around the behavior of a company or a brand over the time, right. So just say there's an incident that happened, it's not about the next day or the next week, it's about the next 6-12, 18-24 months and so on, to walk the walk, to your vernacular, would you say that's where companies fall down? So maybe it's like, well, the thing happened and I've done it for a day or maybe a month, and then the dust settles and then something else in the news happens. So the news cycle steers away from this company, but they're still not showing up and doing the walk every day.

[00:19:14] Speaker A: Right. And there's not fundamental change underneath. Like, truly, have you, have you materially changed the risk of that happening again?
Or are you just putting something out there, as we were talking about in the example, saying, we're protecting you, but I. But underneath of the covers, behind the scenes, processes, technology, staffing, have or have not fundamentally changed and altered the probability of something like that happening again or something similar to that happening again? What you have to see from the CEO down to people on the front lines facing a business as customers, is that you see a difference in the way that they are engaging, operating, communicating, staffing. That's the only tell. And it goes back to what we talked about of then you have to disclose that. You have to talk about how you're treating things differently. Where are you investing additional dollars? Where have you shifted resources to change your approach? And unless you see those proof points consistently over time, as opposed to we survived, that, the dust is settled, go on as we were and pray for the best. People see that fairly quickly in terms of organizations. And that does start with the CEO and the board to a great degree.

[00:20:36] Speaker C: Okay, I want to give you an example of something that's personally happened to me, which I think demonstrates walking the walk now in 2022, it was in the US. I was coming back from San Francisco. There was like some blizzard or something had happened to. The flights were cancelled, so couldn't get back to Los Angeles to fly out to Sydney. We're flying on Southwest now. Whether you love or hate the brand, it's immaterial to the conversation. Ended up, couldn't go back for a number of days, and then obviously, as you know, you've just come to Australia. It's quite a long flight. I ended up missing my mom's birthday, and there was a whole thing around all of these personal things that I had missed out on. But what they did was they actually, you know, we wrote sort of a document saying the situation about what had happened.
And not only did they respond and they said, we're really sorry to hear that. They actually wrote something back and they had sort of helped us out a little bit like financially. And they'd said, here's a bunch of points. I felt that in that moment we were frustrated because it sort of was a domino effect. But then I felt like they kind of recovered by how they handled the situation, which I was surprised I give it an airline because when I look at airlines here in Australia, I've had this happen before, and it's like, well, here's an eight dollar voucher for the airport, which gets you probably half a coffee here in Australia. So I just want to use as a personal example that I thought that was a frustrating situation that happened, but then they sort of recovered and, you know, walked the walk.

[00:21:55] Speaker A: Right, exactly. And there are really four elements of what you experienced there. One sincere apology. We're sorry this happened. They may not know that you missed your mother's birthday, but they're assuming you're flying for a reason. Right. It's a long flight. It's a. So definitely a lot of money to buy that flight. So you had something that you were trying to do at a certain time, and so they're sorry for messing that up. The second is they provided a clear understanding of why it happened. Right. Sort of the root cause analysis. Why did this happen? They may or may not be to blame, but they don't spend a lot of time on that blame. Only in the sense of the third part is they tell you what's going to be different about that. I'm going to get you rebooked, we've fixed the system, whatever the action is to make that happen. And then the fourth is they make up for it in a way that is commensurate with what you experienced. Right. So it's not an eight dollar coffee voucher. It is something more that you care about, get you on that next flight, take care of a hotel, remunerate you for summer, all the flight cost.
It's something that feels commensurate, balanced, just or fair to you. And those are the four things that have to be there for consumers to trust a brand, or businesses to trust a business providing services to them after they have made a mistake. We all make mistakes, businesses, people. It's really how you make people feel in that recovery process that makes all the difference to your brand and trust.

[00:23:34] Speaker C: The other observation that I've seen as well, you can appreciate this because you are an American. I've noticed, I go to the US quite frequently for work. I feel that US is very driven by customer service. Now I'm going to say this, and people in Australia might not like me over Australian based customer service. It's very hard, especially when there's people in the US living here. They're like, hey, customer service is just not existent like it is in the US. So would you say from a brand trust perspective, US based companies are more focused on it? I think it's just engendered into your culture a lot more. Have you noticed that now that you're down here in Australia in terms of how these businesses are operating?

[00:24:13] Speaker A: Well, what I can say, and I'll contrast it to Japan as well, is that the US consumer is not afraid to voice their dissatisfaction and expectations around. Around service. And sometimes that gets action. I think the real question is fundamentally all of us want to provide that great customer experience. And it's really the degrees to which we define what good looks like in Japan. That is a really high bar, even compared to the US, of what kind of customer experience they want to create a. So there's two sides to that coin of what the provider thinks good looks like and what bar they hold themselves to. And then how sort of noisy the consumer of those goods or services is about their expectations and frankly, demanding that. And we're not shy in the US about being pretty demanding.
[00:25:12] Speaker C: That is true. So maybe Australians are a little bit more not as forward with that approach, but just following that a little bit more. Would you say this comes back to full circle around, you know, redefining what trust means and starting with what does good look like. Do you think companies are starting to get to that point? Or is that what you would advise someone to say, hey, what does this actually look like for our customers? At the end of the day, I.

[00:25:37] Speaker A: Think we're not there yet in terms of what good looks like and being willing to invest in relative to, I don't know, the cost benefit. So it's not just sort of like the example that we walked through of being willing to apologize and not being worried about the lawyers that are going to come after you, right. There are real financial consequences to sort of admitting guilt or fault in a situation. And I think that's made companies too hesitant to acknowledge and sincerely apologize for things that have happened. It makes them not ready to explain the why in a really clear way and what they're going to do about it because of that legal implication. And so in some ways, there's companies are choosing on this line of sort of legal liability in addition to what does good look like in terms of customer trust building and engagement. And there's a financial implication for sort of making up for your mistakes. You had that revenue for that flight and now you're giving some of that back on top of all the trouble that you just went through. I think too often it's an economic equation as opposed to a long term economic return of a brand that is trusted that we're not quite where I'd like to see companies operate today.

[00:27:06] Speaker C: So where would you like to see them operate today?
[00:27:08] Speaker A: Where I'd like to see them operate is in that place of we can honestly acknowledge where we're doing well and we should and where we're not and what it is that we're going to do about it when, when we're not. I don't think it's possible for any one of us or any business to. To never put a foot wrong, but it is possible to. To own that and action that. Even, just the effort, even if it's not a perfect response in the situation, that the sincerity and the effort around that is what lets your customers give you the benefit of the doubt. And that benefit of the doubt is something I think is often lost these days. It's kind of an assumption of bad intent and instead of an assumption of good intent. But imagine a place where we could actually operate with good intent and enable others to trust that we're doing that. And how much friction that would take out of the friction and frustration that could take out of the way we interact with each other. And frankly, to come back to what matters to me, operate in a way that is willing to sacrifice a bit of convenience for security and trust. And I think that's something we should think about in a world that's moving awfully fast on rapidly changing sort of technology landscape.

[00:28:32] Speaker C: You raise a great point, but these things cost money, time, resources. And then people say, well, Wendy, that's really nice, but that's going to cost us $10 million. And we just don't have that right now because we fired half our sales team and we don't have any. Not the same amount of revenue coming in. And I know you got the finance background because this is really important because I think that this is some of the disconnect that I see in this space around. You know, security practitioners have this perfect world, but it's going to cost $10 billion. But you obviously get it from. You've got that finance background, you're CEO of a subsecurity firm out here.
So it's like, how would you then start to convert someone to be like, yeah, okay, George, but if we spend maybe 2 million of that, we could potentially get 8 million back because we've engendered trust and we've done all these beautiful things. How would you countermeasure someone's argument to that?
[00:29:27] Speaker A: So I think about this from sort of an economist lens of dollar of risk reduced versus dollar invested or spent. And when you start from a willingness to invest in security, or in this case, kind of more broadly, in trust, you can't think about this in the sense of extremes. You have to think about things on a slide rule, a slide rule of your risk appetite, your ability to not, for example, prevent 100% of breaches, but you invest in your ability to contain those to the minimum damage to the business, to the brand, to your uptime, your ability to operate to your customers, relative to what that costs you to do that. And you invest in recovery time. So to be able to come back from something within a day instead of two weeks. So those two elements let you invest at a much more reasonable, targeted level, and over time, relative to protecting or reducing that risk to your business, to your brand, and to your customers, to me, that's math. And that's the kind of math that Secureworks helps customers do around their areas of real risk, versus not going to do much damage to the business and to focus their security posture accordingly over time. Right? Rome was not built in a day. Security is not built in a day. So as the business evolves, as the capacity to invest relative to the, where does the revenue come from? In a business, we tie security to the actual source of economic return inside of an organization. And that makes it very easy to prove the return on that investment to those who aren't necessarily close to security and who look and say, well, nothing happened. It's kind of like insurance. I just spent a lot of money for nothing to happen.
But you can actually provide some quantification of a minute of downtime, a loss of 2% of the customer base, because you've had some kind of brand damage from a data breach, and they're not willing to trust you to do business. So those things are able to be quantified and put into sensitivities, if you will, relative to the dollar investments that at least I know for my board makes it much more decisionable and actionable, and frankly, aligned around what we are and aren't willing to invest relative to the risk along that slide rule.
[00:32:10] Speaker C: Okay, this is great, because I think this is the part. I was a reporting analyst in a security function and bank. So this to me is very interesting, because this is how we'd go and present and get more money from the bank. Right. Which was like, to your point, quantification. Would you say this is the part that people perhaps in this market are just not getting? Because it's like, oh, we've got to buy all these tools, do all these things, but it's like, yeah, but to your earlier point, the recovery time. So if you're running an airline and you're down for an hour, that's going to impact you quite a lot. Not only just like you said, the flights that you missed and all that, but then also like, hey, Carissa Breen missed her mom's birthday, therefore it's going to cost me an extra couple of grand because she missed it and then she got a problem. So those are the long tail impacts that perhaps attach in a pen to not only the downtime but also the aftermath of that. So would you say this is the part that people really need to connect the dots? And I just, I just don't think that they are out there.
[00:33:08] Speaker A: I agree. And here's what I see happening, is that we try to get it exactly right. And the answer is it's not about getting it exactly right. It's about, it's about sort of scenario and sensitivity, use of things.
To your point, how much does an hour cost an airline versus how much does an hour cost a, you know, a lumber producing company for construction sites? Very, very different. And when you can understand where the sort of points of leverage in your business or your organization are around either revenue or the things that really damage your customers' trust in you and things that they don't care about relative to what costs to protect against that risk. And to your point, I always say, like, just spending money on a bunch of tools, buying a treadmill does not mean you lose weight. But that's what we want to do. We want to go out, we want to buy the workout clothes, we want to buy the treadmill, buy a subscription to a gym. And then we wonder why we didn't lose weight, because we didn't focus in on the sort of root cause or the source of risk. And that's where I see that gap happening. If you don't understand your business and where the, where those points of leverage are in terms of revenue and brand, and then tie those to what has to change, regardless of whether it's a people or a tool or a process to reduce the risk to that part of the business, you're starting with the treadmill instead of the weight loss plan.
[00:34:36] Speaker C: Okay, I like the analogy. So why would you say people, people meeting the industry, et cetera. I just focused on buying the Peloton, as you mentioned before. Why have we even gotten to that point? Like, why has it been so hard for so many years of people to earn their stripes, to prove that their area needs more funding, et cetera?
[00:34:58] Speaker A: To me, it is a mindset of activity over outcome. We bought a tool and we implemented it. Check. I'm not to blame. The reality is there is no try here, right? As Yoda said, do or do nothing. It's not okay to say I bought the tool and put it in place and it's not my fault. What you're looking for is I'm accountable for the outcome here.
And it doesn't matter whether you buy ten tools or no tools to get that outcome and ensure the high probability of that outcome. That's harder. It continues to hold you accountable. It's just not as satisfactory as sort of checking off a tactical to do list. And it's ongoing. It never stops. And I think that's the part that once you get into the mindset of this is a living, breathing, daily fight, it changes the notion of this being a project versus this being a lifestyle.
[00:35:54] Speaker C: That's a good point. And I think just to follow the example a little bit more, it's like, well, cool. You've gone out, you've got the personal trainer, and you're putting everything on Instagram about going to the gym and, you know, the fancy clothes and all that. But it's like, yeah, but if you're not doing the thing, it's not going to result in losing any weight, for example. So it's like you bought all these tools, but if you're not actually doing things properly and you're just doing it for the tick of the box, to your point, it does nothing. Do you just think that people perhaps fallen back on that a little too much and sort of outsource the responsibility to other people in the company?
[00:36:25] Speaker A: I think it's less that than sort of a false sense of security from that action where we think the job is done by taking that action or buying that tool, as opposed to knowing that what it really is is not the big post on Instagram, but every single day you make your lunch or you order that salad when you go out instead of the fries. It's the quiet, daily, consistent, working the plan versus the sort of big bang things that everybody else can see that make the biggest difference. I continue to see in security, we talk about all these different technologies and tools and such. The same three things cause breaches that are incredibly simple to fix. Hard passwords, multifactor authentication, not clicking on that link, just awareness.
It's not fancy quantum computing fueled AI that threat actors are using to make all this money. It is just good old fashioned basics that if we're willing to introduce just a little bit of friction, would make a material reduction in their success rate. In terms of what was the ransomware market last year? $30 billion? Right? People spend $100 billion on security services and tools. Think about that. So spending money is not necessarily the answer. Finding the right answer, getting advice and help on tying those business outcomes and business risk to those investments in a way that's credible. I mean, we've been doing that for 25 years in this space, so we understand the work. It's not always exciting. The basics can make such a big difference to really sound, sound security and keep and build that trust.
[00:38:16] Speaker C: So, Wendy, do you have any final thoughts or closing comments for today's interview?
[00:38:20] Speaker A: Well, I just want to thank you for the opportunity to talk about something that I think sits underneath of the surface. And for me, this is a shared responsibility, the building of trust. So it's us as customers of businesses. It's us as leaders of businesses. We all have a shared responsibility as global citizens here to be willing to invest in just a little bit of friction, a little loss of convenience, to be able to be more collectively secure. Because while it may not be you today that's damaged by that breach, it is your fellow citizen who's damaged by it. And by caring enough to protect them, in the end, you're really protecting yourself, too.
[00:39:10] Speaker B: This is KBKast, the voice of Cyberez.
[00:39:15] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
[00:39:23] Speaker B: This episode is brought to you by Mercsec, your smarter route to security talent.
Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and middle sized businesses scale faster and more efficiently. Find out [email protected] today.
