
How Should You Prepare for Connecticut's New Cyber Strategy

Bsides CT · 2017 · 59:36 · 87 views · Published 2017-10
Category: Policy
Style: Talk
About this talk
Loren Dealy Mahler examines Connecticut's new cybersecurity strategy and the gap between policy intent and implementation. Drawing parallels with New York's DFS regulations, she outlines five concrete steps—risk assessment, ecosystem security, incident response planning, tailored solutions, and effective communication—that organizations can adopt immediately to build resilient cybersecurity programs and reduce future regulatory burden.
Original YouTube description
The strategy is out. Implementation plans are not. Now's the time to get ahead. In this session, we'll read between the lines of Connecticut's cybersecurity strategy and look at the four underlying trends you can apply today to help you implement a modern cybersecurity program and ensure any regulations or requirements implemented down the road aren't a significant burden on your company or organization.
Transcript [en]

So let's get started on our next talk. I'm going to introduce Loren Dealy Mahler, and the name of the talk is "How Should You Prepare for the Implementation of Connecticut's New Cyber Strategy," so give her a warm welcome. All right, thank you. Great, I heard that, so I know someone's awake, which is awesome. 2:30 in the afternoon is always my favorite time slot to draw, because it's a little bit of a coin flip on how many heads are still here and how many heads are actually looking up. So I'm gonna be watching, so you know. I have nothing to throw, but I will find something if I need to. But two quick things before we jump all into this.

First off, I am NOT a technical person. You're welcome. You're gonna get something a little bit different here for the next hour, because there is nothing I'm about to tell you that is going to make you snazzier at what you do. It's gonna make you more aware of what is going on through other parts of your company, and what kinds of priorities and things people like me are out there telling your bosses to do, and the kinds of advice that they're getting that will eventually, at some point, likely impact all of your lives. So this really is sort of a, let's think of it as a broader educational opportunity into what's going on from the business side

of the world. Quick background on me: I am an independent consultant. I own my own strategic communications company focusing on cyber security and defense issues. My background is primarily in national security, communications, policy, politics. Spent over a decade in Washington, DC: Capitol Hill, Department of Defense, National Security Council, always doing communications, policy, politics rolled up into a big swirly mess of, I don't know, make it up yourself and figure out what to do for us. So that's what I like, and that's what this job lets me do now that I get to be my own boss. So it's been a few years doing corporate communications in New York before launching out on my own, so have

always enjoyed being in roles and finding places to understand different parts of an organization, different parts of a company, different parts of a government agency, and what all of their priorities and needs and assets are, and how we bring all those things together to move forward towards whatever those organizational objectives are, whether they're policy objectives, whether they're business, whatever they may be. So, firmly now in the cyber security space, spend a lot of time with clients, particularly around IR planning, because obviously that's one of the key places where crisis communications and things like that can play a role. We'll talk about that a little bit later on. But Connecticut's got this great new strategy that's out there, and

strategies are awesome because they tell you what the strategy is and then they stop talking. So now the next step is to figure out how we actually take those great, cool ideas and actually turn them into something that requires action, and there are so many ways that that could go. Right now we're still in the figuring it out. I keep saying "we," and I really just mean whoever the smart people in Connecticut are that are doing this, because I'm not one of them, figuring out what they're gonna do. And there are a lot of examples that we can look to in other states and other industries and other sectors that have tried to do strategies followed up by action plans

to see. Most recently, the Department of Financial Services in New York. I'm sure that is lightly, to say the least, touching on many of your lives, but that is something that I've been digging into and speaking about a bit as well, and there are a lot of similarities between what they did and good lessons to be learned that can play out in the situation. And I think we can, what I'd like to do today is dig a little bit into some of the highlighted sections that I see of the strategy that give us some insight into what the authors were thinking, and combine those with some very broad, high-level trends across the quote "cyber" industry right now, and look

at some of the things that we've seen work with DFS as well, and kind of combine all those into: okay, great, what does that tell us about what may be coming down the road for us, and how can we take what we think may be coming and use that intel to actually take concrete steps right now as an organization or as a business, so that when somebody actually requires us to do something, it's not this huge, giant burden. It's something that we've already started moving or we've already done, and now all we have to do is maybe check a box on a new form and we're done. So that's what we're gonna start out with

today. We're gonna look at a lot of different buckets of things, and if I'm lucky this keeps working every time I push the button. So, like I said, not a tech person. So this is directly from the strategy itself, and there's not a lot in here that says "here's what we're gonna do next for an action plan," but the word "action" comes up like 36 times. So one of the things the strategy outlines are seven foundational principles, and we're going to talk about those and insights we can draw from them and what they mean. Great, here, all of those principles, they line up, they make this great little pathway, and we're all going to hold

hands and march down it towards this great new place, and anybody can do this, and it's gonna make us all awesome. And then, seriously, this is probably what's gonna happen. This is why I have a job, because more companies than you like to think are this guy, and normally this guy is pretty cool, not so much these days, unless he's hiring me, and then he's still cool. So we're gonna talk through the strategy, we're gonna get some trends, we're gonna talk action plan. You can tell I came out of a very list-oriented life, so we're gonna do a lot of bullets. I'm not writing it down if I'm gonna say it, because you can read what I can say.

So bottom line, big takeaway, money slide right here. I apply this to whatever's coming down the road from Connecticut as well as what we've seen with the DFS regs in New York. You can view this as just another compliance issue, as just something else you have to do, another box you have to check, something else to spend money and time just clearing the hurdle, or you can view it as a chance to actually establish a comprehensive risk-based cybersecurity program that effectively brings your company up to the level that it should be today. And if you do that, that in itself creates opportunities for your company, for your organization. That is where you can

actually use that to propel yourselves even further. So there's business opportunity within this if you choose to view it and approach it through that lens. Bottom line right there. Take it, run away if you have to leave; this is where you can go. So the strategy, what it actually says: it covers five sectors, and each sector gets lots of detailed attention, lots of love, lots of stuff going on, what they have done, things like that. It looks at the five sectors that it shows that it has chosen. It states that it's done so because, within the state of Connecticut, these are the main targets. You know, if you took everything in Connecticut and broke it down into five groups, you could

probably put all of them in these five groups, so it's more of a classification system than it is a winnowing down. But if something were to occur, and the strategy document itself approaches a lot of these sectors and a lot of the principles it addresses from the perspective of "if something really big happens in our state," as opposed to "if a company gets breached here." It's more what happens if the grid goes down, what happens if, like, something happens and a chip blows up, it's kind of big things like that. So there's a lot of a recurring theme related to disaster response, because that is something that the state has planned for, that it is something that the country as a whole

has done so much better planning for over the last 15 years or so. So there are a lot of parallels that it draws to those frameworks that are developed. But these are considered to be the biggest targets and the people most likely to have responsibility for responding to something in some way, shape or form; these folks are gonna have to take action. So you have the Connecticut state government, obviously: we're big government, we hold all your stuff, we have all your information, and of course people want to come to us because we have all the cool things. The municipalities: I have to say, I have lived in the state of Connecticut for five years, and you guys are a hot little

mess of swirly little municipalities scattered around the state. Thank you. There are towns, there are groups of things, there are government entities, organizations. I just want some cities and counties; if we could just clear that up, that'd be super helpful. So municipalities get their own attention here because it's such a structure here in the state, it's very unique. Businesses, specifically focusing on critical infrastructure, financial services, insurance and defense, obviously very large industries here in the state with very valuable data. Higher education, another very significant industry in the state. Higher education is such a unique, you know, as an aside, such a unique sector to really look at, because when you think of financial services, you

think, oh yeah, they want to steal my credit card information, they want to see my bank account number, that's awesome. Well, they've got that in higher education too. They've got your social security number, they've got your financial information, they've got all the health records of their students, they've got all the employee data related to their staff, they've got all the data related to the research projects they're doing and the subjects who were in the research projects, the data sets that have been brought into that. The levels and just sheer quantity of data held within a single institute of higher education is just phenomenal, and people rarely look at it to that extent. So that's a, that's a

whole little bucket in itself. Law enforcement and security, obviously always a big part of us. So those are the five big sectors that it breaks down into, but it also explicitly states that the types of lessons drawn and the types of focus for each of these industries can be applied across the board. And ironically it's not one of the sectors listed here, but the strategy makes a really, really big emphasis on regular citizens, normal everyday people. If there's one thing that I think they would want you to grab and run with from this strategy, it's that this is the thing for everybody. Everybody has a role, everyone has a part to play, everyone has a responsibility, everyone's a target,

blah blah blah, all those things. But that if we all come together and we all get smarter in our own small ways about what we're doing and how we're securing our small piece of this whole puzzle, then overall the state becomes more secure. And not only that, it actually becomes a business driver here in the state, and if there's anything Connecticut would really love to do, it's drive economic development, drive business, drive new residents, drive new jobs for those new residents. Chicken and the egg, don't care which comes first, just keep coming here. By creating Connecticut as an entity that is known for being cyber secure and for having that ecosystem built up, that is

something in the long term that drives all of this, and that will come up a little bit here later on. So the seven principles that it talks about: each of these come up in various ways, shapes and forms in different sections, both deep dives in and of themselves and also related to the different industries. But leadership obviously has to play a large part in all of this. It really emphasizes, you know, before we jump into these, another little aside: nothing in here is rocket science. Nothing at this level, nothing that talks about trends, nothing that talks about industries and specifics related to them is rocket science, but putting it all together in one way, shape, form so everyone's moving

in the same direction and basing it on the same information is something that actually makes a difference. So obviously executives drive culture. Everyone knows the more the culture of your organization is driven in a cyber secure direction, that direction comes from the top. Nobody down sitting at a little desk over in the corner, you know, punching buttons all day is gonna make anybody else feel culturally cyber secure. You may be able to have a really great secure corner, but that's it. The bigger change has to be emphasized from the top. It also drives resources. That's where the decisions are made about priorities for resources. That is another theme that will run throughout this, is that resources drive so much, and

we'll talk about that a little bit too. Literacy: there needs to be a baseline level of knowledge across both entities as well as individuals, employees, students, K-12, college students, staff, regular everyday Joes walking down the street. Everyone needs to know something. Preparation: risk-based plans are key, and basing those plans on the existing disaster frameworks that the state operates on. And I'm not even going to start listing off, like, acronym gobbledy-soup that is in here about all the different types of frameworks and organizations that exist to share information and have frameworks that you can base off of, but the state has really done a big focus on disaster response, and a lot of those lessons

translate easily into the cyberspace, so we can expect to see a lot of similarities there, I think, coming down the line. Response is another key area. It's not enough to just have a plan; you have to actually execute your plan well based on what you see on the ground, and information sharing is a huge, huge, huge thing across the board, and we'll talk about that again in a minute. Recovery, obviously: mitigate the threat, restore your operations, get everything back up and running, keep it running. Business continuity, kind of critical here. And evaluation: evaluate what happens, how it went, and what you can do better next time. That's a piece that, you know, applies in any type of disaster

response. I used to work for many, many years on Capitol Hill. Right after 9/11 I got there, and the office I was with had a lot of folks in it who were there on 9/11, and every time we would have a fire drill from our third floor corner office in our convoluted building, we would go outside, someone would hold the door, we'd go down the stairs, someone would hold the door, we'd leave, and then we would spend two hours evaluating how effectively we held the door, how effectively we went down the stairs, maybe we should go down different stairs, those were too crowded, maybe someone else should hold the door. Evaluation is good; it's not everything.

You can evaluate only so much; there's only so many ways to hold the door. So communication, major, major piece here on information sharing. A lot of people have done a lot of things across a lot of different industries. There's a lot of best practices out there. There's no sense in recreating the wheel if you guys are just down the street from each other. You know, Connecticut's big, it's not that big; somewhere somebody should be able to trade information. Breaking down silos, sharing information public/private, big, big thing: government, private sector, increasing those lines of communications makes a big deal too, is not everybody has the, you know, sole ownership over good stuff. Verification: measuring and reporting progress on each

of these principles as a way to sort of focus improvement going forward. I think we'll see a lot of that. And then, so the strategy is 20-something, 30-something pages long. I should know that exact answer by now and I don't; I've blocked it in my brain. But it has a lot of stuff in there. These five themes it specifically calls out in the beginning, saying these permeate through everything, and we've just talked about some of them. They do. Education and training: everyone, everywhere, at any level, in any position, any desk, always at the ready. Everyone's always ready for good, ready to go. So you've done your training, you've done your simulations, you've got the education, great, that's all there.

We're closing the skills gap between what people know and the skills that exist in the state now versus what we need going forward. And I know "skills gap" is a phrase that we apply across the board; you know, put it in manufacturing, we have a huge skills gap, put it anywhere, but in cyber particularly. Information sharing, we just talked about: threats and best practices, break down silos. Budget priority: any time you use the word "budget" in Connecticut right now, everyone kind of, like, shivers a little bit. It's like a twitch. But the idea is that cybersecurity needs to be raised to the level of any other general public safety consideration, any other budget line item that has to do with police,

fire, anything like that. Cyber security in some way, shape or form needs to be at that level. It's an annual consideration, it's annually funded, because it's such a consistent part of our lives and it permeates everything. Consistent, adequate funding. Everybody has a role to play; we talked about this too. Nobody's immune. We have a culture of security across our state, not just within an organization, same thing; people at all up-and-down levels are focused on this or at least aware of what's going on. And making it a hallmark of the state, making it a business driver here, like we talked about, increasing companies, jobs, residents, all those good things that we want more and more of. This is a great

way to do that, because it's such a growing field with such an extremely high potential. So what's next? One of the specific things, this is actually directly from the strategy, and we're talking about pulling together all these clues to figure out what we can do and what specific steps we can take: engage with the sectors, put together a plan, action plans, clarify the steps. Here are the things that we should focus on with our action plan, whatever they may be as they come up, whether they're industry specific, whether they're across the board, whatever, whether they come through regulation, whether they come through tax credits, however it happens, carrots or sticks, here's what we're focused on: critical infrastructure,

information sharing, and closing the talent gap, law enforcement. My favorite is "activate our citizenry to be lifelong learners." That's probably really super specific, and I'm sure we'll have an entire way to regulate that coming up shortly. It's probably gonna be the most low-hanging fruit out there. So another clue, take it for what you will. I like to think of the strategy within the context of the trends that we see across the broader cyber industry, and I say cyber, I say security, someone else may say InfoSec, someone else may say risk, whatever, same thing, you know what we're talking about. But the big trends that we see that make a modern cyber security program, modern cyber security practices

within a company: security to resilience. We're gonna dig into each of these here, but like I said, I like lists. Security to resilience, planning and response, whole of enterprise, less firewall, more ecosystem. So, security to resilience. This is kind of the big one here. That it's not just, and again, this is gonna be a whole big section in here that it's gonna be preaching to the choir, and if it's not, I'm sorry, you're in the wrong choir, pay attention. So security to resilience: it's not just how do you defend yourself anymore. It's, you know, I'm gonna say the "it's not if, it's when." If I hear one more person say that to me as if it was brand new, then I'm walking

out of whatever room I'm in, so I have to couch that with you. I know you've heard that a lot, but it's relevant here for this. It's not just defense, it's not just keeping someone out; it's assuming they're going to get in. You want to reduce the likelihood that they come in, but you also want to really, really improve your process for what the hell you're gonna do when it happens. Making sure that business continuity is a huge focus, not just getting your systems back up and running but actually making sure your company continues to function. Evaluation and improvement are a natural built-in piece of any resilience effort, making sure that you're learning constantly from what

you're doing. And I think a theme of constantly doing something has been running throughout this day, from your threat evaluations, or whatever they were talking about before, and those kinds of things, but the idea that this is always evolving. There's nothing static about cybersecurity; if you become static then you become stale. Training and exercises can't just be focused on you and your system. They have to be realistic if you're really going to test a full plan across an organization, small, medium or large. There are ways to design scenarios that give you a realistic sense of what you can expect, and I really emphasize this coming from a communications place, because that is a big piece of what I see a lot, is

companies spending all this time and all these resources and all these man-hours on training to their plan, exercising, except their training to something that's never in the world gonna happen. Why are you spending so much time trying to figure out whether or not your CEO can withstand some really tough reporter questions? If your CEO's in front of a reporter, you already lose; you've already done something very wrong. So training and exercises must be realistic to really test the resilience of your organization, not just your defense abilities. So acknowledge they can get in; you should be able to mitigate the damage without bringing down your company for good. Resilience: it's both planning and response. It's not just, is

my plan really good. You need a really good plan, but then if you take that really good plan, you stick it on the shelf, and you pull it down and you start trying to follow all those steps in the, you know, fog of war after something's happened, again, you already lose. So the ultimate price of a breach, and again I have an entire bullet up here that I threw in due to Equifax, because this has been something that I have been standing on my little soapbox screaming about for ages, and then they just walked right into it and gave it a little textbook example: you can respond and make it so much worse. You get breached, it sucks, something went

wrong, it's gonna cost you money, you're gonna have to fix it, all of that. But if you handle it so, so, so poorly in your response, your bad problem becomes a ginormous problem. Nobody in a standard data breach gets hauled before the Senate Finance Committee. You get hauled before the Senate Finance Committee because there were so many headlines about how you sucked that now the senators want to ask you questions and throw bombs at you. So that, to me, comes in that sort of non-traditional planning stage; that's where good communications response plays in. So reputation resilience is a thing that I hammer on all the time. Resilient networks are great, but if nobody trusts you enough to

use them after you clean it up, who cares? You don't have a business anymore. Somewhere somebody pays you to do something, and that's your business, whatever those things are; fill in the nouns how you will. If those people stop paying you, you don't have a business anymore. So you have to maintain that trust, you have to maintain that loyalty, and a good response based on a good plan lets you do that. Non-traditional security functions, yep, got all of that. So it's not just putting together plans to keep on the shelf; it's pulling it off the shelf and having the wherewithal to actually implement it the right way. The right way and the right plan is more than just the IT team. It's

more than just tech folks, security folks sitting in a corner going "here's how we're gonna make it all better." You have to have the whole team, and no, all crises are not created equal. All data breaches are not the same; you guys know this. But that also means that the response is not always the same. The building doesn't burn down every single time. Sometimes it's just a little spark, and, you know, maybe your desk catches on fire, fine, that's a different kind of response. But a good plan, fully built out and comprehensive to all the different possibilities of what may happen, what may be required in the event of an incident, has to bring in multiple

members of your team. I loved that part of, I'm sorry, I'm not scanning the room fast enough, if the DevOps guy is still in here, but go make new friends. Step one: go make new friends. Go meet people in IT, legal, human resources, go meet your communications team, go meet procurement. All of those folks are going to have somebody that they interact with regularly outside of your company who cares that this thing happened to you, or who may care, and whether or not they do, you need to already have those relationships in place so that you can get that information to the right people at the right times. So your whole team has to be a part of the solution here.

And this is how good I am at trying this. This is where we talk about it's not just you, it's not just what's in your network, what's in your system, what data do you own, what users do you have, what controls are there, you know, what kind of monitoring, all of that. You are now responsible in more ways for that full ecosystem. That full ecosystem not only can impact you and what you're responsible for every day in your little corner of the world, but it can actually impact your overall organization's ability to function. Look at Target. Who knows how they got hacked? Anybody? I see a lot of heads nodding, so I'm gonna start throwing out some words here. Yeah,

the HVAC vendor, you know, who doesn't actually control your point-of-sale machines, the HVAC vendor, you know, who is a great, fabulous weakest link, the HVAC vendor. So let's just take that and put it here. You need to be responsible at some level for the security across that entire ecosystem, and from the perspective of a company and a business that's used to being all internally secure, that sucks, because that is a huge shift in mindset, that's a huge new approach, and so much more work. It's also an extremely wired piece of the DFS regs that came out, so if you're subject to those or you're working with someone who's subject to those, this is the piece they

hate the most. It's also the piece that they have two years to implement, because it's such a cumbersome process. It's also incredibly important, because that's what people are focusing on now. So, action plan. These are the trends that we've talked about. We pulled some pieces here and there from the strategy, but now specifically, without knowing what exactly you're gonna be required to do by the state of Connecticut in some way, shape or form, whether it's going to be actual regulations that are very specific or whether it's going to be less prescriptive. One of the highlights, I think, of the DFS regs is that they're not prescriptive. You're required to meet functional steps along the way; there are

functional requirements, but it is left open to the company to decide how best to meet those functional requirements given their specific situation and their resources. So as long as you have shown that you have made a good-faith effort to do these things, nobody cares how you do it. So the action plan, the pieces that I have pulled for this, that to me are the most obvious, are the lowest-hanging fruit of what you should be doing anyway. You probably are doing these already; if you're not, don't tell me. But if you're not, these are the most basic, immediate actions that you can initiate tomorrow. You can't finish them tomorrow, but you can start them tomorrow, start the

process that moves you significantly closer towards a full modern cyber program, program, practice, whatever you want to call it. So five steps, so like five more bullets. This is important: risk assessment; we're gonna do more with the ecosystem; we're gonna talk about IR planning; tailored solutions, I think, is key, and we're going to talk about off-the-shelf and why that's super irrelevant; and I think the opportunity, there's a huge opportunity for business positioning and industry advancement here, I think, vis-à-vis competitors, so I think overlooking that would be, you know, an unfortunate lost opportunity. So step one: everything should start with a risk assessment. Too many companies just want to run out and buy tech, this tech, that, throw it in,

we're secure. Not necessarily; that's not how it works, probably not, actually. You need to really understand the status quo of what you're dealing with with your company first. The idea of a risk assessment, like I said, not rocket science, but really important to emphasize the value of starting right there. You need to know what is unique to your company: what do you have, what's valuable, what's not valuable, what's, you know, rank it, what's more or less valuable. You need to know where the weaknesses are, your people, your systems, your vendors, whatever that may be, and you need to know what the threats are directed towards the type of valuable information you have. There's also a big

piece of this, again putting back on my little communications hat, where there's a whole element to a risk assessment, if you're really doing it right, that evaluates your standing in industry, because that will have a big say in how people react to you. If the goal of being a resilient company is to make sure that you still have a company when this is all said and done, and that maybe you can still function while it's going on, then you need to know and have insight into how people are going to react to what happens to you. So knowing what your current industry positioning is, knowing what your current industry footprint is, particularly severe competitors who may

or may not have an opportunity for themselves to take advantage of the situation. Knowing that that's there is a big deal. Knowing whether or not, oh yeah, that's right, we just screwed something else up six months ago, so they're probably gonna take this news worse than they would have otherwise. Knowing that context is really important. So fully and comprehensively reviewing the risks associated with your company helps you determine where to allocate your resources to shore up the weakest links, to plug the biggest holes, and you're not wasting time on things you don't need, particularly money. And everything comes back to resources, particularly when you're talking to a C-suite audience. So appropriately allocating limited resources starts with a good

risk assessment, so you know where you have a need for them. Ecosystem due diligence: this is almost directly from DFS, because I think they laid it out really well in the DFS regs. You need to know what's in that third party ecosystem, not just that they're there and you should probably ask them some questions, but you should really know, seriously know, what the hell's going on in their networks, because they are plugging into yours. You want to identify it, and this is again, this is big. I'm not saying this like this is something you can go out, start it on Monday, you're done with it on Friday, yay, good job. No, this is much longer than

that there's a reason this is the final implementation step for DFS because it takes the longest to do it right particularly if you have thousands of vendors not everyone will few but identifying and assessing the risk that comes from those third parties knowing what they access what they do and really having a handle on that matters due diligence like you really have to put in the work to evaluate their systems you have to ask them questions you have to go out and like poke things and see if they work you have to go on-site and see if it really is the way they're telling you it is establishing minimum standards within the contracts makes a huge

difference having actual contractual obligations for these vendors to do business with your company that says they will maintain the standards of security that you have set for them and then periodically assessing that they're actually doing it they didn't just do it to get in the door once they're in the door they have to keep doing it that's not the point it's like getting into college you got in now you have to keep doing stuff so the ecosystem piece can be small medium large it can be as intensive as your organization decides it's necessary necessary but some version of due diligence has to happen I are planning this is my favorite place where I pretty much play all the time so

I promise not to talk for 30 minutes about this, but basically a good IR plan has very basic steps to it. Even a basic IR plan has a bunch of really basic boxes you have to check and a bunch of basic steps to take, and in my mind 75% of the work that goes into taking those steps can be done ahead of time. You don't have to wait until something blows up before you actually start figuring out, I wonder, you know, where our weak points are; well, it's probably the thing that just blew up. So building your team, accounting for all the different priorities across that team; you know there's gonna be a different set of

priorities, and this is, you know, again, one of my personal favorite places: understanding that your communications and marketing team has a different set of priorities than you do, a different set of priorities from the security folks, from the technology team, from, you know, the sales team, but you all need to be part of the same conversation, so that at a minimum you understand that everyone else is bringing something different to the table, and all of that doesn't just turn into giant fighting where whoever's the loudest wins the plan at the end of the day, because that is not a recipe for a good response. Assigning your roles and responsibilities: anything you can do to minimize the amount of things

you have to do in the chaos of a breach matters. Every little thing you can clear off before something goes wrong helps you. Assigning your roles and responsibilities, something that basic: who's responsible for talking to which stakeholders, who's responsible for talking to the board, who's responsible for talking to, you know, the sales team or the client management folks; like, who's manning the phones and who's gonna get that guy information. Establishing procedures: how you're gonna do things, how information is going to flow, the background research that goes into just knowing who your stakeholders are, how you talk to them, what they care about, so that when you talk to them later you don't anger them in the way

that you've spoken to them. That was a big problem with Equifax: they put out their first statement and the very first thing they said was, we're really disappointed this happened. You know what? So the hell is everybody else. Like, no one cares that you're disappointed; you just lost all my stuff. So knowing who your audiences are and why they are gonna care that something happened to you and how you should talk to them: do you need to build new channels, do you need to build new tools? And then training with realistic exercises. We talked about that IR plan you put together; you've got to train it, and you've got to train it the right way. Practice makes perfect when practiced

perfectly. Does that ring a bell with anybody? Anyone come from a sports family? Anyway, that's relevant here; if I have to explain to you why that's relevant here, then it's not worth the time. But IR planning: super important, super easy to start and initiate, and definitely going to be a part of any requirement that comes down the road, because it just is so significant these days in determining the actual impact of an incident. Solutions, so, tailored solutions. A lot of times you'll find a company or an organization that hasn't put a lot of thought into cyber yet, and all of a sudden they're like, oh my god, I have to do something, and they either run out and

they buy that box on the shelf and they bring it home and they hand it to you and they make you open it and do something with it, or the first three vendors in the door get contracts, because, oh my god, we just need something tomorrow. None of that actually is relevant for your company; it's not a smart way to approach anything. You guys know this; a lot of times the people cutting the checks hopefully know that already, but it gets trumped in their head by the sheer panic to just do something quick, quick, quick. So take the time now, before you're required to meet an implementation deadline, to actually match solutions to need, and this goes

back to your risk assessment. You know what your risks are, you know what your vulnerabilities are, you know what holes you need to plug, you know what your system requires; go out and find things that actually manage your specific risk with your specific resources. Don't waste your time on unnecessary shiny, flashy things that use all the right buzzwords just because I walk in the door and I say, oh well, my machine learning super-cool monitoring control thing. Don't buy that unless that's what you need; if that's what you need, cool, buy it, good luck with it, but still, you've done something that's better than nothing. So a lot of these functions that must be met with

tailored solutions; again, I stole a lot of this from DFS, because a lot of these are the very basic requirements that covered entities, the companies who must meet those regulations, have to fill, and they're left open to decide how to fill them: resources, risk, etc. Again, show your work on everything, because that's what the regulators go back to, to see that you've really done this the right way. So I'm not even gonna read through this list, because this is all the stuff that you guys probably do and know and live in your sleep, or at least pieces of it. So somehow all of these functions have to be met; cool, do it in a way that meets

you. And then, opportunity. This is a little bit more jumping into what we said before: if you view this as an opportunity to really implement and develop a risk-based cyber program, then it's not a burden, it's not a compliance burden. It may be a burden because it will take time, it will take resources, it will take hours that you'd rather be spending, I don't know, doing something else, but your company can take advantage of that moment in multiple different ways that they couldn't when they weren't doing it. So one of the arguments, or complaints I should say, that I hear from folks a lot is that, well, this would all be super fun, but nobody will

approve my budgets, nobody will give me the resources I need to really do this. Right, okay, well, you're getting ready to have regulators breathing down your neck, so someone's gonna decide you need to do this right. This gives you an extra, maybe a bigger, stick to swing around and try and get some more money for your budgets; yeah, good for you. Providing a better customer experience: this really gets into a lot of the, I don't know, voodoo of the marketing world. There are certain companies, who shall remain nameless, that are always at the top of customer trust surveys. You ask customers, who do you trust, who in the financial services industry specifically do you trust, and there is a

specific credit card company that ends up in the top one, two, maybe three, over and over and over and over and over, despite the fact that they have been breached over and over and over and over and over. You know why? They market on security. That is a big push for them as they reach out to their customers, so they have become known as a secure company that really cares about their customers and their security. If you actually care about your customers and security, because you're doing all of these other things and you're actually implementing a comprehensive program, it's always easier to sell something that's not, so that's a good thing; your marketing team

will thank you, because they actually have something cool to go talk about. The overall business outlook: this is a piece where, again, this will depend entirely on your organization, on your company, but the fact that you have brought different people from different parts of the organization together, and you've locked them in a room and you've made them be friends with each other and you've made them trade phone numbers, you made them all talk about their hopes and dreams and priorities, can only work out well for your company. It helps break down silos, and anytime you're doing that for any purpose you will have second- and third-order effects that will benefit you. So, you know, think about it

as we're bringing everybody together. Okay, you're not bringing everybody together; everyone's not going to suddenly love each other and want to play more, but the fact that you have forced people to at least acknowledge and learn something about other parts of your organization will make everything else function a little more smoothly. And again, part of the marketing thing: if you start doing this now, before you're required to do it, then down the road, when everyone's like, oh sure, they're requiring us to do this, and they're scrambling, you've got this, you have a leg ahead, and depending on the advantage you're able to take of that situation, it puts you at a competitive advantage, and that can actually make a big difference

for your company. And that's not something that you guys think about every day, but there are a lot of people who are paid a lot of money sitting on the other side of the building who do, so if you can take something to them that helps them do their job more easily, I promise you everyone's gonna be happier in the long run. So that is a very quick run-through, and I'm looking at the time; I think I kind of nailed what I was aiming for there. So that is, like I said, it's all guessing right now; nobody knows exactly what anyone's going to be required to do, but we have some really good leads and we have some really good

directional, you know, ideas of what may happen. So if anyone has questions about any of that, there was a lot of stuff all thrown in there and done very, very lightly, so, yeah.

regulations that are necessarily needed. So many of the corporations in Connecticut are, just in terms of the demographics you've outlined... so how do we, if we the people come to that collective, how do we get this shut down, or at least how do we make it go to somebody else and not touch us? That's what I think I heard you say, right? Right, how do we make it go be valuable for somebody else. Yeah, no, I think, I think, all, and there's definitely, because we don't know what they're gonna be asking us to do, I'm totally with you. I think, you know, it's a coin toss right now as to whether or not we're gonna get

heavy-handed, redundant regulation, oh my god, this is the worst, how do I kill it, or we might get something that says, great, here are the things you need to be doing, just show us you're already doing them; why would we make you do them again, but we want to make sure. From, again, just from what I have seen in the strategy, and knowing that there are all these other frameworks, regulations, requirements, things out there that overlap on a lot of the industry that's here in Connecticut, a lot of the requirements you already have to meet for different things, I think the objective of this is not, and again, benefit of the doubt to them based on

what we've seen so far, is not to suddenly create these regulations that sweep across and that everyone now has to meet something new. The idea is that there are spots within the different industries that are doing really well, that do have really great, comprehensive programs, but it's not everybody and it's not across the board, so let's find a way to raise the baseline level of security. You know that sound? I'm rolling my eyes at myself as I even say that, because it sounds so cheesy, but let's find a way to take all those places where there are gaps and there are holes and there's people who aren't taking this seriously, and let's raise them to that level, so

that everyone is, to an extent. I think the municipalities are probably a little behind the curve, but I would say they are not the only group I saw on that list who sometimes sucks at this. You probably have an amazing system and culture; that might be part of what comes out of this. I think right now my understanding is that conversations are underway with different sectors and across different players within those groups to figure out what makes sense, and it's not going to be some, like, voice in the sky, oh, man behind the curtain, whatever, who says do these things. It sounds to me like that is the plan. I think that, again,

it could go so many different ways, and your version of what that should look like might be different from your version of what that should look like, and I may think you're both crazy, so there's a lot of room for subjectivity when it comes to this. But I think there are some very basic understandings of what needs to be done, and I think the municipalities absolutely are an area that have not always, just based on simple size and capacity, have not always taken this as a serious concern, so there's definitely places where they have more work to do than others, but, you know, I wouldn't let the rest of the list off the hook

and say, oh, I'm sure they're fine, because they're probably not. You know, I think higher education is another similar area where there's a lot going on, but it wouldn't be everything. Please, go ahead. I like things in groups of three; draw chance, huh? What? So let's say something really happens; what should we, as we the people, expect from Malloy? It depends on what happens. I think one of the biggest misunderstandings, and I'm not saying this is implied in your question, but one of the biggest misunderstandings of someone who isn't in this space every day like we are is, what can I expect from the law when something happens, because it's never gonna look the same.

It depends on what happens. You're gonna expect very different things from your government if a financial institution is breached or, you know, the sub base goes down; I mean, there's a lot in between. If the power grid goes down, I want to hear a hell of a lot more from Malloy than I do if, you know, UBS loses some stuff. I think what you can expect is being proactive, being involved. I think what I counsel clients on when they're putting together plans for response, and it's always on that, what do we say, what do our executives say, what do we say as an entity, and it's always, you have to say something. So if you're silent, that's

a problem. You have to say something, you have to address what you know while acknowledging you may not know everything, and you have to do so in a way that makes me understand that more will be coming; not that your story will be changing, but that information will be updated as we learn more. And I think, to me, if there's more than that in the beginning of any kind of breach, whether it's, you know, an executive somewhere else having them be involved and telling us in a transparent way the steps that are being taken to resolve that problem, in addition to the steps that are being taken to make sure something else doesn't happen like it, that

matters. Those are the things that, to me, would say good leadership, good job, got it, okay, you're on it, your team is doing it, I trust you to be taking care of this. That helps.

...silly complexity? Mm-hm.

Yeah.

Right, I think that is one of the biggest challenges right now that organizations face: that, in the grand scheme of things, this concept of, you know, cybersecurity and regulating that cybersecurity, the idea that cybersecurity is something that can be regulated, is fairly new in the grand scheme of things. So as industry, industry groups, states, you know, places like New York and others, are starting to decide more needs to be done, they're not seeing it move at the federal level; sometimes they don't care if it's moving at the federal level, they just want to take care of their stuff, because that's the nature of politics, like, that's how it works: you want to take care of what

you're responsible for. And businesses such as yours and others that are across states, you know, throw in a whole new level of entities that operate on a global level and, oh dear Lord, I don't know how they do it. But I think that the place in the trajectory right now where we find ourselves is that there's still more coming; there's still more little odds and ends, the patchwork quilt isn't done yet, there are still patches being added to it with new states and new regulations coming, and everyone's trying to scramble and figure out what to do, you know, and, like you said, while yours and exploits over here and over here and over here, because everyone has

to balance it out. I think at some point we will see that pendulum swing, and it will, you know, whether there is an uprising of corporate America, I don't know what it will be, but I think eventually those state laws may not go away, but we may see some type of, maybe not a direct forcing function, but a really strong push towards a singular framework that people can use. And I don't honestly think that, in federal government, for a long time, I think we're ever gonna get a singular framework that everybody everywhere says, yes, we don't need HIPAA, we don't need DFS regulations, we've got this; so that's not gonna happen, but you may find states agreeing to adopt similar frameworks

that aren't creating such competing priorities and compliance issues for companies. So I think, I don't think we've gotten over that hump yet; I think there's more still coming as it builds up, but ideally at some point states and all will realize that balancing it out helps. So, good luck. Sorry, next, you, and then it's over. Yeah, I

think the insurance piece is gonna be a big driver of a lot of it, because I call cyber insurance the giant Wild West right now, because anything goes. Like, talk about having to read the details; I mean, seriously, you have to read the details, because there could be anything in there and you could be paying for anything or nothing and not even know. But I think that as the insurance policies are evolving and becoming more mature, and companies are becoming more inclined to buy them and to have cyber insurance, and are starting to demand coverage for things they didn't demand before, I think there will be, in a sense, sort of a leveling out and standardizing

there of what's acceptable, of what becomes an acceptable base level of insurance coverage and requirements to get that insurance coverage. That could be a framework that impacts or influences and applies to other, you know, states and all, too; I mean, it's just another thing that companies have to comply with in order to get their insurance, but it could be something where that becomes the thing that influences all the other new things. I actually, honestly, don't know the answer to that. I don't know if this came from legislation or if this came from, you know, an order from the governor's office as a priority; woke up on a Tuesday, thought it was a good day,

initiated it on Thursday; I don't know. I've seen strange things happen in strange ways. But I think that, to your point about people just kind of not really caring right now, I think that's fine; there's nothing to care about, it's a strategy. You know, the whole government produces a strategy every, I wouldn't say, like, whatever, it's a strategy, that's not true, but they're pretty common. So I think that people, that's why the implementation plans and the action plans matter so much, because you only make people care by forcing them to care. It's a company, it's a business, it's an entity; they don't care because they like to care about things, they care because there's money somewhere involved,

and whether that's regulated requirements, whether that's, you know, a fine they're gonna get hit with or something, that's the time that they're going to care. And my point about getting ahead of that curve is that there are a lot of things that you care about that this can help you drive, that you can do now before it's a requirement, so that when it becomes a forcing function it's not that big of a deal, because you've already done it, or you've done a good chunk of it anyway. Yep, yes. It's all over, I reckon; flip back.

My expectation, and again not based on any knowledge that's legit, is that it will be a way to facilitate information sharing, both within industries and between the government and the private sector, because there's so much intel, there's so much knowledge, and it's not just about threats; that's the most obvious thing that people talk about with information sharing, but it's also best practices, it's also things that work, things that don't work, things you've tried, etc. There were a lot of different places throughout the strategy where they reference facilitating the sharing of information. I think there are a lot of pockets of knowledge and a lot of pockets of information and intel that exist both within, you know,

from something as obvious as the FBI to state government to, you know, large, like, financial institutions that do this themselves, and I think that one of the main things we'll see come out of it that's not really a regulatory type of thing is the creation of entities to facilitate the exchange of information, because, you know, the more you know. I think that's gonna be a big piece that comes out of this, so whether it's between law enforcement and industry, whether it's between government and private, you know, there's not really a good way, as the federal government's been learning, to mandate sharing, but finding ways to facilitate sharing can go a long way. So my expectation is that

we'll see something that takes that kind of a shape that isn't just the forcing function of a regulation. So there could be, there could be something good; you never know, you never get out there. There should be something valuable here. Yes, that's what

yeah, yep. I think it would not be far-fetched to expect that somewhere, at the end of the day, the government will make some money off of this. I think that's, I think that's probably not crazy. Now I'm, you're preaching to the government choir; like, I am cynical, I was cynical in it, but, you know, to be cynical and, like, I'll show you, an idealist at the same time, but you can do it. I think it's absolutely, seeing something along the way that involves a fine, I don't think it would be crazy, and, oh, so that fine happens to go back to Hartford, oh, that was surprising. I think that's not going to be super far-fetched,

but whether it's something as crazy and intense as GDPR, or something that still is kind of TBD, like DFS's, to an extent, like, you know, we've just hit the first deadline, still kind of waiting to see what that shapes up to be for the long haul, or whether it falls somewhere in between, I don't know. Yes, yes, yeah, that might be a fun little secondary reason that that implementation timeline is two years. Yeah, so I think we're, anyway, I'm done. Thanks, thanks for the 98 percent of you; say, Rick.