
Well, thanks again everybody, it's a real pleasure to be here again. Today's title is "Cyber Security and the Board: Choosing Success over the Sarlacc Pit". A little background on where this title came from: I actually have a podcast series called the Cyber Security Effectiveness Podcast, and I interviewed a number of board members from public companies, private companies, tech, financial services, health care, and so on and so forth. One of the board members I spoke with said that every time a security executive like a CISO goes to present to the board, it's kind of like they fell into the Sarlacc pit. I'm sure everybody on this call knows it, but of course the Sarlacc pit is
from Star Wars, Return of the Jedi, and Jabba the Hutt explains it as enduring indescribable suffering as you're slowly digested over thousands of years. So pretty much a horrible situation. And the point was, it doesn't have to be this awful situation. It should actually be very bi-directional: a security executive should get content from the board, and the board should get content from security executives, to make the organization more successful overall. But unfortunately, sometimes the language that people are speaking and the direction people are going in these meetings isn't really aligned with the business strategy. I've pulled some quotes out of these interviews and tried to sprinkle in some
other data points to make it interesting. So let's just jump right in.

A little background about myself. I'm Vice President and CSO for Mandiant Advantage. I've been in cyber security for about 25 years and I've worked in over 50 countries. Fun fact: when I first left the United States and started doing real heavy business travel, Spain was the very first place I went to. I was with Bell Labs at the time, doing a project with Telefonica, and I spent several months in Spain, mostly Madrid, and then went over to Latin America and spent a lot of time in Brazil, Argentina, Chile, and a lot of time through Central America, etc. So Spain
kind of started off this 50-country, six-continent journey that I had going on. I started with DISA, the Defense Information Systems Agency, as part of the US government, and then, as I mentioned before, Bell Labs, mostly based out of Sao Paulo, Brazil. Then I came back to the US and I just started building companies, or helping to build companies. I've had a couple of IPOs and a bunch of acquisitions, companies like ArcSight, Imperva, McAfee, Solera, Cylance, and a whole bunch of others. My latest company was Verodin, which got acquired by Mandiant just a couple of years ago. I've written a couple of books; my last book was with the former director of the NSA, and I did a cyber war documentary
with General Michael Hayden, the former head of the CIA and the NSA. So enough about me. All this to say that I've been in security long enough to see how a lot of things are done incorrectly.

Agenda: a very short historical perspective on threats and technologies, kind of a fun background, but the whole thesis of this presentation is trying to morph security executives to have a broader perspective on things, something that's not so focused on the technology, the bits and bytes, the attacks, the APTs, etc., but actually the business as a whole. I'm going to pull out some quotes that I've had from some of these board members. I'll talk
about business relevance, as well as bring up some of the hot topics that they tend to bring up. When you look at the aggregation of these interviews, there are certain threads that pop up again and again.

Starting off with some of the history. One thing I noticed, and this is based on a larger presentation that I do which is sort of a historical analysis of threats, is that the threat windows have really been shrinking over time. If you take things like sea, air, space and cyber, and you look at the first time they were commercialized and evaluate how those threat windows have morphed, it's pretty
interesting. So, for example, 3000 BC in the Mediterranean was about the first recording that we have of people using the sea for commerce, the first consumerization of the sea. We didn't have the first recorded pirates until about 1300 BC, so there was roughly a 1700-year threat window between the first time somebody said "hey, let's sell something between point A and point B over the sea" and somebody said "well, let's just go ahead and rob that ship." That's a pretty significant threat window in today's terms. Then we take air. In 1859 John Wise tried to commercialize the use of air via hot air balloon to deliver mail and other goods. It was a
fantastic idea; it crashed and burned, it literally crashed and burned, but it was a good idea. Again, the first commercialization of air. We didn't see the first hijacking until about 1931, so it didn't take 1700 years for that threat window to catch up, but it was certainly pretty long by today's standards. Then we go to space. A couple of years after Sputnik we had Telstar, which was an AT&T satellite that was being used for television broadcasting, and that was about 1962, so that was the first commercialization of space, if you will. We haven't really seen a lot in terms of satellite warfare or attacks that are specific to space; the barriers to entry
sort of make it not worthwhile to most attackers, but there have been some isolated incidents. One was the Turla data theft in about 2015, and that had to do with a command and control system that was actually leveraging satellite technology. Then we have the commercialization of the internet. In about 1988 NSFNET had a bunch of users and they were charging them to use email, and MCI at the time had a bunch of users and they were charging them to use email. They said, "hey guys, why don't we charge our customers so they can communicate with each other?" By today's ideas, what a novel concept: let people email each other.
But right about this time is when we had the Morris worm and a cavalcade of other attacks as well. There were worms and viruses and other attacks before this that were focused on DEC systems, and Brain, which was focused on PCs, predated this, but again this was the first time something was very prolific across the internet as a whole.

Another thing we see is that basic technology can really shift advantage. If any of you have seen the movie 300, you've seen these Greek warriors in about 323 BC. They had iron and they had bronze; those were their metals, that was
the advancement of their technology. They would fight with a phalanx unit, where they would move as one unit, and they were highly effective for a very long time. By today's standards, not very technologically advanced: bronze and iron, in fact relatively simple technologies, but highly effective at the time, and because of that they were able to rule the ancient world until the Romans came around. The Romans had this sword called the gladius, which incidentally was a Spanish design, and it was made out of steel. So at the time, wow, there's this new technology called steel that's much harder and stronger and can keep a
better edge than bronze and iron. The flexibility this allowed them is that they didn't have to just stand in front of the Greeks and fight this phalanx head on; they could flank them, they could fight them on hills, in the trees and the rocks, in the mud, in areas where the phalanx was not that successful. So not only did the technology help shift advantage, but as a result of the technology they could change their processes as well. Again, basic technology, but you can kind of see how that really shifts advantage.

Moving into the future a little bit, into the 1400s, we've got the Ottoman Empire, modern-day Turkey, and these folks were called the Janissaries. What was
interesting about them is they weren't the first military to use gunpowder or have muskets, but they were the first to really embrace it en masse and say this is a game changer. What this had to do with was complexity, because teaching somebody how to use a longbow, for example, and actually be good at it could take years, just to be lucky enough to hit your target. With a musket you can be trained and pretty good with it in a few weeks. You might not be an expert marksman, but you know how to load it, you know how to clean it, you know how to fire it. They weren't really that accurate to begin
with, honestly, but if you've got hundreds of people with muskets all pointing in the same direction, statistically they're going to hit something, especially when the people charging them have leather armor, maybe chain mail, they're armed with pointy sticks and swords, and you've got a big army with gunpowder. So that dramatically shifted advantage, and one of the reasons was it reduced the complexity of training people.

A relatively modern, or somewhat modern, example is World War II. Before that, I'll actually say in World War I, the United States and our allies, England and France, had a lot of armored vehicles, plenty of tanks and things of that
nature. The Germans at the time didn't think that armored warfare was really that valuable; it wasn't really something to be embraced. But after World War I they figured it out and said, wow, mobile armored warfare is the way to go. So in World War I Germany had about twenty tanks. Not twenty thousand: twenty. They had twenty tanks. By World War II Germany had a hundred and sixty thousand tanks and other armored vehicles as well. Now what's interesting about this tank is this was the Tiger tank, and the Tiger and Panther tanks, again a movie reference, if you ever saw the movie Fury with Brad Pitt, these were highly advanced. On paper they were the most sophisticated thing out
there, for sure. They were powerful, they were complex, and they were built like a fine-tuned clock. The problem: it took a lot of time to train people how to operate these tanks, and if something happened to these tanks, because their manufacturing tolerances were so tight, because they were really sort of a masterpiece in design, that was an Achilles heel. If you had to fix something, you needed a supply chain to provide mechanics that could fix it, the parts that needed to be replaced, the tools that they could leverage in the field, and generally if you're in the middle of the battlefield you don't really have all the supplies you need; it's not the
safest place. So even though the US tanks like the M4 Shermans, and the tanks that were being developed by the Russians, paled in comparison in terms of capabilities, they were far more successful, because if you could drive a car you could drive one of these tanks, and you could be highly successful. If one blew up, that's okay, you'll just pump another one out, because it's so easy to train people and they're so easy to produce. Because of that, of course, that was one of the reasons the Allies were far more successful. So let's just jump into that. That all kind of gives you some background, changing perspective on complexity and technology shifts and things of that
nature, toward the seeds of this part here.

This first quote is from Art Coviello. He's been a mentor of mine for years; Art was the former executive chairman for RSA, a brilliant guy who has been in security forever, has been running businesses, and is on the board of public financial services companies and a ton of tech companies. He says: "All companies, big or small, public or private, must embrace cyber security as a key issue with today's threat landscape. If you don't, you're not meeting your fiduciary responsibilities." I like the simplicity of this quote to kick things off, because if you think about it, they're just saying, look, it's not a question of
whether you should talk about cyber or not at the board level. You have to, and if you don't, you're not addressing your fiduciary responsibilities, which is the number one thing that board members have to concern themselves with. So cyber isn't a nice-to-have, it's a must-have at these conversation points. Board members want to talk about this, but more importantly they have to talk about this, so you're already in a situation where they want to have these discussions. Furthermore, and I don't have Art's quote for this, but one of the other things he told me was about the most powerful committee now on a publicly traded company's board. Boards are made up of various committees,
audit committees and finance committees and acquisition committees, but the most powerful committee on a publicly traded board today is the audit committee, and they've stopped asking cyber security leaders "do you have security controls in place to mitigate risk?", because the answer is always the same: of course we do, but we still need more money, more money for more tools, for more training, to hire more people. What auditors are now asking is: can you prove to me that the security controls that we have in place are actually effective across endpoint, email, network and cloud? Are they doing what they're supposed to do, and the people and the processes, are
they effective? And furthermore, can you prove that the money that you're asking the CFO or the CEO for, in terms of further investment, is absolutely necessary, and that we can't get that money out of other solutions we've already purchased? So it really comes down to evidence and proof these days.

Another thing that we found is it's not really about cyber risk when you're having these conversations at the board; it's about the financial, the brand and the operational risk that comes from cyber. Board members and other executives think of risk in thousands of different types. It's a risk to open up a business in a new country, it's a risk to embrace a new product, it's a risk to
acquire this other organization. So there's lots of risk, and cyber is one, right? And when they look at it, they don't look at it as "oh, this is ransomware, a botnet, or a new trojan or new APT"; they look at it from an impact analysis to finance, brand and operations. Now you're seeing a lot of CEOs in the news, even from sort of lagging adopters in cyber technology, people like power and energy companies, where they're going on TV, they're doing interviews, talking about the importance of cyber security. Not because they woke up one day and felt it was the right thing to do; at least in most cases that's probably not it.
They're doing it because they have to. Their shareholders and their stakeholders are demanding it; they're demanding that they address these issues, because, back to Art's quote, fiduciary responsibility. That's why cyber risks are being found and discussed in annual reports, corporate governance documents, committee charters; all these official, publicly available business documents are now mentioning cyber as one of the risks that they have to look at. At this level you have to be able to measure your security effectiveness like other strategic business units. If you go to a CFO, for example, and the CEO asks, "hey CFO, how much money do we have in the bank?", and her response is "well,
I can't give the exact number, but we do PCI audits, and MITRE ATT&CK this and that, and we just did a red team exercise, and patch management and vulnerability...", it just wouldn't fly. They just want to know how much money is in the bank, right? And we've gotten kind of a pass on that in security; we have a very squishy, risk-based response. Well, that doesn't fly at this level. So boards demand evidence, measures that are tangible. There's no room for guesswork, there's no room for assumptions; they want facts, just like they get from sales and finance and operations. Now, we've been asking to have security have a seat at the board level
for decades. Well, now it's happened, but now we have to adapt as security leaders to make sure that the information that we're sharing with these board members is in a format that they can actually leverage, that it is strategic, it is based on facts and is based on measures.

There are about six things that, across the board, all these board members kind of agreed on. This is sort of the major six, this is what they really care about at the end of the day, and again none of it's based on specific attacks. It's: are my communication services secure, things like email? Are my financial services systems secure, all the systems that are attracting the
actual money? Of course those are key. Customer data and intellectual property, is that safe? Are the critical applications, and the infrastructure supporting those critical applications, secure? Are we making sure that only the people that are supposed to get access actually have access? And can we demonstrate compliance? That's it, those are the big six. Nowhere do we see ransomware, APT and things like that. Not that those things aren't important; those are feeders into these specific points, but you have to speak it at this level, or else you get invited to talk to the board, they give you an hour, and then next quarter they invite you back and only give you five minutes, because they
just don't have the cycles to process everything that's being pushed out.

This is Alexa King. She has an interesting background because she's a lawyer in addition to being a cyber security executive and a member of a number of boards. Alexa says: "If you provide boards with evidence-based data" (that word again, evidence) "regarding your cyber security posture, trends, intelligence, effectiveness, etc., they should be able to provide you with valuable input based on their broader perspectives." So it's bi-directional. This isn't just the CSO or other security executives doing a dance in front of the board; this is also supposed to be the board giving input to security executives, because theoretically, and hopefully, the board has a broader perspective. They're having
conversations that the security team isn't privy to; they're working with other organizations, supply chains, partners. They have this broader, maybe not security-specific but broader, perspective that could be impactful to you, just as what you say could be impactful to them. So it's a give and take, it's education on both sides, and you should be getting as much as you're putting in.

Now, business relevance. Across all industries, businesses rely on their critical assets to generate revenue, be competitive, drive value, all these things that we think of when we think of business relevance. But as a board member, as a non-technical, non-security executive even, everything kind of falls into these
categories of business relevance. The other one is business continuity: how do I keep the business running, access to data and customer systems and critical infrastructure? What about regulatory mandates and compliance and privacy concerns and legal issues? Then critical asset protection, which we talked about before, everything from intellectual property to customer data. And finally, and I think the most important point here, is rationalization and optimization. It wasn't until maybe five or six years ago, yeah, maybe five years ago, the first time we ever saw somebody with the title VP of Security Rationalization, or saw a security rationalization team. The whole point of these new teams, and I started seeing it first in financial
services, now I see it in a lot of groups, is they're rationalizing security investments to make sure that they're actually getting value from the tools they've bought. If I spend a million dollars on firewalls, am I getting a million dollars in value, or am I only getting like 200 or 300,000 dollars' worth of value? Do we have a lot of overlap? Do my people know how to use these new tools? Are the processes still effective? How much budget do we really need, and how do we prioritize where to invest next? Rationalization and optimization: ensuring that you're getting the most value possible out of your tools. This is becoming highly important, because again, like sales and finance and
operations, they always have to rationalize, and security now has to do the same thing. Because of that, you're seeing groups out there that are specifically focused on rationalization and optimization.

Here's Jay Leek. Jay was the former CISO for Blackstone, a huge, publicly traded financial services company, and then he became a cyber security investor and was the co-founder of a VC called ClearSky. Jay sits on a ton of technology and cyber security boards, just a brilliant guy. Jay says: "Boards and business executives can generally quantify risk brought on by economic downturns, political challenges, natural disasters, but understanding preparedness and impact analysis for cyber is often based on assumptions because of a lack of
evidence-based measures." That comes up again and again with these guys: evidence-based measures, not assumption-based security. Again, there's zero tolerance for guesswork, for hopes and prayers, for assumptions at the board level. They want facts: what's working, what's not, what's optimized, what's providing value, where are the gaps. These are the types of things that we need to see.

So, some of the things that we see just in general in organizations that really reduce value, because again these conversations come down to how much value are we getting from our group. Things like weak out-of-the-box configurations. When somebody does a PoC, usually default out-of-the-box configurations are designed not to be so
loud that it scares off the security team, so they think it's going to be too much work and they don't want to buy it, and not too quiet, because they don't want to think that they're not getting any value from this thing. So they kind of aim for the middle, which is probably fine for a PoC, but it's never the right design for a production environment. However, we see a lot of weak out-of-the-box default configurations, and because of that even some of the basic attacks aren't being prevented, because it could be seen as being too noisy, for example. Lack of resources post-deployment: maybe there was a lot of time and focus spent
on deploying this new technology and you had different consultants and vendors and everybody in there, but a week goes by, a month goes by, a quarter, a year, and there's no post-deployment support for those, so they just kind of sit there and rot and you don't get the value out. Misconfiguration or under-configuration: on average we usually find that people are getting about 20% of the value out of their security controls, whether that's endpoint, email, network or cloud. It's not because of bad tech, it's not because of bad people; generally it's a function of there being just so many different security vendors on site. Most companies on average have about 70 different security vendors that they
leverage. I've seen banks that have over 200, which is nuts, to try to even keep those devices running, let alone get value from them. Things like SIEM issues: I like to use SIEM as an example because SIEM is a superset, and I spent about seven years at ArcSight, so I kind of saw the SIEM space evolve from zero customers, zero revenue, all the way through us taking it public. In SIEM you have to make sure that NTP is right and parsing is correct, and that all the IPSs and firewalls and everything reporting up into the SIEM are actually getting the information there properly, and that it didn't throw up a syslog, that there isn't a proxy server that's blocking
syslog and now all of a sudden your SIEM's not working accurately. So SIEM is the superset of all these other devices. Then you get to the point of doing pattern discovery, anomaly detection, volumetric analysis, temporal analysis, correlation rules and alerting, hoping that everything below it was right. So it's a very expensive investment, it's very hard to get right, because you are dependent on all these other things working properly. If you haven't optimized and ensured that all those security tools reporting to the SIEM are actually working effectively, that they're being parsed properly, that everything's accurate, chances are you're not going to get value out of a product like SIEM. And I've spent thousands of hours writing rules and pattern discovery, anomalies and all the
detection, all the stuff in SIEM. The other big problem is you have no way to test it once you've written all this. How do I validate that all my security controls, my SIEM, are reporting properly if I don't have any way to test and validate? Because they're so complex, you're just writing these things and hoping that when a real attack happens they actually work, and again, assumptions don't work in security.

Here's Matt Bigge. Matt's been an investor and a board advisor for several decades, primarily for security companies but also a large number of tech companies. He said that "our committees evaluate a wide range of risks, from standard accounting practices to the composition of boards." We talked
about all those committees earlier. "In cyber security, historically, audit committees have lacked controls effectiveness evidence, validation measures against threat intel, and optimization metrics." So, that thing that we saw before, validation, evidence, but also now threat intel. Threat intel has come up as this big topic now, not as a lagging indicator of compromise, for IOCs and other variables about the latest threat actors, etc., but now it's becoming the tip of the spear, if you will. I want to evaluate all my security controls against the latest threat intel and then measure their effectiveness, and then I can report that back to the board. When the board says, "well, where do we stand,
how secure are our systems?": well, we've evaluated all of our security controls against the latest threat intelligence; this is what's working, this is what's not, this is what we can put some compensating controls on, this is where we need additional evidence. It's very black and white, it's just right there in front of you. So again, validation and threat intelligence go hand in hand. And when you're talking about this validation, it's really a completely different approach to security. Security has a lot of things that are better but not different: this firewall is better than that firewall, this IPS is better than that one, this cloud security solution is better than that one. But what about something different? So
validation, breach and attack simulation, all of these types of solutions are really designed to think about this differently: identifying the gap, then tuning to make sure that you address that gap, then testing to make sure that those adjustments you made actually mitigate that risk, then automating those tests in perpetuity to make sure that the thing that was working last week is working this week and will work next week. Being able to rationalize, being able to very simply say this is what's working, this is what's not; I'm going to map it to MITRE ATT&CK or NIST or OWASP or SANS; I'm able to report on what I'm finding and demonstrate the value of my team to the
board at the same time, by showing we are strategic, we are measuring effectiveness like other strategic business units do.

This one's Bill Crowell. Bill and I actually wrote a book together several years ago. Brilliant guy; he was the deputy director of the NSA for several decades, so he probably knows more about threat intelligence than most people on the planet. In addition to that, Bill sits on a number of boards today as well. He says: "Having an intelligence-led approach" (intelligence-led is something we'll hit on more in a moment) "to cyber security doesn't just make the security team more effective; it provides the
evidence leadership needs to ensure that your goals, objectives and priorities are aligned with their business requirements in the face of the latest relevant threats and threat actors." IOCs and TTPs, great, we need that information, but if you don't have intelligence that can be personalized and operationalized, you can't have a threat intelligence-led approach. A threat intelligence-led approach means that you're taking this threat intelligence in real time, in an automated way, and validating: is my endpoint able to block and detect Mimikatz? Can I stop command and control and beaconing? What if someone's trying to tunnel over ICMP? If you don't have these capabilities, where you're actually testing in real time as these IOCs and
TTPs are coming through, then you're not really leveraging threat intelligence to its best capability, and you can't have an intelligence-led approach. If you can't have that, then you're not actually helping the business as much as you could. So having this intelligence-led approach, again, this is a theme that kept on coming up; it's become the new tip of the spear. It used to be kind of a nice-to-have, threat intelligence; then it became "yeah, it really is important, but I use it forensically, as a lagging indicator of compromise"; and now it's becoming highly important. How relevant are my security controls in the face of these latest attacks? Can I personalize these attacks?
If I'm a financial services company, I don't really care that much about the threat intelligence that's specific to PLCs and SCADA systems, right? Health care organizations have different requirements, etc. What are my safety levels? What's my outcome awareness: if we were to get hit, what's the impact? Does this mean they'll be able to get customer data, or get into the critical infrastructure that supports the systems that have the customer data? And can I report on this, and based on these reports, can I talk about what my security spending needs to be and my budgets? And then I want to be able to leverage this process of taking new threat intel, because by the time I
test something for threat intelligence, something new is right behind it. That's the thing about threat intel: it's constantly changing. So having an automated approach where you can leverage threat intelligence is becoming really key, according to these board members.

Karen Nortman sits, again, on a number of boards, with a lot of investment in the cloud security area as well. She says: "Companies are embracing cyber security services at an increasing rate." I think we all know that MSSPs and red teams and incident responders and all these other services can be leveraged; they've been around forever, but now we're seeing this embraced at an increasing rate. She goes on to say: "This trend will continue to
intensify. Augmenting your cyber security controls, your teams and your SaaS solutions with specialized expertise means greater security ROI and reduced risk." Well, it also means scale. Hopefully you can leverage these experts, because you're not going to be able to hire enough or train enough or retain enough to do everything yourself these days. Threat intelligence is a great example: most organizations don't have the staffing capabilities to have a really effective threat intelligence team. Maybe they've got some security folks that are dual-hatted with threat intel, but it's hard to really scale that way as the organization grows. So leveraging an organization that has some kind of threat intelligence, or multiple (I'm a big fan of having multiple sources of
threat intel), and then being able to automate that process, again so you can put it at the tip of the spear and make an intelligence-led approach to security, really helps you scale. It's not just threat intel; it can be validation as a managed service, it could be incident responders that you can call if something happens, so you have them on retainer, for example. Augmenting with services is becoming the new paradigm. It's been around forever, but I think because of scale and opportunity cost people are saying we really have to leverage services a lot more.

So my final thoughts on this, as we wrap up here. Security, of course, is strategic.
If you want to have these conversations with the C-suite and boards, you'd better make sure that you're not talking with assumptions; you have to talk with evidence-based metrics, or else you're going to be laughed out of the room and you're not going to be invited back. And you have to be sure to let them know, when you're speaking to the board, that security is not just about the tools; it's about the intelligence and the expertise behind them, so not only your people and your processes within your organization, but the ones that you can augment that with as well. Validation is one approach to this, breach and attack simulation is another approach to this, but anything that you can do to
help you measure the effectiveness of your security controls in an automated way, in perpetuity, to make sure they're doing what they're supposed to be doing, adds tremendous value and gives you those metrics and that evidence that you need. And if it can be intelligence-led, then you're not just looking at these old, stodgy SQL attacks from 20 years ago, which you still should test against because they still work in a lot of cases, unfortunately, but you're also testing the latest IOCs and TTPs to make sure that latest intel is being validated against your controls. And finally, you have measurable value and ROI; you're showing the value of security, what it brings to the business,
again, just like sales and operations and finance.

Now, I cherry-picked a few of these interviews to share, because I don't have the cycles to talk about them all, of course, but I've done over 100 interviews. Again, it's the Cyber Security Effectiveness Podcast; you can find it on Spotify or iTunes, or whatever you use to listen to your podcasts. We try to keep them very vendor-independent, with lots of experts: red teamers, blue teamers, reverse engineers, CEOs, founders, lawyers, venture capitalists, board members, CEOs, you name it. It's a pretty broad spectrum. So with that, I'd like to thank everybody for their time today, and I really
appreciate being part of BSides Barcelona. Thank you so much.