How to Prioritize in the New Normal


- Good morning, we're really glad to have you here today. I have a wonderful panel of experts and we're gonna spend the next 40 minutes talking about the world that we faced over the last year, and the lessons we can learn from that, that we can apply to the future. This isn't going to be a panel where we deeply pontificate about the new normal and where, and what we think might be there, or might not be there. Really we're gonna explore what happened and how we can draw those lessons forward. And so I have, I wanna start with my panel members and allow them to introduce themselves. And as they do that, I want them to answer this question.

What have they seen as the most significant and difficult security challenge they've faced over the past year? So let me start today with Mark Weatherford. - Hi Bobbie, and thanks for having me on the panel. So I have two answers here. The first is that I left my last full-time job in March of last year, just as COVID was kicking off, and I spent much of the last year traveling around the US in my RV. So my biggest challenge was trying to find good Wi-Fi, and actually, believe it or not, there's actually good Wi-Fi in most places in the United States, even some really remote locations.

But I would say the real challenge that I saw is working with a number of startup companies. They were challenged with basically maintaining the continuity they had with their customer pipeline. So as their customers, the large companies, began shrinking and contracting to deal with COVID, maintaining the connections and the liaison that the small companies had with the bigger companies became more and more of a challenge as they scrambled to maintain their current pipeline, but still trying to meet their quarterly kind of relationships. So that was a big challenge. And I think, you know, that's probably one that the big companies certainly didn't have to deal with on the scale that the startup company world was dealing with on a daily basis.

- Yeah, it's the discrepancies, right? The haves, the have-nots, this was a situation that was felt very differently I think by different individuals in this space. Mike, would you care to respond? - Sure, so I'm Mike Brannon. I lead infrastructure early efforts at National Gypsum. We're a construction materials manufacturer with a couple locations in Canada, and a little bit more than 30 locations around the US.

We were in a sense a little bit fortunate through the pandemic. A lot of the household formation, and some of the migration away from the big city office tower, stimulated demand for residential construction. So our business kind of took off. In terms of challenges, we've always tried to serve the business and deliver what they needed, and the thing we hit really big time, directly in security but more broadly across the business, was a lot of unexpected data points, events, shifts that none of us could anticipate. So we're always very much invested in having a plan, and working a plan, and trying to optimize.

This particular year in review, there were just so many different incidents, events, and things that happened where you had to adapt week to week. And you never knew, even from the beginning of a week to the end of the week, how it was gonna end up. We started referring to Thursday as hollowed-out shell Thursday because frequently, you know, you were running low on resource. But yet our biggest thing was the unprecedented amount of uncertain events that just seemed to happen week to week, day to day throughout the past year.

- It's interesting, Mike, because Terry, I'm gonna go to Terry next, is in an industry that was I think really dramatically impacted by the last year. The commonality about that uncertainty I think is interesting between yours, where you had demand and not sufficient supply, and Terry, I think, you know, we would argue that you had supply and instantaneous loss of demand. Terry, please. - Hi, I'm Terry Griffith. Thanks for that lead-in, in part because we've had a very interesting year. Obviously we didn't expect COVID to go quite like this, but we definitely had opportunities.

And what I mean by that is we have a very loyal customer base. And so we were able to both accommodate future demands and try to maintain what we were doing at the same time. We went into, you know, keep-the-lights-on sort of mode, and from that we learned to adapt.

We had the hollow Thursday point. We never used that name, but I did like that, Mike. Because, you know, there was a lot of stress, and flexing, and moving, and adjusting. So we definitely had the opportunities. We had lots of challenges, right? We haven't really sailed since last March, but hopefully this is all winding down now, and we start to get back out there, and learn from what we've done, right? The adapting piece has been very beneficial.

We definitely had some really big wins internally, things that guests may or may not ever see, but things that we've done that we have changed for the better. And so, you know, I'm grateful for that. And I think the company is too; there's an opportunity we took away from it. - And that's, I think, really interesting to think about in that way, that the lessons that you're bringing forward can then be applied. As much as it was a year of really unusual market forces, the unfortunate pandemic activity, I'm struck by a sort of a common theme amongst the three of you that we're used to being a data-driven industry.

And that it was really difficult in this environment to be so data-driven and kind of move forward. Was there a particular source that you went to in order to find resources, and find data to help you in the planning activity? I mean, cyber events didn't stop as we went forward. I think, you know, as much as it was the unfortunate year of COVID, it was also the year of ransomware. And so, you know, we were all fighting every day to stay on top of the cyber events that were there. - Yeah, we've leaned hard on all of our partners and I've really appreciated the network of peers in the community sharing and communicating together about some of this. We built some good connections that served me well on the security front.

And, you know, I'm thankful for having made some of those investments a little bit ahead of this event so that you were a little bit prepared. We were also kinda fortunate, we were shifting our architecture away from a very on-premise environment. We retired a mainframe a year ago. We're shifting much more toward the public cloud for everything we do. And for most of what happened, we shifted our infrastructure and architecture ahead of the pandemic striking.

So we were a little bit lucky, maybe some might say prescient, I don't know, but that worked well, and then the network of partners and peers has been great. Even though we've all been kinda stuck at home and not able to get together, there was a lot of sharing going on. - It's interesting because studies have really played out your story, that the amount of digital transformation that had been going on or had been planned prior to the pandemic hitting with Excel was either stagnated and then accelerated or accelerated throughout that activity. And I think there's still a bunch of pent-up demand.

Mark, I was struck by your comment about small companies and we think about them as being a place where innovation happens. Do you think we're about to release that innovation that it's there and has been waiting or how do you think about that? - Well, yeah, it's funny. I follow the investment in the venture capital community a lot right now, and there is more money waiting on the sidelines today looking to invest in small companies. So that's a roundabout way of answering your question that I think what I'm seeing is there's a lot of new innovations happening right now.

And I'm, you know, I just wrote an article yesterday for Forbes on this, but there's a lot of innovation being fostered out of the federal government now, which, I mean, it hasn't happened like this in a long time, you know, with the infrastructure plan. You know, there was an announcement out of the White House last week that DHS, CISA and DOE are going to work collaboratively in a public-private partnership model with the electricity industry to look at ways to innovate the grid and basically enhance the grid, there's a lot of the cyber threats that we're seeing today. So the answer is yes. I mean, it's like, there are so many startups or so many people, I probably talk at least with one or two people every week that are saying, I have this idea, what should I do? So I think there's a lot of interesting things coming out, you know, not to get caught up on too many buzzwords, but AI and ML and the cloud are literally just, they're burning the house down. So there's a lot of exciting, exciting things happening right now. And I think to your earlier point, the last 12 months, where it was kind of slowed down for a lot of reasons, now it's like it's blowing out. So I think it's gonna be an exciting next year, or two, or three.

- So, Terry, you're on this roller coaster ride where things are going well, you stop sailing, now you're having to make really started prioritization decisions. Can you talk a little bit about how you thought about prioritizing, how the uncertainty either helped or hindered, and what kind of risk characterizations and conversations were you able to have? - That's a very complex question. Because there were a lot of conversations.

Initially, we thought we'd be down for, you know, maybe six weeks and here we are, really what had happened. We have a good strong leadership team and there were conversations with them on, once it passed six or eight weeks, you know, how do we, you know, do this, do we keep the lights on, we just focus on that, minimize the impacts to our guests as well as our employees? And those conversations happened every two to three weeks. Security was fortunate enough to be part of those, right? Because obviously we don't want to let our guard down during something like this.

And so we were prioritized pretty well in comparison to some of the other groups, right? Because they didn't really cut our resources, they didn't really cut our budget, because they knew the importance of what we were doing to protect the guests and protect the company. But we did have to prioritize, right. A lot of capital expenditures were cut back, or refocused to other things that were more tactical. Much like Mike, we had already undertaken a number of projects that were improving our infrastructure, making it better for going forward.

And so we expedited that, right? We put the capital that we were gonna expend on other things into that to finish that, to make our entire workforce, you know, work from home. So there was that, but communication was key. The leadership team met with employees every two weeks by virtual meeting, right? This is where we're at. This is what we're doing.

And so that helped ease some of the fears with it. You know, some of it is, you know, luck or blessing or whatever you wanna call it. We had enough things in motion that we were able to adapt. And I was using that word before, we were adjusting the things, and Royal is flexible enough to try to pivot when we had to. And I think they did a pretty decent job in general with what we had to face.

- I think, Mike, you faced the opposite, right? Where all of a sudden you had an abundance of riches in terms of business. How did you think about, how did that risk conversation go, and security in the context of that? - So I've always been a part of a conversation with leadership around broad enterprise risk. And one thing that this year brought that was completely new and unexpected was the pandemic affected all of us.

If you kinda go on the Wayback Machine, it affected all of us regionally in different ways. We operate in all different regions. We operate in a number of different states.

The states each had a response. And so we had some states that we operate in, Pennsylvania, California, they shut everybody down and had lockdown, and made us shut our plants down, right at a time when demand was pretty good for us, and then, you know, things kinda even took off after that. So we, as a company, had to kind of adapt. We had to do some interesting things business-wise. I ended up being very engaged in collecting all sorts of data from different data sources that were out there about relative pandemic risk and what kinda cases are happening.

We also got heavily engaged in messaging people because we had this thing that was a security awareness training platform, but it became a training platform for other things because we could kinda certify people had been through education. We had to educate people about masks and social distancing and all sorts of things. We implemented some protocols around: Are you safe to come to work? Have you been exposed in your home outside of work? There was just a ton of things coming at us, and so we had this blessing, if you wanna call it that, of a surge in demand. We needed to keep our associates safe and keep bringing them to work so that we could keep making product. And all that was on top of an unprecedented amount of phishing and worry, and just people feeling very provoked by events in their lives.

And so now they get, you know, the phishing email or they get the thing that tries to provoke a response and they're already stressed. So it's been a very challenging year. I'm feeling like we were blessed not to have ended up in the headlines in a bad way. We had a number of large suppliers, by the way, that did get jacked up, and we had a cardboard box supplier, a big paper company, that went entirely offline for about six weeks during a ransomware event, couldn't run any of their factories. And, oh my gosh, I'm sure you'd have seen my head on a spike if something like that had happened in any of our factories. So I'm thankful that we made those investments a little bit ahead of time and avoided the worst case that some people had happened.

- Yeah, I'm struck by your comment and something I know Mark you have been writing about, and that Dell, John's money at Dallas, very focused on, and that's the power of a converged security team. Heron and Mike, you've made the case for how a converged security team supported you through this activity, right? Leveraging the cyber security platform for physical security and safety benefits. - Yeah, and that's been very much a part of who we are. As a company, we're a manufacturer, and in a capital-intensive industry, information technology as a whole is an extra cost item, not something that really can drive much profit. But on the good side, because we've been very consolidated, and very integrated into what the business does as we've done these different things. When we did our big new SAP, when we did the networking needed to do barcode labeling in all my plants. When we did those things, we made sure we architected it and we built it to be secure by design and then deployment.

And so each time we get a chance to do that, we inject it in and away we go. And then our team again is just very tied in to what the business is doing. So it keeps us in a close partnership. - That alignment with business, I think, is really important. Oh, please, Mark. - I wanted to just jump in there also. You mentioned convergence, this is, you know, this is something that we've been talking about in security for a long time. And when I was at NERC is when the first time it really came home to me. You know, one of the utilities had a security incident out in a field at a substation.

They knew that the substation was offline, but this DSO was not talking to the CISO, who was not talking to the physical security guys. So the substation was offline, but they didn't know who to send. They didn't know if they should send a guy with a gun, or a guy with a wrench, or a guy with a laptop. So, you know, that's the first time this convergence came to me. And I think, you know, over the past year, working with a number of very large companies, COVID has provided an additional impetus to that. So now you have HR involved here. HR is trying to figure out what employees have, you know, have been affected or what employees have potentially been affected.

What employees have been to locations where they may have been affected. And, you know, what employees do we have to have come into the office. So tying in the physical and logical identity of people has been, it's never been more important than right now.

And trying to figure out, a company is trying to figure out how they converge all this data, how they can take batch data and, you know, entry data and login data, and how they can tie this all together to give them kind of this common operating picture of what's happening in their environment, has been really profound. And a couple of the companies that I work with have done really well. They've transitioned really quickly into developing technologies that satisfy these needs. As Mike said, you know, mentioned SAP. SAP has really been kind of leading out on their technology, their ERP technology, being able to tie in and bring all this stuff together.

So it's been an exciting time from that, from a technology perspective in that way. And this convergence, you know, I've been a proponent forever because the efficiencies are obvious, and the cost savings are, you know, instead of having three siloed security teams, you have one security team with perhaps two or three disciplines within that security team. But the fact is they're all communicating and talking better together now.

- And I think that inclusion of business continuity or enterprise resilience in that team is even more important, because when I think about the cyber-related events that we're having to deal with, Mike, your comment about a site with a ransomware attack that took it down, if you silo your business continuity away from that, that becomes, I think, an inefficiency that's a part of it. So I think that's equally an important element. But a slight pivot though, because I think we've talked a lot here about companies who've had the resources to really focus on the challenges. We need now to have this concept of the security poverty line, and Mark, you've talked about the Fortune 500 and the unfortunate 5,000. It strikes me when we talk about the haves and the have-nots that the last year has really exacerbated this line here. And how do you think about approaches for the next year from this, Mark? - Yeah, so, you know, Bobbie, from our days working at DHS this was one of the challenges, the, you know, the Fortune 500 get all of the oxygen.

If there's a security incident, you know, at a Fortune 500 company, it's in the Wall Street Journal and the Washington Post the next day. But if you're for him, you know, and this is not intended to be a derogatory term in any way, but if you're a part of the unfortunate 5,000, you know, not only don't you get the visibility, which could actually be a good thing in some cases, but you don't necessarily get the resources. The companies aren't typically as maybe forward-thinking as some, the Fortune 500, where they actually are putting money in and investing. So I think your comment about the, you know, the security poverty line, it was really a suit because, you know, Wendy, I think she first coined this term back in 2017 or 18, or something like that, but it basically was meant that, you know, companies understand their security gaps to build better awareness, but they don't have the resources or the budgets to buy and implement and manage, you know, the security controls to actually reduce that organism.

So I think, you know, the security poverty line is actually responsible for a lot of the tech debt and the compensating controls that we see accumulating in a lot of organizations. So where do I see it going? I think, you know, as I said earlier, I think there's some positive things happening. You know, as Mike said, you know, it was kind of a time to say, okay, some of these projects that we had planned and were thinking about, maybe now's a good time to do them. And a lot of companies did that. They did make some investment; they were able to do some massive shifts in technology and transformational kind of upgrades over this past year. So I think the future is, it has to be better, because I'm more on because the federal government is gonna be getting more and more involved. It's just, there's no doubt about it.

And you know, whether you like regulation or not, it's coming, mark it down, you heard it here first, we're gonna see more regulation across the board on cybersecurity and privacy. And if the federal government does it right, you know, that can be a positive thing, but you know, if they don't, I really think they need to bring the private sector into the conversation as they start making these decisions, because there are too many unintended consequences and we've seen far too much of that out of the government. - Yeah, so Wendy's approach talks about money, about resources, but it expands that concept, I think, in a really profound way. It talks about talent and influence being equally elements that are necessary, and you might have resources, but with insufficient talent or insufficient influence. The other trend I've seen a lot of over the course of this year is sort of a heating up of the talent challenges globally in this space, right? As companies have had the kind of uncertainty that they've experienced, other companies who have the riches have been able to draw that talent away. Mike, Terry, does either one of you wanna sort of explain how you see this talent challenge, particularly for organizations that can't, you know, don't have cash to outlay to bring in the top talent into their organizations?

- Sure, I'll jump in first. And we do, right. We are travel and leisure, right? We sell funds.

So when you're competing against some of the big banks, they have what I call golden handcuffs, right? They can pay above market and get people. That's what they do. So we look for other ways to do this.

We obviously, when we are sailing, have very good perks for employees, so that's one of the selling points. That was the reason I came to the company. I love to go on cruises and, you know, the opportunity was there.

The other thing we do is we look for people coming out of the military service. We work with Skills Bridge, bring them in; that has been working very well for us throughout 2020. We brought people in, they basically, it's like an intern, but they're already a skilled technical person.

They work for six months. Most of the time, our goal is to convert them to employees. But that's something that we're just ramping way up because it has been highly successful here. The other thing is we look for, you know, folks out of college that maybe have some passion, and some background, and they're hungry to get out there and learn things. You know, if you have the right attitude, you can train anybody.

So I have tried to keep a few really senior people and I try to supplement in other facets. - Yeah, so, well, I'll pile on to Terry's last comment. That's absolutely a technique we use. I don't have the budget or the headcount allocation, if you will, to do a lot. So I have to be very careful and I have to manage what headcount I'm allowed very well. We're kinda blessed in that Charlotte, North Carolina is a great place to live, and so if we pull someone here from somewhere else, chances are they're gonna wanna stay in the area.

And that sort of thing, which has been great. We're also in North Carolina, which is becoming a little bit of a tech hub. So it's becoming easier to get access to tech resources. All that said, I've also had to figure out how to leverage every form of partnership known to mankind.

So I've got all kinds of managed service partners. I've got consulting partners. We even have some local tech where we'll go to companies. We have a huge Microsoft presence here and I'm very invested in them. They have people that are on their bench, or interning, or doing things, and you'd be amazed at how inexpensively you can access talent that's on someone else's bench. You just have to be creative, and you have to be flexible in your timing.

You know, so sometimes that works. Again, we stitch it together. It's like a patchwork quilt that you hope doesn't look too bad when you're done but that's kinda what we're doing. We try to have some lead people, architect type people that are kinda the glue that binds all this together. And that's kinda difficult.

That's especially difficult to preserve, but again, something we're working on all the time and feeling the pinch all the time. But Mark mentioned it a little bit earlier, too. I'm amazed at how some of my partners have leveraged AI and ML and other aspects of their tooling to where the tools are getting smarter. So, you know, we used to only have the availability of putting human eyes on something in order to analyze and make decisions; more and more, tools are getting better. I'm not gonna say perfect, because again, I think AI and ML is like an untrained baby wandering around. So it can be a little dangerous sometimes, but it's interesting, the progress that you see being made.

- So I'm gonna weave Mark's talent about good Wi-Fi in his RV, wherever he is in the world, and Mike, your comment about North Carolina. As we go forward, I mean, talent no longer has to be so regionally oriented. How do you think about that kinda, how does that change the way you think about sourcing and engaging? - Well, so particularly in SAP, that's where it really sort of was a two-by-four to the forehead. We've now got talent all over the world. And the only thing a little bit stressful about that, many of the folks listening in or even on this call know that you end up with talent from Eastern Europe, you know, talent from somewhere in Asia. And the next thing you know, you're having conference calls 24/7.

So that can be a challenge, but it's amazing the availability of talent and you can have work. I mean, we've done project work where we followed the sun with the work, where teams have handed off, and that's gone amazingly well. I, you know, back a few years ago, if you told me I'd be doing this, I'd have laughed at you or maybe wanted to punch you in the nose, but here I am. - Yeah, I think we talk about this as work from home; in many instances, at least for me with folks, it's almost as though I'm now living at work.

And so I think that's important. I'm gonna then go back for a second, and let's talk back about uncertainty and speed. One of the things that we all experienced with this need to be incredibly agile about the decisions we made was getting comfortable with the amount of uncertainty that we had in order to make those decisions.

McKinsey has commented that this isn't gonna go away like a normal crisis and that we're going to have to continue in this higher speed environment, that the 12-month planning cycle now feels like it's six months, or four months, or even three months. How do you see that impacting your ability to build a viable long-term security program? - So that's a tough question. - Well, that's why you're the experts, right? That's the problem that everybody listening is facing. - One thing we've done, we do our level best to be in a framework kind of approach and then, within that broader framework, to be very agile and to adapt. And I think that's one of my big, big lessons learned out of this year, because you go in, you know, you think you have a year or more plan ahead of you.

You go into a year like the one we've just survived and you realize how crazy that idea was. And I'm not really sure that we'll get to go back to the way it once was anymore. I think we'll have to be way more adaptable, way more agile in our approaches, and willing to get unexpected data or events that arrive and then deal with them as we go. But, having said that, there exists a body of knowledge, most of the good frameworks out there; we're very much an adherent to some of the CIS framework. The frameworks absolutely give you a core set of guides that you need to be following, even as you kind of hop around to address something that's emergent and urgent.

- So we have about five minutes left. I wanna give you each the chance to sort of leave our audience with this question. And Mark, let's start with you. What is the single COVID-19 related security trend that worries you the most? - Yeah, well, I guess my answer is probably not anything that you would think it is, but I think that misinformation, and disinformation, and fraud, that's the biggest threat that I see right now. You know, we've gone through so much with COVID, and with vaccines, and with the elections, and everything that's happened in the United States in the past year, I think people have become, almost, they've become very distrustful of almost everything and everyone. And that's not good for society.

I mean, you know, we have people arguing with experts now because of something they read on Google, they saw on Google that, you know, contradicted what an expert said. So I think, you know, misinformation and disinformation, COVID spawned a lot of these things that are gonna be hard to recover from. I'm not sure, quite frankly, how we put the genie back in the bottle, and, you know, I guess healthy paranoia is good, but I think we've crossed over maybe a little bit too far. So that's what worries me the most. - Terry. - I do like what Mark said about misinformation, because I think that is 100% spot on. There's a lot of that.

I think that, strictly from an incident response perspective, what we're looking at is a huge increase of phishing attacks, very complex ones many times, and ransomware associated with those. So that worries me. We saw a huge spike during 2020, about a 500% increase of unique attacks. So that's got us on our guard, but we've also taken other considerations around it, using AI and some automation that we didn't have prior.

So we're trying to accommodate the best we can, but definitely that's gonna continue; as long as there's some fear and misinformation out there, people will be trying to take money or advantage of individuals. - Mike. - So I guess, trying to stitch together a little bit about what the other panelists have said, I'm very worried that we're seeing an increase in crime as a business inside the cyber warfare in a way.

So I'm not so worried about nation state attacks as much as I am the fact that there are nations in the world where you can make a really good living as a cyber criminal. And then there's almost a network of cyber crime out there working against us. And it feels like this year they've really ramped it up. And then at the same time to tie back to what Mark said, I've got people that are struggling and under stress, and very responsive to the buttons those guys push. And so all those things really worry me going forward.

- Yeah, I think as much as we spend time as security professionals thinking about the technologies that we need to put in place, this year, I think, has reminded all of us that this is a very human business and a very human set of experiences that are there. And I think for me, one of the key themes I heard from everybody is that people remain our most important resource, and that a focus on their care and their contribution and their innovations is really a vital element. So I really appreciate your time today. I look forward to continued discussion on this topic.

I think, like y'all, I'm optimistic about the year ahead, but I'm skeptical as well, because there are many places where it could go either way, and so I'm happy to have you all on the team and a good partnership going forward. - Great conversation, enjoyed it. - Thanks, Bobbie.

2021-07-24