KBKAST

Episode 312 Deep Dive: Agnidipta Sarkar | Why Should We Have Invested in Cyber Defence Yesterday

June 04, 2025 | 00:38:01

Show Notes

In this episode, we sit down with Agnidipta Sarkar, Chief Evangelist at ColorTokens, as he explores why organizations should have invested in cyber defense yesterday. Agnidipta highlights the increasing pace and impact of cyberattacks despite rising cybersecurity spending, emphasizing that the real challenge is a matter of mindset rather than budget. He discusses the evolving role of boards and leadership in prioritizing digital resilience, the need to treat cyber defense as a fundamental business cost, and the critical distinction between risk and danger, especially for sectors like critical infrastructure.

Agni is a CxO Advisor specializing in digital resilience and cyber defense, with a primary focus on strengthening digital environments to ensure that organizations are adequately prepared for cyber attacks as they reap the benefits of digital business. With over three decades of insightful experience in the fields of cybersecurity, continuity, crisis management, privacy, and risk optimization, he actively advocates for and promotes zero-trust principles across complex systems, including on-premises, cloud, and operational technology/industrial control systems (OT/ICS) environments. Agni is a highly regarded speaker and thought leader, contributing his expertise to various industry forums and standards organizations, such as ISO and the Cloud Security Alliance, where he plays a pivotal role in shaping the future of cybersecurity practices for a safer digital landscape.

Episode Transcript

[00:00:00] Speaker A: It's not really about money, it's about mindset. As you said correctly, everyone's busy; boards see themselves as engines for strategic growth. Leadership sees themselves as serving the board and making sure that the operations go on as smoothly as possible. The CIO is focused on the next innovation. The CISO is focused on investing in cybersecurity. We have not empowered our CISOs and CIOs and the board to focus on cyber defense and on resilience. And that's the reason that I am an evangelist. That's what I'm telling the world. That's the message I would tell everybody to focus on.

[00:00:39] Speaker B: This is KBKast as a primary target.

[00:00:43] Speaker C: For ransomware campaigns, security and testing and performance risk and compliance. We can actually automatically take that data and use it. Joining me now is Agnidipta Sarkar, Chief Evangelist from ColorTokens. And today we're discussing why should we have invested in cyber defense yesterday? So Agni, thanks for joining and welcome.

[00:01:07] Speaker A: Hi, happy to be here and I'm so, so happy to be talking to you.

[00:01:11] Speaker C: Okay, so let's start right there. Why should we as an industry have invested in cyber defense yesterday?

[00:01:20] Speaker A: Well, the fact is that we've been investing in cybersecurity for a very long time and we have not seen the real benefit come because as investments are growing, probably reaching to about a trillion dollars, the cyber attacks are also growing. They're not slowing down. So somewhere something is wrong. And I think the main focus that we need to make a slight shift is to be able to defend against cyber attacks, knowing that attacks will happen; it's not a question of if they will happen, but when they will happen.
And even if you look at all the surveys that everyone's doing, the boards are slowly shifting focus from cybersecurity to digital resilience because businesses are going digital, so there's more to attack from an attacker perspective. And the current investments, I mean, even, even yesterday there was an attack on Coca-Cola. Coke, I believe, as you know, is one of the companies who probably have the best-in-class security tools. But they were attacked, so attacks are not going down. I think we should have invested in cyber defense yesterday so that we are able to defend ourselves against an oncoming attack by combining all our resources in a structured manner.

[00:02:37] Speaker C: Yeah. So what's sort of coming up in my mind, given your role as sort of chief evangelist and you've got more of a, you know, you've obviously got a global role, what are you sort of hearing now from customers? Because everyone that, I mean, I'm at a conference now as I'm doing this interview and the same sort of conversation we're talking about here today, Agni, is really what I'm hearing a lot from people as well. But then people say, I've got, you know, limited budget, I've got, you know, so much to do, the never-ending to-do list. I've got people who have burned out. So where are people sort of, where are the priorities sitting? How do you sort of see that?

[00:03:08] Speaker A: I think their priorities are shifting. But the main thing is it's not about, it's not really about the money. It's more about the mindset. You see, boards often see themselves primarily as engines for strategic growth. And I believe the information that the attacks are increasing in spite of, despite investments, is not reaching the board. But in a world where, you know, one cyber breach can freeze operations, tank share prices or cost millions in penalties, that mindset needs to evolve.
And it's not evolving primarily because we are not treating digital risk as a governance-level responsibility, which separates basically the reactive boards from the more resilient ones. But what I'm hearing from the customers that I'm meeting is that they are invested and they're willing to learn the shift that they need to make beyond, you know, quarterly updates and asking hard questions, anticipating vulnerabilities, figuring out where is the weakest part and how they can, you know, make that a little better. That's what I'm seeing. It's increasing. The focus of the board on resilience, on cyber defense is slowly increasing. And the more, the larger ones are more invested in it, the more agile ones are less invested in it. I mean, they were always less invested in security as well. But the ones that are invested in security and who are focused on making the organization's reputation work, they are focusing on it. In fact, if I remember, there was an MIT Sloan review done last year where they interviewed, I think, 33 CEOs and all of them said that they thought that they had invested and they were ready, but they now realize that they need to shift towards cyber defense.

[00:04:53] Speaker C: So would you also say, though you said before, like the money isn't an issue, but I'm hearing a lot down here in Australia that people are always worried about the budget. Obviously we're a smaller, smaller market. You know, we have 26 million people here, which is still smaller than the whole state of California, to just give an example for folks who aren't living in Australia. Obviously our GDP is smaller as well. So do you just think that perhaps currently Australia is a smaller market, so maybe budget is more of a worry, perhaps?

[00:05:21] Speaker A: So you think about budgets when you think about return on investments. Right. But cyber defense or resilience is not really a return on investment topic. It's cost of doing business.
So it's not about how many people there are, it's about what is it that you're trying to invest in to gain what kind of leadership in the world or in your area. So it could be a much smaller market. For example, it could be, you know, Malaysia or maybe Vietnam, but it really doesn't matter. What matters is what are you willing to invest in for the business value that you're trying to get out of digital. That's the main thing. And that's why I said it's not really about money. It's about how you perceive that investment, as if you're perceiving that investment as return on investment. If you're perceiving that as investment, then of course it's about money. But the reality is that if you are in a state. Let me give you an equivalent example. So let's say that you are trying to invest in a business to build roads. And you know that you can't build roads in a particular place because you need to dig it. You, you're going to invest in digging. That's cost of doing business. Likewise, digital resilience or cyber defense is cost of doing business. It's not an investment. Does that answer your question?

[00:06:38] Speaker C: Yes. Yes. Yes. So what's come to my mind? So you, so what you're saying is, and do you envision now, given what you just said, businesses need to write this into like their operating costs or their opex, right? So it's like this, like you said, cost of doing business, for example. I'm going to give a bad example. But if you're like a courier company, you have to invest in the, you know, the trucks and the, in the cars and the vans and the boxes. That's just the cost of doing business. To run a courier company, for example.

[00:07:06] Speaker A: Yeah.

[00:07:07] Speaker C: People can't be surprised, right? They can't be like, oh well, I've invested in a courier business, but I don't want to actually buy the van to move the stuff. So people can't be shocked by that.
[00:07:18] Speaker A: For example, I got a very good example given to me by a COO, chief operating officer of an industrial organization. They were, they were making chemicals and they said, and he said, the reason that we need to invest in cyber defense is that we treat this as danger, not as risk. You know the difference between risk and danger, right? So if there's danger to human life, you don't want to do it, or you invest in capabilities that will protect human life. So it's all about safety, reliability and efficiency. It's not so much about confidentiality, integrity and availability. Of course those are important, those are essential or the foundational capabilities that go behind cyber defense. But in the end, it's about safety, digital safety. It's about reliability of digital business and it's about efficiency of digital business. That's what cyber defense and cyber resilience will bring to the table.

[00:08:17] Speaker C: Yeah, okay, this is interesting. So I formerly worked at a bank in security. So again, and I've spoken about this many times with people on the show, with people like yourself, and you mentioned the operative word, danger. Working in a bank, for example, is like, okay, we lost some money or someone got scammed, or your life savings, it's annoying, but it's not going to kill you if you lose your money. Right. But for example, critical infrastructure, water plant, something happens, the water's contaminated, people could potentially die. So how do you start to see the everyday sort of business which perhaps doesn't have that danger, but equally they don't want to, you know, have downtime, they don't want to lose money. How do people find that equilibrium in your experience?

[00:09:00] Speaker A: As I said, it's about mindset. So the whole thing is about finding the word. You said the exact word. It's about the equilibrium. People need to find out what is it that they will tolerate.
So, for example, there is a concept called minimum viable business. When you're thinking minimum viable business, it's different from business continuity because you're thinking about having a. I call it minimum viable digital business. So when you're thinking about that concept, what you're thinking is, in the face of adversity, how much minimum business can I run? So with cyber defense in place, with digital resilience in place, you're looking at a number between 50 and 80% or maybe 90%, depending on how much and where you are investing; the balance then is to invoke a BCP in the 20% that remains. But if you're not thinking that way, if you're not thinking, as I said, it's about mindset. If you're not thinking about building resilience to operate at your minimum viable digital business at about 50 to 80%, then you're thinking about business continuity, which will be 15 to 20% at the most. Does that make sense?

[00:10:05] Speaker C: Yeah, absolutely. It's how do we. Or as an industry, how do we get people to move more towards that mindset, would you say?

[00:10:14] Speaker A: So I think that the real thing is where do you want to focus on? And in my experience, and I was a CISO in my life before I joined ColorTokens, the argument that I, that I used to take to business leaders is that if we are thinking about doing something new, we must start thinking about the digital innovation and digital resilience in the same breath. If we are not doing that, then we are looking at a situation that the entire innovation could be upset because of a single disruption. So when you are thinking how much you are going to invest, you don't need to invest a lot, but you definitely need to invest in foundational capabilities. Like, if there was to be a cyber attack, can I just put my systems in a manner that they are not visible to the attacker? That's one way of thinking. That's not a huge cost, that's not a huge investment.
I mean, this has been known to the industry for a very, very long time. It's not new technology, but people have not been focusing on it by making sure that, okay, I have these critical systems and these are the ones that I want to protect. That's another area. Not many organizations have actually, you know, bogged down the number of critical systems they have. Asset management continues to be a huge challenge. Shadow IT continues to be a huge challenge. So if we have to convince the industry on how we can take this forward, we need to stitch all of it together into one big message that says, you know what, we could look at cyber defense and it could give you value beyond just digital safety. It can actually make sure that you are reliable to your customers, you are efficient in delivering what you promise to deliver to your customers. That's where the real value lies.

[00:12:03] Speaker C: So I just want to, maybe I want to zoom out for a moment and perhaps, Agni, talk about the real purpose of cyber defense. So I think maybe before we start to really get into some of the minutiae I'm keen to explore. What. What do you mean by that?

[00:12:20] Speaker A: So cyber defense theoretically is not much different from traditional defense, except that it's in the cyber world. Right? So which means if you had to build defense, you had to know your enemy, and which means you need to plan how you're going to defeat that enemy. Thankfully, all that information is available today. CISA publishes, for example, attacker profiles. They can differentiate between LV versus RansomHub, and MITRE publishes the MITRE ATT&CK framework, which actually documents how an attacker attacks. So what needs to be understood is that for doing cyber defense, we need to be able to anticipate an attack and we need to be able to do some element of modeling so that we can then initiate those models should the attack happen. Of course, if nothing happens, you're good to go.
But in between that comes a stage where you need to make sure that there are no unnecessary digital services that are just floating around doing nothing. Your authentication is in place, you've got your basic cybersecurity hygiene in place. And now all that you're doing is you are hardening the enterprise so that there is no way an attacker can just waltz in without notice; that would be detected. Now, this is the first phase of preparation. If you're prepared enough, you know your attacker, you know your exposed systems, you know what you're not good at, for example, you're not good at vulnerability management, or you're not good at patch management for certain systems, or certain systems cannot be patched at all because let's say the vendor is no longer available. And this happens quite often in the OT world. You need to be able to put them in a bubble so that no one else is able to attack it other than those who really need that information. Or you could make the information one way. Information only goes out, nothing comes in. You can do all of that if you've done that efficient amount of planning. Now, this is in anticipation of an attack. And then you build models, then you build playbooks. Should an attack happen, what do I do? Where do I bring in my weapons from? And most companies are investing in cyber defense, in cybersecurity tools. And then there is micro-segmentation that my company does, right? So what you do is you prepare those models, you prepare those playbooks, and you create templates so that you can disconnect at will should an attack happen. You now know which model to execute when and what would be the impact, for how much time you would be able to keep an attacker out. Let's assume that you divided your organization into 26 micro-segments, all letters of the alphabet, right?
So it means that if you have an attack in micro-segment, let's say, A, and if you're able to contain it within that micro-segment by using the models that we talked about earlier, it means that attack will not spread. That's what I was talking about when I said the minimum viable digital business going up to 80 to 90%, because you planned to contain an attack before an attack happened. That is the key essence of cyber defense. And should an attack happen, you go into containment immediately. Yes, probably, you know, 10, 15% of your enterprise will be affected. But then that's what your BCP is for. You're able to do your BCP. The most important part, what happens after an attack, is that you can then go and tell your stakeholders; it's going to be a different kind of media report. Instead of saying that there was an unprecedented cyber attack and in, in anticipation, we shut down our systems, but we'll be available back very soon, we've hired the best cybersecurity guys, you now say there was an unprecedented cyber attack. But guess what? We are not. We, we are back in business. It's affected one part of our organization, but we are good to go. We're still delivering value to our customers because we are reliable and we'll be doing the work that we were doing efficiently as much as possible. This is cyber defense. This is the view of cyber defense. And if you have done it properly, if you put a management system around it, that means you're going to evolve. Every time there's a cyber attack, tomorrow's world is going to have AI in it, which means all this can be done by an AI. And you know how AI works, right? It learns and it teaches itself. So the next time an attacker comes in, AI would know. But I'm saying even without an AI, you could do it manually. You could keep improving your systems continuously.
[00:16:59] Speaker C: So, okay, so a lot of the things as well that I'm hearing from the community globally around, you know, business continuity, all of this stuff you've just spoken about before, Agni. So I'm keen to really, from your perspective, a company, I don't know, say it's an e-commerce business. Right. Something happens, they go down, they're out of business for a couple of days, then it's a week, then it's a month. How long, given your experience in the field, have you seen a business in terms of the interruption, and gone down for a long period of time that just completely ruined them? Is there anything you can share?

[00:17:34] Speaker A: Oh, there are many. I mean, you know, the recent incidents as well. There are companies like the recent Change Healthcare situation that happened. They thought that they are going to have an interruption of, you know, a few days; they denied, they were not prepared for that cyber attack and then UnitedHealthcare bought them over. And they're still not clear. In fact, if I'm not wrong, about two weeks ago there was another, another release. I don't know the exact numbers, but I believe that initially their costs of recovery were in millions, but now they're in billions because of the continuous, you know, whatever that's happening. There are many companies that I know about. Again, I don't remember the exact names. There was this chemical company in the UK that went out of business completely. There was an ed tech startup that went out of business completely. Yeah, there are many of these incidents. So to your point, some high-profile breaches either are affecting their top lines, their organization performance. The Oracle breach, by the way, how much has that stock price gone down by? They denied the breach initially. I don't, I don't know if you are following that attack, but they denied that there was an attack at all.
And then the attacker released all the data and then they were sort of, then they sort of agreed that, yeah, there's possibly an attack, but by that time the damage was done. The share price tanked. The cost of inaction is real and it is rising. Change Healthcare is one example. Clorox is another example. That happened again. I just remember it right now, where they underestimated that, how bad it could be. And it just went vertically down. It just went down real fast. Colonial Pipeline, another one. When Colonial Pipeline started off at that time, there was a ransomware and they had to pay ransom. And as you know, when the ransomware thing happens, the ransom goes up over a period of time. Right. They keep multiplying. They basically keep doubling every day. By the time they paid, they paid a certain amount. But the real effect happened afterwards because they had stopped gas and that stopped the traffic. Right. They were suppliers across the entire eastern seaboard. Guess what happened to the highways because there was no gas. So all these incidents are telling you only one thing, that we, I think, are underestimating what could happen and we are underestimating it. I'm not blaming anybody. I'm actually telling everybody that we are not doing it because we're not focusing on it. So boards, I believe, should focus on how, how vulnerable is an organization to a cyber attack. And if that's the question they're driving from the top, the cyber leadership or the CSOs are going to find that out. The business leaders are going to question themselves that should something happen, how much can we be affected? If you think you're not going to be affected, then there's no point in investing in cyber defense, or you can take a call saying, I have enough cybersecurity in place. I remember a long time back when I was younger, somebody told me, we've got antivirus in place. So why should we worry about a firewall? So, you know, we've evolved from there.
[00:20:38] Speaker C: I hear what you're saying and yes, I have followed a lot of those breaches. So I want to. The reason why I asked you that question is because what I'm trying to ascertain from people like yourself is when you're trying, if you're a CISO, you've got to get money from a CFO or board to invest in your, in your security business. Right. Have you seen an effective way that cyber executives can communicate, or someone in that business, to communicate to say, hey, if something happens, for example, and we are not running our business for a week, this is how much it's going to cost? To your point around the stock price, I have followed that as well. One thing that no one on this show has been actually really able to answer, and maybe you can, Agni, is around: breach happens. The breach that happened here in Australia, like Medibank, stock price plummeted. Yeah. Okay. It recovered after a while, et cetera. However, what is the long-tail impact now of people having a stigma attached to that business to say, oh, but they got breached? How hard is it for customer retention over that period post-breach? And how hard is it to actually obtain customer acquisition then post-breach? I'm not some acquisition actuary, I'm not a mathematician, but I'm curious to see, do you have any stats or insights on that? Because that's something that I don't see a lot of people in this space focusing on at all.

[00:22:05] Speaker A: Well, the reason that no one's focusing on that as well at all is, as you, as you rightly said, you're not an actuary and the mathematics of this is not very well established. The reality is that if you look at all the breaches that happen, we sort of eulogize any breach in the media and that sort of defeats the whole purpose of what a CISO has to drive when he goes asking for money. Now the gun-at-your-head kind of asking for money doesn't really work because no one likes that. Right.
You don't want to pay money because you think you're going to be held at ransom. But what you really need to do is to include them in the decision-making process and focus on the breaches that really mattered. What I mean by that is, if you remember, LinkedIn got hacked long back, right. So much of that data went out, what happened? Nothing happened. Right. No one bothered. So personal data getting leaked, because of privacy regulations, is a big thing in the world. But what is it really leading to? It's leading to personal attacks. It is leading to, you know, people losing access to their banks or something like that. There's a community, there's a community impact of a personal data breach. And therefore, like you said, yeah, we lost data, we came back, now nothing happened to the enterprise. The stigma of it all is something that's yet not happened because the scale of loss versus the scale of personal loss really has not been calculated. That's on one side. On the other side, the breaches that have led to physical events, they have been quantized. So if you go down to a COO at a factory where there has been a large-scale cyber attack, for example oil and gas, Halliburton, if I remember, was a company that got attacked. If you go to a competitor of Halliburton, the moment they got attacked and once they learned how much they spent, I think as per media reports it was about $30, $35 million is what they spent. I don't think I can quote you exact numbers, but that's what I remember. If you go to a competitor of Halliburton, they were at that time busy, right after they got, they learned about this, they were busy to figure out how much should they invest in protection. And that is what really happens. So it's not so much about a CISO going to a CFO and saying, guess what, we are in the business of this.
These many companies got attacked and they lost so much of dollars, so much share value went down and hence we must invest so much, because it's difficult to articulate in that number. But if you go and tell them that you are trying to do business of this kind, of this number, if we had a cyber breach, it's not about how much of the business will get impacted, it's about what the loss would be. You're absolutely right. There is no one who's focusing on calculating that number and going to businesses in a positive mindset. But the way I see it, most CISOs are going to businesses saying invest or else. So I think you're right. No one's really doing that mathematics. But I think we should start doing that and focus on the community impact. If you are dealing with consumers, focus on the impact to people, focus on the impact to the organization and its reputation, and really play along with how much risk are you willing to take as you're doing this business? And that's where it'll even out. If there is somebody who wants to do risky business, and there have been many, there are startups which have gone down in all the stories, we've seen all that, then it's okay. But if you want to do business in a manner that is going to add to your business value and to your brand and reputation, you want to retain it, then you'll invest the right amount. There is never, I think someone said there's never a right amount. It's all about, it's all related to how much business you want to do.

[00:26:05] Speaker C: This is interesting because there are multiple sides to this problem. So the first problem will be, if we focus on, again I'm just using things as an example, an e-commerce business. So you could say in the month of May, we approximately, again, arbitrary numbers, 5,000 Aussie dollars a day we make through the site. If we were to go down seven of those days, that's obviously a, you know, decent amount of their revenue.
But if it goes for longer, so that's more, you know, quantitative and qualitative sort of numbers. But it's the after.

[00:26:35] Speaker A: Sorry, I'm interrupting. So here's my point to you. If it's an e-commerce business and if they're making that much money, then has someone tried to find out what's the current state of exposure? How much do they know about what's inside and what's outside? Who's coming in from outside and who can come in from outside? Who's done that analysis? If that analysis were to be available, then you can measure that. If these systems go down, then I'm losing so much money per day. And then you can work back and capture it. Remember what I talked to you about, modeling? Look, the technical debt, that was the.

[00:27:10] Speaker C: Sum that I'm using, that, that was calculated. I'm just trying to give people an example. Yes, you are right what that would look like. Because that is one problem, right?

[00:27:20] Speaker A: Yes.

[00:27:21] Speaker C: The second problem is something happens as a breach. What is. Okay, customers are disgruntled. Well, stuff those guys, they had a breach. I'm leaving. So you're going to see a lot of fallout on that. And then the second part is how hard will it be for a business to earn the trust back to win more customers? That's the part that, again to your point, no one is focused on. So maybe I've got to go out and find some actuary mathematician that can run some potential numbers and model, because I haven't seen anyone use that in the industry to say to their board, if a breach happens, this is what we could be dealing with based on this model.

[00:27:59] Speaker A: Exactly. That's, that's what I am also telling you, that if you are able to, let's say, so the biggest value that micro-segmentation, or rather ColorTokens, brings to the table is that it can determine how traffic moves in your enterprise.
So small or big, it doesn't really matter what the company, what the organization is. ColorTokens technology can find out how the traffic moves on a normal day. So if you know how your traffic moves, we can also tell you what part of your enterprise is vulnerable and what part of it is not. What part of it you are able to patch better than others. If you go down that route, you're soon going to figure out that I have, let's say, 10% of my organization. I'm just taking an arbitrary number. It could be 20, it could be 80, I don't know. But I'm just saying we come out with the number that says so much of your organization is actually hackable. And that means when you start thinking about investments in cyber defense, you need to think of this, to your point, that mathematics, that if this gets impacted, then the numbers are easy to calculate, but without that knowledge, without understanding how the traffic moves, because what are the two things that are most essential to control when a cyber attack happens or when you're doing business? How communication goes outside a particular digital system and how communication comes inside a digital system. Only two, these two things matter. When you roll back and look at it from a 30,000-foot point of view, it looks very complex, but down the line, it actually matters there. Now, when you have a technical debt where you did not, you have outdated systems, you have missed patches or deferred upgrades, that's the time you need to figure out that, okay, this is my number, this is my traffic, and therefore this much is more vulnerable as compared to others. And you know, as I had once in my life talked to my CEO and he asked me, Agni, how secure are we? You know, I had to tell him that, you know, I know that we are about 5% very good. I know that we are about 18% not so good. He said, what about the rest? I said, I don't know. And that's the problem.
If we are able to use ColorTokens technology to figure out the whole organization and how they communicate, what are those digital systems that are more vulnerable than the others and which are more critical than others, and then focus investments to make sure that those are protected, those are taken care of, you're reasonably safer than you were earlier, because you're anticipating an attack and you're going to contain the attack. You're going to live with a certain amount of business risk in your digital business, and that's okay.

[00:30:49] Speaker C: So why would you say, in your experience, people and these businesses aren't figuring this stuff out? I know everyone's busy, we've got stuff to do, or, you know... but what would you say? Is it just we're busy, we've got other priorities, we've got other holes in our boats that we need to plug first? Agni, what are the sort of responses you're getting from these folks?

[00:31:08] Speaker A: It's not really about money, it's about mindset. As you said correctly, everyone's busy. Boards see themselves as engines for strategic growth. Leadership sees themselves as serving the board and making sure that the operations go on as smoothly as possible. The CIO is focused on the next innovation. The CISO is focused on investing in cybersecurity. We have not empowered our CISOs and CIOs and the board to focus on cyber defense and on resilience. And that's, I think, the reason that I am an evangelist. That's what I'm telling the world. That's the message I would tell everybody to focus on.

[00:31:46] Speaker C: But why haven't we done that? Why haven't we empowered these people?

[00:31:49] Speaker A: Well, we haven't done it because we haven't gone to that stage of realization. It's only now, in 2024, 2025, that we are realizing that, you know, the cybersecurity market is growing and so are the attacks. It's now that we are realizing that this is something, an area of work.
I think even in Australia there was a report, if I'm not wrong, which came out where I think there's a legislation that's either come out or is about to come out where they are making the board responsible for resilience. So, yes, it's happening. It's not that it hasn't happened yet. It's happening, but it's happening now. It hasn't happened already.

[00:32:24] Speaker C: Why now and not before? What were people doing before then?

[00:32:27] Speaker A: Let's put it this way: until probably before the pandemic, everybody was focusing on cybersecurity. It is during the pandemic that we realized the value of how connected we are. Cyber attackers moved the needle. They started attacking differently. It's now that people are focusing on resilience. I talked to you about the MIT Sloan report as well; the same question was asked: why did we not focus on it earlier? We did not because the attacks were not so high. Now attacks are everywhere and your investment is also everywhere. So if you are investing and you're still getting attacked, then you're not investing correctly. I think that's the reason. It's all about evolving to learning where we should be investing now. Look at it this way: many corporate boards still treat breach readiness as a technical side issue rather than a core priority, but they're evolving, as I said earlier. If the boards, when they meet to discuss the next innovation, the next investment and the next whatever, also focus on "Are we ready to face a breach?", just that question, one question, they would be far better prepared.

[00:33:34] Speaker C: I would say most people would say, no, we're not ready. Because even if you're kind of ready, you know, there's no blueprint. Not every breach is the same. They've all got different DNA. They're all done differently. So even if you got breached once, even if you had a second breach, it's probably still going to be ready anyway.

[00:33:49] Speaker A: It's not a problem-solution approach.
It cannot be a problem-solution approach.

[00:33:53] Speaker C: Isn't that what the industry is addressing? Like, are we prepared? Like, everyone has to say no, we can't say yes, because it's not like the same thing's going to keep reoccurring each time.

[00:34:03] Speaker A: You're absolutely right. And that's why it can't be a problem-to-solution approach. If you were attacked by RansomHub and they came in by exploiting phishing, and then they got onto lateral movement and they took your data away, the next attacker is not going to come like that; it is going to be different. And that is the reason why we have MITRE, that people need to understand that focusing on tactics and techniques is far more important than focusing on the actual attack, on how that attack progressed. Because a cyber attacker, remember, an attacker doesn't know who he is attacking, where is the attack going to land from? In the case of the recent attack that happened, there was a credential misuse: someone's credential was misused and they got into something, and then they did a lateral movement and they exfiltrated data. That's not going to happen in the next attack, because that road is going to be blocked. So the attacker is going to find another way in. But think of it from an attacker's point of view: until they actually land on a system and figure out what that system is and find a route to do lateral movement, they really don't succeed. They succeed only when they are able to make that leap from one system to another happen. But to come back to your point, we have to look at it as what you said. There is no blueprint. Your blueprint rather has to be cyber defense: how do I defend when I'm attacked, not what I'm attacked with. That's how real-life defense also works. You don't know whether your attackers are going to be cavalry or are they going to be archers. All you know is you're going to be attacked, but you need to be prepared, and therefore the preparation is important.
[00:35:39] Speaker C: Would you say that the industry has been focused on how people are attacking, to your point around, you know, if they're going to be, you know, attacking with archery or whatever that looks like? Is that what people have historically been so focused on?

[00:35:53] Speaker A: Yes, that's how it has been, because it's all about how you go from where you were, where you were not attacked, to where you are, where you're continuously being attacked. You stop one gate and there's another gate that opens up; someone attacked from somewhere else. And then you try and find the latest buzzword and the latest technology thing that you have to invest in there. Zero trust, for example, much maligned. When it first came out in the Forrester report about zero trust, people were very impressed: zero trust is going to solve the problem. They soon realized it's complicated. You need a whole lot of software engineering to do proper zero trust, and you need to use it as a methodology, not as a tool. And you're right, that's why people focused on... Look at where we are focusing today as well. There are a lot of organizations still focused on how do I stop phishing. It's not about a holistic cyber defense or a cyber resilience attitude.

[00:36:49] Speaker C: So Agni, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today?

[00:36:54] Speaker A: My final thoughts are going to be to tell whoever is listening that this is the time. 2025 is the time when you should be thinking of investing in how to protect against the next attack. And you should be doing it now. You're already late if you've not started.

[00:37:18] Speaker B: This is KBKast, the voice of cyber.

[00:37:23] Speaker C: Thanks for tuning in. For more industry-leading news and thought-provoking articles, visit KBI Media to get access today.

[00:37:31] Speaker B: This episode is brought to you by MercSec, your smarter route to security talent. MercSec's Executive Search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and mid-sized businesses scale faster and more efficiently. Find out [email protected] today.
