
Just a little bit on the format today: we're going to try polling, just because we want to make sure that you guys are engaged and that we listen to what you want to hear about. What we'll also do is take probably the last 30 to 45 minutes, depending on how it goes, where we just open it up. We had a lot of success with that last year, so we wanted to have an open conversation. You guys have audio back there? Good.

So on the polling, just a quick instruction. You'll see the question up there. What you should do is either use your phone and go to that website (you shouldn't have to register; it might ask for a name, but I think you can skip it), or you can just send a text. I was testing this yesterday and the text works just fine. If that becomes too difficult, we'll just go straight to "raise your hand" and make it easy.

But first, before we do any of that, I'm Christina J. I've had the pleasure and privilege of getting to host the last couple of years; before that Mark was hosting and I got to be on his panel. So this is my third year.
Exactly, third year. Besides, this is a great event, right, because it's something that we put on. It's not flashy, but it's a great way for us to get together as a community, collaborate, and learn from each other. Thanks again to all of you for coming out. Give yourselves a hand. It's not easy to take a day on Saturday and go to a conference, whether it's fun or not; it's appreciated that you're spending the time.

So my background: I'm a CIO at a company called KIK Custom Products. It's one of those names you wouldn't know, but if you go to the store and buy Comet cleaner, or if you need antifreeze and buy Prestone, those are some of our products. We're the largest private label manufacturer in North America. Before that I was a CISO four times. I got my career started at Walmart way back in the day. Their security program: I grew up thinking that was how all companies wanted to administer a security program, and I learned a lot after I left there. Then I was CISO for a company called QuikTrip; if you're in Atlanta or North Carolina you'd recognize the big QT signs. Midwest is what I call it. Then I had some time at Catalina Marketing, and then SPS Commerce, and now, some people say, I've gone to the dark side.

So with that being said, let me introduce the real stars, the panel here. You guys want to go ahead and introduce yourselves? I would say introduce yourself and then name one thing, the reason...
I can. Hello, hello. All right, so: Larry Whiteside Jr. I'm currently the CISO of RegScale. RegScale is a continuous controls monitoring platform. I've been a seven-time CISO; as I think about this, it's been a long, long time in a lot of different industries: healthcare, energy, financial services, you name it, consulting. It's been a fun journey, not sure how much fun it is now with the risk to the role, but the thing I like about being the CISO, honestly, if I really thought about it, is seeing the big picture and how I get to translate business into security. That translation is fun.
Right, when I think about what we're trying to protect, what we're trying to do for the organization, they really can't think...

I'm Andrew Gada. I've been doing this since I had a full head of hair, so that's more years than I'd like to admit. Actually, we're on the same... yeah, mine's on purpose. Mine's on purpose too. I'm 35-ish years of doing this; this is my first real job. I'm the global CISO for Primo Water Corporation here in town; you know us as Crystal Springs. Up until 12/29 of last year we were in 22 countries. We have divested our European and Israeli businesses, most of them, so now I'm a global CISO with a couple of countries instead of 20-some-odd. Most of my career has been in consulting in some way, shape or form. I moved to the dark side, for clarity, coming over to be a CISO four and a half years ago. What do I like about being a CISO? Yeah, I'm sure there's something. No, honestly, what I like about being a CISO is having the opportunity to interact with my peers in this community. I've had the luxury of being in this community for almost 30 years; I can't imagine being any place else. Most of us know each other in some way, shape or form, and we're still willing to be on the panel.

Well, they're clearly poor judges of character, because they saw my name first and still accepted this opportunity. So that's me, Kyle Ready. I work for a company of restaurants, Bloomin' Brands. It may not be the most recognizable name until I say Outback; we've got Carrabba's, Fleming's, and then we have a small little startup that we're trying out, Aussie Grill by Outback, kind of our most recent one. We have franchises around the world; we have a large presence in Brazil. I was there last week visiting with the team. My background: I was in for 21 years, started out enlisted, commissioned as what we call a Chief Warrant Officer, stayed in IT, but really had the opportunity to go from IT to cybersecurity, all the way up through... the last tour was here in Tampa, still doing offensive cyber ops against really bad people in really bad places in the world that I can't tell you about, but it was really cool, just trust me. A lot of fun. I guess what do I like? I think it's kind of a combination of the two, not to just take their answers and give them right back, but really the business doesn't understand cybersecurity at all. It's like trying to teach it to fifth graders, in a way, but at a much more professional level, obviously, because they are intelligent people; they just don't understand cybersecurity. They're focused on business, focused on financials, focused on a lot of other things. Cybersecurity might as well... but how do we integrate solutions and interactions with our guests, our customers, to support the business and do it securely? That's what I find interesting, and taking those strategic-level requirements and translating them down to operational and tactical, not to sound too military, but that's really what it is about.

Thank you for your service. Thank you, thank you.
Can you hear me now? Yeah, okay. I'm BR hman. I'm the CISO at American Century Investments. They're lying to you: they all like the free alcohol that we get, and ever since COVID it gets shipped to our house now, so we don't even have to interact with them. So that's the number one reason for being the... It has done some work, yes: I have never had so many gifts from my neighbors; now they like me. But yeah, I've been a CISO for the past 10 years at a couple of different financial companies; before that I was at the FBI, on the other side of the cyber game. But I think the coolest part of this job right now is I see it changing a lot, in what our role is, but also the talent that we're bringing in now. I think when I started there was no expectation that... you know, I can't even meet it today, I never could meet it, but you had a litany of expertise on a piece of paper that they wanted to see, and now I see us expanding what we're going to be looking for, and not necessarily hung up on the computer science degree, but if you get someone in here who can critically think and work hard and stays up to date on that stuff... The entire landscape of our peers is changing, the people that we work with are changing, and then how we work with the business is changing. So, pretty cool.

Right. I'm Dave Summit. This is my fourth BSides CISO panel; every one of them we had such a good time with, and I'm hoping this is going to be another one of those good ones. So a little bit about me: most of my career was with the DoD, the Defense Department, Navy. Did that for 21 years, went off outside of that and did some consulting work, decided I didn't like consulting work, and then entered healthcare. So for the last 14 years I've been basically doing healthcare security, which was a huge culture shock going from DoD structured stuff; huge difference. But what do I like about being a CISO? I've had the title of CISO now for about 10 years, in at least four different organizations. I guess the biggest thing I would say that I like about the CISO position is I get to see and do a lot of things in a lot of different areas. And some of my team members have called me older than dirt; they probably thought I knew Moses. With that being said, even though I've got 40 years of experience in technology, I can tell you as a CISO, having team members on my team, the teams that I've built, there's not a day that goes by that I don't learn something from my team members. That's exactly why I like being a CISO, because I'm not the type of leader that will bring you in and tell you what you need to do. I'm bringing you in because you have some expertise that I need, and when I do that I'm listening to what you're telling me, and with the technology changes that are going on so rapidly, that's the only way I can stay current. So that's the biggest thing I enjoy: that people side of the CISO gig.

Hi, I'm Kate Mullen, and I actually started in accounting and budget, and then audit, and then I went to IT, and in my journey... by the way, I'm going to apologize: I found accounting incredibly boring, I found budget all about... actually, I liked it a lot, but, oh, I liked audit because you could opine, so I was very opinionated; that hasn't gone away. And then I liked audit because I got to tell people "this is broken," but I couldn't make people fix it, so then I went into IT so I could fix it, but it turned out IT didn't really want to fix it, because they only wanted to do the availability stuff. So then I went to security, and I love it. By the way, I have worked with, and it's been my pleasure to work with, a whole bunch of people that are on this panel. Hi, Andrew. I get to speak internationally; I don't know why people want to listen to me. Mark and I speak at some of the same conferences. By the way, he's got a podcast you should listen to. Yeah, plugging. What happens is the people in the information security community are phenomenal, and the other thing is that I learn so much, because it is changing all the time. In so many other professions it's really boring; cybersecurity is not. But it is translation, and that's what I love. I love the fact that I am translating business to IT, and I am translating IT and security to business, because what we do is all about the business, and we lose perspective on that. So there is a thing called a TISO, a technical information security officer, and then there are CISOs, and the people you're talking to right now, we're CISOs. We're looking at the business and what's important about the business.

Well, thank you. My name is G Mark Hardy, and I'm the host of CISO Tradecraft. If you haven't heard the podcast, go follow us on LinkedIn or go into your podcast app, and I'm plugging it; I'm not making money when you listen. Yeah, got it, but everybody went "oh." For the last 175 weeks I have pushed out a weekly podcast episode to provide you with the information, knowledge and wisdom to be a more effective cybersecurity leader. Okay, so where you are now is probably more important than where you were. I had 30 years of misspent youth in uniform as a naval officer, 10 years as a principal instructor at SANS; now I'm doing the podcast thing, plus I work as a CISO for a couple of companies, where you can see I have the bat phone alongside my regular phone in case something blows up. The thing I love about being a CISO is tied back to what I wrote 20 years ago, G Mark's corollary to Moore's law: half of what you know about security will be obsolete in 18 months. If you think about it, 18 months ago I don't think any of us were playing with generative AI the way it is now; 18 months from now all those Windows 10 boxes you're supporting are deprecated and no longer supported by Microsoft. So you've got to invest yourself into continuous education, continuous learning, to be effective in your job, and as a CISO you get to not only learn a lot, but then you get to impart that knowledge to the business decision makers as well as influence your team to help them with their career growth and career development. That's what I find satisfying about the job. Thank you.

So can I say something real quick? I need to balance this out. I've heard Navy a couple of times; Air Force is represented in the... former Air Force officer, we won't talk about that. Real quick, and I'm a US Naval brat.
Sorry, just wanted to say we're saving the best for last: my co-host here, that I forgot to introduce as a co-host, so now I'm trying to make it up to him. Anyway, thanks. My name is Jim Buy. I'm the CISO right now at Tampa General Hospital, director of cyber ops at Moffitt after Dave left, and I started in law enforcement; that's where my professional cybersecurity career happened, and I went ... for a while. So my job today, I think, is to keep these guys going. See that? See that? The SEC is already coming after you, bro. What about the panelists, right? We've got some really great panelists; give them a hand.
I was listening to him talk and I was like, I think we've got about every industry covered. We might be missing one or two, but you're going to get a lot of wisdom and learnings, and we'll learn from you too. So with that being said, let's go ahead and do our first question. It looks like a lot of you maybe have already responded. The question is: what do you think is the biggest challenge in cybersecurity today? A, evolving threat landscape; B, lack of skilled professionals; C, AI; D, budget constraints. If you haven't already, either join by the web and then put in your answer, or join by text. I can vote twice? I thought I set it up where you couldn't vote twice, but maybe you can. And we will, maybe, click on responses.

All right, so evolving threat landscape looks like that is our winner.
All right, crew, so evolving threat landscape is what they've identified as the biggest cyber challenge today. How do you suggest organizations handle this effectively? Who wants to go first? Do you have a mic that works? I'm sorry.

Always the contrarian: I don't think it's really evolving. I think the threat actors are the same, I think our fundamental problems are the same, and I think we need to address them in the fundamental ways. And by the way, the one we always ignore is business email compromise, and there's like no IT solution for that.

Well, I'm going to say something different but similar. I don't think business email compromise, but I do think we haven't gotten the basics right. So yes, the threat landscape is evolving, but they're taking advantage of the same things that we've been failing at forever. How many people here know every system that they have inside their organization? They've got it categorized, they've got it labeled, they... right, no. Okay, how long have we been talking about that? I've been doing this for 30 years, so I know Dave and I have been talking about this for 30, so we still haven't gotten that done, right? Okay, great. Identities: identity and access management. Who here thinks they've gotten identity and access management right across their tech ecosystem? Oh, no. We're all failing that. That's a basic fundamental: know what you have, know who has access to it. Okay, third: data. Now we've had an expanding data landscape with data lakes and more and more data. Great, got it. Anybody categorize their data? No. So we're failing at the three fundamental things that we are supposed to do as a technology ecosystem. It's not about the threat landscape changing; it's that we've never gotten good at the basic things. If you're raising children and never taught them to walk, you can't expect them to be track stars. That is the issue, right?

So I agree with what he's saying. The evolving landscape, right, it's just they're faster to exploit and take advantage of our mistakes. But why, why do you think the evolving threat landscape is a threat? Because I don't hire... I work in cybersecurity, right? In front of me, that's all I work. The threat landscape, we look at the threat actors; are the threat actors themselves evolving? ...be anything... businesses are not doing the fundamentals. No, no, I... correct. Yeah, yeah, what I'm asking is: you're saying that the threat landscape is... but if you think about it, the threat landscape is primarily they're using technologies; the technology that they have that they can use against you is evolving at a much more rapid rate, right, to exploit the same things. So that's how I would look at it right now, right? If you're still bringing it back to what's the risk to the company, and each company has a different level of risk, but for this group, and I'm not putting yours down, I mean the bulk of you still feel that the evolving threat landscape is there. We have an opinion on how we look at that, but you're looking at it a different way, so I'd like to know about that.

So for instance, we were just talking in one of the other talks about phishing. Phishing used to be very easy to spot because... now I get it, it's the same exact thing, but we're talking about being able to spin up a website in an hour that would typosquat a specific thing that I'm responding to, versus days and multiple people. So it is the same problem, but exp...

That's a great example, except I will say on that one specific example, because social engineering, that's my challenge, okay? What happens is it was actually intentional to use poor English, because basically if you can catch somebody with a poor-English phish, it tells a lot about the exploitability of that individual. So what happens is those really perfected phishes, those tend to be the ones that you want to use for targeted individuals. And yes, we can use AI to find some of this stuff now, so AI is detecting some of the phish. So the technology... but you actually have to go and look at the psychology of the individuals that are doing the social engineering. Thank you. You were going to say something?
I would say they're not necessarily not, but everybody is so busy, simply not paying attention. So I would challenge that everybody that's in any kind of leadership role here has put in some type of cybersecurity awareness training. They go through the training, they know what they're supposed to do, they just don't do it. Let me say this: how many phish education programs... I almost did once, except my IT guy flew through. Why'd you do that? You know, now you're sure...

I think when you start talking about phishing and, you know, the evolving landscape, again, we already can almost predict what the landscape is going to look like the following year. What I see is the phishing attacks were coming directly into, you know, our internal customers; now they're coming from our external customers. So they're pivoting from external vendors, partners, and our customers, and that's where the trust between the internal customer and the external customer is, and those are hard to fight. But again, our tools are evolving to catch that too.

I'm going to go back to what Larry was saying, because, for those of you who know me, the biggest area that I think we've always had a problem in is fundamentals; it's basics. For an organization to continually be told they need to be doing something, or the answer is we go out and we buy new tools and new state-of-the-art software pieces, and here's the box that's going to fix this, or here's my promise that you're not going to have this problem anymore: all that is fluff, and we have a tendency to bring in tools when we're not fixing the fundamental foundations of our cybersecurity. That's really where the basic problem is, and I think that's been the biggest challenge for me going into any organization. The very first thing I look at is what fundamentally do you have deployed that is not working, and the fundamentals that are missing, and more often than not I find a lot of stuff that's missing out of an organization at the fundamental level, and yet we're spending a lot of money on bringing in new stuff to try to fix things that can be fixed at the foundation. I think that's one of the biggest things.

Budget up here was one of the items up there. Budget is not a cybersecurity challenge. Whether you've got the budget or not, cybersecurity issues are there and they're going to continue to be there. So the difference is what I have to do as a CISO and a leader is educate enough of the people that make those decisions to buy the right things to put into place. That's where my challenge as a CISO comes in, at the budget level. That is not a challenge for my analysts and my engineers and my architects to do things; that's my challenge. So that's a CISO challenge, right, not an overall cybersecurity challenge. The qualified personnel: we've got a lot of qualified people out there; the problem is the organizations and how they're screening the people to take the jobs to begin with. That's one of the biggest problems.

Then we're looking at... I'm understanding his point on the changing landscape: it's not necessarily the changing threat landscape of cyber, it's technology that is changing, and it's changing at a rapid pace, and because the technology is changing so rapidly, things seem to be going in a much more mature way of getting things done, when it's really not even more mature; it's just simpler to do. And I can back that up just by this: I don't have to know how a phish works, I can go buy the service. I don't have to know how ransomware works, I can go buy the service, and then I can run the service and not know a thing about the threat or the vector, right? I don't have to do that. So I would say, again going back to the very basics, it's not up there, but I think the biggest problem in cybersecurity is the lack of foundational structure in any organization.

And I will piggyback a little bit on that. When you talk about budget, a large part of my job is not getting budget for me; it is getting budget for IT to do their operational tasks, to make sure that they are running the tools that they should be, so they don't have default passwords and all of those other wonderful things, that they're patching. That's not my job; that's theirs. So I need to make sure they have the budget. I need to go to the chief risk officer or the chief finance officer and get them to budget for those technical solutions that they need to have. Cyber risk insurance: that's not information security's role; it is the chief risk officer's role to make sure that the budget is there for those things. So part of it is translating business risk to the appropriate business owner so that they are budgeting appropriately, not me.

Anybody still want to take this that hasn't already? Has everybody got it? Go ahead.
The coolest thing I ever did to help move my organization... so I got seats for my team. I got seats and they attended that class, and by... on Saturday, by Sunday, we had LOL turned off already, getting signing on, get version one. I moved more in that time than... I had to fight that for years. You're a team; you're part of a whole group of people you need...
All good feedback. Thank you, guys. So now we're on to the second question: which security strategy do you believe is most effective for managing the risk of a business interruption from a cyber incident? A, employee training; B, advanced threat detection tools (EDR, MDR); C, strong policy enforcement; D, crisis testing. Next time I'll have to add like an "other," right? We'll fill in the other. So go ahead and either join by web or do the text, and give it a minute or two and look at the results.

All right, so very clear: training, right. Think about that part. I'll jump on this one. So we spend a significant amount of time and money and resources, properly, in security awareness training and education. It's a core fundamental issue. We still deal with business email compromise, we still deal with account takeover, we still deal with all of the things that we just finished talking about. But I think one of the things that we have done in the last year is we've started adding a weekly threat intel brief that our team develops, and we send it out to the organization as a whole, and it's not anything very specific about the organization. Yeah, we talk about the folks that haven't done their training yet; we call them out and embarrass them a little, or a lot, depending upon who it is. But we just bring ideas to our user base, and we have found time and again... for us, knowing that that awareness is happening: my story of success on that is when I get phone calls or emails from our team as an entity saying, "Hey, can I share that last page that talked about why passwords are important with my grandmother, who just had a business email compromise taken?" And I make it very clear: don't take the middle pages out, because there is some very specific corporate info in there, but absolutely. I still think that no matter how much money you spend on training, it's never enough; no matter how much training you do, it's never enough. And that's not just basic security awareness training; that's training for folks in this room, and that's not just technical security training. I think it is very important, and the reason why we've all been able to do this for a hot second is we understand the business side of it as well. So training, for me, I think is something I'm certainly passionate about.

Here, the passion, because that's been a major focus that I've done for the last several years, and again, you know, podcast: you don't pay to listen to the CISO Tradecraft podcast. It's out there as a contribution to the community to say, let's get smart. Now, my focus for that audience is not, hey, let's go do a deep dive on packet capturing, or how to do something amazing like here's a cookbook for using Burp Suite. That's a different area of cybersecurity. But if you want to learn how to be a manager, a leader, a director, if you want to inspire your people, to understand how to influence them to do the right things they should be doing, while having sufficient enough knowledge yourself of the technology to be conversant without being deep-dive... because I'll tell you one thing that you learn as a CISO, if you haven't learned it beforehand, is that technical knowledge, when you get to the senior ranks, becomes a liability. We laugh at that, but we know that it's true, and we think all the best CISOs are the ones who can hack the best. No, the best CISOs are the ones who can communicate the best, who can obtain the resources your team needs, and also advise the decision makers so that they can make informed, risk-based decisions. If that's your capability, then you're able to do the right thing.

I just want to say something real quick. One of my favorite memes is basically the answer to that question. There are two leaders having a conversation. One leader wants to get their people, and it doesn't have to be cybersecurity, it could be the business in general, wants to get their people training, and the other leader says, "What happens if we pay for all this training and they leave?" And the response was, "What happens if we don't and they stay?" I had that conversation two weeks ago. Did you not? Right. And I think if we look at the alternative: if we didn't train our employees, if we didn't invest in that cyber awareness training, what would that result be? We'd be in a much worse situation, right? We put all the technology in place in the world; we already know we're not doing the fundamentals right, and so without that education across the board, not just within the security teams, but across the business, you have to make that investment. You have to take time out. Cyber awareness month is a great opportunity to reach out to your employees across the business and push that message, but it can't just be once a year; it can't just be one month out of the 12, right? It's got to be continuous. And you're going to get both ends of the spectrum, right? You're going to get users that identify business email compromise emails, awesome, right? We had a woman in treasury; she would send them to us all the time. On the opposite end, I had a person that would dump their entire junk folder to our spam abuse mailbox every damn day, right? But I'd rather her do that than not, right? And so you're going to see that, and it's...

Okay, yeah, I just think a different way. I feel like...
So understand, and I'm sorry, when I think about this, training is a broad thing. A lot of times we think about, okay, we need to train, we need to train on security principles, we need to train... The reality is training them on expectation, right? So part of that question was talking about incident response, right, being able to respond to it. How do you train them on that? And then it's going to happen. Training has got to be a much broader thing than just the things that apply not just to their workspace but from a personal standpoint... wanted to share that with them, but also helping them understand, hey, when a breach happens, here are things that we as an organization... hey, president, CEO, board of directors, everybody across the entire ecosystem from the mail room to the boardroom has got to be trained holistically on everything related to cyber and the response to cyber, because an event is going to happen, and guess what, if you didn't train them on what to do during an event, you're going to fail, because every organization that has had an incident, they aren't measured because they've had an incident; they've been measured based on how they respond.

And part of that training is, you know, there is a value for canned training, but I think you want to look at things like, okay, this employee failed a phish test. Okay, everybody's going to... Are you leveraging that to train the people that are administrators of the laptops and workstations to ensure that those individuals don't have admin privileges? Are you going that next step? That admin training was phenomenal. When you are talking about, you know, the canned training doesn't help teach a developer that they should not have a public GitHub repository. You need training that is specific to the roles, and yeah, monthly training is great and it can really help. Don't look at annual training; annual training is like the bonus on the... I teach executives monthly, because guess what, stuff comes up.

Just standard cybersecurity things, passwords, things like that; all of a sudden they're not going to use "Winter2024" too.
yeah quick we ask I just want to go back to what this gentleman was saying like I think what you were trying to say was like tests themselves they bring awareness right and they take people from unconscious to conscious I think that is really like the there's a struggle in the training and being infected in my opinion it's probably that right people are in email they're in a hurry and so then it's like you're doing the phishing test it brings back that awareness oh yeah I know this slow
down yeah yeah so I actually think that phishing is more or less useless it's possible to like architect you know so that it neutralizes I've done this for instance suppose that someone gets phished right and they have the ability to assume the role of global administrator they can't actually do that unless they specifically you with phishing resistant MFA this means even if you were to phish that individual like and you successfully got you know their token refresh token which I've also prevented that being possible using access right even if you did that you would still not be able to assume that privileged role because you're not presenting what is contextually required at the point in
time no but we disabled MFA to make it easier and that didn't stop the person in accounts receivable from receiving an email and sending out the entire list of all accounts receivable including the names and addresses and that type
of um and I'm probably still on that same side of the house I don't like phishing tests don't like them but they have a place and where they have a place sorry I say tell it but don't tell it yeah so where they have a place is for me to understand the baseline of my community my users where are you with all of this stuff how can I train how can I set up my program to start training you what the problems are with email because I can tell you I can go into an organization I can do a baseline phish test and I may get 60% clicks right that tells me
something is wrong with my training program so I start my training program in that now to routinely phish my users I don't like that from a standpoint is they're tested day after day after day anyway with email and initially when the companies started coming out for all this phishing and there's some great ones out there right now I'm not downing any of the companies the problem with them first coming out is and this is how they tried to sell me we can phish your people and I'm saying I don't need you to phish my people they're already being phished and I have the data that I could grab my own information off of it from all of my own
logs to be doing this so I don't need you to correlate all this and tell me what my problem is I can do that and then it kind of morphed into more of a training scenario and then I started coming a little bit more on board with phishing tests but I am not one that will allow routinely and just all the time phishing of my organization I think it's needless and I think it's just something that causes more of a problem than it does anything because at some point I can tell you users get to a place where I don't know whether this is a test or I don't know
whether this is real I'm just going to throw all my email to the IT people and let them sort it out and so it brings up an interesting question let me go out to the audience on this one who believes that emails radio I got a question who believes that for people who click on phishing emails they should either have some sort of negative event or get put on report or have to do remediation or some consequence for screwing up okay who thinks that people should be treated in such a way that when they make a mistake their own face palm is enough punishment who never raises your hand when you're asked raise your hand
that all right so the reason I bring that up is as follows I want IT and security to be viewed as a partner I've had senior executives call me up on the phone said G Mark I think I just clicked on something I shouldn't I just entered my password shouldn't have been okay let's look at it we went ahead corrected the password change and 15 minutes later the patch panel lit up with all these attacks trying to come in from countries they couldn't even pronounce so it was a pretty sophisticated actor the point is if you've got somebody who is not feeling embarrassed they're not feeling that there's going to be a negative
consequence they called and said help me spot it then what you're going to be able to do you have a much better effect and if someone says I screwed up maybe it didn't notice I'm the bre so I want to address something that you were talking about so everything you said is true there's many many controls of things you can put in place but that comes with maturity right and the reality is the sunshine world that we would all love to live in we're all extremely across ourem but in the reality of the Dungeons and Dragons that we're playing it's not even close to that you have some business users who are mature so you got
small pockets and you have others because of the technology they use they're not mature at all manufacturing all right so we have this balance and so we've got to balance across the entire global organization to figure out what we can do in some places what we can't do in many others so as much as we would like to be able to have DLP deployed it doesn't have the context ability to be able to understand all of our data guess what we don't know where all our data is but sometimes it's SharePoint and Excel or somebody's laptop so you don't always have the context to be able to put that type of maturity blend across the entire ecosystem of
back Bas I want to share a real quick story I was office next I work at home and so she works for a large insurance company she pays a lot more attention than I do for sure and so a thing popped up when she was that she wasn't used to seeing and she saw this and she like knew about breaches that have happened so she called help desk right away right and help desk is like I'm sure it's fine
I think it's fine so an hour out of the day to get to leadership and go is this fine and finally say yeah it's fine but I think there's this collaboration where these silos well I'm saying silos get created right between administrators and users until that I just saw that real time I was like oh my God that's happening here it's happening all over the place that's a great call out because there's something of that like um saying like I say sometimes I would say that and even security sometimes it's like we don't need food and we do basically tell users all day long do this do this do this but then the users
try to tell us like here's the problem right like you know better so like no no no not that so I think you called out a really um I don't know how we solve it yet
can you guys hear back when you're speaking we can hear very clearly okay not with everybody else being loud enough I can ask him to be louder a lot so you guys talked a lot about business phishing training it's great you guys were talking about this earlier I think it goes back to the fundamentals how many of your infrastructure teams actually have security targeted training their role on what a compromised desktop not security analysts but the I think that's missing the fundamentals are shy because we spend money on training employees for phishing training and what to do we don't actually skill up our fundamental infrastructure teams to actually build the things so those fundamentals we
go out do kind of
job you're exactly right I want to point out one thing on that one because this is really really important for all of you people here and you're here I'm assuming because you're all working in cyber or wanting to work in cyber so here's my challenge to all of you in a perfect world I've always said that a cyber team should not be necessary in any organization IT should be trained in cyber completely everybody should be part of it everybody's responsible for that and if everybody in IT understood what a good security role is you wouldn't have a need for a cyber security team okay that's I've always believed that that's a perfect
world we don't live in a perfect world therefore all of you that are in cyber part of your job going forward is education you have to educate the people in IT you have to educate your users and there's a proper way to do that and the right communication method to do that so I would also strongly suggest that if you're all in IT and even if you're following a CISO track or not take some communication classes and learn how to properly communicate what you're trying to say okay so I did have a question here it's actually you kind of started answering it before I got to asking part that I think been plugging you here like I
want to understand some strategies that you guys use you talked about you just spent endless amounts of money in your organization to get training for people and yet people or you know getting people to implement security the F they won't do it so as Dale Carnegie would say what strategies do you use to arouse in others the want to implement security to take the chain and take it seriously so here's the thing you know I am a serial CISO and I stopped counting at eight so I've been a CISO in a lot of organizations with varying levels of success so one of the organizations I'm working with now I am CIO and CISO reporting to the CEO
and we've changed organizationally so every single job in the organization has some level of security responsibility in it it's an enormous cultural shift I have worked in organizations where we have plucked people out of development trained them in security and secure coding practices and put them back in so that they could teach each other so part of it is this whole if you can work in an organization that allows people to switch roles between departments that helps and then there are a couple of free tools there's one Purple Knight and another one PingCastle those free tools show all kinds of problems with Active Directory and if your
IT department isn't running that if you can convince them to run it and then once they see those problems you can have the folks in cyber teach the people in IT how to fix it and some of it's partner relationships depending on the size and some of it is encouraging people to join OWASP join ISACA ISSA join ISC2 join those free resources for everybody in IT you know teach them about podcasts Darknet Diaries or G Mark's or a million others there are so many free and available ways if we just talk to each other and by the way I've got little kids that are listening to some of these podcasts I'm sorry if you
ever listen to Jenny Radcliffe she's got this lovely Liverpool accent it's wonderful I mean there are so many ways that we can teach this that is not on us as CISOs as individuals it's on the community so we lead by example and you know I actually challenge you to start spreading the word you should see my father okay he's in his 80s and when anybody ever forwards spam to him he actually teaches them now how to recognize that it was spam it's great how many people do you know that are 80 that do that but it just took them a little bit of time to teach it so summed
up she'd like you to go to a different area and learn it yourselves Charisma is not a d for I was going to say that there's a lot of I'm going to plug real quick and just say there are a lot of cool products coming out in the sense of like the just in time awareness was brought up earlier like I say email security tools that I'm seeing that are having the labels right like on the email that basically shows you like you know there might be something bad here you might not want to click on this link I think as we evolve you'll start seeing more of the tech
making it easier for people to not always have to be aware I think that combination combined with security awareness is where um your question too was also what do we do to try to get training out effectively I will share one with me that I know has been extremely successful no matter where I live and I'll ask it this way with you and your family what's more important to protect your family or your business family why are we not tailoring our training to the user's family and the dangers of the family because I can guarantee you my philosophy of making this work has been if I can get my users
to understand all the dangers in using a computer improperly or all the email that's coming in that could potentially cause them harm within their own family members they're going to be a lot quicker to learn it and use it and apply it and bring it to work with them instead of trying to get them to understand this is going to be harmful for the company build it going to take would you take advice from someone or are you going to listen to someone who doesn't have a family versus someone who does if you're coming from the area of the family so how do you then translate that back to the business the EAs are
going to take a little bit more note if you have a cyber champion who's an EA who's telling them hey these are the things we need to worry about in what we do for our job and so if you start getting those champions and actually having them be your voice in the different areas of the organization it usually takes off better because then they're not trying to figure out who the security team is all the time if something's going Li they're not clear on something they know who they're going back to in their department and that will always get back to you so this will be our last one so to that point um so we're felt
about they shared these stories in their thing right so one of the stories I shared two weeks ago in my world was about how a husband and wife who own their own business the wife fell for texting and clicked on it and then got a call from a number that actually matched a number on a credit card where they said they had the issue they ended up losing $147,000 right but what she did and the action she took is something that most people follow but then when you hear the whole story and what happened when I shared it with my organization so many people were like oh my God I didn't know this was
possible they send it to their spouses they send it to their parents so for us education again talk about education being broad it comes in so many ways we can't expect just phishing just user awareness education is a very very broad spectrum and helping everybody understand applying it to their personal life understanding this entire ecosystem of what education is if you think broadly about it it'll make it stick more okay there's one last thing before when I said we're moving on one last thing I want to say and gentlemen you did ask basically what strategies right yes it goes back to what are like for example what are the crown jewels right and if you can figure out what
those are one or two things what's the worst thing that can happen right like for example my industry we're a chemical manufacturer so we have chemical manufacturing plant L Char we one of the biggest producers of Sal in North America right so if something happened manipulate our control system we wouldn't just have a cyber attack we would have a major environmental right so one of the things this be something do right find and
like then you or someone above you here's our risk exposure right and then that gets people's eyes that's where when people start wanting to listen to you more that's when they want to start investing more you tie the things that the audience cares about and asset wise to the risk that you're not typically you guys all said that one way or another but I just thought I'd top that off by saying that typically is what gets you the progression beyond people okay so this is going to be a fun one so it looks like how do you perceive the role of artificial intelligence in enhancing cyber security measures in your organization looks like most people
think that they think the role of artificial intelligence is beneficial in enhancing security measures anybody want to take that all right crew so AI here I'm going away we can't hide from it the enemy is going to use it we may as well adopt it how are you going to do it yeah right so who wants to take how they're going to address AI in the organization so I just gave a presentation at Washington University in St Louis around AI so honestly we're at the tip of the iceberg right so if anybody's ever seen iceberg syndrome where when you see an iceberg right there's only this much a small percentage of it that's above the
water and 95% of it is below the water that's where we're at with AI the theoretical components of where AI is going to go is going to massively disrupt the state of humanity right so get on board and figure it out right now the biggest piece goes back to data like at the end of the day organizations are trying to figure out how to use LLMs to actually take advantage of this big data landscape that they have in their organization right but we as technologists still haven't figured out how to protect data so at some point these two things are going to collide with each other right threat actors are already utilizing AI we talked about our phishing emails being
more precise now you can't really tell them the old way we used to identify well that's one small component AI has been used in so many ways against us already right social AI is like the number of fake accounts that are in social media now are off the charts right but now deepfake right how many people have seen multiple deepfake videos and different things happening right so now we're getting to a point where AI is going to be used in a way where you get on a Zoom call there's going to have to be built-in mechanisms into the video conferencing tools that we use to be able to verify that the
person on the other end is actually the real person because there's deepfake technology that you can install on your computer to make you look and sound like someone else so it's here it's not when they start using it threat actors are using it actively today so you've got to figure out where's your organization trying to go with it to enable the business and what are the strategies that you need to implement based on that business strategy to secure it period point blank it's going to be different for everybody but today for those companies that are trying to utilize some form of LLM like you need to figure out what are they doing are
they going to offshoot this to ChatGPT well that's a problem depending on the contract that you have with them and I would still say it's going to be a problem regardless so you need to understand your business's use case for AI because if you don't know it then you're out of the loop because I guarantee every business here is having the conversation so being in a manufacturing organization shocker we don't do a lot of tech as an organization right we put water in bottles bottles on trucks trucks on the road bottles on your front door surprisingly when ChatGPT started making inroads into everywhere we saw on average 30 to 40 different
individuals in our entity going out to the major players daily we started digging in and trying to figure out what they're doing and it was everything from hey grammar check this to make it sound like I'm less of an idiot than I am or take these financials that we haven't released to the public publicly traded company and do the analysis on it and send it back to us but don't worry they're deleting it as soon as they're done Larry nothing nothing appear so we took an extreme position on it and blocked all of the major players initially and for the record don't write the policy using ChatGPT and then send it to your corporate
counsel she doesn't find it anywhere near as funny as I did but in the last three or four months we've started to change that we've actually brought in an expert out of NYU who is helping us put in an AI task force so we're working on three or four very specific business cases and why they're going to be used and then we reinforce time and time again the minute you hit send it's there in the cloud so we have to have good processes in place I look forward to the next level of our EDR MDR all the DRs that are out there really enabling that process to speed up the time to respond and they're getting
there so the ones that we use are already implementing it in some way shape or form I still think we're about that far away from the Matrix in some way shape or form but you have to have it in your environment you have to figure out what to do about it you have to figure out how to use it to reduce risk like no matter what industry you're in healthcare finance it doesn't make a difference you never have enough people on your team I don't care I can think of one entity in all my years of consulting that had a huge security staff spread out the right way doing the right thing we compromised
them in about two days but you need these tools to make your job a little less painful
I mean I think looking at it from a couple different ways right one how does the business use it right to our advantage how do we use it from a security perspective to our advantage and then what are the negative consequences by using it inappropriately right sharing material information publicly before it's released to the public it's a significant challenge I think you know initially I think some of the solutions that are out on the market today are leveraging AI to respond to threats quickly and that's really the only way we're ever going to keep up right if we go back to the very first question about
fundamentals right we're never going to be able to do everything we're supposed to be doing manually the old-fashioned way with people right we got to leverage technology we got to leverage AI to have that agility the business has to have the same speed right we have to be able to use AI to our advantage right whether it's a marketing campaign we sell steaks we exchange steaks for money right they exchange bottles of water for money but how does the business leverage AI appropriately to have that advantage over our competitors right how do we have better marketing campaigns how do we have better communications with our guests and learn from
that and continue to evolve our messaging to improve it the only way we're going to do that is through AI and other technologies but look at it from the flip side the attackers are doing the same thing how are they leveraging it to get into our environment faster quicker easier less detected how do they get around the solutions that are leveraging AI right we talked about email multiple times throughout this panel we had an event where basically an email that should never have gotten through got through two layers of email security right because the attacker knew what those tools look for in the first X number of lines of
that email right and they just suppressed it down further than what those tools are looking at right and the tools I don't see anything more here let it through even though there were other indicators that should have been identified and then it goes back to that training conversation right there was a typosquat domain that was the sending domain so all the technology in the world and the user still failed to recognize it it got through cost the company you know six figures in that transaction so you got to layer it and it's never going to be perfect I think but it comes back to the response
right how do you respond you can't just lay down and cry right you
got whiskey good whiskey so I am going to circle this back a little bit to the family so I have a CMO that's a chief medical officer not marketing a CEO and a CMO that do a lot of public speaking and they are at high risk related to artificial intelligence impersonating her okay because they talk about their families they talk about everything all right and they're recorded too so one of the things that we go back to are some of the fundamentals were any of you latchkey kids or had latchkey kids yes did you have a secret password if a stranger came by to pick you up from
school you need to look at going back to some of those old-time fundamentals in terms of being able to recognize who people are when they get phone calls or when there is video conferencing to recognize those things teaching people about the fact that an unverified caller on a Teams meeting should be called out and they should be disconnected from your Teams meeting is something that these guys don't even think about because they have been trained in it so the social engineering aspects related to AI and the potentials of I'm sorry you need to be teaching grandparents that people calling up saying that they're grandchildren and they need bail money you know how you know they need
secret passwords for that going back and doing some of those things because of the capacity of some of these solutions it's really important to look at someone wants to tell you a little story about Copilot quick I just was going to say that the audience said beneficial for using AI security as you can see there's a bunch of up here right yeah little story about Copilot and how you can use AI to help you fight AI how many have Copilot in your organization turned on all right have you ever asked it how many files do you have access to with nine-digit serial integers you know who that will get
you a list of files that have social security numbers right and Mar ID numbers and anything else it's not good yeah it's not and you can say show me all the files I have access to right so my CIO came to me like hey I want okay I said we're not mature enough for that he's like why not and so I showed him that right I said show me all the files I have access to I said now ask it to draft you a response to the team about disciplinary actions and how they should be taken and it pulled in a write-up he had done and a number of things and that would have been spread
out to other people so it's like we don't have that maturity level so we used a tool not going to say what tool it is that helped us catalog our entire data infrastructure right identify every piece of over-shared files we had because people by default were just allowing everyone to see what they needed on SharePoint and Exchange Online and that tool was able to use AI to help remove all those permissions so we went from 2 million over-exposed files to zero in 3 days because of it so that's how I had to fight we want that
tool hey guys are we doing anything Microsoft Security Copilot my team's right over here I don't think we are no that's a no tell that was
right our chief compliance officer our chief marketing officer chief technology officer it's a combination between legal IT security and so we basically make right we policy governance committee another week or two and that's then basically decisions about the company's use of AI is all going to be
initially one thing to think about is also so I just recorded an episode with graffy G anybody know who he is yeah he's the guy who wrote the CISO MindMap who just came out with a 2024 version of the CISO MindMap on the 30th of March and so that episode will drop a week from Monday and what you're going to hear then is if you've never heard of it go to his website ra.com or go Google CISO MindMap easier to spell for a lot of people and what you'll find is that he has almost 180 different elements of responsibility for a CISO and so your answer to the question who owns it probably a good idea to look at that
because of his initiatives for 2024 AI is the new one and we have a whole little section on there we covered that in depth on the episode so let me offer that so is own the has to have his ability to and understand right so to your question who owns it honestly this is an important topic it's governance it's not about ownership most organizations right are failing because they don't have proper governance in place we always go to oh somebody has to own it and then that person who owns it we're going to tell them what to do well but a lot of times when somebody owns it then everybody says oh well they own it and they
got it and we're not going to deal with it so right the RACI matrix so this whole aspect of governance is so wildly missed across so many organizations right because we think okay well IT owns it and I'm going to tell them what to do and then go away but it doesn't realize what you're telling them to do should be part of the governance committee telling them what to do and it's not just a security thing it's the governance committee saying hey here are the things that we need to do these are the guardrails that we need you to operate in AI is going to be hugely important to that and being able to
build that out because AI touches so many things his example is one of the many many examples Copilot so one of the guys who's building Copilot spoke at the AI summit that I did and it was absolutely frightening like the things that they are starting to build into it it's absolutely frightening but it's going to change the dynamic of how we operate and so if we don't figure out some of our fundamentals if we don't has anybody done data governance well in their organization yeah right stop it Eric you tell so we are going to really be forced to eat our own dog food right here really really soon as things
continue to progress so we've got a lot of work to do and I love all the tech vendors I think the advancement of technology in the cyberspace has been amazing but we're going to have to focus on some basic things to what my good friend Dave said and start working on getting those right and I think a lot of it has to do with building committees to take on this building the models getting an understanding of what the rules are and then starting to move forward go ahead go with the question again so I like AI for questions I might have and I have an expertise in like your
question about you finding some files and help me categorize these I can see AI very beneficial in that area but like on your comment U and I don't want to St you but you said something about like the only way we're going to win we have ai and I I'm going to kind of question that because there a guy who works in the Operation Center I already get alerts is this alert dat to go through and if you throw an AI and just like that's bad I'll be like tell me more I don't understand so some I feel like it's going to slow me down I'm worried about positives or even true positives
I'm so just just real quick just to clarify right if I said that I don't we're not that's not the only way we're going to win right but what I mean is we're never going to be able to review all those alerts manually to keep up right we're going to have to leverage AI to to filter out some of that noise and Elevate those true positives up to our visibility right if you if you have a team if they're if they're doing every Alert review manually they're losing right they're they're going to drown suicide right so that that's what I mean by that right we have to we have to leverage AI to to filter out some of
those noise but really Elevate those true positive alerts that we need further investigation without AI we need the expertise to review those
so I'm I'm I'm in agreement with majority of you as well I I think it's beneficial but I think it has its place and I think the hard part is understanding where that place belongs and what it's being used for how many know that the latest study of today's Ai No matter who's doing AI by the way is 19 to 20% inaccurate have you heard that figure that means one out of every questions you've asked is going to be a wrong answer that's the hallucination side of the AI world and I think what we typically have a tendency to do is we love technology when a new technology comes out we are quick to embrace it we
are quick to throw it out there and we don't think is it mature enough to be used for the intent that we're getting ready to use it for now from from my standpoint I love that idea of of AI in research being from a research institute I think it's an absolute must and it must go forward I think we're going to make great strides with it however Healthcare itself how many of you would like to know that you're you're sitting there in front of your doctor talking something very very specific that might be impacting you and he gets up and or he or she gets up and walks out of the room comes back in and he they explain
well I just wanted to go check with my ChatGPT in my diagnosis it's happening I mean right now because I've had that I've had experienced that at least twice in two different Healthcare organizations where the Physicians are wanting to turn it on to help them with their diagnosis and it's like I don't think you're ready for that now is that a cyber issue it's not a cyber issue that that n goes back over to the compliant side of the world from my from my side because they need to be determining who's going to be liable when the wrong answer gets applied and it hurts someone yeah that's that's where it's at maros we will move on okay so so what
I on AI you look at generative AI 3.5 who here shows up The Bu for 4. otherwise you're like using a 10-year-old cell phone because the things CH with but what is generative AI it's a sequence prediction model that's it it doesn't think it doesn't take it breath when you tell it to all is doing is trying to pick from a statistical sample of logically the most popular thing that comes next in the sequence peanut say butter peanut butter and peanut butter and dry again it's until finally you find out PE up the elephant or something like that and go wow it's creative it's not creating things with is doing is is taking low probability associations it's putting
them in front of you you go wow I hadn't thought of that of course you because it's stupid just maybe it's like wow this is cool but using it for medical diagnosis you said is really bad and remember this one thing about statistics 86.4% of them are made up so so understand real thing that happen the important thing about ai's use case there's a lawyer who actually used ChatGPT to write well there's one he actually got like disbarred and like it was a whole mess because he created his brief and presented it to the judge and the thing gave him entirely fake case law like everything in there was fake
cases right which didn't exist right so so in that use case like well duh but when you think about your business saying hey how many people here have petabytes of data in their organization right so how valuable do you think it is for your organization to be able to easily search and find important data in there right they've been Gathering it for a reason so that's where AI is going to become a player and you got to understand what the use case is for your organization because the next piece to that use case is is access management cuz do you want somebody in marketing asking your internal AI solution about financial projections that is in
this big data model that they probably shouldn't have access to right so it's not all ChatGPT and all the public generative AI yes those are their own problem but thinking about how you're going to use it internally because you know you got a [ __ ] ton of data what are you going to do how are they going to throw AI on top of that to try and make better use of that data to be more efficient as an organization is where the risk is going to start to come what about your use with a vendor are you looking into the aspect of how I coordinate with a vendor and what they're using absolutely to help against
or for your network if a vendor says they have ai right built into their solution I
want we're sending everything that gets to a risk assessment and they check they have ai it shoots off a whole different line and has to go to a whole committee so it should be in your risk assessment so that's my risk assessment
so what we can do is we can keep asking questions you guys keep doing the polling or we've got roughly 35 minutes we have 35 minutes I we from you what happen you guys asked want ask um and uh you have great quite a story you came last year and you were like maybe just tell us like what's happened in the last year okay I'm glad you remember me hi my name is Kelsey castri I currently work at a retail company but I'm actually taking a sabbatical starting next week so I'm going to be traveling for three months um starting it off going to black hat and Singapore so I'm very excited for that um and I wanted to
thank everybody on the panel um who who's here today and who's been here since like last year um because you guys gave me some really good advice I'm not going to start crying because you guys were like really hyping me up whenever I was down during a time while I was looking for a new opportunity didn't get that opportunity but I did get friends and the friends we learned along Long Way um but um I did have a couple questions well oh you asked what's happening what happened you didn't get that opportunity remember you did get another opportunity that no but I do have I do have a new opportunity after I come back from the
sabbatical so unfortunately it wasn't something that happened like within like 3 months of when we last spoke but you know um I do have like a lot of my plate like I'm a competitive figure skater I do like Taekwondo on the side as well so so I I just do um it was it's kind of tough like job hunting when you're also like doing a lot of things I feel like job hunting is like a full-time job especially like whatever you're um like in this economy at the moment but exactly so um it wasn't easy but you know I I didn't really give up and I worked on myself and also like doing things that I like doing because
you know I'm younger than some of us
here yeah so um I've I've been a go-getter for like a long time and I just realized I'm like you know what I like life and I kind of want to enjoy it and I don't want to be even when I work from home I don't want to be in the office all the time you know so I just you know uh do a for plot right but uh back to cyber um question for you cuz I haven't heard from you in a bit um sorry I forgot your name um but how do you how would you combat the push back that comes from users or anybody else when ease of usability goes down in order to put Security in place
so like yeah okay well let's try with a softball question and then so so I think you're going to get pushed back wherever you go right I mean that's that's sort of the the ying and the yanging of cyber security right we're we are naturally introducing friction into a frictionless area but um typically what we do is and what what has made it a lot better in in my experience is when I come in and I'm speaking from the vantage point of the business and they believe that I understand what they're trying to achieve and that I'm actually there to help them achieve that it goes a long way versus I'm coming in from Left Field
I have no understanding of what they're trying to do I don't understand their process I don't understand what their objectives are but you will put this in place and so you doesn't mean that I have 100% of people on board with me right you're still going to have natural push back but we take the time to listen to it even if it's I mean look uh we I've had people explain to me why MFA just will not work for them okay I can dismiss that and that's not going to get me anywhere it's going to cause a bigger Rift where I can listen to it and understand it and then eventually bring them back to but but we have to do this
and here's why completely understand what they're trying to achieve I found success in um making sure that my team and myself are very involved in the business that we understand what the business is trying to achieve and that they understand why that's going to help them so um you know take let's take uh passwords for example um something as simple as that we will talk to the business about I I hear what you want to do but let me show you what your customers are coming to me with and asking me and if I come back and say well we don't do this because you didn't want to your customer is going to come back and
go you're no longer my customer and then you're going to scream at me saying why did I check that box why I check the box because you right so it's so but if I have that conversation I tell them like we do this then when that when that report comes out I have to check this and they're probably not going to go with us so that that changes the dynamic versus well no the nist requirement says that you must have like I've lost them so that's typically how I will approach it and then if I'm coming into a new new company I I'm meeting with them about what are they trying to do what's their
business objectives what are they interest like I'm not there to sell my piece yet I'm there to understand what they're trying to achieve and how my piece is going to come into that that answer a question one more question since nobody took the mic from me um hold on sorry uh this one's for Kathleen um with your background um or anybody honestly um so how exactly does cand work together to get um everybody's objectives Complete because I'm sure like finance and cyber always butt heads but always but also there's like HR and maybe even like the stakeholders themselves everybody wants money cyber costs money but also we help save so here's the thing cyber doesn't necessarily cost
money and it is a misconception Okay so so what happens is part of it is understanding the business and the business and the business needs but and and and sometimes it's upfront money and then it's reduced so if it is maintaining a whole bunch of different legis um Legacy systems and they have to have a larger team to maintain it because of that going through and analyzing what the risks are to the to operational efficiency cyber security can actually assist with that if I can assist so that the cyber security Insurance costs less money or that they can have cyber security insurance that makes a big difference to the business so some of this is actually understanding what they
need and then the other thing is I'm sorry I get bombed by Tech vendors all day all night it is amazing how they find some of my personal information I mean they I mean I have I have channels that there's no way they should be able to get through and that's why I know how good can be because they social engineer all the time what happens is it's not always about the technology it really really isn't so those those discussions and decisions are risk based decisions so being part of the executive level helps a lot because we have a decision to make about business risk and it gets balanced by everyone and so hey we have this
opportunity to do this this will cost money I mean I can healthcare we have one of the organizations I'm advising with they have one of their best physicians refuses to move off paper it makes everybody in the organization insane cuz guy won't move off the paper and there's a risk the paper and and guess what the business has accepted the risk because because this guy's reputation is phenomenal it is a business risk and at some point in time he's going to retire or win the lottery or whatever and everything will have to be digitized and they will move on but it is a business risk that was actually accepted at the executive level I I I went into one
organization that had a phishing solution that will not be named and we had one of the top surgeons at one of the hospitals he quick because assed what is considered ative level security awareness training because he clicked on he forwarded the phish to the security team and that triggered that he had clicked but and he didn't read it just hored it we end up dropping that entire solution because and and we ate the cost okay that was a monetary cost but I hate to tell you this losing the top surgeon at a hospital not an acceptable risk so you really it's and I go on forever iiz Andrew Larry your thoughts on that so I'm going to disagree I love you
we I've had a huge security cost and that's a challenge right because they don't right for a long time this ROI thing was out there how we understand our invest I just gave you $50 million last year now back help understand so understand milon security I longal finan but um uh so reality is we do cost money um but the money can be too The Bu I think you're trying to make offset based on on communicating import right putting security controls in place prior to an in happen actually saves you 20 cost of what you were investing right a lot of organizations don't understand that so being able to communicate with the executive leadership team that simple fact hey you
know what yes you giving me 50 or 7 million right to run my Global Security team and run all the tech things we have to do however if we have an incident of this application the think we're going to do down for 2 weeks that's a $200 million off business so in theory right I'm a cost cost savings for you based on the of prot that's one application so it's really about how you communicate and to your point that you were getting that where you got HR you got each of these different business they all have their priorities but the reality is if they go to the get everything appr everything is approved of what they're going to do for
what they budgeted to actually accomplish so to the point was making earlier when you get into a role as a c your first job to be to become bestead of build the proper get get all your job description written properly all the non r that require analy years all that not uh number two is understand the objectives and priorities of every business lead across your entire organization understand how they going to get bonus understand how they going to get incentivized to achieve their goals and then help them understand how you are going to help them achieve because guess what that 100,000 200,000 $300,000 bonus that every business lead is going to get based on achieving their
target goals they want that money to drive so if you're going to help them get to that easier they all welcome you live they're going to listen to your strategy and they're going to support right maybe extending the project two months right and support you and the budget that you need to enable them to be support and and to go along with that part of it is looking at getting their bonus structure modified to help make the security goals of right so it's one of those they still get the bonus it got two months but it was incented because ex leadership said that
risk one thing got to be careful of is the Microsoft secure score I lot La up here that is a sales technique for Microsoft by the way you cannot get up a certain level unless you go from 35 oh then you go have to then you have to go ahead and this and it's basically a marketing to so when somebody says how you're not at 90% above is because well it's just about enriching Microsoft so that's kind of a counter example But I'm warning people about that is the security score does help to a certain extent but if you were to Max that thing out you run out of budget and your machine would run crawl
but you so so metrics they have five different levels right operational metrics right for for me mean time to detect mean time to respond have been operational metrics of measuring my my operational security team right that that's a huge because understanding where we're at as it relates to that at the board level my metrics are really around our really to meet five controls I pick five controls that align to our business and those are the controls right and it's it's from the framework that we chose and that framework we use UTM to the map out to all the other Global things we have I think five controls that manag is and I get that approved at the board and and be Myers
early on and those are the five metrics because those controls have multiple different components built into it right that make up the control but as things happen inside the organization that change that control from green to Yellow to Red I'm recording I'm doing this report once a month hey here's where we are with these controls for me My overall goal for the is achieving certain AC well I do something similar it took me 10 years to figure it out so thanks for telling me about that that's where we're at now like that is B the most that has resonated the most with the board they can follow it they understand it they understand what
we're looking at to understand what the risk levels like so we do the same thing we we pick I think we have about five or six controls and that's our focus and that's what we talk about but below that different teams have different areas and that's different but at the board level that's what they focus on and that's all they care about a control could come in and out but but but we try to keep it as what what you don't want at least what I don't want is the next month or the next year like all new controls like am I just changing everything to to meet my Narrative of give me more money type
thing no so I I I don't really see those controls changing all too much unless the business is going off in a vastly different direction from a business perspective right so with AI right if you got a huge initiative around something completely different than anything you've ever done you may have a new control that you that you want to report on based on that outside of that use the same control
work on a proposal which security teams are going to like this um one of the I've always said one of the biggest any in any business that I've been in any company that I've been in my number one department has caused me the most problems has been the IT department it is speaking it Department enough so it's I'm sitting here thinking how if you're struggling trying to get the IT Department to come on board with security I I woke up the other morning thinking you know what this might work and so I started writing it all down and my next proposal that we're getting ready to work on we're going over and performance Stuff how to properly do
performance and my thought was wow I've got a bunch of server admins that if I tied a certain percentage of their annual bonus to how well their server is in the area of having patched why would we not would I would I here have my problems of non- patching in my server environment I'm like you know this might work so I'm actually working on that metric right now um take a good look at Dave now because he won't look like that my hair can't get any grayer I'm telling you yeah so back now back on some of the other question you had one of my personal metrics that I've had is has to deal with teams because one of the
things that I love doing is building teams that's that I just I love going into an organization I love building teams and one of the personal metrics that I've had um is that that I look back at all the teams that I've built over the years and I I keep track of how many people came in and started working for me and left because when people leave organizations it's not because they're it's really not because they're going after more money I mean some people will do that but overwhelming majority they leave the organization because they're not happy with who they're working with and they're not happy with how they're being treated right so I always look at how how many
of my team members have actually left me in the past and I use that one as a person metric because if if I if I go into a place and I've got people that are I got my team members that are not happy with me and and they're now telling me you know I think I'm going to move on or something like that my first question is why are you moving on because I want to know whether it's something I've done to them or whether it's something else um and you know I can honestly say there's only been I've only only lost one team member in my 30 years of building a team and it wasn't
because he didn't like the way I was doing things it was because he had a family problem um now I've got some former team members in the room and I will say I've left them before but it's not because of the team it's other things that have happened um and that's kind of the reason but I use that one a lot because that's a way for me to self-reflect and how I'm how I'm trying to manage teams and in the leadership style that I'm trying to put forth what did
so my metrics are a little bit different and and they are actually tied directly to business schs so um and and the thing is that the reporting I do is really Department by department so there's the board reporting um and I do not give them things that that boards are responsible for monitoring that we're doing our jobs they're not responsible for doing our jobs so I do not provide them details that would create the reliability so I don't give them a whole bunch of job um and I look at and talk to the CEO about what it is the board wants and how they want it as opposed to giving them things that I think they
should have although I will talk to them and teach them about that I think they should have a order but each department gets different reporting so what it gets is much more detailed and what the IT department gets and what people within those individual departments get are completely different things because it's what do they need to do to be more effective and the other thing talking about job descriptions Etc if it's not in your job description to do that patching you're not going to do that patching it's just not it's just information security throwing stuff at you so getting those job descriptions changed is enormous um oh yeah so we got a couple more questions the one thing I was just
going to say and it's not all the way there yet but I am finding some success when it comes to metrics and working with my CFO on risk quantification and and putting it more in financial terms from a business impact standpoint um like I said it's it's probably like halfway there and um but it is showing promise right because when you think about your audience and when you're talking to a CFO or CEO it's going to take them a really long time to understand what your stock metrics or what mean time to detection are mean time to response and I love those metrics like you got to have them um but when you're talking to a CFO they care
about I mean they're the cash guy they care about how they're going to bring in Revenue how they're going to protect Revenue right so I've been heavily focused on well how do you protect revenue and we got a partner in we're looking at um and we got some TCH in and and it's showing a lot of promise and it is going to start um it's it's moving the conversation further than I've seen it go in a long time with that audience so uh s GE you have a question yeah so what is your guys opinion on sharing law you find helpful useful useful absolutely in I really believe that if you are in a leadership security leadership position
you do not have those contacts already shame on you if you have to be able to speed dial the FBI DHS contingent upon what industry you're in out there crazy one of two Absol the bureau's done a lot better I say last five years or so they've done a lot better I'll give you so they the FBI Baltimore Field office put out like don't plug into you know don't don't plug your charger into airport what and we hit them up like are you kidding me like we're doing this again and they they got they got the build off to take that like they are doing much better poning their message and actually being there to help they recognized like
10 years ago if you were a certain size company they probably but doing a much better job so
ab's alone and I I agree I I'm I'm with you I I've got I I have the numbers of the local FBI agents in the in the field office for things but I'll will also say this if you're in that position and you get that information and you need to make sure you talk to your legal counsel
first I'll
just process you're calling that means there something happened that's got you to a point right that part of your in response
process and what information can you share right so more more than just having the contacts in your phone before the event I I actually had Rob Haven seen yet but Rob Price Tampa FBI office awesome awesome he he for said that
he so Robin into our office last October for our cyber awareness month and he talked to the business just in general terms about cyber security right and it was phenomenally received right and so he he better understands our business our people understand what his role is with the FBI what the FBI's role is really for us um so it's more than just a contact and a phone number or an email to reach out to right you have to build that relationship same we have similar relationship with Secret Service I brought him in Rick Dean and he spoke with our it leadership right just different topics different different groups and it's it's amazing what what value they bring to the table
but you have to know what you can share when confer
legal from trying to see something I will say a much better relationship but you have to remember what you're going after and what we're trying to protect are not always
alone did you see the CISA rules last week okay so for those that haven't seen you're critical infrastructure I think is almost everybody you have to report within 24 hours the TTPs the M like once it goes into effect there so that for you our lives miserable now I've got to take one of these guys and make sure he documents all this stuff while I'm trying to fix servers and make sure that CISA knows everything need to know that doesn't help me them but got lastek no the government just as bad at we securing stuff so this is all this conversation next year when you ask this panel how's the CISA thing going we have a pretty process what we
we something happen in my area it wouldn't be that sale coming to you because we already have that to contact know what we're all to we're to so a lot of
that that's not I'll tell it's way better than it was 15 years ago when FBI and Secret Service fought over who had responsibility yeah much different than Army Navy Air Force now I will say though I had an incident once where there was a secret service because it was skimmers right and I didn't know that that was until I was in the incident that that Secret Service uh answers those calls it's hard to get engagement though when they are on a major um election campaign so it happened to be when I incident was when my secret service representative was on Hillary's campaign in 2016 and he was like yeah I'll get back to you yeah I'll
get back I got to go to this event no I was just joking but question so there are a lot of students in attendance here I think seeing a lot of people about my age that probably came technical background first and then into a security role but a lot of these kids are getting cyber security degrees before they program the first server before work record so is there anything that we can tell them I want to help and I don't want to be like I'm so sorry you need to take your degree and now go get the job you could got with a high school diploma so that you can learn how to do the job you want so what should we tell
them so experience well let me answer that one because I interviewed somebody a couple of years ago I met her at the airport I was flying out and I said come just finished your master's degree so security with something like a 3.96 average so some so I just came up with eight simple questions that I thought were simple such as um what goes into an IP header okay well tell me the I'm off and her basic it stuff and she didn't know a single one of them and it wasn't a criticism on her it said there's nothing wrong with you but I think he just wasted $40,000 because they gave you a piece of paper and you're all full of Hope and
excitement say I can go make this thing fungible and whatever they taught you is not fungible in Market because you did something but you didn't understand the basics so I encourage students to make sure if you're going to go to cyber security is understand networking understand what's going on a little bit lower level if you can't say physical Data Network session keep going application okay fine it's been long day that backwards but it means you're understanding what's going on and if you understand what's going on at that level you don't have to stay there but now you get it and when something comes in and you go okay we got a block an email how's it getting there how does how do
bad guys get in how does malware propagate how's getting what does a lateral movement really mean other than two words lateral arue I'm going to arue so I'll start L jump in look 95% of cyber security is common sense we don't teach Common Sense anymore right I I also think you don't have to be if you're going to be a technical security person by God you better know what goes into IP but there are so many facets in this industry like you could be a lawyer the after mention love for attorneys look I love my legal staff you could be a a data privacy attorney you don't need you'll be better if you do but you
don't have to know how to reverse engineer malware you could be a security awareness person yeah it's important to understand the basics of it I think the most important fundamental of infosec is common sense and the ability to communicate effectively in your organization at whatever level you are we bring college kids in that expect to be paid a billion dollars a year have no real no real experience doing anything and and then are just flustered that they're not out there cracking into organizations or reverse engineering malware dude you can do that and there's absolutely people that can do that straight out of school but I I I think just come in and learn be a sponge that
in of itself will help you be successful in this industry I I do believe to your point though if you're going down the tech route spend time with your own lab hands on keyboards figuring things out breaking [ __ ] fixing it breaking it again fixing it again that will some of the best hackers that I used to manage these guys chriso the guy that wrote Nikto only you old guys were remember that Chris worked for me for a decade Chris is an English major didn't know anything about technology when he happened to to stumble into a job at Capital One and grp with other security team before we stole of away like just be
curious be patient don't be afraid to ask like so many people in our industry are afraid to ask for help or questions like I don't understand that because sadly we don't do a very good job of not making it feel stupid so but just I'm ask a question everybody here is hiring people has H people would you hire which would you hire someone with pass why what I know but that's my point that's my point you're talking students that's teal work if you're if you're talking about a forensic guy they have to know the if you are talking and and the problem is we're talking cyber how many are in your guys road map if you are talking
specifically about forensics then yes if you don't know how to code if you don't know all of the all of the uh the The OSI model plus layer eight um if you don't know all of those good things then you're going to have problems in pars but for everything else and if you're talking about being a SE it's a different thing yeah it's a long trail that's a long trail I'm inter roles into an organization I've had dozens ofes in my organization you didn't even know dick
about increasing diversity in the field ofite right we've been running that organization since 2014 I talk to thousands upon thousands of students from middle school to high school to college on a yearly basis around the United States this is the biggest misconception in our industry and is keeping so many people out because we keep saying oh man if you don't go ask you can't reverse engineer you can't hack bull crap find the passion that the the industry of cyber is this freaking L and it goes from deeply technical where you want to be a forensic analyst to all the way over here you you want to freaking no policy guess what if I can find somebody who can
write policy well, I would hire them at an entry level, but what I need is someone who is passionate about something in this spectrum. Find something in this spectrum that you're passionate about, because what happens is when you are passionate about it, it doesn't feel like work. You will put in 100 hours a week and won't even think about it, because you love what you're doing. Stop falling for this "I must be technical," because you are driving yourself to an area that you don't love; you're going to hate it and you're going to quit, I guarantee it. I'm the least technical person on this panel. Listen, right now black women are leaving
this industry at the highest rate of any demographic, period, because they've been driven into areas where they were told they have to go, and they hate it. Right? Find something that you are passionate about... can just talk to this, right? Find something that you're passionate about. You find people who want to be in it, tell them, "hey, go look at all the different..." CISA has an entire thing about all the different fields that align inside of security. Go find it, read through that. What is it that makes you say "oh my God, I love this, I want to read more about this"? Find that passion. If you don't find your passion, maybe this isn't for you. But don't come
into this for the money, don't come into this feeling ... if I could. One of the best pieces of advice I got as a young, you know, teenager... I got certified to scuba dive, which has nothing to do with cyber security by the way. I got certified to scuba dive when I was 12 years old. I loved it. This is what I wanted to do since I was 10, Jacques Cousteau, like, that was me. 17, I know, I know, 17 years old, I'm getting ready to graduate high school and I'm thinking about, you know, what I want to do. I think I joined the Navy at 19, but I
thought, I'm a little scuba kid, I want to be a diver. The best piece of advice I got was: don't take what you love and turn it into a job, you will hate it. Right? What L is suggesting is: don't take cyber security and make it a job, because you'll hate it. What he's saying is find your passion and make it a career. It doesn't have to be a job; it'll never be considered a job if you're that passionate about it. The money will come, the opportunities will come, but don't look for that certification that's going to get you the six-figure salary right out of college or right out of high
school, and you don't have any experience, right? Because you're going to be miserable trying to gain that, you're going to be looking for that opportunity that's never going to come. Because when I interview somebody and they've got all the degrees and all the certifications in the world, and I ask them some simple questions: walk me through an incident, just the last incident you were involved with, just walk me through some of the steps, what were your responsibilities? "I've never been involved in that." I can't bring you on the team and make you part of the team if you don't have... You're not even applying for an entry level role, right,
you're applying for a mid-level role and you've never been involved in this. That doesn't match up. ... So why? Right, but that's the view, they've got all the... So for me, I ask people: what is it about this role you love? Why are you applying for this role? What do you love about it, what do you like about it, how do you see yourself in the role? If you've got to go 150 hours a week next week, right, what is it that's going to drive you to do that? So for me it's because, again, there are going to be weeks when you work 40 hours, and there are going to be weeks when you
work a lot more than that, right? And if you haven't found a way to be at peace with that, because it's something you enjoy... Listen, we talk about the role, right, but you know we love it. You know why? She's done it multiple times, they've done it multiple times, he's done it multiple times, we've all done it multiple times. If we didn't love this, right, with all the pain that it brings, with all the long hours, with all of us going on vacation and having our phones with us on the beach or wherever we're at... You just put your phone... Yeah, I think something's going on with the team right now, so it happens. I apologize, I've been up here; our phone
system is completely down right now, our support desk can't take calls. That's what I've been dealing with on my phone for the last hour, right? But I didn't have to step away, right? We can handle it, I've got a team that can handle it. But to your point, I think every one of us has gotten a phone call on a plane as we're leaving for a family vacation: "hey, turn around," and then you're back in the office. I thought the drinks were starting... The panel is why I'm here, I thought it was with drinks, I thought it was taking questions with drinks. Real quick, so Dave, one minute, this gentleman, and if we can we'll do
you and then we'll kick out of here, we're done.
Oh God, I'm still not
sure. Hey, I've just got a question here for anyone in the audience or anyone on the panel that goes off of what you guys were just talking about, young people. In the conversation of young people, how would you get them... addressing your questions? That's on this side of the house. I hear that a lot, and then I hear also the same arguments that you all are making, all valid arguments. A young person coming out of high school, where do you see their opportunity? Like, think about all of you, how you started, kind of in the grind, right? You're a young person, you're at the help desk. Is there a place for young people, a low
paying, high skill, low paying job, $15 an hour, $12 an hour, in an IT shop grinding? Yes. You know what I mean? Our internship starts right here at the bottom of the barrel, but we take our interns right after high school... not, but I'm saying they start there, and if they do well in that internship we keep them on throughout the year. Most of the big companies now are grabbing them when they're younger and saying, okay, well let's keep you on and then let's go figure out... you know, you've got the good attitude, you're willing to grind and you have critical thinking, great, now let's figure out where you
fall in our spectrum. Embrace that grind, embrace those young people, bring them in, then they find that place, that passion. They don't know where that passion is at a young age. We work a lot with the local high schools and communities here at the university. I'm a faculty member here at the university and we do a lot of community work, and one of the things that we're trying to get... we get a lot of money, a lot of money comes in from the state on this kind of question, this very conversation, and the thing that we're trying to find a place for out there is to make change in these things that you guys are talking about, get away from
this and see this. Andboro County School System? Yeah, absolutely. So we've got, you know, I had a huge grant last year, wrote a book, deployed it to 880,000 children across the state, all the high schools, to teach them the fundamentals of Information Technology. Over a half million dollars dedicated to that in one year, and went all up and down the State of Florida. I hear a lot of these echoes, and a lot of what they want to see is a lot more opportunity. Maybe it's there; if it is there, there should be more voice for it. But if there's a lot of money that says, where can we put them right out of high school, right, because I
agree with it. We have programs and we put them through this knowledge, and you ask them, hey, they can talk you through, say something, but they've never done it, and I could see where you would be hesitant to hire anybody like that. But I wonder how much there's a voice out there for the young people to get them off of this and into this, at a low paid job in shops where you put them in circumstances that make sense, and they're sweeping the floor and they're dusting off the desks and talking to people and finding where the safeties are in the technology, to bring that basic knowledge back that we didn't have, that we grew
up on. And I see that the industry has gotten very privileged, like you said; there's also the diversity that is not there, right? So I think a lot of it is in all areas that we can solve it, like some of the things that she was mentioning. Yeah, it could be in the home, but these young people, they're looking for a family, and you see it. I'm out there in the field, I see these real things, and I think if there's more opportunity for young people to get in there and sweep the floors and dust off the old PCs, I think that we might see a new generation
that you can make for that. Maybe you are taking interns, I'm not denying that, but like the actual jobs, you know, like the Publix jobs, you know what I mean, the jobs at the grocery store, those kind of... But this generation also has to be motivated. There's so much free tech for them to train and play with and do. If they can demonstrate, hey, I built this environment in AWS, I took a free account, I was curious about it, right? So to his comment about stay curious: go out and build something on your own, build a GitHub lab, go out and do something, and on your resume coming out of high school
you're like, hey, yes, I just got my high school diploma but I've also built these things. Experience, again, the whole aspect that everybody said here: passion, passion. The best hire I've ever had in my life is I took a guy out of the development shop who built his own security architecture in AWS and I made him the head of my application... I love that. I mean, I love the passion from all levels, and it's easy for us to say these things. I agree with you, I don't disagree with anything you said, but young people, they need a little bit of something. Well, I think we have to manage expectations... so we're finding ways
to inspire that. So I think you have to manage expectations a little bit, right? I've got one person on my team that is on the team that had zero cyber security experience before... right? After ... is done, we've got to probably head out of here, 3:15 is the keynote. So if they can find a role on a help desk, a role on a server team, a desktop team, a network team, like get in and grind their ass off, they'll get recognized and be brought over to the security team. I think that's the easiest answer. Hey guys, we just want to say thank you.