
Protecting the Digital Trust Currency: Building Cyber Resilience in the Cayman Islands

BSides Cayman Islands · 2024 · 1:01:46 · 38 views · Published 2025-01
About this talk
Juliet Okafor, CEO of Revolution Cyber, reframes security around resilience and trust rather than compliance. She introduces the IDA framework—Investigate, Declare, Respond, Recover, Adapt—and argues that organizational culture, leadership ownership, and workforce enablement are more critical than technology spending alone. Drawing on a case study from securing a global cruise line, Okafor demonstrates how dynamic, adaptive security practices protect digital ecosystems while enabling business growth.
Transcript [en]

[Applause] Hello. It is very difficult to be the first after lunch, so I'll do my best to keep you entertained. My name is Jules. I am the CEO and founder of Revolution Cyber. I started the company back in 2019, and I'm probably going to be walking you through a lot of the lessons that I learned attempting to help clients move beyond security to what a lot of CEOs, heads of state and leaders are more concerned about, which is this idea of resilience. The keynote today is "Protecting the Digital Trust Currency."

We're all in the Cayman Islands. It's one of the most notable spots for money transfers, and for companies and countries where they're storing their money. So if we think about the importance of security in that, we want to consider the result, not necessarily the activity, of security. What is security in the Cayman Islands supposed to be working towards? I would argue that it's about protecting what we're calling the digital trust currency, this currency of trust, and this idea of continuous cyber resilience in order to better secure our digital ecosystems.

I often hate to go into the "who" of my speech, but you have no idea who I am, so I'll start there. I am now a mom; I've got two kids in the back there. But I'm also an attorney who, I would say, decided years ago that I was probably a better salesperson than I would ever be an attorney. I didn't know when I made that decision so many years ago that cybersecurity even existed. I don't practice as a formal attorney in any country, but I review contracts every single day, so you can imagine how upset my parents are that I wasted a degree and can't call myself Esquire. Over the last few years I've spent a lot of my time talking about how the industry needs to move beyond this idea of traditional security, and thankfully that's resulted in me being deemed a LinkedIn Top Security Voice. I've actually appeared before the House of Representatives twice to talk about how to enable the cybersecurity workforce in the United States, and I've also been part of the team that led huge engagements for Fortune 500 organizations looking to scale security culture across their organizations, typically within 6 to 12 months.

So what I want to talk to you about today: I want to reframe this idea of security, like I mentioned. I want to talk to you about how to build a defense mechanism, so we want to talk about continuous defense, and talk a little bit about the IDRA framework, which is a framework that my company coined. It's a five-step framework around resilience: investigate, declare, respond, recover, and then adapt. And then I want to finally talk to you a little bit about what it is that we could do to strengthen trust in the Cayman Islands and across the Caribbean.

I'll start today by talking to you about why I started my company. Revolution Cyber started after I was SVP of a company called Fortress. We had eight people who were tasked by one of the largest global cruise lines in the world to do a few things. One, they wanted to build a global maritime security awareness program, and they wanted that program to help them educate not only the technical people; it had to be relevant to the people in the kitchen, the people who may never touch a security system. They had to understand security at a basic, foundational level. Ultimately what we were able to do is take eight people, some of us ICS specialists, myself never having been in security for that long, and we went aboard three cruise ships in the Bahamas. And it was awful; the Bahamas is awful, it was so terrible to go there, but we made it work. As a part of that trip, we assessed the ICS, the operational technology risk associated with their closed systems on the cruise line.

We also had three mandates. One, we could not do an assessment that impacted their revenue by a cent, meaning when the cruise was set to leave, it had to leave; when the engineers were off break, they had to go back to work; and we could not impact any passenger's experience. Prior to getting on the ship, we'd been told: we're having issues where our cruise line is going out to sea and it's stopping in the middle of the ocean, over and over again. We think it's an engine failure. What happens is we bring someone from the vendor to come on board, they fix the engine, we continue to float into the ocean, and the engine stops again. Because no one on the ship was aware of what the issue was and had no idea of cybersecurity, they kept attributing it to an engine problem, and this was costing them millions of dollars, because not only did they have to fly someone to meet the ship where it was, they had to stop the ship, they had to dock the ship, and then they had to do lots of things on that ship in order to ensure that the passengers were never impacted.

So what we were brought onto the cruise ship to do was, over three days and three ships, a full-blown assessment of all the systems on the ship. The only way we could do that was by interviewing every person who had any connection to the engine and gaining an understanding, in the background, of why they thought these incidents continued to happen. We took some time and went through some of the documentation, because they document who was on the engine, whether the captain was in the room, what had happened prior to the ship sailing. As a result of our assessment, which we presented to the CEO, Chief Procurement Officer, Chief Information Officer, the Chief Information Security Officer and various other executives, it turned out that they were being hacked remotely. The ship was being hacked remotely in certain parts of the ocean by people with smaller boats who were tracking the ship. We could only have found that out had we gone onto those ships, because you can imagine what they told us: there's no way anyone's able to get into our systems, because they're closed systems, there's no access. They assumed that all of their vendors were also trusted, so the vendors wouldn't be a risk to them. But we had determined from our assessment that not only was the system not closed, they had allowed a vendor to be monitoring, using IT technology, the operations of the engine, the fuel level, the amount of oxygen, managing how its maintenance was going, and that vendor had been breached and had not reported it to the cruise line.

Ultimately we got off the ships, we took that information, presented it to the board, and we were tasked with creating policies and also a baseline level of knowledge that everyone on the ships needed to know and all of the administration in the cruise line needed to know. This was across the globe: for this cruise line it was rolled out to 100 ships across the globe and translated into 40 different languages. The scale of this operation made me realize that the work I had been doing before, which really focused just on security awareness, definitely wasn't enough, because it wasn't enough for people on the ship to just be aware. Each person who had an impact on that business also needed to be aware, they needed to understand their specific responsibilities, they needed to be communicated with regularly, and they needed to be set up as frontline resources, because the security team was too small to react globally. So my idea was that we wanted to start to build out an offering that I call security culture at scale.

Why does it matter today? Well, it matters today because we're getting more and more connected to each other. More and more organizations, for their revenue, are relying directly on their third parties. So the conversation we're still traditionally having about this idea of first party, our company, and third party, their company: it's a lie, it doesn't exist. Some of the work I've done with really large aviation companies... think about companies, and we haven't worked with Boeing, but imagine we did fly here on Boeing. We haven't worked with Boeing, but imagine I were to tell you how many parts on the planes that we all fly on every day are actually provided by a third party. In the end, does it matter if the engine came from another company? Boeing is responsible, but don't you also want that partner to have some basic knowledge about how to keep that system safe? So it doesn't stop with just a company that I know I'm doing business with. It matters across the digital ecosystem that everything in that ecosystem can be trusted and is resilient.

One of the things that I found interesting, because I really, really, really hate to go to talks where people are talking about things very generically and not being specific about what the most important pieces are of what you need to know today and how it's relevant to the space in which you exist: for this I did some research. As an attorney, I can't help it. What I wanted to do was bring to the table the fact that nothing I'm saying here is actually new. The Cayman Islands Monetary Authority actually put these rules and guidelines in place for regulated entities well before I got here. Back in 20120 the Cayman Islands Monetary Authority proposed regulations that should be followed that would allow for four primary things: one, building a cyber-resilient workforce; two, ensuring that there was continuous adaptation for resilience. Their focus starts with cybersecurity, but if you read their guidance, it talks about keeping systems up.

Can anyone tell me the difference between when I say security and when I discuss resilience? What's the difference? Anyone want to give it a guess? I'm going to start pointing people out. I'll pick you. Yes, you. Cyber resilience versus cybersecurity. [audience response] I never heard, so I'm going to have you guess. To what end? For what purpose? [audience response] Oh, there you go. Security is the action; it's what you do in order to protect. Resilience is the outcome; it's what happens as a result of your security efforts.

So what I noticed with what CIMA wrote is that they were basically saying: we want everyone to focus not on the doing of the thing; we want people to focus on the outcomes. We want a more trusted workforce, we want more trusted systems, and if you think about what most of us are thinking about with regard to the Cayman Islands, we want people to trust our currency, and that can only be done if we focus less on the activities of security. Everyone here talks about an assessment, but I can tell in about 3 seconds the difference between a good assessment and a bad assessment. The good assessment tells you what they found, the problems, how to solve them, and they also propose the remediation. The great report ties it back to the business and talks about the impact. The bad one is a laundry list of what you did wrong: good luck. We have a lot of bad assessments that we see in this world. I don't know if you guys have read them; I read them to laugh sometimes. Why? Because they're not designed to solve the problem.

The problem is we are losing trust in our ability to do business online, and based on what the Cayman Islands Monetary Authority says, we should be holding the people at the top, our executives, responsible for that. Why? You cannot create a culture of resilience if you do not have buy-in at the very top of the organization. So: one, a trusted workforce; two, continuous adaptation; three, we want to make sure that the leaders of the organization are responsible and accountable when these things don't happen; and then four, we want to continuously adapt our risk and our threat efforts based on the business size, scale and reach.

I work with a lot of companies. I've worked with one company that started really, really small about four years ago. What we proposed to them then was tiny, because since then they've expanded. I'm based in the US; they've expanded into different states, they're now working with the federal government, they are now part of the utility industry's third-party ecosystem, part of their supply chain. If I proposed to them in 2024 what we proposed to them in 2020, they would fire us. And yet every day I come across companies that are getting the same kind of feedback, the same quality of material that they got years ago, because the auditors want to make it easy. So we can't rely on auditors to make us safe. If you watch some of the videos that I have online, sometimes I'm saying compliance is security, and compliance can be security, but resilience is the goal. You can start to make your company compliant, but you've got to end at the point where you can adapt and quickly recover. Your organizations aren't spending hundreds of thousands, or millions, of dollars in investment so that they can say they do security; they're spending it because they want to actually be able to demonstrate they're secure. And the problem is the only time you know that is when there's an incident, when there's a breach. So if the answer is we only know whether we're secure when an incident happens, then speed matters, then accuracy is everything.

And so I'm trying to motivate everyone here to really go back and look at: what is it that I am doing that is providing value for the people and the places that my efforts support? Because if I can't change your minds today, we will not be able to do the thing we all need to do. We've got to stop focusing on just doing the thing; we've got to start challenging what we even believe, so that we can get everyone to a place where we're all on the same page, have the same baseline of: we need to make this country, we've got to make our own countries and our companies, we've got to make them resilient. And that's a heavy lift. It's not what we're used to.

So as I was thinking about this, what I was looking for when I started to talk about resilience didn't exist. Every time I would go to someone, they would point me to NIST, or they'd be like, have you seen ISO? I'm actually part of the first NIST privacy team, so I'm very familiar with NIST, but what NIST does is make suggestions to you of what you should do. It doesn't say you must do these things; it says you can. It's a guideline, it isn't a mandate. What I wanted to do was say: if it were my job to help others become much more resilient, how would I go about that? There are a number of ways that I could go about that, but I think the primary place I would focus is on response, on incident response. How quickly can we save an organization if we knew that it was in danger and in harm's way? So I call it the IDRA framework. It aligns with all of the major frameworks, so you can use it, but it's this idea that we need to do a few things. One, we've got to anticipate and assess risks as quickly as possible, but in order to do that, we've got to prepare; we've got to be ready.

I talk to people all the time about the idea of firefighters. There are two examples of what I'm saying when I talk about resilience. Firefighters are trained to go into fires, to run to the bad, to run to the harm, and they spend years training for these few moments. So if you think about what resilience means, it means you need to be able to get the call, understand what the impact and the risk is, declare what the actual event is (is it a fire, is it a bomb, what's going on?), and you also need to be able to identify who are the people that need to know this information as quickly as possible. Then you also need to protect and maintain whatever systems you can. So when a firefighter goes on site, they're assessing these things really, really quickly. It's the same thing that happens in a cyber incident: you're assessing the harm really quickly. Is there someone in our crown, in our critical systems? What access do they have? What data are they accessing? Are they taking data out of the environment? Are they able to pivot and escalate into other systems? The IDRA framework says it's most important that you respond, but as quickly as possible, to minimize the impact and to ensure you can quickly recover.

We also want to talk a little bit about being able to talk, because we also separate security and privacy quite a bit. They're not separate: one is designed to protect the data and the other is to ensure that it's used for its proper purpose. Data that's stolen by hackers cannot be used for its proper intended purpose, because most people are not giving permission to a hacker to share it online or to use it for monetary gain. So we want to think about all of these things in split seconds; the quicker we can get at this, the more we can make our organizations resilient.

So I talked about this idea of preparedness in responding, but I also want to talk about mitigation, right? How are we reducing the impact of the breach? How do we quickly get in, how do we quickly get out, and how do we ensure that all of the stakeholders in your organizations are ready and able to also act as frontline defense in their roles? That can't happen while you're at the side of the fire, while the incident is going on. You've got to spend a lot of time talking to people, making sure they understand what they need to do, how they need to do it, and where you will communicate it. We also want to talk a lot about post-incident analysis. So when the incident happens, what do we do after it happens? Are we talking to the team, doing post-mortems? Are we building what we've learned into future efforts? Are we doing more training? It's so important that this becomes a life cycle. We want to go from preparedness to mitigation to the response to recovery of systems and then return to normal operations.

When I was talking to the CEO of a major, I would say fast-growth, tech company, I was asking him what he thought his value proposition was: what did he believe was the thing that they did most importantly and differently than anyone else? His answer was that "we protect our customers before they know to protect themselves." Think about that business as a promise, and then you have a breach, and then you don't protect your customers. So he's not worried about security; he's worried about being aligned with what he's promising his customers. That's what they're willing to spend the millions on: that they can protect the brand, protect the reputation. So breaches that we consider to be tiny have huge monetary impact, and we're seeing it happen over and over and over again, and we're not seeing that reduced. What we're also noticing is that companies are connecting more and more, so the only suggestion I have is everyone needs to better protect themselves, and by doing so they can protect their entire ecosystem. It's this idea of trust: that I'm doing the right thing because I understand my relationships to the other people that I work with, and I trust that they're also doing what they need to do. So when I talk about digital trust, we're all working together for the outcome of better companies, but also better economies, better ecosystems.

I'm always trying to round it up, because when I'm talking to the business leaders, they're often so confused about what we do, and they'll say, "Juliet, we spend so much money, we don't even know what we're spending it on." So what are we seeing over and over again? Companies are laying off their entire security teams. We're seeing them outsource whole capabilities in the security department. But what they don't understand is that when you don't invest in yourself, you don't invest in the response, you're going to get exactly what it is you put in: garbage in, garbage out. So what I think is also important is that we talk about this idea of trust being a team sport, and you can hear me talk about all the various stakeholders that are part of this. It's not something any one person can do alone. All of these people that you see listed: I want you guys to kind of figure out if any of these roles exist in your company today. Are you seeing a resilience leader? I've seen more cyber resilience leaders hired in the last year than I've seen in a very long time. I've also seen this idea of process owners, people who own a process in an organization. Why does it matter if we secure a process rather than a technology? Does anyone know? What about it?

it thank you that's exactly it we can be technologists if we'd like but we're actually securing processes and if you think about process security which doesn't exist but if you think about the importance of securing a process all the technologies that impact that process are important for us it's a chain when I talk about a process I'm talking about let's say receiving revenue from customers the the the critical system that every company I know is talking about now was protecting Salesforce right protecting their member portals they're looking to protect ways in which they get paid protecting invoicing systems those are processes and technologies that support Revenue so even if we were to step back and think

about resilience if we were just to move from technology to process we would already be going half the way we don't want to individually think about systems we want to think about how those systems impact the process and how the process impacts the entire company and how that company manages itself we also want to think about this idea of resilience in action as I mentioned each of the five phases have specific details in each of them in fact I removed it because I didn't want to overwhelm with too much information but if anyone wants to get more of this information I have the full deck for you in each of these phases we're a ble to see like an investigate

the idea of investigate involves several people one it's whoever the resilience leader is or the ceso it also is the person most likely to be monitoring the systems at the time does everyone here have a company with Sim s anyone familiar with Sim and SAR yes put your hand up I can't is anyone who doesn't have SIM and s in their organization the smaller ones how many people here are part of really large organizations put your hands up midsize small business ah okay um federal government or state local government okay that's a good that gives me a good sense out of the five phases are any of you responsible for any of these phases as a part of your

job which which phase all of them what's your role really okay great and so you help other companies perfect who else has anyone seen anything like this in terms of the the the phases themselves is there anything else you're using that's similar no is there anything missing is anything you're hearing that maybe I haven't considered that you've thought of because I know we we're all in this and doing this work is any is there another phase that should be added that is not included here the review and the improvements that would be in the adapt phase but you're

right it's ad that's an adapt so are are are would you say that your organizations are good at the adapt yeah talk to me what do you guys do at the adapt stage at your company you can't share anything God I would pick somebody who can't share got it anybody else oh sorry is what oh talk to me about that

how how are you addressing that in your organization

today so where would you fit that as a phase in

this right so ownership is this idea of what like delegating responsibilities to individual people and having them own specific Parts okay and would you say let me see so before you could respond in phase three you would have to have people owning their particular roles yep owning them great all right who if you could decide would be part of your response what inside your teams who would you say are the best people prepared to respond I would say most most likely leaders the individuals that are responsible for creating an environment where the organization should strive so leaders would be the individuals that would own the risk or own the problem are you finding that they typically are the ones who don't

want to own it most likely because it comes it's very daunting it's very scary if they can't identify or can't solve the problem got it so there is hesitance got it or there will be some hesitance should I say got it okay can an organization be resilient if the leaders don't own the

responsibility you understand the question U not not really because leaders and being in position and constantly being in a phe where things are evolving and adapting I think as Leaders we need to go with the the trend we need to educate ourself and we need to be constantly evolving yes so in order for us to be resilient we need to go with where the technology is going yes that's great point it it l what you're saying definitely aligns with what why this by this particular framework exist is because trying to build that into a process I like this idea of ownership and maybe building the ownership piece out of the declare would actually extend some of what it is that

I'm saying here but that's that's a great feedback so to go back really quickly so if we talk about each of the phases individually one when we think about phase one investigate we want to determine the impact we want to look at the risk levels and we want to identify the stakeholders we don't delegate yet we just want to know who we're supposed to be talking to so we want to proactively seek out what the primary risks are in the environment we also want to start to think about deep threat analysis what is it that we need to look at how do we need to look at it are we using what ttps are being used what

vectors are they thinking about all of this has to happen in Split seconds because I think sometimes when I speak people think when I say resilience I mean this very flowery language I mean forensics needs to be done too I mean we need to have whatever not penetration testers but we need offensive security so nothing in what I'm suggesting is not about security itself but what it's saying is in this phase resilience looks like all of these things not some of these things we also want to talk then about declare and the reason why I thought declare was important is because a lot of times you know in organizations when when there is an attack people are

trying to hide it no one's stating very clearly we're having an an incident and as a lawyer I'll be honest um I sometimes advise clients not to publicly state it depends on a lot of different things that they should consider but it's also really important when you're declaring an incident that people know to stop talking to stop telling people outside the organization amongst themselves because often times when fines are levied and when people come back and create liability it's because of what was said during the incident but you need a trigger point that says we are now formally in incident and these are the things we're now asking everyone to do we also want to look at so phase

three I think is one of the first and most important um phases it it really is about ensuring at this point that's how you can tell your posture so whatever your security posture Reports say whatever assessments you're doing if you don't respond better every single incident you're not becoming more resilient if you have a breach one year and then the next year you have a minor incident and your response times aren't different and in alignment you're actually not getting better and that's what this is all about so we want to for um talk a little bit about Cayman Islands because recently um there was an incident I believe in February of this year and in everything that I read

because I was not personally involved the nature of the response was fantastic considering what had happened immediately based on Cayman Allens they notified the public they did things where they um they communicated to some of the entities and governments so the US government the British government and a lot of the steps taken were done publicly and within a month or two they were able to address they're still addressing but the primary pieces of the response were addressed within 2 months I'm from Columbus Ohio I live there not with my family but I'm originally from Brooklyn New York so I'll never be in ohioan just want to say that I'm also my family's Nigerian um but we my my city had an attack in July

70% of their systems are still down the mayor is publicly declaring every week that they're near a point where the system cities are back up and they have not been able to bring those systems back up up they've been investing in security for years and during the attack access to basic systems were down companies that did business with the government were unable to be paid uh the city of Columbus was unable to complete contracts that they had in systems I got a you know two Monon uh subscription to experion thankfully I don't I don't even know what they why they give that out but essentially people like me had our data stolen the notifications that the data

was stolen didn't go out for 30 days and the worst part there was a city government employee who noted some of the ways that the government was trying not to publish this information and they brought charges against him it is in fact one of the worst responses to an incident I have ever seen and it's a city that shares my data so of course I'm taking it pretty personally so when we talk about the difference between resilience and security you can invest millions of dollars for years but if you have an attack that takes your city down for four to five months and the most you can get to is 70% back online you're not resilient and then

there's no argument about it they can't argue because it's very clear that response was out of alignment with the risk that they posed and their importance to various people who use their services so that's why I want us to kind of move this along because you can imagine that I don't trust the city of Columbus with my data anymore I won't be moving unfortunately but you know right so response is always so important I like to talk a lot about recover too because some of the questions I want people to think about if they're thinking about resiliences what systems do we need to get up and what I loved about the Cayman Islands monetary authorities guidelines

you need to measure and recover three metrics maximum tolerable downtime how long can our systems be down recovery Point At what point can we get our systems back up to so those backups become really really important at what point so is it 24 hours of data is it data that we sto stored over the last year you've got to determine what your RPO is and that and and that guidelines expressly States how to use that information and defines it but it also talks about um your RTO so your recovery time how long can you be how long can you be down your systems be down each of your systems needs an RTO in resilience so if you if Salesforce is

critical to your organization some companies if Salesforce is down more than 6 hours they will go out of business if they're if they're M maximum tolerable downtime some companies if they're down fully as a company with all the processes or most of the processes unable to deliver for more than two three weeks they will go bankrupt 60% of small businesses that have a cyber secur breach go bankrupt within 6 months so it's why I really really really want to caution us to not talk about security about resilience and even operational resilience because if it cannot operate it cannot be secure so if you have a really safe Salesforce that no one can access who cares right so it this so I I like to

think about security as a business imperative. This is important in order to ensure the business runs. Business continuity means that we're continuing to do business regardless of the impact of a hack, a threat, or any harm that we did not foresee. Adapt: adapt is what separates security from resilience, so we want to spend time here. Cyber security is a moving target. We all know that; we hear it all the time. But how do we begin to embrace constant change? Nothing changes or stops because we're securing it. When the CEO told me that they wanted us to help them but I could not cost them a cent, I realized that his focus was on

resilience and not on security. We had to do it in three days, and we had to build the entire program within eight months, and there was no waffling. He was very clear: it cannot cost us anything. They paid us, but it couldn't cost them business. So adapting meant the next time they had an incident, which they did of course, they were quickly able to identify what that incident was, they were quickly able to have the people who were working on those systems tell the captain what they thought the problem was, and more importantly, they recovered their systems as quickly as possible. One thing I didn't mention, in the Adapt stage, in the

Recover stage: you sometimes need to identify alternate physical sites to bring the company back up again. If you imagine there's a breach, but it is impacting physical systems, you may need to move all your people and systems to another physical location. So it's pulling together privacy, trust; we're talking about physical security. We think of all of this as being so separate, but once we talk about resilience, it all matters, and it all has to be done correctly for it to work properly. We also want to talk about continuous improvement, because it doesn't matter where we are today or what we can invest today, as long as the goal is to keep improving. I will tell you,

most regulatory bodies will give you a little bit of leeway if they can see that you're better than you were and you have plans to do better than you were. So think about that the next time you're going into an audit: if you don't have something already prepared, or if you've done something you never finished, you want to ask for leeway if you can demonstrate continuous improvement. We're better than we were, we understand the risk, and we're putting a plan together for the future. That is what resilience is. So a culture of resilience for me means, and I like the gentleman's conversation about ownership culture, a culture of

resilience means that from the bottom to the top of the organization, every person is critical to the ability of the company to recover and to adapt, and everyone owns that their piece is critical to the operation of whatever security results or initiatives we want to happen. I started to talk about culture rather than awareness because I know a lot of people who are aware but don't care a ton. Can you imagine making them watch a video and then telling them to save the company during an incident? Who's watched a video where they could, you know, build a car? Who's ever watched a video that allowed you to go out and do surgery on people?

Why are we doing videos and telling people that they should be more cyber-aware? We're actually still in Cyber Security Awareness Month. I'm hoping that we'll one day call it something else, because we're still thinking people don't know, but the truth is people know and they don't care. So the question of resilience is: how do we make people care? How do we get people more engaged? What do we do and say to communicate the importance and have them align it with their own personal motivations? Culture is what people do when the security team is not watching. Culture always exists, by the way. Your culture

today is either resilient or it's not, but it isn't resilient or not resilient because you know it. What people are doing when you're not watching them is really your true culture. So I like to tell people that I've raised great children, and the way I know I've done it is when my kids go to someone else's house and they tell me I have good children. We've got to stop telling ourselves we're great, giving ourselves awards, when a lot of the time we know that if not for monitoring systems, people would be doing all kinds of crazy things. We're not even building digitally native, digitally knowing children. Our

children know how to use tablets, but do they know how to stay safe online? Do they know how to spot someone who isn't of the right age or has an untoward purpose in speaking to them? Do they know what it means to be socially engineered? Resilience starts when we're young. I grew up in New York City, in Brooklyn, and there's this really funny commercial: it's like A Tree Grows in Brooklyn. Just one. Just one tree grows in Brooklyn, New York. But what I can tell you that New York teaches you when you grow up there is, one, you don't get really attached to trees because there's only one, but then two, I can go anywhere in the world and

survive, because the very nature and culture of New York is about survival. There are 8 million people and they all want to ride the same train into Manhattan at 8:00 a.m., so you're either going to get on the train or you're not. What I've learned is every part of the world requires a different part of me as a New Yorker, and that's what the Cayman Islands Monetary Authority is teaching us: our culture requires us to adapt to every new scenario, place, risk, and impact that we confront, because we're not going to be standing still. Every time we go into a new place, our business grows into a new geographic market, we expand a

new customer line, we roll out a new product, our idea of what it means to be resilient has to change. We can't just keep doing the same thing we've always done, because the way in which we're interacting and connecting has changed. So how do we deliver security on the go in that way? How do we make security so that it is able to bob and weave with the company? Because a lot of times we're quick to say no when the answer is yes, and if we say no to the business, we're saying no to wanting to be paid in the future. So culture means the business gets its way and they allow us to build

defenses that are dynamic, adjusting, adaptive. So culture is not this very amorphous thing. It really is important that we talk about how culture drives behavior, how security is like psychology, which is one of the most critical things we can do to build a better security organization, and how workforce enablement, making other people responsible for security, getting them to own it, is actually much more important and is a force multiplier compared to hiring hundreds of security people. Despite $50 million spent by Jamie Dimon at JP Morgan Chase in 2014, they've had several breaches since. It's not for a lack of investment; they're putting the money forth. But are they more

resilient? I think that's for them to know, because the breaches are not going to stop, the attackers are not going to stop coming after them, but they've got to change how they navigate themselves, how they move, how they operate. I put this up because, honestly, I like to think about all the ways in which, in this world now, we are bound. So when I talk about this idea of cyber resilience, it really is about trust-driven innovation. We do not have the technology now to do what I'm saying; a lot of what we're doing now has to be manual, because the industry now is built on

individual vendors selling us individual technologies that don't always talk to each other. But we're not going to get less and less connected to each other, so we've got to figure this out. So I want to provide a call to action. I want you all to keep in mind that trust remains the foundation of progress in our digital world, and we've got to invest in it today. Invest in resilience today in order to secure the Cayman Islands for tomorrow. It means that as we're sitting here today, we want to think about what it is that we're, like I said, bringing of value today, but we've also got to think about where we think this country and our countries are going.

Resilience requires that we be adapting to tomorrow as well. I want to also drive everyone to think about, when they leave here: what is it that I could do today to automate everything I'm doing, to scale it? Because we're seeing AI, and look, this idea of AI taking your jobs, we don't have to worry about it at our level. What AI really requires is that we all go up to the next level. I like to think of it as a room that water gets into. AI is going to be doing the minutiae, the repetitive tactics, those things that we really should be doing

automated anyway. It requires that we move to more strategic thinking, more dynamic thinking, more human thinking, because what AI will never be is human. So one of the solutions to this problem is AI, but one of the risks and threats to this problem is AI, because it also has its own security risk. What I'm saying is we've got to think today about how we can incorporate tomorrow's technologies in order to make a lot of this work the way we want it to work. Thank

you. Oh, no questions? Sorry, I've got about eight minutes. Someone's got to have a question. Great.

What's your name again? What's my name? Oh, it's my daughter. Mom, thank you. Any other questions?

Jules, you know I'm a huge fan, I'm a big Jules fangirl. I do love this concept of culture, and I want to share a definition I have for you that you can improve on, because I think you can make this definition better. My definition of culture, and understand I come from a knowledge strategy, knowledge management background, that means any time you hear aligning people, processes, and technology, that specifically is knowledge management. How I define culture is what we know as individuals plus how we share it with each other, and then how we

hold each other accountable for not keeping the social contract that we have. Right, I love it. So when you think about culture, it's this really big concept, but I think you can simplify it. I know that Jules can make that better. I will go to it. All right, any more questions for Jules?

Thanks. Sure, sure. All right, you were just talking about resilience, right, to make sure nothing bad happens. I was thinking, what if you do have complicated situations, like what you were saying? Suppose you are even friends with a person, right, and they know they're not supposed to bring their USB to work, and you are the boss, right,

and suppose they complain to you, like, no, I paid for this USB, and they constantly bug you about it, like, come on, I paid my money for this USB, you didn't provide it, and they constantly breach your security, and you feel like if you do tell them no, they're going to get fired, right? How do people deal with dangerous situations like that?

I love that. So the old guard would tell you to show them a policy, which, don't do that, please, it doesn't work. There are a few ways that I would think about that. So first, the question always is: what do you believe your responsibility is? Is it to

this person, or is it to the company? Because if you think about that, then you understand the answer very quickly. If someone is deliberately doing something that you're aware of and that you're not addressing because you don't want to make them get fired, then they should fire you, right? In fact, in law and in law enforcement, you'd be both an enabler and an accomplice. I don't know that I want to go to that extent, but I want each person to own their own responsibility and their own set of principles, because then you don't have the questions, right? I work with a number of companies, and a lot of my

clients are my friends. They'll do things that I know are wrong, and I set my line: here's where I will not go with you, right? So you have an opportunity to put this USB away and we can just forget it, because there's no impact, but if it happens again I'm going to have to report you. And you've got to make a decision that you're okay with that first, because the truth is, if you're not, you're in the wrong job, right? Okay, excellent. Oh, thank you.

Hi, it's Jules, right? It's Jules. Jules, your presentation was absolutely fantastic, I thoroughly enjoyed it. Thank you. But I want to touch on something: you asked a question, and

I thought you were going to answer the question, because I wrote something here as a response, but I think you kind of skipped over it, where you talked about whether everything should have an owner, or something to that effect. You didn't actually answer it, and I scribbled here, because your framework, IDRRA, yes, is very similar to some of the others that are out there. I like yours, actually, but it's very similar. And when you asked about the owners, I made a scribble here that in my world, and how I see it, all processes should have owners, and those owners should be

established ahead of time. Yes. Because you don't want to be making those decisions and determinations when you're in a crisis trying to deal with a cyber incident. So you're nodding your head, saying that that's, because I didn't actually hear you say so, are you saying that that's why all the processes should have owners pre-assigned?

Yes. So we have to do a business impact analysis before. That's exactly it, so that we understand our landscape. When I started my practice, one of the big gaps that I saw was that security is very heavily focused on the technology, and then the business was focused on the

business systems, and yet security was responsible for protecting business systems. One of the things that I've done as a part of our practice at my company is we do a BIA immediately, or we review the BIA, because we can't figure out what your crown jewels are and where to pull the most resources if we don't know what your critical processes are. Today there is no platform that actually maps that out automatically, because the purposes it is being done for are not aligned with "I want to know who owns the process and all the technology that aligns with that process." That doesn't exist yet. So yes, every process should have an owner. In

addition, every process owner should be trained on what to do if their process is ever breached or impacted, to your point. Sure.

I hope I'm not stealing the gentleman's thunder, but great presentation, and awesome question, because I want to connect the dots to that, what I call the pretext of social engineering. Take a guess, if you recall a previous thing on social engineering steps: what do you think the next thing the guy's going to ask you to do is, right? You need to walk this USB stick out the door, and you're already in for a penny, in for a pound with me. No? Because, like, for business email compromise, they're almost always looking to find through LinkedIn what your role is and who you're likely connected to, and then they assume what

processes you would also be willing to approve. So I get emails as CEO all the time that go, "I'm looking to change my banking account," and it's funny, because I don't own that process, so every time it comes I know it's someone trying.

Being recruited, yes, exactly. So to your point, that's actually good to think about: how to train on social engineering based on your role in the process that you own. Sure.

All right, so I get the honor of the last question. I believe you do. So you talked about the importance of regulations, in particular in relation to resilience. What's your view on having punitive measures for failing to reach

those? Should it be the carrot or should it be the stick?

Ooh. So unfortunately, as a lawyer and as a culture person, the answer is it depends. But what I'll say is, culturally, I find banks and financial institutions prefer the stick, and it's because when a process has failed or when someone doesn't do their job, the impact is so immediate that negative motivation works better than "hey, you know, we'd love for you to help us over here," right? But I often find tech companies use the carrot, because they're very much about their culture and collaboration, and being punitive impacts the ability of the organization to work the way it wants to

work. So I think it really is about the culture. I will also tell you, you need to set a corrective action plan. The corrective action plan says: first time, we're just going to give you a slap on the wrist; the second time, we're going to take it to your management or something; and then some companies go to third time, fired, right, three strikes and you're out. But other companies go, at that next stage you're going to have something that impacts the way you do your job so that you understand what needs to happen. Those things need to be communicated when people are onboarding or as a regular part of how the organization

runs. But I don't think that there's one way to do it; it depends on the organization. And actually, it's a stick for executives, it's a stick for people who have privileged access, and it's also a stick for anyone in the organization that has access to any kind of intellectual property or sensitive data. They should know that as a part of their job. Okay, did I answer that? Yes. Okay, thank you all so much.