WEBVTT 1 00:00:00.160 --> 00:00:03.120 Welcome to the deep dive, your shortcut to being genuinely 2 00:00:03.160 --> 00:00:07.160 well informed. Today, we're tackling, well, a pretty big truth 3 00:00:07.160 --> 00:00:11.759 for leaders like you. Digital transformation brings amazing opportunities, sure, 4 00:00:11.839 --> 00:00:14.039 but it's also blowing the doors wide open on the 5 00:00:14.039 --> 00:00:17.239 fret landscape. The game has definitely changed. 6 00:00:17.079 --> 00:00:17.879 It really has. 7 00:00:18.399 --> 00:00:21.120 So this deep dive it's all about getting a handle 8 00:00:21.480 --> 00:00:25.800 on today's cybersecurity challenges and the strategic shifts you really 9 00:00:25.879 --> 00:00:28.359 need to make. Our source is framed security not just 10 00:00:28.399 --> 00:00:31.679 as a tech problem, right, but as this interwoven challenge 11 00:00:31.719 --> 00:00:35.920 people processes technology. It's all connected, exactly. 12 00:00:35.960 --> 00:00:38.159 It's a much more holistic view than maybe we had, 13 00:00:38.320 --> 00:00:39.960 say five or ten years ago. 14 00:00:40.079 --> 00:00:42.399 Our mission today is basically to give you that shortcut. 15 00:00:42.439 --> 00:00:46.479 We wanted distill the critical stuff, offer sharp insights, practical strategies, 16 00:00:46.719 --> 00:00:48.640 you know, cut through the noise, so you can navigate 17 00:00:48.679 --> 00:00:50.320 this cyber world with more confidence. 18 00:00:50.640 --> 00:00:52.039 Sounds good. Where should we start. 19 00:00:52.280 --> 00:00:54.840 Let's kick off with the human factor because our sources 20 00:00:54.880 --> 00:00:58.200 really emphasize that people are fundamentally at the core of 21 00:00:58.240 --> 00:00:59.159 cyber resilience. 22 00:00:59.439 --> 00:01:01.960 Yeah, makes sense, and it starts right at the top 23 00:01:02.159 --> 00:01:05.519 with the CISO, the Chief Information Security officer. That role 24 00:01:05.640 --> 00:01:09.439 has shifted dramatically. How so, Well, it's not just the 25 00:01:09.480 --> 00:01:13.079 traditional duties anymore, like you know, patch management or incident response. 26 00:01:13.239 --> 00:01:16.920 Those are still vital, of course, but now it includes 27 00:01:17.040 --> 00:01:21.680 really complex supply chain risks, this tangled web of privacy regulations, 28 00:01:22.280 --> 00:01:25.439 new tech like five G. It's much broader. 29 00:01:25.599 --> 00:01:28.760 And when I found really surprising actually from our sources, 30 00:01:29.280 --> 00:01:31.799 it's what they say are the most important skills. Now 31 00:01:31.879 --> 00:01:35.239 it's less about having the deepest, most current technical knowledge 32 00:01:35.400 --> 00:01:37.280 and more about well soft skills. 33 00:01:37.319 --> 00:01:39.519 Absolutely, communication is key, right. 34 00:01:39.480 --> 00:01:42.599 Being able to talk about risk in business terms, acting 35 00:01:42.640 --> 00:01:46.439 as a quote business enabler. I really like the analogy 36 00:01:46.480 --> 00:01:50.239 one source used, the CISO is becoming the CFO of cybersecurity. 37 00:01:50.319 --> 00:01:52.439 That's a great way to put it, translating the tech 38 00:01:52.439 --> 00:01:56.239 stuff into financial impact into risk appetite for the board. 39 00:01:56.040 --> 00:01:58.359 Speaking their language essentially precisely. 40 00:01:58.920 --> 00:02:02.959 Your success, especially with senior leaders, really hinges on framing 41 00:02:03.000 --> 00:02:07.680 these issues as business risks, not just it problems. And 42 00:02:07.760 --> 00:02:11.919 the pressure, Wow, it's immense. You mean the turnover eight Yeah, 43 00:02:11.960 --> 00:02:14.919 the turnover is incredibly high. Average tenure is just twenty 44 00:02:14.919 --> 00:02:18.840 six months. And get this, ninety five percent of CSO's 45 00:02:18.840 --> 00:02:21.919 work on average ten hours more per week than they're 46 00:02:21.960 --> 00:02:22.680 contracted for. 47 00:02:23.080 --> 00:02:26.000 Wow, that's unsustainable, it. 48 00:02:25.919 --> 00:02:29.039 Really is, and it signals that something fundamental needs to change. 49 00:02:29.080 --> 00:02:31.960 You know, it's not just about working harder or longer hours. 50 00:02:32.080 --> 00:02:34.599 That kind of pressure makes it crystal clear though, that 51 00:02:34.639 --> 00:02:38.360 security can't just rest on one person's shoulders. Our sources 52 00:02:38.520 --> 00:02:41.719 really hammer this home. Everyone in the organization needs to 53 00:02:41.759 --> 00:02:43.319 be security minded. 54 00:02:43.560 --> 00:02:45.400 From the loading dock, like you said earlier, right up 55 00:02:45.400 --> 00:02:47.199 to the c suite. A well trained staff they can 56 00:02:47.240 --> 00:02:49.080 be your absolute best defense. 57 00:02:48.919 --> 00:02:51.159 But they can also be the weakest link they don't 58 00:02:51.159 --> 00:02:53.000 follow the right practices or if they get tricked. 59 00:02:53.120 --> 00:02:56.919 Exactly, and corporate boards they are paying very close attention 60 00:02:57.039 --> 00:03:00.039 now they understand cyber risk isn't just some siloed I 61 00:03:00.120 --> 00:03:04.039 tea issue. It's a fundamental threat to the entire business. 62 00:03:03.840 --> 00:03:08.039 Because it can lead to what data exposure, regulatory fines. 63 00:03:07.800 --> 00:03:12.199 Lost revenue, huge reputational damage, lawsuits, and in some cases 64 00:03:12.199 --> 00:03:16.199 like manufacturing or utilities, even physical harm or worse. It's 65 00:03:16.560 --> 00:03:17.599 serious business. 66 00:03:17.800 --> 00:03:21.639 So the key then is embedding security throughout the organization, 67 00:03:22.120 --> 00:03:23.960 like making it part of the DNA. 68 00:03:24.039 --> 00:03:27.479 That's the goal. It needs to be baked into vendor selection, 69 00:03:27.639 --> 00:03:30.840 how you onboard employees, even how you develop products, and 70 00:03:30.919 --> 00:03:33.520 security awareness training can't be a one off thing. It 71 00:03:33.560 --> 00:03:37.960 has to be continuous, constantly updated to match the latest threats. 72 00:03:38.120 --> 00:03:41.360 It's about shifting that perception too, moving from being the 73 00:03:41.439 --> 00:03:42.240 department of no. 74 00:03:42.400 --> 00:03:44.919 To the department of NO. I like that framing, helping 75 00:03:44.919 --> 00:03:47.919 the business move forward but securely. The analogy was like 76 00:03:47.960 --> 00:03:50.560 helping them drive their car fast, but with the brakes, 77 00:03:50.599 --> 00:03:52.599 airbags and seat belts securely in. 78 00:03:52.560 --> 00:03:56.560 Place, enabling secure progress. Okay, but there's another big people issue, 79 00:03:56.639 --> 00:03:57.639 right the skills gap. 80 00:03:57.800 --> 00:04:00.680 Oh, it's massive, a huge challenge. The globe doble shortage 81 00:04:00.719 --> 00:04:05.199 is estimated at what three point five million cybersecurity. 82 00:04:04.319 --> 00:04:05.879 Workers three and a half million. 83 00:04:05.919 --> 00:04:09.879 That's staggering and it has real consequences. Our sources link 84 00:04:09.919 --> 00:04:13.560 this gap directly to breaches. Nearly three quarters of organizations 85 00:04:13.599 --> 00:04:16.480 said they experienced a breach in the last year, partly 86 00:04:16.519 --> 00:04:18.160 because they just didn't have the people. 87 00:04:18.680 --> 00:04:21.439 And it's not just about the sheer number of people, 88 00:04:21.480 --> 00:04:23.160 is it. There's a diversity issue too. 89 00:04:23.199 --> 00:04:26.319 A significant one. Yes, women make up only about twenty 90 00:04:26.319 --> 00:04:28.839 four percent of the cyber workforce, even though are half 91 00:04:28.879 --> 00:04:33.680 the population. Minorities are also underrepresented around twenty six percent. 92 00:04:33.439 --> 00:04:37.319 And the sources argue this isn't just about fairness or optics, right, yeah, 93 00:04:37.360 --> 00:04:39.480 it actually impacts security effectiveness. 94 00:04:39.519 --> 00:04:43.279 Absolutely. Diverse teams are proven to reduce groupthink, they bring 95 00:04:43.360 --> 00:04:47.360 different perspectives, uncover more creative solutions. There is even data 96 00:04:47.399 --> 00:04:51.920 showing female CISOs scoring higher than male counterparts in leadership 97 00:04:51.959 --> 00:04:55.519 and analytical skills. It's a tangible benefit, so it. 98 00:04:55.519 --> 00:04:57.879 Drives better outcomes. Okay, so what there solutions? Then? How 99 00:04:57.920 --> 00:04:59.240 do we start closing these gaps? 100 00:04:59.360 --> 00:05:02.160 Well, it's got a multi pronged look. Beyond traditional IT 101 00:05:02.399 --> 00:05:06.319 backgrounds for recruitment, integrate IT and security teams more, maybe 102 00:05:06.399 --> 00:05:11.480 through cross training, foster a really inclusive culture, and boost 103 00:05:11.639 --> 00:05:14.639 the visibility and influence of the CISOL role itself to 104 00:05:14.959 --> 00:05:16.279 attract more diverse talent. 105 00:05:16.399 --> 00:05:18.360 It feels like a smart investment too when you put 106 00:05:18.360 --> 00:05:22.040 it in financial terms, like preventing just one average data breach, 107 00:05:22.399 --> 00:05:25.399 what was the figure three point eighty six million dollars 108 00:05:25.800 --> 00:05:28.000 they could easily pay for a whole team of cyber 109 00:05:28.079 --> 00:05:29.160 pros exactly. 110 00:05:29.240 --> 00:05:32.199 It really highlights the ROI of building a strong diverse 111 00:05:32.319 --> 00:05:33.399 security workforce. 112 00:05:33.560 --> 00:05:36.439 Okay, so we've covered the people element. Now let's pivot. 113 00:05:36.519 --> 00:05:39.720 Let's dive into the threat landscape itself. Who are the 114 00:05:39.759 --> 00:05:42.879 adversaries and what's their playbook look like? 115 00:05:43.040 --> 00:05:45.920 Right, it's a complex picture. You've got malicious outsiders but 116 00:05:45.959 --> 00:05:49.399 also insider threats. Let's start with the outsiders. Nation States 117 00:05:49.439 --> 00:05:52.959 are a major player. They're usually well funded, very sophisticated. 118 00:05:53.199 --> 00:05:57.639 Their motives often political, economic, or national security like espionage. 119 00:05:57.800 --> 00:06:02.800 Espionage definitely think of the op or degrading an adversaries 120 00:06:02.839 --> 00:06:06.959 capabilities like targeting power grids. Sometimes it's even personal revenge 121 00:06:07.000 --> 00:06:10.360 rumber Iran's attack on the Sans Casino or North Korea 122 00:06:10.439 --> 00:06:13.120 hitting Sony over that movie the interview Wow. 123 00:06:13.279 --> 00:06:16.399 And seeking economic advantage to isom huge driver. 124 00:06:16.959 --> 00:06:19.959 China's alleged theft of billions in trade secrets as a 125 00:06:19.959 --> 00:06:23.720 prime example. We're building back doors into products. It's asymmetric 126 00:06:23.759 --> 00:06:24.839 power projection as well. 127 00:06:24.920 --> 00:06:29.240 Okay, so Nation States, Yeah, then there are the cyber criminals. 128 00:06:29.560 --> 00:06:31.879 Yeah, and forget the stereotype of a loan hacker in 129 00:06:31.920 --> 00:06:35.160 a basement. This is a sophisticated industry. Now, these groups 130 00:06:35.160 --> 00:06:38.319 often look like legitimate companies. They have R and D departments, 131 00:06:38.399 --> 00:06:41.160 help desks, even money back guarantees on their malware. 132 00:06:41.279 --> 00:06:43.720 That's wild, and the lines are blurring, aren't they between 133 00:06:43.759 --> 00:06:45.600 these criminal groups and nation states. 134 00:06:45.720 --> 00:06:49.000 They really are. Some reports link major ransomware gangs like 135 00:06:49.120 --> 00:06:52.920 Maize or evil Core potentially back to governments like Russia. 136 00:06:53.000 --> 00:06:55.160 Plus they lower the barrier to entry with things like 137 00:06:55.360 --> 00:06:59.920 malware as a service, anyone can rent the tools now scary. 138 00:06:59.720 --> 00:07:01.759 And there are activists. 139 00:07:01.519 --> 00:07:05.720 Right, groups like Anonymous. They're typically driven by a political 140 00:07:05.879 --> 00:07:10.319 or social agenda, often less sophisticated, maybe defacing websites or 141 00:07:10.399 --> 00:07:13.759 leaking data they find poorly secured, mainly to get attention. 142 00:07:14.079 --> 00:07:17.399 Okay, so that covers the outsiders, but you mentioned insider 143 00:07:17.480 --> 00:07:20.839 threats too. That feels trickier. 144 00:07:21.000 --> 00:07:24.360 It is because employees can be your greatest asset at 145 00:07:24.399 --> 00:07:27.399 also a significant risk. It's a double edged sword. You 146 00:07:27.439 --> 00:07:31.759 have malicious insiders, maybe a disgruntled employee seeking revenge, or 147 00:07:31.759 --> 00:07:34.839 someone selling their log in credentials for profit like. 148 00:07:34.759 --> 00:07:38.000 That Rereuke ransomware case. In hospitals you mentioned, yeah, installed 149 00:07:38.000 --> 00:07:40.279 by insiders exactly. 150 00:07:40.360 --> 00:07:44.120 A devastating real world impact on patient care. But honestly, 151 00:07:44.360 --> 00:07:47.360 far more common are the accidental insiders. 152 00:07:46.800 --> 00:07:48.600 People just making mistakes. 153 00:07:48.279 --> 00:07:52.800 Yeah, honest mistakes. Misconfiguring a cloud setting forgetting to apply patch, 154 00:07:52.920 --> 00:07:55.279 clicking on a fishing link when they're tired or rushed, 155 00:07:55.720 --> 00:07:58.040 or maybe taking shortcuts with security to get their job 156 00:07:58.079 --> 00:08:00.160 done faster. We've all felt that pressure, the. 157 00:08:00.120 --> 00:08:04.120 Whole work from home shift, using personal devices that must. 158 00:08:03.879 --> 00:08:07.759 Expand the risk dramatically, or even family members using a 159 00:08:07.800 --> 00:08:11.480 work laptop. It just creates so many more potential entry 160 00:08:11.519 --> 00:08:13.240 points a wider attack surface. 161 00:08:13.279 --> 00:08:16.279 So how do you combat insider threats? It seems really 162 00:08:16.279 --> 00:08:18.120 difficult given the trust involved. 163 00:08:17.800 --> 00:08:21.199 It is complicated. Best practices focus on limiting access the 164 00:08:21.240 --> 00:08:24.920 principle of least privilege only give people access to what 165 00:08:24.959 --> 00:08:28.639 they absolutely need, regular reviews of who has access to what, 166 00:08:29.079 --> 00:08:33.279 separation of duties for critical tasks, dual authorization. Security teams 167 00:08:33.320 --> 00:08:36.039 also need to look for specific behavior's unusual use of 168 00:08:36.039 --> 00:08:41.879 IT resources, setting up unapproved shadow IT, using password cracking tools, things. 169 00:08:41.679 --> 00:08:43.480 Like that makes sense. Okay, so we know who the 170 00:08:43.480 --> 00:08:46.080 adversaries are, roughly, how do they typically get in? What 171 00:08:46.120 --> 00:08:47.279 are their go to tactics? 172 00:08:47.360 --> 00:08:50.559 Well, the old classic is still king fishing. Social engineering 173 00:08:50.679 --> 00:08:52.679 remains the most common way attackers succeed. 174 00:08:52.879 --> 00:08:54.679 Still, after all these years. 175 00:08:54.679 --> 00:08:57.440 Still it ranges from those generic your bank account is 176 00:08:57.480 --> 00:09:00.360 frozen emails all the way up to highly tar targeted 177 00:09:00.399 --> 00:09:04.480 whaling attacks aimed at executives or those business email compromise 178 00:09:04.639 --> 00:09:08.240 BC scams trying to trick finance apartments into wiring money 179 00:09:08.519 --> 00:09:09.840 still incredibly effective. 180 00:09:10.039 --> 00:09:12.000 And ransomware that seems to be everywhere. 181 00:09:12.039 --> 00:09:17.519 It's dominated headlines for years. Yeah, attacks on critical infrastructure, hospitals, schools, 182 00:09:17.639 --> 00:09:22.799 first responders. It's brutal, and the ransoms themselves have skyrocketed 183 00:09:22.840 --> 00:09:26.279 from maybe hundreds or thousands of dollars initially to millions 184 00:09:26.360 --> 00:09:30.159 now the whole dynamic has changed. Sometimes companies do pay 185 00:09:30.519 --> 00:09:34.559 then notify customers. Even the FBI acknowledges it's a complex decision, 186 00:09:34.840 --> 00:09:37.200 though they strongly urge reporting any incident. 187 00:09:37.320 --> 00:09:39.320 What else? What other common tactics? 188 00:09:39.360 --> 00:09:43.120 Misconfiguration is a huge one, especially with cloud services. Remember 189 00:09:43.159 --> 00:09:47.279 that example an AWSS three bucket misconfiguration at a company 190 00:09:47.279 --> 00:09:51.320 called twenty one buttons expose fifty million files. Simple mistake, 191 00:09:51.679 --> 00:09:52.320 huge impact. 192 00:09:52.440 --> 00:09:54.799 Why does that happen so often? Is it just carelessness? 193 00:09:54.919 --> 00:09:58.240 Sometimes? Often it's prioritizing speed or ease of use over 194 00:09:58.240 --> 00:10:01.960 security settings. Teams are just stretched thin trying to keep 195 00:10:02.039 --> 00:10:04.240 up with all the new cloud and sauce tools constantly 196 00:10:04.320 --> 00:10:06.320 rolling out. It's easy for things to slip through the. 197 00:10:06.240 --> 00:10:10.960 Cracks and the Internet of things IoT devices, connected thrumostats, cameras, 198 00:10:11.600 --> 00:10:14.600 even pacemakers big area of vulnerability. 199 00:10:15.159 --> 00:10:19.080 Many of these devices, and also operational technology OT and 200 00:10:19.120 --> 00:10:22.759 industrial settings just weren't built with security as a primary concern. 201 00:10:22.799 --> 00:10:25.279 They might use older protocols or they're hard to patch. 202 00:10:25.639 --> 00:10:27.919 They create all these new edges on the network that 203 00:10:27.960 --> 00:10:31.600 attackers can target. Even things like device specific chips add 204 00:10:31.679 --> 00:10:34.679 complexity to patching and managing supply chain risks. 205 00:10:34.759 --> 00:10:38.639 Okay, wow, that's a pretty daunting picture of the threats. 206 00:10:39.080 --> 00:10:41.919 Let's shift gears. Then let's talk about solutions. Part three, 207 00:10:42.879 --> 00:10:46.600 Strategic solutions, the processes and technology we need for a 208 00:10:46.639 --> 00:10:48.840 more secure future. Where do we begin. 209 00:10:49.080 --> 00:10:52.279 Let's start with effective cyber risk management. This is really evolved. 210 00:10:52.279 --> 00:10:55.320 It's not just about ticking boxes on basic security controls anymore. 211 00:10:55.320 --> 00:10:58.960 It's about assessing risk, measuring it, and communicating it clearly, 212 00:10:59.399 --> 00:11:02.559 all within the context of your overall business strategy and goals. 213 00:11:02.799 --> 00:11:05.879 So defining the organization's risk appetite, how much risk you're 214 00:11:05.879 --> 00:11:06.320 willing to. 215 00:11:06.279 --> 00:11:11.919 Accept exactly, and that requires strong governance and oversight. CSOs 216 00:11:11.919 --> 00:11:14.720 need to be plugged into the company's core governance structure, 217 00:11:14.879 --> 00:11:18.480 like the Enterprise Risk Management Committee the Privacy Committee. This 218 00:11:18.600 --> 00:11:22.159 ensures cyber risk is treated as a top tier organizational risk, 219 00:11:22.480 --> 00:11:23.960 not just an IT footnote. 220 00:11:24.240 --> 00:11:26.360 And information sharing seems critical. 221 00:11:26.000 --> 00:11:29.559 Here, too, hugely important, maybe one of the most important aspects. Actually, 222 00:11:29.919 --> 00:11:34.120 organizations really benefit from joining Information Sharing and Analysis Centers 223 00:11:34.200 --> 00:11:38.320 IX or similar groups. Iss Our Sources pointed to North 224 00:11:38.360 --> 00:11:41.600 Carolina's whole of state approach as a great model, building 225 00:11:41.679 --> 00:11:46.080 partnerships across private sector, public agencies, academia all working together 226 00:11:46.159 --> 00:11:49.039 to protect critical services like nine to eleven or water systems. 227 00:11:49.159 --> 00:11:51.519 That makes a lot of sense. What about cyber insurance? 228 00:11:51.559 --> 00:11:52.639 Is that part of the strategy. 229 00:11:52.879 --> 00:11:55.720 It's a tool, definitely, but it's not a silver bullet. 230 00:11:55.960 --> 00:11:58.480 It helps manage the financial fallout of an incident, but 231 00:11:58.519 --> 00:12:01.279 it absolutely does not show if the ownership of the risk, 232 00:12:01.559 --> 00:12:05.639 you're still responsible. In fact, many reputable insurers now require 233 00:12:05.679 --> 00:12:09.200 their customers to meet certain security best practices, often aligned 234 00:12:09.240 --> 00:12:13.000 with frameworks like NIST. It can be especially valuable for 235 00:12:13.039 --> 00:12:16.320 smaller businesses, though the stats are sobering over sixty percent 236 00:12:16.360 --> 00:12:19.440 of small businesses hit by a major cyber incident actually 237 00:12:19.480 --> 00:12:21.799 fail to recover. Insurance can be a lifeline. 238 00:12:21.799 --> 00:12:25.399 There. Yeah, Now, something else our sources discussed was blending 239 00:12:25.399 --> 00:12:29.279 THENC and the SoC, the Network Operation Center and the 240 00:12:29.279 --> 00:12:31.440 Security Operations Center. Why is that important? 241 00:12:31.559 --> 00:12:35.320 Well, Traditionally these two teams often operated in silos. The 242 00:12:35.440 --> 00:12:38.399 NOC focused on keeping the network up and running availability, 243 00:12:38.720 --> 00:12:42.240 the SoC focused on finding threat security. But this separation 244 00:12:42.360 --> 00:12:46.399 can lead to real inefficiencies, conflicting analyzes is it a 245 00:12:46.440 --> 00:12:49.559 network outage or a cyber attack, delays in responding while 246 00:12:49.600 --> 00:12:52.559 they figure it out, which can be incredibly costly during 247 00:12:52.559 --> 00:12:53.080 an incident. 248 00:12:53.159 --> 00:12:56.120 So blending them brings benefits like faster response. 249 00:12:56.039 --> 00:13:00.879 Faster resolution, definitely reduced downtime, less impact. It also tends 250 00:13:00.879 --> 00:13:04.600 to improve processes, increase information sharing between the teams yet 251 00:13:04.600 --> 00:13:08.559 broader knowledge, better coordination, and it can make automation and 252 00:13:08.639 --> 00:13:11.039 AI tools more effective because you're not looking at two 253 00:13:11.080 --> 00:13:13.720 completely separate sets of dashboards and data feeds. 254 00:13:13.960 --> 00:13:16.039 Are there dangers to avoid if you try to blend them? 255 00:13:16.080 --> 00:13:19.679 Oh? Absolutely, A superficial or rushed integration can backfire. You 256 00:13:19.759 --> 00:13:22.120 might end up with one culture dominating the other, either 257 00:13:22.159 --> 00:13:26.679 network stability, overwriting security concerns, or security locking things down 258 00:13:26.720 --> 00:13:30.240 so much that it hinders operations. Finding that balance is key. 259 00:13:30.679 --> 00:13:34.600 NOC needs availability, SoC needs to hunt for malicious intent. 260 00:13:34.879 --> 00:13:37.279 They have different, sometimes competing priorities. 261 00:13:37.360 --> 00:13:39.840 So how do you achieve that integration successfully? 262 00:13:40.000 --> 00:13:43.080 It takes de liberate effort, maybe co locating the team's physically, 263 00:13:43.600 --> 00:13:48.559 establishing really clear communication channels, both formal and informal. Getting 264 00:13:48.600 --> 00:13:52.600 solid buy in from executive leadership is crucial, Developing clear 265 00:13:52.679 --> 00:13:57.000 playbooks for different types of incidents, running regular tabletop exercises, 266 00:13:57.039 --> 00:14:01.399 and importantly including folks from legal, him A, communications too, 267 00:14:02.240 --> 00:14:05.720 and leveraging technology like AI and machine learning to help 268 00:14:05.759 --> 00:14:08.679 correlate the flood of alerts and pinpoint the truly critical 269 00:14:08.720 --> 00:14:11.240 issues in that stack of needles. 270 00:14:11.399 --> 00:14:15.320 Makes sense. Let's talk about building applications securely, the idea 271 00:14:15.320 --> 00:14:17.240 of shift left culture. 272 00:14:17.320 --> 00:14:21.440 Right, shifting security considerations earlier or left in the development 273 00:14:21.440 --> 00:14:23.559 life cycle, not tacking it on at the end. The 274 00:14:23.600 --> 00:14:26.360 core argument is cost. Our sources are pretty clear. Fixing 275 00:14:26.360 --> 00:14:29.279 a security flaw found after an application is deployed costs 276 00:14:29.360 --> 00:14:32.360 way more, maybe six to fifteen times more. Once were said, 277 00:14:32.600 --> 00:14:35.360 even twenty five times according to Nis, than finding and 278 00:14:35.399 --> 00:14:38.440 fixing it during the design or coding phase. So security 279 00:14:38.480 --> 00:14:41.039 leaders really need to well sell the merits of investing 280 00:14:41.039 --> 00:14:42.960 in a secure development program up front. 281 00:14:43.039 --> 00:14:46.039 How do you actually integrate security into that early design phase. 282 00:14:46.320 --> 00:14:49.279 There are a few ways. Human lead methods are important, 283 00:14:49.320 --> 00:14:53.639 things like formal design reviews, threat modeling, where security engineers 284 00:14:53.720 --> 00:14:57.879 actively brainstorm how an application could be misused, identify weak points, 285 00:14:58.039 --> 00:15:02.639 prioritize risks. Then you have tool driven methods SaaS Static 286 00:15:02.639 --> 00:15:07.080 application security testing analyzes the source code itself test Dynamic 287 00:15:07.080 --> 00:15:10.519 application security testing test the application while it's running. IAS 288 00:15:10.639 --> 00:15:11.919 integrates both, and. 289 00:15:11.919 --> 00:15:14.840 These tools help embed security earlier exactly. 290 00:15:15.159 --> 00:15:19.960 They catch coding errors, validate logic, scan for known vulnerabilities automatically. 291 00:15:20.320 --> 00:15:22.799 The key is tuning them correctly to avoid a light 292 00:15:22.840 --> 00:15:25.960 fatigue from too many false positives. But they are crucial 293 00:15:26.000 --> 00:15:28.519 for building security in not just finding flaws later. 294 00:15:28.720 --> 00:15:31.559 It sounds like getting developer buy in is pretty critical. 295 00:15:31.240 --> 00:15:34.120 Too, absolutely essential, and it requires empathy. You need to 296 00:15:34.200 --> 00:15:37.720 understand the pressures developers are under their workflows. Their incentives 297 00:15:38.080 --> 00:15:41.679 provide clear guidelines, yes, but also teach secure coding printfiiles, 298 00:15:41.679 --> 00:15:44.759 not just hand down rules. Things like secure coding boot 299 00:15:44.799 --> 00:15:48.279 camps or creating security champion programs within development teams can 300 00:15:48.360 --> 00:15:49.480 really empower them. 301 00:15:49.639 --> 00:15:51.360 And using data to make the case. 302 00:15:51.919 --> 00:15:56.399 Yes, storytelling with data is powerful. Use real world examples 303 00:15:56.440 --> 00:15:59.480 that not Petya attack causing ten billion dollars in damage 304 00:15:59.679 --> 00:16:02.519 or richating from a compromised software update that gets attention. 305 00:16:03.080 --> 00:16:05.639 Combine that with internal data showing the cost savings or 306 00:16:05.720 --> 00:16:10.080 avoided breaches from your own secure development efforts quantify the value. 307 00:16:10.240 --> 00:16:15.120 Okay, let's shift to GRC governance, risk and compliance. How 308 00:16:15.120 --> 00:16:18.240 does that become a strategic partner not just an enforcer? 309 00:16:18.639 --> 00:16:22.639 Well, the challenge is that traditional GRC traditional policymaking often 310 00:16:22.720 --> 00:16:26.960 struggles to keep pace with how fast technology is changing, cloud, AI, everything, 311 00:16:27.240 --> 00:16:30.480 and there's often this tension where user experience gets prioritized 312 00:16:30.480 --> 00:16:33.240 over security by design, which can create vulnerabilities right from 313 00:16:33.240 --> 00:16:33.720 the start. 314 00:16:34.039 --> 00:16:35.720 So what's the more strategic approach? 315 00:16:35.879 --> 00:16:39.480 One idea our sources suggests is creating an information Governance council, 316 00:16:39.720 --> 00:16:44.039 a cross functional team legal, privacy, security, IT, product development 317 00:16:44.120 --> 00:16:47.159 sourcing all at the table. This helps streamline how you 318 00:16:47.240 --> 00:16:51.559 evaluate risk, clarifies requirements across the board, and speeds up approvals, 319 00:16:51.679 --> 00:16:55.679 making sure compliance actually aligns with the overall corporate strategy. 320 00:16:55.279 --> 00:16:57.120 And automation plays a role here too. 321 00:16:57.320 --> 00:17:00.759 Big Time the Future is really about automationating the technical 322 00:17:00.759 --> 00:17:05.079 interpretation of security controls and embedding those requirements directly into code. 323 00:17:05.279 --> 00:17:08.839 Into the development pipeline. Policies themselves need to be rewritten. 324 00:17:08.880 --> 00:17:13.440 They need to understand current and next gen technology so 325 00:17:13.440 --> 00:17:17.000 they can enable secure innovation, not just restrict. 326 00:17:16.640 --> 00:17:19.519 Everything, and focusing on value not just cost exactly. 327 00:17:19.920 --> 00:17:24.480 Move beyond just calculating the operational expensive compliance. Align your 328 00:17:24.480 --> 00:17:28.680 technology and compliance metrics to demonstrate actual business value. Use 329 00:17:28.759 --> 00:17:32.480 metrics frameworks like NISS CSF or ISO twenty seven thousand 330 00:17:32.480 --> 00:17:36.720 and one for controls, maybe fair for risk quantification. Blend 331 00:17:36.759 --> 00:17:39.759 metrics about program maturity with metrics about actual hygiene. Are 332 00:17:39.759 --> 00:17:42.839 people adopting the practices and critically link these metrics back 333 00:17:42.880 --> 00:17:46.480 to business goals like your objectives and key results, your OKRs. 334 00:17:46.599 --> 00:17:48.519 So it all comes back to culture again. 335 00:17:48.279 --> 00:17:52.039 Really it does. Governance becomes a true business enabler when 336 00:17:52.039 --> 00:17:56.200 that security, compliance and privacy by design mindset is embedded everywhere, 337 00:17:56.400 --> 00:17:59.960 supported by ongoing education, tech briefings, and maybe even incentive 338 00:18:00.160 --> 00:18:01.240 for secure practices. 339 00:18:01.480 --> 00:18:05.920 Okay, one more crucial process area, cyber supply chain risk 340 00:18:06.000 --> 00:18:08.839 management or CSCRM. This seems huge. 341 00:18:08.920 --> 00:18:12.799 It is absolutely huge and increasingly critical. In today's digital world. 342 00:18:12.839 --> 00:18:15.599 We rely so heavily on third party IT and OT 343 00:18:15.759 --> 00:18:21.160 vendors software hardware services. This dramatically expands your potential of 344 00:18:21.240 --> 00:18:25.720 tax surface. So CSCRM is about identifying, assessing, and mitigating 345 00:18:25.920 --> 00:18:28.839 the risks associated with these third parties across the entire 346 00:18:28.880 --> 00:18:31.160 life cycle of their products and services. 347 00:18:30.720 --> 00:18:32.720 From design all the way to disposal. 348 00:18:32.440 --> 00:18:37.960 Exactly design, development, distribution, deployment, acquisition, maintenance, even destruction. It 349 00:18:38.039 --> 00:18:42.799 covers all interconnected hardware, software services, think smart tags, embedded software, 350 00:18:42.799 --> 00:18:44.119 and cars, medical devices. 351 00:18:44.599 --> 00:18:47.440 Everything that sounds incredibly complex to manage it is. 352 00:18:47.519 --> 00:18:50.720 It's global, it's constantly changing. The scope is massive. You've 353 00:18:50.720 --> 00:18:54.359 got layers upon layers of regulations adding complexity. And remember 354 00:18:54.359 --> 00:18:57.640 that stat something like ninety percent of IT vulnerabilities originate 355 00:18:57.680 --> 00:18:59.920 in software, much of which comes from your supply chain. 356 00:19:00.000 --> 00:19:03.319 Plus new tech like IoT Cloud five G just adds 357 00:19:03.319 --> 00:19:04.160 more layers of risk. 358 00:19:04.240 --> 00:19:06.680 And we've seen some major cautionary tales here, haven't we. 359 00:19:06.680 --> 00:19:10.640 We sure have. The twenty thirteen target breach started with 360 00:19:10.680 --> 00:19:14.319 credentials stolen from their HVAC vendor. Not Petya, which we 361 00:19:14.359 --> 00:19:17.359 mentioned delivered via a compromise update for Ukrainian tax software 362 00:19:17.559 --> 00:19:21.519 caused ten billion dollars in global damage, and more recently 363 00:19:21.599 --> 00:19:24.759 Solar Winds, a sophisticated attack where malicious code was hidden 364 00:19:24.799 --> 00:19:28.119 in legitimate software updates, hitting major government agencies and companies. 365 00:19:28.279 --> 00:19:30.240 These aren't theoretical risks, So. 366 00:19:30.160 --> 00:19:32.559 How do you tackle c SCRM. What's the approach? 367 00:19:32.839 --> 00:19:36.559 Our sources again point to that people, process technology framework people. 368 00:19:36.640 --> 00:19:40.400 You need knowledgeable leadership deep technical expertise, but you also 369 00:19:40.440 --> 00:19:43.559 need automation to help track the sheer volume of suppliers, 370 00:19:43.640 --> 00:19:47.720 software versions components. Cosos also need to pay very close 371 00:19:47.720 --> 00:19:51.759 attention to contract language with vendors, things like data rights, 372 00:19:51.880 --> 00:19:55.400 security requirements being passed down to their suppliers, flowdowns, aligning 373 00:19:55.400 --> 00:19:59.920 incentives okay, and process process leverage. Established frameworks NIST SPA 374 00:20:00.000 --> 00:20:02.119 one hundred and one seventy one, ISO twenty eight thousand 375 00:20:02.200 --> 00:20:05.359 series CMMC if you're in the defense space, these provide 376 00:20:05.359 --> 00:20:09.559 benchmarks and structured guidance. Don't reinvent the wheel and technology technology. 377 00:20:10.240 --> 00:20:14.880 Modern CSRM tools are getting pretty sophisticated. They can integrate 378 00:20:14.920 --> 00:20:18.920 publicly available risk data, use AI and machine learning for 379 00:20:18.960 --> 00:20:23.759 better analysis, connect via APIs to your existing systems. Often 380 00:20:23.799 --> 00:20:28.039 they use sauce dashboards for continuous monitoring. The key is 381 00:20:28.119 --> 00:20:31.599 letting the machines do the heavy lifting sifting through massive 382 00:20:31.640 --> 00:20:34.359 amounts of data so your people can focus on investigating 383 00:20:34.359 --> 00:20:35.720 the highest priority risks. 384 00:20:35.839 --> 00:20:38.440 Right, let the humans do the human level and ELSA Okay, 385 00:20:38.519 --> 00:20:41.400 this brings us towards the kind of ultimate goal, right, 386 00:20:41.440 --> 00:20:44.359 achieving end to end security exactly. 387 00:20:43.960 --> 00:20:47.640 Because the fundamental problem is that yesterday's security solutions just 388 00:20:47.720 --> 00:20:50.920 don't cut it anymore. Why is that the perimeter is gone, 389 00:20:51.160 --> 00:20:54.079 or at least it's incredibly blurry and fragmented. Think about 390 00:20:54.079 --> 00:20:58.319 remote work, mass cloud adoption, billions of connected IoT devices. 391 00:20:58.519 --> 00:21:01.839 These all create new edges today. Plus our sources indicate 392 00:21:01.880 --> 00:21:04.079 something like eighty percent or more of network traffic is 393 00:21:04.160 --> 00:21:06.759 encrypted now. That makes it really hard for traditional security 394 00:21:06.799 --> 00:21:08.160 tools to inspect what's going on. 395 00:21:08.319 --> 00:21:11.480 And organizations often have dozens of different security tools. 396 00:21:11.720 --> 00:21:14.960 Yeah, the average enterprise might have what forty seven different 397 00:21:15.000 --> 00:21:20.240 point solutions, often operating independently. These silos create security gaps. 398 00:21:20.519 --> 00:21:23.880 It's hard to correlate alerts across different tools. It's expensive 399 00:21:23.920 --> 00:21:26.720 and complex to manage, and it causes delays. When an 400 00:21:26.759 --> 00:21:31.960 incident happens, the adversaries are using scalable integrated platforms. Organizations 401 00:21:32.000 --> 00:21:35.400 need to fight fire with fire moving towards integrated platforms too. 402 00:21:35.720 --> 00:21:39.400 So what are the key drivers or pillars for achieving 403 00:21:39.440 --> 00:21:41.079 that kind of end to end security. 404 00:21:41.200 --> 00:21:45.279 Well, it starts with unified thread intelligence. That's foundational, integrating 405 00:21:45.279 --> 00:21:48.920 global data on emerging threats, attacker tactics, mitigation strategies that 406 00:21:48.960 --> 00:21:49.960 informs everything else. 407 00:21:50.119 --> 00:21:51.599 Okay, thread intel first. 408 00:21:51.680 --> 00:21:56.759 Then integrated security platforms. These aim to bundle critical capabilities together, 409 00:21:56.839 --> 00:22:02.160 things like firewalls, intrusion prevention, endpoints, security, cloud security, often 410 00:22:02.160 --> 00:22:08.000 delivering better speed, lower cost, higher ROI than managing separate tools. Importantly, 411 00:22:08.279 --> 00:22:12.160 these platforms should be open, allowing integration with tools you 412 00:22:12.200 --> 00:22:15.119 already have, and they should cover key areas like security 413 00:22:15.200 --> 00:22:19.599 driven networking, zero trust access, cloud protection, and AI driven 414 00:22:19.640 --> 00:22:22.920 operations ideally managed from a single pane of glass. 415 00:22:23.079 --> 00:22:25.920 Let's break those down a bit. Security driven networking. 416 00:22:25.799 --> 00:22:29.640 This is about converging networking and security functions, building security 417 00:22:29.680 --> 00:22:32.960 into the network fabric itself, not just bolting it on afterwards. 418 00:22:33.400 --> 00:22:36.680 This helps support modern trends like multi cloud environments and 419 00:22:36.720 --> 00:22:40.279 five G. It addresses problems like slow VPN performance for 420 00:22:40.319 --> 00:22:44.759 remote workers or inconsistent security policies across different locations. This 421 00:22:44.839 --> 00:22:48.279 convergence is really driving the adoption of SaaS secure access 422 00:22:48.359 --> 00:22:51.599 service edge solutions, which deliver security services right at the 423 00:22:51.599 --> 00:22:52.880 cloud edge close to users. 424 00:22:53.039 --> 00:22:55.759 Okay, and zero trust access ZPA, we hear that term 425 00:22:55.799 --> 00:22:56.119 a lot. 426 00:22:56.200 --> 00:22:58.599 It's a crucial concept, more of a mindset shift. 427 00:22:58.640 --> 00:22:58.920 Really. 428 00:22:59.240 --> 00:23:02.680 The core prints of is assume threats are already inside 429 00:23:02.720 --> 00:23:06.480 your network. Don't trust anyone or anything by default. You 430 00:23:06.519 --> 00:23:10.240 need to verify every user and every device, employees, contractors, 431 00:23:10.240 --> 00:23:14.599 IoT gadgets, ot systems before granting any access, and even 432 00:23:14.640 --> 00:23:18.720 then only grant the minimum necessary access least privilege and 433 00:23:18.799 --> 00:23:20.680 continuously monitor activity. 434 00:23:20.839 --> 00:23:23.440 So it's a move away from the traditional VPN model, 435 00:23:23.680 --> 00:23:26.119 where once you're in, you have broad access exactly. 436 00:23:26.160 --> 00:23:28.599 Traditional VPNs can be like giving someone the keys to 437 00:23:28.640 --> 00:23:31.000 the whole building once they pass the front door. ZT 438 00:23:31.039 --> 00:23:33.880 and a zero trust network access is much more granular. 439 00:23:34.079 --> 00:23:37.680 It provides access only to specific applications or resources the 440 00:23:37.759 --> 00:23:41.160 user is authorized for, offering better security and often a 441 00:23:41.200 --> 00:23:42.680 better user experience too. 442 00:23:42.920 --> 00:23:45.559 Makes sense. What about AI driven security operations? 443 00:23:45.720 --> 00:23:49.119 This is essential because humans just can't keep up Otherwise, 444 00:23:49.559 --> 00:23:53.400 the average security operations center deals with like ten thousand 445 00:23:53.400 --> 00:23:56.680 plus alerts per day. It's impossible to investigate them all manually. 446 00:23:57.160 --> 00:23:59.599 AI and machine learning are really good at sifting through 447 00:23:59.599 --> 00:24:03.160 that map massive volume of data, correlating alerts from different sources, 448 00:24:03.440 --> 00:24:06.920 identifying patterns, and highlighting the potentially high impact threats that 449 00:24:06.960 --> 00:24:11.559 analysts should focus on. Technologies like sandboxing safely detonating suspicious 450 00:24:11.599 --> 00:24:14.920 files in an isolated environment, and XDR extended detection and 451 00:24:14.960 --> 00:24:18.759 response which pulls in data from endpoints, network, cloud, email, etc. 452 00:24:19.160 --> 00:24:22.559 For broader correlation are key here. And finally, adaptive cloud 453 00:24:22.559 --> 00:24:26.000 security critical, especially with multi cloud strategies and all the 454 00:24:26.039 --> 00:24:28.839 remote work. The key thing to understand is the shared 455 00:24:28.839 --> 00:24:33.960 responsibility model. The cloud provider like AWS, Azure, Google Cloud 456 00:24:34.240 --> 00:24:37.400 secures the underlying infrastructure, but you are still responsible for 457 00:24:37.440 --> 00:24:41.119 securing your data, your applications, and how you configure the services. 458 00:24:41.559 --> 00:24:44.559 So your cloud security solutions need to integrate smoothly with 459 00:24:44.720 --> 00:24:49.079 all the major providers, cover your entire attack surface across clouds, 460 00:24:49.480 --> 00:24:53.519 and ideally offer centralized management and consistent policy enforcement. 461 00:24:53.799 --> 00:24:56.839 So putting it all together. The best security driven network 462 00:24:57.039 --> 00:24:58.119 isn't just one product. 463 00:24:58.359 --> 00:25:00.839 No, definitely not. It's not one size fits all. It's 464 00:25:00.920 --> 00:25:04.839 unique to your organization's specific environment and risk tolerance. It's 465 00:25:04.880 --> 00:25:08.759 fundamentally a risk based approach, actively working to remove the 466 00:25:08.799 --> 00:25:11.839 known unknowns, the risks you can identify and mitigate, and 467 00:25:11.880 --> 00:25:15.400 designing the system to make other potential threats irrelevant or contained. 468 00:25:15.720 --> 00:25:18.839 And it requires continuous integration of security controls as your 469 00:25:18.920 --> 00:25:23.319 organization evolves, adding new applications, new products, new processes, new people. 470 00:25:23.559 --> 00:25:24.519 It's never done. 471 00:25:24.759 --> 00:25:27.680 Okay, Wow, that brings us nicely to a wrap up. 472 00:25:27.759 --> 00:25:31.599 We've covered a lot of ground. We journeyed from really 473 00:25:31.680 --> 00:25:34.759 understanding how the role of cybersecurity leaders has changed the 474 00:25:34.839 --> 00:25:38.559 vital human elements, through the complexities of the threat landscape, 475 00:25:38.920 --> 00:25:42.720 and finally landing on these strategic processes and technologies needed 476 00:25:42.759 --> 00:25:45.359 for well a truly end to end secure enterprise. 477 00:25:45.720 --> 00:25:48.319 Yeah. I think the key takeaway really is that modern 478 00:25:48.359 --> 00:25:52.480 cybersecurity absolutely demands a holistic approach. You have to integrate people, 479 00:25:52.559 --> 00:25:56.599 process and technology. Moving beyond those siloed point solutions is 480 00:25:56.640 --> 00:25:59.359 critical to actually building resilience in today's environment. 481 00:26:00.000 --> 00:26:03.720 Absolutely, So a final thought for you, our listener. The 482 00:26:03.799 --> 00:26:07.559 digital world, as we've discussed, is innovating constantly, but guess what, 483 00:26:08.039 --> 00:26:11.519 so are the adversaries. The challenge isn't just playing catch up, 484 00:26:11.720 --> 00:26:16.200 it's about anticipating, adapting, building that resilience proactively. So the 485 00:26:16.279 --> 00:26:20.119 question to ponder is what unknown unknowns might be lurking 486 00:26:20.160 --> 00:26:23.279 in your own organization, and maybe more importantly, how will 487 00:26:23.279 --> 00:26:26.559 you empower everyone, not just the security team, to become 488 00:26:26.599 --> 00:26:31.039 an active participant in your cybersecurity defense because ultimately, your vigilance, 489 00:26:31.119 --> 00:26:34.319 everyone's vigilance is perhaps the most crucial security layer of all. 490 00:26:34.839 --> 00:26:37.000 That's all for this deep dive. We'll see you next time.