
[Applause] thank you uh thank you very much for the kind introduction I'm uh thrilled to be here this afternoon um with our partner Z scaler we do a lot of work with Z scaler and thrilled to be here in Edmonton to take part in the bsides uh discussion discussions when I was with the RCMP spent a lot of time at Edmonton uh K division for RCMP Alberta's out of Edmonton um I did ride alongs in Grand Prairie r belongs in Rainbow Lake Alberta uh it's always good to be here and by the way um thank you for the uh 30 plus years of experience I also spent my summers in Alberta growing up in the
Peace River Country anybody from Peace River Country here no there's all still up in Peace River Country um I worked for a beekeeper up there during my high school Summers which was great because that took me away from my parents and I got to do things that I just couldn't do at home so thrilled to talk about uh your cyber program this afternoon thrilled to talk about it doesn't matter how large how small your organization is you need to have a program the the size the complexity of the program will vary but you know even a startup with two people laptops cloud services you need to know what you're going to do when when things happen so that's what we're
going to talk about this afternoon um we're going to begin by talking about today's environment uh cyber as a business issue we all know it's a a business issue when I started in my career uh SE Suite did not talk to it folks we couldn't and didn't speak their language today it's absolutely imperative that we talk to the SE Suite that we talk to boards about our program I'm going to talk about some threats and I'm going to focus in on threats that we need to be aware of and then the program and then Ian is going to really dig de dig deeply into zero trust um and I'm not going to I'm not going to uh I'm not
going to read the slides and if anybody wants to email me at the end end of the presentation at the end of the presentation in coming days I'd be happy to share the slides with you as well as engage in any conversations that you want to you want to talk about um I think this is really important because we know as practitioners that people that want to do us harm may already be in our networks they may be trolling in our networks they there may be a lot of a dwell time where we don't know that they're there and I always get worried when I walk into an organiz ation and they tell me you know we have
not been had yet we have not been compromised yet we have not been hacked yet and my that my answer to that is always you don't have any indication today that you've been had but maybe you have been had and we're going to talk about that a little bit later as well um digitization the speed and basis of competition we're under tremendous pressure to move forward we're under tremendous pressure to move forward quickly and to add products service services so on and so forth for the organization and you know you you can look at our roles as Chief information security officers as cios within organizations and there's sometimes a little bit of a conflict between getting
a product getting a capability out to our customers and securing that capability and you know I'll tell you when I first became a Chief Information officer of the RCMP we of course had a lot of applications a lot of things we were doing by the way anybody here from the mounties today good we can talk about them um when I first came in as CIO you wouldn't believe how many interim authority to operates we had what that meant was an application wasn't quite there yet but we need to get it out so we got interim authority to operate but we didn't necessarily close those gaps so that's that's our job is to close those gaps
and to be aware of those gaps because we're under tremendous pressure to move forward going to talk about some of our challenges and um you know these challenges and and you know where we are and I'm just going to talk about a few of them but pressure from Executives from leadership from the board to lower costs and by the way I think that's a wrong answer I think as we're moving a program forward we've already lost if we express it in cost terms we need in my opinion to express it in value and risk so I've seen many organizations expressing their program as a cost it's therefore a cost to the organization and you can always lower costs there's
pressures to lower costs we want to express our programs from a risk-based perspective and we want to express it in language that the board can understand because look at your leadership and whatever construct you have whether it's a deputy Minister a board not for-profit privately owned we need to express it in a way that that our leadership understands stand and by the way then they need to accept the level of risk it's as simple as that and I will run across some organizations that that you know stay as far away from uh the board as they can I think you really want to get in there and talk about the program and don't forget the board is typically
comprised of of people with experience in the vertical lawyers and accountants not necessarily technical representation so we've got to talk in a way that they can understand and um before I CIO of the RCMP I was CIO of Correctional Services Canada and uh when I first came into that job my folks told me you know they don't understand us you it took a while to figure out who they were but uh when they talked about they don't understand us they talked about senior leadership and we had not expressed the the program in ways that the leadership could understand so it was a bit of a running joke with me but um any presentation that needed to go to to our
board to our commissioner I told my folks we've got to have it in language that my grandmother can understand and what I meant by that was we've got to stay away from technical terms my grandmother at the time knew what a computer was she knew what the internet was she knew all these things that's how we wanted to express it and that's how we expressed the program and then the business bought into it um we want to stay out of the news you know that that's really important but I'll tell you you will probably be in the news you'll probably be in the news for a breach what you really want is when when you're in the news when
you're covered by media because of something that happened you want them to say oh and by the way they limited the damage they fixed this they transitioned back to operation in a matter of hours as opposed to a matter of days a matter of weeks I'm not afraid of being breached I'm more afraid if I can't respond to that breach if I cannot transition back to operations that's really what we need to what we need to think of um and and you know we're going to talk a little bit about Staffing because Staffing is a tremendous issue for all of us today getting the right people on task to the right things and you know what we're seeing in the
industry is is Staffing through a number of different mechanisms but getting the right people training the right people getting them on task and I'm not necessarily going to talk about it in this slide but we also want to talk about how do we educate our organizations about cyber you know we've got cyber month coming up in October um we've got to think of that 12 months of the year we've got to think about how we educate and so on and I'll talk a little bit about that when we talk about threats um this is no surprise to you on Cyber threats no surprise to you on on the the fact that they're happening increasing so on so forth what's a real surprise to
me in this slide is that 77% of businesses lack an incident response plan wow you know um if that is representative of the folks that are here today I I'd suggest you leave now and go and start to build an incident response plan um so critical to be able to respond and in fact last week I was in the maritimes we were going through a tabletop tabletop exercise testing an incident response plan in front of a board so that the board could see how complex this is so that they could see how to resp on how management was going to respond in the event of a breach and simple questions do we pay ransomware are we allowed to pay ransomware by the
way you're going to hear from me that you know um I'm not a big believer in paying ransomware I know there are times when we have to do it but I I I've got this thing that sort of bothers me about paying the criminals and and most surprisingly about that about three months ago there's a breach in the US a ransomware attack against a sheriff's department and the sheriff's department paid the rans think about that for a few seconds how bad that bridge was that a sheriff's department paid Ransom um not not going you know uh cyber one of our top five things that uh threats to humanity you know phenomenal that it's there unfortunately it's there but it
certainly gets the attention of our organizations doesn't it moving forward um once again we need to think of this as as a business issue it's it's not a cost Center and I like to think of cyber as a team sport that everybody in that organization physically or virtually is paying playing that team sport as our our partners that we're dealing with because you know when we look at some of the massive uh uh issues we've had in the last few years some of the massive attacks have' been third party risk related and you know I I've talked to organizations that don't even know all the third parties that they're dealing with and I can tell you when I
was with the RCMP um locally at the divisional level there was a lot of leeway at that time in what was deployed by in a provincial from a provincial perspective and I at one point had no idea what we were what we were connected to and we had to change that we had to move forward with that um now we get into some of the fun stuff on uh on the presentation we're going to talk about different threats that we're facing and you know you all know these threats right nothing of surprise here I still as a traditionalist uh believe that our our largest threat is The Insider threat I don't mean necessarily malicious although malicious can do us a lot of
harm but The Insider that does the wrong thing clicks on the wrong thing exposes our passwords think of coid when we first sent people home working on common devices that were shared by the by the family potentially by neighbors or neighbors kids so on and so forth we've got to worry about that um one thing that I was really focused on on PR in previous jobs obviously the threat but I was really worried about the corruption of data somebody coming in and modifying data without us knowing it and think of you know in the RCMP example criminality databases analytics um information that's being used for prosecution purposes and corrupting that data you're not sending people to jail you're
maybe releasing people before they should be released you're losing sight of the bad people that want to do us harm so so really really worried about Corruption of data loss of life sounds uh somewhat dramatic but um we are seeing a lot of hacks against medical devices uh hacks against hospitals and think about hacks against 911 systems think about Haws that that impede police from responding to calls or responding with the wrong information there are numerous cases out there where where police unfortunately have have been killed where they did not have the information going into that call and that we just can't allow those sorts of things to happen let's talk a little bit about the
actors the vectors the motivation and impact because this is really really important we need to know for our vertical what are the biggest threats to our organization so so give you the example of and we were just talking about police forces when there's a negative interaction with a police force and and citizens and that usually means shooting somebody a police officer involved in a fatal shooting you know we see a lot of activism against a police force we see denial of service against a police force we see defacing of of websites at police forces so so they're they're particularly concerned about that sort of thing denial service so on and so forth if you're in the
critical infrastructure business bu um if you're in power generation if you're in a utility we'd be very very concerned potentially about denial of service about foreign actors coming in and shutting us down and you know if you looked at the precursor to the Russian Ukrainian War the the activities of the Russians sensing probing disrupting it was really obvious that that ground forces were to come in soon enough I'm going to just talk about state sponsored for a second because it's I think really important and you know when I started my career 30 some years ago um in the intelligence Community I know you guys from Alberta are saying you know Ottawa intelligence it's a little bit of a
misnomer but nevertheless within the intelligence community in Ottawa um we didn't read about that stuff right you didn't get a sense of what was going on you weren't getting a sense of what the Russians were up to disinformation so on and so forth today is front page news we're reading about it all the time so I'm going to to talk briefly to the what I view as the top three foreign state sponsored threats that we Canadians have to worry about I'll talk about the uh I'll talk about the North Koreans to to begin with um what do you think how much crypto currency do you think they stole last year North Korea the the the country
because you know everything is tied to the state of North Korea they they stole $1.7 billion of cryptocur currency it's a big deal for the North Koreans half of the foreign funds coming into North Korea were achieved through Cyber attack think about that for a second and think about what they're up to they're they're after money it's a simple as that we're helping to feed their economy we're helping them to to buy arms and now they're selling arms to the Russians so so think about what they're doing when they attack and and steal from us now like if we take a look at the Russian the Russians are all about instant gratification there is no separation
between State academics and in a lot of cases organized crime so they're out looking for a buck as well they're also out disrupting as we see Ukraine as we've seen in Estonia we've seen in Canada they're disrupting they're doing those sorts of things but they're the Russians are really looking to tomorrow and what are their goals for tomorrow what are their goals for next week then if we look at the Chinese thre these Chinese are absolutely surgical in what they're doing they are probing they are hacking they are trying to get in they're not necessarily after funds they're not necessarily after money they're about stealing technology stealing intellectual property but more importantly getting into our critical
infrastructure getting into other areas and ready to pounce so so those are the types of foreign threats we need to worry about State sponsor threats we need to worry about and as we worry about those what helps us to achieve our organizational goals it's our cyber program it's the ability to defend the ability to respond the ability to threat hunt see who's in and who's on our Network and as I said I wasn't going to speak to to the complete slides because time won't allow for that but more than happy to as I say share these with you but also you know if you don't agree with what I'm saying if you don't agree with some the points that I'm say that
I'm making more than happy to have that dialogue with you at another time so why do we want to validate our cyber program we need to know where we are when I go into an organization that I don't know the first thing I ask is how you doing from a cyber perspective if you can't express that in 30 seconds or less you don't know or you're not sure um and we need to work on that second question I'll ask is what's your ability to respond because once again it's so so important to be able to respond to to threats um so you want to set you want to you want to set the bar of where you
are just as importantly you want to establish where you want to take the Cyber program because very few organizations have it where they want it to be and when they get it to where they want it to be it's it's a tough slog to keep it there because the threats are evolving and changing around us um what are you going look like what are you going to look for from an assessment pers perspective you're going to look at equipment you're going to look at people you're going to look at process you're going to look at all of these sorts of things and you know when we look a lot at a lot of the big
breaches over time and I'll talk about the intelligence Community you know everybody's heard of Edward Snowden right um his big deal was people trusted him he was in a secure environment they shared passwords with him and then he ran away and uh and uh did a lot of harm not just to the US but to Canada to our allies so on and so forth and and and we can have that conversation you know was Snowden a hero or a villain um my view of that is if he was a hero he wouldn't be in Russia today if he was a hero he'd be back in the US so so we need to think about that um we've had our own Snowden
here in Canada by the way we we've had those types of breaches as well uh Seb Mariner delile on the East Coast uh working for maritime command and others um you want a model against which you're going to measure your program so as an example I'm putting up the capability maturity model you're going to rate your program on a scale of 1 to five when I look at this model organizations most organizations are sitting between a two and a three typically you're not going to be up at a five you're going to be in the two to three range you're going to decide where you want to be but you're going to communicate that communicate it
communicate it and um um once again you know if we look at our strategy our business objectives and threats we want to find and we want to assess ourselves taking all of those things into account and um when you look at road map themes and I know I'm hurrying up a little bit now because I got the indication that tells me it's time to get off soon but um you're going to look at your your strategy Innovation governance security operations incident response so on don't minimize the value of governance don't minimize the value of knowing everybody's responsibility within the organization as it relates to the Cyber program as it relates to moving it forward so on and so
forth and with that um thank thank you for your time I know this is the toughest time of the day to present right after lunch um I'm going to hand it over to Ian to talk about zero trust and then I believe uh we're both going to be here for Q&A at the end of our talks so all for the [Applause] year hey hey everyone uh don't worry I'm not going to sing Copa coana that that was uh a different presentation that I did so anyways uh thank you everyone for attending today's call um like Michael said you know it's after lunch so let's have a bit of fun uh I am drinking water it's white it's not vodka
um so one of the thing one of the things about zero trust is it's something that it's so widespread in the industry where you know different vendors different analysts they all talk about it right uh if you're an upand cominging uh you know student of cyber security starting your journey I just wanted you guys to be aware that we have resources out there that's only slightly biased uh vendor tainted but you know if you if you wanted to learn more about what zero trust is there is a book that I would strongly recommend it's free uh ebook called seven elements of a highly successful zero trust architecture and again if you're thinking of you know
upping your resume with things like certification I believe we have the only uh Zer trust certification out there it's called Zer trust certified architect so definitely have a look um you know lots of good content so a lot of the content that I'll be presenting today is related to some of the elements here now um let's let let's pause and think a bit you know what are we trying to achieve with zero trust right if you think about in the old days when uh people had uh Yellow Pages you know that big honking book where you could you know publicize your phone numbers right uh I see some of my colleagues here they've used it to you know call people
they shouldn't call um stock people they shouldn't stock uh Facebook is much better for that now but the whole idea here is that you know you could have a caller in this case case I believe his name is Chris uh calling a particular user Amy and then he'll be connected right and the problem with that with publishing your applications you know making sure that you're reachable is that anybody can call you right the whole concept of zero trust is that the fact that people who don't want to call you have the ability to call you presents itself in a risk as a risk so if you now move that analogy to something more it related or networking
related you to think about you know how your users are accessing your applications today right um most organizations postco have some kind of hybrid uh Workforce strategy where three days in the office two days in your office full-time remote unless you all guess maybe it's 5 days in the office but regardless from a remote access perspective this is s the same where the VPN concentrator is always saying connect to me connect to me right now aot let's think about the art of the possible a little bit let's say if we have in the middle the ability to have you know something like an intelligent switchboard so first and foremost Amy the users here the the phone number is
not published okay you can't call her but you know how to reach her to an intermediary right so for example in this case Chris again uh tries to call Amy it goes to an intermediary and then if you authorize you can have a one hour call with Amy now if if you're an unwanted caller right uh you call the intermediary you're not authorized you don't have access to Amy uh here the example we use is you know a smart switchboard uh back in my time this would be Amy's dad so same concept but in a more technical term so from a technical perspective you know what we do have that kind of ability as well with a concept I'm going
to elaborate on this a bit more called the zero trust Exchange right bringing something conceptual to something tangible but the ideas is very you know easy to relate to before you connect to your applications which are hidden you go through a broker if you authorized you get access if you don't have authorized then you're out of luck now let let's use a slightly different analogy just to to Really compare and contrast you know Legacy network security architecture with zero trust right if we don't take the opportunity to transform how we do things then we're basically you know putting lipstick on a pck modifying what we have existing to fit a new paradigm and that tends not to work too well so
think about it if let's say you're going to a building and you wanted to access a particular room let's say you here for an interview all right uh you go to see the receptionist you given a pass and then she points to you that's at room 22 the issue there here is that in this loose uh scenario the user has the ability to go to the building and explore maybe he's looking for the washroom maybe he got lost maybe it's malicious you don't know right uh some of the doors to their offices may be locked all right so you have some security but the fact that the user has the ability to Snoop around either
maliciously or accidentally presents itself as a risk okay so again same analogy with VPN now let let's let's modify this a bit um I watch way too much uh movies so uh pardon me for this reference but let's say you want to go to a club a very nice club you don't know where it is but you know you want to go to it it to go to that club you need to meet a certain guy at a meet me point he authorized you rather you pay the money he then blindfolds you put you in the car drive you to the club drop you off take off your blindfold do what you need to do and on the way
back blindfolds you and put in the car and bring you back to the m point it is kind of gangster I get it but it is really safe that way right so this is another way of approaching you know how do we secure our critical applications right it is important to us our data are important to us same concept with the zero trust exchange right so the whole idea here is not moving things later really now all right so if let's say we buy into this whole additional security the security Paradigm is zero trust now what's the best way of delivering it though right so think about it today you're not only thinking about your applications that
resides in your physical data center they could be in the cloud any Cloud um think about where your data is located they could be in all kinds of SAS application they could be in corporate sanction and sometimes unsanctioned applications as well the these are some of the key things you need to think about when you're thinking how do I Implement zero trust uh these days I mean we usually think about employees as somebody we need to protect access to those applications but more and more organizations are going through mergers and Acquisitions partnering up with contractors where you might not have the ability to put them on corporate devices and let's not forget our future Masters
artificial intelligence iot headless device we need to account for that as well because you want something holistic pre-co postco doesn't matter the the reality is a lot of people are working from home some people are working in the office I had the pleasure of working in the office for many many years at Tellis do not regret it it was a lot of fun as well as you know people in the branches so one approach just just to think about it is you know having an agent based approach right sort of makes sense if you think about it but but let's let's let's fast forward a couple of years when you go with an agent based approach you're
installing a software on a device typically it works well the first year second year because it's limited in functionality as customer demands increases corporations vendors you know add more features the the software gets larger I mean it's it's just natural prog progression and then with even more customer demands it's going to be supported on more operating systems uh more security functions and there's always that risk of it impacting your other systems I mean that's just the nature of the B Beast now if we look at classical way of how do we secure users it's traditionally through a network firewall of some kind makes sense right I used to sell firewalls make decent money selling it but when your users are
everywhere all at once it's not something tangible now if if only if we could you know like the old ball and chain carried anywhere with you then perhaps this is something that that you could go uh apologies to marry couples here AI chose that image really uh this was what I was going for so I mean it is not table to to bring your security with you right so what are we left we're left with something hard to do but something if if it's done correctly has the ability to to do all this right so when we talk about agent before the problem arise because you you keep on adding functionality it becomes complex and then when we talk about
security Appliance is great but you can't bring it everywhere so here's sort of a Best of Both Worlds where all the security functions are done in the cloud right I mean I'm sure a CI will like it you're spending so much money on all this hyperscalers so why not security if we have security configured and done in the cloud what that gives you as a customer or an employee or users is that as you add complexity and and services it does not impact users all we need to figure out what to do is how to send traffic to the cloud right so if if you've been following folks like Gardner and Forester and all those guys this is
the whole concept of sassy or SSE or whatever new name they they come up with right where at first initially to be honest when I first saw this it didn't quite make sense maybe because I'm not employed by a cloud delivered company it makes sense but but really if you think about it you know having service done in the cloud make a lot of sense with this way you have everything everyone everywhere secured all at once it can be done now um if this is way too too much text but really uh is so we've talked about what you want from a Zer trust architecture we talked about what's of the potential best way of delivering it
but what does it do for you right so we can verify control and en for so too much words but let me give you walk through an example and then I'll pretty much end the talk now let's talk about Amy again Amy is a queen because she's in HR now uh if you start thinking about wait a minute what's her IP address or creating policy related to IP address uh I I think you've lost the plot right because I mean if we're going to change things up let's let's forget certain old uh Technologies or policies that we used to do all we really should care about is Amy who she is which group she belongs
and what applications she's accessing right these applications could be applications that are in your control in your data center it could be applications that you have no control at all it's in the SAS application of some kind it could be even personal applications that Amy is trying to access really the conversation is all about how do I get my user connecting to my application now again if in the access policy you're thinking about IP addresses again I think you've lost the plot now now now that we know what we want to do is just connecting the right users to the right applications we now have the ability to find two things a little bit Amy on a corporate laptop you
get certain privileges. Amy on your cell phone, less privileges. Amy on vacation in Jamaica, she shouldn't be working, but if she was, you know, a different set of privileges. We could add things like, you know, how clean is Amy's device, right? We could have posture checks: antivirus on, certain certificates, are you domain joined? Again, all these are additional conditions that we can put in place to then monitor and determine how best to deal with Amy, and if Amy has had too much to drink she has really no access to applications. So those are all available. Now once you connect Amy to an application, let's not stop there. Again, we're talking about zero
trust, or really not trusting as much as possible. In fact, don't trust whatever I'm saying, really, honestly. So the traffic flow between the user and application can and should be inspected, because I think Michael was saying just now about insider threats, right? Whether it's malicious intention or, you know, by accident, the communication between Amy and the application should always be inspected for malware, should always be inspected for data exfiltration. It happens, right? So stop and think for a moment how this is very different from how you used to provide remote access to your users. And again, this is not static; assessments should be continuous, because people change, things change. I left my
well, I did leave my iPad outside and, you know, who knows what happened. Thanks for keeping it. So, you know, it happens, accidents happen. I mean, that's the reality of it. Now I've talked a lot about this zero trust model, but if you were to compare and contrast with a lot of industry guidelines, things like Gartner, Forrester, NIST and so on and so forth, they sort of say the same thing, but maybe using different language or emphasizing different points. But what I really want to impress on you guys is: here's an opportunity to make yourself really a bit more secure in a very new paradigm. I was speaking prior to this with a colleague of mine
from a different company, where we had a conversation about cyber insurance, right? So MFA was sort of a big topic for a lot of organizations, I think, renewing their cyber insurance this year. If you have a chance to look at some of the questions that cyber insurance companies are giving out for future renewals, they may not explicitly mention zero trust, the term, because, you know, it's shed with a lot of marketing, but a lot of the elements of it are there. So it's really just a matter of time. Now to summarize: I mean, if you think about the traditional way we do things, you know, network-based controls, you're really giving the user too much
visibility to what's going on, no matter how you implement it. We really should be talking about providing visibility at the right level, and when you do so, if you spot it, you see certain things you wouldn't have seen before. Lastly, this is happening whether you like it or not. You know, don't follow the way of the ostrich. Now, we're going to be here for the next couple of hours. Hopefully this was informational. Come talk to the Octave and Zscaler team, we're right out there. I'll send you guys the link to the ebook if you're interested, you know, just good to read up on what's happening, and if you ever want to get in
touch, don't feel shy to talk to us today. You know, you can get a hold of us, and thank you very much. [Applause]

Thank you, Michael and Ian, for the wonderful presentation. Any questions?

Okay, my question is to Michael, about the structure of the cyber security function in organizations. You showed a couple of areas that kind of form the cyber security function. I'm interested to know about the reporting structure, the current trends and your own opinion: should the CISO report to the CIO, or should they report to the chief officer or to the CEO directly? That's number one. Number two is about three lines of defense. So it's kind of a new trend in management of risk in cyber security. Now there has been kind of a duplication of responsibilities between line one, mostly, and line two. I saw in one of the slides you showed a
governance, risk and compliance group. Should that group not be part of the second line instead of line one? And what will be the differences between that group, GRC, and line two, where cyber security and IT risk management is owned? Thank you.

Thank you for that question. Great questions, by the way. The answer is yes. Okay, let's first of all talk about the placement of the CISO, the placement of the CIO, and where they fit in the corporate structure. I've seen both the CISO reporting to the CIO and not to the CIO, so I'll start with that one to begin with. And in my two CIO jobs, in one case, at
Corrections, the CISO was reporting to me; at the RCMP they were reporting elsewhere in the organization. I'm a firm believer that the CISO needs to be heard. The CISO needs to be heard at the highest levels of the organization and has to be able to carry on conversations with the ELT. In the case where the CISO reported to me, we created a dotted line to the Commissioner of Corrections so that he could go talk to the Commissioner any time he was not satisfied that he was getting my attention or the attention of the technical group. So that worked out well, I think. But you can have either construct; you just have
to understand governance and the roles that we play. If I was designing, you know, if we all came together today and we were going to design an organization together, I would not have the CISO reporting to the CIO. I just would rather see a different line. The other thing about the CISO is he or she should not be buried down in the organization such that they're not heard, because once again, what the CISO is reporting to the organization is all about risk, and who better to handle and understand that risk than the leadership of the organization? And the CISO needs to hand that risk to seniors in the organization so that if they decide
they're not going to fund the program, or if they decide they're not going to fund it adequately, or whatever the case may be, they are well aware of that. So does that help, from the placement of the CISO? He or she, their voice must be heard. And by the way, I don't ever think that "the sky is falling" is a good reaction to anything. You know, you have to have the ability to, once again, speak leadership language, but speak it in a risk-based way and not tell them the sky is falling and we can't do anything about it. I think that just anecdotally is very interesting. You talked of first line, second line, so on and so
forth, and I think in a lot of organizations compliance will sit elsewhere, in a lot of organizations the risk function will sit elsewhere, and you can think of them as a second line of defense, measuring compliance: how are we doing from a compliance perspective? That is typically another part of the organization. They are typically very involved in communicating to the board, in communicating to the risk committee of the board. So I think the second and third lines of defense are there, and I'll simplify it to say from an accountability perspective, from a monitoring perspective, from a different voice perspective. And as CIO, you know, when I was at the RCMP, one of my best
friends, became one of my best friends, was the head of audit, and you know, sometimes you want to run away from audit, right, because they're going to make your life complicated. But we got it to the point where I could go to the chief audit executive and say, you know, I really suck at identity, we're really not doing a good job in identity here at the RCMP, you should probably audit that, you should probably have a look at that, because that's a risk to the organization. Why would I go to the chief audit executive and expose my program that way? Because for some reason I wasn't getting the funding
I needed to move the identity program forward. So now I had an audit report that said, you know, you suck at this, and they didn't typically use that language, but: you're not good at this, there's a risk for the RCMP and you've got to get better at it. Then you can help move it forward. So I really, really believe in second and third lines of defense. I believe in them from an accountability perspective, and in my talk I talked a little bit about governance. The governance of those functions, where they reside, is tremendously important. And I'll give you one last example. I'm a risk advisor to a large financial, and part of what I do is
advise them on their cyber risk, advise the board on the cyber risk and so on. And it's really important because for this financial, cyber is a tier one risk, so it's got everybody's attention. Now the deal is, what are we doing about it and how are we moving forward? And all of those players that you mentioned and that you asked about in your question have a role to play. Does that help?

Perfect, thank you.

I think we are out of time. If you have any questions, please meet Michael and Ian at their booth, and thank you again for sharing your insights about cyber risks and how zero trust can help resolve some of
them.