WEBVTT

1
00:00:00.160 --> 00:00:03.200
<v Speaker 1>Welcome to the deep dive. Today. We're jumping into a

2
00:00:03.240 --> 00:00:06.440
<v Speaker 1>subject that's well, it's really moved beyond the server room.

3
00:00:06.440 --> 00:00:09.880
<v Speaker 1>We're talking cybersecurity for business, right and it's not just

4
00:00:09.919 --> 00:00:13.080
<v Speaker 1>about tech anymore, is it. It's really fundamental to how

5
00:00:13.119 --> 00:00:16.879
<v Speaker 1>businesses work today, how they compete, even our national security

6
00:00:16.879 --> 00:00:17.559
<v Speaker 1>in some ways.

7
00:00:18.000 --> 00:00:21.480
<v Speaker 2>That's spot on. And our guide for this is a

8
00:00:21.519 --> 00:00:26.559
<v Speaker 2>really fascinating book, Cybersecurity for Business. It pulls together insights

9
00:00:26.600 --> 00:00:29.160
<v Speaker 2>from some real heavy hitters.

10
00:00:29.280 --> 00:00:31.440
<v Speaker 1>Yeah, like who? Well.

11
00:00:31.239 --> 00:00:34.600
<v Speaker 2>You've got contributions from a former head of US Cyber Command,

12
00:00:34.960 --> 00:00:39.320
<v Speaker 2>a former Deputy Undersecretary for cybersecurity. People who've really seen

13
00:00:39.320 --> 00:00:40.119
<v Speaker 2>this from the top down.

14
00:00:40.240 --> 00:00:42.840
<v Speaker 1>Wow. Okay, so serious expertise.

15
00:00:43.079 --> 00:00:43.600
<v Speaker 2>Definitely.

16
00:00:43.679 --> 00:00:45.840
<v Speaker 1>So for you the learner, our mission here is to

17
00:00:46.000 --> 00:00:49.280
<v Speaker 1>kind of boil this down, pull out the absolute must

18
00:00:49.320 --> 00:00:51.640
<v Speaker 1>know insights from this comprehensive guide.

19
00:00:51.719 --> 00:00:53.880
<v Speaker 2>Yeah, give you a shortcut basically, help you understand this

20
00:00:53.920 --> 00:00:57.439
<v Speaker 2>complex cybersecurity world in a business context without you know,

21
00:00:57.520 --> 00:00:59.399
<v Speaker 2>getting totally bogged down in technical details.

22
00:00:59.399 --> 00:01:02.399
<v Speaker 1>Okay, to kick things off. The book apparently starts with a pretty

23
00:01:02.399 --> 00:01:03.719
<v Speaker 1>powerful quote.

24
00:01:03.640 --> 00:01:09.519
<v Speaker 2>It does, from General (retired) Keith Alexander. He says, very bluntly,

25
00:01:10.599 --> 00:01:15.359
<v Speaker 2>cybersecurity is national security. The only way to effectively protect

26
00:01:15.400 --> 00:01:17.840
<v Speaker 2>ourselves is through a collective defense model.

27
00:01:17.959 --> 00:01:21.680
<v Speaker 1>Hmmm, collective defense. That sets a high bar. What does

28
00:01:21.719 --> 00:01:23.319
<v Speaker 1>that mean for a typical company.

29
00:01:23.799 --> 00:01:26.599
<v Speaker 2>It means it's not just the IT department's problem anymore.

30
00:01:26.799 --> 00:01:30.200
<v Speaker 2>That's the core message. Really. The book stresses that protection

31
00:01:30.319 --> 00:01:34.400
<v Speaker 2>today needs everyone involved, the whole organization.

32
00:01:33.959 --> 00:01:36.760
<v Speaker 1>From the board down to, well, everyone. Exactly.

33
00:01:36.920 --> 00:01:39.159
<v Speaker 2>Yeah, and they don't pull any punches. The very first

34
00:01:39.239 --> 00:01:42.519
<v Speaker 2>chapter title is cybersecurity is not an IT issue.

35
00:01:42.680 --> 00:01:43.760
<v Speaker 1>Okay, that's pretty direct.

36
00:01:43.840 --> 00:01:46.359
<v Speaker 2>It signals a really big shift in thinking, doesn't it.

37
00:01:46.359 --> 00:01:47.959
<v Speaker 1>It does. It seems like we went through a phase

38
00:01:47.959 --> 00:01:50.920
<v Speaker 1>where people tried to teach boards of directors all the

39
00:01:50.959 --> 00:01:52.000
<v Speaker 1>IT specifics.

40
00:01:52.319 --> 00:01:54.799
<v Speaker 2>Yeah, and the book points out that often didn't Well,

41
00:01:54.840 --> 00:01:55.719
<v Speaker 2>it didn't really work.

42
00:01:56.000 --> 00:01:57.319
<v Speaker 1>Why not? Too technical?

43
00:01:57.480 --> 00:02:00.799
<v Speaker 2>Exactly. Too technical, too disconnected from what boards actually focus

44
00:02:00.840 --> 00:02:02.879
<v Speaker 2>on the business side of things. They mentioned the whole

45
00:02:03.200 --> 00:02:06.719
<v Speaker 2>Y2K bug era as an example. It was

46
00:02:06.760 --> 00:02:09.759
<v Speaker 2>focused on the code the fixes, but a lot of

47
00:02:09.800 --> 00:02:13.039
<v Speaker 2>board members they struggled to see how that translated into

48
00:02:13.159 --> 00:02:17.680
<v Speaker 2>real business risk or opportunity. The communication just wasn't there.

49
00:02:17.879 --> 00:02:20.599
<v Speaker 1>So what changed? How do you get the board engaged now?

50
00:02:20.960 --> 00:02:26.759
<v Speaker 2>You talk their language business language, things like innovation, growth, profitability,

51
00:02:26.800 --> 00:02:30.560
<v Speaker 2>P/E ratios, bottom line stuff. Precisely. So now it's about

52
00:02:30.639 --> 00:02:35.479
<v Speaker 2>enabling boards to ask the right questions, business focus questions about.

53
00:02:35.439 --> 00:02:38.080
<v Speaker 1>Cyber risk, like if we're launching a new product, what

54
00:02:38.159 --> 00:02:39.639
<v Speaker 1>are the cyber implications exactly?

55
00:02:39.759 --> 00:02:43.280
<v Speaker 2>Or if we're acquiring another company, what's their cybersecurity situation?

56
00:02:43.360 --> 00:02:46.159
<v Speaker 2>Really like it has to be part of that core

57
00:02:46.199 --> 00:02:48.080
<v Speaker 2>business discussion, not an afterthought.

58
00:02:48.360 --> 00:02:51.520
<v Speaker 1>Makes sense. And is this linking into those broader corporate

59
00:02:51.560 --> 00:02:53.759
<v Speaker 1>responsibility frameworks too like ESG?

60
00:02:54.159 --> 00:02:57.840
<v Speaker 2>It is. Yeah. The book definitely highlights that embedding cybersecurity

61
00:02:57.840 --> 00:03:01.439
<v Speaker 2>into the Environmental, Social and Governance ESG framework is becoming

62
00:03:01.479 --> 00:03:05.199
<v Speaker 2>more important. Interesting. Larry Fink at BlackRock, for instance, has

63
00:03:05.240 --> 00:03:08.520
<v Speaker 2>been quite vocal about this, saying, you know, digital resilience

64
00:03:08.599 --> 00:03:10.840
<v Speaker 2>is a key part of long term value, just like

65
00:03:10.960 --> 00:03:12.039
<v Speaker 2>environmental factors.

66
00:03:12.400 --> 00:03:14.680
<v Speaker 1>Okay, so it's a whole company issue. Let's drill down

67
00:03:14.680 --> 00:03:17.199
<v Speaker 1>on the board of directors. Then chapter two seems to

68
00:03:17.240 --> 00:03:19.319
<v Speaker 1>lay out their specific responsibilities.

69
00:03:19.439 --> 00:03:22.759
<v Speaker 2>It does. Yeah, five key ideas for boards. First one

70
00:03:22.840 --> 00:03:26.240
<v Speaker 2>is pretty fundamental. They need to actively work with the

71
00:03:26.319 --> 00:03:29.560
<v Speaker 2>executive team. Oh so to build a culture of security

72
00:03:30.080 --> 00:03:34.000
<v Speaker 2>and also to provide real effective oversight. It's not just

73
00:03:34.039 --> 00:03:39.439
<v Speaker 2>signing off on budgets. It's about collaboration and informed guidance.

74
00:03:39.599 --> 00:03:42.680
<v Speaker 1>So not passive acceptance, active engagement.

75
00:03:42.879 --> 00:03:45.879
<v Speaker 2>Right. And the second point builds on that cybersecurity has

76
00:03:45.919 --> 00:03:49.120
<v Speaker 2>to be integrated into all business decisions enterprise wide.

77
00:03:49.240 --> 00:03:50.879
<v Speaker 1>No more silos, absolutely not.

78
00:03:50.919 --> 00:03:52.759
<v Speaker 2>It can't be treated as this separate thing over in

79
00:03:52.840 --> 00:03:53.639
<v Speaker 2>the corner.

80
00:03:53.439 --> 00:03:56.840
<v Speaker 1>Which logically brings up the legal side. I guess boards

81
00:03:56.879 --> 00:03:58.639
<v Speaker 1>must worry about the fallout from a breach.

82
00:03:59.039 --> 00:04:02.599
<v Speaker 2>They certainly should. The third point is exactly that directors

83
00:04:02.639 --> 00:04:06.400
<v Speaker 2>need a solid grasp of the legal implications, like what specifically,

84
00:04:06.479 --> 00:04:10.319
<v Speaker 2>things like public disclosure rules if there's a breach, privacy laws,

85
00:04:10.439 --> 00:04:14.800
<v Speaker 2>data protection regulations, GDPR or CCPA, you name it, information

86
00:04:14.840 --> 00:04:18.120
<v Speaker 2>sharing requirements protecting critical infrastructure if that applies.

87
00:04:18.360 --> 00:04:19.720
<v Speaker 1>That's a lot to track.

88
00:04:19.600 --> 00:04:22.680
<v Speaker 2>It is. And interestingly, the book cites a twenty twenty

89
00:04:22.720 --> 00:04:26.600
<v Speaker 2>survey only about what was it fourteen point eight percent

90
00:04:27.120 --> 00:04:31.079
<v Speaker 2>of US board members felt deeply informed about these legal bits.

91
00:04:31.279 --> 00:04:33.920
<v Speaker 1>Wow, less than fifteen percent. That's quite a gap.

92
00:04:34.079 --> 00:04:36.000
<v Speaker 2>It really is shows there's work to be done.

93
00:04:36.040 --> 00:04:37.920
<v Speaker 1>Okay, what's the fourth principle for boards?

94
00:04:38.360 --> 00:04:42.480
<v Speaker 2>Ensuring management sets up an effective enterprise risk management process

95
00:04:42.800 --> 00:04:47.720
<v Speaker 2>specifically for cybersecurity. ERM, but with a cyber lens.

96
00:04:47.519 --> 00:04:49.800
<v Speaker 1>A structured way to handle the risks exactly.

97
00:04:49.920 --> 00:04:52.519
<v Speaker 2>And this isn't just a US thing. The book mentions

98
00:04:52.560 --> 00:04:56.319
<v Speaker 2>international principles being developed based on global focus groups, so

99
00:04:56.360 --> 00:04:59.240
<v Speaker 2>there's a worldwide push for this kind of structured oversight.

100
00:04:59.279 --> 00:05:02.360
<v Speaker 2>And the fifth point, it comes back to culture. Boards

101
00:05:02.360 --> 00:05:05.399
<v Speaker 2>play a crucial role in actively promoting a security aware

102
00:05:05.439 --> 00:05:09.000
<v Speaker 2>culture throughout the entire organization. It reinforces that it's not

103
00:05:09.079 --> 00:05:12.959
<v Speaker 2>just tech, it's people. And PwC's Global Information Security Survey

104
00:05:13.120 --> 00:05:16.920
<v Speaker 2>apparently shows there's a growing expectation for executives to actually

105
00:05:16.959 --> 00:05:18.240
<v Speaker 2>meet these kinds of principles.

106
00:05:18.439 --> 00:05:21.519
<v Speaker 1>So the pressure is mounting from multiple directions. This really

107
00:05:21.600 --> 00:05:23.680
<v Speaker 1>drives home the point about breaking down silos.

108
00:05:24.040 --> 00:05:26.360
<v Speaker 2>It has to happen. The old way of keeping departments

109
00:05:26.399 --> 00:05:29.839
<v Speaker 2>separate just doesn't work in today's interconnected digital world. You

110
00:05:29.879 --> 00:05:30.639
<v Speaker 2>need collaboration.

111
00:05:31.079 --> 00:05:35.199
<v Speaker 1>The book mentions a governance, risk and reputation triangle. What's

112
00:05:35.240 --> 00:05:35.720
<v Speaker 1>that about?

113
00:05:35.839 --> 00:05:39.000
<v Speaker 2>Ah, yeah, that model. It basically highlights the need for

114
00:05:39.040 --> 00:05:42.600
<v Speaker 2>the board, the top leadership, CEO, c suite, and top

115
00:05:42.639 --> 00:05:47.000
<v Speaker 2>management to all be well synchronized on the same page

116
00:05:47.040 --> 00:05:49.240
<v Speaker 2>about strategy and risk, especially cyber risk.

117
00:05:49.519 --> 00:05:51.199
<v Speaker 1>So alignment is key.

118
00:05:51.279 --> 00:05:54.839
<v Speaker 2>Absolutely, and cyber risks can't be this standalone item. It

119
00:05:54.920 --> 00:05:57.360
<v Speaker 2>must be part of the overall risk management plan for

120
00:05:57.399 --> 00:05:57.959
<v Speaker 2>the whole company.

121
00:05:58.040 --> 00:06:00.759
<v Speaker 1>It sounds like communication breakdowns could be a major problem here.

122
00:06:00.759 --> 00:06:03.160
<v Speaker 2>Huge problem, and the book points to a twenty twenty

123
00:06:03.199 --> 00:06:07.279
<v Speaker 2>EY survey that found a sort of a systemic failure

124
00:06:07.319 --> 00:06:10.279
<v Speaker 2>in communication between the cybersecurity team and other parts of

125
00:06:10.319 --> 00:06:14.439
<v Speaker 2>the business. Who? Like marketing, HR, R&D, finance.

126
00:06:15.040 --> 00:06:19.079
<v Speaker 2>Basically everyone except IT generally reported low trust in collaboration

127
00:06:19.160 --> 00:06:20.439
<v Speaker 2>with the cyber folks. Ouch.

128
00:06:21.120 --> 00:06:21.800
<v Speaker 1>That's not good.

129
00:06:21.920 --> 00:06:25.079
<v Speaker 2>No, it creates massive blind spots. If marketing is launching

130
00:06:25.079 --> 00:06:27.399
<v Speaker 2>a new campaign using customer data and they haven't talked

131
00:06:27.439 --> 00:06:31.279
<v Speaker 2>to security about the risks, well you see the problem.

132
00:06:31.360 --> 00:06:33.759
<v Speaker 1>Yeah, leaving the door wide open exactly.

133
00:06:34.000 --> 00:06:37.279
<v Speaker 2>It's a major weakness. On a related note, though the

134
00:06:37.279 --> 00:06:41.600
<v Speaker 2>book does mention a positive trend CISOs, the chief information

135
00:06:41.680 --> 00:06:45.959
<v Speaker 2>security officers, are increasingly reporting to higher-ups, sometimes directly to

136
00:06:46.000 --> 00:06:46.839
<v Speaker 2>the CEO.

137
00:06:46.639 --> 00:06:48.399
<v Speaker 1>Which signals its importance, right? Right.

138
00:06:48.519 --> 00:06:51.920
<v Speaker 2>It shows cyber risk is being seen, finally, as a

139
00:06:51.959 --> 00:06:55.040
<v Speaker 2>top level business concern, not just a tech issue.

140
00:06:55.120 --> 00:06:58.399
<v Speaker 1>Okay, so if it's a business concern, how should leaders

141
00:06:58.600 --> 00:07:01.800
<v Speaker 1>think about cyber risk? It feels like it could be overwhelming.

142
00:07:02.120 --> 00:07:05.160
<v Speaker 2>That's a fair point. The book offers a really helpful

143
00:07:05.160 --> 00:07:07.800
<v Speaker 2>way to frame it. Don't think of cyber risk as

144
00:07:07.879 --> 00:07:10.519
<v Speaker 2>just a category of risk. Think of it as a quantity.

145
00:07:10.639 --> 00:07:13.959
<v Speaker 2>A quantity? How so? As a measure of potential harm,

146
00:07:14.279 --> 00:07:17.560
<v Speaker 2>specifically in financial terms related to your business mission. What's

147
00:07:17.639 --> 00:07:20.319
<v Speaker 2>the potential dollar impact if this system goes down or

148
00:07:20.439 --> 00:07:22.040
<v Speaker 2>that data gets breached.

149
00:07:21.800 --> 00:07:24.360
<v Speaker 1>Ah, putting a price tag on it. That definitely gets

150
00:07:24.360 --> 00:07:25.319
<v Speaker 1>attention exactly.

151
00:07:25.360 --> 00:07:29.079
<v Speaker 2>So, business leaders need basically three things. First, a way

152
00:07:29.120 --> 00:07:33.199
<v Speaker 2>to quantify that risk financially. Second, clear options for dealing

153
00:07:33.279 --> 00:07:38.399
<v Speaker 2>with it, remediation, risk transfer like insurance, maybe even accepting

154
00:07:38.439 --> 00:07:42.439
<v Speaker 2>some level of risk. And third, integrating that cyber risk

155
00:07:42.480 --> 00:07:44.720
<v Speaker 2>assessment with all the other business risks.

156
00:07:44.519 --> 00:07:48.279
<v Speaker 1>So you can make informed trade-offs about resources. Precisely,

157
00:07:48.360 --> 00:07:50.879
<v Speaker 1>how do you actually calculate that financial risk? Though it

158
00:07:50.920 --> 00:07:52.040
<v Speaker 1>seems tricky.

159
00:07:51.959 --> 00:07:55.879
<v Speaker 2>The modern approach, as the book lays it out, combines three things. First,

160
00:07:56.079 --> 00:07:59.519
<v Speaker 2>is your exposure profile, basically mapping out what you have

161
00:07:59.600 --> 00:08:03.040
<v Speaker 2>that's valuable or critical. Your annual revenue, where you operate,

162
00:08:03.160 --> 00:08:06.279
<v Speaker 2>key suppliers, what kind of data you hold, how much,

163
00:08:06.720 --> 00:08:10.240
<v Speaker 2>the value of your intellectual property. Understanding your footprint.

164
00:08:10.319 --> 00:08:12.160
<v Speaker 1>Okay, what do we need to protect? What's next?

165
00:08:12.399 --> 00:08:15.680
<v Speaker 2>Second, technical metrics. This is the data from your actual

166
00:08:15.720 --> 00:08:21.120
<v Speaker 2>security tools, vulnerability scans, compliance checks, security event logs, incident reports,

167
00:08:21.879 --> 00:08:24.120
<v Speaker 2>what your tech is telling you about your current state.

168
00:08:24.240 --> 00:08:25.639
<v Speaker 1>Got it? Technical reality.

169
00:08:25.879 --> 00:08:28.759
<v Speaker 2>And the third piece empirical data. And the book stresses

170
00:08:29.040 --> 00:08:32.039
<v Speaker 2>this is the real backbone. It means looking at real

171
00:08:32.080 --> 00:08:35.440
<v Speaker 2>world incidents. What's happening out there, what attack patterns are common,

172
00:08:35.720 --> 00:08:39.799
<v Speaker 2>what are the actual financial damages other similar organizations have suffered.

173
00:08:40.320 --> 00:08:44.120
<v Speaker 1>So combining your specific situation, your tech posture, and real

174
00:08:44.159 --> 00:08:45.279
<v Speaker 1>world incident costs.

175
00:08:44.960 --> 00:08:49.200
<v Speaker 2>Exactly. That empirical data provides the financial grounding. It

176
00:08:49.240 --> 00:08:53.039
<v Speaker 2>helps turn abstract threats into potential dollar figures.

177
00:08:52.960 --> 00:08:55.759
<v Speaker 1>And that financial view helps prioritize. Absolutely.

178
00:08:56.159 --> 00:08:59.399
<v Speaker 2>Leaders can then focus spending and effort where it actually

179
00:08:59.440 --> 00:09:02.759
<v Speaker 2>reduces the biggest potential financial hit. It helps make those

180
00:09:02.840 --> 00:09:05.600
<v Speaker 2>tough resource allocation decisions much clearer.

181
00:09:05.679 --> 00:09:08.200
<v Speaker 1>This sounds like something you'd need to do regularly, not

182
00:09:08.399 --> 00:09:08.879
<v Speaker 1>just once.

183
00:09:09.080 --> 00:09:14.279
<v Speaker 2>Oh definitely. The book emphasizes needing a standard, repeatable evaluation

184
00:09:14.440 --> 00:09:17.639
<v Speaker 2>process like financial reporting, right so you can track trends

185
00:09:17.639 --> 00:09:20.759
<v Speaker 2>over time, see if your risk posture is improving or worsening,

186
00:09:21.120 --> 00:09:25.399
<v Speaker 2>and adjust strategy. You need consistent data collection, a reliable

187
00:09:25.440 --> 00:09:28.799
<v Speaker 2>model or algorithm, integrity in the process so the results

188
00:09:28.799 --> 00:09:31.279
<v Speaker 2>are comparable, and clear reports for leadership.

189
00:09:31.559 --> 00:09:34.840
<v Speaker 1>Let's shift gears a bit to the human side of this.

190
00:09:34.919 --> 00:09:36.519
<v Speaker 1>Seems like people are often the weak link.

191
00:09:36.799 --> 00:09:40.480
<v Speaker 2>Unfortunately, that's a major theme. Yeah, malicious actors know this.

192
00:09:40.759 --> 00:09:44.600
<v Speaker 2>They're increasingly targeting the human element because frankly, it's often

193
00:09:44.639 --> 00:09:47.679
<v Speaker 2>easier than breaking through complex technical defenses.

194
00:09:48.039 --> 00:09:50.840
<v Speaker 1>And the book talks about different types of insider threats.

195
00:09:51.000 --> 00:09:56.720
<v Speaker 2>Right. It distinguishes between malicious insiders, people intentionally causing harm,

196
00:09:57.279 --> 00:10:01.639
<v Speaker 2>maybe for revenge or espionage, and negligent insiders. These are

197
00:10:01.679 --> 00:10:04.200
<v Speaker 2>the people who make honest mistakes, click on phishing links,

198
00:10:04.360 --> 00:10:09.120
<v Speaker 2>use weak passwords, lose laptops, basically poor security hygiene.

199
00:10:09.159 --> 00:10:10.399
<v Speaker 1>Any examples come to mind.

200
00:10:10.519 --> 00:10:12.679
<v Speaker 2>The book mentions a couple of dark ones. A VA

201
00:10:12.759 --> 00:10:16.279
<v Speaker 2>analyst's unencrypted laptop was stolen; it had data for over twenty

202
00:10:16.279 --> 00:10:19.240
<v Speaker 2>six million veterans on it. Wow. And a Facebook employee's

203
00:10:19.320 --> 00:10:23.600
<v Speaker 2>laptop theft compromised info for thousands of colleagues. Often it's

204
00:10:23.679 --> 00:10:26.639
<v Speaker 2>negligence rather than malice, but the impact could be just

205
00:10:26.639 --> 00:10:27.080
<v Speaker 2>as bad.

206
00:10:27.240 --> 00:10:30.039
<v Speaker 1>And that statistic about phishing emails is just mind blowing.

207
00:10:30.360 --> 00:10:34.799
<v Speaker 2>Over ninety percent of attacks starting with phishing. Yeah, yeah,

208
00:10:35.120 --> 00:10:39.320
<v Speaker 2>it really hammers home how vital employee awareness training is.

209
00:10:40.039 --> 00:10:42.960
<v Speaker 2>You can have the best tech, but one wrong click.

210
00:10:43.120 --> 00:10:46.480
<v Speaker 1>And the whole COVID pandemic. The massive shift to remote

211
00:10:46.480 --> 00:10:49.240
<v Speaker 1>work that must have just thrown gasoline on this fire.

212
00:10:49.320 --> 00:10:52.960
<v Speaker 2>Oh absolutely, Suddenly you had this explosion of remote access points.

213
00:10:53.200 --> 00:10:56.799
<v Speaker 2>The attack surface just ballooned overnight. The UN reported something

214
00:10:56.840 --> 00:10:59.120
<v Speaker 2>like a six hundred percent increase in phishing attacks during

215
00:10:59.159 --> 00:11:02.919
<v Speaker 2>that time. Everyone was scrambling to update security policies for remote work.

216
00:11:02.639 --> 00:11:04.639
<v Speaker 1>And HR's role became even more critical.

217
00:11:04.480 --> 00:11:09.600
<v Speaker 2>Hugely critical. Educating that dispersed workforce, trying to build

218
00:11:09.679 --> 00:11:12.440
<v Speaker 2>and maintain a security conscious culture when people aren't even

219
00:11:12.480 --> 00:11:14.879
<v Speaker 2>in the same building a massive challenge.

220
00:11:14.919 --> 00:11:18.399
<v Speaker 1>Okay, let's dive into the technical operation side. The demands

221
00:11:18.399 --> 00:11:20.919
<v Speaker 1>on those security teams must be immense.

222
00:11:20.600 --> 00:11:23.840
<v Speaker 2>Now they really are. Threats are getting more sophisticated, businesses

223
00:11:23.840 --> 00:11:27.080
<v Speaker 2>are digitizing everything. It's a constant battle. The SolarWinds

224
00:11:27.080 --> 00:11:29.080
<v Speaker 2>attack was a prime example of that complexity.

225
00:11:29.159 --> 00:11:32.240
<v Speaker 1>Yeah, that was huge. What are the absolute basics the

226
00:11:32.279 --> 00:11:35.519
<v Speaker 1>foundations for technical defense? Asset inventory?

227
00:11:36.080 --> 00:11:40.320
<v Speaker 2>It sounds simple, but knowing exactly what hardware, software, and

228
00:11:40.360 --> 00:11:44.360
<v Speaker 2>network addresses you have is critical. It's literally the first

229
00:11:44.360 --> 00:11:47.159
<v Speaker 2>two controls in the CIS Top twenty framework.

230
00:11:46.799 --> 00:11:49.360
<v Speaker 1>Can't protect what you don't know you have precisely.

231
00:11:49.720 --> 00:11:52.679
<v Speaker 2>The book also argues for a central security operations team,

232
00:11:53.000 --> 00:11:56.840
<v Speaker 2>ideally with some independence for efficiency and effective oversight across

233
00:11:56.879 --> 00:11:57.240
<v Speaker 2>the board.

234
00:11:57.440 --> 00:12:02.240
<v Speaker 1>What about industrial systems technology or OT? Is that different?

235
00:12:02.320 --> 00:12:05.480
<v Speaker 2>It often is managed differently. Yeah. Even though OT systems,

236
00:12:05.519 --> 00:12:09.320
<v Speaker 2>the tech controlling physical processes and factories, power grids, et cetera,

237
00:12:09.639 --> 00:12:11.320
<v Speaker 2>are increasingly connected.

238
00:12:10.879 --> 00:12:13.519
<v Speaker 1>To the main IT network, which sounds risky.

239
00:12:13.440 --> 00:12:15.840
<v Speaker 2>It can be a huge gap. The book mentions breaches

240
00:12:15.879 --> 00:12:19.879
<v Speaker 2>at Honda, Norsk Hydro, even Target, where OT vulnerabilities played

241
00:12:19.879 --> 00:12:23.039
<v Speaker 2>a role. You really need the same security rigor applied

242
00:12:23.080 --> 00:12:26.000
<v Speaker 2>to OT as to IT, and definitely network segmentation to

243
00:12:26.039 --> 00:12:27.399
<v Speaker 2>isolate critical systems.

244
00:12:27.679 --> 00:12:30.480
<v Speaker 1>So what does a strong technical prevention program look like?

245
00:12:30.639 --> 00:12:31.480
<v Speaker 1>Layer by layer?

246
00:12:31.720 --> 00:12:36.120
<v Speaker 2>Okay, several key parts. Network segmentation is crucial, using things

247
00:12:36.200 --> 00:12:39.080
<v Speaker 2>like containers to wall off different areas. Then you need

248
00:12:39.120 --> 00:12:43.200
<v Speaker 2>strong access control like bastion hosts acting as secure gateways,

249
00:12:43.519 --> 00:12:47.000
<v Speaker 2>always with multi-factor authentication, MFA, plus the usual network

250
00:12:47.039 --> 00:12:52.559
<v Speaker 2>security tools, intrusion detection and prevention systems, IDS/IPS, network access

251
00:12:52.559 --> 00:12:57.320
<v Speaker 2>control, NAC, to keep unauthorized devices off, web proxies for filtering,

252
00:12:57.720 --> 00:12:59.639
<v Speaker 2>and importantly, internal.

253
00:12:59.200 --> 00:13:01.440
<v Speaker 1>Red teams. That's ethical hackers, right?

254
00:13:01.519 --> 00:13:04.759
<v Speaker 2>Testing your defenses like a real attacker would, finding weaknesses

255
00:13:04.759 --> 00:13:05.639
<v Speaker 2>before the bad guys do.

256
00:13:05.799 --> 00:13:08.320
<v Speaker 1>And protecting the actual computers, the endpoints?

257
00:13:08.399 --> 00:13:12.159
<v Speaker 2>Yeah, host layer prevention. That includes data loss prevention, DLP,

258
00:13:12.559 --> 00:13:16.120
<v Speaker 2>tools to stop sensitive data leaving and standard workstation protection,

259
00:13:16.480 --> 00:13:20.720
<v Speaker 2>good anti-virus, anti-malware, full disk encryption, and crucially,

260
00:13:20.799 --> 00:13:24.759
<v Speaker 2>rigorous patch management. Keeping software up to date is non negotiable.

261
00:13:24.799 --> 00:13:27.360
<v Speaker 1>Okay, that's prevention. What about detection? How do you spot

262
00:13:27.399 --> 00:13:28.320
<v Speaker 1>something that gets through?

263
00:13:28.600 --> 00:13:31.320
<v Speaker 2>Detection relies on things like those IDS/IPS systems again,

264
00:13:31.799 --> 00:13:35.679
<v Speaker 2>but also security information and event management, SIEM, systems. Yeah,

265
00:13:35.679 --> 00:13:37.600
<v Speaker 2>they pull in logs from all over the network and

266
00:13:37.679 --> 00:13:41.519
<v Speaker 2>analyze them for suspicious patterns. Threat intelligence feeds are also vital,

267
00:13:41.600 --> 00:13:44.679
<v Speaker 2>keeping you updated on the latest attack techniques. But again

268
00:13:44.679 --> 00:13:48.320
<v Speaker 2>the book stresses, detection isn't just tech, it's everyone's job.

269
00:13:49.120 --> 00:13:52.120
<v Speaker 2>Training staff to spot and report phishing is a huge

270
00:13:52.120 --> 00:13:52.919
<v Speaker 2>part of detection.

271
00:13:53.480 --> 00:13:57.399
<v Speaker 1>Right, that "security is everyone's responsibility" mantra again. It seems

272
00:13:57.440 --> 00:14:00.960
<v Speaker 1>particularly relevant when things go wrong, which leads to incident response.

273
00:14:01.120 --> 00:14:04.279
<v Speaker 2>Absolutely critical. You will have incidents, so having a well

274
00:14:04.320 --> 00:14:08.279
<v Speaker 2>thought out, coordinated and regularly tested incident response plan, an

275
00:14:08.360 --> 00:14:12.480
<v Speaker 2>IRP, is non-negotiable. SolarWinds drove that home too.

276
00:14:12.440 --> 00:14:15.000
<v Speaker 1>The book says the process of building the plan is

277
00:14:15.039 --> 00:14:16.759
<v Speaker 1>as important as the plan itself.

278
00:14:16.840 --> 00:14:20.039
<v Speaker 2>Yeah, because it forces those conversations. Who needs to be involved,

279
00:14:20.120 --> 00:14:23.440
<v Speaker 2>what are their roles? What defines an incident? Going through

280
00:14:23.440 --> 00:14:27.159
<v Speaker 2>that process builds understanding and coordination before the crisis hits.

281
00:14:27.240 --> 00:14:29.240
<v Speaker 1>What should be in that plan or the playbook?

282
00:14:29.480 --> 00:14:34.919
<v Speaker 2>Key things include identifying all stakeholders, security, legal, the business units, communications,

283
00:14:35.000 --> 00:14:40.639
<v Speaker 2>regulatory contacts, clear definitions of incident types, clear roles, responsibilities,

284
00:14:40.759 --> 00:14:45.440
<v Speaker 2>and crucially, escalation paths, who calls whom, when. And testing it,

285
00:14:45.679 --> 00:14:50.039
<v Speaker 2>tabletop exercises are invaluable. Simulating an incident, walking through the

286
00:14:50.039 --> 00:14:53.320
<v Speaker 2>plan under pressure, you find the gaps, refine the process,

287
00:14:53.360 --> 00:14:56.879
<v Speaker 2>build muscle memory. It makes the real thing much less chaotic.

288
00:14:57.039 --> 00:15:00.279
<v Speaker 1>Should companies connect with law enforcement or experts before hand?

289
00:15:00.399 --> 00:15:04.919
<v Speaker 2>Definitely. Building relationships with the FBI, DHS, external forensic firms,

290
00:15:05.159 --> 00:15:10.639
<v Speaker 2>crisis comms experts, relevant regulators, SEC, FTC, industry bodies, before

291
00:15:10.639 --> 00:15:13.799
<v Speaker 2>you need them. That saves critical time during an actual incident.

292
00:15:13.919 --> 00:15:16.480
<v Speaker 1>What about telling investors when do you have to disclose

293
00:15:16.480 --> 00:15:16.879
<v Speaker 1>a breach?

294
00:15:17.039 --> 00:15:21.320
<v Speaker 2>The SEC has rules about disclosing material cybersecurity risks and incidents.

295
00:15:21.919 --> 00:15:25.960
<v Speaker 2>Understanding what crosses that materiality threshold and having a process

296
00:15:25.960 --> 00:15:28.039
<v Speaker 2>for disclosure is a key part of the legal and

297
00:15:28.080 --> 00:15:29.039
<v Speaker 2>comms side of IR.

298
00:15:29.360 --> 00:15:31.720
<v Speaker 1>Breaches sound expensive. What drives up the cost?

299
00:15:32.000 --> 00:15:35.679
<v Speaker 2>Lots of things. Detecting and containing it, notifying customers or

300
00:15:35.720 --> 00:15:39.799
<v Speaker 2>regulators, lost business due to downtime or reputational damage, legal

301
00:15:39.840 --> 00:15:45.200
<v Speaker 2>fees, fines. It adds up fast. The Ponemon Institute and IBM

302
00:15:45.320 --> 00:15:48.720
<v Speaker 2>do regular studies. The average breach cost is typically in the millions.

303
00:15:48.679 --> 00:15:52.240
<v Speaker 1>Can anything bring that cost down?

304
00:15:52.440 --> 00:15:55.559
<v Speaker 2>Yes. The data shows things that help include having that

305
00:15:55.639 --> 00:15:59.799
<v Speaker 2>tested IR plan, solid business continuity plans, doing proactive red

306
00:15:59.799 --> 00:16:03.559
<v Speaker 2>team testing, using AI tools for faster response, and consistent

307
00:16:03.600 --> 00:16:07.399
<v Speaker 2>employee training. Those investments pay off when an incident happens.

308
00:16:07.559 --> 00:16:10.279
<v Speaker 1>How do you measure success in cybersecurity management?

309
00:16:10.360 --> 00:16:13.960
<v Speaker 2>Key Performance Indicators, KPIs. The book talks about using quantifiable

310
00:16:14.000 --> 00:16:16.600
<v Speaker 2>metrics to track how well you're doing against your security goals,

311
00:16:16.720 --> 00:16:20.120
<v Speaker 2>whether they're strategic, financial, or operational. You need to measure

312
00:16:20.120 --> 00:16:21.080
<v Speaker 2>to manage effectively.

313
00:16:21.240 --> 00:16:24.159
<v Speaker 1>Okay, the incident is contained. What happens next? It's not over

314
00:16:24.200 --> 00:16:25.159
<v Speaker 1>then, is it?

315
00:16:25.279 --> 00:16:29.320
<v Speaker 2>Not at all. Post-incident is crucial. First, triage and containment confirmation,

316
00:16:29.559 --> 00:16:33.080
<v Speaker 2>then deep forensic analysis: what happened, how, what was compromised?

317
00:16:33.480 --> 00:16:36.960
<v Speaker 2>Then securely regaining control and rebuilding systems, and perhaps the

318
00:16:36.960 --> 00:16:41.600
<v Speaker 2>most important step, the lessons learned, the post mortem. Exactly,

319
00:16:42.039 --> 00:16:45.559
<v Speaker 2>a thorough honest look at what went right, what went wrong,

320
00:16:45.840 --> 00:16:49.360
<v Speaker 2>and how to improve the plan and defenses. The GAO report

321
00:16:49.399 --> 00:16:52.440
<v Speaker 2>on the big Equifax breach is cited as an example

322
00:16:52.440 --> 00:16:54.799
<v Speaker 2>of that kind of essential analysis. Makes sense?

323
00:16:54.960 --> 00:16:58.440
<v Speaker 1>Now, what about when companies merge or acquire others? M&A

324
00:16:58.600 --> 00:17:00.879
<v Speaker 1>seems like a potential cybersecurity minefield.

325
00:17:01.200 --> 00:17:04.599
<v Speaker 2>It really can be. You're essentially inheriting another organization's

326
00:17:04.799 --> 00:17:09.160
<v Speaker 2>entire risk profile. The book strongly advocates for proactive cyber

327
00:17:09.200 --> 00:17:11.720
<v Speaker 2>assessment early in the M&A process.

328
00:17:11.359 --> 00:17:12.680
<v Speaker 1>Not after the deal is done.

329
00:17:12.839 --> 00:17:16.880
<v Speaker 2>Ideally no, but an IBM report from twenty twenty found

330
00:17:16.920 --> 00:17:19.519
<v Speaker 2>over half of companies were doing the cyber assessment after

331
00:17:19.640 --> 00:17:21.519
<v Speaker 2>due diligence. That's way too late.

332
00:17:21.640 --> 00:17:22.680
<v Speaker 1>Why so early?

333
00:17:22.640 --> 00:17:25.680
<v Speaker 2>Because it gives you leverage. You can understand the target's

334
00:17:25.720 --> 00:17:29.880
<v Speaker 2>true cyber posture, factor potential remediation costs into the price,

335
00:17:30.160 --> 00:17:32.279
<v Speaker 2>maybe even walk away if the risks are too high.

336
00:17:32.480 --> 00:17:34.920
<v Speaker 2>Doing it early avoids nasty surprises later.

337
00:17:35.279 --> 00:17:37.240
<v Speaker 1>What should you look for in that M&A

338
00:17:37.359 --> 00:17:37.920
<v Speaker 1>due diligence?

339
00:17:38.119 --> 00:17:42.000
<v Speaker 2>Key areas are understanding their data: what types, how

340
00:17:42.000 --> 00:17:47.119
<v Speaker 2>it's collected, stored, protected, their compliance status. Also assessing their

341
00:17:47.160 --> 00:17:51.200
<v Speaker 2>technical security measures, their organizational policies and how they handle

342
00:17:51.279 --> 00:17:53.279
<v Speaker 2>data disposal. A deep dive.

343
00:17:53.480 --> 00:17:57.319
<v Speaker 1>And then during the integration phase, after the deal closes, focus

344
00:17:56.920 --> 00:18:01.039
<v Speaker 2>is on closing identified security gaps, prioritizing remediation based

345
00:18:01.039 --> 00:18:04.960
<v Speaker 2>on risk, and critically getting the acquired employees trained on

346
00:18:05.000 --> 00:18:08.640
<v Speaker 2>the parent company security policies and systems. You need a

347
00:18:08.720 --> 00:18:11.839
<v Speaker 2>solid day one integration plan ready to go, extending your

348
00:18:11.839 --> 00:18:12.839
<v Speaker 2>protections immediately.

349
00:18:13.160 --> 00:18:16.160
<v Speaker 1>We've circled back to culture and process multiple times. It

350
00:18:16.200 --> 00:18:19.839
<v Speaker 1>seems like building that strong cybersecurity culture is the ultimate goal.

351
00:18:20.000 --> 00:18:23.720
<v Speaker 2>It really is foundational for sustainable security. A mature program

352
00:18:23.799 --> 00:18:26.920
<v Speaker 2>isn't just about the latest tech. It's about embedding security

353
00:18:26.920 --> 00:18:29.119
<v Speaker 2>thinking into everyday processes.

354
00:18:28.640 --> 00:18:31.680
<v Speaker 1>And workflows. And leadership access is key.

355
00:18:31.880 --> 00:18:34.839
<v Speaker 2>Consistent CISO access to the rest of the C-suite

356
00:18:34.880 --> 00:18:38.720
<v Speaker 2>and the board is vital, and building those relationships across functions, sales,

357
00:18:39.200 --> 00:18:42.480
<v Speaker 2>HR or audit before a crisis hits makes collaboration much

358
00:18:42.480 --> 00:18:43.519
<v Speaker 2>smoother when you need it.

359
00:18:43.680 --> 00:18:47.079
<v Speaker 1>The book uses the Atlanta ransomware attack as an example

360
00:18:47.119 --> 00:18:48.559
<v Speaker 1>of not having that culture.

361
00:18:48.960 --> 00:18:52.480
<v Speaker 2>Yeah, that twenty eighteen attack was a stark reminder of

362
00:18:52.559 --> 00:18:56.359
<v Speaker 2>the cost of neglecting basic cyber hygiene and not having

363
00:18:56.440 --> 00:19:01.119
<v Speaker 2>that security mindset embedded. It crippled city services cost millions

364
00:19:01.559 --> 00:19:02.640
<v Speaker 2>a very painful lesson.

365
00:19:03.359 --> 00:19:06.920
<v Speaker 1>The book also pushes for more industry collaboration, sharing threat

366
00:19:06.960 --> 00:19:08.240
<v Speaker 1>info and best practices.

367
00:19:08.319 --> 00:19:10.319
<v Speaker 2>How do you actually build that culture day to day?

368
00:19:10.359 --> 00:19:12.839
<v Speaker 1>It needs to be part of the whole employee life cycle,

369
00:19:13.119 --> 00:19:16.319
<v Speaker 1>thinking about security during recruiting, making it core to onboarding,

370
00:19:16.599 --> 00:19:18.759
<v Speaker 1>providing ongoing, engaging training.

371
00:19:19.000 --> 00:19:21.599
<v Speaker 2>Engaging seems key. A lot of training is pretty dry.

372
00:19:21.519 --> 00:19:24.759
<v Speaker 1>Right, and research suggests only a small fraction of companies

373
00:19:24.759 --> 00:19:28.880
<v Speaker 1>feel their training is extremely successful, so effectiveness is an issue.

374
00:19:28.960 --> 00:19:32.319
<v Speaker 1>The book also mentions habit formation it takes around sixty

375
00:19:32.400 --> 00:19:35.680
<v Speaker 1>days apparently to form new habits, so reinforcement is crucial.

376
00:19:35.839 --> 00:19:38.359
<v Speaker 2>What about those phishing tests companies send out?

377
00:19:38.519 --> 00:19:42.920
<v Speaker 1>They can be valuable if they're framed correctly as training exercises,

378
00:19:43.000 --> 00:19:47.079
<v Speaker 1>learning opportunities, not gotcha moments or punitive measures. Used well,

379
00:19:47.440 --> 00:19:48.640
<v Speaker 1>they definitely raise awareness.

380
00:19:48.680 --> 00:19:52.200
<v Speaker 2>Can you actually measure cybersecurity culture? People are trying. The

381
00:19:52.279 --> 00:19:57.039
<v Speaker 2>NASI DASA Cybersecurity Handbook has metrics covering different aspects, and

382
00:19:57.200 --> 00:20:00.559
<v Speaker 2>organizations like ic NECD, the World Economic Forum are

383
00:20:00.559 --> 00:20:04.720
<v Speaker 2>working on measures looking at training effectiveness, risk management adoption,

384
00:20:05.079 --> 00:20:09.359
<v Speaker 2>incident rates, even employee sentiment about security. It's an evolving area.

385
00:20:09.680 --> 00:20:13.079
<v Speaker 1>This has been incredibly comprehensive, our real deep dive into

386
00:20:13.160 --> 00:20:16.079
<v Speaker 1>why cybersecurity is so much more than just an IT

387
00:20:16.400 --> 00:20:19.119
<v Speaker 1>issue today. If you had to pick one core takeaway

388
00:20:19.160 --> 00:20:20.480
<v Speaker 1>for our listeners? I think

389
00:20:20.319 --> 00:20:23.720
<v Speaker 2>It's that cybersecurity is a fundamental business issue, full stop.

390
00:20:24.119 --> 00:20:27.400
<v Speaker 2>It needs a holistic, top down, bottom up approach from

391
00:20:27.440 --> 00:20:30.640
<v Speaker 2>the board setting the tone to every single employee understanding

392
00:20:30.640 --> 00:20:32.640
<v Speaker 2>their role. It's not optional anymore.

393
00:20:32.880 --> 00:20:35.880
<v Speaker 1>Yeah, and the stakes are incredibly high, impacting national security,

394
00:20:35.920 --> 00:20:39.680
<v Speaker 1>financial stability, just basic business success in this digital age. Exactly.

395
00:20:39.720 --> 00:20:43.000
<v Speaker 2>It's about moving past just checking compliance boxes and building

396
00:20:43.000 --> 00:20:47.599
<v Speaker 2>a truly proactive, risk aware, adaptive security strategy and culture.

397
00:20:47.839 --> 00:20:50.319
<v Speaker 1>So a final thought for you, the learner, to maybe

398
00:20:50.400 --> 00:20:54.559
<v Speaker 1>mull over: with threats constantly changing, getting smarter, think about

399
00:20:54.680 --> 00:20:58.440
<v Speaker 1>AI being potentially weaponized. How ready is your organization really?

400
00:20:58.599 --> 00:21:01.000
<v Speaker 1>How deeply embedded is that culture of security and

401
00:21:01.000 --> 00:21:03.839
<v Speaker 1>collective defense we've been talking about, something to consider in

402
00:21:03.880 --> 00:21:06.039
<v Speaker 1>your own context. Thanks for joining us for the Deep

403
00:21:06.079 --> 00:21:06.279
<v Speaker 1>Dive.
