Episode Transcript
[00:00:00] Speaker A: Foreign welcome to KB on the Go. Over the course of the week, I'm coming to you with the updates from the ORCUS Advanced Technology Dialogue in collaboration with 2020 partners. Our first event kicked off at Pier 1 in sunny Sydney, before traveling over to the capital of Australia, Canberra, where the Australian Strategic Policy Institute, more commonly known as, hosted us in their offices. Stay tuned for the inside track from some of the up and coming technology companies as well as some you already know. KBIMedia brings you all of the highlights, but for now to set the scene, you'll first be hearing from founding partner Greg Sim, who will share a little bit more about 2020 partners and what their vision is all Joining me now in person is founding partner from 2020 Partners, Greg Sim. So Greg, tell me more about 2020 Partners.
[00:01:09] Speaker B: Well, thanks, Carissa. Well, 2020 Partners is basically a private network of senior security operational people. It was founded, well, 2020 is a giveaway in the name, but the people that I was lucky enough to meet over many years being involved in cyber, some of them I got together with at the end of 19, June and 2020 and suggested that between us we knew a lot more people globally, global allies, obviously, very much Aukus focused, but other allies as well, other countries and how we could maybe formulate it more, not formalize it. And there was a reason for that. We took on one or two different iterations of what the network could look like. But what we've ended up with is something very unique. And its uniqueness comes in the fact that the network is autonomous. It's no commercial connection to any individual or any entity. It's not even a known for profit. So basically, given the unique side to it, we're able to collect people that are very senior, former people, some very senior current people, because current people, generally current. What I mean is they're already in either government, federal government, law enforcement, even private sector. They either have ethics issues or they're not allowed to be part of any organization. So this organization is not an organization, it's just a network of people. So it gives them the ability to be part of the network without giving anybody any conflict. And what does that mean at the end? Well, what it means is that we have a collective power. And I always said from day one in starting this network is if we can harness a collective, these types of people and that seniority in a collective entity, then we can do things, we can move the needle. You know, any one individual doesn't matter who they are. It's very difficult to move things with this network, we can't.
[00:03:02] Speaker A: So when you say you want people to do things, what do you want people to do?
[00:03:06] Speaker B: Well, the balance of the network is very important. So we have a mixture of people that come from former intelligence backgrounds, current intelligence backgrounds, government entities, military, private sector, and those types of people. We've mixed between those operational people and also those practitioners. So we have a lot of CISOs, CSOs, CIOs, and actually, one of our objectives going forward, in my opinion, will be to attract some global CEOs, because with the dynamics of the world, as we all know, and the extreme polarization that pretty much most countries have, it's more important that everything from geopolitics to cyber and digital, it's all mixed together now. Everything is digital, digital is cyber. So our ability to bring these people together as a collective and to discuss things. And we, as you know, Carissa, we don't do events for the sake of them. We're not an event company. But it's a great way to bring these people together who normally might not be able to discuss things. They can discuss things under a policy level most times, but being able to meet their old friends, new friends, let's say, and talk about issues that are really relevant to our allies and our allied countries is very, very important.
[00:04:30] Speaker A: So a couple of other things as well. Greg, why do you believe this network is needed from your perspective?
[00:04:36] Speaker B: Because nothing like it really exists. There's pockets of it. You know, you go to, say, Washington, there's always little pockets of networks for different things. Nothing's really done what we've done on more of a global allied scale, you know, meaning that, you know, even under Aukus, I mean, of course, we're very much Aukus focused, but we have our colleagues in Singapore and Japan, in France, in Germany, and about to be in Spain. So I think when you can take different attributes of how people see security, and not just operational people, but people, for instance, in geopolitics, then we think that we've got a far better grasp on how to move the needle than pretty much any entity. Because as I said, most entities are really locally focused. You'll have them in Australia, of course, there's entities that can do that. But we're able to kind of call it raising the bar. We really raise the bar on things by the type of people that we have.
[00:05:34] Speaker A: And that's interesting because that leads me to my next question. There are these pockets of these things that exist. However, I think in my experience of talking to people in the industry, would be these, these groups, these other entities that exist. And this is me generally speaking, is that they say, but what's their affinity to the space? And I think by from what I can gather, 2020 Partner Network has a very extensive cadre, high calibre, strong pedigree of people, which I think is the difference. Would you agree with that?
[00:06:04] Speaker B: Yeah, I totally agree. It's really about the caliber of people because you know, if you think about when you have the type of people that we've got, and you know quite a few of them now, Carissa, if you can harness that brain power alone and that experience, I mean, it's incredible, you can start to think the application of that could be utilized. I mean, if you, if you could capture what we have in the network and say an AI engine can imagine the type of output that you could probably achieve from it would be incredible. And of course, the other thing I've not mentioned is it's also important when you create a network like this that there's a balance. We can't have too many of one and not enough of the other. And our technology partners, and we call them partners, are very, very important. They're great supporters of the network. And of course we have our own policy within the network that the technologies that become our partners are those that already that come from within the network. So they're already known to the network or the senior people in the network because a lot of the senior people are advisors on different companies and they see things.
And the second one is that they're already operational within one or more of our allied infrastructures. So that gives a high level of validation. And I like to use the words validation by association because when you have a cadre of people that we have and you have the type of brain power and these technologies, it really is a big validation for everybody that's self validating. And I kind of like to say that we're trying to level the playing field. So anyone that comes into one of our gatherings, whether It's a drinks, etc. Or event, we want to make sure everyone's on a level playing field. There's nobody higher than anybody else, for instance. And even with the technologies, as you know, we have a no sell rule. And that's important, very important, because when you have the practitioners especially or those that consume technology, there's just, there's an awful lot of technology around. There's an awful lot of, of snake oil in a lot of these technologies. So for them, everybody's tired of being sold to Everybody's trying to sell something, but they don't want to miss out on anything. They want to know if there's something there that can really help my organization or my government entity or whether it's intelligence, whether it's defensive, offensive. They want to know, especially because it comes from within our network. So it has that high level of validation. We're not discounting anything. We're not discounting innovation. Of course, I've always come from an innovative background, but I think that innovation to us needs to reach a certain level before we are going to say these. And so we do keep that balance for them and our technology. Our technology partners, they enjoy it because they get to be associated in these environments and are able to talk about their subject matter, their expertise, their threat intelligence. And so we're being asked a lot, actually, by governments, law enforcement entities to actually help them and bring together nothing to do with sell them, but being able to come and do briefings for them, for instance. So we'll take some technologies that they specifically would like more information around an issue, you know, whether it's, you know, identity mobility is always a big one, you know, big data transfer, or we've just got such a great reach in to find these great technologies.
[00:09:43] Speaker A: Joining me now in person is Michael Lowey, co founder at Tide. And today we're discussing the current approach to cyber security, which is broken. So, Mike, thanks for joining me back on the show and welcome.
[00:09:56] Speaker C: Thank you very much. Great to be here again.
[00:09:58] Speaker A: Okay, so the industry is broken. Tell me what's broken about it. List all of the things that's on.
[00:10:04] Speaker C: Your mind, I guess. First to the evidence as to why it's broken. It doesn't take a cybersecurity expert to see that you open the news on a daily basis. There's another mass data breach, compromised infrastructure. And with new technologies like AI, we're seeing more and more obnoxious and more damaging breaches in their. You know, they become commonplace. If you look at that from a market perspective, over $300 billion are invested into cybersecurity every single year. And as of last year, the damages, the corresponding damages was somewhere around 10 trillion. And that figure is compounding annually at 23%. So clearly some. Something's not right.
[00:10:45] Speaker A: Something clearly isn't right. Do you think that this cybersecurity. Yes. Is broken, like globally in terms of, like, the approach, but it just feels like in Australia, it seems to be more broken here. Would you agree with that?
[00:10:56] Speaker C: I think we have a tendency here to wait to look for permission in a sense to try something new, to innovate until it's happened in the us, it's happened in the uk so in some respects, and this is like a big generalization, but I think we're not on the front foot generally speaking.
[00:11:18] Speaker A: Why would you say we're not in the front foot?
[00:11:20] Speaker C: I think it's just a general tendency in Australia to be risk averse. We're more cautious, we're more careful. We're also, you know, we've lived on an island for a very long time and that's protected us in many ways. We don't really feel adversaries, you know, directly and kinetically like others do. And that means that we may be slightly more complacent.
[00:11:45] Speaker A: So it's probably, it can be a good thing but also a bad thing because we become more into the complacency side of things because we are on this isolated island surrounded by water. We don't have any adjacent sort of other countries right beside us in terms of how other like places like Europe and how they're structured.
[00:12:03] Speaker C: Correct. You know, the incidents, you know, with Optus, Medibank and others was a good wake up hole and definitely, you know, shook things up as you know, it'll be interesting to see where the dust lies, you know, in the next year or so as to whether that has the impact that it hopefully will should.
[00:12:20] Speaker A: Do you think that people have to suffer in order for people to do something? So what I mean by that is you go back to it, seat belts and there never used to be seat belts in a car until people started dying from car accidents, etc. And then eventually like, oh, you should put seatbelt in. So it sounds terrible that, you know, I was involved in some of those breaches in terms of my personal information, which is not ideal. So I've personally been impacted as a consumer. Businesses are impacted. Do you think it has to get to the point where these things happen in order for people to move and make decisions?
[00:12:50] Speaker C: Yeah, at some level, yes. Like if you, if you look to where most or a lot of cyber innovation comes from, you see a lot of stuff coming out of Israel, for example, where you, you know, you're, you're in an environment where you have to create solutions that work and you have no choice. And that kind of breeds a way of thinking and an approach and I guess risk taking that forces you to think outside the box with what you have. You need to win. And in that adversarial environment, I think it breeds solutions that wouldn't come out of the type of thinking where you don't have that kind of pressure.
[00:13:29] Speaker A: So another comment or something that goes on your mind, Mike, is that, you know, products are Band Aid solutions and don't really fix the root cause of breaches. So why are companies constantly buying new products then? To be like, oh, the new things out, we're going to buy that.
[00:13:42] Speaker C: I think we've got a tendency, I mean, if you look at just the way that the whole digital world exploded, I think very few people saw it coming and couldn't have imagined how quickly it would grow and how it would be just, you know, so integral in our daily lives. And the approach we took to secure it was almost an extension of how we approach physical security, which is like something that we've been trained to evolve over like 300,000 years. We build walls like firewalls, we install surveillance monitoring systems, we place guards, identity and access management systems. But the digital world is quite different from the physical world. So applying those same principles, when the digital world has properties that you can utilize to your advantage from a defensive perspective, but also have to treat differently, I think that tendency to approach things in that way is kind of why we're in this situation. And being a CISO or an IT team of any organization is hard. You've got this complex dynamic environment of threats that no one can really keep track of. Every day there's a new vulnerability discovered. You need to patch that because if you don't, you're vulnerable. So you're playing this game of whack a mole that you can't win.
[00:14:55] Speaker A: Dealing at a we only with a.
[00:14:57] Speaker C: Different way of thinking, only with a different approach.
[00:15:00] Speaker A: People don't like being different, though they want to do. Especially I would say in Australia, a reserved market, as we, you and I have discussed at length about this. Anyway, a reserved market. People don't like to color out inside the lines. So it's probably a cultural thing here. But how do we get people move beyond. Well, if we don't act differently, we, we will be in a state of, you know, serious breaches and, you know, the increase of cybersecurity attacks that we're seeing already. What do we do differently? Like, what are some tangible rubber to the road sort of action items that you can sort of pass on for people listening.
[00:15:35] Speaker C: Well, I think you can, you can look back to the cloud before it was a thing, just the notion of telling someone, hey, instead of, instead of your sensitive data and your infrastructure sitting here with you, you can control it and you can protect it, just pop it in this place where you have no idea where it actually sits and you're blindly trusting someone else with it. It was, you know, obviously faced a huge amount of resistance and now it's pretty much part of every environment. So you're always going to face resistance and pushback no matter what jurisdiction you're in. Doesn't just have to be in like a more conservative nation. But I think, you know, when I mentioned that kind of catalyst of Medibank and Optus, really kind of introducing this to the consumer consciousness in a way that it wasn't before, I think it's got people searching for a new approach, realizing that the current approach is not working. And what you're finding is the people that are now responsible for securing systems, that responsibility is now a C level responsibility, whereas before it was somewhere in the dungeons in the IT team. So that's a change that I've already seen. And those people have a target on their back. So the fact that you've got people with this palpable target, like if you look at the LastPass breach, the attackers cleverly followed DevOps engineers in their home, installed malware on their home computer, waiting for them to log in remotely. So really the threat is following people into their homes, into their personal lives, and no one wants that kind of target on their back. And I think that already has people looking for a new way of approaching things.
[00:17:14] Speaker A: When you say people are already looking for a new way of approaching things, what does that look like? So, going to forums like this that we're at today, listening to podcasts like this, what does that look like from your perspective?
[00:17:23] Speaker C: I suppose at the moment they're looking to certain things as a potential salvation, like the Zero Trust model or Zero Trust methodology or philosophy, whichever way you want to look at it, which I think is a positive step. But even then, even in your most robust Zero Trust architecture, what you find is that your system is no longer implicitly or blindly trusting the identities or the devices of the data interacting with your system. But you're concentrating a huge amount of authority in certain core systems, like your identity and access management system, for example. And when those systems get breached, it's game over.
[00:18:05] Speaker A: So in terms of like, moving forward, obviously we discussed it's broken. People are starting to look at new ways on how to do things differently. What do you sort of see on the horizon? Like, we can always say things are changing, but how quickly is that dial going to sort of change? Do you think it's going to be the Next sort of 12 months, we're going to start to see the needle move. It's going to be next five years, obviously now, as we've discussed at length today. But in general, like, you know, with AI now coming into play, like people are moving a little bit faster than they did before. So I mean, what, what comes to mind when I ask you that question?
[00:18:37] Speaker C: Well, I can tell you from our own experience. So five years ago, when we started developing our technology, had, we had this conversation and we had conversations with CISOs of all listed companies who at the time their attitude was, look, if we get breached, we're in good company. And you know, it is what it is, and I was shocked to hear it. But we would describe our solution and our solution is to effectively take authority away from the organization, away from, from those that have kind of super user, godlike authority inside of a system today. And the idea of relinquishing control, or if you think about it even from a consumer context of giving consumers rights to say, actually, you can't have my data. Five years ago, it would have been a very different conversation today, where breaches are being felt on the, on the bottom line, it's, you know, it's a massive liability. So, so the notion of saying, you know what, I don't want all of your data. I don't want to have anything that I don't need, it's a change in attitude and we've noticed a palpable difference. Like when we introduce a technology that effectively takes the keys to your kingdom and makes sure that no one has access to them, people understand that for them to hold the keys to the kingdom is a liability, and so they're open to new approaches like ours.
[00:20:01] Speaker A: Joining me now in person is Daniel Church's sales director at Color Tokens. And today we're discussing breach readiness and containment in complex supply chain environments. So, Dan, thanks for joining and welcome.
[00:20:13] Speaker D: Carissa, thank you. Thanks for having me.
[00:20:15] Speaker A: Okay, so what does breach readiness mean to you, Dan?
[00:20:18] Speaker D: Yeah, you know, it's a broad answer to what seems like a straight question, but in, in short terms, it's helping organizations understand that a breach is likely inevitable and therefore what steps can they take in alignment with their business continuity? Planning to be in a better position to recognize that they're under attack, perhaps contain that attack and do it in a manner that allows the business to continue to function while they remediate the attack without having to shut down the organization and suffer the consequences of organizational disruption or loss of data and critical infrastructure. And you know, critical information. So building a plan with that in mind so that you're in a position to manage breach scenarios.
[00:21:05] Speaker A: I'm going to ask you a tougher question. People are about getting a plan. Getting a plan is easy actually. Remembering the plan, remembering how to find it, remember who's responsible for what, getting people to not be stressed out of their brain when an actual situation like a breach is happening. How do you manage that effectively?
[00:21:21] Speaker D: Well, there's a lot of things that are already in place for that because most organizations already have business continuity planning in place and they do trials and they do run throughs. So that's standard. But in this scenario with breach readiness, find an organization and we provide this, and I know others do, that can allow you to do simulations. So allow you to do run throughs of the policy settings you've established to try to ready yourself for certain scenarios and do a simulation of those settings to see how well your business functions under, you know, under attack and then see how well your team functions in their given roles to step through the processes and then do your self assessment. It's kind of like a penetration test, but of different sorts. It's an attack simulation and then you test yourself. And it doesn't have to be arduous and it doesn't have to burn too many cycles. It's just something that a business can stand up in a relatively stable short amount of time.
[00:22:13] Speaker A: How long's a short amount of time in your eyes?
[00:22:15] Speaker D: Well, how long's a piece of string? Because you've got a situation like how many servers, how many endpoints, what kind of bridge scenario are they readying themselves for? But in our organization we can deploy agents across a client's environment in a matter of days and that's a whole of an environment. So if you wanted to do a shortened version of that on a POC in a matter of days, you could nominate 30 or 40 devices. And these are, you're not in enforcement mode, you're just in observing mode. So you're just checking the flows, you're checking your policy settings and then you do some trial run throughs on various attack simulations to see how well your business stands up to it. Now when that's a full deployed solution with across the organization, well then it's a different scenario when you do your trial run throughs on different attack scenarios. But again it doesn't have to be a high impact and it's what businesses do anyways. These kinds of business continuity run throughs or simulation things are common standards Common practice. So it's not an introduction of something wholly new to an organization. It's just another component that you're adding to your cyber resiliency attack framework, your cyber resiliency cyber framework. It's not a heavy lift piece of work.
[00:23:21] Speaker A: That's like another thing people got to do. And what I mean by that is here's what was coming to my mind as you're saying that someone go and exercise, oh, but you got to drink this special drink in the morning. And it, it's 15 different ingredients. But you know, it's part of the overall weight loss journey. But it's like another thing that is, it's one more thing, but it's another thing that sort of makes up 15 more little things to get the thing. Now, I'm hearing what you're saying, but does that also people think, oh my gosh, my laundry list just keeps getting longer? Dan, I'm over it?
[00:23:50] Speaker D: Yeah, that kind of burnout's not uncommon. But the unfortunate scenario is that these attacks keep happening and the attackers are very sophisticated and, you know, well funded. So they're constantly finding new ways and attack vectors to penetrate. So what we have today is one of those scenarios where there actually is something in the marketplace that organizations can add to their cyber response, their cyber capabilities. And it happens to be micro segmentation play that allows them to address for the organization while under stress and attack. So what I'm trying to emphasize here is that the, the benefits of adding this component to a cybersecurity stack far outweigh what might be just another component. And another thing for their team to have to get their minds across. The value to something like this is not just that you're able to, you know, our solution allows you to say, isolate the attack path and then within that isolation capability, you can then quarantine it and allow the rest of the organization to continue to function. So that equates to uptime for the organization. Now that by itself is very measurable in line with business continuity planning. But where it's also measurable is today I don't think many organizations have properly assessed their own risk tolerance to a breach attack. And what I mean by that is they assess, they, they surmise that, well, when we're under attack, we might pay a ransomware and we'll just, we'll just deal with it. But that's not risk tolerance, that's just enduring the pain of a ransom attack. Risk tolerance says, how much revenue and growth targets will you sacrifice to the remediation of the attack and to the audit and the forensics process. And most organizations haven't taken the time to, to measure that and set that as a standard, to ascertain and to set in the organization. And I'm saying it doesn't have to be the case any longer. There are now tools in the marketplace that let you determine your own capabilities of what's your risk tolerance against a breach and the remediation and getting back to organizational uptime, organizational function with up to 100% and we can help organizations establish that for themselves and get back into, you know, 100% function. So I'm being a little bit wordy here in my answer, but I guess what I'm trying to say in a short, short reply is there are new tools in the marketplace that allow businesses to quickly ascertain what should be best practice and to measure the value of that and to implement it across our organization. And we happen to be one of.
[00:26:29] Speaker A: Those vendors when it comes to micro segmentation, obviously you're speaking to people every day about what you guys do. For example, what do you think typically is what people don't get about it? What do people not get or what do they miss from your perspective?
[00:26:41] Speaker D: Yeah, another good question and I've kind of touched on it already. And the idea is that many organizations in pursuing zero trust, they look at network segmentation and they think they've already met their needs of their organization because they have network the functionality capability of network segmentation. And what we speak to is that ours is more granular, hence the word micro segmentation. So when you're dealing with an attack at a network layer only you can see the attack zones, segments if you want to say it, but your ability to respond to that is heavy handed. We're at a micro level, which is what I mentioned just a second ago. The ATT and CK pathway, which is what we provide the observability at a micro level, says that we can see that pathway, we can quarantine that pathway and that's our ability to stop the breach at that point and therefore not impact the rest of your secure environments.
[00:27:35] Speaker C: The rest of your critical infrastructure, critical.
[00:27:38] Speaker D: Applications, they need to continue to function so that the business maintains its and stays up and running while you remediate that attack. That is the capability in a nutshell of what micro segmentation delivers to businesses that attack pathway monitoring applications containing things so that the rest of the business functions continues to function.
[00:27:58] Speaker A: So you're saying that happens automatically, Something starts happening, it automatically stops, looks at it, quarantines it before they do the micro segmentation or how does that.
[00:28:08] Speaker D: Because that micro segmentation functionality is in place, it the process is then automated through policy settings for a business to contain any anomaly traffic, anomalous traffic between assets.
[00:28:19] Speaker A: Okay, so policy settings, good point. All right, so part of what you guys do, would you say it's just that look at a blueprint across healthcare. Companies have these sort of policies. We're going to mirror it off that or how does that work? Because people are not good with policies as we know.
[00:28:33] Speaker D: Yeah. So we do have industry standard policies that we deliver out of the box or out of can. So we have industry specific to healthcare to bank and finance to critical infrastructure like resource, energy and mining. Healthcare is a very strong vertical for us because of the nature of the assets that are in their environments, Whether it's legacy assets or whether it's it OT cloud. We have the capacity to monitor traffic across all of their environments, communications between assets. And it doesn't matter to us if it's agent or agentless or containers in the cloud. We can do it all. And that means in the healthcare space and in the critical infrastructure space in those operational tech environments, we can give that visibility for them to then manage the cybersecurity strategies they want to have and control and protect their data and their critical, critical systems. Not every vendor can provide monitoring in OT environments. And that's the differentiator for us. And that's why we go.
[00:29:30] Speaker A: Why can't they do that?
[00:29:31] Speaker D: Well, try not to get too technical. I'm trying to avoid. But for us to give the kind of monitoring controls that we can give, we deploy agents and in the OT space, you cannot deploy agents. And so we're able to go agentless and that's how we then can provide these services in those environments like healthcare, where you have to go agentless because of the nature of the medical devices and such that are in those different environments. So because we can go agentless, healthcare vertical is a very strong space for us. Same with critical infrastructure where those organizations can tolerate zero downtime, they cannot go down. It's critical infrastructure that says what it says energy supply, gas, water, but also in healthcare, if systems go down. So that's what we, that's why it's.
[00:30:16] Speaker C: A strong space for us because we.
[00:30:18] Speaker D: Can provide these services.
[00:30:19] Speaker A: So when I follow critical infrastructure a little bit more, I was interviewing something the other day and the guy was saying he really, he's a infrastructure, you know, OT expert and he was really talking around like these people that Are, you know, running these SCADA systems, for example. They're just unwilling to change, Emily, because, you know, he said if it's like a regional area, for example, and you know, it's a council that's looking after these things and they can clearly see there's a huge hole in the roll up in the road, they're going to go fix that first because they can see it. They can't see these problems. So would you say that there's a little bit of out of sight, out of mind, can't see it, so I got to fix the road, which is more important because I can see it.
[00:30:58] Speaker D: Out of sight, out of mind? No, I wouldn't quite say it that way. In what would be the hesitation for organizations to implement cyber resiliency strategies? I think it's more the case of they know that because of the digitization of all these environments and therefore the communication that's now commonplace between OT environments and IT environments, they know that they have a particular vulnerability now and they know that they need to address it. But there are any number of other security solutions that they have to be on top of any other security projects that they're trying to implement. What I run into most in my conversations with senior security leaders in various organizations is they appreciate that there are solutions in the marketplace, but they have any number of projects that they're not getting done because they don't have enough resources. They can't get done what's already been budgeted for. They're under stress to try to meet that demand. When you come in with another solution that is completely viable and they appreciate the technology, it just becomes another one they need to add to the list. Now there's different kind of urgency around different solutions in the marketplace. One might be more urgent than the other, so they have to bump that to the front of the queue. And in many instances, micro segmentation becomes one of those because of what we can promise in organizational uptime. Right. And therefore the savings and the benefits that come with that. But I think senior security leads in organizations today, they know that there's a hole in the road, and it's not for lack of wanting to fix it that they don't get to it. It's for the fact that they've got any number of projects that are as urgent as that hole on the road, and they simply just don't have enough resources to get everything done that they'd like to. So it's just a cue that you get into. And if yours as a different set of Urgency around it, then you might be bumped up in the queue. But these guys are working under huge amounts of strain and stress with a lot of variables and the landscape is always changing from the attack vectors and the hackers that are coming in. So yeah, they know that the holes in the roads are out there. They're just trying to get to it all.
[00:33:01] Speaker A: Where would you say you guys are on the queue?
[00:33:03] Speaker D: Well, again, it depends. So I'm speaking to government agencies and I'm speaking to create infrastructure. And if I can speak to someone who wants to talk about organizational uptime, business continuity planning, that's not a technology conversation, that's a completely different set of urgency. And in those regards, we do kind of move up the queue. But many times we're in the queue with all the other solutions that they're trying to stay on top of. But, but to be honest with you, Chris, when I am having more and more chats these days, it's less and less around tech and it's more and more around uptime, business continuity planning, cyber resilience. Organizational resilience. Organizational resilience. You know, I made a comparison the other day about 5 nines and businesses want 59 uptime. They won't tolerate more than 2 to 3 minutes network unavailability in any given year. And I say, so what's your risk tolerance around organizational disruption? How much it costs you prepared to endure around organizational disruption? They haven't set a dollar on it. Organizational disruption related to an attack and a breach. They think they're going to pay a ransomware attack. And I say, okay, that'll be whatever million dollars it is. But how about the disruption to your organization to get back to 100%? Have you set a dollar figure on that? What's your risk tolerance around that? They don't have answers because they didn't think that there was a solution in the marketplace that would let them set a benchmark. And that's when I table that for them and I do the business case with them. Then I get bumped closer to the front of the queue because it's a business result that I'm promising them. It's not technology for technology's sake, it's a business outcome.
[00:34:34] Speaker A: Remember to speaking to someone a few years ago and they were running this something in the US it was selling mosquito repellent. They were doing lots and lots of big numbers. Apparently something happened. There's a DDoS or something happened, sent this whole website offline. They lose revenue, right? And it was like quite a fair few Millions of dollars of just having a mosquito repellent website offline, not having the uptime. They lost so much money and something is, you know, correct. Imagine a big manufacturer, a hotel like this. Like we're sitting in here today. Like, is this thing that people are thinking about or they like, are people thinking about this?
[00:35:12] Speaker D: Oh, they are absolutely thinking about it.
[00:35:14] Speaker A: But they don't know how to think about it properly. They don't. They don't know what they don't know.
[00:35:17] Speaker D: I don't know if they know how to frame it correctly in the sense of what truly will be the impact. So another component of this organizational disruption that I talk about and getting your organization back to 100%, businesses already measure staff productivity. That's already part of your BCP planning, right? But here's another component of organizational disruption. If you're operating at 70% for three months because your forensic team is going through your network to try to figure out where the breach occurred, that forensic team is robbing you of organizational productivity. Are you going to make your revenue targets this year? Are you going to make your profit targets this year? The breach isn't what caused you to miss your profit targets. It's the three months of forensic process because they don't know where the breach occurred and they don't know how to unpack all that. So that the forensics and the audit process is often more disruptive than the actual breach was.
[00:36:09] Speaker A: That's the part that people, I don't think, pay attention to.
[00:36:11] Speaker D: They don't do the economics on it.
[00:36:13] Speaker A: Why?
[00:36:13] Speaker D: Because nobody's unpacked it for them. That's what I'm doing. I'm unpacking. It's useful. You paid a couple million bucks in ransomware. That's not where your costs stop. And they talk about reputational damage. And I say your reputational damage isn't because of the breach. Your reputational damage is because you didn't have a response, a policy, a breach readiness strategy in place because you weren't able to manage the breach. That's where your reputation went down the curve layer. Not because you got attacked, everybody's getting attacked, but because you didn't have a plan. That's where your reputation is suffering.
[00:36:47] Speaker A: So I've asked this question a fair few times, people on this show. And there was one guy, I think he, I think he worked for Qualis, actually. He was quite good in how he responded to. He's actually done the mathematics on it. On Long Tail Impacts. Breach happened seven years ago, you know, is that still Impacting that. Look at Medibank. In seven years time, will people who remembered the breach still take up a policy with Medibank if they have a.
[00:37:12] Speaker D: Better option, they will go the other way if they don't have any better option. And the marketplace is as tight as it is in Australia around insurance and superannuation and if it's a double player field between Kohl's and Woolies and they have no other option, I guess that's where we're going to go. But I'll never, I haven't forgotten about it, but if I have other options and then I'll make different choices, I'm going to make different choices. So it's market influences. They can't say where we'll be in seven years.
[00:37:37] Speaker A: Yeah. And I think that this is the part which is really interesting to me as a journalist in this space is there's not enough people paying attention to.
[00:37:44] Speaker D: The long term impacts and they're measurable and it's known.
This isn't vaporware stuff, this is stuff that's been reported for years, long before cyber attacks became the paramount thought of people's minds. Just in general terms, continuity, planning and business impact, organizational impact, this is all standard stuff. This is measurable for years. And so, you know, that's what I was talking about a second ago when I said organizationally, if you're down to 70%, because forensic team is taking three months to go through your environment, that impact is due to the breach. But because you had poor planning and didn't have the right solution in place, that's on you, not the breach. And so therefore you're gonna miss your revenue targets, you're gonna miss your profit targets. But they don't measure that. That's completely overlooked as part of a planning process. They feel it later when they look back on it in hindsight and say we missed that one. But as far as the planning and you know what else they do, they don't build that into the cost modeling to invest in this next level solution. First of all, they don't think this option's out there. That's why, that's why I'm preaching so loudly. I can give you that option now with color tokens, we can give you the option about breach readiness, contain the attack while the rest of the business functions get back to 100% organizational operation time as quickly as possible. Now I can measure that investment in our solution against your business continuity planning bcp, that's always budgeted for, so I don't have to go Find unallocated funding. I don't have to go find some project and fund it from something they hadn't planned for. I know BCP is in there and this is the kind of way we can work our way into the front of the queue and help businesses implement something that gives them that. Well, if you think of it this way, they need to report to the board of directors that they have a cyber resilience strategy, an organizational resilience strategy. They need to be able to report to their cyber insurance company that they have a cyber resilience strategy in place, organizational uptime in place. So these are two key things. And then don't forget all the legislation that's just been passed. So now they can meet their legislation, their compliance obligations in reporting to the market what they're doing. You just take three legitimate boxes for senior leadership. This isn't a technology conversation. It's organizational business continuity planning.
[00:40:02] Speaker A: Joining me now in person is Simon Hodgkinson, advisor at Cempress. And today we're discussing identity being the foundation of the digital ecosystem. So, Simon, thanks for joining and welcome.
[00:40:12] Speaker E: Absolute pleasure.
[00:40:13] Speaker A: Okay, Simon, you talk about the identity being the foundation of the digital ecosystem. Tell us, what does that look like in your view? Yeah.
[00:40:20] Speaker E: So to look at any business now, they're a digital business, and if you end up sort of thinking about the business outcome people are trying to achieve, you map that back to the business process. You map the business process to applications and infrastructure. Underpinning all of that is the identity platform. Organizations move to a centralized identity platform to make it easy to manage user identities across thousands of applications. I mean, most organizations probably have north of a thousand applications. Now with the cloud, more and more applications are being consumed by businesses. In order to manage the identity in a secure way, you centralize it. But that means it's at the very heart of every different business outcome you're trying to achieve. And therefore it's the center of your digital ecosystem. If the identity platform is down, your entire organization is down. You can't access any of the applications, therefore you can't fulfill your business objectives.
[00:41:20] Speaker A: So we say centralized identity. Do you think, you know, in the industry, when they think about centralizing things and having all the power, that seems to worry people. You think people are worried about that? Perhaps if they think, well, all my eggs are sort of in the one basket?
[00:41:35] Speaker E: No, I don't think they are worried about it. It's become the standard architectural pattern that everybody uses. Because if you think of the reverse of that and you think of the thousands of applications I've talked about, if you were to try and manage identity in each of those applications individually, that makes the whole process impossible. And therefore, and that's when I started in technology in the mid-80s, that's the way we used to do it. And it was, you know, if somebody joined the organization and you needed to add them to, I don't know, say the finance organization they joined and you need to add them to all the applications that were included in the finance business process, you'd be adding them to numerous different applications. If they move their role, you'd have to remove their access or change their access. If they left the company, you'd have to remember to delete them. So actually the centralization of that identity has actually improved the security posture for organizations. But that said, it is an aggregation of risk, I guess. So it's really important. What you do is do everything possible to make that environment resilient. And when I talk about resilient, I mean the ability to withstand an adverse effect or an adverse event or recover quickly from it. So you've got to make sure you put the right detective and protective controls around the identity platform to hopefully stop bad things happening. But, you know, nine out of 10 attacks attack the identity platform. Most organizations use something like Active Directory. Typically it takes people days, if not weeks to recover Active Directory if they don't have dedicated recovery capability. And therefore that's why you need to focus as much time on protective and detective controls recovery as well and your ability to recover quickly from that adverse effect.
[00:43:25] Speaker A: Yeah, and that's a good point around, and probably that's where my mum is going around the aggravation of the risk. But you raise a great point. You know, even 15 years ago when I had login for certain platforms, it was quite annoying, right? And then all of a sudden, you know, when I worked at a bank, it's like, why do you have this level of access? So from the, you know, privileged account management side of things. So there's a lot to manage then with that and I think with anything, there's always going to be some element of the risk. So then what say with, with your background and obviously your advisor at Sempres, what do you think sort of going on the identity space at the moment in terms of what are people's reservations? Because obviously we've seen identity grow and evolve and change and you know, a lot more people are now talking, you know, around that even password list and, you know, all of these sort of things. Because again, having Passwords is annoying. And there's that focus on convenience, but then managing the risk element too. What sort of comes up in your mind when I ask you that question?
[00:44:22] Speaker E: Well, first and foremost, I think most organizations aren't worrying enough about the identity platform. So they've become very accustomed to it works. Typically it works and they don't put an awful lot of effort into managing a technology.
So when we talk about the identity platform, it's worth saying that for 95% of organizations, that's active directory, it has a hybrid identity on top of it. So you've got your oktas, your enter IDs, et cetera. @ the very core of the identity platform is active directory. And as a result it's been there for 25 years and it's just worked. It often sits buried in infrastructure, so it's not necessarily in the security organization, so it's not necessarily getting the profile that it needs. And having been CISO at BP and my prior job to CISO at BP was running global infrastructure and operations. You know, in infrastructure and operations, the expectation is you do more with less every year just because you come more efficient and active directory then therefore gets lost in that kind of that amorphous mass of your core infrastructure and doesn't necessarily get the attention it needs to do. So. I think people need to focus more that. Given 95% of the organizations use AD at the heart of their identity platform. 9 out of 10 attacks go after the identity. So that means you should be investing in those protective and those detective and protective controls and also making sure that you have a really solid recovery position. I don't see people doing that. On the subject of the evolution of identity, I still, I think I heard a stat recently. When you look at multi factor authentication for organizations, it's still woeful in terms of the amount of organizations that have deployed multi factor authentication. Now most attackers, the way they get in is through things like password spray attacks, just randomly trying to grab somebody's password. At least if you've got multifactor authentication in place, their chances of breach in your organization are dramatically reduced. So people need to be focused on that sort of evolution of getting the basic foundational controls in place like multifactor authentication, as they think about a world of passwordless moving forward. But don't focus so much on just all of the really new interesting tech, get those foundational elements in place to protect the platform.
[00:46:57] Speaker A: People often in my interviews, Simon will say it's about, you know, the foundations, but foundations are hard. Like Patch management. It's hard to do patch management sounds easy when we're talking about it in this comfy podcast room, but when you're out there doing it in reality, it's difficult. You mentioned before woeful. What would you say is woeful about mfa? I mean, what comes up in my mind when I'm speaking to people is, oh, it's annoying because it takes extra, it reduces friction. And how do we find that balance between the whole security thing, but then still making sure that people can do their day job and business continuity still needs to keep happening. We can't obviously engineer things to the point where people can't do anything.
[00:47:36] Speaker E: That's a great point. I think it is woeful in terms of the amount of organizations that have deployed multifactor because everybody knows that that's a very simple control to put in place. It's not hard to deploy multi factor authentication, but it does potentially create friction with the end users. Our job in security is to try and make it as easy as possible. We're there to enable the business to be successful and therefore we got to look at mechanisms to put in place to make whatever we do as frictionless as possible. But I'd also say in your personal life, would you access your bank account if it didn't give you multifactor authentication? Probably not. You probably wouldn't trust that bank. So I actually think we also have to find that right balance to say to our users, yes, there might be some friction in the environment, but here's the benefits the business get as a result. So it's, you got to sell what you're doing through a whole business change program. This isn't about deploying technology as people process and technology any sort of major digital transformation. It's about business change as well.
[00:48:47] Speaker A: So you said making things as easy as possible. So just coming back to that for a moment and some friction. So use the example of having a bang. But I'd care a lot more because it's my own money. But when I'm working for, if I put myself back into working in a corporate historically it's like, well, something like company, I don't care as much as while I care a little bit more if someone were to steal money in my personal bank account. Do you think sometimes people feel that the onus is like, well, it's not my business, so therefore it's someone else's problem.
[00:49:13] Speaker E: That's culture, isn't it? I think with organizations you've got to get the right security culture in place. You've got to get people to understand their role in security. I mean, you see so many CISOs now burning out in the industry because it's all on the ciso. Actually. The CISO is responsible for security. Accountability for the security is with the CEOs, and the CEOs therefore need to be able to explain to the entire organization why this thing is important, why cybersecurity is important, and therefore what your expectation of people are. So I come from oil and gas background. I've been in finance and all in the past. My last 18 years with an oil and gas company is absolutely embedded in the culture. Nobody would walk past, I hate to think anybody would walk past a bit of liquid on the floor because there's a risk of somebody slipping on that and hurting themselves. We got to develop that same culture in cybersecurity and, you know, make sure that that same ethos is embedded in everybody in the organization, that they're accountable for the outcome of the business. To your point, you're always going to have some people that just turn up at work and don't really care, but. And therefore actually a little bit of friction in their life may not be a bad thing.
[00:50:31] Speaker A: So you use the example on the liquid on the floor, if someone falls over it, you know, they've got a problem. Do you think as well, and you sort of mentioned it before around, you know, being buried in the infrastructure earlier, do you think as well with cybersecurity, in my experience of interviewing people like yourself over the years has been out of sight, out of mind, hard, can't see the thing. We can see there's liquid on the floor, we can see that the building's on fire. Can't really see a lot of these things in cyber. So do you think perhaps because of that, maybe things do go to sort of the wayside?
[00:51:01] Speaker E: I think that's the skill of the organizers, the CISO and the security organization or CIOs to make sure that you actually build a security behavioral change program. But it doesn't. So you've got to be able to articulate why it's important. And even though it lives in this sort of digital ether, being able to explain to people the problems, a good way of doing that, of course, is sharing information. So when you get incidents in organizations around a digital platform in the same way as you've had somebody slip on a bit of some liquid on the floor, we use what we call near misses. So, you know, if there's liquid on the floor, it's a Near miss. If somebody falls over, it's a safety incident. We need to use that same ethos in cyber and each of those things we would talk about. So if you have incidents, organizations should speak about those incidents. They should get people that have been the victim or impacted by the outcome of a cyber attack on the business to talk about why, what happened, what made you click on that link, why did you do, what did you learn from it? How can you share that with the organization? If you think back to the airline industry, there's a fabulous book called Black Box Thinking by a guy called Matthew Syed and it talks about how safety performance in the airline industry is improved. And it all came from openly sharing near misses. So things that went wrong that maybe didn't cause an accident. If we all do that in the security community, that will help improve our overall security posture. So the more we share the problem is in the security area. Nobody wants to talk about the fact that they've had a security incident because you've got lots of negative connotations with things like regulators, et cetera. I think we need to break out of that personally and actually make sure that there is a free flow of information among like minded organizations and individuals to share those incidents so that everybody learns as an industry, not just your own organization.
[00:53:06] Speaker A: So you raised an interesting point around articulate why it's important historically. I used to write, I was a cyber security analyst, but then I was a reporting analyst as well. So I used to basically write the narrative for the CISO to present in the bank to get more money. Right. So in your experience of being a ciso, a bp, what would you say the key things are to share why it's important. And I asked this question because I interview people at all different, various levels. And one thing I often hear is it's hard to communicate at that level. I struggle because I'm a technologist at heart. So perhaps they focus too much on the technical components rather than maybe the broader narrative of business continuity. You know, if you're running a, you know, a warehouse, you need things to keep running. It's the long tail impact. There's things that I've seen in my career that perhaps people miss. But with your background, in your pedigree, I'm really curious to know what were the things that were sort of getting the folks of your executive folks to really lean in and listen to actually take the change. Perhaps a biblically informed.
[00:54:02] Speaker E: That's a great question. I think the first and foremost, cyber isn't special, it's just Another business risk in the same way as you got liquidity risk, reputational risk, regulatory, legal, cyber is just another risk. Organizations manage risk every day of the week. You have to be able to explain the risk in business language. So back to our opening comment about why identity is the heart of the digital ecosystem. It's not just the heart of the digital ecosystem because every company is now digital. It's actually at the heart of delivering that strategic outcome for the business. So being able to create a narrative that a executive team or indeed a board, as you're talking to them, is able to normalize, say a health and safety risk or a liquidity risk along with cyber risk. Every organization's got constrain resources, constrain money, and therefore they need to have a balanced way of deciding where do they deploy that money? Do they deploy it in digital to fix some cyber issues, or do they deploy it in, say, in oil and gas? Do they deploy it in the upstream to get more assets out the ground, to get more oil out the ground? And one example I use is we were talking in the session earlier about somebody mentioned OT security, operational technology security. So when you go to a rig or a refinery or a terminal or what have you, those guys are managing health and safety risks. They're managing uptime risk, you know, processing risk. They've got all of these different risks they're managing. Cyber's just another one of them. Now when you go to the operations manager and say, actually you need to upgrade, you need to patch, patch that server within 24 hours, they're going to look at you and say, no chance. You know, we got to keep the plant running. So you put things like mitigating controls in place so that, you know, they don't have to do that. You work with the business because everybody then understands the narrative. Then when it comes to where do you get money to say, fix that Windows server, say Windows 2000 server in an OT environment, it's got to be done in a narrative that says, well, I've also got corrosion in some, my pipeline or, you know, some M and E mechanical and engineering device in there that has some issue. Where do I deploy my dollar? Do I fix this Windows 2000 server or do I fix this heavy engineering asset? And that's our job is to say, this is just another business risk. I need to explain the risk in a way that you can make a informed decision on where you deploy your constrained resources. It would be lovely to think it was unlimited money and unlimited people, but.
[00:56:43] Speaker A: There just isn't so Those changed gears slightly. At the lunch you're at the other day, you sort of gave a little bit of a presentation, but you said something and I was really curious to sort of explore this a little bit more. And it was around minimum viable business. So talk to me more about this and what does this sort of mean?
[00:56:58] Speaker E: I've started to hear the terminology a lot more. This, this notion of minimum viable business. And it comes really off the back of some of the big ransomware attacks. If you think about most risks in an organization, they tend to be geographically constrained. So if you're a kind of heavy industry or something, it might be a plant in particular part of the world or what have you, there's very few risks that could impact every part of your company at the same time. Cyber is probably the one that is most likely to do that. The thing is then when you come to recovering from that event, say, so ransomware is like notpetya, took down the likes of Maersk, it's widely reported in the press what happened there, how do you recover from that situation? So the business then has to figure out, right, how do I manage continuity to deliver my outcomes to my customers, whilst the IT guys have to start recovering things. But in order to start to recover it, for instance, you'd have to bring back active directory first so that you got your identity platform back. But then you need to know from the business what are the most important business processes they need to recover. So for a retail organization, it might be the point of sale systems in the shop, but you've got to go through the hard yards of figuring out through, say, crisis simulation exercises to say, if this event were to occur, sit down with the business and say, what are those most important business outcomes we need to achieve? Map that back through the infrastructure and the application landscape. So you know, what are those core business outcomes, the minimum viable business? That's where the context comes from that the business needs to get backed in order to be able to deliver its strategic outcomes. If you look at a lot of the cyber attacks, people tend to take several weeks to get that core functionality back. If you look at things like some of the attacks on the health system, the long tail is enormous because actually they got so much legacy applications and infrastructure that they need to bring back. But so long as they get that core viable business back, they can operate again. So it's about understanding what that core of your business is and what that priority is. The challenge of course is it's temporal. So if for instance, you're in year end results processing, maybe the systems that the business process, the year end process, and the systems that underpin that change and may be different from those if you were in a quarter, in the middle of a quarter, et cetera. So, you know, it's good to plan that out. But you've also got to be flexible to the fact that when the event occurs, which sadly for most organizations it will, when that event occurs, you've got that flexibility to change.
[00:59:54] Speaker A: And there you have it. This is KB on the go. Stay tuned for more.
