December 18, 2024

00:38:20

Episode 286 Deep Dive: Dean Frye | IT, IoT And OT Security As A Business Continuity Problem

KBKAST

Show Notes

In this episode, we sit down with Dean Frye, Solutions Architect at Nozomi Networks, as he discusses the complex landscape of IT, IoT, and OT security challenges.

Dean delves into the critical importance of avoiding an “us vs. them” mentality between IT and OT teams, and how security interruptions can severely impact business continuity. We explore industry-specific vulnerabilities, such as those in factory chicken farming and Tasmanian salmon farming, and emphasize the necessity for executives to have a deeper technical understanding of cybersecurity. Dean also highlights the value of telemetry and real-time reporting, the evolving role of cloud solutions in OT environments, and the importance of a well-integrated, multidisciplinary team to effectively manage cyber risks.

Dean Frye is a Solutions Architect for Nozomi Networks in Australia and New Zealand. Dean is an experienced security professional with a demonstrated history of providing compliance strategy, pragmatic risk mitigation, security project delivery, threat abatement and vendor interface solutions with a significant commercial background. Covering more than twenty years, his previous roles span consulting and senior leadership, including a stint at Armis as solutions architect, and another tenure at Cisco as director of security for the APJ region.

Episode Transcript

[00:00:00] Speaker A: I think the CISO needs to be responsible for bringing the right teams together, having the right skills in the room, and importantly, ensuring that there is not an us versus them mentality on either side of the fence. And that fence being the fence that divides the OT environment from the IT environment.

[00:00:22] Speaker B: This is KBKAST.

[00:00:23] Speaker A: Are they completely silent?

[00:00:25] Speaker C: As a primary target for ransomware campaigns.

[00:00:27] Speaker A: Security and testing, and performance and scalability.

[00:00:31] Speaker C: Automatically take that data and use it. Joining me today is Dean Frye, Solutions Architect from Nozomi Networks. And today we're discussing IT, IoT and OT security as a business continuity problem. So, Dean, thanks for joining and welcome.

[00:00:48] Speaker A: Thank you, Karissa.

[00:00:49] Speaker C: Okay, so Dean, I really want to talk quickly, maybe about interruptions that perhaps are caused by IT or OT, which can therefore derail a business, which we have seen in recent times. So I'm keen to get your thoughts on this.

[00:01:05] Speaker A: Absolutely. So I suppose the easy but somewhat boring way for me to answer that question would be to talk about Colonial Pipeline or refer back to the CrowdStrike incident a couple of months ago. Indeed, had that CrowdStrike incident been a manifestation of an inability to detect a campaign, the outcome could likely have been the same. As it turned out, it was a failure of a primary control itself. But, you know, the unavailability of process control and process instrumentation can manifest itself really, really quickly, and it actually doesn't matter whether the trigger was cyber or not. As a backyard chook breeder, I'm not necessarily particularly fond of factory farming of chickens, but the reality is that that's an important protein source for a lot of Australians.
Now, you would think that as long as chooks have food and water, they're pretty much good to go, but actually the stocking density is so high in those sheds that a failure of temperature sensors, ventilation controls, the power monitoring of the extraction fans and all of these things mean that if the correct ventilation and temperature is not maintained in those sheds, chickens die very, very quickly, because the temperature increases very, very quickly. And chickens are an animal that has quite a lot of difficulty regulating body temperature. For the pescatarians that enjoy their farmed salmon from Macquarie Harbour in Tasmania, that industry operates on a fairly thin social license. And one of the important elements there is to make sure that feed is not leaving the holding pens and falling to the floor of the harbour. Well, that system is controlled by technology: small data centers really residing on floating barges, and controllers and light sensors that look at how far the feed is falling through the pen before the fish consume it. So, you know, again, another example of where if the process control instrumentation cycle breaks down and the feeding cannot be controlled very quickly, you've got an environmental incident that can threaten the viability of the whole business. You know, you can go on and on. We had a specific example recently in South Australia in the beef industry. Steers, so male cattle, a year or two old, they're very heavy and they're very dangerous. They get very agitated after being herded into trucks from their lovely paddocks, pushed into sale yards, back onto a truck again, and then sent to an abattoir. They have to be pimmed very quickly. A worker has got to be able to scan a barcode in the ear. If the receiving controller for that data is unavailable, in this particular case, the session was constantly restarting and the process was unreliable.
Humans have to intervene, and the last thing you need is, you know, humans in a pen with an angry 6,700 kilo animal. So those are sort of three different examples in the food industry of how quickly safety, availability and even business viability issues can manifest and derail businesses.

[00:04:09] Speaker C: So I have to ask more of a, perhaps a rudimentary question. Would you say that people, meaning the community, everyday people that we walk past in the street, just assume that things just work, and then when they don't work, it's complete chaos that then gets unlocked? So we saw that, of course, in the CrowdStrike incident, how quickly it was a domino effect on how much people were impacted. What do you think that people perhaps oversee when it comes to business continuity?

[00:04:38] Speaker A: Well, you know, you mentioned CrowdStrike. Again, the number of single points of failure that we've got and the fragility of some environments probably is a reflection upon that. This might be a little controversial to say, but I talk to a lot of executives, and it seems to me that fewer and fewer of the senior executives that are making decisions about implementing security controls and buying down on risk are the sort of older engineers that have been in the business for 30 years and understand fundamentally how everything works. They tend to be more MBA types that are, sure, brilliant business analysts and businessmen, but just don't necessarily understand what keeps business ticking over day after day. And perhaps they're less able to quantify and fully understand the manifestations that might occur if a cyber breach interrupts an intrinsic part of the business.

[00:05:41] Speaker C: Okay, that is a very interesting observation. So, okay, I want to get into this a little bit more. I mean, you make a great point. So that's like me, you said before you do, like, plumbing for, like, chickens and stuff.
That's like me trying to advise you on how to do that effectively, from what I'm hearing, from what you're saying, in terms of drawing a parallel. So I take your point around some of perhaps people a little bit old hat in terms of the executives, but what do we do from now to ensure that these executives are equipped to understand the landscape, to prevent some of these things from happening? Now, an obvious answer could be, well, we're going to wait until these people move on. They, you know, they retire, we fire them. But again, what is it that perhaps a CISO or security executive could perhaps start to relay in terms of getting these people to really understand what they're dealing with?

[00:06:34] Speaker A: Well, I think they've got to build a quorum, a group of stakeholders that brings an intersection of technical and critical thinking with business acumen. In my line of work, we typically deal with a varied set of stakeholders. Every organization has risk and compliance people. They've got some information security, cyber guys that typically only understand the carpeted side of the business, not the concrete floor side of the business, if I can refer to it in that way. You've got the systems owners, the guy that is responsible for the electricity system or the water system or the cotton baling plant, that understands how all that stuff works but has no idea about corporate risk frameworks, no idea about information security, no idea about network operations and continuity. So I think the CISO needs to be responsible for bringing the right teams together, having the right skills in the room, and importantly ensuring that there is not an us versus them mentality on either side of the fence. And that fence being the fence that divides the OT environment from the IT environment.

[00:07:45] Speaker C: Where do you think the us versus them mentality stems from?
[00:07:49] Speaker A: I think these are probably teams that have just never had any day to day engagement with one another before. They've passed each other in the car park, sort of thing, and that's been the extent of it. And they don't understand one another's world. You know, operationalizing cyber controls is incredibly difficult, and people tend to think that it's just about the breach and the campaign, that it's related to the ransomware, et cetera, and that's it. But there's a lot more to it. Routing the right data to the right person at the right time to make the right decision is really hard. And it's especially hard in some of the bigger industries in Australia. I mean, Australia has a massive mining industry. How do you do repeatable, reliable, robust OT cyber operations with a FIFO workforce? It's really quite hard. And the data that these platforms produce is not just threat data, it's change and anomaly data, the sort of precursors to the bigger problem. It's health and hygiene data. It's, you know, giving the platform owners, the CISO and the other stakeholders information about risks, and quantifying those risks, and giving them data that they can use to make decisions about whether or not they remediate this risk or another, and work through scenarios that could actually exploit those risks and result in an unfolding OT cyber catastrophe.

[00:09:15] Speaker C: Yeah, look, you raise a great point and I do agree it is a hard thing to do. It's not so binary, it's not such an obvious answer. It's complex, it's complicated, can be convoluted at times. In terms of your experience though, like, how have we best moved forward? Because, I mean, I've interviewed probably 300 plus, 400 people in my time around a range of things, and there is still a common undertone around so-and-so doesn't understand, don't have the budget, it needs to be more awareness. It's still the same sort of things that are being told.
But then how do we actually get to the point where we're getting people at the top that do understand it? Now, in saying that, you know, I'm not a finance expert, but, you know, I run my own business, I have to have some knowledge of that. Would you say that executives don't really have, or not all executives, but some of them don't have any fundamental cybersecurity knowledge? Because in this day and age, you need to have some sort of understanding of that. And then as a result of that, we're having a lot of these issues which we've just discussed. And I mean, I know it's a little bit more complex than that, but if we just focus on this one problem.

[00:10:19] Speaker A: I talk very regularly with executives in customer organizations that want me to explain to them how they can become conformant with the SOCI Act. And relatively frequently I get the distinct impression that the individual has no idea what is actually contained in the SOCI Act, and doesn't understand that the technical controls will assist or meet less than 50% of the patterns that are sort of described there. And I often sort of refer people to the Australian Energy Sector Cyber Security Framework, because that is such a brilliant framework. It's ideal for organizations that are aspirational and have the self awareness to know that they're not going to be entirely conformant. The self assessment framework in there is just brilliant, and it's relatively easy for an organization to undertake, again with the right people in the room from the right sort of areas of the business. And so I just think that coming from a position of being well informed, understanding what's practicable, what's realistic, and that these are often multi year pieces of work, is important. You just simply can't pick up the phone and talk to a vendor about SOCI conformity. It just doesn't work like that.
In the same vein, you can't apply the ASD Essential Eight to industrial automation and security, and I've had customers tell me that that's what they want to do. It's just completely irrelevant as a control set for the sort of environment that we work in.

[00:12:02] Speaker C: Okay, I want to sort of flip over now and focus again on business continuity. And something that I'm hearing a lot coming up in interviews would be in terms of, like, even a manufacturing business, like, if that stops running, how much of an impact that has, how much of a domino effect that has. So I really want to get a bit of an understanding from yourself, Dean, around how quickly does that, if you can give me an example of an industry, how the domino effect can occur? Because yes, we have seen it with the CrowdStrike thing, it probably will happen again. But again, I think what's really interesting in this question is how many other supply chains, businesses, everyday people are really impacted by something that basically brings our whole nation or world to a standstill for a period of time.

[00:12:48] Speaker A: We're very vertically integrated in Australia, right? And organisations tend to try to manage that third party supplier risk through third party threat risk assessments and so on and so forth. Some of the TRAs that come across my desk are too generic and don't really address the sort of consumption model, certainly in terms of cyber controls, if they're pushing a TRA our way to assess us as a, you know, as a vendor. Of course, the huge part in supply chain risk really is cloud and how dependent we're increasingly becoming on cloud. A lot of organizations simply don't have an OT cloud strategy, and they too quickly write off cloud consumption for OT, and this is a huge mistake. So often I go into environments where the compute that runs the industrial system is covered in an inch of dust, the switches are 15 years old and haven't been patched.
And these organizations are thinking that cloud is in some way, shape or form a risk to their business. Arguably it's going to be cheaper, faster, more reliable, more secure and more robust. Many of these sites you can, if you were to slap a Telstra logo on the side of your ute and put a Telstra shirt on, you'd walk in there unchallenged. They don't even have physical or protective security in the environments that are running, hosting the on premise process control software. So, you know, customers need to start thinking about cloud seriously. And I think that's a good example of where some improvements could be made.

[00:14:26] Speaker C: Okay, so a couple of interesting things that I'm really intrigued to know. You said a couple of TRAs that come across your desk, you said they're a bit generic. What does generic look like in your eyes?

[00:14:35] Speaker A: Oh, using the same threat and risk assessment for your OT security control vendor, like Nozomi, as you do for your supplier of earth moving equipment, or a TRA that is really written around the risks associated with enterprise software, not cloud consumption software.

[00:14:54] Speaker C: And then you also mentioned before, customers need to start thinking about cloud seriously. I mean, I've spoken to a lot of the hyperscalers or major cloud providers. Would you say that people are thinking about it seriously though? Like, and define seriously from your perspective as well.

[00:15:08] Speaker A: I'm talking about SCADA operations, process control operations and these sorts of things. These are still 90 plus percent on premise. They're not cloud delivered and not cloud instrumented at all.

[00:15:22] Speaker C: Okay, so then taking that point of view and that example in terms of, like, OT stuff, how can people start to think a bit more seriously about this to move away from the on prem model, would you say?
[00:15:34] Speaker A: Well, they've got to deal with the OEMs. I mean, the OEMs in OT have got a lot more clout than they do in other industries. When you go to Rockwell, Honeywell, Schneider and you embed their technology in your business, it's not like buying a Toyota and you simply visit the dealer once every year for a service. It's a very much closer, tighter relationship. And those vendors have all got strategies to help these customers embrace the advantages of cloud that do very much front and center include the security and privacy benefits of it. So the discussion really, I think, starts with their suppliers and the security. I should also say that OT security for many years has been really an overlay, so technologies and companies like Nozomi have been going into what you might term a brownfield site and laying a set of controls down on an existing network in a passive way. And it's still a very, very valid and viable approach. But the alliances are getting deeper and more technical. The security industry in the past have had alliances that tended to be what you might term meet in the foyer or meet in the SIEM. In other words, you deploy two or three different technologies together and they all make each other work a little bit better, but they don't fundamentally operate as one. These alliances are changing, and we're building much deeper and more technical integrations with some of these OT platforms to help everything work a little more seamlessly and allow us to see more of the data that we want earlier on and...

[00:17:15] Speaker C: Just to follow this example a bit more, why do you get a little perhaps apprehensive around the cloud? Is it just, we've always done it this way, it's too hard basket, don't have the funds, don't know how to do it, don't have time to do it? What are sort of some of the reservations people have, would you say?
[00:17:29] Speaker A: Oh, look, I'm probably not the best person to address that question, but it's doubtless all of the above. And dollars are a big part of that, I'm sure. OT assets are not like IT assets. You dispose of your phone after three years, your laptop, et cetera. In the industrial automation world, the life cycle of these assets is more like 25 years, and they sweat them quite hard, well beyond end of support. I don't think anybody listening to this podcast is probably listening to it on a PC that is out of support and no longer patchable. But in the process control world, it's very, very, very common for the network layer, the compute layer, and indeed the automation process control layer to all have elements that are years and years and years end of sale and end of support. And the reason for that is all financially driven.

[00:18:23] Speaker C: And I've heard as well, like, some of these, like, controllers that are obviously very manual, not on the Internet, which makes sense from, like, a physical security point of view. But then also, though, they cost a lot of money as well. Like, I've heard, like, 25, 30 million dollars or something like that. I mean, you would probably know more than I would, but I've heard that a bit in interviews as well.

[00:18:40] Speaker A: They're expensive, and a refresh of them is a difficult design exercise. But you make a comment about them not being on the Internet. Too often the organization will think that they're air gapped when they're actually not. Now, it would be rare for something like a PLC to be on the Internet, but it's relatively common for something talking to a PLC to be either exposed to the Internet or talking out to the Internet. And indeed that's one of the things that we help customers improve upon. Network segmentation is the simplest, cheapest and most effective primary control in OT cybersecurity. And so if you can't get that right, then you're opening yourself up for problems.
[00:19:26] Speaker C: Okay, this is interesting. Okay, I want to talk about it a little bit more. Would you say that, in terms of network segmentation, would you say that people are just not even doing this at all, in terms of it's the cheapest, easiest, most fundamental way to improve, like, your security posture? But from the tone of your voice, I'm kind of getting the sense that perhaps people aren't doing this.

[00:19:49] Speaker A: A lot of them don't. I mean, there's a reference architecture which is relevant for some industries, called the Purdue or PERA model, that tends, as an example, to be very well followed in the electricity industry, just as an example, but in many other industrial environments they just simply don't segment, or the segmentations are ad hoc, or the segmentations are in place but the access control rules between those segments are a little bit weak, or they're not what they think they are. Change and drift is inevitable in any environment. And what was designed 10 years ago may not be reflected in today's reality.

[00:20:25] Speaker C: Would you say, in terms of going to the cloud, like, moving, like, OT systems, like, moving more into the cloud and thinking about it seriously, do you think it'll ever get there though, in terms of everything that we just discussed? Things are expensive, you know, they run for a long time, etc. So it's not like the easiest thing to do. And we get that. But do you think we'll ever really get there? Or if you had to sort of choose which camp?

[00:20:45] Speaker A: We won't get there ever, probably in entirety, but we can get there partially. But you can start by deploying cyber controls. Cloud based delivery of cyber controls: retain all of the process control on premise, but just put a cloud based wrapper over the top of it, you know, to bring those controls together.
As you would be aware, a lot of these API to API, cloud to cloud integrations ship data that's available essentially for free. Bring it together into one console where you can start to build metrics and gain awareness around the cyber posture of the process control environment. Give yourself a degree of assurance that the controls that you believe are in place are actually in place and they're also fully implemented. Too often there'll be a control that's only 80% deployed, there'll be a submarine asset that's popped up and it doesn't have the endpoint EDR on it, for example. So getting rid of those holes is meaningful in terms of risk drawdown.

[00:21:49] Speaker C: So speaking of assurance, going back to your point around, you know, controls, et cetera, not being air gapped, people thinking that they are, how does that conversation sort of go, and, like, what happens next?

[00:22:01] Speaker A: You've got to know what's on your network. You can't make decisions in the event of a breach without context. So you need to know what's on the network, what its function is, what it needs to talk to, and that really gets to that segmentation discussion. Who do its friends need to be, and how do I keep the enemies away from it? Ultimately, all of that context is going to reduce the cost and scope of disruption should a cyber incident occur. And it's going to allow businesses to make the decision about whether or not to pull up the drawbridge much more quickly. A lot of organizations think that they can just separate, you know, rip the blue cables out of the firewalls and separate the industrial part of the business from the IT part of the business. And some customers can do that, and they know the impact.
They've looked at that exercise and they've planned for it. Others haven't, and they don't understand that actually reconnecting everything is often much more complicated than the mopping up of the cyber breach that caused the whole thing in the first place.

[00:23:08] Speaker C: So would you say, in your experience, companies don't really know what's on their network? I think I know the answer to that, but I just really want to hear your thoughts.

[00:23:16] Speaker A: No, they don't. They just don't. They don't. It's not only knowing what the assets are, it's understanding the software risks that the vulnerabilities on those assets bring into the environment. When you look at the IT side of the business, larger organizations would typically have a CMDB, and they'll have asset data and other bits of data in that environment. And typically it's 70, 80, 90% accurate and current. But when you get into the industrial side of the business, that very, very rarely exists. It's often quite hard to get that data together. Boring pragmatics, like the fact that there are going to be unmanaged devices in the process control environment, are examples of what makes that hard. So they don't know what the assets are, they therefore can't quantify the vulnerability risk. And if they don't understand the normal communication patterns of those devices, they really just don't know what's going on. And all of that means that when there is a breach or a suspected breach, and let's be honest, breaches are actually very rare in Australia in industrial control environments, but when there's even a suspected breach, the context is just not available to help people make quick, fast, informed and accurate decisions as to whether or not we can continue operating, or whether or not there needs to be a planned shutdown or some form of remediation to reduce the potential blast radius of the problem.

[00:24:44] Speaker C: Okay, this is interesting.
So in terms of, as you know, people say, well, you can't protect what you can't see. Okay, well, we understand that, but would you say, and I know you sort of spoke on that a little bit more, would you say people are sort of perhaps hoping that something doesn't happen? Do you think there's a little bit of that going on in there? And I know that sounds really sort of, you know, airy fairy, but I think that from what you're saying, it does feel like a rudimentary thing that people should do. I know it's not as easy looking, like, on the OT side of things, but do you think there's a little bit of, well, hopefully it doesn't?

[00:25:17] Speaker A: Kind of, nothing happens, hasn't happened in the past, the sun's still shining today, so why is it going to suddenly occur now? There's a bit of that. There's probably a bit of, oh my God, if I actually knew all the problems that were underneath me, I'd have to do something about it, and so I'm better off being blissfully ignorant. The cost is a huge, huge issue. If we talk about critical infrastructure, the water that gets delivered and the sewer that gets removed in major capital cities is done in a very reliable and robust way. And indeed we protect a number of those environments. But you step outside into the rural and regional areas, a lot of this is done by councils. These guys are still absolutely smashed repairing roads from the floods two years ago. The idea that they've got money to do an OT cyber risk assessment on their fresh water network, the water supply network or their wastewater network, is just fanciful. So there's always costing, there's always cost pressures. And that's part of the reason why, as a security vendor, Nozomi needs to deliver more benefits to more people. We've got to provide cyber data to the information security team, and we've got to prevent threats landing and expanding, of course, but we've got to supply some telemetry data and some metrics to the OT systems owners.
We've got to supply some troubleshooting data, some reliability and some optimization data to the network operations team, and we've got to roll all of that up in some way that's really easy to consume for the risk and compliance stakeholders. So, as you know, as a vendor, we're mindful of the fact that we've got to provide value to a lot of different teams to justify these processes and to grease the projects, make them easy to deliver, knowing that there are typically one or more resistant parties, or parties that are just pushed into a slightly uncomfortable area because they don't know much about cyber.

[00:27:13] Speaker C: So, Dean, you raised a great point, and I want to get into the telemetry side of things, but before I do, you raised a good point around these guys are slim, like the council workers, for example, or, sorry, the councils in general. They're fixing roads, et cetera. Would you say that in terms of the network, and, you know, having visibility of the network, for example, that feels in their eyes like an invisible problem, as opposed to, well, when I drive home from work I can see the road's broken, I need to fix that first? Do you think sometimes, you know, as much as being in IT, like, of course these things are really important, but in their eyes it's like, well, the physical road doesn't even work, so I really need to focus on that in terms of a priority?

[00:27:52] Speaker A: I think that's right. And quite often, you know, if you talk specifically about councils and water supply, the council will be using a third party contractor to program and run those water systems quite often. So they don't even have the skills on staff. That is an opportunity for that provider to sort of say, hang on, well, let's step up the maturity ladder a little bit here and let's lay some cyber risk mitigations over what we're doing. And so I guess it's an opportunity for those service providers and partners.
[00:28:21] Speaker C: So now I want to flip over onto the telemetry side of things. Now, I was historically a security reporting analyst, so I'm quite familiar with, you know, reporting on telemetry, for example, and all other different facets of cybersecurity. And then you also said that doing this demonstrates value from, like, a vendor perspective on people. Like, just you said before, like, budgets, you know, money is always an issue, and I understand that. So obviously having the right reporting and telemetry to justify, hey, like, you know, why are you paying us money, for example. Give me an example of what good reporting telemetry, you know, even from a Nozomi perspective, looks like in your eyes.

[00:28:58] Speaker A: If I'm responsible for network operations, I want to know about devices that have joined the network. I want that number typically to be zero on my critical segments. I want to know that there has been very little change. I want to know that protocol adjacencies between devices remain the same. If I'm a process control owner, I may be concerned about critical temperatures or pressures or things that are abnormal, process tags that step way out of whack based on historical data. A lot of that stuff will pop up on the HMI. But as a cyber platform we can bring some of that data together and put the network and cyber risk context together with the process control risk. If I am responsible for the security operations team, the people, the security operations function, I don't necessarily care about the details of individual events or activities or alerts in the system. But I want to know about dwell time. How long is it taking the team to review an alert or a piece of data and close it off? I want to know potentially about the performance of vulnerability remediation. I might want to know about.
I might accept that it is impossible to remediate all vulnerabilities and I'm not going to look at the big numbers around vulnerability instances, but I might want to know about those that are actually exploitable. In other words, they're not just university theoretical research projects. There's a known exploit in the wild. I might want to know about systems that have a safety aspect to them, a human safety criticality and the vulnerabilities on those. So I might want to cut and shut all of that data up so that I can make decisions without worrying about all the details. So those are some examples of different sort of data points that different roles in the organization might want to be receiving.

[00:30:45] Speaker C: Do you think as well that perhaps people that are maybe reading the reports and again, like I can speak on my experience of doing this, sometimes the report gets sent, for example, then it gets stuck in someone's inbox and read it. Too much stuff going on because I've often seen and maybe you would know a little bit more about this is people just reporting on too much stuff. So it's like all of this stuff here it is, but it's like what's really important to me. And I guess you could say, well you can tell the things and you can, you know, understand what's important to the business, et cetera. Do you think that sometimes people just do reporting for the sake of reporting without actually deriving any real value or insights from that reporting?

[00:31:19] Speaker A: I do. We're moving away from reports. Fewer and fewer of our customers are receiving emailed reports from our platform. We give them a real time view. Again, this gets back to the operationalization challenge, what's important, et cetera, et cetera. Nozomi is hugely stepping up here. We're more and more, we've got effectively a co-sourcing relationship with the customer.
In other words, we'll either stand behind them and support them constantly on keeping the platform running and doing all the fundamentals, or we'll stand in front of them and help triage some of the data so that their limited man hours budget is applied to doing important work, not maintenance work. Quite often I'll talk, I'll ask customers to be realistic about their budget and that's not a dollar budget, it's their FTE budget. Because if you want to deploy the Nozomi platform, for instance, and you say I've got one full time equivalent, we'll set the platform up very, very, very differently to if you say I've got two hours per week that can be allocated to this and it's that sort of two hours per week sort of energy allocation that is more likely to be consuming a report. In the cloud based consumption model of our product, we're trying to move away from alerting as an example and providing the analysts with data insights. So we'll show them about things that the automated data analysis engines have found and if they find them interesting and they click on them, then we'll produce more of those and if they just dismiss them as irrelevant, then we won't put that data in front of them again. So that's just an example of what we're trying to do to improve the human efficiency of running the security controls and shifting away from reports is a part of that, as I've indicated.

[00:33:04] Speaker C: So what do you do? You said before, depending on the FTE, if it's two hours or eight hours, what do you do when someone's optimistic and they're like, hey Dean, I think I can commit to eight hours a week, but in reality they're doing 30 minutes a week. How does that sort of conversation go? How do you sort of make sure that, okay, well, you said eight, now you're not doing that. So we now need to change things. Have you seen that? And then if so, how does that, how does that work?
[00:33:25] Speaker A: I can tell pretty quickly when a customer is not, not using the platform. You would think that a happy, successful customer would not open any support cases because they wouldn't have any problem. This is just an example. Actually, the opposite is true. An engaged customer always has questions about things they don't fully understand or they'll contact support to understand what a new feature does or something of that nature. So on the back end I can see all of this data and customers that don't open support cases, I tend to pick up the phone and call. As I indicated, we're doing a lot more work to help them run the platform so they can focus on the organization specific data that no third party will ever fully understand. We're never going to, we're never going to know what's cabled to what and what the foil rules are in a, in a factory or an abattoir or something of that nature. So that's where the customer needs to spend their, you know, their time on, on the, on the specifics that they know and will sort of never understand.

[00:34:20] Speaker C: And then I'm also curious to know, like, generally speaking, from what I understand from people in the industry, there's a lot of like, oh, we set and forget, bought this product, don't open it, haven't they, you know, utilized it properly? I don't know. The guy that bought it, left the company four years ago, was still paying for the thing. I've heard a lot of that from customers. So I'm just curious if you zoom out from like a vendor landscape, like, how do people get to the point where, to your point, like, well, I know if someone's not leveraging the platform, they're not calling us up and supporting everything like that. Like, how can people sit there and think this company is paying for our product or our technology and no one's gone into the platform, for example, for four years.

[00:35:00] Speaker A: I'm re, I'm extremely disappointed when that, when that occurs.
And a fair chunk of my time is spent ensuring that it does not occur. You know, when you spend money with a vendor, you need to fully consume everything that they provide. And those different stakeholder groups have got to be receiving value from, you know, from the platform. Automation is important, but making the data relevant and getting the right data to the right people is something that we, and particularly our delivery team focus quite, quite heavily upon. Our churn rate is very low and we spend a lot of time making sure that we remain relevant and of interest to our customer base.

[00:35:40] Speaker C: So Dean, do you have any closing comments or final thoughts you'd like to leave our audience with today?

[00:35:45] Speaker A: We've talked about a few different areas here. We've talked about the technology a bit, the problem a little bit. We've talked about co-sourcing and the importance of partners in all of this. At the end of the day we're a technology vendor and there are certain trends that we see. Those sort of trends I think are going to include the importance of understanding the radio space as an attack surface. That currently is not really the case. We're not just talking Bluetooth and Wi-Fi here, we're talking long-range WAN, drone control protocols, 4G in some environments. You want to know when radios are appearing and disappearing in the environment. You're not going to care about that in a retail space of course, but you may well very much care about that in a transport environment or in a mine site as an example. We talked a little bit about the way relationships are changing between technology vendors, particularly when they're deployed in a cloud based model. And with the automation OEMs, I think we're going to see a lot more embedded security controls on devices like PLCs and the like to allow them to extract telemetry from very close to the absolute core of the industrial automation environment.
And I think as well there's an argument for some active intervention. To date it's been extremely rare for any sort of active blocking or intervention to occur in an industrial network. I think that possibly will change. It's obviously been commonplace in the IT side of the business for 30 plus years. It's almost non existent in the OT side. And I think we're going to see that change. Not quickly, but I think we will see that change very soon.

[00:37:37] Speaker B: This is KBKAST, the voice of Cyber.

[00:37:41] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.

[00:37:50] Speaker B: This episode is brought to you by MercSec. Your smarter route to security talent. MercSec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out [email protected] today.
