1
00:00:03,319 --> 00:00:06,960
Speaker 1: We have new intel. The threat has changed, probability has changed,

2
00:00:07,000 --> 00:00:09,279
the impact has changed, and we still feel good about

3
00:00:09,320 --> 00:00:10,560
our previous judgment of this.

4
00:00:10,960 --> 00:00:15,000
Speaker 2: Welcome listeners to the Industrial Security Podcast. My name is

5
00:00:15,080 --> 00:00:18,600
Nate Nelson. I'm here with Andrew Ginter, the vice president

6
00:00:18,640 --> 00:00:22,920
of Industrial Security at Waterfall Security Solutions, who's going to

7
00:00:22,960 --> 00:00:26,480
introduce the subject and guests of our show today. Andrew,

8
00:00:26,719 --> 00:00:27,160
how are you?

9
00:00:27,480 --> 00:00:29,960
Speaker 3: I'm very well, thank you, Nate. Our guest today is

10
00:00:30,079 --> 00:00:34,759
Kayne McGladrey here. He is the CISO in residence at Hyperproof,

11
00:00:35,359 --> 00:00:39,399
and we're going to be talking about the wide variety

12
00:00:39,759 --> 00:00:42,840
of risk that's out there, from you know, mundane ROI

13
00:00:42,880 --> 00:00:46,520
calculations to you know, extremes, trying to figure out how

14
00:00:46,560 --> 00:00:51,039
to avoid turning a city into a smoking crater and

15
00:00:51,079 --> 00:00:51,880
everything in between.

16
00:00:52,799 --> 00:00:57,359
Speaker 2: Then, without further ado, let's get to your interview.

17
00:00:58,600 --> 00:01:02,039
Speaker 3: Hello Kayne, and welcome to the podcast. Before we

18
00:01:02,079 --> 00:01:04,439
get started, can I ask you please to say a

19
00:01:04,439 --> 00:01:07,400
few words about yourself and your background for our listeners

20
00:01:07,680 --> 00:01:10,120
and about the good work that you're doing at Hyperproof.

21
00:01:10,640 --> 00:01:12,959
Speaker 1: Sure. Thanks for having me on the program, Andrew. I

22
00:01:12,959 --> 00:01:16,959
really appreciate it. I am a thirty-year veteran of the

23
00:01:17,000 --> 00:01:21,879
cybersecurity industry. I've done executive advisory on three separate continents

24
00:01:22,200 --> 00:01:24,920
and am a senior IEEE member. I'm a

25
00:01:24,959 --> 00:01:28,560
second-time CISO and currently am the CISO in residence

26
00:01:28,560 --> 00:01:32,879
at Hyperproof. I am responsible for kind of being the

27
00:01:32,920 --> 00:01:37,239
face of the company at events and on stage and presentations,

28
00:01:37,239 --> 00:01:41,799
but also at private executive retreats and dinners and really

29
00:01:41,840 --> 00:01:46,319
trying to emphasize thought leadership. And when I say that,

30
00:01:46,400 --> 00:01:50,680
I don't mean marketing product placement, I actually mean trying

31
00:01:50,760 --> 00:01:56,079
to contextualize the world that we live in from a legal,

32
00:01:56,120 --> 00:01:59,760
from a regulatory, from a contractual, and from a cybersecurity perspective,

33
00:02:00,239 --> 00:02:03,200
so that we have an informed view of the market.

34
00:02:04,159 --> 00:02:07,120
Speaker 3: Thank you for that. And our topic is your new

35
00:02:07,120 --> 00:02:11,680
book about risk. You know people new to the security

36
00:02:11,680 --> 00:02:15,039
field often think risk is boring. They're more interested

37
00:02:15,080 --> 00:02:19,199
in the technology of attacks. People in my experience don't

38
00:02:19,199 --> 00:02:22,199
get interested in risk until they've been a manager for

39
00:02:22,520 --> 00:02:25,240
a half a decade and failed to get any funding

40
00:02:25,319 --> 00:02:29,759
for their projects. So you know, to me, risk is

41
00:02:29,759 --> 00:02:32,759
the language of business. Can you talk about your new book?

42
00:02:32,800 --> 00:02:35,639
What you know? What are you writing about? How's that going?

43
00:02:36,599 --> 00:02:41,840
Speaker 1: Yeah, that's in progress. I'm currently in talks with a publisher

44
00:02:42,479 --> 00:02:46,479
about getting the book published. I decided to not self

45
00:02:46,520 --> 00:02:48,639
publish because I want to know what it would be

46
00:02:48,759 --> 00:02:51,840
like to go through the whole process to understand it.

47
00:02:52,360 --> 00:02:55,400
The premise of the book is that cyber risk is

48
00:02:55,520 --> 00:02:59,360
a myth and that it actually does not exist. And

49
00:02:59,400 --> 00:03:02,960
that's based on kind of my experience as a CISO

50
00:03:03,120 --> 00:03:06,599
in that when a CISO is talking to the board

51
00:03:06,639 --> 00:03:10,800
about the consequences or about the impacts of a given risk,

52
00:03:11,479 --> 00:03:14,719
CISOs who have longevity in the space, who succeed in

53
00:03:14,759 --> 00:03:19,919
the space, really tie it back to business impacts and consequences.

54
00:03:20,240 --> 00:03:23,280
And CISOs who find themselves popping jobs every two years

55
00:03:23,280 --> 00:03:26,120
and changing their spending a lot of time on LinkedIn.

56
00:03:26,479 --> 00:03:29,360
I think they talk about technical vulnerabilities or they talk

57
00:03:29,400 --> 00:03:35,159
about technical capabilities that don't necessarily resonate. And my position

58
00:03:35,680 --> 00:03:39,319
is that these days, smart CISOs really need to be

59
00:03:39,680 --> 00:03:45,199
emphasizing the risks to the business, not necessarily risks because

60
00:03:45,199 --> 00:03:48,280
of a technology. And that might sound like pedantry, but

61
00:03:48,319 --> 00:03:50,719
it's not because if you look at the way that

62
00:03:50,960 --> 00:03:54,960
laws and regulations and contractual obligations have been changing over time,

63
00:03:55,840 --> 00:04:00,240
we've seen this mental shift from well you won't be

64
00:04:00,280 --> 00:04:04,080
breached, to, well, you might be breached, but, you know,

65
00:04:04,479 --> 00:04:06,120
you have to tell us that you were breached and

66
00:04:06,120 --> 00:04:08,639
then go fix it to our current state of play,

67
00:04:08,680 --> 00:04:11,280
where we know you're going to be breached. You have

68
00:04:11,319 --> 00:04:14,280
to be resilient and you have to maintain the obligations

69
00:04:14,319 --> 00:04:16,360
that you've said or that the market has defined for

70
00:04:16,399 --> 00:04:20,000
your business. And I think that having that level of

71
00:04:20,120 --> 00:04:26,279
understanding really helps CISOs to better frame their conversations, to

72
00:04:26,360 --> 00:04:31,240
better communicate with business leaders, and also to introduce consistency

73
00:04:31,319 --> 00:04:34,920
in that process. The other thing I've been doing related

74
00:04:34,959 --> 00:04:40,279
to this is I've been workshopping a talk. I've presented

75
00:04:40,279 --> 00:04:44,319
it at various ISC2, IEEE Computer Society and

76
00:04:44,600 --> 00:04:50,040
ISACA chapters around the country, predominantly virtual, and the

77
00:04:50,360 --> 00:04:54,839
message really does resonate. Occasionally somebody will say, well,

78
00:04:54,839 --> 00:04:58,639
a vulnerability is a risk because a bad thing could happen,

79
00:04:59,120 --> 00:05:01,199
And then I think, as they start listening to

80
00:05:01,240 --> 00:05:04,680
themselves talk, they start realizing, well, a bad thing could happen,

81
00:05:04,720 --> 00:05:06,480
but you didn't find what the bad thing was, and

82
00:05:06,519 --> 00:05:08,560
you didn't find why anyone would care about the

83
00:05:08,600 --> 00:05:12,279
bad thing and that's the problem we have in cybersecurity

84
00:05:12,319 --> 00:05:15,759
often is the inability to communicate that if the bad

85
00:05:15,839 --> 00:05:20,279
thing happens, what was the bad thing? And then qualitatively,

86
00:05:21,040 --> 00:05:24,279
why should anybody care, from a business perspective? Now, some

87
00:05:24,319 --> 00:05:27,360
people might say quantitative is great. I know some folks

88
00:05:27,360 --> 00:05:31,759
on the FAIR board, they are very reasonable people who

89
00:05:31,759 --> 00:05:36,800
have a nuanced view of quantitative versus qualitative metrics. But

90
00:05:36,879 --> 00:05:39,519
I think overall we need to pivot our language because

91
00:05:39,600 --> 00:05:42,720
right now I've watched boards and CISOs talk past one

92
00:05:42,759 --> 00:05:46,040
another on three continents, and it's kind of tiresome. And

93
00:05:46,079 --> 00:05:49,199
I'd like to see that change by fundamentally attacking the

94
00:05:49,279 --> 00:05:52,199
language problem that underpins all of this misunderstanding.

95
00:05:52,959 --> 00:05:56,360
Speaker 3: I have to agree that, you know, it can be

96
00:05:56,480 --> 00:06:02,079
challenging to find the language of business and vulnerabilities. You know,

97
00:06:02,959 --> 00:06:05,920
a vulnerability assessment that comes back and says your OT system

98
00:06:05,959 --> 00:06:11,160
has twenty thousand unpatched vulnerabilities is not really useful. That

99
00:06:11,279 --> 00:06:13,959
confuses things more than anything else. So you know, I

100
00:06:14,040 --> 00:06:18,959
very much agree with that. The question is, though, if

101
00:06:18,959 --> 00:06:23,639
we're not going to talk technical, what do we talk?

102
00:06:23,680 --> 00:06:27,000
I mean, you've said tie it back to business impacts.

103
00:06:27,680 --> 00:06:31,759
Do we just talk about consequences? Do we talk about

104
00:06:33,360 --> 00:06:36,800
attack scenarios that could bring about the consequences? Attack

105
00:06:36,879 --> 00:06:40,199
scenarios that we sort of believe we can defeat with

106
00:06:40,240 --> 00:06:41,959
a high degree of confidence, so we don't need to

107
00:06:41,959 --> 00:06:44,480
spend a lot of time on versus ones that we

108
00:06:44,560 --> 00:06:46,600
don't defeat with a high degree of confidence. And you're

109
00:06:46,639 --> 00:06:48,040
going to have to give me a budget of ten

110
00:06:48,120 --> 00:06:51,079
or twenty or fifty million dollars to solve that problem.

111
00:06:51,800 --> 00:06:56,319
You know, if we're not talking about the technical vulnerabilities,

112
00:06:56,759 --> 00:06:58,920
what are we talking about? Is it attacks? Is

113
00:06:58,920 --> 00:06:59,720
it something else?

114
00:07:00,439 --> 00:07:04,079
Speaker 1: When a CISO is talking to people, I think they

115
00:07:04,120 --> 00:07:07,199
need to be a master communicator and be aware of

116
00:07:07,279 --> 00:07:11,319
the audience that they're speaking to. So if a CISO is

117
00:07:11,360 --> 00:07:15,000
talking to other executives or their board members that they're

118
00:07:15,759 --> 00:07:19,120
briefing about something, we need to be respectful and mindful

119
00:07:19,120 --> 00:07:22,319
of their intellectual background. Because most of these folks have

120
00:07:22,439 --> 00:07:25,439
got an MBA. And this isn't a clarion call for

121
00:07:25,439 --> 00:07:28,240
every CISO out there to go get an MBA. It's

122
00:07:28,600 --> 00:07:32,639
an understanding that intellectually they may not have had a

123
00:07:32,680 --> 00:07:36,720
great deal of exposure to cybersecurity terminology and some of

124
00:07:36,759 --> 00:07:40,360
the things that we take for granted that the assumptions

125
00:07:40,360 --> 00:07:43,639
that everyone knows this stuff, whatever it might be, they

126
00:07:43,680 --> 00:07:47,240
probably don't and that's not their fault, that's not their responsibility.

127
00:07:47,519 --> 00:07:50,319
Our responsibility is to educate them enough so that we

128
00:07:50,360 --> 00:07:54,040
can have a meaningful conversation and to bridge that communications gap.

129
00:07:54,399 --> 00:07:57,839
When talking to other executives, I will say I occasionally

130
00:07:57,920 --> 00:08:01,160
push for MBA programs to include more cybersecurity

131
00:08:01,439 --> 00:08:04,120
at the college and the university I work with here.

132
00:08:04,480 --> 00:08:09,439
But beyond that, it's still a fundamental difference of understanding of

133
00:08:09,480 --> 00:08:13,000
where folks are coming from educationally, and then when we're

134
00:08:13,000 --> 00:08:15,480
talking to our technical teams, folks who did not come

135
00:08:15,560 --> 00:08:17,759
up through an MBA program but may have a computer

136
00:08:17,839 --> 00:08:22,279
science background or a technology background, a cybersecurity background, it's

137
00:08:22,399 --> 00:08:26,160
very necessary to talk in technical terms because we can

138
00:08:26,240 --> 00:08:29,199
have that conversation. But I think all CISOs at this

139
00:08:29,240 --> 00:08:33,159
point should be encouraging their staff or demanding their staff

140
00:08:33,639 --> 00:08:37,279
also learn the language of business and start to communicate

141
00:08:37,320 --> 00:08:40,759
in the language of business. And in case that sounds abstract,

142
00:08:41,399 --> 00:08:46,919
let me give you a worked example. Every business has systems,

143
00:08:46,960 --> 00:08:51,159
and systems are a collection of stuff, components or

144
00:08:51,440 --> 00:08:55,440
piece parts, that do a thing for the business. That's vague.

145
00:08:55,480 --> 00:08:59,240
So let's talk about accounts payable and accounts receivable. Now,

146
00:08:59,360 --> 00:09:02,600
accounts payable, that's money going out the door. Accounts receivable

147
00:09:02,879 --> 00:09:08,399
is money coming in the door. Most companies negotiate contractually.

148
00:09:08,799 --> 00:09:11,080
This is important for CISOs and other folks to know

149
00:09:11,799 --> 00:09:16,799
that for accounts payable, you've got about ninety days contractually

150
00:09:16,840 --> 00:09:20,159
to pay a supplier or to pay somebody. But if

151
00:09:20,840 --> 00:09:24,759
you look at accounts receivable by comparison, it's about two weeks,

152
00:09:24,759 --> 00:09:29,799
about fourteen days. So that's money that's coming in the door.

153
00:09:30,320 --> 00:09:34,440
And something that I've seen consistently happen is when your

154
00:09:34,600 --> 00:09:37,639
lead red teamer comes to you or your lead Blue

155
00:09:37,639 --> 00:09:40,840
teamer comes to you, whatever their title might be, and says, hey,

156
00:09:40,919 --> 00:09:44,960
we found this vulnerability. Okay, cool, which system does it

157
00:09:44,960 --> 00:09:50,679
affect again? And if they say accounts receivable, right, that's

158
00:09:50,720 --> 00:09:54,360
that money that's coming in the door. Then we know

159
00:09:54,440 --> 00:09:57,279
we've got about fourteen days to go fix it. And

160
00:09:57,320 --> 00:10:01,440
it might be a higher impact vulnerability than something that

161
00:10:01,480 --> 00:10:06,000
affects accounts payable, because in accounts payable, that's that ninety days,

162
00:10:06,039 --> 00:10:09,879
that's three months. The worst thing that happens is your CFO,

163
00:10:10,080 --> 00:10:13,159
your chief financial officer has to wait a little longer

164
00:10:13,200 --> 00:10:17,000
to pay a bill. Most CFOs really don't get anxious

165
00:10:17,039 --> 00:10:19,639
about having to wait a little longer with cash in

166
00:10:19,679 --> 00:10:22,519
the bank to go pay somebody. And I think that

167
00:10:22,840 --> 00:10:27,279
as we encourage our technology teams to frame in systems,

168
00:10:27,559 --> 00:10:29,480
that's the first part of it, so we can understand, like,

169
00:10:29,600 --> 00:10:32,639
which of these systems does it materially affect, and then

170
00:10:32,879 --> 00:10:36,240
what's the level of impact? Again, if it's, we can't

171
00:10:36,279 --> 00:10:38,679
get any money coming in the door, which is something

172
00:10:38,720 --> 00:10:43,320
we saw happen with Change Healthcare, where there was a

173
00:10:43,360 --> 00:10:45,559
hospital somewhere in the middle of the country of the

174
00:10:45,639 --> 00:10:49,759
United States that basically couldn't get any money for reimbursement

175
00:10:49,799 --> 00:10:52,759
for medical procedures, and they consequently went out of business

176
00:10:53,120 --> 00:10:56,080
because of a third party data breach. Now that data

177
00:10:56,080 --> 00:11:00,480
breach affected their accounts receivable process. I think we need

178
00:11:00,480 --> 00:11:03,399
to have that conversation of, so, what's the material risk

179
00:11:03,440 --> 00:11:06,039
here? Is it that we can't do this anymore, we can't

180
00:11:06,080 --> 00:11:08,720
do this for a little while? And then finally, what's

181
00:11:08,720 --> 00:11:10,559
the risk of that? Are we losing money? Are we

182
00:11:10,600 --> 00:11:13,559
not able to pay our bills? And then taking that

183
00:11:13,600 --> 00:11:16,960
framing and extending it to other spaces. We need to

184
00:11:17,039 --> 00:11:22,320
understand what is this risk and do we care about it.

185
00:11:23,000 --> 00:11:26,320
When I was a CISO at an industrial design

186
00:11:26,360 --> 00:11:30,000
and manufacturing company, our number one risk on our risk

187
00:11:30,080 --> 00:11:34,840
register was turning a city into an uninhabitable crater. And

188
00:11:34,879 --> 00:11:37,399
it's an interesting thing for the top of your risk

189
00:11:38,279 --> 00:11:41,080
register to say, well, we could just you know, remove

190
00:11:41,080 --> 00:11:43,480
an entire city out of the United States, and that's

191
00:11:44,080 --> 00:11:47,039
an unacceptable risk. And then we have the secondary risk

192
00:11:47,120 --> 00:11:50,039
of well only part like, you know, we have mass

193
00:11:50,080 --> 00:11:52,519
loss of human life. And then our third risk was,

194
00:11:52,919 --> 00:11:56,639
you know, we have an individual loss of human life.

195
00:11:56,679 --> 00:12:00,000
All those are obviously not great things, and we prioritize

196
00:12:00,159 --> 00:12:04,080
those accordingly in the risk register. I think that most

197
00:12:04,120 --> 00:12:08,039
companies don't have that as being a regular thing that

198
00:12:08,120 --> 00:12:11,440
by taking a contract you could accidentally, you know, remove

199
00:12:11,440 --> 00:12:15,320
a city or cause mass human casualties. Interesting thing of

200
00:12:15,320 --> 00:12:17,720
working at the defense industrial base, right, But I think

201
00:12:17,759 --> 00:12:19,679
a lot of companies do have things like, well, we're

202
00:12:19,679 --> 00:12:21,879
going to lose intellectual property. Okay, Well, what's your risk

203
00:12:21,919 --> 00:12:25,159
tolerance for that? And what's the risk associated with a

204
00:12:25,159 --> 00:12:27,679
loss of your intellectual property? Does that mean your customers

205
00:12:27,679 --> 00:12:29,440
won't buy your thing anymore? Does that mean you have

206
00:12:29,480 --> 00:12:32,200
contractual violations? Does that mean that you're going to be

207
00:12:32,200 --> 00:12:34,960
called up on Capitol Hill, which is never a good time.

208
00:12:35,639 --> 00:12:37,759
I think that we need to get to that level

209
00:12:37,799 --> 00:12:41,799
of granularity. So when we hear there's a vulnerability or

210
00:12:42,799 --> 00:12:46,159
a cyber incident that it has occurred, we need to

211
00:12:46,200 --> 00:12:49,279
be able to contextualize it very quickly. Is this a

212
00:12:49,360 --> 00:12:52,159
risk that the business found to be tolerable or intolerable?

213
00:12:52,480 --> 00:12:57,759
And then strategize accordingly because we can't. It's impossible. No

214
00:12:57,799 --> 00:13:01,799
one has enough money or time or resources to fix

215
00:13:01,840 --> 00:13:04,440
all the things, whether those are vulnerabilities, or whether those

216
00:13:04,440 --> 00:13:07,399
are risks, or whether those are software patches, or there's

217
00:13:07,440 --> 00:13:09,360
just not enough time in the day and there's not

218
00:13:09,519 --> 00:13:12,519
enough will of the business to go do those things.

219
00:13:12,840 --> 00:13:15,320
So we need to be thoughtful and always be framing

220
00:13:15,399 --> 00:13:17,919
to what is the risk, what would happen if the

221
00:13:18,039 --> 00:13:21,360
risk were to materialize? And then did the business accept that?

222
00:13:21,919 --> 00:13:24,480
And I think that last part just to emphasize that

223
00:13:24,840 --> 00:13:30,279
it's something that junior security personnel frequently miss. They frequently

224
00:13:30,360 --> 00:13:32,720
think we have to fix all the things. We can't

225
00:13:32,720 --> 00:13:36,240
have this risk to this system because it would be

226
00:13:36,399 --> 00:13:41,399
bad because shrug reasons. I guess if the business has

227
00:13:41,440 --> 00:13:43,600
said this is an acceptable risk, or we're going to

228
00:13:43,600 --> 00:13:46,960
take insurance to mitigate this risk. Okay, cool, that's not

229
00:13:47,000 --> 00:13:49,679
our remit to say that it's good or bad. That's

230
00:13:49,720 --> 00:13:51,039
just what the business chose.

231
00:13:53,440 --> 00:13:57,200
Speaker 3: So Nate, Kayne covered a lot of ground there. Let

232
00:13:57,240 --> 00:14:00,679
me paraphrase real quick, just to sort of keep people

233
00:14:00,679 --> 00:14:03,799
all on the same page. He did not use the

234
00:14:03,840 --> 00:14:06,639
word credible, But I'm reminded of a recent episode with

235
00:14:06,759 --> 00:14:10,480
Kenneth Titlestad, where we talked about credible threats, credible attacks,

236
00:14:10,559 --> 00:14:16,559
credible consequences. Not all consequences of cyber attacks that we

237
00:14:17,120 --> 00:14:19,639
sort of on the front line looking at the nuts

238
00:14:19,679 --> 00:14:23,120
and bolts of it. Not all of those consequences are credible.

239
00:14:23,240 --> 00:14:25,759
Not all of them are reasonable to believe will come

240
00:14:25,799 --> 00:14:31,279
after us. Theoretically possible. Yes, reasonable is a different judgment.

241
00:14:31,679 --> 00:14:36,720
And even if you know we believe, we will argue

242
00:14:37,000 --> 00:14:40,759
that a consequence is a credible threat given the threat environment.

243
00:14:42,559 --> 00:14:46,679
Not all risks that pose credible threats, that

244
00:14:46,720 --> 00:14:50,879
are credible consequences. Not all of them are necessarily mitigated

245
00:14:51,120 --> 00:14:56,840
or accepted or sorry, mitigated or transferred to insured. You know,

246
00:14:56,919 --> 00:15:00,000
some of them we just accept. This is a business.

247
00:15:00,080 --> 00:15:03,840
This decision has something to do with whether the

248
00:15:03,879 --> 00:15:07,200
consequence is acceptable or not. You know, is it is

249
00:15:07,200 --> 00:15:11,559
it something we can live with? And you know, so

250
00:15:12,799 --> 00:15:15,440
the bottom line is it's it's complicated. There's a question of,

251
00:15:15,519 --> 00:15:17,639
you know, are these credible threats. There's a question of

252
00:15:18,679 --> 00:15:21,200
you know, who's going to decide. That was an episode

253
00:15:21,279 --> 00:15:23,879
with Tim McCrae. We on the front line should not

254
00:15:23,960 --> 00:15:26,919
be deciding what risks to accept and what risks to

255
00:15:27,000 --> 00:15:30,759
address and what risks to buy insurance for. That is

256
00:15:30,799 --> 00:15:37,200
a business decision. And what's important here is communicating consequences

257
00:15:37,240 --> 00:15:42,879
and credibility and you know, risk to the business in

258
00:15:42,960 --> 00:15:45,279
words that make sense to the business, so that the

259
00:15:45,320 --> 00:15:49,519
business decision makers, usually many layers up in the organization

260
00:15:49,639 --> 00:15:53,879
from us frontline workers, can make an informed decision. And

261
00:15:53,960 --> 00:15:58,080
sometimes we'll be surprised by that decision. You know, sometimes

262
00:15:59,559 --> 00:16:04,159
we don't understand the business impacts and they do. Sometimes

263
00:16:05,240 --> 00:16:07,759
the business might be in a hard place and might

264
00:16:07,840 --> 00:16:10,919
have to accept certain risks so that they can spend

265
00:16:10,960 --> 00:16:15,559
money addressing other even bigger risks to the business. So,

266
00:16:15,960 --> 00:16:19,600
you know, communicating all this is important to the business

267
00:16:19,639 --> 00:16:27,799
decision makers. The example is a scenario where in a sense,

268
00:16:27,840 --> 00:16:31,000
we have a steady state, we've made decisions about what's

269
00:16:31,080 --> 00:16:34,600
tolerable, what's not. We have a new vulnerability. The vulnerability

270
00:16:34,600 --> 00:16:38,240
that we've discovered, be it a software vulnerability or something else,

271
00:16:40,639 --> 00:16:44,799
is exposing us in a way that you know, we

272
00:16:45,679 --> 00:16:48,240
or at least the people reporting the vulnerability understand, is

273
00:16:48,679 --> 00:16:53,000
sort of outside of our risk tolerance. It's something just broke.

274
00:16:53,960 --> 00:16:58,279
We need to fix it. And you know, in a

275
00:16:58,320 --> 00:17:01,480
sense to me, that's a simple thing. If it broke

276
00:17:01,679 --> 00:17:03,799
and it's outside the tolerance, well we do have to

277
00:17:03,840 --> 00:17:09,359
fix it. It is a more challenging conversation, especially with

278
00:17:09,400 --> 00:17:12,079
the people who control the budget. It's a more challenging

279
00:17:12,079 --> 00:17:15,839
conversation when we have to talk about you know, look,

280
00:17:16,000 --> 00:17:20,839
I think we've set our risk tolerance at the wrong place.

281
00:17:21,279 --> 00:17:26,880
I think we need to, you know, be less tolerant

282
00:17:26,920 --> 00:17:29,519
of these risks because of X, Y and Z, and

283
00:17:29,640 --> 00:17:31,839
you know, often it generally has to do with a

284
00:17:31,880 --> 00:17:36,440
discussion of the seriousness of the consequences. People kind of

285
00:17:36,559 --> 00:17:40,839
understand what we're dealing with, unless it's a completely new

286
00:17:40,839 --> 00:17:45,920
project or building and the changing threat environment or changing

287
00:17:46,200 --> 00:17:48,920
expectations on a part of the government or the regulator

288
00:17:49,039 --> 00:17:53,119
or whoever. In terms of addressing these consequences, when you

289
00:17:53,160 --> 00:17:56,640
have to persuade people that they need to move the

290
00:17:56,680 --> 00:18:00,799
needle instead of just, you know, fixing a problem

291
00:18:00,839 --> 00:18:04,920
that popped up, how do you do that?

292
00:18:06,119 --> 00:18:11,279
Speaker 1: I'd say at many companies it's an annual exercise.

293
00:18:11,359 --> 00:18:15,160
I think at some companies it's a more frequent exercise.

294
00:18:15,680 --> 00:18:22,319
And it's having a consistent risk assessment process where you know,

295
00:18:23,200 --> 00:18:26,319
you can use NIST's Risk Management Framework, you can use

296
00:18:26,359 --> 00:18:29,160
ISO's Risk Management Framework. Goodness knows there are other ones

297
00:18:29,160 --> 00:18:34,240
in the world. But having a defined process really does help,

298
00:18:34,319 --> 00:18:38,440
and having it written down really does help. And the

299
00:18:38,519 --> 00:18:42,759
reason I say that is I don't like subjectivity in this,

300
00:18:43,000 --> 00:18:47,119
and I don't really think there's a right or

301
00:18:47,200 --> 00:18:50,039
a wrong here. The only thing I could say that

302
00:18:50,079 --> 00:18:52,599
could be wrong is not having a defined process that

303
00:18:52,640 --> 00:18:56,680
you follow consistently. If I look at the

304
00:18:56,720 --> 00:18:59,400
way that things are going right now across the market,

305
00:18:59,400 --> 00:19:04,160
the cybersecurity stance, the risk tolerance stance of a startup

306
00:19:04,799 --> 00:19:07,519
is very different than the risk tolerance stance of an

307
00:19:07,599 --> 00:19:12,240
established company is very different than the risk tolerance of

308
00:19:12,680 --> 00:19:16,359
a publicly traded company, and again is very different than

309
00:19:16,359 --> 00:19:21,079
the risk tolerance of a private equity backed company. All

310
00:19:21,119 --> 00:19:24,240
of those have very different strategies that all tie back

311
00:19:24,279 --> 00:19:28,200
to what their risk tolerance is. A startup that is

312
00:19:28,519 --> 00:19:30,759
trying to make a name for themselves in the world,

313
00:19:30,799 --> 00:19:33,119
trying to just ship a product and maybe make that

314
00:19:33,160 --> 00:19:36,799
first million dollars probably will accept a lot of risks,

315
00:19:36,839 --> 00:19:40,799
whether consciously or unconsciously. Most of it's probably unconsciously because

316
00:19:40,799 --> 00:19:43,000
they haven't had the reason to write it down and

317
00:19:43,079 --> 00:19:45,640
because if they just got seed funding, they probably don't

318
00:19:45,640 --> 00:19:49,200
have the time. A company that's got an established reputation

319
00:19:49,319 --> 00:19:52,960
by comparison, especially if they're a publicly traded company, has

320
00:19:53,240 --> 00:19:57,000
both contractual and legal and regulatory requirements that they're obligated

321
00:19:57,039 --> 00:19:59,480
to meet or to accept that yeah, actually we might

322
00:19:59,480 --> 00:20:02,400
not meet those. And again, that's a conversation that has

323
00:20:02,440 --> 00:20:05,000
to happen at the executive level to say this is

324
00:20:05,039 --> 00:20:07,559
a tolerable risk. I have worked with clients over the

325
00:20:07,640 --> 00:20:11,000
years who have said that the risk of a lawsuit

326
00:20:11,079 --> 00:20:13,920
that has a seven figure or eight figure or nine

327
00:20:13,920 --> 00:20:19,079
figure damages is fine. They'll just pay their way out

328
00:20:19,119 --> 00:20:21,119
of it and move on and they don't really need

329
00:20:21,119 --> 00:20:25,720
to go fix the risk. And security professionals inevitably end

330
00:20:25,799 --> 00:20:28,839
up in pearl clutching mode where they say, well, you know,

331
00:20:28,960 --> 00:20:32,240
there was a known vulnerability and the company didn't fix

332
00:20:32,279 --> 00:20:35,319
it and all of these terrible things happened, and somewhere

333
00:20:35,440 --> 00:20:38,960
the company that had the bad thing happen made the

334
00:20:39,000 --> 00:20:42,519
calculation of yep, that could happen. We're going to accept that,

335
00:20:42,759 --> 00:20:45,640
we are not going to go fix that. And I

336
00:20:45,680 --> 00:20:48,960
think that it's not really the role of the CISO

337
00:20:49,119 --> 00:20:52,559
to say this is right or this is wrong. It's

338
00:20:52,599 --> 00:20:54,680
the role of the CISO to work with the other

339
00:20:54,799 --> 00:20:59,440
business leaders, including chief counsel, the chief executive officer, the

340
00:20:59,519 --> 00:21:04,000
chief risk officer, if you've got one, the internal audit committee,

341
00:21:04,039 --> 00:21:06,880
the other, you know, the other standard participants, really to

342
00:21:07,079 --> 00:21:10,279
figure out what is our risk tolerance, make sure that

343
00:21:10,279 --> 00:21:13,319
that's okay with your board of directors, make sure that

344
00:21:13,359 --> 00:21:15,920
they've had a chance to see it and comment, and

345
00:21:16,480 --> 00:21:18,759
that really gives some clear bright lines for what's

346
00:21:18,759 --> 00:21:23,759
acceptable and what's unacceptable, and then to operate under those circumstances.

347
00:21:23,799 --> 00:21:26,359
It gives everyone very clear guidance and it gets us

348
00:21:26,359 --> 00:21:30,240
out of this, you know, futile conversation that we're

349
00:21:30,279 --> 00:21:32,319
going to go fix all the problems, are going to

350
00:21:32,319 --> 00:21:35,200
go fix all the things that broke, because some of

351
00:21:35,240 --> 00:21:38,880
those we might be okay with, maybe not personally. But

352
00:21:38,920 --> 00:21:41,319
if the business says it's fine, then it's fine. We

353
00:21:41,359 --> 00:21:43,319
don't really have that say to say, well, it's not

354
00:21:43,440 --> 00:21:46,440
fine unless we can make a compelling argument that says

355
00:21:46,480 --> 00:21:50,079
to everyone else on the risk management committee that this

356
00:21:50,200 --> 00:21:52,480
is something where we need to change our risk tolerance

357
00:21:52,519 --> 00:21:55,200
and here's your compelling evidence why, and here's your compelling

358
00:21:55,279 --> 00:21:58,160
reason why. Because that's going to shift strategy, and it's

359
00:21:58,160 --> 00:22:03,039
going to shift resources, and it's going to shift conscientious

360
00:22:03,119 --> 00:22:06,039
of those effects of trying to decide that we're going

361
00:22:06,079 --> 00:22:09,680
to change this now for CISOs who I mentioned this

362
00:22:09,759 --> 00:22:11,799
in the book as well as in my talk, for

363
00:22:11,880 --> 00:22:15,799
CISOs who think that they want that they have a

364
00:22:15,839 --> 00:22:20,920
revolving door situation with their risk management process where the

365
00:22:21,119 --> 00:22:24,759
business flags the risk that I don't know. Let's let's

366
00:22:24,799 --> 00:22:28,000
work a risk. Let's say that the use of AI

367
00:22:28,400 --> 00:22:32,640
may lead to lawsuits totaling no more than a hundred

368
00:22:32,640 --> 00:22:35,960
million dollars right, the use of AI with our intellectual

369
00:22:35,960 --> 00:22:39,480
property lawsuits. One hundred million dollars. Right, that's the high

370
00:22:39,559 --> 00:22:41,480
level risk. Now there's a lot of different ways that

371
00:22:41,480 --> 00:22:45,039
that could go occur, but that's the basic risk idea.

372
00:22:45,319 --> 00:22:48,319
If that's your risk, and you still have every executive saying, yay,

373
00:22:48,480 --> 00:22:50,839
it's fine, hundred million dollars or whatever, that's that's no

374
00:22:50,880 --> 00:22:53,680
big deal. We're not going to worry about that. For

375
00:22:53,759 --> 00:22:57,440
CISOs who want to start changing that, what I've seen

376
00:22:57,799 --> 00:23:00,880
my friends who are CISOs do to some good effect here,

377
00:23:00,920 --> 00:23:04,279
is to say, look, to accept a risk, first of all,

378
00:23:04,319 --> 00:23:06,759
you have to sign off on it. That already causes

379
00:23:06,799 --> 00:23:10,480
some discomfort among executives because that means they have to

380
00:23:10,519 --> 00:23:12,400
acknowledge that they said that it was okay and a

381
00:23:12,400 --> 00:23:16,119
piece of discoverable evidence. And then the second thing that

382
00:23:16,160 --> 00:23:19,160
I've seen CISOs do to great effect is to say, cool,

383
00:23:19,559 --> 00:23:21,720
when you accept a risk, you have to buy insurance

384
00:23:21,720 --> 00:23:25,039
against the risk on the open market for that quarter

385
00:23:25,640 --> 00:23:28,279
that says that it's going to cover the breach. It's

386
00:23:28,279 --> 00:23:30,319
going to cover the breach notification, it's going to cover

387
00:23:30,359 --> 00:23:32,359
the litigation, it's going to cover setting up the call center,

388
00:23:32,400 --> 00:23:35,279
it's going to cover the technical remediation, it's going to

389
00:23:35,279 --> 00:23:39,039
cover the external forensics firm that you have to employ

390
00:23:39,079 --> 00:23:42,359
if it's not a panel approved one from your insurer. Right,

391
00:23:42,680 --> 00:23:44,480
you have to pay for all of that when you

392
00:23:44,519 --> 00:23:49,559
go accept a risk, and in most cases not all cases,

393
00:23:50,279 --> 00:23:53,880
having folks sign and then have to buy insurance against

394
00:23:53,920 --> 00:23:57,920
the risk materializing changes the conversation, and it doesn't do

395
00:23:58,000 --> 00:24:00,640
it in an obvious way. What it does is it

396
00:24:00,680 --> 00:24:03,279
affects that business leader's P and L, their profit and

397
00:24:03,319 --> 00:24:06,119
loss statement if they accept a risk and then they

398
00:24:06,119 --> 00:24:08,519
have to go buy insurance, and that insurance costs I

399
00:24:08,519 --> 00:24:10,960
don't know, a million dollars. Let's say make the math easy.

400
00:24:11,240 --> 00:24:13,400
That means they're making a million dollars less that quarter.

401
00:24:13,920 --> 00:24:16,920
That's the type of thing that shows up in their

402
00:24:17,440 --> 00:24:21,200
KPIs or their OKRs or however their performance is being managed.

403
00:24:21,680 --> 00:24:23,680
And that's where we can start to have a conversation

404
00:24:23,720 --> 00:24:27,119
of cool, so the insurance costs a million dollars, If

405
00:24:27,160 --> 00:24:30,160
we'd like to talk about fixing it, it costs one hundred thousand dollars.

406
00:24:30,480 --> 00:24:32,440
They can then do the math in their head and say,

407
00:24:32,519 --> 00:24:36,160
huh, so for one tenth the cost I can mitigate

408
00:24:36,200 --> 00:24:38,759
this risk and only take one hundred thousand dollars hit

409
00:24:38,799 --> 00:24:40,519
to my p and L as opposed to a million

410
00:24:40,519 --> 00:24:43,200
dollar hit on their P and L. Pretty much everybody's

411
00:24:43,200 --> 00:24:46,640
going to say, yeah, that sounds pretty good. But if

412
00:24:46,680 --> 00:24:49,559
we can't phrase it that way, if we say, well,

413
00:24:49,599 --> 00:24:53,640
if you accept the risk, you're accepting the risk and shrug,

414
00:24:54,119 --> 00:24:57,319
don't know, that's where we get into trouble. That's where

415
00:24:57,319 --> 00:24:59,759
there's a lot of challenges that happen. And that's where

416
00:24:59,759 --> 00:25:03,359
I've seen CISOs get hung out to dry because if no

417
00:25:03,599 --> 00:25:06,240
business leader accepted the risk and the CISO has been

418
00:25:06,519 --> 00:25:09,559
established as the person who somehow magically owns all of

419
00:25:09,559 --> 00:25:13,200
the business risks, which I still don't understand that one,

420
00:25:13,359 --> 00:25:15,160
then I think that's where CISOs have a lot of

421
00:25:15,200 --> 00:25:18,839
personal and professional liability that comes up that I think

422
00:25:19,559 --> 00:25:23,119
CISOs with longevity are learning and they're learning how to avoid.

423
00:25:23,079 --> 00:25:29,319
Speaker 3: So Nate, I thought that was an interesting insight

424
00:25:29,359 --> 00:25:33,799
on the insurance at using the insurance, you know, kind

425
00:25:33,839 --> 00:25:36,680
of bucket when you're talking about accepting risk.

426
00:25:37,319 --> 00:25:39,480
Speaker 2: Why did that stand out to you, as opposed to

427
00:25:39,480 --> 00:25:42,519
anything else that you were talking about in this interview?

428
00:25:42,440 --> 00:25:44,720
Speaker 3: What he's saying is that if a business decision maker,

429
00:25:44,759 --> 00:25:46,279
you know, looks you in the eye and says, how much

430
00:25:46,279 --> 00:25:48,640
would it cost to fix that, you know whatever, three

431
00:25:48,640 --> 00:25:54,359
million dollars, twelve million dollars and says, well, you know,

432
00:25:54,400 --> 00:25:57,640
what are my options? Well, it's risk. There's the standard,

433
00:25:57,799 --> 00:25:59,720
you know, three or four options. You could change the

434
00:25:59,839 --> 00:26:02,960
design of the system so that the risk vanishes,

435
00:26:03,039 --> 00:26:07,200
it doesn't exist anymore. You could mitigate the risk, you know,

436
00:26:07,240 --> 00:26:10,559
put security in place to reduce you could transfer the risk,

437
00:26:10,720 --> 00:26:13,359
pay an insurance company. You could accept the risk and

438
00:26:13,400 --> 00:26:18,119
do nothing. How much does doing nothing cost me nothing?

439
00:26:18,160 --> 00:26:21,200
You're not doing anything? Okay, I'll do that, leave all

440
00:26:21,240 --> 00:26:25,880
the money in my pocket. That's you know, that's a

441
00:26:26,039 --> 00:26:29,519
trap that's easy to fall into. And he's saying, no, no,

442
00:26:31,160 --> 00:26:35,880
if you do the accounting internally and say we're you know,

443
00:26:36,000 --> 00:26:39,440
your division that you're responsible for that should address this risk,

444
00:26:39,920 --> 00:26:44,359
or that's you know, responsible for the risk. If you

445
00:26:44,559 --> 00:26:47,440
do nothing, we're going to go out to an insurer.

446
00:26:47,599 --> 00:26:50,240
We're going to get a quote for insurance. Whatever that

447
00:26:50,440 --> 00:26:53,640
money is, we're not going to spend it. You've decided

448
00:26:53,680 --> 00:26:55,839
not to spend the money. You've decided we can tolerate

449
00:26:55,880 --> 00:26:58,680
this risk. Great. But what we're going to do is

450
00:26:58,720 --> 00:27:01,160
we're going to do in our bookkeeping, we're going to

451
00:27:01,240 --> 00:27:05,119
deduct that amount of insurance even though we didn't pay it.

452
00:27:05,160 --> 00:27:08,480
We're just going to take that off of your earnings

453
00:27:08,559 --> 00:27:12,480
this year for your division because you've incurred this risk,

454
00:27:12,519 --> 00:27:14,960
and this is how big a risk the insurance company

455
00:27:15,000 --> 00:27:18,200
thinks you've just incurred. And this is a way to

456
00:27:18,440 --> 00:27:22,480
sort of make the risk real. Accepting the risk makes

457
00:27:22,480 --> 00:27:25,839
it real for the business decision maker. Accepting the risk

458
00:27:26,079 --> 00:27:29,759
also costs you, and here's a way to keep track

459
00:27:29,839 --> 00:27:32,440
of that cost. Is the insight that I've never heard

460
00:27:32,480 --> 00:27:34,599
anyone suggest that before. I thought, that's clever.

461
00:27:35,240 --> 00:27:38,079
Speaker 2: Yeah, I see what you mean. Do you find in

462
00:27:38,119 --> 00:27:42,839
your experience that folks sometimes think about risk as like

463
00:27:42,880 --> 00:27:45,440
a free hit, Like, Okay, I'll accept a certain amount

464
00:27:45,440 --> 00:27:48,240
of risks and then just move on in the way

465
00:27:48,279 --> 00:27:49,880
that you're sort of describing there.

466
00:27:50,200 --> 00:27:54,000
Speaker 3: I actually hear people looking at the problem that way

467
00:27:54,039 --> 00:27:58,680
fairly regularly, but they don't phrase it that way. Nobody

468
00:27:58,720 --> 00:28:02,279
talks about it that way. I see this not so

469
00:28:02,359 --> 00:28:04,839
much in the high frequency, low impact area, where you

470
00:28:04,880 --> 00:28:07,680
can sort of easily do an ROI calculation. I see

471
00:28:07,680 --> 00:28:11,920
it in the low frequency high impact area. You know,

472
00:28:12,079 --> 00:28:16,039
when we say low frequency, it's things that may never

473
00:28:16,160 --> 00:28:18,839
have happened. But we look at what's you know, what

474
00:28:18,880 --> 00:28:21,119
the enemy's capabilities are, and we say, you know, this

475
00:28:21,160 --> 00:28:23,079
could happen if they got it in their mind, they

476
00:28:23,079 --> 00:28:24,799
could do it to us. Will they get it into

477
00:28:24,839 --> 00:28:27,599
the mind or not? Is it we start having, you know,

478
00:28:27,640 --> 00:28:31,440
and we're talking about things that have never happened yet.

479
00:28:32,240 --> 00:28:36,000
And what I hear is, you know, business decision makers

480
00:28:36,000 --> 00:28:38,759
saying things like, well, how about we wait till it

481
00:28:38,880 --> 00:28:41,599
happens and then we'll know how often it happens instead

482
00:28:41,640 --> 00:28:44,559
of spending money on it now. And they put the

483
00:28:44,599 --> 00:28:47,519
money in, you know, figuratively speaking back into their pockets,

484
00:28:47,559 --> 00:28:49,240
saying we're not going to do anything about this. We're

485
00:28:49,279 --> 00:28:54,319
accepting the risk. If you know, again, if we dock

486
00:28:54,960 --> 00:28:58,599
from that division's, that business decision maker's numbers for the

487
00:28:58,680 --> 00:29:00,519
quarter or for the year, if we dock the money

488
00:29:00,559 --> 00:29:03,279
that they would have had to pay to buy insurance,

489
00:29:03,799 --> 00:29:06,240
saying well, you decided not to buy insurance. That's a

490
00:29:06,319 --> 00:29:09,400
legitimate business decision. You have, you know, spending authority to

491
00:29:09,480 --> 00:29:14,599
make those decisions. But by accepting the risk, you have

492
00:29:14,839 --> 00:29:19,400
actually accepted a liability. Here's a way to quantify that liability.

493
00:29:19,599 --> 00:29:21,559
Figure out what the insurance would have been, claw that

494
00:29:21,640 --> 00:29:25,559
money back. That's you know, to me, that's that's a

495
00:29:25,559 --> 00:29:29,559
way to take what would otherwise be a very difficult

496
00:29:30,000 --> 00:29:33,920
decision of a discussion about things that have never happened,

497
00:29:34,119 --> 00:29:39,200
and turn it into an ROI discussion. Well, once you say,

498
00:29:39,720 --> 00:29:43,799
makes sense when you know, it's great to use insurance

499
00:29:43,839 --> 00:29:48,279
premiums when we're trying to do ROI discussions with business

500
00:29:48,279 --> 00:29:50,599
decision makers. As you said, you know, the math is easy,

501
00:29:50,640 --> 00:29:54,119
you can do it in your head. It gets trickier

502
00:29:54,640 --> 00:29:59,839
for high consequence events. Now, concrete example. You know, Deepwater

503
00:30:00,160 --> 00:30:02,759
Horizon was not a cyber event, don't get me wrong,

504
00:30:02,759 --> 00:30:06,440
but it was a really big safety incident in the

505
00:30:06,480 --> 00:30:09,680
oil and gas industry. And I believe that when all

506
00:30:09,799 --> 00:30:11,799
was said and done, all of the remediation was done,

507
00:30:11,880 --> 00:30:15,759
all the lawsuits were over, British Petroleum announced that the

508
00:30:15,799 --> 00:30:19,480
whole thing had cost sixty nine billion dollars, so you know,

509
00:30:19,559 --> 00:30:24,519
sixty nine times ten to the ninth and they moved

510
00:30:24,559 --> 00:30:28,319
on because they were big enough. BP is big enough

511
00:30:28,359 --> 00:30:31,079
that they can pay sixty nine billion dollars and not

512
00:30:31,160 --> 00:30:35,680
go anywhere near out of business. The question is, you know,

513
00:30:35,880 --> 00:30:37,759
there's no way, as far as I know, correct me

514
00:30:37,759 --> 00:30:41,079
if I'm wrong, there's no way to buy insurance for

515
00:30:41,160 --> 00:30:48,279
a sixty nine billion dollars cyber impact. And so you know,

516
00:30:49,240 --> 00:30:52,720
you have no choice either you mitigate this and reduce

517
00:30:52,799 --> 00:30:57,440
the risk, or you accept the risk. Is it reasonable

518
00:30:58,039 --> 00:31:01,599
to accept a risk that big just because you're big

519
00:31:01,720 --> 00:31:03,160
enough to do it. I mean a lot of businesses

520
00:31:03,200 --> 00:31:04,880
it would put them out of business. They would probably

521
00:31:04,880 --> 00:31:05,960
say it's not reasonable.

522
00:31:06,640 --> 00:31:06,880
Speaker 1: You know.

523
00:31:07,039 --> 00:31:10,039
Speaker 3: Is it reasonable for a really big business to accept

524
00:31:10,079 --> 00:31:12,680
a risk that big just because they can? Or is

525
00:31:12,680 --> 00:31:15,480
that is that just setting you up for you know,

526
00:31:15,599 --> 00:31:18,359
I don't know, a shareholder lawsuit or something because the

527
00:31:18,480 --> 00:31:22,039
board is making decisions that are perceived by the public

528
00:31:22,119 --> 00:31:25,200
as not reasonable. Can you talk about reasonability and the

529
00:31:25,359 --> 00:31:27,920
really high end of consequence.

530
00:31:27,920 --> 00:31:31,000
Speaker 1: When I think about that? Other than you know, he

531
00:31:31,079 --> 00:31:33,759
made me think about Tony Hayward briefly as yet another

532
00:31:33,799 --> 00:31:37,839
casualty of the Deepwater Horizon because of him putting

533
00:31:37,880 --> 00:31:40,960
his foot so firmly down his mouth. I think even

534
00:31:41,000 --> 00:31:43,799
Harvard has a business school class just about Tony Hayward

535
00:31:44,680 --> 00:31:48,119
super fun. I think that some businesses will accept those

536
00:31:48,279 --> 00:31:52,559
risks as being very large because they are capable of

537
00:31:52,640 --> 00:31:55,519
accepting the consequence of that risk, or at least they

538
00:31:55,559 --> 00:31:59,039
believe themselves to be. Let's take an example here, a

539
00:31:59,039 --> 00:32:02,279
commercial example that I think affected about half of your listeners.

540
00:32:02,680 --> 00:32:07,359
So Equifax is a company that does stuff. They they

541
00:32:07,720 --> 00:32:10,680
had a data breach, and stuff that they do is

542
00:32:10,680 --> 00:32:14,880
they collect everybody's information, their personal identifiable information, financial data,

543
00:32:14,920 --> 00:32:18,000
and so on, and they aggregated, bundle it all up

544
00:32:18,039 --> 00:32:19,880
and say, hey, this person might be okay to give

545
00:32:19,920 --> 00:32:22,440
a loan to or this person should get a better

546
00:32:22,480 --> 00:32:25,119
credit card than somebody else. That's kind of their business model.

547
00:32:25,799 --> 00:32:29,200
They had a bit of a problem and they lost

548
00:32:29,240 --> 00:32:32,319
about the data of about half of all of Americans

549
00:32:32,359 --> 00:32:35,599
living at the time. It's kind of a big problem.

550
00:32:35,839 --> 00:32:38,720
They got in trouble with multi state litigation as well

551
00:32:38,759 --> 00:32:42,799
as with GLBA, and there was about one hundred and

552
00:32:42,880 --> 00:32:46,160
fifteen dollars one hundred and fifteen million dollars in settlements

553
00:32:46,200 --> 00:32:48,799
if you add it all up from the legal fees

554
00:32:48,880 --> 00:32:54,160
and from the multidistrict litigation and from the various federal investigations.

555
00:32:54,200 --> 00:32:56,599
One hundred and fifteen million dollars is really something that

556
00:32:56,640 --> 00:32:58,640
they could just shrug off and go, yep, that's a

557
00:32:59,000 --> 00:33:01,839
that's a slap on them. I think the risk that

558
00:33:01,880 --> 00:33:04,839
they did not adequately calculate, and I think that this

559
00:33:04,960 --> 00:33:07,480
is one of those things that many businesses do not

560
00:33:07,519 --> 00:33:11,519
adequately calculate. Equifax also had to put in one billion,

561
00:33:11,880 --> 00:33:14,640
that's with a B on it, one billion dollars of

562
00:33:14,680 --> 00:33:17,680
additional security controls over a decade as part of a

563
00:33:17,720 --> 00:33:21,880
negotiated settlement, and I think that the insurance probably could

564
00:33:21,880 --> 00:33:24,599
have paid some of that one hundred and fifteen million dollars,

565
00:33:24,920 --> 00:33:29,759
but that billion dollars to cyber better to put in

566
00:33:29,839 --> 00:33:32,720
adequate controls, to put in adequate processes, to put in

567
00:33:32,759 --> 00:33:36,079
adequate tools. Insurance is not going to cover that. And

568
00:33:36,119 --> 00:33:39,640
I think that as as risk leaders, and this is

569
00:33:39,640 --> 00:33:42,000
not just CISOs. I think chief risk officers have to

570
00:33:42,039 --> 00:33:47,119
be aware of this. We've seen many recent incidents. If

571
00:33:47,119 --> 00:33:50,240
you think about the Office for Civil Rights, OCR, their

572
00:33:50,319 --> 00:33:54,799
enforcement of HIPAA based on companies having done inadequate risk assessments,

573
00:33:55,200 --> 00:33:59,480
they often will first of all implement a fine, but

574
00:33:59,519 --> 00:34:02,960
then there'll be negotiated settlement that says y'all have to

575
00:34:03,000 --> 00:34:06,039
do better, and you're going to spend money to do better.

576
00:34:06,640 --> 00:34:08,559
And I think that needs to be part of the

577
00:34:09,119 --> 00:34:13,000
calculation for those companies to say, cool, so the insurance

578
00:34:13,039 --> 00:34:15,159
is going to cover part of this. But if we

579
00:34:15,239 --> 00:34:18,480
have been neglecting, if we have not been putting in

580
00:34:18,599 --> 00:34:22,199
place the adequate controls and evidence of those controls being

581
00:34:22,239 --> 00:34:26,519
adequately operated, then that becomes an additional calculation of hey,

582
00:34:26,519 --> 00:34:29,199
we could have to spend money on this stuff again.

583
00:34:29,719 --> 00:34:33,440
Some companies are going to say, and that's okay. They're

584
00:34:33,440 --> 00:34:35,719
going to say, that's fine, we can put it off

585
00:34:35,719 --> 00:34:38,519
because you know what, for not spending that dollar today,

586
00:34:38,559 --> 00:34:41,199
we can do something else with that dollar. Other companies

587
00:34:41,239 --> 00:34:44,119
are going to say, well, that's that's an unacceptable risk

588
00:34:44,199 --> 00:34:47,159
for us, according to our board or according to the

589
00:34:47,239 --> 00:34:50,559
legal requirements that we've decided, that are material risk to

590
00:34:50,599 --> 00:34:53,800
our entity, and this consequence, they'll do something about it.

591
00:34:53,840 --> 00:34:54,639
Does that make sense?

592
00:34:55,800 --> 00:34:58,239
Speaker 3: It does to a degree, But let me dig deeper.

593
00:34:59,320 --> 00:35:07,039
The U the billion dollars on security is that greater

594
00:35:07,440 --> 00:35:11,440
than the business would naturally have paid by itself to

595
00:35:11,519 --> 00:35:18,360
address the risk. I mean something happened, and you know,

596
00:35:18,400 --> 00:35:21,199
the business was forced to pay a billion dollars to

597
00:35:21,239 --> 00:35:23,880
beef up security. Is that money they should have spent

598
00:35:24,000 --> 00:35:27,719
on their own anyway, or is that somehow materially greater

599
00:35:27,800 --> 00:35:29,280
than what they would have had to do on their

600
00:35:29,320 --> 00:35:33,000
own had they done it up front. I don't know.

601
00:35:33,199 --> 00:35:35,639
You know, it sounds like if they had to spend

602
00:35:35,639 --> 00:35:39,559
a billion dollars anyway, then delaying it as long as possible,

603
00:35:39,639 --> 00:35:41,679
you know, is something that a spreadsheet would say is

604
00:35:41,679 --> 00:35:44,840
a good idea. But if something, you know, if one

605
00:35:44,880 --> 00:35:47,719
hundred million dollar upgrade turned into a billion dollar upgrade

606
00:35:47,760 --> 00:35:50,599
because the government got involved and said, no, no, you

607
00:35:50,679 --> 00:35:53,119
have to do way more than you would otherwise, you know,

608
00:35:53,400 --> 00:35:54,920
can you talk about the difference there?

609
00:35:55,840 --> 00:35:58,039
Speaker 1: Well? I think the part of that difference is just

610
00:35:58,119 --> 00:36:00,480
the time spent reporting back that you're doing the thing

611
00:36:00,519 --> 00:36:03,039
that you've negotiated as part of your legal settlement that

612
00:36:03,079 --> 00:36:05,559
you have to go do, right, That's part of the

613
00:36:05,559 --> 00:36:08,880
cost calculation that's in that billion dollars or in similar settlements.

614
00:36:08,920 --> 00:36:13,039
There's just a reporting obligation there that nobody gets excited about,

615
00:36:13,360 --> 00:36:16,280
and it's a report to your regulator or to whoever

616
00:36:16,280 --> 00:36:19,000
you've got the negotiated settlement with, none of which is

617
00:36:19,079 --> 00:36:21,519
fun and a lot of which tends to be a

618
00:36:21,599 --> 00:36:26,840
negative influence on morale, But it becomes a necessary obligation

619
00:36:27,079 --> 00:36:30,840
that falls through not having done the adequate risk treatment

620
00:36:31,239 --> 00:36:33,639
in the view of whoever you got in trouble with,

621
00:36:33,679 --> 00:36:36,280
whether that was HIPAA or whether that was GLBA, or

622
00:36:36,320 --> 00:36:39,599
whether it was the FDC, you name it right, depending

623
00:36:39,639 --> 00:36:42,599
on who you've ultimately ended up having to settle with,

624
00:36:42,679 --> 00:36:45,360
and that might sometimes be multiple parties. If you've got

625
00:36:45,440 --> 00:36:49,039
multi district litigation going on again, it's going to drive

626
00:36:49,199 --> 00:36:53,239
spending that has to happen. I think ultimately it's a

627
00:36:53,320 --> 00:36:57,400
question of two things. First of all, was the CISO

628
00:36:57,599 --> 00:37:01,599
able to make the compelling business argument and collaborate with

629
00:37:01,639 --> 00:37:04,280
the other executives and business leaders that that was money

630
00:37:04,280 --> 00:37:07,800
that they should have been spending right, and then writing

631
00:37:07,840 --> 00:37:10,840
those decisions down is part of the risk assessment plan

632
00:37:11,000 --> 00:37:14,599
that the CISO and the Chief Risk Officer proposed that

633
00:37:14,639 --> 00:37:18,559
we spend this money on these controls, and after thorough discussion,

634
00:37:18,639 --> 00:37:20,599
we decided we're going to accept the risk and not

635
00:37:20,760 --> 00:37:24,639
implement those controls. And here are the signatories of everybody

636
00:37:24,719 --> 00:37:27,199
who made that decision right, and that's what you look

637
00:37:27,239 --> 00:37:29,760
for as a gold standard. And I say that because

638
00:37:29,800 --> 00:37:34,000
it reduces the risk of blowback on everyone involved. The

639
00:37:34,039 --> 00:37:37,039
CISO did a reasonable job of trying to present a case.

640
00:37:37,400 --> 00:37:40,199
The chief risk officer in that example, perhaps counsel as

641
00:37:40,199 --> 00:37:43,440
well made a reasonable attempt. The business chose to not

642
00:37:43,519 --> 00:37:46,920
do something that's okay. What's not okay is not having

643
00:37:46,920 --> 00:37:50,119
that written down, And what's not okay is not having

644
00:37:50,719 --> 00:37:54,039
a collaborative process by which a business reaches that decision.

645
00:37:54,960 --> 00:37:56,920
Speaker 3: Can I ask you a sort of a related question

646
00:37:58,679 --> 00:38:01,960
we talked about the physical scenario. I mean, industrial security

647
00:38:02,000 --> 00:38:06,360
is often about preventing physical consequences, not just financial consequences.

648
00:38:06,960 --> 00:38:10,119
The physical scenario, you know, defense industrial base. You're doing

649
00:38:10,119 --> 00:38:13,360
a project, you're inventing something new that, if it goes wrong,

650
00:38:13,480 --> 00:38:18,559
would turn a large city into a crater. That's clearly

651
00:38:19,360 --> 00:38:25,039
from pretty much everyone's perspective, an unacceptable consequence. But if

652
00:38:25,519 --> 00:38:29,480
that consequence could be brought about by a cyber attack,

653
00:38:31,000 --> 00:38:35,679
the question becomes how thoroughly should we protect that system?

654
00:38:35,840 --> 00:38:38,599
I mean, the answer is really really thoroughly. The real

655
00:38:38,599 --> 00:38:44,840
answer is what does that mean? Given that experts in

656
00:38:44,920 --> 00:38:49,800
the field disagree as to what constitutes a credible cyber threat.

657
00:38:50,320 --> 00:38:53,440
You know, for any cyber defensive posture, you can imagine

658
00:38:53,840 --> 00:38:57,079
an attack that defeats it. Now your imagination might you know,

659
00:38:57,159 --> 00:38:59,360
might have to stretch. The more thoroughly you defend something,

660
00:38:59,360 --> 00:39:01,320
the more you got to stretch that imagination. But at

661
00:39:01,320 --> 00:39:04,559
some point you have to decide, you know, this bizarre

662
00:39:04,599 --> 00:39:09,000
thing I've just imagined is probably never going to happen.

663
00:39:09,000 --> 00:39:12,679
It's just not reasonable to spend the extra ten twenty

664
00:39:12,760 --> 00:39:17,320
fifty billion dollars to protect against that bizarre thing. At

665
00:39:17,360 --> 00:39:19,239
some point you've got to draw the line and say

666
00:39:19,280 --> 00:39:21,360
this is a credible threat. The rest of it is not.

667
00:39:21,960 --> 00:39:27,000
When you have serious consequences, given that experts disagree about

668
00:39:27,239 --> 00:39:30,519
what is credible, you know, how do you draw that line?

669
00:39:30,559 --> 00:39:33,440
Do you do you use analog protections exclusively and say,

670
00:39:33,480 --> 00:39:37,079
just wipe out the cyber threat entirely, or you know,

671
00:39:37,320 --> 00:39:41,360
can you stay with cyber and accept certain risks because

672
00:39:41,719 --> 00:39:44,480
it's not reasonable to believe they will ever come at you?

673
00:39:44,800 --> 00:39:48,360
How do you deal with that? Again? In part just

674
00:39:48,760 --> 00:39:52,679
period and when experts disagree as to what's credible.

675
00:39:53,440 --> 00:39:57,239
Speaker 1: Something that I've learned from having hired folks out of

676
00:39:57,679 --> 00:40:01,079
Fort Meade from the intelligence services in the United States

677
00:40:01,159 --> 00:40:05,199
all wonderful people. Is if you get three intelligence analysts

678
00:40:05,199 --> 00:40:07,440
in a room and if they're talking about something, if

679
00:40:07,440 --> 00:40:10,559
they all agree, they know they need to redo it.

680
00:40:11,320 --> 00:40:13,800
And I think that's something that we need to have

681
00:40:14,159 --> 00:40:21,679
in cyber is that skepticism of our own analysis and

682
00:40:21,719 --> 00:40:24,679
that we shouldn't all necessarily agree, but we should have

683
00:40:24,719 --> 00:40:27,440
a defined process by which we make a determination. And

684
00:40:27,480 --> 00:40:30,320
this is in the intelligence community. It's called the intelligence cycle,

685
00:40:30,920 --> 00:40:35,280
where we can ingest facts. And in cybersecurity you'll hear

686
00:40:35,320 --> 00:40:39,039
that sold as cyber intelligence. No, it's not. It's not intelligence,

687
00:40:39,079 --> 00:40:42,159
it's a product. You're buying some facts about what threat

688
00:40:42,199 --> 00:40:45,880
actors might be doing. You need to contextualize that using

689
00:40:45,960 --> 00:40:49,960
the intelligence cycle to figure out is this applicable to us?

690
00:40:50,159 --> 00:40:52,920
And then how applicable is it to us? And then

691
00:40:53,320 --> 00:40:55,199
what are we going to do about that based on

692
00:40:55,280 --> 00:40:59,039
that information. So to your example of turning a city

693
00:40:59,079 --> 00:41:02,159
into a crater, something that we've often seen in cyber

694
00:41:02,400 --> 00:41:07,320
lately and in OT is attacks on water systems,

695
00:41:07,360 --> 00:41:11,360
whether it's Oldsmar, Florida, which turned out to be an

696
00:41:11,360 --> 00:41:13,800
old goal, an own goal, or that thing that happened

697
00:41:14,000 --> 00:41:17,239
up in New York where somebody from Russia allegedly got

698
00:41:17,280 --> 00:41:20,159
in and was able to move a dial one way

699
00:41:20,280 --> 00:41:23,920
or the other. I think that the question becomes, what's

700
00:41:23,960 --> 00:41:27,119
the realistic threat here? What is the threat intelligence saying?

701
00:41:27,760 --> 00:41:31,159
And uniformly, if we go out and trawl what's going on,

702
00:41:31,800 --> 00:41:35,679
it's pre-positioning. There's not some adversary out there right now

703
00:41:35,719 --> 00:41:38,039
who's saying cool, we're going to pop shells and start

704
00:41:38,159 --> 00:41:41,519
popping off dams and just releasing chemicals into the water supply,

705
00:41:41,599 --> 00:41:45,280
and we're going to start releasing all this floodwater into

706
00:41:45,320 --> 00:41:49,079
these rivers or these municipal systems. Now, what they're trying

707
00:41:49,079 --> 00:41:51,519
to do is just establish a foothold. That's what most

708
00:41:51,519 --> 00:41:54,159
of the threat intelligence would tell us today about what

709
00:41:54,239 --> 00:41:56,960
adversarial nation states are doing. And if you go look

710
00:41:57,000 --> 00:42:00,039
at, like, the commercial threat intelligence about what the

711
00:42:00,320 --> 00:42:04,360
non-espionage, non-state-based actors are doing, your criminal gangs,

712
00:42:04,880 --> 00:42:07,679
none of them are getting excited about ransomwaring a

713
00:42:07,800 --> 00:42:11,639
dam and saying cool, nobody can have water anymore. Because

714
00:42:11,679 --> 00:42:14,639
I think at some point you breach a level of

715
00:42:14,760 --> 00:42:21,679
norms where you're going to get a more comprehensive response

716
00:42:21,920 --> 00:42:25,599
from a government entity than we typically would associate with

717
00:42:25,639 --> 00:42:28,079
cyber, which would be like, we'll sanction you. I think

718
00:42:28,119 --> 00:42:30,719
if somebody were to shut off the water supply for

719
00:42:30,800 --> 00:42:36,119
a major city, they'd probably have agents in-country at

720
00:42:36,159 --> 00:42:40,199
their various residences and businesses having a very stern talking

721
00:42:40,239 --> 00:42:42,719
to with them, to put it mildly, and I think

722
00:42:42,719 --> 00:42:46,239
that as leaders who are evaluating these risks, if we're

723
00:42:46,239 --> 00:42:49,239
not looking at threat intelligence, if we're working at any

724
00:42:49,400 --> 00:42:52,760
level of mature organization and we're not looking at facts

725
00:42:52,800 --> 00:42:54,760
of what's going on in the world that are being

726
00:42:54,880 --> 00:42:58,079
packaged up and then applying our own intelligence cycle to us,

727
00:42:58,559 --> 00:43:03,280
I think that can lead to overreacting or underreacting if

728
00:43:03,280 --> 00:43:06,239
you don't know what's going on. Like, think of it

729
00:43:06,280 --> 00:43:08,760
this way. If you go out of your house. Now,

730
00:43:08,800 --> 00:43:12,039
I'm not a person who I live in the Pacific Northwest,

731
00:43:12,079 --> 00:43:15,000
so for me, taking an umbrella out isn't something that

732
00:43:15,039 --> 00:43:17,400
we do here. So me, I look out the door

733
00:43:17,440 --> 00:43:19,360
and I go, huh, it might not be raining right now.

734
00:43:19,400 --> 00:43:21,639
I'm not going to take an umbrella. But I've traveled

735
00:43:21,639 --> 00:43:24,440
in other parts of the world where umbrellas are very normal.

736
00:43:24,960 --> 00:43:27,360
If you don't check the weather. If you're a person

737
00:43:27,400 --> 00:43:30,360
who likes having an umbrella and you don't check the weather,

738
00:43:30,400 --> 00:43:32,239
and you go out of the house and you're like, darn,

739
00:43:32,239 --> 00:43:34,800
I don't have an umbrella and I wanted to have

740
00:43:34,840 --> 00:43:37,480
one with me, it's pretty much the same process of

741
00:43:37,599 --> 00:43:40,760
if you don't check cyber threat intelligence, you don't know

742
00:43:40,800 --> 00:43:43,320
what the adversaries are up to on a given duration

743
00:43:43,440 --> 00:43:46,199
of time. They seem to have, I don't know if

744
00:43:46,239 --> 00:43:48,280
it's agile that they're following at this point or if

745
00:43:48,280 --> 00:43:51,760
it's still on a quarterly sprint basis for targeting. But

746
00:43:51,880 --> 00:43:54,239
if you aren't aware of what they're doing and then

747
00:43:54,320 --> 00:43:58,880
later something bad happens, the proverbial it rains. You're gonna say, well, geez,

748
00:43:58,920 --> 00:44:01,079
I wish I knew that. And that's what we

749
00:44:01,079 --> 00:44:04,039
get out of cyber threat intelligence is that perspective of

750
00:44:04,639 --> 00:44:07,840
here's what's being seen at the telemetry level, here's how

751
00:44:07,880 --> 00:44:11,199
we can apply that to our own organizations, and if

752
00:44:11,679 --> 00:44:15,400
we learn something from that, then that's an opportunity to

753
00:44:15,679 --> 00:44:19,360
use our risk assessment process and say we have new intel.

754
00:44:20,320 --> 00:44:24,159
The threat has changed, the probability has changed, the impact

755
00:44:24,159 --> 00:44:26,880
has changed, whatever it might be and then rerun the

756
00:44:26,920 --> 00:44:29,360
exercise and say, do we still feel good about our

757
00:44:29,400 --> 00:44:31,679
previous judgment of this, which could have been like, hey

758
00:44:31,679 --> 00:44:34,199
we'll buy insurance, or hey we'll apply some controls, or hey,

759
00:44:34,199 --> 00:44:36,840
that's an acceptable risk. But again we have to take

760
00:44:36,880 --> 00:44:39,159
that and follow our process. We can't just make a

761
00:44:39,239 --> 00:44:43,239
unilateral decision unless it's something where it's such a self

762
00:44:43,320 --> 00:44:46,199
evident thing like hey, the city will turn into a crater.

763
00:44:47,119 --> 00:44:49,039
That's one where you don't usually have to run the

764
00:44:49,039 --> 00:44:51,519
whole process. You say, yeah, let's put in

765
00:44:51,679 --> 00:44:56,239
place defense in depth in order to prevent that problem

766
00:44:56,599 --> 00:44:57,519
from materializing.

767
00:45:00,559 --> 00:45:05,079
Speaker 3: So, Nate, I asked about that really high consequence event,

768
00:45:05,239 --> 00:45:07,440
you know, turning a city into a crater with a

769
00:45:07,880 --> 00:45:13,280
military industrial based development, and you know, he talked about

770
00:45:13,360 --> 00:45:15,559
threat intel for a while, but he came back to

771
00:45:15,599 --> 00:45:18,679
the crater example, and what I heard him say was, look,

772
00:45:19,159 --> 00:45:24,440
when it's that consequential, ninety nine times out of one hundred,

773
00:45:24,519 --> 00:45:26,440
you have to do something. You've got to put some

774
00:45:26,480 --> 00:45:28,679
defense in depth in And this is what I see

775
00:45:28,679 --> 00:45:33,119
in the industrial space. When you've got really serious physical consequences,

776
00:45:33,639 --> 00:45:38,039
you have to do something. And you know, for lesser consequences,

777
00:45:39,360 --> 00:45:41,000
what I heard him say was, you have to have

778
00:45:41,039 --> 00:45:43,320
a process, and this makes sense. You have to have

779
00:45:43,360 --> 00:45:47,920
a process. Use the process, use it consistently, document the results,

780
00:45:48,519 --> 00:45:51,639
have the you know, the decision makers sign off on

781
00:45:51,679 --> 00:45:56,480
the results. This might, you know, I'm guessing, might tend

782
00:45:56,519 --> 00:45:58,679
to make the decision makers just a little bit more

783
00:45:58,719 --> 00:46:02,280
cautious because it's their name going on the decision. But

784
00:46:02,639 --> 00:46:05,000
you know, they make these decisions. This is this is

785
00:46:05,000 --> 00:46:07,480
their business, this is their living. They make business decisions

786
00:46:07,480 --> 00:46:09,639
for a living. But you know, it makes sense to

787
00:46:09,679 --> 00:46:12,119
have a process and document the results.

788
00:46:13,000 --> 00:46:15,639
Speaker 2: Although he was putting a lot of emphasis there on

789
00:46:16,960 --> 00:46:21,760
beyond that, just keeping up with cyber threat intel. I

790
00:46:21,920 --> 00:46:24,440
like to hear that. It's how I get my checks paid.

791
00:46:25,559 --> 00:46:28,280
Sometimes I do wonder whether everybody needs to know about

792
00:46:28,320 --> 00:46:34,039
the latest because defenses sometimes stay pretty sturdy. But in general,

793
00:46:34,239 --> 00:46:38,320
keeping up to date is important for most, absolutely.

794
00:46:39,159 --> 00:46:44,679
Speaker 3: You know, I read the publications. I read what the

795
00:46:44,679 --> 00:46:48,039
government agencies produce in terms of threat intel. You know,

796
00:46:48,079 --> 00:46:52,320
Waterfall puts together an annual threat report talking about the

797
00:46:52,360 --> 00:46:57,519
threat environment. You have to keep up with what the

798
00:46:57,559 --> 00:47:00,000
bad guys are capable of, and you have to keep

799
00:47:00,239 --> 00:47:03,599
up with your best estimate of you know what today's

800
00:47:03,760 --> 00:47:08,599
motivations are. You know, you've heard me say many times

801
00:47:08,800 --> 00:47:14,320
experts disagree. We've talked about some of that in this episode.

802
00:47:14,920 --> 00:47:20,360
Very often the big thing they disagree about is the adversary,

803
00:47:20,519 --> 00:47:25,920
the capabilities of the adversary, the motivations of the adversary.

804
00:47:26,000 --> 00:47:30,159
They disagree about the meaning of the threat intel. So

805
00:47:30,360 --> 00:47:33,880
but you know, without the raw data there, without the

806
00:47:33,920 --> 00:47:36,199
threat intel, you've got nothing to argue about. So, yeah,

807
00:47:36,199 --> 00:47:38,960
it is important, and as far as I know, everybody

808
00:47:39,000 --> 00:47:44,119
follows it, lots of food for thought there. I will

809
00:47:44,119 --> 00:47:45,920
be thinking about, you know what you said in this

810
00:47:45,960 --> 00:47:50,400
episode before I let you go. You know, I'm also

811
00:47:50,480 --> 00:47:54,599
an author. You're an author, you're working on your

812
00:47:54,679 --> 00:47:58,519
latest book, you're negotiating with a publisher. How's that going?

813
00:47:58,599 --> 00:48:00,320
Is there? You know, is there any advice you'd like

814
00:48:00,400 --> 00:48:02,800
to give to other would be authors in the audience?

815
00:48:03,960 --> 00:48:07,719
Speaker 1: Yeah? So I think that the two things that really

816
00:48:07,880 --> 00:48:13,039
come to mind, possibly a third. First of all, go

817
00:48:13,119 --> 00:48:15,679
get an overview of how to get a book published.

818
00:48:15,719 --> 00:48:18,679
Go find an overview. Don't just ask an AI, hey

819
00:48:18,719 --> 00:48:21,159
how do I get a book published? But actually go

820
00:48:21,199 --> 00:48:24,119
figure out, like what is the overall process. And I

821
00:48:24,159 --> 00:48:27,000
say that because when I launched in, I opened up

822
00:48:27,039 --> 00:48:30,000
Notepad and I started writing, and I mean Notepad.exe

823
00:48:30,039 --> 00:48:33,719
on Windows, because I really can't handle the red

824
00:48:33,760 --> 00:48:36,039
squiggly underline that tells me that I made a typo.

825
00:48:36,480 --> 00:48:38,079
I just figured, you know why, I'll get the words

826
00:48:38,079 --> 00:48:40,800
out and then we'll deal with it. It turns out

827
00:48:40,840 --> 00:48:43,239
that is not a great strategy for doing any kind

828
00:48:43,280 --> 00:48:48,360
of large scale content like book length stuff. And the

829
00:48:48,400 --> 00:48:52,079
second thing I'd say is choose a tool that's going

830
00:48:52,119 --> 00:48:56,559
to meet your needs, but don't over rotate on that tool.

831
00:48:57,079 --> 00:49:00,119
And the interesting thing on that is that in looking

832
00:49:00,239 --> 00:49:04,760
at the book publishing market, there are a lot of

833
00:49:05,119 --> 00:49:08,599
tools available. Now I'm just using bog standard Microsoft Word

834
00:49:08,679 --> 00:49:12,400
because I am secretly boring, and also because it does

835
00:49:12,440 --> 00:49:14,679
references quite well. It turns out I hadn't known that

836
00:49:14,719 --> 00:49:16,480
when I started. But there are a lot of other

837
00:49:16,519 --> 00:49:19,360
tools out there that you can spend money on and

838
00:49:19,639 --> 00:49:22,320
that will help you write a book and that help

839
00:49:22,400 --> 00:49:25,679
with formatting stuff. Here's the trick to it. All of

840
00:49:25,679 --> 00:49:27,760
those would like to charge you money, and none of

841
00:49:27,760 --> 00:49:29,800
them would like to guarantee that you're actually going to

842
00:49:29,800 --> 00:49:32,159
get a book out of the end, and I think

843
00:49:32,199 --> 00:49:34,079
that that's one of the things that we often see

844
00:49:34,119 --> 00:49:37,840
in cybersecurity, where there are a lot of folks kind

845
00:49:37,840 --> 00:49:39,880
of like the Alaskan gold rush, the folks who were

846
00:49:39,880 --> 00:49:43,119
making money were the people selling the pickaxes and shovels.

847
00:49:43,519 --> 00:49:45,840
In cybersecurity, there are a lot of vendors that are

848
00:49:46,119 --> 00:49:49,480
selling security solutions and not guaranteeing outcomes. And in the

849
00:49:49,480 --> 00:49:52,079
book publishing world, pretty much the same thing. There are

850
00:49:52,079 --> 00:49:53,800
a lot of different things you could use to write

851
00:49:53,800 --> 00:49:57,639
your book. Pick one, work with it, and hope that

852
00:49:57,679 --> 00:50:00,960
it's cost-effective, because they're not guaranteeing that at any

853
00:50:00,960 --> 00:50:04,440
time you'll ever actually get a book published. Rather, they're

854
00:50:04,440 --> 00:50:06,519
just guaranteeing they're selling you a tool that you could

855
00:50:06,599 --> 00:50:09,039
use to write some words down in a consistent format.

856
00:50:09,320 --> 00:50:13,320
And again, don't use Notepad, because it was one

857
00:50:13,320 --> 00:50:15,119
of my lessons learned. Well.

858
00:50:15,159 --> 00:50:17,880
Speaker 3: Thank you, Kayne, for joining us. This is certainly, as

859
00:50:17,920 --> 00:50:20,360
I said, something I'm going to be thinking about before

860
00:50:20,400 --> 00:50:22,320
I let you go. Can you sum up for us

861
00:50:22,360 --> 00:50:24,639
what should we take away from this episode?

862
00:50:25,159 --> 00:50:28,960
Speaker 1: I'd say there's two things really. The first is that

863
00:50:29,000 --> 00:50:32,320
cyber risk is a myth, and that CISOs and other

864
00:50:32,360 --> 00:50:37,159
senior security leaders really need to tie their security initiatives

865
00:50:37,719 --> 00:50:43,360
to business risks and also business enablement, so that we're

866
00:50:43,360 --> 00:50:46,079
actually helping the business to function in spite of being

867
00:50:46,159 --> 00:50:49,599
in an elevated risk or threat environment. I think that's

868
00:50:49,840 --> 00:50:52,440
the first thing, and then the other thing is we

869
00:50:52,519 --> 00:50:56,079
need to stop doing security for security's sake. Like I

870
00:50:56,119 --> 00:50:59,599
mentioned with the Alaskan gold rush analogy, the folks who

871
00:50:59,599 --> 00:51:02,320
are making money in here, those tools vendors, they're not

872
00:51:02,360 --> 00:51:05,719
guaranteeing outcomes. We need to make sure that those tools

873
00:51:05,719 --> 00:51:09,079
that we're selecting, those controls that we're selecting tie back

874
00:51:09,119 --> 00:51:12,639
to either business enablement or to business risk. And if

875
00:51:12,639 --> 00:51:15,119
you'd like to learn more about this, or alternatively, if

876
00:51:15,159 --> 00:51:17,960
you have insomnia, please follow me on LinkedIn. I am

877
00:51:18,360 --> 00:51:21,280
Kayne McGladrey. Thanks, Mom and Dad, for the unique name.

878
00:51:21,320 --> 00:51:24,360
There is exactly one Kayne McGladrey on LinkedIn. And if

879
00:51:24,400 --> 00:51:26,880
you'd like to find out what I'm doing at Hyperproof

880
00:51:26,960 --> 00:51:30,920
for intelligent risk and compliance management, check us out at

881
00:51:31,039 --> 00:51:33,880
hyperproof.io. And finally, I want to thank the

882
00:51:33,920 --> 00:51:36,960
IEEE, the Institute of Electrical and Electronics Engineers, for

883
00:51:38,280 --> 00:51:41,159
the fantastic work that they're doing in creating

884
00:51:41,199 --> 00:51:45,639
a lot of thoughtful standards around cyber risk management and

885
00:51:45,800 --> 00:51:49,119
how to best address some of these new emerging risks.

886
00:51:52,039 --> 00:51:56,719
Speaker 2: Andrew, that just concludes your interview with Kayne. We have

887
00:51:56,880 --> 00:52:00,079
talked a lot on the show about risk. Is

888
00:52:00,079 --> 00:52:03,039
there anything new for you to say about it to

889
00:52:03,079 --> 00:52:04,559
close out our episode today?

890
00:52:05,280 --> 00:52:09,880
Speaker 3: Absolutely. I mean, one thing I got from Kayne here is,

891
00:52:10,119 --> 00:52:13,760
you know, he's writing a book on risk, saying we

892
00:52:13,800 --> 00:52:17,840
should all stop talking about risk. And I'm reminded now,

893
00:52:17,840 --> 00:52:19,639
I can't remember if it was Doug Lease or Tim

894
00:52:19,679 --> 00:52:22,840
McCrae on an earlier episode, but you know they said, look,

895
00:52:22,880 --> 00:52:24,559
most people talk about risk and they don't even know

896
00:52:24,599 --> 00:52:28,039
what it is. What's the definition of risk. It's the

897
00:52:28,119 --> 00:52:33,239
effect of uncertainty on the mission of the business or

898
00:52:33,239 --> 00:52:37,239
of the organization in this case of business. And what

899
00:52:37,280 --> 00:52:40,599
I hear Kayne saying is, you know he's talking about

900
00:52:40,760 --> 00:52:44,000
don't use the word risk one hundred times in a

901
00:52:44,119 --> 00:52:48,760
twenty minute presentation. Talk about the mission of the business,

902
00:52:49,000 --> 00:52:52,360
talk about the uncertainties that business faces, talk about the

903
00:52:52,400 --> 00:52:56,480
effect of uncertainty on the business. That is going to

904
00:52:56,519 --> 00:53:00,199
get you farther with business decision makers. So that makes

905
00:53:00,239 --> 00:53:03,639
a lot of sense to me. Sort of, that's in

906
00:53:03,679 --> 00:53:07,039
the abstract. In the concrete, I especially liked the idea

907
00:53:07,199 --> 00:53:11,840
about getting a quote for insurance, using insurance as a

908
00:53:11,840 --> 00:53:17,159
way to quantify risk, because everybody struggles with low frequency. Okay,

909
00:53:17,159 --> 00:53:19,960
it never happened before, or happened once before, once in

910
00:53:19,960 --> 00:53:24,760
the world eight years ago, low frequency high impact events

911
00:53:25,000 --> 00:53:28,199
you know, hole in the ground, or, you know,

912
00:53:28,400 --> 00:53:32,440
mass casualty event, low frequency high impact events. Nobody knows.

913
00:53:32,519 --> 00:53:35,880
Everyone argues over these things. Here's a way to turn

914
00:53:35,920 --> 00:53:41,039
that argument into an ROI calculation. Get a quote for insurance.

915
00:53:41,880 --> 00:53:44,119
See how big that quote is. Take that number off

916
00:53:44,159 --> 00:53:46,519
of your earnings for the, you know, even if

917
00:53:46,559 --> 00:53:49,840
it's just a paper calculation, you know your bonus is

918
00:53:50,280 --> 00:53:54,239
less by that much because what you would have paid

919
00:53:54,320 --> 00:53:56,719
for in insurance, even if the company is

920
00:53:56,800 --> 00:54:00,679
big enough to self-insure, you should still be accounting

921
00:54:01,159 --> 00:54:04,519
for the premium, the policy premium that an insurer would

922
00:54:04,599 --> 00:54:08,719
have charged you, because you know, that's sort of a

923
00:54:08,760 --> 00:54:13,280
liability the company is building up. It will bite them eventually,

924
00:54:14,320 --> 00:54:16,199
and this is a way to account for that. And

925
00:54:16,239 --> 00:54:19,400
that sort of makes, uh, that's a way to do

926
00:54:20,199 --> 00:54:24,360
ROI in this very difficult space of low frequency, high

927
00:54:24,400 --> 00:54:27,119
impact events. So I like that insight. I'm going to

928
00:54:27,199 --> 00:54:27,960
use that in the future.

929
00:54:28,599 --> 00:54:31,559
Speaker 2: Well, thank you to Cain for sharing that with us.

930
00:54:31,559 --> 00:54:33,760
And Andrew, as always, thank you for speaking.

931
00:54:34,639 --> 00:54:35,519
Speaker 3: It's always a pleasure.

932
00:54:35,519 --> 00:54:36,000
Speaker 1: Thank you.

933
00:54:36,480 --> 00:54:40,800
Speaker 2: This has been the Industrial Security podcast from Waterfall. Thanks

934
00:54:40,800 --> 00:54:46,039
to everyone out there listening.

