1
00:00:04,200 --> 00:00:07,719
Speaker 1: Security was mostly discussed as technical topic and there is

2
00:00:07,759 --> 00:00:13,199
not enough frameworks conveying important security and security risks in

3
00:00:13,240 --> 00:00:16,359
the way that the stakeholders can easily engage risks and

4
00:00:16,480 --> 00:00:18,280
CCE for me enabled that.

5
00:00:24,679 --> 00:00:28,800
Speaker 2: Welcome listeners to the Industrial Security Podcast. My name is

6
00:00:28,920 --> 00:00:32,479
Nate Nelson. I'm here with Andrew Ginter, the vice president

7
00:00:32,560 --> 00:00:36,920
of Industrial Security at Waterfall Security Solutions, who's going to

8
00:00:37,000 --> 00:00:40,479
introduce the subject and guest of our show today. Andrew,

9
00:00:40,759 --> 00:00:41,119
how are you?

10
00:00:42,280 --> 00:00:44,679
Speaker 3: I'm very well, thank you, Nate. Our guest today is

11
00:00:44,719 --> 00:00:49,079
Tomomi Aoyama. She is the principal development lead for Private

12
00:00:49,200 --> 00:00:53,399
SaaS that's software as a service at Cognite, which produces

13
00:00:53,640 --> 00:00:56,240
industrial control system software. And we're going to talk a

14
00:00:56,280 --> 00:00:58,159
little bit about what she's doing, but mostly we're going

15
00:00:58,159 --> 00:01:03,039
to talk about her translation of the Consequence Driven Cyber

16
00:01:03,079 --> 00:01:07,799
Informed Engineering textbook Countering Cyber Sabotage, her translation of the

17
00:01:07,799 --> 00:01:09,239
book to Japanese.

18
00:01:10,079 --> 00:01:13,439
Speaker 2: Then, without further ado, your conversation with Tomomi.

19
00:01:15,680 --> 00:01:19,159
Speaker 3: Hello Tomomi, and welcome to the podcast. Before we

20
00:01:19,200 --> 00:01:21,239
get started, can I ask you to say a few

21
00:01:21,280 --> 00:01:24,439
words about yourself for our listeners and about the good

22
00:01:24,480 --> 00:01:26,280
work that you're doing at Cognite.

23
00:01:27,159 --> 00:01:29,719
Speaker 1: Sure, thank you very much for having me, Andrew. By

24
00:01:29,760 --> 00:01:34,159
the way, I'm Tomomi and I've been in ICS security

25
00:01:34,200 --> 00:01:37,400
domain over a decade and I started as an academic

26
00:01:37,439 --> 00:01:42,079
researcher and my fascination for this domain was always about

27
00:01:42,480 --> 00:01:46,920
how can we enable this collaboration. I started with from

28
00:01:47,359 --> 00:01:51,400
understanding trying to understand how safety and security risk assessment

29
00:01:51,480 --> 00:01:55,840
can be combined, how security risk specialist can communicate with

30
00:01:55,959 --> 00:01:59,519
safety risk specialist and share the metrics, share about you.

31
00:01:59,599 --> 00:02:03,120
That was the first research topic that I was working on,

32
00:02:03,560 --> 00:02:07,799
and then I gradually shifted more towards okay, how cyber

33
00:02:07,879 --> 00:02:11,199
risk or OT security risk can be expressed to the

34
00:02:11,240 --> 00:02:16,680
business continuity risk or business risk. And through the academic

35
00:02:16,759 --> 00:02:20,039
position I had in Japan, and while I was doing

36
00:02:20,039 --> 00:02:24,879
a PhD and doing the assistant professor and teaching, I

37
00:02:25,000 --> 00:02:29,479
was lucky enough to be able to join some government

38
00:02:29,520 --> 00:02:35,719
project where I was able to support asset owners, design

39
00:02:35,759 --> 00:02:41,280
and evaluate the cyber tabletop exercises, business continuity exercise

40
00:02:41,840 --> 00:02:48,400
drills for earthquake drills also and also develop help

41
00:02:48,680 --> 00:02:54,599
government to develop this large OT security capability building center

42
00:02:55,199 --> 00:03:00,680
called ICSCoE, where I supported building up the training

43
00:03:00,680 --> 00:03:08,840
curriculum and international engagement. And now I'm in Cognite and

44
00:03:08,879 --> 00:03:12,520
still I'm fascinated again. I'm still fascinated by this collaboration

45
00:03:12,639 --> 00:03:16,240
piece in OT security area. Cognite is a company that

46
00:03:16,599 --> 00:03:20,080
builds the OT data platform software in oil and gas,

47
00:03:20,159 --> 00:03:26,000
chemical energy manufacturing and so on and so and the

48
00:03:26,080 --> 00:03:30,319
Cognite operation is based on software as a service on

49
00:03:30,400 --> 00:03:35,439
a cloud data platform. And when we talk about the

50
00:03:35,479 --> 00:03:39,280
cloud security and there is a shared responsibility model that

51
00:03:39,319 --> 00:03:44,639
do you share the security operation responsibility together with the

52
00:03:44,639 --> 00:03:51,120
cloud service providers and asset owners. But the usual model

53
00:03:51,159 --> 00:03:55,240
that they have is two-colored, very simplified two-colored

54
00:03:55,280 --> 00:03:58,199
model and there is no space for the SaaS company

55
00:03:58,319 --> 00:04:02,240
like Cognite, and especially when you consider about the most

56
00:04:02,240 --> 00:04:06,039
of the organizations in most critical infra operators would select

57
00:04:06,560 --> 00:04:09,479
a hybrid model where they have the public cloud, private

58
00:04:09,520 --> 00:04:12,840
cloud, on-prem system all together. And asset owner

59
00:04:13,199 --> 00:04:16,639
wants to have the total visibility and data governance over

60
00:04:16,759 --> 00:04:22,399
all the platforms and all the systems. There's no really

61
00:04:22,399 --> 00:04:25,399
guideline for that, there is no established model for that.

62
00:04:25,560 --> 00:04:28,920
So Cognite what I'm doing is using my background in

63
00:04:29,040 --> 00:04:31,519
research and also also in OT security. You may

64
00:04:32,040 --> 00:04:35,439
try to understand and navigate the conversation with customers trying

65
00:04:35,439 --> 00:04:39,199
to navigate the Cognite towards how can we support this

66
00:04:40,759 --> 00:04:44,600
new era for the asset owners where they want to

67
00:04:44,600 --> 00:04:48,600
have the data control and strong data ownership. So that's

68
00:04:48,600 --> 00:04:50,759
where I am today.

69
00:04:50,800 --> 00:04:55,199
Speaker 3: Cool. So you know the industrial cloud is coming, you know,

70
00:04:55,279 --> 00:04:59,079
it's it's great that you're contributing to that at Cognite.

71
00:04:59,720 --> 00:05:02,759
You know, our topic is a little different today. Our

72
00:05:02,839 --> 00:05:08,279
topic today is consequence driven cyber informed engineering. And a

73
00:05:08,279 --> 00:05:12,560
couple of years ago you translated the book on the

74
00:05:12,600 --> 00:05:16,680
topic, Countering Cyber Sabotage: Consequence-Driven Cyber-Informed Engineering, the

75
00:05:16,680 --> 00:05:21,360
book that Andrew Bochman and Sarah Freeman wrote. You translated

76
00:05:21,399 --> 00:05:24,399
the book into Japanese. So I wanted to ask you

77
00:05:24,439 --> 00:05:26,480
about that, but before I do, can I ask you

78
00:05:26,560 --> 00:05:30,800
maybe introduce the book to our listeners. What is uh

79
00:05:30,879 --> 00:05:33,959
you know, CCE? What is cyber informed or consequence driven

80
00:05:34,000 --> 00:05:35,160
cyber informed engineering?

81
00:05:36,120 --> 00:05:41,439
Speaker 1: CCE is quite mouthful, consequence driven cyber informed engineering. It

82
00:05:41,519 --> 00:05:45,560
was originally part of the cyber informed engineering. It's one

83
00:05:45,560 --> 00:05:47,639
of the pillar of the cyber informed engineering, which is

84
00:05:47,680 --> 00:05:51,720
the framework for, you know, combining cyber the engineering side

85
00:05:51,720 --> 00:05:54,839
and how we can enable security mobile the design security

86
00:05:54,839 --> 00:05:59,759
built into the engineering engineering process and I defintional of

87
00:05:59,800 --> 00:06:06,519
that especially focused on this consequence driven risk analysis part

88
00:06:07,439 --> 00:06:10,519
and they develop this CCE model. It comes with the

89
00:06:10,639 --> 00:06:14,839
four phases. Starting from phase one consequence prioritization, which is

90
00:06:15,000 --> 00:06:19,079
quite important one for me. And Phase two is systems

91
00:06:19,120 --> 00:06:25,199
and system system analysis meaning how systems or dependencies between

92
00:06:25,199 --> 00:06:30,000
the systems, resources, information, data, people are contributing to the

93
00:06:30,120 --> 00:06:33,199
consequence the worst, worst worst case that you want to

94
00:06:33,199 --> 00:06:37,319
avoid to happen. And phase three is the consequence based targeting.

95
00:06:37,439 --> 00:06:39,319
This is why you bring in there a little bit

96
00:06:39,360 --> 00:06:43,360
attacker's perspective and more than in security perspective. How

97
00:06:43,399 --> 00:06:46,680
those dependency between the systems or the paths to the

98
00:06:46,720 --> 00:06:50,360
consequence can be compromised. How can how attackers can take

99
00:06:50,360 --> 00:06:54,639
advantage of this dependency to make the consequence happen? And

100
00:06:54,639 --> 00:06:57,879
then phase four is all about mitigation and protection. Okay,

101
00:06:57,959 --> 00:07:02,839
how can we how can we cut those the domino

102
00:07:02,920 --> 00:07:08,000
effect for attackers to enable the consequence to happen in

103
00:07:08,040 --> 00:07:11,600
the most efficient way and preferably, how can we do

104
00:07:11,639 --> 00:07:17,040
that by combining the engineering method and traditional cybersecurity tools

105
00:07:17,079 --> 00:07:19,160
and solutions.

106
00:07:21,439 --> 00:07:23,839
Speaker 2: Andrew. These are concepts that we've talked about in a

107
00:07:23,920 --> 00:07:27,480
number of episodes before. But for anybody who hasn't listened

108
00:07:27,480 --> 00:07:29,759
to those, could you just do a quick review.

109
00:07:30,040 --> 00:07:34,879
Speaker 3: CIE, CCE, sure. CIE is the big tent, cyber

110
00:07:34,920 --> 00:07:40,319
informed engineering. It's all about engineering and cybersecurity together. You know,

111
00:07:40,600 --> 00:07:44,959
the engineering part has been neglected historically. Overpressure relief valves,

112
00:07:45,000 --> 00:07:48,360
manual operations as a fallback, these techniques that are used

113
00:07:48,360 --> 00:07:50,879
to manage physical risk can also be used to manage

114
00:07:50,920 --> 00:07:55,120
cyber risk. CCE fits within the big tent. I mean,

115
00:07:55,160 --> 00:07:58,360
all of a great deal of engineering is under the

116
00:07:58,360 --> 00:08:03,480
big tent, all of cybersecurity. CCE is a bunch of

117
00:08:03,519 --> 00:08:05,800
techniques and it's it's more than what's in the book.

118
00:08:05,879 --> 00:08:10,439
But the book itself has really three big chunks. One

119
00:08:10,600 --> 00:08:14,839
is consequence evaluation, and they recommend don't start with your

120
00:08:15,079 --> 00:08:19,319
simplest attacks. They recommend start with your biggest fish and

121
00:08:19,839 --> 00:08:23,959
and do something about them first. So consequence analysis and

122
00:08:24,079 --> 00:08:28,639
then some a few chapters on you know, engineering mitigations,

123
00:08:28,680 --> 00:08:31,199
but the bulk of the book is about system of

124
00:08:31,240 --> 00:08:36,039
systems analysis to understand your defenses, to look for choke

125
00:08:36,120 --> 00:08:39,000
points in your defenses where you can choke off attacks

126
00:08:39,120 --> 00:08:43,840
most efficiently with minimal investment, maximum return in terms of

127
00:08:43,919 --> 00:08:47,360
security for minimal investment. So that's that's the big picture.

128
00:08:47,399 --> 00:08:49,840
CIE is the big umbrella. CCE is actually

129
00:08:49,879 --> 00:08:54,279
a formal training program. It's a piece of CIE. But

130
00:08:54,440 --> 00:08:57,000
CIE is big enough that just about anything fits under

131
00:08:57,039 --> 00:08:59,679
it that that has to do with industrial security, and

132
00:08:59,759 --> 00:09:05,639
CCE is a chunk of that. Translating a book

133
00:09:06,080 --> 00:09:09,600
is a big job. You know, the CCE book is

134
00:09:09,720 --> 00:09:14,919
hundreds of pages, and you know you've got to you've

135
00:09:14,919 --> 00:09:17,720
got to be sure that the translation is right. You know,

136
00:09:17,799 --> 00:09:22,679
it's it's a huge investment. Why why would you undertake

137
00:09:23,320 --> 00:09:25,440
that big job with this book.

138
00:09:26,320 --> 00:09:29,039
Speaker 1: When I first met the idea of CCE, I was

139
00:09:29,080 --> 00:09:34,720
a researcher at university in Japan, and my research area

140
00:09:35,039 --> 00:09:39,360
was trying to understand how we can communicate and engage

141
00:09:39,360 --> 00:09:44,919
with stakeholders about OT security in an efficient way, and

142
00:09:44,960 --> 00:09:49,879
how we can do the risk assessment that both understands

143
00:09:50,039 --> 00:09:52,919
security risk and also safety risk and also that their

144
00:09:53,039 --> 00:09:57,240
implication to the business impact. And we struggle to find

145
00:09:57,679 --> 00:10:01,960
the way how this can be achieved in one way

146
00:10:03,279 --> 00:10:07,279
or a simple way, and my running hypothesis is back

147
00:10:07,320 --> 00:10:10,639
then and also now. This is my belief is that

148
00:10:10,679 --> 00:10:14,960
the OT security is a communication problem, that there are a

149
00:10:15,000 --> 00:10:18,200
lot of it's a team effort. OT security is definitely

150
00:10:18,240 --> 00:10:21,360
a team effort. You cannot just have very experience or

151
00:10:21,399 --> 00:10:25,440
the expert bulb to save the world. Every time. We

152
00:10:25,600 --> 00:10:30,559
need to engage the stakeholders, internal stakeholders, different teams to

153
00:10:30,840 --> 00:10:34,399
understand the security and in the same way as you

154
00:10:34,480 --> 00:10:38,480
do in their own job language. If it's an operator,

155
00:10:38,519 --> 00:10:42,080
they need to understand what such security means for their operation.

156
00:10:42,639 --> 00:10:45,840
If it's a business leader, they need to understand cybersecurity

157
00:10:45,840 --> 00:10:49,039
OT security implication in terms of how it impacts their

158
00:10:49,080 --> 00:10:54,440
initiatives and their investment. And it is I found it

159
00:10:54,600 --> 00:10:58,919
very difficult because a security at least back then when

160
00:10:58,919 --> 00:11:02,240
I was doing the research academic research, security was mostly

161
00:11:02,279 --> 00:11:06,600
discussed as technical topic and there was not enough frameworks

162
00:11:06,720 --> 00:11:12,919
or ways of conveying important security and security risks in

163
00:11:12,960 --> 00:11:16,080
the way that the stakeholders can easily engage risk and

164
00:11:16,200 --> 00:11:20,440
CCE for me enabled that, especially the first part of

165
00:11:20,519 --> 00:11:23,679
CCE in a consequence prioritization, you don't talk about you

166
00:11:23,679 --> 00:11:27,480
don't talk about threat actors. You don't talk about security solutions,

167
00:11:27,759 --> 00:11:32,519
you talk about what matters most for your business and

168
00:11:32,799 --> 00:11:37,080
business continuity. That makes it very simple but easy to

169
00:11:37,320 --> 00:11:42,519
align any stakeholders organization. So that's why I thought that

170
00:11:42,919 --> 00:11:46,440
this idea I really want to convey to my community

171
00:11:46,480 --> 00:11:50,320
in Japan in my mother language, and I want to

172
00:11:50,360 --> 00:11:52,559
be that catalyst to deliver a message.

173
00:11:52,720 --> 00:11:55,799
Speaker 3: That's why can I ask you how it came about?

174
00:11:55,879 --> 00:11:57,759
You know, it's one thing to read a book and say, hey,

175
00:11:57,759 --> 00:12:00,440
this is good stuff. It's another thing to reach out

176
00:12:00,440 --> 00:12:03,320
to the authors and actually make it happen. How did

177
00:12:03,360 --> 00:12:03,840
this happen?

178
00:12:04,360 --> 00:12:08,080
Speaker 1: When I first met the idea of CCE, it didn't

179
00:12:08,080 --> 00:12:11,799
know quite me immediately about translating the book. I think

180
00:12:11,840 --> 00:12:16,559
back then there was no book yet published either. I

181
00:12:16,559 --> 00:12:19,279
got to meet Andrew at S4 and he was presenting

182
00:12:19,279 --> 00:12:22,480
about the idea of CCE. That's when the idea of

183
00:12:22,519 --> 00:12:26,399
CCE very much clicked with my academic interest and I

184
00:12:26,519 --> 00:12:30,679
want to talk to Andrew at the beer bash and said, hey,

185
00:12:30,799 --> 00:12:35,080
I really like your idea. I really want to really

186
00:12:35,120 --> 00:12:39,200
promote this method in the community in Japan. That's the

187
00:12:39,320 --> 00:12:46,279
kind of beginning of my engagement with CCE teams and

188
00:12:46,679 --> 00:12:52,879
one of the big time point was Japanese government. In

189
00:12:52,919 --> 00:12:58,000
collaboration with US government, we organized the capability building

190
00:12:58,039 --> 00:13:02,039
training for Indo-Pacific countries and ICSCoE,

191
00:13:02,120 --> 00:13:05,200
the Industrial Cybersecurity Center of Excellence, which is the

192
00:13:05,399 --> 00:13:09,600
OT security training organization that the support in Japan was

193
00:13:10,000 --> 00:13:16,000
the wand of providing training together with US training trainer

194
00:13:16,080 --> 00:13:21,879
teams which was INL, and we ended up

195
00:13:22,080 --> 00:13:26,919
providing the CCE training for Indo-Pacific countries

196
00:13:27,399 --> 00:13:32,320
uh, together with Andrew and CCE team in INL

197
00:13:32,440 --> 00:13:36,399
and trainers in ICSCoE. And it

198
00:13:36,519 --> 00:13:42,519
was very fun engagement. It was interesting how CCE was

199
00:13:42,559 --> 00:13:48,559
received from the participants also, and after Andy and I

200
00:13:48,600 --> 00:13:53,840
were celebrating the successful delivery of that training, it really

201
00:13:53,879 --> 00:13:57,399
came to my mind immediately and said to Andrew that

202
00:13:57,679 --> 00:14:00,320
can I translate this book? I really think I can

203
00:14:00,559 --> 00:14:05,080
translate this in a meaningful way and can you support this?

204
00:14:05,639 --> 00:14:08,840
And that's the kind of beginning. And it took another

205
00:14:08,879 --> 00:14:10,879
two years or so to actually translate the book.

206
00:14:11,559 --> 00:14:15,039
Speaker 3: Okay, so you ran into Andrew at S4, you know,

207
00:14:15,080 --> 00:14:17,159
one of the authors of the book. S4 is

208
00:14:17,200 --> 00:14:20,320
sort of where the world of industrial cybersecurity you know

209
00:14:20,399 --> 00:14:26,480
today comes together. You also mentioned the Industrial Cybersecurity Center

210
00:14:26,519 --> 00:14:30,159
of Excellence in Japan, a government agency. How were you

211
00:14:30,240 --> 00:14:33,519
connected with them? How did you connect those dots?

212
00:14:34,080 --> 00:14:37,320
Speaker 1: So I was fortunate enough to be involved in from

213
00:14:37,360 --> 00:14:43,960
the very earliest stage of ICSCoE and from the establishment

214
00:14:44,000 --> 00:14:51,120
phase of ICSCoE at twenty seventeen. And they my university,

215
00:14:51,840 --> 00:14:58,120
well the university I used to belong as the assistant

216
00:14:58,159 --> 00:15:04,000
professor and now still support us as a visiting researcher.

217
00:15:04,919 --> 00:15:09,240
They take one third to one fourth of curriculum at

218
00:15:09,279 --> 00:15:15,080
ICSCoE. So that is my connection to the organization. And

219
00:15:15,279 --> 00:15:19,279
currently I also support the international engagement that

220
00:15:19,440 --> 00:15:23,200
ICSCoE does. So when they want to do

221
00:15:23,600 --> 00:15:29,399
the the international engagement such as the training overseas training

222
00:15:29,799 --> 00:15:34,279
or inviting the international speakers to the ICSCoE curriculum,

223
00:15:34,600 --> 00:15:37,639
I tend to support it. So the joint training we

224
00:15:37,759 --> 00:15:40,960
provided between Japan and US, that's also some project that

225
00:15:41,000 --> 00:15:45,919
I supported, and that's why I was involved in suggesting

226
00:15:46,519 --> 00:15:49,240
that CCE could be the good topic to introduce to

227
00:15:49,759 --> 00:15:51,720
Japanese and also Indo-Pacific audience.

228
00:15:52,720 --> 00:15:55,600
Speaker 3: Let's talk about the translation. I mean today you can

229
00:15:55,639 --> 00:16:00,480
take, you know, a Word document and pumping through, I

230
00:16:00,559 --> 00:16:03,200
don't know, Google Translate or something. There's other translators on

231
00:16:03,240 --> 00:16:07,279
the market as well, and you know, say here, try

232
00:16:07,360 --> 00:16:10,799
translate this into Japanese. When I've done this with my

233
00:16:10,960 --> 00:16:15,480
documents for uh, you know, a German market in particular,

234
00:16:17,080 --> 00:16:19,480
I speak a little German. I looked at the result

235
00:16:20,039 --> 00:16:23,159
and it was full of mistakes and I had to

236
00:16:23,360 --> 00:16:27,360
correct it. So you know what was involved in the translation?

237
00:16:27,480 --> 00:16:29,519
Did you press a button and it worked? Did you

238
00:16:29,639 --> 00:16:32,759
have to review it at you know, in detail? Did

239
00:16:32,759 --> 00:16:35,120
you have other people reviewing it? How did how did

240
00:16:35,120 --> 00:16:37,240
the actual mechanics of the translation come about?

241
00:16:37,919 --> 00:16:41,440
Speaker 1: Andrew, it was all all me. It was one

242
00:16:41,600 --> 00:16:45,159
one person operation and it was painfully long.

243
00:16:45,480 --> 00:16:50,519
Speaker 4: And you know, especially I haven't I have done translation

244
00:16:50,720 --> 00:16:54,559
of for example, eight hundred series, some documents I have

245
00:16:54,639 --> 00:16:58,519
translated in Japanese, so I have done mini projects.

246
00:16:58,039 --> 00:17:00,840
Speaker 1: But not the book, So it was the different level

247
00:17:00,919 --> 00:17:08,119
of beast. I definitely use the help of machine translation,

248
00:17:08,799 --> 00:17:14,200
sentence by sentence just to create the baseline, but most

249
00:17:14,279 --> 00:17:18,599
of the time it was more confusing than helpful. So

250
00:17:19,759 --> 00:17:23,440
most important thing that I needed to create was the dictionary,

251
00:17:24,000 --> 00:17:27,759
the translation dictionary to be consistent throughout the book on

252
00:17:27,839 --> 00:17:32,640
how we translate for example, well, as you can see

253
00:17:32,640 --> 00:17:36,240
in the title of the book, the consequence, this word

254
00:17:36,440 --> 00:17:40,799
appears a lot in the book, and I was very intentional

255
00:17:40,839 --> 00:17:43,119
and also a little bit cheeky when I translated this

256
00:17:43,279 --> 00:17:48,119
in Japanese. I intentionally translated as a business consequence because

257
00:17:48,240 --> 00:17:51,799
I didn't want the lead readers to mistake in consequence

258
00:17:52,000 --> 00:17:58,759
as information breach or some technical consequences or piece of

259
00:17:58,799 --> 00:18:02,960
the consequences. But I want this to start, this book

260
00:18:03,000 --> 00:18:06,359
to be the starter of the conversation with different aspects,

261
00:18:06,559 --> 00:18:10,480
seeing the security from the different perspective, more from the

262
00:18:10,599 --> 00:18:16,319
business perspective, business risk perspective. So I intentionally change the

263
00:18:16,359 --> 00:18:22,519
translation from consequence in Japanese business consequence and some So

264
00:18:23,640 --> 00:18:29,079
this process of creating dictionary and be happy with this dictionary,

265
00:18:30,279 --> 00:18:32,960
that was a very challenging part. There are a lot

266
00:18:33,039 --> 00:18:39,759
of terms in CC books that very common for probably

267
00:18:40,079 --> 00:18:47,039
military domain or government people, but it's not so

268
00:18:47,640 --> 00:18:53,279
much resonating word when it's directly translated. So I also

269
00:18:53,359 --> 00:19:02,000
needed to understand each concept concept very deeply. And Andrew Bochman,

270
00:19:02,559 --> 00:19:05,720
the author, one of the authors, was kind and generous

271
00:19:05,839 --> 00:19:09,920
enough to have multiple session for walking through those terms.

272
00:19:09,960 --> 00:19:14,559
What they mean, was a backstory of these terms, one

273
00:19:14,559 --> 00:19:16,880
by one, So that really helped me a lot.

274
00:19:20,319 --> 00:19:22,519
Speaker 3: So, Nate, you know, I've written a couple of books,

275
00:19:23,359 --> 00:19:31,319
I've translated some material, especially into German, and in my experience,

276
00:19:31,480 --> 00:19:35,000
you know exactly what Tomomi talks about. Terminology is important,

277
00:19:35,920 --> 00:19:38,920
especially when you're translating a technical document. In a lot

278
00:19:38,960 --> 00:19:42,680
of the world's languages, a lot of computer concepts are

279
00:19:42,799 --> 00:19:47,200
showing up in those languages as English words sort of

280
00:19:47,440 --> 00:19:53,440
transplanted or adopted into the language. This despite the language

281
00:19:53,680 --> 00:19:58,680
often having its own words for those concepts. In German

282
00:19:58,720 --> 00:20:03,599
in particular, sort of fairly words that in English have

283
00:20:04,039 --> 00:20:09,880
comparatively you know, short simple words for a certain technical

284
00:20:09,880 --> 00:20:13,920
concept might have a you know, in English, they'd like

285
00:20:13,960 --> 00:20:17,799
to jam a few adjectives and nouns together into a single,

286
00:20:17,920 --> 00:20:21,920
very long, very complicated word. And what I observe in

287
00:20:22,119 --> 00:20:25,119
you know, the German community that I interact with is

288
00:20:25,119 --> 00:20:27,759
they've adopted a lot of the short English words rather

289
00:20:27,839 --> 00:20:33,039
than using the long formal German words. And when you're

290
00:20:33,160 --> 00:20:36,799
putting together a translation, you've got to figure this out,

291
00:20:38,200 --> 00:20:41,119
you know, if you use the native language words and

292
00:20:41,559 --> 00:20:45,119
the community that you're addressing isn't using those words. They're

293
00:20:45,160 --> 00:20:47,160
going to look at your stuff and it's going to

294
00:20:47,200 --> 00:20:50,559
be a harder read. It's not the terminology they expect,

295
00:20:50,559 --> 00:20:52,359
and vice versa. If you use a bunch of English,

296
00:20:52,480 --> 00:20:56,519
you know, transplant a bunch of English words into the translation,

297
00:20:57,079 --> 00:20:59,039
and this is not what the community is used to.

298
00:20:59,119 --> 00:21:00,720
They're going to look at this and say, you know,

299
00:21:01,000 --> 00:21:05,319
this doesn't it again, it impairs comprehension. And this is

300
00:21:05,920 --> 00:21:08,799
you know, this is not the only challenge with translation.

301
00:21:09,319 --> 00:21:12,359
What I found with German in particular. I don't know Japanese,

302
00:21:12,359 --> 00:21:16,119
but I know that in German there are linguistic concepts.

303
00:21:16,559 --> 00:21:20,160
Gender in particular, everything is gendered. The and when you're

304
00:21:20,200 --> 00:21:23,119
when you're you know, doing a little bit of dialogue,

305
00:21:23,200 --> 00:21:26,640
A said this and B said that, and you use

306
00:21:26,680 --> 00:21:29,519
the word you. You've got to select the word very carefully.

307
00:21:29,559 --> 00:21:33,440
There's the familiar you, there's the formal you. And in

308
00:21:33,519 --> 00:21:37,759
English you don't have all this stuff. And when you

309
00:21:37,880 --> 00:21:40,599
translate material from English to German, the t you know,

310
00:21:41,039 --> 00:21:43,839
I used the machine translator. The machine translator just gets

311
00:21:43,880 --> 00:21:46,680
it wrong. Machine translator says, well, you know, I

312
00:21:46,799 --> 00:21:50,680
need this concept in the German translation and it doesn't

313
00:21:50,680 --> 00:21:53,160
exist in English, so I'll just make it up. And

314
00:21:53,200 --> 00:21:56,519
they picked the wrong one pretty consistently, So there's a

315
00:21:56,640 --> 00:21:59,119
there's a lot of repair that you know, choose the

316
00:21:59,200 --> 00:22:01,200
terminology care and then you've got to go through it

317
00:22:01,519 --> 00:22:04,119
and just repair what the what the machine translator does.

318
00:22:05,400 --> 00:22:09,240
Speaker 2: And I'm wondering how you felt about the particular point

319
00:22:09,240 --> 00:22:13,599
of translation. She highlighted in her answer how she translated

320
00:22:13,759 --> 00:22:18,960
consequences to business consequences, because you know, you and I

321
00:22:19,000 --> 00:22:21,920
talk about these concepts a lot, we don't really focus

322
00:22:22,160 --> 00:22:26,680
on them through the business lens. Usually it's like physical consequences,

323
00:22:26,720 --> 00:22:27,359
for example.

324
00:22:28,279 --> 00:22:31,319
Speaker 3: And you know, I was thinking about that myself after

325
00:22:31,400 --> 00:22:34,039
the interview here, and you know, reflecting on it a

326
00:22:34,039 --> 00:22:37,599
little bit, I wonder if it's because it sort of

327
00:22:37,599 --> 00:22:41,720
reflects Tomomi's focus on risk assessment. She was doing a

328
00:22:41,720 --> 00:22:45,960
lot of risk assessment work in her research. And you

329
00:22:45,960 --> 00:22:50,160
know who consumes the results of a risk assessment. It's

330
00:22:50,400 --> 00:22:53,599
generally the business decision makers who have to decide, am

331
00:22:53,599 --> 00:22:56,960
I going to provide funding to my engineering team, to

332
00:22:57,000 --> 00:22:59,759
my IT teams to fix this problem? Explain to me

333
00:23:00,119 --> 00:23:03,559
in one syllable words, how much trouble we're in and

334
00:23:03,640 --> 00:23:07,160
they want to understand the impact on the business. My

335
00:23:07,319 --> 00:23:11,039
own focus, I tend to work more with the engineering

336
00:23:11,079 --> 00:23:14,240
teams who are tasked with, okay, you have a budget,

337
00:23:14,440 --> 00:23:17,920
solve this problem, and they change the design of the

338
00:23:17,960 --> 00:23:24,039
systems in order to prevent physical consequences, in order to

339
00:23:24,119 --> 00:23:25,759
you know, keep things from blowing up, in order to

340
00:23:25,880 --> 00:23:29,640
keep trains from colliding, and so I might you know,

341
00:23:29,839 --> 00:23:32,240
if if I were doing this, I might have been

342
00:23:32,279 --> 00:23:36,880
tempted to use to substitute business sorry, a physical consequence

343
00:23:37,160 --> 00:23:42,200
rather than business consequence. But you know, thinking about it,

344
00:23:42,240 --> 00:23:44,880
that might just be because of who I communicate with.

345
00:23:45,079 --> 00:23:47,680
And you know, Tomomi said at the beginning, it's all

346
00:23:47,720 --> 00:23:51,519
about communication. You've got to get these concepts across these

347
00:23:51,640 --> 00:23:58,240
sort of chasms of understanding. I'm curious about intellectual property.

348
00:23:58,359 --> 00:24:03,559
I mean, I see the Idaho National Laboratory, you know

349
00:24:03,680 --> 00:24:08,680
logo on the CCE book. I know that you know,

350
00:24:08,759 --> 00:24:12,519
Sarah Freeman and Andrew Bochman were employees I think of

351
00:24:12,759 --> 00:24:15,200
Idaho National Laboratory at the time they wrote the book.

352
00:24:15,400 --> 00:24:18,759
I'm assuming that INL owns the copyright on

353
00:24:18,799 --> 00:24:21,759
the book, but you did the translation. Can you talk

354
00:24:21,799 --> 00:24:25,559
about intellectual property. Do you own the Japanese translation?

355
00:24:25,720 --> 00:24:25,880
Speaker 1: How?

356
00:24:25,960 --> 00:24:26,839
Speaker 3: How does that work?

357
00:24:28,000 --> 00:24:31,079
Speaker 1: Well, at least I know I don't own the copyright,

358
00:24:32,160 --> 00:24:38,119
so it was primarily work for hire. I was. It's

359
00:24:38,279 --> 00:24:41,759
kind of two-fold contract. So one side is my

360
00:24:41,920 --> 00:24:46,839
contract with INL as the service provider, meaning

361
00:24:46,920 --> 00:24:51,039
that I will provide this translation service for them so

362
00:24:51,160 --> 00:24:55,920
that they can have the Japanese version of manuscript in

363
00:24:55,960 --> 00:25:00,880
their organization. And on behalf of INL I was sending the

364
00:25:00,960 --> 00:25:05,599
manuscript to the publisher and ICSCoE in Japan.

365
00:25:05,759 --> 00:25:12,640
They funded, they funded to publish this book in Japanese,

366
00:25:13,200 --> 00:25:15,640
so I was just bridging it in between.

367
00:25:16,759 --> 00:25:19,079
Speaker 3: Okay, so you know a lot of work doing the translation.

368
00:25:19,480 --> 00:25:20,680
How has it been received?

369
00:25:21,680 --> 00:25:25,839
Speaker 1: I got the very kind words from people in Japan

370
00:25:26,160 --> 00:25:30,119
that they enjoyed the book, and some people mentioned about

371
00:25:30,119 --> 00:25:33,480
specific part of the job, that specific part of the

372
00:25:33,799 --> 00:25:38,839
book that touched They resonated with them very well, which

373
00:25:38,880 --> 00:25:44,599
is super rewarding to me. But the first review I

374
00:25:44,640 --> 00:25:51,599
got on a public platform on Amazon was very funny

375
00:25:51,599 --> 00:25:53,960
to me. It was it was it said that the

376
00:25:54,000 --> 00:25:59,160
full stars, great book, great contents, minus one star with

377
00:25:59,240 --> 00:26:06,240
a bad translation. So that really made me laugh. Yes,

378
00:26:06,400 --> 00:26:09,359
it's it's I know I'm not the professional translator. I

379
00:26:09,400 --> 00:26:13,880
cannot translate in the same level as how people would

380
00:26:13,880 --> 00:26:21,839
translate and great novels into Japanese. I can't yet, but

381
00:26:21,920 --> 00:26:24,559
at least I made them read, So that's a win

382
00:26:24,680 --> 00:26:24,880
for me.

383
00:26:26,119 --> 00:26:28,440
Speaker 3: Indeed, it's it's disappointing when you get stuff like that.

384
00:26:28,559 --> 00:26:31,359
I remember, you know, when I published my books, you

385
00:26:31,400 --> 00:26:34,839
get I get positive, I get negative. You gotta you

386
00:26:34,920 --> 00:26:37,960
gotta shrug it off, you know. The I think the

387
00:26:38,480 --> 00:26:43,279
lesson is that the material is now available to a

388
00:26:43,359 --> 00:26:47,519
Japanese audience that doesn't speak English. So you know, have

389
00:26:47,599 --> 00:26:51,400
you got any sort of reaction from you know, even

390
00:26:51,720 --> 00:26:56,279
verbal or face to face from the industrial security in Japan?

391
00:26:56,440 --> 00:26:59,400
How useful has CCE been in Japan?

392
00:27:00,759 --> 00:27:03,279
Speaker 1: Most of the people, majority of people reach out to

393
00:27:03,359 --> 00:27:08,400
me saying that the CCE is very inspiring method and

394
00:27:08,559 --> 00:27:15,680
inspiring approach. But I'm reading between the lines and most

395
00:27:15,720 --> 00:27:20,160
of the times, CCE is a little bit too big

396
00:27:20,200 --> 00:27:24,759
of the project and it's not something bite size for

397
00:27:24,880 --> 00:27:28,720
most of the people to easily adopt it tomorrow. So that

398
00:27:28,839 --> 00:27:34,440
is one challenge that I found during and after this

399
00:27:34,559 --> 00:27:39,680
translation project. The great feedback I got not necessarily negative,

400
00:27:39,720 --> 00:27:43,400
but I think it really really represents what Japanese community's

401
00:27:43,640 --> 00:27:48,240
character is. Is that one person told me he's a

402
00:27:48,359 --> 00:27:52,440
risk assessment, or the risk assessment specialist. He's supported

403
00:27:52,519 --> 00:27:57,960
many many organizations. He said that, Tomomi, CCE needs

404
00:27:58,000 --> 00:28:02,000
to be done and DOWNE needs to be easy and

405
00:28:03,160 --> 00:28:07,200
easy to do for anyone. Right now, CCE is only

406
00:28:07,920 --> 00:28:11,559
useful for the people who understand OT security at the

407
00:28:11,559 --> 00:28:15,160
deepest level. That's not enough. It needs to be easy

408
00:28:15,359 --> 00:28:21,839
for any person possible. And that's something I'm thinking about

409
00:28:21,960 --> 00:28:29,319
a lot these days, thinking about OT security solutions and

410
00:28:29,359 --> 00:28:32,640
a lot of OT security projects. It's naturally targeting towards

411
00:28:32,680 --> 00:28:38,240
the critical asset operators, critical infrastructure companies, and middle organizations

412
00:28:38,640 --> 00:28:43,640
government funded organizations. So the project fund in the size

413
00:28:43,759 --> 00:28:48,119
is huge. But there's a concept that cyber property line,

414
00:28:48,599 --> 00:28:54,440
cyber poverty line, where organizations, even if they know about

415
00:28:54,480 --> 00:28:57,400
cybersecurity and not at the risk, they just simply can't

416
00:28:57,440 --> 00:29:00,480
afford it. They just don't have the resource of available

417
00:29:00,680 --> 00:29:04,680
and any solution at the hand to mitigate the risk.

418
00:29:05,599 --> 00:29:10,519
And CCE is elegant concept and right now I'm thinking

419
00:29:10,640 --> 00:29:14,440
how we can make CCE and any other OT security

420
00:29:14,519 --> 00:29:19,359
or cybersecurity concepts framework solutions to be affordable and easy

421
00:29:19,440 --> 00:29:23,759
as possible to implement fast because especially when we told

422
00:29:23,759 --> 00:29:27,240
when we think about supply chain security and security as a whole.

423
00:29:27,160 --> 00:29:30,640
Speaker 3: Another, I don't know, you know, legal nit

424
00:29:30,759 --> 00:29:36,640
maybe. In my understanding, CCE is trademarked. Idaho National Laboratory

425
00:29:36,799 --> 00:29:41,680
certifies training providers. You can only call yourself a certified

426
00:29:41,759 --> 00:29:45,000
CCE training provider if you've been certified by INL.

427
00:29:46,920 --> 00:29:52,839
I'm curious, is the Industrial Control System Center of Cybersecurity

428
00:29:52,880 --> 00:29:56,359
Center Excellence is it certified?

429
00:29:57,319 --> 00:30:01,079
Speaker 1: No, ICSCoE is not certified to provide

430
00:30:01,200 --> 00:30:04,400
CCE or ACCELERATE training, at least to my knowledge,

431
00:30:05,759 --> 00:30:09,400
but I can talk a little bit about how we

432
00:30:09,480 --> 00:30:14,799
introduce CCE as a concept. So ICSCoE runs a one-year

433
00:30:14,799 --> 00:30:21,440
curriculum for industry professionals and they basically leave the

434
00:30:21,519 --> 00:30:26,839
work for one year to focus on the OT security

435
00:30:27,759 --> 00:30:33,240
training from basically nine to five plus their own research

436
00:30:33,279 --> 00:30:38,079
project hours, and in there we teach many principles from

437
00:30:38,599 --> 00:30:44,359
traditional IT security network security aspect to OT or engineering

438
00:30:44,400 --> 00:30:48,519
discipline and risk management business disciplines, and recently we

439
00:30:48,559 --> 00:30:53,400
also add cloud, digital transformation, those domains too. And

440
00:30:53,599 --> 00:30:58,640
CCE fits into the category of security leadership and one

441
00:30:58,680 --> 00:31:03,319
of the trainers, Hiroshi Sasaki, a colleague of mine.

442
00:31:03,680 --> 00:31:07,680
He introduces CCE as part of the message that they

443
00:31:07,720 --> 00:31:11,720
can use when they are building the security strategy for

444
00:31:11,759 --> 00:31:13,920
their own organization where they go back to the company.

445
00:31:14,480 --> 00:31:18,160
So some of the framework they also introduce is NIST CSF.

446
00:31:19,319 --> 00:31:21,720
They also mentioned about using the 62443

447
00:31:21,799 --> 00:31:27,279
and other, ISO 27K also, and as

448
00:31:27,359 --> 00:31:30,240
one of the other tools that they can use to

449
00:31:30,519 --> 00:31:34,880
frame their own security strategy, they introduce CCE. So we

450
00:31:34,960 --> 00:31:36,880
don't go in the detail in the same way that

451
00:31:37,000 --> 00:31:42,400
the INL folks provide CCE training, but we

452
00:31:42,640 --> 00:31:46,880
explain the CCE concept and the trainees engage training at ICSCoE,

453
00:31:47,279 --> 00:31:51,160
engage in CCE and how they can use CCE's concept

454
00:31:51,200 --> 00:31:56,960
and the framework to present their security strategy to the executives.

455
00:31:57,319 --> 00:32:00,359
Speaker 3: In the course of translating the book, you presumably

456
00:32:00,400 --> 00:32:02,920
developed a deep understanding of the material. You have

457
00:32:02,960 --> 00:32:05,960
to understand the material in order to translate it correctly.

458
00:32:08,519 --> 00:32:11,960
How's that served you? I mean personally? You know you've

459
00:32:11,960 --> 00:32:15,079
developed a deep understanding of CCE translating the book. Your

460
00:32:15,200 --> 00:32:17,839
name is on the book, you know, can you talk

461
00:32:17,839 --> 00:32:21,960
about has has the experience of doing this translation, you know,

462
00:32:22,160 --> 00:32:24,680
changed your career at all.

463
00:32:24,880 --> 00:32:28,920
Speaker 1: So the book was published last year twenty twenty three

464
00:32:29,000 --> 00:32:32,319
in June in Japanese, and we haven't done any book

465
00:32:32,319 --> 00:32:36,160
tour or anything. And I'm also based in UK now.

466
00:32:36,200 --> 00:32:39,319
I'm not based in Japan, so I don't really have

467
00:32:39,480 --> 00:32:43,519
day to day way to engage with people actually get

468
00:32:43,559 --> 00:32:46,799
a book in their hand, so I'm not really feeling

469
00:32:46,960 --> 00:32:52,880
any burning change or anything. But internally, it was such

470
00:32:52,880 --> 00:32:58,039
a privilege to be able to dissect the word by

471
00:32:58,119 --> 00:33:03,279
word and really really print the book in my brain

472
00:33:03,359 --> 00:33:08,559
by translating the work and feel Andy and Sarah's work

473
00:33:08,839 --> 00:33:14,519
so close. And also the book has the part that

474
00:33:14,599 --> 00:33:18,720
written by Mike Assante and I had never met him

475
00:33:18,759 --> 00:33:24,200
in person, but I can't really express how I felt

476
00:33:24,480 --> 00:33:29,079
about translating his part of the book because his word

477
00:33:29,640 --> 00:33:33,200
the opening was that the opening section that he wrote

478
00:33:34,440 --> 00:33:37,680
it was so powerful and it was such an honor

479
00:33:38,039 --> 00:33:41,720
to translate that in Japanese. And when I hear the

480
00:33:41,759 --> 00:33:45,119
good word and good feedback from people in Japan, I

481
00:33:45,240 --> 00:33:49,119
always think about the part that Mike wrote in English,

482
00:33:49,319 --> 00:33:52,519
and how I also try to match his energy to

483
00:33:52,640 --> 00:33:59,480
put in the translation and yeah, so externally and career

484
00:33:59,480 --> 00:34:02,680
or project-wise, I don't see a lot of changes,

485
00:34:03,279 --> 00:34:07,039
but it was internal, it was a big

486
00:34:07,119 --> 00:34:07,680
change for me.

487
00:34:08,639 --> 00:34:10,719
Speaker 3: And if I may come back to the present day,

488
00:34:10,760 --> 00:34:14,199
I mean, you're working at Cognite, You're doing some sort

489
00:34:14,239 --> 00:34:17,199
of cloud stuff on the industrial side. You know, the

490
00:34:17,239 --> 00:34:20,760
industrial cloud is coming for everyone sooner or later in

491
00:34:20,800 --> 00:34:23,599
some capacity or another. You know, is your sort of

492
00:34:23,760 --> 00:34:27,320
deep background in cybersecurity Is that part of your role

493
00:34:27,400 --> 00:34:28,920
at Cognite today.

494
00:34:29,800 --> 00:34:33,719
Speaker 1: I have to say, when I first learned about what

495
00:34:33,840 --> 00:34:38,599
is Cognite's mission and what they are trying to achieve,

496
00:34:39,960 --> 00:34:45,760
it made me really anxious because I was very much focused.

497
00:34:45,960 --> 00:34:48,920
I was, and I am also very much focused on security

498
00:34:49,199 --> 00:34:52,840
and you know, reliability and operation, and I was more

499
00:34:52,880 --> 00:34:58,960
worried about how these new technologies disrupt the reliable operation.

500
00:35:00,920 --> 00:35:05,559
So that was in the beginning, but right now, as

501
00:35:08,280 --> 00:35:11,480
in the project, what we are trying to achieve is

502
00:35:11,760 --> 00:35:15,639
how can we make sure that the when we provide

503
00:35:15,760 --> 00:35:21,960
software as a service, it doesn't disrupt the security or

504
00:35:22,039 --> 00:35:26,400
reliability of the operation, the physical process itself, especially the

505
00:35:26,440 --> 00:35:30,280
digital transformation. Transformation it started in the enterprise area and

506
00:35:30,400 --> 00:35:33,880
then it's getting close and closer to the critical operations.

507
00:35:34,280 --> 00:35:38,239
And when I look into the most of the documents

508
00:35:38,280 --> 00:35:42,599
on how to deploy cloud technology in a secure way,

509
00:35:43,119 --> 00:35:47,880
a lot of government guidance and best practice was treating

510
00:35:48,360 --> 00:35:52,039
public cloud as the starting point, and there was not

511
00:35:52,239 --> 00:35:54,639
enough information about how do you manage the security and

512
00:35:54,760 --> 00:35:59,480
governance of hybrid setup or the private cloud set up,

513
00:36:00,639 --> 00:36:04,880
and especially how do you continue providing a service when

514
00:36:05,159 --> 00:36:09,440
the stakeholder between the SaaS providers like Cognite and Cognite

515
00:36:09,519 --> 00:36:14,559
and asset owner and cloud service provider, this, how

516
00:36:14,599 --> 00:36:18,880
can you manage these three parties or more potentially more

517
00:36:18,960 --> 00:36:23,440
parties involved. How do you make this tight connection while

518
00:36:23,519 --> 00:36:27,920
giving the data owners, asset owners the full visibility and full

519
00:36:28,039 --> 00:36:33,199
control on security Given this is largely driven by security

520
00:36:33,239 --> 00:36:39,119
requirements and the my background give them a little bit

521
00:36:39,159 --> 00:36:43,800
perspective to balance out the need for digital digital transformation

522
00:36:44,039 --> 00:36:48,880
and need for pushing through the boundary and understanding and

523
00:36:48,880 --> 00:36:53,199
accommodating the asset owner's needs and IT and security teams' concerns.

524
00:36:53,960 --> 00:36:56,320
So that is where I am, and then I also

525
00:36:56,400 --> 00:37:03,079
see quite the connection between the CCE. Again, I'm seeing

526
00:37:03,199 --> 00:37:09,360
CCE as the tool to help the communication and understanding

527
00:37:09,599 --> 00:37:14,000
what is a consequence and especially in terms of what

528
00:37:14,079 --> 00:37:18,159
we do at Cognite, understanding the dependency between systems, dependency

529
00:37:18,199 --> 00:37:21,639
between the data and systems and people and critical process

530
00:37:22,159 --> 00:37:26,320
that's really important. And having a CCE framework in the

531
00:37:26,320 --> 00:37:28,559
back of my head it really helps me to have

532
00:37:28,679 --> 00:37:32,920
a dialogue with customers, industry and stakeholders internally

533
00:37:32,960 --> 00:37:33,599
and externally.

534
00:37:34,400 --> 00:37:36,760
Speaker 3: Well, Tomomi, thank you for joining us. It's been

535
00:37:36,800 --> 00:37:39,639
a real pleasure talking to you. Before I let you go,

536
00:37:39,960 --> 00:37:42,320
can I ask you to sum up for us? You

537
00:37:42,360 --> 00:37:46,239
know what are the key messages we should take away here?

538
00:37:46,280 --> 00:37:49,199
We've been talking about CCE, we've been talking about translating

539
00:37:49,239 --> 00:37:51,639
the book, We've been talking about the importance of the cloud.

540
00:37:52,440 --> 00:37:54,960
You know what should we take away from this episode

541
00:37:55,119 --> 00:37:58,119
and from your experience in these arenas.

542
00:37:59,119 --> 00:38:03,800
Speaker 1: Oh, it was really great fun doing this interview with you, Andrew,

543
00:38:04,119 --> 00:38:07,000
Thank you for having me. My takeaway is that the

544
00:38:07,280 --> 00:38:10,880
communication and collaboration, that's really key to enable OT security,

545
00:38:11,039 --> 00:38:16,320
especially at the same speed as digital transformation. CCE is

546
00:38:16,360 --> 00:38:22,360
a useful tool to enable that communication and collaboration. You

547
00:38:22,440 --> 00:38:27,679
get to examine your security strategy program from different perspective.

548
00:38:28,880 --> 00:38:32,599
And now CCE book is available both in English and Japanese.

549
00:38:33,360 --> 00:38:36,320
So if you have Japanese colleagues, if you have somebody,

550
00:38:36,400 --> 00:38:38,920
if you know somebody in Japan, reach out. They may

551
00:38:38,920 --> 00:38:42,800
know about CCE and now you can talk about CCE together,

552
00:38:43,239 --> 00:38:48,519
which is awesome. And right now I'm in Cognite looking

553
00:38:48,559 --> 00:38:53,000
forward to adapt the CCE principle into industry cloud systems

554
00:38:53,360 --> 00:38:57,119
and try to again enable that collaboration between the cloud

555
00:38:57,119 --> 00:39:02,440
service providers, asset owners and SaaS provider combined and learning

556
00:39:02,480 --> 00:39:05,800
about how we can bring the data governance back to

557
00:39:07,000 --> 00:39:11,199
asset owners again. The book is available. CCE book is

558
00:39:11,199 --> 00:39:16,320
available in Amazon. And if you're coming to Japan, let

559
00:39:16,320 --> 00:39:18,920
me know or let ICSCoE know. We'll

560
00:39:18,960 --> 00:39:21,800
always be happy to talk with you. And if you

561
00:39:22,199 --> 00:39:27,079
have experience with industrial cloud, public cloud, private cloud hybrid,

562
00:39:27,679 --> 00:39:29,679
if you decide not to use cloud in the industry

563
00:39:29,679 --> 00:39:34,760
space and why let me know. I'm on LinkedIn happy

564
00:39:34,760 --> 00:39:38,159
to talk with you about your challenges and your experience

565
00:39:38,440 --> 00:39:39,199
and learn from you.

566
00:39:39,480 --> 00:39:45,920
Speaker 2: So thank you, Andrew. That just about concludes your interview.

567
00:39:46,039 --> 00:39:48,280
Do you have any final word to take us out

568
00:39:48,280 --> 00:39:48,719
with today?

569
00:39:49,679 --> 00:39:53,360
Speaker 3: Yeah, I mean I'm looking at you know, a lot

570
00:39:53,400 --> 00:39:56,039
of the topics we talked about are very timely. I'm

571
00:39:56,039 --> 00:39:58,199
you know, I'm a big fan of CCE,

572
00:39:58,239 --> 00:40:02,440
uh, you know, it's all about consequences. Consequences

573
00:40:03,079 --> 00:40:09,199
drive the strength of required security programs. But you know,

574
00:40:09,280 --> 00:40:13,519
I'm looking at you know, I'm on the end of

575
00:40:13,559 --> 00:40:18,400
my career and I started in technology and sort of

576
00:40:18,480 --> 00:40:23,000
worked into cybersecurity and risk assessments. I'm you know, my

577
00:40:23,360 --> 00:40:25,800
most recent book, the topic is risk. It's not in

578
00:40:25,840 --> 00:40:28,039
the title, but it's it's all about how do you

579
00:40:28,199 --> 00:40:32,599
use an understanding of risk to decide how much cybersecurity

580
00:40:32,599 --> 00:40:36,239
to do, you know, how much engineering to do? I see

581
00:40:36,360 --> 00:40:39,639
Tomomi working the other way. She started with risk and

582
00:40:39,719 --> 00:40:43,480
with sort of communicating with business decision makers and is

583
00:40:43,559 --> 00:40:48,559
now tackling what I believe is the future of industrial automation,

584
00:40:48,920 --> 00:40:52,559
and of course, industrial cybersecurity goes with industrial automation. She's

585
00:40:52,599 --> 00:40:55,639
tackling the future, which is the cloud. And the

586
00:40:55,760 --> 00:40:58,840
vision for the cloud is very compelling. It's, you know,

587
00:40:58,880 --> 00:41:01,000
the cloud can save enormous amounts of money, it

588
00:41:01,039 --> 00:41:04,159
can add flexibility, it's you know, it's a tremendous vision.

589
00:41:04,599 --> 00:41:08,079
The question is how much of the vision can we realize safely?

590
00:41:08,719 --> 00:41:12,039
And I think the answer is almost all of it.

591
00:41:12,840 --> 00:41:16,639
We just don't know how yet. So I look forward to,

592
00:41:17,519 --> 00:41:21,159
you know, keeping track of what Tomomi is doing at Cognite.

593
00:41:21,519 --> 00:41:23,480
I look forward to an opportunity to invite her back

594
00:41:23,480 --> 00:41:25,360
in a year when she's sort of figured out a

595
00:41:25,400 --> 00:41:29,400
bunch of this stuff, because the world needs to understand

596
00:41:29,519 --> 00:41:33,559
how to reap the benefits of the industrial cloud without

597
00:41:33,840 --> 00:41:38,039
incurring unacceptable physical risk. So you know, to me, it's

598
00:41:38,159 --> 00:41:43,119
it's huge that she's taking this deep understanding of risk

599
00:41:43,239 --> 00:41:47,000
and risk assessments and now diving into the technology and hopefully,

600
00:41:47,360 --> 00:41:49,800
you know, leading the way for us in terms of

601
00:41:49,880 --> 00:41:50,840
the industrial cloud.

602
00:41:51,639 --> 00:41:54,880
Speaker 2: Thank you to Tomomi Aoyama for speaking with you, Andrew.

603
00:41:54,960 --> 00:41:57,559
And Andrew, as always, thank you for speaking with me.

604
00:41:58,159 --> 00:41:59,320
Speaker 3: It's always a pleasure. Thank you.

605
00:41:59,400 --> 00:41:59,559
Speaker 1: Nate.

606
00:42:00,079 --> 00:42:03,760
Speaker 2: This has been the Industrial Security Podcast from Waterfall. Thanks

607
00:42:03,760 --> 00:42:05,519
to everyone out there listening.

