Episode Transcript
[00:00:00] Speaker A: I think at the end of the day, it all comes down to proactivity. I think that this is challenging some conventional thinking that we hadn't have had in cyber, where we're constantly in firefighting mode, where we're constantly having to respond to things and be super reactive. I think that we're in a place and we have the predictive technology where we can actually anticipate the adversary much better and own our own attack surface before someone else can. So being proactive, I think, is really, really key.
[00:00:34] Speaker B: This is KBKast as a primary target for ransomware campaigns, security and testing, and.
[00:00:41] Speaker A: Performance risk and compliance. We can actually automatically take that data and use it.
[00:00:49] Speaker C: Joining me now is Shannon Murphy, Senior Manager, Global Security and Risk Strategy from Trend Micro. And today we're discussing the C suite security challenges. So, Shannon, thanks for joining and welcome.
[00:01:00] Speaker A: Thank you so much for having me, KB. I'm super stoked to be here.
[00:01:04] Speaker C: Okay, so Shannon, I follow your journey. Before we started recording, you said you're actually in Canada for a month, which I think is quite rare for you because you travel around a lot for work. So perhaps let's sort of start there. You know, you've got quite a unique perspective because you do travel quite frequently. So what are you, what are you sort of hearing from people around the globe that you can share with us today?
[00:01:25] Speaker A: Absolutely. I think, you know, when it comes to strategy and cyber strategy and threat landscape and tech landscape and all of these different categories, what's so important is to talk to as many cyber professionals and as many practitioners as possible so that those anecdotes start to become trends. And by doing that, this is how we're able to build scalable, you know, products and solutions and approaches in order to get in front of these challenges that people are facing. So one of the benefits to your point of my role is that I'm able to spend so much time with people who have hands on keyboards in order to start to identify these types of trends. But when, when you're looking at some of the challenges in the enterprise today, I think it boils down to a really simple concept and it's the different pressures that we're facing. So the first pressure comes from infrastructure shifts that happen in the, in the enterprise environment, whether that's, you know, digital transformation or this AI transformation or different tools that are being adopted and these different changes that, that you need to secure and that comes with different, you know, protocol ramifications. And then on the other side is adversary ingenuity and this cat and mouse game that we're constantly in with the bad guys and how we actually have to change our strategy to, to account for that adversary ingenuity. So these are, these are the two fundamental things that we're looking at, and I'm happy to dig into either side of those first.
[00:02:59] Speaker C: So when you're traveling as well, do you see any sort of trends are like, I mean, this is generally speaking, so in Australia, generally, this is sort of some of people's concerns or questions. And then in North America or in Europe, is there anything like that? Do you sort of see commonalities in terms of different countries and where they're at, would you say?
[00:03:17] Speaker A: Certainly, on a maturity perspective. And however, with that said, the, the main threats to the business are very common. Right. So basic attacks, for example, like password hash cracking, those are becoming a lot faster and easier for, for adversaries to do. And organizations, regardless of what geography you're in, have to, you know, implement different simple hygiene solutions like, you know, multifactor authentication and the number matching and that kind of thing. More recently though, what's been top of mind for a lot of security leaders is this idea of more customization when it comes to social engineering. For example, as a result of open source reconnaissance, the adversaries can do using different generative AI tools as well, which is influencing things like phishing and business email compromise. So I think, you know, the problems, maybe there's some comfort in this, I don't know. But we are really all in this together and we're all facing a lot of the same challenges. And in that way we're able to learn from one another and of course build together to actually start to counteract these types of trends.
[00:04:26] Speaker C: Okay, so just before we go back to adversary ingenuity, I want to talk more about. You said customization. So do you mean more? I think there was like a finance worker that paid like a bunch of money because there was a deep fake from a cfo. Is that what you mean by that?
[00:04:42] Speaker A: So this is an example, right? So deepfake for sure. This is a whole other challenge. And deepfake and audio fake and how impersonation has gotten. The efficacy has gone up so much. And before we were looking at technologies like generative adversarial networks and that helped essentially what that technology does is you have a generator and then you have a discrete discriminator. So you have something creating the media and then the discriminator calls out anything that might appear as fake or inconsistent. And in that way you're able to get a really high quality output. Now we're seeing things more like face swaps. Right? So in the instance that you mentioned with the finance worker, it actually ended up being a UK architectural firm that was a. They had multiple recorded deep fakes on the call and they essentially boxed out the junior employee from the conversation. And they were just tasking him so he didn't actually really have an opportunity to interact with them. And that works, you know, when you look at social engineering, because they architected a scenario that selected a vulnerable employee who was junior and didn't feel empowered to push back against a bunch of executives. Now, with things like face swapping, you can have highly realistic voice notes for audio, but then you can also have real time discussions with someone who is not real. And this is a level of social engineering that is above and beyond what we've seen in the past. However, when we're looking at, you know, phishing and business email compromise, the customization when it comes to the content of that email can be so precise. In fact, our own Red team targeted me using, you know, open source reconnaissance tool. And the email was flawless. KB, it was like, hey, Shannon, we saw you in Dallas at this event. Love that you talked about these topics. We would love to work with, you know, this person on your team. Like, it was so perfect.
And it appeared to be sent from someone who had commented on one of my posts on LinkedIn. So they're taking all of that available public information and as you know, I post quite a bit, so there's lots to draw from. But they're taking all of that public information and they're doing the research very, very quick in order to do target selection, so victim selection and then also to customize the actual content. So whether it's an email, whether it's a phone call, whether you're, you know, on a FaceTime or a WhatsApp video, whatever you're using. This is new risk that's being introduced to those, you know, social interactions.
[00:07:15] Speaker C: Okay, so there's a couple of things in there which is really interesting. So going back to you said before, target selection or victim selection, would you say, in your experience, I post a lot too? Would I become, am I more of a victim or someone on LinkedIn that doesn't really post at all? Who would you say would be more of a target?
[00:07:33] Speaker A: It always comes down to data, right? The more available data, the higher the risk. That's even in like really simple, you know, people will use their birthday and their username on Instagram, for example. Like that is valuable information that I can use to start to build a profile on someone. So I do think it comes down to a matter of people process technology when you want to protect against these things. And part of it is being aware that adversaries are using these tactics and techniques now in order to, in order to craft these phishing campaigns. So I would say KB, you and I, we got to be extra vigilant because of our post history.
[00:08:17] Speaker C: So then going back to the phishing email that you said worked for you, but you're obviously someone in this space, right? So imagine just like the everyday person that doesn't think like this, thinks everyone's innocent, isn't skeptical, isn't looking for certain things. Where does that sort of put most companies?
[00:08:35] Speaker A: Yeah, absolutely. And this is why I think, you know, I always, after you hear in security, you know, your employees are your weakest link or you're only as strong as your, as your weakest link and this type of thing. And you know, to me it's a, it's true, but it's, it's also a little victim blamey because ultimately we need to be pushing the vendor community and that includes, you know, that includes us to have technology do more of the heavy lifting. Because at this point when those emails are so customized, the links look good, there's no leet speak, it's personalized to you. It references something that you've done by someone who you've interacted with. Can we really blame that employee anymore for not being able to detect it on their own? Right, so we do want to, you know, be modernizing things like email security, going beyond gateways and doing different kind, using different AI detection techniques. Right. Using things like deep fake detection, inspecting content in the email in order to do more of the heavy lifting and protect that employee. Of course there's no silver bullets. So when companies are looking at things like, you know, financial verification or data transfer verification or they're working with sensitive contracts, you want to be looking at your processes for that as well. Whether you do, whether you have, you know, pre, pre set list of stakeholders who can approve those transactions, whether you have multi stakeholder approval, whether you require a face to face interaction if it's above a certain dollar threshold. Like these are really simple process changes that companies can make. But the fact of the matter is, is that they do need to be making these changes.
[00:10:18] Speaker C: Okay, So I want to. So going back to the face swapping, there was a story recently, if you saw it, there was a woman in France, apparently she thought she was engaging with Brad Pitt, who doesn't have any social media accounts at all. Fell for it, obviously she got scammed out of like a bunch of money, etc. We've seen these things happen. But I mean, in recent times I've seen some of these videos that people say, oh, you know, I fell for it, but it does look fake. Right. So do you think that comes from someone from like psychologically hoping that it's someone that they can fall in love with, for example? I think still today, romance scams in Australia is still the number one scam. Or do you think the technology is getting better? Because, I mean, I've seen it and it clearly does look fabricated in my eyes for sure.
[00:11:01] Speaker A: And I mean romance scams, pig butchering scams, this has existed long before this level of AI sophistication has been in our lives. So certainly adversaries are always going to prey on the vulnerable, prey on, you know, individuals who are not super tech savvy or, you know, are in a position to be, to be targeted in that way. So of course on that side we are looking more one at like education for example. But there's also tools available today. For us, for example, you know, we have two big sides of our business. We have a really large enterprise business for our security platform, but we also have a consumer business as well. And on the consumer side we created a tool called Scam Check and essentially for that Brad Pitt, you can take a screenshot of that interaction and upload it to the Scam Check and it will tell you whether it's legitimate or not. So there are tools available in the market today to even help individuals who have been victims or targets of a romance scam or a pig butchering scam.
[00:12:04] Speaker C: Do you think that even if someone uploaded it to a tool, if it was more of a psychological issue, do you think that they'd still believe. No, it's definitely Brad Pitt that's trying to hit me up. Like, do you think that people will still think in their mind that this is the reality irrespective of what the tool says?
[00:12:19] Speaker A: I think, you know, this is getting out of my specialty area a little bit. I think this is a little bit more of a psychology question, but I think at the end of the day we have to do the best that we can when it comes to education and giving people tools in order to make the best and most informed possible decision. And what they do after that, of course, is out of our hands.
[00:12:39] Speaker C: So you mentioned before, Shannon, technology to do the heavy lifting. And you said that we should be pushing the vendor community. So how can clients or people like myself. What do you mean when you say pushing, like in terms of evolution of their tools or what do you mean by that specifically?
[00:12:54] Speaker A: Yeah, and you know, I said pushing, but I think a lot of the time it really ends up being a little bit of a beautiful partnership, I think, working together to define the outcomes, to define the challenges, and getting really creative on how we're building products and how we're building solutions. This is, this is how we get to the best possible outcome. I always joke that, like the number one product manager is our customer because they're always informing us and we're always building kind of hand in hand together. But I think that it is, you know, really encouraging and demanding to innovate and to look at what's happening in the threat landscape and how nation state actors and ransomware gangs are, are innovating. And you know, we have threat research teams who dig into those topics in order to inform how we can do better detection, how we can leverage and emerging technology in order to modernize detection models and detection techniques as well, in order to keep people safe and to keep businesses safe.
[00:13:55] Speaker C: So we're speaking at the start of 2025. Do you envision what we've sort of discussed, like, obviously these things will probably stay on the radar, but do you think that obviously there's going to be new things that emerge in terms of trends and threats, et cetera? Because how the industry is moving now, it's a, you know, very. It's moving at velocity and things are changing all the time. Even in my sort of space, there's not even I can get across every single thing. So where do you sort of see this year now with where we're at with the world, with how quickly vendors are coming to market with new products, tools, etc. Can you help me make sense of some of that?
[00:14:28] Speaker A: Yeah, of course. Like for I. My position is, you know, important problems are complex, right? Absolutely. There's higher volume, higher speed when it comes to threat landscape. There's more zero days than ever before. There's been, you know, maybe some possibly overblown, some legitimate concerns around AI creating new types of malware. But ultimately the basics are still the problem, right? Unpatched assets, misconfigurations, phishing campaigns, flat networks, not having MFA deployed. These are the things that have persisted for years and I believe will continue to persist through this year. However, these more novel and emerging threats, so, you know, these AI influenced threats, deepfake, audio fake, automated reconnaissance, these like North Korean fake employees that we saw in 2024, I think that these threats will become, if not increasingly sophisticated, higher in volume. Right now I still say that deepfake, audio fake is novel and emerging, but it's not prolific. I do think throughout the year we will absolutely see the higher volume of these types of attacks. And for that reason, like there's no better time for businesses to plan than right now and to start threat modeling for these different campaigns and getting prepared to mitigate these different risks and having a plan in place essentially to protect themselves.
[00:15:58] Speaker C: So you said before being prolific, do you think as well now with everything you just mentioned in terms of like cyber criminals and they're probably going to try for every angle, not just attacking a business, but they're either going to try to go through the individual because what you've just said, like that's doesn't see it, that's not going to be a lot of work for them.
[00:16:14] Speaker A: Right.
[00:16:14] Speaker C: Like you mentioned, like people that have got big profiles like me and you, you know, it's quite easy to craft something, do you think that has to be more targeted or do you think still they're just going to try to go for volume and see what happens? Because some of these, you know, old school phishing emails, it's kind of like, well, I put five minutes worth of work into it and they're probably only going to get maybe 2% of people. I mean it could be higher. But just if you look at it, it does look quite fabricated. But for some of these more targeted attacks, are they going to take longer in terms of energy? Where do you think these cyber criminals heads are at?
[00:16:44] Speaker A: No, I think that they'll be able to do it at scale a lot faster. Like the customization that I went over, you know, you could think of that as a manual process. But if you're, if you have the tools in place that are doing the scraping for you and doing prioritizing victim selection, this starts to become very, very fast. And at the same time in the criminal underground and on these different criminal marketplaces, you know, people are buying and selling data constantly as well. So there's lots, lots of information available, quite frankly, in order for this to scale up and get a lot faster. So I do think for sure you're still going to see those kind of classic old school campaigns. But I think that as adversaries start to understand the technology and potentially even create services, cyber criminals, they behave just like real businesses, right? They sell Products, they also sell services. So I can totally see, you know, you've heard of ransomware as a service. I can totally see something like reconnaissance as a service emerging in the criminal underground this year, where people are doing the victim selection and then they're selling those lists to another gang and that's how they make their money. So, yeah, I absolutely think that the degree of sophistication and customization and phishing will become much more automated and is going to scale relatively quickly.
[00:18:02] Speaker C: And just in terms of sort of, you know, the victim target or the victim selection. Historically, it used to be more like if it was someone of high calibre or someone in a senior role, but hearing what you're saying, it could effectively be anyone. Now, in terms of a high target, that someone you know is not necessarily like a CFO or CEO. It could just be an everyday person with a, you know, a large YouTube channel, for example. But that's sort of the shift that I'm hearing that you're saying, yeah, I.
[00:18:31] Speaker A: Think any path of least resistance, right? This is, this is the way that adversaries think. If you want to have an adversary mindset to, to protect yourself, I think that's a good way of thinking of things. But, yeah, it's going to be path of least resistance. And the way that we talk about this is we use a term called data actionability. And how, and what that means is how immediately valuable will this credential be, or how immediately valuable will this information be? And certainly if you can identify any opportunity where you can identify a vulnerability so that you can get in and start to move laterally, that that is of value and that's actionable. And to your point, that really could be anyone. Of course, executives will still be targeted because they're the whales, right? But if I can be crafty and if I can find a way in, or if I, if I'm specifically looking for, you know, say that you're an administrator, IT administrator, you know, director of IT, or that type of thing, and you have that on your LinkedIn. Well, you know, I'm going to be downloading that whole list of, of individuals from LinkedIn, right. So any way that I can get credentials, right? So that'll be through a phish, if I'm looking for. And then there's lots of other different access techniques as well. VPN gateways, open RDPs, lack of MFA, that type of thing. But certainly any way that I can get in, then, you know, you're up for grabs.
[00:19:51] Speaker C: So then let's flip over now and talk about C suite leaders, et cetera, boards. Given your travel and your discussions with some of these people, where do you think generally their heads at?
[00:20:02] Speaker A: Certainly I've seen a massive trend toward boards being much more engaged and much more cyber aware than they have ever, ever been in the past even I would say within the last 24 months. In the U.S. for example, we see that because there's a change in SEC regulations and boards are now liable and they're on the hook for cyber breaches. So they want to get, they want to up their cyber IQ. But I do think that this trend is transcending around the world and I do think that there's a greater appetite for boards to have access to, you know, accurate risk reporting. And how are we in a good position or one of our competitors just got breached, are we next? And if you're a security leader, you want to be able to answer those questions with a good degree of confidence.
[00:20:50] Speaker C: So I'm aware that Trend has released a credibility gap report which shows the disconnect between C suite and security teams. So I've got it in front of me. So I want to sort of talk through some of the stats, which is quite interesting. And one of which was 79% of global cybersecurity leaders have felt boardroom pressure to downplay the severity of cyber risks facing their organization.
So on that note, you sort of mentioned before that you know, things in the last 24 months and maybe it's part of, you know, having that personal liability attached. If something goes wrong, you're on the hook for the board members and executives. But why do you think people are downplaying it? Is because, like, oh, it's a problem. I sort of, if I downplay it, perhaps, you know, people aren't going to focus too much there because if they focus there, I don't have all the answers to it. I don't have the budget for it. Where do you, where do you think that stat comes from? That's quite high.
[00:21:43] Speaker A: At the end of the day, it probably comes down to prioritization, right? And I do think that there is a perception shift happening in cybersecurity where it is starting to be seen as a, as a value add versus a cost center. But in the context of financial risk and operational risk and all of these other priorities in the business, I think that there can certainly be maybe an ill informed appetite to downplay certain risks if there's, you know, really large competing priorities. But with that said, I do think people are understanding that cyber risk is a business risk and damage or destruction to your data loss, loss of customer faith, loss of, you know, reputation if you're encrypted and you're not able to do your work, if you have, you know, security in place that disruptive to your business, like all of these things impact a company's ability to be profitable and to act in a productive manner. And I think that that is being realized now. And hopefully we do start to see that number drop. But at the end of the day, I think that it comes down to priority. And the better we're able to communicate the impact of cyber risk to the business, the lower we're going to see that number.
[00:22:52] Speaker C: So if we zoom out for a moment just on that point, where would you say is the biggest disconnect between C suite and, and security teams?
[00:23:00] Speaker A: The biggest disconnect between C suite and security teams? I think often, you know, sometimes if, if nothing is happening, then there's a question of investment. So it's like, well, we haven't been breached, so why are we paying all that money? And it's, it's a little bit of a paradox, right, because the reason why you haven't had a security event is because you've made all of these investments, right? So I do think that sometimes justifying investment and justifying spend can often create a disconnect. And I think that comes because in the past we haven't had access to really defensible and transparent reporting. I think the more transparent we are, I think the better we communicate with the board and with C level executives on the business side, the better, the better we are able to bridge the gap between these two, between these two things. Ultimately in cyber, you know, we have, the business might see it as disruptive, right? If you're blocking access or denying access, if you're buying things and they're not being deployed properly and you have, you know, a shelfware problem, you know, these are reasons that can maybe impact the reputation of cyber within the business. But if you can report on what you're doing and how you've brought the risk down and the KPIs that your team is working against. If you're able to actually do cyber risk quantification and you can actually quantify the risk within your environment, that really starts to get the attention of the C suite. And the more we're able to speak the language of the business, the more as serious you're able to be taken. So doing things like risk measurement, risk scoring, risk reporting, as well as translating into dollars really starts to narrow that gap between these two groups. And that's exactly what we want to see.
[00:24:56] Speaker C: So just pressing a little bit more. Going Back to the 79%, there's another further breakdown here. So it says 43% say it is because they are seen as being repetitive or nagging. So, I mean, nagging is obviously people seem frustrated by security person sitting up there saying, hey, I need more money, etc. Do you think from your experience talking to some of these C suite people, they have turned around and said, you know, I feel like these security people really nag me?
[00:25:24] Speaker A: I think again, it comes down to speaking different languages. Often in cyber, we're in highly technical environments, we're dealing with, you know, lots of jargon and specialized knowledge. And when you bring that language to someone who has no background in it, who doesn't, who doesn't have the context, I think that it can create a lot of friction. Right. When we're able to speak on the same field and align our goals and match our goals, this is when that type of claim around nagging or I'm annoyed or I don't understand, like a lot of the time, frustration, and this is almost more psychology again. But where frustration comes from is from a place of misunderstanding. When we're able to speak the same language as each other, that's when we really start to feel like we're on the same team.
[00:26:18] Speaker C: But then we're in this conundrum in the industry, which I've seen myself is, you know, if someone's, someone's in a senior position, for example, and they're not technical, but they're better at influencing people and getting money from board members, as opposed to perhaps super technical person that is seen as nagging or repetitive or doesn't get their point across. And then often you see this rather in the industry to be like, well, you're not technical enough. It's like, well, you only have soft skills, but like, soft skills, like, it's hard to deal with a human being. You can't configure these people, right? You have to deal with their emotions. So where do you sort of see this sort of trend now in terms of. I spoke to a CISO yesterday and he's like, I'm not from a technical background, but I can, you know, win friends and influence people. Are we going to start to see more of these people in these senior roles that have a bit more of an understanding on how to manage people that they're not, you're not, you know, Trend Micro is not writing a report saying like, oh, you know, nagging and repetitive. Are we going to start to see that now as a trend?
[00:27:17] Speaker A: I think that we've started to see the emergence of kind of a new role in some larger enterprises called BISO, Business Information Security Officer. And that's not a replacement of the CISO. It's almost like a complementary role in order to help bridge that gap. And these two roles are working together in order to influence the best possible security outcomes for the business. And I think that, you know, a challenge and the tightrope that we need to walk when we're looking at communication is. And maybe this is where this idea of nagging comes from is, you know, when you're over reporting on individual alerts and you're really overwhelming people. But then on the other side of that that you also don't want to do is, you know, just paint a really rosy picture in order to make people feel good. Right. You, you need to walk that line in order to paint a realistic picture that's tied to the business outcome that you're after and that is still championing those, you know, security outcomes and often those compliance outcomes that you're, that you're after as well.
[00:28:26] Speaker C: So the other thing I want to ask you about, of the 79%, 42% were viewed as overly negative. Now that doesn't surprise me. Would you say it goes back into what you were saying before around, you know, how to manage people? You know, I've been in roles before. It's like all this person's quite negative and maybe they just don't understand on how to, how to manage other human beings and they get perceived as being negative. So do you think there's a bit of that then in there too in terms of the people perhaps on the front line that are trying to educate these C suite members might not be the best person?
[00:28:57] Speaker A: I think that my guidance is always that you can't bring problems without solutions. And this is just, again, it goes back to communication 101 and really influencing a culture of good communication within the security. So I think the, maybe the solution to this idea is when you are bringing a problem, you want to have a corresponding plan for how you're going to tackle it. And I think that that is a really proactive way to engage with the business and make them feel like you're on the same team.
[00:29:30] Speaker C: So do you think from your experience people are taking problems to C suites and being like, well, I don't have a solution. Or they're like, hey, I don't have one, but I'm trying to figure it out. Or do you think they just come and say, hey, this is a problem, and then that's the end of the meeting?
[00:29:42] Speaker A: I think it's all about justifying your request and your investment with sound data. And, you know, the business makes decisions based off of data. So if you're able to tangibly show this is how I can reduce the risk, these are our top vulnerabilities, these are our top misconfigurations. We need more headcount or we'd like to leverage a service. By bringing that information to the table, you're able, you're able to have a really solid conversation. So. So, yeah, I think it's all about justifying your spend and speaking, again, speaking the language of the business and, you know, finding some common ground.
[00:30:19] Speaker C: And is there anything else in terms of when you're speaking to these C-suites that they're sort of saying to you in terms of some of their frustrations with security people or vendors, etc.? Any sort of insight that you can share?
[00:30:28] Speaker A: Again, like, I do think that I really genuinely believe that the divide between the business and security is getting narrower. I think that people understand the impact of cyber risk within the enterprise. I think that this is really, really the trend that I'm seeing. And I think that there's some, you know, best practices when it comes to this as well. You want to be able to tie what you're doing to the business and IT goals, right? Businesses just want to operate in a seamless, profitable manner and have their make sure that their employees are happy. Right. So if you're tracking toward those common goals, that is excellent. Any way that you can do that? You want to set goals for your metrics. So if you're particularly risky in a certain business unit, you, you want to have a plan to bring down that risk there and communicate and articulate the impact of that. And then you also want to get past the sort of easy to count the things. So, for example, malware caught by your EDR or, you know, the list of configurations that you can't change because if you change it, it's going to, you know, dramatically break something. You want to be able to get to a place to share metrics that are meaningful outside of security as well. I think that these are, these are best practices that are going to continue to influence what I think is a positive trend towards cyber being considered an equal business risk compared to things like operational or financial risk.
[00:32:02] Speaker C: So given everything that we discussed today, where do you think we go from here as an industry?
[00:32:07] Speaker A: Yeah, for sure. I think at the end of the day it all comes down to proactivity. I think that this is challenging some conventional thinking that we had and have had in cyber where we're constantly in firefighting mode, where we're constantly having to respond to things and be super reactive. I think that we're in a place and we have the predictive technology where we can actually anticipate the adversary much better and own our own attack surface before someone else can. So being proactive I think is really, really key. Second, I think is around AI and how we can leverage this technology and how we can be aware of this technology in order to better enable our security teams, in order to secure our go-to-markets and in order to actually secure that adoption as well or that infrastructure change that I mentioned at the beginning. And you know, KB, it's not sexy, but ultimately I think really taking care of the basics and using, you know, different types of tools in the market like attack surface management or exposure management or CTEM, these types of things, in order to, in order to do that and to discover our risk events, to assess that risk, to prioritize that risk, to, to get in front of it in order to drive down breach potential upfront. I think that this is absolutely the way forward and I think that it's going to make a huge difference in how we secure the enterprise moving forward.
[00:33:34] Speaker C: Just going back to the conventional thinking. So I have seen a shift towards people being a little bit more open minded to different things. Do you think that it's just hate to say it, it's just time. Sometimes, you know, we have to give people time to, you know, do their own research and to have these conversations with vendors and service providers to actually understand where the landscape is at. Because even when I came into this space more than, you know, 10 years ago, people still had a very narrow way of thinking. But to your point, things that you share with me today, of course, other people that I speak to as well, there seems to be that thinking outside of the box. Will that continue now? Would you say do you think as well that maybe some of the leadership has changed and again, like things are changing every day faster than they ever have. So would you be of the belief that if people are not challenging that conventional thinking that they can be in a real situation?
[00:34:26] Speaker A: They absolutely can be in a real situation. But where I feel really energized and excited is that people want this. Like I, I mentioned earlier that, you know, we partner really closely with our user base and with different CISOs who, who we work with every day. And they're coming to us with this need and this want to be more proactive. They want to get ahead of the adversary, they want to have a way to track their risk. They want to be able to speak the language of the business and meet the business where, where it's at. So I, I feel, I feel fairly optimistic that, sure, it takes time and research and how are you building your tech stack. And of course there's, you know, that's, that's its own process. But ultimately I think the mindset shift is there and people ultimately want proactive cybersecurity and proactive practices because ultimately, KB, they're so done with this fight or flight position that they've been in. So to me, that's energizing and, and that's, you know, a sign of things moving in the right direction.
[00:35:26] Speaker C: So, Shannon, do you have any sort of final thoughts or closing comments you'd like to leave our audience with today?
[00:35:31] Speaker A: Sure. Maybe just, you know, we, we talked about a lot of different things from, from threat landscape and tech landscape, but I think ultimately we've spent a lot of time talking about risk. And I think what it comes down to is, you know, if you're measuring risk in silos, this is not going to be the effective way forward because you're missing context, you're missing relevant data. It's imp, it's impossible to prioritize risk if you're looking at it in different places and you don't have a common risk measurement framework that applies to all of those different assets for all of that different data. So in that sense, I do think that this trend toward not just platform, but greater integration as well is really super cool. And again, I think the vendor community is reflecting the demand that's coming from the practitioner community. And I think having these two groups work really closely together in order to get in front of things is really positive. And again, you know, other trend at the end of the day is looking at, you know, best ways to, to leverage AI in our day to day. Whether that's, you know, you've heard a lot about agentic AI and you know, predictive, you know, chat bots and attack path mapping and all of these different things. All of this great innovation is really coming together to give an edge to the good guys, to give an edge to the defenders. And I think that in cyber right now we have the talent and we have the investment and we have the speed that is actually putting defenders ahead of the bad guys right now when it comes to leveraging this technology. And I think that that's something we can have a lot of hope in.
[00:37:16] Speaker B: This is KBCast, the voice of Cyber.
[00:37:20] Speaker C: Thanks for tuning in. For more industry-leading news and thought-provoking articles, visit KBI Media to get access today.
[00:37:29] Speaker B: This episode is brought to you by MercSec, your smarter route to security talent. MercSec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and mid-sized businesses scale faster and more efficiently. Find out more at merckx. Act. Com today.