The IT-Security Paradigm Shift panel discussion - Hosted by Aiden Technologies

Good morning, good afternoon, everybody. My name is Paul Ferrillo. I'm a partner in a big law firm in New York City, but more importantly, I've been in the cybersecurity business since 2012 handling major breaches, maybe major hacks, maybe major nation-state attacks. Really great to be with you here today. We have an excellent panel of speakers here of all different life experiences. We want to make this discussion as interactive as possible, as communicative as possible, so if you have any questions, please feel free to post them on the chat. We'll take your questions at the end, and we'll make sure that everyone gets their question answered, whether we're on the webinar or afterwards. We're here to help and we're here to support you. Before I introduce our panelists, I'd like to introduce Aaron Mellman, director of marketing for Aiden Technologies, to kick us off, and then he'll kick us back to me.

Hello, my name is Aaron Mellman, director of marketing for Aiden Technologies. We're very excited to be hosting the first ever IT-Security Paradigm Shift panel discussion with thought leaders from the technology industry. Aiden is automating patch management and software deployment to create better security posture for our customers. We're focused on helping to bridge the gap between IT and cybersecurity so that people and businesses function flawlessly. If you would like to learn more about Aiden and how we can help your organization improve cyber hygiene by decreasing vulnerabilities and allowing IT teams to focus on critical projects, please visit our website, meeting.com, or you can reach out to me directly via email, aaron.melman at meeting.com. And with that, I'll hand it back over to Paul. Thanks, Paul.

Thanks a lot, Aaron. Good to see you again, and I'm glad again that I can host this. Let's do some panel introductions here. Casey, can you tell us a little bit about yourself and your background, please?

Sure. I'm Casey Santos. I'm the CIO at
Asurion, relatively new to the role, been here about two months now. Very excited to be here, based in Nashville. Prior to this I worked at AllianceBernstein and ran process innovation, business process innovation, and before that I was CIO at General Atlantic in New York, a private equity firm. I'm an aerospace engineer by trade, worn lots of different hats, and have had to dual-track the security and IT roles.

So Josh Aaron, how about something from you, sir?

Sure, thanks a lot, Paul. Thanks for hosting this today, we really appreciate your involvement, and thanks to everybody else and my fellow panelists for being part of this. My background is mostly an IT consultant. I spent 25 years building my own company called Business Technology Partners in New York after being an industrial engineering student at the University of Michigan. I went on to hold roles as a CIO in healthcare and a CTO at a private equity firm called Hellman & Friedman, which is where I met my co-founder, and then started this new company, Aiden Technologies, bringing what I think is a 16-year best-kept secret to the marketplace. We really are trying to inspire some thought leadership around IT and cybersecurity. Happy to be part of this panel, thank you.

Thanks, Josh, really appreciate it, and I'm sure we as a panel will give you that thought leadership. Gina, how about a word from you, please?

Good morning. My name is Gina Osborn. I am a cyber and leadership consultant and an international speaker. I'm also an army veteran and a retired FBI agent and executive. For 11 years I led the FBI's largest cyber and computer forensics programs out of Los Angeles.

Gina, I heard you had some dealings with a breach called Sony Pictures. Is that correct?

I did. I led the investigation team in Los Angeles on that international incident.

That must have been quite an experience. Anthony Johnson, let's hear a word from you, sir.

Awesome, pleasure to be here. Thank you very much, everybody. Anthony Johnson,
managing partner at Delve Risk, a market research organization that I founded two years ago. Formerly I was a CSO at JP Morgan for the corporate and investment bank, the largest IB in the world. I was also the CSO at Fannie Mae, GE Treasury, and I was on the board for The Clearing House; I was on the risk committee there. I've been on a number of boards, and I do a bit of venture investing as well. So I'm really looking forward to this topic today, so thanks.

Thanks a lot, Anthony, really appreciate it. I think it's important for everyone involved, and I think it's important for the audience here, to set the stage a little bit. There isn't a day that cybersecurity isn't in the news here. Gina, can you set the stage here, talking a little bit about today's environment in cybersecurity? How did it get so bad?

Sure, Paul. Well, I was a counterintelligence agent in the army during the end of the Cold War, and I think this is also a cold war that we're encountering now when you look at the cyber nation-state actors that are involved in everything that is going on, and they're very creative about doing it. So from my stance, having responded to several catastrophic cyber events, computer intrusions, I think it's so important for every company to understand that we're only as strong as our weakest link, so to have everybody involved from the top down, because cybersecurity isn't an IT issue, it isn't a security issue, it's a finance issue. And if we look at it from that perspective, everybody in the entire company is going to have some sort of ownership when it comes to cybersecurity.

Anthony, what I hear from business executives all the time, and maybe you could parlay a little upon what Gina said, is "I'm not really a target. What do I have to steal?"

So I actually don't think that that's the driver anymore. I think the driver is that there really isn't a business ramification for getting breached. And what I mean by that is that if you
look at the market price, the stock price of every company that's had a breach, there's only one that hasn't recovered, right? There's a group of CSOs that I'm a part of where we actually buy on breach. It's a normal thing: we wait till it goes down 20 points, then we buy, and then we exit once we get our 20 points back. And so I think business leaders are having to internalize a different value prop, which really means how do they get and use cybersecurity tools to get to a faster business proposition, a faster value chain, as opposed to the scary thing. Even if you take the notion of a data breach, PII, it's no longer really about brand impact, recognition. It's the GDPR fines that are really driving the behavior of organizations to make the investments, as opposed to "we're going to upset customers." Customers are so used to it at this point. So I think it's a different business calculation.

It might be, well, it's a different business calculation, but you know, as a board advisor, Anthony, I get involved in the whole market cap thing all the time here, and the market cap thing drives lawsuits, the market cap loss drives attorney general investigations, and it's certainly relevant here. But one of the things that, Casey, maybe you can help us with here, one of the things I find most often speaking to boards of directors is the language problem here. We tend to get too enmeshed in technology; I call it cyber speak. Is there a method that we can better communicate the cyber problem to boards of directors?

Yeah, I mean, I think it's interesting, because there are a lot of articles and things written these days around the new role of the CIO, the new role of the CSO, and the importance of being able to bridge and speak business speak, right? Being able to speak to boards, being able to speak, and it's not just around security, but it's interesting when you put the security lens on it. There is a lot of that
we call techies, you know, cyberese, where we're speaking in acronyms and things that are making it very hard to understand. And I think that's now become part of our role, to evangelize and to communicate in business terms what this means, right? If you're a B2B business, what does it mean if your customers lose faith in your security? If you're getting fines? There are many different aspects. You just have to have that conversation and be able to have that conversation in plain language. So I think it's interesting that the skills now that you need to succeed in business as a technologist are also applicable when it comes to security issues.

I think you're right, Casey, and I find boards of directors sometimes ensconced in their silo, right? They know what they know, but they only know what they're told, and it depends upon who tells them and how it's told. It also depends a lot on how often they talk with the technologist, how often they talk with IT, how often they talk with security. Let me get Anthony's perspective here as well. You deal with boards of directors all the time. Do you find that there's a silo mentality here, or do you find that you and Casey and Gina and others are able to break the silo mentality here and get into the nitty-gritty with boards?

Yeah, I think so. If you take for example the NACD, the National Association of Corporate Directors, they do a really great job of educating. They just published another guidance in December; I think the last guidance was a couple of years back, on cybersecurity. There's a certain level of expectation that we can say, hey, these are basic fundamentals, and I think board members are attempting to grasp that. Fundamentally, though, they are not going to understand CI/CD. They're not going to understand how APIs actually work, and that would be akin to asking board members writ large to deeply understand
the workings of financial capital management. They're going to be able to get the high-level grasp of things. So I think that they're attempting to understand, but we can't expect them to go super deep. So I do think, I know the SEC is re-looking at its role of mandating a board member that has deeper tech experience, and particularly on the 10-K, calling out a CSO. I think we're going to see regulators actually shifting that as more of a hardline requirement, but that's going to be, we're still some time from getting there.

Well, let me get to Josh Aaron here. Josh, you talk a lot to business people. How do you translate IT into business speak? Are you finding it to be a chore? Are you finding it to be easier as time progresses and as directors are more, quote, "in the know" about cybersecurity?

Well, thanks, Paul. I think, to much of Casey's and Anthony's points, removing jargon from our vocabulary when we talk to executives and boards is where it really starts. And I mean, throughout my career I had to work on that, right? That's something that as you move up in the ranks as a technologist and you deal with more executive layers of leadership, you have to be able to do, or you can't move forward. If you say things like CI/CD, there are probably people listening to this call right now, Anthony, right, that don't know what the CI/CD pipeline is. So it's really critical when you're communicating with people, and it's not just critical when you're communicating with people at the board level, it's critical down in IT. I think people

sometimes don't realize, you know, that's kind of the level that I've been playing at lately with Aiden, that even between cybersecurity experts and IT experts they're not always speaking the exact same language. The board may think so, just because they see them all as some kind of IT, right? But in reality there's language in cybersecurity that people on the IT operations side don't always understand, and vice versa. And we're really focused on bringing everything into a plain English setting, right, so that people can communicate. You know, CSOs don't have to deal with XML scripts, right, XML queries and database scripts and PowerShell and things like that. Typically they have to deal with vulnerability scanners and tools and threat intelligence and other kinds of things, right? And on the other side it's the opposite. So it's really about creating a conversation down at the lower levels. But the board needs to have more awareness, and we can talk about this more, that they're not incentivizing CISOs and CIOs or CTOs to necessarily build a common language. They're incentivizing CIOs and IT operations to provide more convenience, more utility, more functionality to the business, and they're incentivizing CISOs to keep us hardened and secure, which of course flies in the face of convenience and some of the things that they'd like to see done as high-profile projects. And then they're holding them both accountable, sometimes to different standards. We need to create a conversation where there's awareness and get them to work together better.

Well, let me talk a little bit about how to create the conversation, because I'm going to take the board of directors' position here too, since they're normally my clients. They're like, give me stuff to read, show me stuff, show me information, talk to me, I can't just see you once a quarter. Gina, let me ask you a question. How do we educate the board members and give them readable information for them to be aware of a company's cybersecurity posture?

I would say
invite your local FBI agent over to speak to the board about the threats that are going on and different attacks that have taken place. I think if you are on a board and you haven't experienced some sort of cyber incident, you're not really going to understand what it means when one goes down. And we talk about, you know, whether it's talking to security, I mean, when I started, when we began, I mean, it's got to start at HR with onboarding. I think it has to be an enterprise problem and an enterprise responsibility for everyone, and it has to go all the way up to the board, because we don't want there to be a time where IT, security, legal, HR and PR all get together because there's been a major breach and now all of a sudden everyone has to work together to find a solution to this. It should be starting now, whether it be with exercises where you can include board members, where in the event there is an incident, this is what everybody's responsibility is. That would be my suggestion.

I'd just add one thing to that. I think one thing I've seen work to get people to understand is when it's not only educating on what happens at a company but what can happen personally, to your family, to you, because it gives you that empathy. And so I found that having speakers, people that can educate on, you know, how easy it is to get information and navigate through, to your point, I think when it touches something personal in addition to a company thing, that actually is much easier for people to understand the importance of everything that comes with security.

That's a great point. When you're in a situation where your entire organization, all of their info, personally identifiable information, is out in the wind, and you can't make payroll because you don't have a server or a network to be able to conduct that, I mean, those are the things that you need to start thinking about. Like Casey said, how does it impact your employees? Because it's just not the company's problem.

I think that, though,
there is something to recognize, that I don't believe that board members are actually having, I'm gonna get flamed on this one, so I'm prepared for this, I don't think board members are largely having real conversations about what risk tolerance is related to cyber, right? A lot of times board members will say, no, we have zero appetite, we have no appetite for a cyber event, but we are willing to write off two billion dollars a year in fraud losses. All right, zero cyber incidents, but you can accept two billion a year in fraud losses? You are not calibrated on what real risk is here, right? Even when I was at Capital One, right, it was a hardline component of, if it wasn't a 300 million dollar event, we probably wouldn't notify the board, unless it was a cyber thing. And that is a crazy disconnect, because the cyber event could be maybe a two million dollar event, but we're going to notify the board; otherwise it has to be 300 million. So I think boards need to come to terms with what real risk management is, what the real risk appetite is, and then be able to have a meaningful conversation, because until that happens you have CIOs and CISOs that are just throwing things up there that might stick and trying to get some traction there.

I agree with you, it is a risk conversation, right? And it's also setting a bar that's really, really hard to meet, to say that you can't have any incidents ever, and that's not a realistic goal. I think the hard thing around cyber risk is it's really hard to quantify, and so I suppose you probably have some great frameworks to do that, right? Because there's the hard costs and then there's the reputational risk and all the other things that come with it. But I agree with you, it is a risk conversation, and it's not as much a conversation about how to stop things from happening but also what to do when they happen, so that the board, everyone, knows how to engage at the right time in the right way.

Yeah, I
think these tabletop exercises which you guys were alluding to before are really impactful, but they have to be done, kind of back to Casey's earlier point a little bit, in a way that hits home personally. Like, I used to conduct a lot of cybersecurity awareness training and tabletop exercises. People would sometimes walk out of the room and, you know, like two days later it felt like the executives were back to not thinking about it, right? The one that seemed to be most impactful in my experience: we brought in a consultant, we had them bring out a Pineapple device, and we had them steal a bunch of information from the mobile devices of all the executives in the theater. And that time people were talking about it for months, right? The minute it feels personal to them. And so I would love to hear more thoughts from you guys on how do you get these things to stick in their mind, because it often feels like we run an exercise, we run an awareness training, we do things to increase awareness, but then everybody just goes back to business as usual.

I think there's something to be said about the way that security leaders have grown up in industry, meaning that we grew up when cyber... I distinctly remember the day getting a call from a recruiter saying, hey, I see you have information security on your resume, do you do cyber? And I'm like, what's that, what do you mean? They're like, well, can you just change "information security" to "cyber"? And now you're a cyber guy. And I'm like, all right, I guess I'm a cyber guy now, right? But we grew up having to justify every dollar, and so we would justify that with the fancy stuff. We'd be like, oh my gosh, these APT threat actors, we have to set up this, you know, crazy, we hacked over the wireless. And I'm gonna bring it back to what you guys are doing at Aiden, which is fundamentals. Like, we really can win, and if we can educate the board on strong execution of
fundamentals, where we don't need to focus on the triple backflip kick. Let's, you know, those karate fights are won by doing 10,000 kicks really, really well: patching really, really well, and we don't focus on that enough.

Yeah, that's a risk conversation, right? You spend 80% of your time working on the edge cases and you're not keeping good hygiene in your organization. Why? What are you doing, right? And understanding, until there's a breach, right, or until there's an incident, and that's when, you know, like Paul, you were saying the other day when we were talking, you were telling me a story about how companies will spend $500,000 a week or more on attorneys to come in and do this, but they won't spend a couple hundred thousand dollars a year to put the right controls in place up front.

Yeah, I mean, listen, I've been involved in a number of breaches, Josh, and I have been guilty in a nation-state one of spending about a half a million dollars a week between two forensic consultants, two sets of law firms, notices to 50 states and 37 countries, and having the chairman of the board yelling at me, "Do we really have to notify our customers of the data breach?" To which I said, to Anthony's point, yes, or you're going to get sued by the attorneys general and the FTC. And those conversations tend to get very awkward in some way, because people aren't connecting the dollars and cents here. What about discussing vulnerabilities and risk with the board? How do we interest boards of directors in the whole problem that cyber at the end of the day, if it's poorly handled, gets to be systemic risk? How do we bridge the gap here?

I guess I'll jump in. I would just say this. I think there are difficult conversations for exactly the reason how we opened up and we talked about the techies part of it, right? So when you get a vulnerability assessment, you get this 50 or 60 page report with, you know, all sorts of stuff breaking down into very specific possible
vulnerabilities and how you need to fix it. If you do it well, you've got a good framework, and I think that the art is figuring out how to boil that up to the stuff that really is accessible and explains, at the high level, the stuff that causes most risk, and that you're really focusing on the big important things rather than going down in the weeds on things, because you can create distraction, right? To that point, Anthony, I think you've talked about, you want to work on the things that are most important first. So I think those conversations should be happening, but it's an art to get it at the right level, right, and make sure that we're communicating and getting the right thing, because you will get different results depending on how you communicate it, right? If you're looking for investment so that you can attack these things and make them happen, that's good, rather than going down into the weeds on things that are less applicable.

I would say get the board involved in either updating or creating the disaster recovery plan for what does resilience look like to your company in the event you have this massive catastrophic breach. And I think that'll definitely get people's attention when they start having to think in that scenario, that if everything is gone, if there's a ransomware attack and now we're being extorted and everybody in the world knows about it, if the CEO's emails are going out there and everybody knows what's being said back and forth. I mean, I think if you just bring in these things that actually happen when these incidents occur, and somehow get their participation in some way into this disaster recovery plan, I think that'll definitely raise it up a little bit when it comes to putting it at the top of their mind.

So just for a little bit of context. When I was at JP, if we held a certain amount of money for an organization,
we would, myself and other MDs, we would go and educate their boards. So these are all large public companies. And I do think it's an important balance to recognize that boards of directors are not management, and people often try to blend that. They're like, well, we're gonna go talk to the board and they're gonna tell us what to do. Like, no, no, no, the board is not management, and when they start to play into that management space, that is a very, very different world, and it just creates a lot of complexity and messiness. When you're doing an enterprise risk event tabletop, you want to have the management. You want to engage the board for awareness, absolutely. To make a decision? No, right? There's a very different set of who can make the response, the actual decisions of how to contain and manage an event. And I would actually avoid talking to a board about things like, you know, vulnerabilities and numbers, because just because you can count it doesn't necessarily mean you should share that. Because you say, hey, we have a million vulnerabilities. Okay, that's out of 10 million? Out of 100 million? Like, what's the universe in context here? So being very, very deliberate with boards, I think that's one point. And security and boards with that level of senior leadership is really the critical, that's the doers, right? Those are the ones that, when you have a disaster, many of the missteps are not technology. It can be communications, it can be finance, there's many legal things, right? So there's a lot of things that have to happen. So I think that's where the conversation gets really meaty, right, and really interesting.

Yeah, but let me push back on all of you from a board perspective here. Anthony, board directors have fiduciary duties. How do I tell a board member it's not his problem if somebody hasn't patched a vulnerability, and you know which company I'm talking about here, in March of 2017, and didn't patch a critical
vulnerability that might have showed up somewhere in the vulnerability assessment until July, and didn't report it, didn't report the patch? Yeah, operational challenges, operational risk management that have to happen by the management team, right? Board members need to understand and fulfill their fiduciary duties too. So we have to bridge a gap here between operational and fiduciary duties, and what they're thinking about and what they're doing. How do we do that?

Yeah. Well, so I'm just going to say, like, you know, I think to Casey's point and Anthony's point a little bit, it's like board members aren't going to understand "I've got a CVE that affects this particular server" or whatever. What they might understand is the average dwell time in organizations, over 100 days, on getting things patched that have been available for 24 hours after we have a known vulnerability, right? They need to understand big-picture elements like that, and those CIOs and CTOs and CSOs all need to be unafraid to present them at the board level, right? A lot of times I think they start thinking, at least in my experience, you know, if I present this information I'm going to look bad for it, I could lose my job for it. Everyone knows that that's a real risk and a real fear: that CIOs and CTOs and CSOs are all afraid of what to present, and am I going to get my hat handed to me because of it, right? They need to be shown an open door by the board, that we want to hear this information, and the CIOs, CTOs and CSOs need to be comfortable going in with the real big-picture items like that and be very authentic in what they're presenting to the board.

Yeah, absolutely. And you know, I was on the enterprise risk committee, audit committee for The Clearing House, right, and it is a perfectly fair question or fair comment to say to the board, thank you very much for the input, that's a management-level problem, we will give you the update at the next
board meeting here, right? It's not a comfortable conversation you're about to have with the board, but there is a distinction from what the board charter is, to say, hey, providing oversight, challenging, but not managing the organization. When the board tries to get into day-to-day management of an incident, that's when things really get confused on what we would always call "who has the hat," right? Because when there's an event, that CEO needs to have that hat. Now, the board should be challenging them: hey, have you thought about this? How are you managing your risk? Are you within tolerance? So it goes back to what Casey was saying, it's a risk tolerance conversation. Is the health of your technology operations within your risk tolerance? Yes? Awesome. I might ask questions challenging that, but I'm not going to get into "are you patched for CVE number 14-something." Like, that is definitely nowhere near where board members should be, and I would tell them to go sit down.

Well, you're a better man than I, because I never tell board directors to sit down and shut up. Ha ha. Let me ask you a different question here. How has, respectfully, how has COVID-19 changed cybersecurity? Gina, maybe we start off with you.

Again, making every employee responsible for that. I think with this work-from-home situation, it just gets harder and harder for the IT side to wrap their arms around, you know, what's going on within their workforce. So I think it's definitely gotten more difficult with the work-from-home situation.

I would add to that. I think what we've learned with COVID-19 is that your attack surface is a lot bigger, right? And it's not just from a security perspective but from an operational perspective, right? Instead of having to make sure you have business continuity for X amount of offices, you now have thousands of people in different places that you have
to deal with, similar to the security side. You know, you've got thousands of endpoints and thousands of home networks and all of those things that have to be considered. So it's a challenge, you know, and I think a lot of people, some were more prepared than others to deal with that. If you're used to working remote, if you'd already kind of been building up some muscles, you'd already distributed a lot of your environment, you're using a lot of cloud, you were probably more prepared. But it definitely has shifted the thinking and probably raised some awareness. So when we go back to hybrid, we're not going back to the way things were. It'll be hard to.

I was actually, just a few months back, speaking at the Federal Reserve about this topic, and my favorite piece here that I asked the audience was this: because people are now working from home, should a company have the responsibility to do a background check on their roommates? And it's this really crazy conversation of like, man, they're moving money, we no longer have the physical control. Because if a consumer suddenly had a data breach because of a roommate who had some fraud thing and they had access, because to be honest, people are not locking their computers at home. Like, all these basic controls that we would expect have kind of gone out the window. And so we're now in this new world of where does the company responsibility end, both, as Casey mentioned, on the human capital side, on the technology side, on the actual, what does business insurance protect against? Like, it's a whole new world here, and it's kind of a crazy piece. But I think COVID has forced us into these situations of now we're looking at, like, ah, we really have to think about this now. I do think that that's a great board-level risk-tolerance type of conversation, though.

Yeah, not only what can the company take responsibility for, but
what can the company really achieve? What can we as technologists on behalf of the company really achieve? What does zero trust really mean, right? I can put in a zero trust network, but to your point, Anthony, can we trust the roommate? We don't know, right? And we don't know how to really guard against that. We can do cybersecurity awareness training, we give people privacy screens, we can show them how to easily lock or set auto timeouts on things. All those things are true, but can we really stop who's looking at that screen? You never can.

Well, let me ask a group of questions. Your attack surface now is tremendous with COVID-19, we're all working from home. Doesn't the answer really have to depend upon technology solutions here? How on earth do we keep track of, look at, judge the keystrokes that are going on at these remote devices and laptops? Aren't we talking, Casey, about endpoint solutions? Aren't we talking about AI and machine learning to help guide us away from the big problems here that the attack surface has created?

I think, first of all, it is a very big problem, and so now you've got to get as much coverage as you can. And so yes, it's protecting endpoints, it's protecting the whole, there's a whole slew of items that you have to take care of, right? And operationally that burden, it's a burden on technology organizations, right? It's a lot of extra work, and we have a day job too of growing businesses and finding that balance. So I'm very bullish on automation and AI tools that help us get through the noise, figure out where we are, automate processes that were very manual before. And I think, you know, a lot of tools, you know, Aiden is one of them, but there are many other tools across the whole ecosystem that we are all working towards, and there's a lot of interesting companies that are being conceived out of this need, right? You know, I think if we'd been faced with this 10 years ago, we didn't have a lot of the tools there and the
technology that would help us get there so josh what do you think yeah i mean i i think the role of ai here in making us a little better uh when we have situations like the one we're faced with with the pandemic is both about speed right getting getting to the what is the real challenge what's a real thing to fix right away faster than a human can right computers are better at sometimes looking through scanning figuring things out and efficacy right knowing that with confidence when you're going to implement something it's going to work and a lot of times humans make mistakes that's just an unfortunate that is our human condition right we can have the best task list in the world we may go through it and still miss a step or execute a step incorrectly but when you train a computer to do it it usually does it the same way every time and so that's the two places where it's helping and what i see with covid 19 to go back to your first part of this ball is you know cios ctos they're afraid sometimes to update endpoints in the work from home office because they're afraid and they've got the experience in the past of things breaking and going wrong when they patch when they update or when they deploy new functionality or new software we've got to find a way to function in this world and that is what aiden's trying to help right but we can't be afraid to push the envelope we've got to start to embrace technologies and to cases point there are many aiden is just one right but ai is the way that these things are going to be done with greater speed and greater efficacy in the future josh one thing to add on to that though right is is that um or a book i read last year which i really enjoyed was indistractible um and it's just a phenomenal book and it talks about how distractions create more errors of course um and where are we really distracted when you're sitting at home and your daughter my daughter walks in and you know i'm in the middle of something and so so we're in 
this world of where you have incident response people who are hands on keyboard working an issue and their dog runs up you know sick they got to go like there are so many distractions where before they were in a sock isolated eyes on task right that's all they could do and focus on now um and so we have to embrace this aspect of driving more automation because the human error or the human element will continue to have more and more errors when they're suddenly not just at home but now they're working at a coffee shop because you know they can do that and um so it's a different world that i think technology has to stall for us i think it's very interesting too how the the cyber attackers use automation themselves right so they're cranking through this stuff super fast right so if we don't automate we're just going to be steps behind right and they're not distracted by having to communicate whenever something goes wrong they just go on and do it again right all of this conversation we're having about our internal corporate politics right our organizational politics and dealing with people they're not hampered by that challenge their challenge is just to keep trying to hack away this so we have all of this extra overhead right this extra challenge to figure out how we communicate clearly and we've got to cut through that as quickly as we're trying to cut through solutions of ai or we're not going to be able to be in parity with the attackers tina let me ask you a final question here before we get to question and answers people in this space also always talk about seminal events in the cyber security space uh certainly the sony pictures hack was one of those seminal events people to look at target people would get you know um the opm breach and everything else i look at solar winds as a as a seminal event here in part because it brings up the whole question of um supply chain versus management vendor risk management how do you think solar winds is or will change the 
cyber security landscape yeah no that's that is a great question because these cyber actors are becoming more and more creative and they're thinking outside of the box in order to get into the systems and i know i keep coming back to this but again we're only as strong as our weakest link and that extends out to vendors and different organizations that our companies are dealing with um but again if we if it becomes an hr issue if it becomes a legal issue it becomes a pr issue if everybody is involved and understands what happens to you as an employee personally if something goes wrong if we click on the link from that one email you know so many times i hear when people are doing these uh tests on their employees only a handful you know clicked on a link to get that five dollar starbucks card but really it only takes one so you know how does everyone have that responsibility from the employees all the way out to the vendors but yes it is definitely an issue you need to know who you're dealing with and understand what the cyber security risks because their risks are going to be your risks ac what do you think yeah i think there's been a whole slew of solarwinds was the latest right i think there have been attack after attack after attack that have gotten us smarter about the ways that people can traverse across our systems and we get a little bit smarter every time and i think solarwinds was so big and so expensive and hit so many people that i think it woke people up to the vulnerability that conversation we have at the beginning right how do you get people's attention right how do you you know i think we will keep chugging along but i think it doesn't change my lens exactly as far as how important security and and um and uh technology are to solving this problem and but i think it brings more and more people into the fold you know as far as the awareness across more and more companies and the desire to invest more to help tackle some of these problems anthony how 
about you um so i'll i'll take the the contrarian view um so i i i i don't know a single season has gotten gotten more money to focus on supply chain risks and solarwinds right i talked to you know probably five csos a week well everyone says hey that was a big deal nobody has gotten additional funding everyone has been said hey just spend a little bit better think about this a little bit better um solarwinds has already recovered over 50 percent of its market cap loss and hasn't had a massive impact on its customer base um i think it's a like it was a thursday or whatever it was and i i kind of view it as as a thursday um and i don't think that's going to be the epoch event for us should we just ignore solar winds then anthony no supply chain is critically important right so understanding the supply chain but but again this goes back to the to the conversation and why i love the aid and solution so much it's that there are fundamental basics in in important um strengths of like understanding your suppliers understanding your bill of materials and there's like their thing like patching doing that really really well those are those are what truly set the sets the the great organizations apart um so i think supply chain is something organizations need to look at but the fact that we had solar winds there was so much press and not a single cso that i know maybe some of you guys know got an influx of money after like all right thanks but like it wasn't a real thing all right josh what do you think has solar winds change the cyber security landscape in any way well i mean i certainly agree with that anthony i when i talk to customers i don't hear they've gotten a lot of extra money to spend on solutions like ours to fix the problem what they have gotten a lot of though and i think it's actually a very good thing is uh money to their compliance and legal teams to vet vendors more carefully yeah i do see that paul i mean you know we've built aiden from the ground up to be 
secure not just to be secure now of course we have to appear secure when we go through cyber security audits things like cyber grx and third party trust and you know technologies that companies are now employing to do the rigor of cyber security due diligence on vendors like ourselves but i i certainly think you know the double-edged sword of solarwinds for vendors like us is we have new solutions that we want to bring to market we've built them to be secure from the ground up but now of course we have to go through a lot more rungs of due diligence to get through but as i tell my team all the time it's like when you were a kid and somebody gave you broccoli right and you had to eat your broccoli this is the same thing i mean we have to be secure we have to appear secure and we have to stay vigilant and on top of it all the time and this has created a little bit more awareness i think with compliance and cyber due diligence risk assessments that are good for the entire vendor community and the entire supply chain well let me let me be the contrarian here anthony solarwinds is a good communications tool um gina and i joked the other day about fear uncertainty and and doubt and sometimes you need that major breach sometimes you need the sony pictures you know sometimes you need a big problem to just invade your landscape to say holy cow i need to pay attention to cyber security so i think there is you know some benefit some benefit there you know we are um at 10 minutes to go here so i want to turn it back to aaron we have a bunch of different questions here that we should be handling so we got one question from david byron how do you quantify the human element in assessing the risk size or structure of the team when to outsource responsibilities and how to train and retrain the team etc tina how about you you talked a lot about the human element here how would you answer david's question i mean again it starts from onboarding and it goes until the person is no 
longer with the companies also everyone has to have responsibility for you know if there's penetration penetration done and people are clicking on the link those i mean those people need to brought be brought in and not in a punishment a punitive way but in a re-education way to make sure that everybody is on the same page and also when you look at the insider threat i mean that can easily that that in and of itself can be worse than an external threat so really educating people on the potential of you know there could be the insider threat you know make sure that access control is that when people go from job to job to job within a corporation they don't maintain all of the the access that they had so um so really it's just again making it a culture from the top down that cyber security is very important and this is what happens if we aren't secure and making every employee have ownership in that excellent excellent answer anthony you've worked in large organizations before how do you instill the element of you know we're all in this together here when it comes to cyber security sure so uh and i also want to just kind of tackle that question a little bit directly um i i have a model and framework that i'm actually we're doing a bunch of talks on um you know called the the joey joe joseph and joseph um and the concept is this is that there's three reasons why companies get hacked money destruction you know to see the world burn um but really there's four levels of sophistication joey is that 12 year old kid joe is that 19 year old college student joe is that you know 38 year old sis admin and joseph is truly nation state trained right and when you when you think about it in this context most of the hacks have been a joey level breach if you can you can look at most of the breaches that we've had they've been the sophistication of a 12 year old kid but we buy products talking about joseph joseph level threats here right um and what's what's great about this 
framework and just kind of thinking about it is that you don't have to talk about apt42 or fuzzypanda because your legal team would be like oh so that was a joey level risk yep that was joey level risk it's unacceptable for a 100 million dollar budget it was a joseph level risk which means it was an insider they they built the the ecosystem that's really difficult that's where you need ai and ml to start to get into it and there's a whole bunch of different ways of ttp news and tactics and this whole framework was built out right um but but it's it's it's simplifying the message simplifying the conversation um and it's something that i advocate when i talk to boards of like you should never have a cesar or cio says we got beat up by a bunch of 12 year olds that should just be no table stakes right but uh that's the that's the world we live in so we we have to simplify the message and that's how you bring people together in my opinion aaron any more questions here yes we have one more um so how could government work to educate non-it professionals better on cyber security awareness do you see more public or private collaboration in the cards and that's uh directly to gina yes absolutely in fact in los angeles we created a cyberhood watch program where we identified various sectors whether it's in entertainment utilities the ports finance and what we did is we brought both it and security people into a meeting and we talked about sharing cyber security threats and in the beginning nobody wanted to say anything but as we had the meetings on the monthly basis we were able to share cyber security information not only with the other private sector entities but with the fbi we had analysts looking at whatever malware was shared or or other attack vectors that were shared and we were able to share information back to better secure their systems which actually prevented a catastrophic attack that could have taken place against critical infrastructure in california so we 
were able to prevent that as a result of different private sector and government entities sharing information and for non-iit people infragard the fbi has a as a program called infragard and you can just look it up for whatever state you're in and you would be able to get information on cyber security threats and other threats that are coming in and be part of a bigger picture to share information as well i think another great public private sector partnership that's happening is the training of our future cyber security professionals as well and seeing programs where um universities and communities and corporations are all coming together to to just help educate so it's not the non-i.t

professionals it but it is helping us create that that expertise that we are going to need continually growing throughout the next i think that's another great partnership i've seen what about stem do you guys see about a value in continuing to build up these programs we started my kids on coding at age seven and right now they could probably hack russia anthony um though they might be joe's and not joseph's anthony what's your what what what value do you see on stem programs so so stem is really important right i i think that what we we one of the big challenges and something i'm really passionate about is the lack of diversity um both gender diversity of thought race across cyber security across technology um and i think that that's a great thing that we need we do need to to be investing more in um you know there are i think you know we do we do a lot of a lot of research i mean i think it's like there are total of eight women minority csos and the fortune 1000 um actually i think it's smaller than that i'll have to look but like it is a very very small number um and so we need to to promote these these these opportunities to to get people engaged to train um and there are some great platforms platforms out there right um one i'm on i'm i'm on a board of um but there's just some really really great solutions out there and i think it's up to all of us all of the attendees to find those junior people encourage them um and and and recognize that like coding is not a scary thing like it's it's the way the future there's two types of companies in the world ones that are stuck in legacy tech and the ones that are going to be able to move at the speed of technology and like that's it and if i can add i'm on the board of directors for the girl scouts of orange county and stem is one of our four pillars and i heard through them that by the eighth grade is when girls decide they're either going to go towards them or they're going to go away from stem so it's so important 
to get our girls involved and whether it's the girl scouts or or other programs that are going to help them make that decision when they get into the eighth grade to go towards stem related career careers well i i have one last question here and i'll give everybody a minute before we sign off and back to aaron do you know what keeps you up at night besides bad movies and long books oh boy um you know what i would say that the nation-state uh threat that we have to our critical infrastructure i i think that is something that keeps me up at night for sure casey the thing that keeps me up at night is the potential for human error that you mentioned before right we've the more we can automate things um so that things don't slip through the crack i just they're you know no matter how much you train people not to push the button they're gonna push the button right they can't help themselves it looks too enticing they're gonna enter their passwords so how quickly we can navigate and stop it and slow it down before it propagates um it's critical and and i think that's probably those are the things that keep me up at night anthony what keeps you up at night uh i would say the amount of security in it theater that happens and drives actual programs as opposed to real security or i.t you know problems being solved we spend a lot of money on just stuff because someone said squirrel as opposed to let's fix the basics um so security theater and i t theater excellent josh let's end up with you the only thing that usually keeps me up at night paul is something happening to my family and uh you know i in the context of what we're all talking about i think about the fact that i started with my daughter who's now six when she was four giving her what seemed silly at the time to my wife some cyber security awareness training how she should use her ipad how she should you know interact now on her google chromebook because that's how she's in school and i think if our colleagues friends 
and neighbors with so much knowledge in our companies but how often do we bring it home if we can start this process early with our kids it plays into their interest in the whole subject matter plays into them joining stem programs when they get older and hopefully plays into a future where we have a lot of young intelligent minds focused on solving these problems at every level aaron i i think this panel has been wonderful it's been a great discussion and um josh and aaron thank you for having me um aaron i'll turn it back uh to you and josh for sign off thank you so much everybody for joining us i really appreciate it just so you all know this was recorded and we will be following up um and uh sending out the recording uh we were also live on youtube and uh so uh yeah thank you so much please feel free to reach out with any more questions there's more questions in the chat that we will be creating a follow-up in order to answer your questions and we'll reach back out to the board to ask and um yeah have a great day and and uh we look forward to seeing you on the next one thank you everybody thank you all casey anthony gina really appreciate all of you today and it's a very very helpful discussion thank you thank you guys have a great day

2021-05-11 00:30
