
Dennis Chaupis

BSides Calgary | 54:27 | 9 views | Published 2024-03 | Watch on YouTube ↗

Transcript [en]

[Music] all [Music]

right see so we're getting okay that sounds like you he's on

my yeah yeah

right yeah right who's got the in the room

as

cred we okay they can hear online okay perfect

yeah I just one this

I mean, a proposal, an idea from Dennis and I, from previous experiences, on how can you actually weaponize GRC, just basically take advantage of that, and yeah, just grab it up and maybe answer some of your questions.

...cons years and now I still do consulting, but for consulting firms, so one another, uh, my expertise inclc KPMG and some other security... me mostly F on the strategy. Yeah, that handsome gentleman is me, so I tie my hair just to... so we just... bad joke. And something Dennis didn't mention, we... oh, it's funny, like, well, they got this... please, we just sold you this, I'm like...

information

mine doesn't have the frequency on anymore same with

[Laughter]

yours

yeah they're more

...points. Yes, yeah, don't be shy, don't be shy. All right, we are all in the same team, right?

So, okay, now who is here? Okay, so...

You okay? The... we want to... are you also trying to focus on specific questions, hopefully not for the next 5 minutes? Okay, so let's go. Yeah, we'll try, we'll try. All right, so our problem statement is like: I've run all these different amazing offensive security engagements, but in reality, where do all these different observations go? And that's me trying to put somebody hitting a baseball and going up through the chain, right? I mean, bottom, that's us humans, and all the way up to the boards of directors of a company, and we'll say those red dots are basically just a baseball just arriving somewhere, right, with a little bit of black. So you

get all the way to the top, maybe these social engineering, uh, you know, campaigns or phishing campaigns, right? I'm sure all your executives in your companies, they want to see those rates going down, right? I mean, they understand, right, because it's human behavior, and if you keep going down, maybe the executives get a little bit more involved into red teaming exercises. That is probably now a transformation, a new security program to execute in your SOC, whatever. Audit also becomes relevant, right? Nobody wants to go to that performance review with some findings on the table. Yes, you want to make sure those get fixed. Later on, some penetration testing exercises. From a previous talk I heard some folks do not like the testing

world, but it's just testing. Anyway, we have that CH as well that produces some results, and on that, kind of like towards the end, the more conventional vulnerability scan: your Nessus, your Qualys, your Greenbone, uh, open source scanner, if you're familiar with it. But that's basically where all those different, um, offensive security results, right, end up, based on what I've seen in ALA, wink wink. I'm not sure how it is on the esos, on the financial services, maybe Dennis can share a little bit more, but... how many of you relate with that or have felt it is this way? Just me? It's okay. All right, so, uh, what if it's named after your company name on the domain and

everything else, huh? That looks a little bit more interesting, let's attack that. That's where it's sort of morphed into more of a, you know, mimicking the real world and really trying to make it so that attackers go to systems that aren't just like, oh, it's an open port. Now it's like, oh, this looks juicy, let's try

that. On a box I configure this for a specific function, whether it's an SSH server, an FTP server, and then I just look to see who... maybe I want to grab their creds. Uh, nowadays it's more, more into an industry platform play, right, where there's actors out there building platforms around value, because they bring so much experience from outside the

world, folks who are building this out, uh, to integrate that into other... see a lot of industry players from, you know, the security side creating... set their product also into other products. That's... platform really helps cyber sec strategy when it comes to SecOps

using

access, but when we add deception technology in, we're creating a lot of friction in that attacker process and life cycle, um, so in slowing them down, incentivizing them to examine systems that provide no benefit, um, and this gives defending teams the opportunity to intervene a lot sooner, or just gather more indicators that are useful for hunting and other activities. So, big benefit in terms of winning back time against attackers that traditionally are much faster than defenders, right? So, like, I would say, you know, some of the biggest things are, for example, honeypots. Back in the day threat researchers would throw them on the

Internet... solution in place. So this, we'll get into a little more detail explaining, for those with... what it is there. What we're proposing is like, leverage this information in order... and better ex... why you have the data. Some sort of vulnerability, we do certain things that, you know, collect that information, information about it, and now we've kind of flipped that script and said, well, in today's world it's not just Windows boxes or Linux boxes or, you know, SSH compromised, uh, hosts. It's a wide range, right? It could be, you know, Android devices, it could be iPhone devices, it could be SCADA devices, for example, and that's really, I think, the power of deception technology today

versus what we saw honeypots were doing, you know, even like five years ago, right? So still a lot of honeypot projects on get... oh, absolutely useful services, but like Mar was saying, if you're not able to manage these tools they can become a deficit to your security operations. Like, there's lots of adversarial projects that do fingerprint honeypots and identify them ahead of time, or like quick in their life cycle, um, because... he risk, um, I don't know, scare... we actually want to be... we want to make our businesses risk takers, right? I mean, taking risk typically brings a big reward, so I'm sure that will resonate with a lot of your leaders and

organizations that are trying to capitalize in some sort or another. So challenge yourself, look at your risk register on others, say, what else can I do to maybe provide a mitigation on others and make us risk takers? And compliance, we keep it super simple: you definitely want to perform those controls on a regular basis, right, so you don't get in trouble, you don't get your boss in trouble, and you avoid penalties. But yeah, this is a whole year

is that of vulnerability now, you know, did I just create a security vulnerability by trying to create deception or like a honeypot? Uh, now you don't have to worry about it, right? You can just pick a vendor and say, hey, let's do something. With what I've done today, we have today... we've done a lot of emulation around files and identities, right? Uh, so what we do is essentially, within our Active Directory structure, if anyone's familiar here with like AD, AAD, um, you have user accounts, you have service accounts, you have principals, right? A lot of the times, um, there's certain management tools and, you know, I guess just scripts or whatever, you see a lot of admins running these things and

saying, okay, hey, I need to like enumerate all of Active Directory, I need to go in here and maybe find a user, right? A lot of things like, uh, even just ADUC or, you know, non-native Active Directory management tools, or something like Azure PowerShell, uh, you're going to be reading or grabbing or querying AD a lot, right? There are specific technologies that can mimic the back end of user objects to essentially not really create something that's there, but for an attacker's toolkit or an admin's toolkit, create something that we can monitor for and we can trigger on and then tie into a bigger operation, right? So what do I mean by that? Uh, we're able to essentially

take a calculation. Okay, someone scraping AD is $10 million, right? But let's say to your organization something goes wrong, I mean, uh, the... there's nothing, or the regulator could come to you and say, hey, I'm just gonna charge you $2 million. It's up to you to take that into a risk discussion, right? Or it could be beyond a risk discussion, right, and just decide how to move things forward. Again, I'm not trying to encourage going to that financial decision, but those are some of the variables, right, that I take in business into account, right, to approve a budget for you to execute your cyber security program. So keep that in mind, um, and back to that red dot, which is, uh, where we are

trying to grab up the discussion about, is, uh, hey, your defensive security teams, I mean, those people, I mean they're not all the time sitting in a basement with hoodies and black stuff, like we've seen people like in Las Vegas on the top of a, you know, a rooftop swimming pool with a lot of amazing food, having the time of their lives making ten and thousand millions of dollars. So use that information, the hard work they do, and that amazing database of information, right? They could feed us to your... see, your compliance, to, uh, I don't know, mitigate more effectively. Yeah, yup, this, like you said, the trip wires. You... there's a trip wire, do I see

anywhere else? No. Well, GreyNoise or Shodan... these people don't know about the scanner and it's only hitting me. No level of reaction... point to it, going like, huh, why is he only hitting me and why is he looking at P... yes, now

okay, FOC, cool, cool. Yeah, so, yeah, as the slide shows, right, you know, the idea of deception technology is to really integrate and kind of mix itself with real assets. And again, you know, yesterday's technology, it was really like a server that you'd configure and you'd manually manage, and then again, if you wanted to redeploy it, then you'd have to either, a, build a golden image or whatnot. But nowadays with new deception technologies we can automate a lot of that, but more importantly there's other elements to deception technologies too, like... we haven't really talked about it, but things like, you know, honey personas. That, you know, Eric, you want to expand on that? Yeah, so, Paul, I like what

you're saying with those fake Active Directory principals, um, and something I'm like interested in is honey people, honey personas. So if I have my deception technology platform that's creating these user accounts on the lure services that it's providing, or I have these fake objects in my Active Directory, I can associate those with social media profiles, LinkedIn or otherwise, make these credentials more enticing by making them appear in OSINT. So I'm incentivizing attackers when they're doing their research, doing their reconnaissance on my organization, trying to harvest a list of emails, whatever it is, I can incentivize them to start working with or remembering these honey personas that they're going to capture later, and it just adds to the depth and

the believability of the platform. So there's a lot of ways that you kind of weave these bits together to, uh, make it very deceiving and cause the attacker to spend a lot of time wasting... uh, like deception as a platform gives you the ability to generate real services for a lot of different services, right? So I can have fake remote access services, they're real, I can have those tied in with my honey people, I can have those tied in with my fake credentials that are on those other services as well. So I can really kind of incentivize them to come through, perform their attack, move on to the next part, pivot in my deception network and glean a lot of

their TTPs, and then if I see those threat hunting in my SIEM otherwise, I kind of compare, right? Right. Oh yes, you could, yeah, absolutely, I think so, right. I mean, you know, we're basically creating something to ensnare someone else, right?

Yeah, honey... see that, right, more realistic, actually coming in. A funny thing, no, it is, it is logging who they are, and you have to make an enticing character. Just say, how do you make an enticing user? You go making... sound like you're selling initial access to your H... and then you get all the data about it. Say, do that, I don't know the

legalities. For sure, for sure. I think, uh, I think the other aspect that's interesting, again, and I'm touching on this specifically because I know Paulo is working with it, is OT networks. So especially when you're trying to protect an OT network, you realize, you know, a lot of those OT devices, they're old, they're not patchable, you can't install an agent on them, right, even if you wanted to. Like, again, for example, you wanted to run XDR or EDR on it, it's really... it's not going to happen. And I know, Paulo, you deal with OT in your job. Feel like deception technology kind of can help, I guess, you know, uh, secure it a

little bit? Maybe expand on that if you don't mind. Yeah, OT networks are definitely interesting, like there's a lot, and a lot of it you can't really touch, right? Like, you're going to have systems that can't be upgraded, you're going to have things that can't be patched. The best thing to do most of the time is just build a giant wall around it and just like cross your fingers and hope that wall doesn't break, right? Um, but I think it comes down to two things. So let's set... deception network monitoring and analysis is all what's usually recommended from an OT standpoint, which is great, but a lot of the problem is that that method is essentially you're

finding a... on a host. That's what that thing is for. What needs to be prioritized for your GRC team to, you know, follow up with different asset owners, asset custodians. I mean, objectives are, as well as Dennis mentioned, to stay away from penalties, right? Make sure you keep happy some of your insurers, right? I mean, I'm sure most of you go through this annual review of how your environment looks like, and insurers are becoming a little bit more anal each year to make sure you have a reasonable set of controls, right, to, uh, stay safer. And from a compliance standpoint, it's like you cannot fix the whole world, there is going to be still a few

exceptions or deviations. Just bring those back to the system, right, and everybody's happy. You have that one single pane of glass where you can see all the different issues you have on your environment, and, uh, yeah, this same idea that I just explained. So okay, so now that we know that the GRC will have basically a lot of the different pieces of information about the company, what does this actually mean? You is actually us about the company. Who is saying that actually we're seeing the left side of the company, we know anything that is wrong, or who believes that it is giving us, you know, the nice view of the company, which will be the right side of the... who says

the left side, raise up your hand. Okay, who believes it's the right side? Who has no idea? So the real question is actually... my personal preference is like, it depends what you're trying to show. The reason why I say that, because yes, we have identified everything that is wrong and important and material, actually will have some sort of impact in the organization, but that could mean the right side of the picture. Why? Because now I've made an important decision on a specific risk, therefore my facade of the

building, right. Like, started the OT network because that's low frequency, low noise, but as you start building up that framework, alerting and the pro... and it doesn't happen, then you go into those busier networks like

it... way your offensive security, now that I know all these different areas and the impact of those specific

weaknesses. Security, call it red team, call itle team, call it whatever it is, even testing, all those ones can be the information that will make them better. We have better results. That's what we are proposing here. Lots of content on this slide, and Dennis gave it to me, so please bear with me. [Music] Um, again, some I need to give to some other folks in the past, again, my fam... me straight. Uh, yeah, there is something about the operational teams that you might have heard before, and it's about practice, practice, practice, right? Uh, tabletop exercises or fire drills, live fire drills. So basically, the more you train, the more you're sweating in training, the better

prepared you will be whenever you need to go handle a real incident. As we are saying up there, it's like the less you basically will bleed in battle. So, uh, let's reach out to those offensive security folks, right? You have all this massive amount of rich findings and information to you

know... deception that was used to win World War II. This is actually probably one of the most pivotal things that happened in World War II. The story goes, so during World War II, during the planning of the, uh, um, the landing of Nor... as I think most of you know, one of those things that, you know, the Allies win. Most people don't know is the fact that there was a lot of planning that went on before that invasion or landing happened. A lot of it actually had to do with trying to trick the Nazis in Germany into the fact that they weren't going to land in Normandy. In fact, they put all these fake tanks, they even have fake

ums down and actually fake radio... Germans that they were actually gonna land either Norway or the P... instead of Normandy. And they actually... Nor is actually, uh, you know, what we're gonna say is like the fake, gonna land, and then blah blah blah. Story goes, is, yeah, Hitler bought it. Hitler removed all their tanks to the P..., and when Normandy happened it became a lot easier for them to actually invade and take... go. Probably one of the most key turning points in World War II. That's deception technology in the real world. So with that, I guess we're kind of moving on, kind of how do we see deception technology being now. Again, this is talking about, you know, an example of

real world use case. This... I wanted to kind of... told me a story once about one of his friends who's a top level hacker, he can pretty much circumvent anything, and, uh, you know what, I'm going to let K tell the

story

working on a real issue that the company, your company, experienced, versus something that you copied from ChatGPT. Um, the third, the third one in the middle is talking about controls, right, that we throw in our organization to keep ourselves safe. But the way to look at it too, as you're going through these cycles, is like, if a control keeps on failing and it's not detecting that security event that you wanted, and like, how did you know that? See, the control is really not providing that value. I don't know, a big vendor is telling us, right, so maybe we don't need to buy... that much money. Uh, governance, again, that 360 is giving you that

broader visibility on what's going on across the environment. And again, the last one is about being proactive, for finding change, seeking for remediation, transforming to that champion, for being remediation obsessed, right? And again, teams are going to appreciate it. I mean, the easier, the cleaner an environment is, the less chances you hopefully get to experience a major cyber event. Okay, so that basically covers, let's call it the theory side, the theoretical, uh, part of the talk. Now what we have next actually are four examples where we put this into practice, into what you guys actually can do, and now these examples are based on my experience, personal experience, that I

have in different organizations, and his experience as well. So we see this actually happening already in different places, to one or more extent. Okay, so the first example I'm going to go with is a red team example. Yes, red team continues to be a hot topic in the market and organizations. I mean, we're... I talk about this on why, right? So let's set up a little context, right? Overall question, open question for those red teamers, and four or five hands that I saw halfway up: what is the first activity when red teaming? There's no wrong answer. Scope, okay, I like it. What else? Okay, we're going a little more on the

technical part, so reconnaissance, yes, I know. I'm turning more into the note... the scoping, it's more into that area, but ... is specific, because the first activity here, you got to set up what are the objectives, because that's what is going to set up your specific scope. Like, I'm going to go until this specific asset, until these specific items, IPs, what... or individuals, right, whatever it is. But why am I putting this into context? Because now I want to see the GRC influence into this specific definition of objectives for a red teaming. What if we leverage, right, some of the information that I had, which I said over and over again, right, in order to

better define these objectives. For example, going from, let's try to access the ICS/OT environment from the IT network, which I see over and over again, we want to test that. That's very generic, right? Uh, from a ram perspective, if you don't necessarily have five months to do this assessment, you literally have two or three weeks, so it's very limited what you can do. But what if you know actually, hey, what are some crown jewels in the organization that actually will have a better, higher degree of impact if something goes wrong, that will affect these operations? So why not going from, for example, access the ICS environment from the IT environment, to access a breaching system that will have

operational impact. For example, it's supposed that Colonial Pipeline, the reason why they shut the pipeline down, sorry, is because they were able to encrypt the nomination system, that therefore they were not able to control and bill the clients for all the product that was going through the pipeline. Not because, you know, the pipeline is not able to move product, no, but because if you cannot control and measure, you cannot bill. That's financial impact right there. So why not use that as an example on like what is best? And as a consultant, I'd rather this example than this one, although this one in theory is easier to demonstrate whether I achieve it or not, because it's

open to interpretation, right? Where are the benefits going from here to here? It's more... provides a more realistic view, state and posture of the asset that you are going against, of that specific objective. It's more meaningful results. It's no longer generic: oh yes, no one can get in. But can really no one get in? Or no one can get into that specific door that you tried to open, right, to the specific area that you were trying to poke, right? It's less open to interpretation, as I said, and you got, you know what, you will make your red team work harder, and if they are consultants they are going to suffer more. Why? Because as consultants we get paid to

actually prove that we're able to get in, right? So you're going to make them work harder, you're going to have better results, it's a win-win-win in every situation. Now, yes, this in some stages of the planning means that you may have to coordinate with more individuals to set up these specific objectives, but if someone in the organization is already paying it, you have your trusted agent. Work with that trusted agent to give you the information for which, you know, what you provide the best value for your buck in the end. Okay, right, you gotta make those consultants work harder, right, they charge so much money. And, uh, on the previous example too, like, uh, this came from a... let's call it

some new... I run somewhere operator, right? Like, for the ones familiar with critical infrastructure, you have your actuators, sensors, anything that is on the physical side, on your field systems, pump stations, gas stations, etc. So you have those assets and you have that other system that is feeding that commercial information, which has basically, what I was saying, I'm going to use that to bill people. So you as a ransomware operation actually ask yourself, where can I get more financial benefit? Like, what is the low hanging fruit? In some other talk this SP a whole different set of dmcs on where show where is my attack easily, right, to be deployed, right? And then you start thinking about

that SCADA system, right, that place where the billing is happening, as easy targets, right, to commit your goals. Anyways, so, uh, this is my lenses, so this is, you know, weapon... I and red team. The talk, so that's what this red circle means. But another example is, uh, I'm not sure if you have put yourself into these situations, but maybe your CISO wants to measure your industrial control systems incident response process, right? I want to measure the effectiveness, including type of detection, type of response, type of containment, and overall, you know, making sure everybody follows the process, right? So, uh, what are the challenges? Very similar to what Dennis was sharing

before, like what to target. I mean, there's so many things out there, way too many networks. Which asset should I prioritize, right? Uh, how many tactics, techniques and procedures, right, which is the MITRE framework or whatever attack framework, whatever you follow, right? Like, how many of those does it make sense to test? Uh, wasting my time actually doing the test if I have a bunch of firewalls, IPSs and others in place protecting me. I mean, more important, sometimes I heard this from, you know, offensive security team players, it's like, I mean, are they ever gonna fix it? Like, it's okay, you know, I'm just gonna keep on reusing the password that I captured

three years ago and use it over and over, right, until, uh, I mean, I don't know, somebody out there decides to drive a change. So this is happening with our offensive security teams, keep that in mind. So use the data, right, because he's going to start talking about some material threats, right? As I was mentioning before, maybe one of your findings, maybe internal audit found that maybe that endpoint detection and response, next generation endpoint security product is just in monitoring mode. So what you need to do, you just need to challenge them more, right? Whenever you are maybe planning an audit or designing a new defensive security project, is there some manual

intervention through the system, right? Especially in ICS environments, we... engineers do not really appreciate full automation. They like automated things, they want to have the authority to approve certain actions on others, and we also need their help to sometimes interpret some of the events that we see on those networks. So that just creates by default a manual type of analysis that, from an incident response point of view, could sometimes really slow you down, but you know that. So, not fully integrated response plan, as I said, and sometimes in some places that should remain nameless, there is not necessarily an AAP type of process, right, to split your corporate type of environments from your

industrial control systems. So opportunities, a bunch of opportunities in there. So you have all that MRI information, really good, go chase after those offensive security individuals. I mean, they'll be so happy to share with you. So, wins you can get right away: improve material weaknesses to your organization, right? You have the full picture, don't filter out those types of topics. There was another thought, I was talking about augmenting low vulnerabilities and others on top of the others. Uh, you end up having a potentially higher risk, right, if you... versus just looking at them individually. Complementing them, correlating them will give you a different sense of impact. Uh, test and tune that incident response

process, right. On this particular example, I'm sure you have been asked in the past, you have a massive list of risks and the question is, where do I start, right? You can calibrate low hanging fruits, you can calibrate where do you really need to invest a big amount of money to fix some issues, and just keep on improving, hopefully little by little. And as you can see so far with these two specific examples, this is not adding any complexity to any type of test that can be done or are being done at the moment, is anything. But as I was saying, it's leveraging the information that these organizations already have, that your

risk professionals already have. It's just a matter of whether, unfortunately, for better or for worse, within the same organization there's not necessarily much sharing all the time. So the other individual may do a greater job if they know this, but, well, they didn't ask and they didn't offer either, so the less I know, the better I sleep. But if you think about the whole picture again, it's better for the entire company in the end, because the company does well, employees are well, the stock does well, everyone wins, good bonus at the end. Exactly, someone's bonus at the end. But now, how can we start extrapolating into some of these areas? So we talked about, you know, red team, we talked about some of the

incident response. Let's put it into something a little more different. Let's put it... so let's say on the SDLC governance. Key word: SDLC governance, okay? Okay, governance aspect. We have a pipeline, you know, where you have one anten... this is a coding pipeline, this is not an oil and gas pipeline, just FYI, okay? Now, for the most part it's like, guys, you are developing, whether that's one line of code, whether that's 10 lines of code, whether that's a thousand lines of code, you got to test everything. That's 10, 15, 20 years ago. Do you really need to test everything? What do you guys think? The right answer is "depends", as usual. Maybe the right answer is always

depends, right? So what if actually there must be a better way to, you know, embed within the development process the testing criteria? Because in the end, from a security point of view, whether you have a software development life cycle and then you have a secure software development life cycle, where you have already defined, hey, if an application is crown jewel, if an application is internet facing, if an application is internal facing, over... you will only go through this type of testing. For example, you don't necessarily need to do a line by line code review for, you know, if you are creating a small, tiny plugin, but if you are creating, you know, a new functionality

within, again, the nomination system, that you may actually want to, right, to make sure there are no backdoors or whatsoever, and that will determine also what type of SAST to do, to what level you may want to do, whether pentests are required, etc. But you have already those things defined. Why not embed those ones into your development process? Why don't you leverage that through your GRC solution? You can include those ones. In fact, most financial organizations, coming from someone that actually works with them in Toronto, this is what I see more and more, at least in the big five banks. They try to push all those things, like the common... is that cliché already, right, shift left, push all those things early

within development, right? So leverage that information that you have there in order to have a better product in the end, right? Okay, perfect, I'll do that. So now, instead of having a thousand results, I may have less, but what do I do with the results? Well, those results can still continue going, if they haven't already, and then just put them in your GRC. Why? What did we say at the beginning? Your GRC is this big lake of results, and then you have now... try to put the pieces together. I have the view on the application layer, I have the view from the network point of view, I have the view from the architectural point of

view, and you have all that from a system. Then you have a much better picture of what your actual overall posture for that specific system may look like, right? So again, you are not adding any complication, you are just doing things better now. Okay, well, we said you don't need to fix everything. There's going to be deviations. Who's going to track it? Guess what, your GRC solution would also have already your exception process, your tracking process, everything is there. You may make the GRC people's life a little more difficult, but, well, someone has to suffer with it, right? Your GRC solution in Excel spreadsheets, right? Hey, hey, no one says it has to be like ServiceNow,

whatever it is, right? Sorry, no, I meant Power tools, right? That's... yeah, exactly, you can do queries, right? So, but what is the outcome in the end? Then you will have software that has been built with a security mindset from the beginning. Yes, we keep saying that over and over again, but do we really do it? Well, if you actually are, you know, if you are your C... or the product development and you're struggling with it, then that's what I said at the beginning of this slide: you have to partner with your own team in order to build better, right? So your security will not be like a roadblock, and this, your security in this specific

development example is not just one more requirement; in fact, I use it to build more secure products. We keep talking about SDLC and DevOps, to, you know, let's make sure that we're empowering the developers, but the developers, they don't necessarily know or care about security. But if they have already this embedded into what they are doing, then it will be already embedded there. And just one last bonus, and I think I didn't think about it, but now that I meditate, it is year end, so performance reviews are coming, so this might be relevant to your year-end discussion. So this is a CISO on steroids, like basically enabling your CISO, right, to be in a good position to

answer questions anybody at that C level could potentially make him, right? It could be the Chief Financial Officer, the chief auditor, whatever they mean. But anyways, let's get started. So your COO, the CFO, your C, your CIO, they all run their own engagements, right? We talked about it at the very beginning. Guess what, eventually some of that, in a shape or fashion, ends up as an internal audit finding that goes in this very nice memo to your CISO, and then your CISO says hi, and your CISO sends it to, you know, the GRC manager to, I don't know, track and fix it, and then he's like, okay, hold on, this was just a, we wanted to get an

external party point of view on how good we were doing, and all of a sudden it is an internal finding. All right, anyways, it ends up in that GRC platform, right? So we are the ones who understand owners, custodians, all right? Yes, one more line to the eye of the tiger, and yeah, it could be more work, but it's kind of like an invitation for you to know, like, how much power you have. Like we heard through the talk, like, you have lots of visibility, you understand a lot of, you know, those dirty little secrets, and you also understand about risk and impact to your business. So yeah, use it, use it to

make some change, right? So, to prepare your CISO better. And if we go to the last chevron, it's like, these are some of the benefits, right? Aside from enabling and arming your CISO to have those quick answers to any questions from anybody, from vulnerabilities, audit findings, attack vectors, etc., etc., you can also use it as ammo to potentially train your red teamers: get that red team internal audit run with a third party, get the report, give it to your own internal red team or even to your defenders, right? It's like, have them go through that, I don't know, maybe reproducing the attack, right, to make sure that actually the issue was solved.

Wouldn't your CISO be happy? Like I said, hey, you know what, we got a report before the next audit, of course, comes; he's like, you are proactive. He engaged all his other peers and then: hey buddy, you know, I retested this, you haven't fixed it yet, internal audit is coming again to hit us, so you better fix it right away. So what I mean is that you're already building that strong relationship, a partnership that we ultimately need, right? So you put him in a good location, you make him look good, and you also have him prepared to answer any questions he could be asked on these audit boards or committees. Another important topic, at

least in Alberta, again, TSA, sorry, that is very related to that topic: only VPs and above at the CISO level actually get an insurance approved. Like SolarWinds, for example, right? You all know what the SEC is doing with the big head, right? They sued the company saying, hey, you know, that was your role, and the person is counting basically on his own personal insurance. So in Alberta only VPs and above are insured, so watch out for those CISOs who are only director and below: nobody insures them, it's on their own. So you want to be that manager or that lead on the GRC team who can keep him with a job, right, and make sure you put in your

performance review. Anyways, it's just, again, yet one more tool to, you know, keep your CISO informed, aware and ready to, you know, have those conversations to drive change. So what we tried to cover in this talk, and where, at the time, I like it, is that offensive security doesn't need to be blind, right? But we're not saying that doing a blind test is wrong; no, in certain cases, I'm sure in most of the cases, it has its purpose, it has its meaning on being covered for a reason. If you're doing a red team that is fully covered, that's okay, because you are, quote unquote, mimicking what a real person, an attacker from the outside, is

doing. But at the same time, if you are engaging, whether you are first line, second line, third line, and you actually want to have different and arguably more meaningful results, then leverage the information that you already have, as I said it like five times already: get more for your buck. Okay, so that's, at the end of the day, what we're trying to propose with this view; that's what we call it, offensive security through the lens of a GRC rather than something else, to avoid confusion. Because in the end, and I like this specific last sentence, it's like, so the security posture of the organization is not

necessarily measured as a whole, right? Because in the end you need to find the weakest link, whether that's a person, whether that's an asset, whatever it is, and if something happens to that person, to that asset, that is going to have the bigger impact across. So if you know what your weak points are, go to the doctor, use the information, get tested to a certain extent to have a better remediation later. Yeah, and maybe just one thing that made me think: the previous talk about impostor syndrome. So, and I'm maybe going, I put myself on the GRC side of the house, leading a group of people; it's like professionals who started their careers

and just looking at risk, compliance, controls, right, very high level. They're craving to learn more about technical stuff. So guess who loves to tell you right away how somebody broke into a network, I mean all these protocols, ports and everything else? Anybody want to volunteer? It's on the name of the chat, right: offensive security people. They want to reach out to you, so they want to help you, they want to train you. You get rid of that, you know, feeling of, oh, I don't really know what I'm testing, right? You level up your game, right, you bring more value to the table, and you also recognize the great work they do, and there is a very

positive, you know, virtuous circle that, you know, brings value to the company at the end of the day, and of course get that bonus we all want at the end of the year. And I think that's okay, unless anybody has some questions. Anyone has questions? Or, yes, go ahead. One thing I'm really curious

on: trying to find impact, your executive, and to get budget. And again, I know you work with a lot of banks; it's a whole different story here, but for a regular enterprise or large-size customer it's very difficult to get together the data to be able to make the case of what impact. And when I say impact, the other thing I would say is that when auditors come in, or when you do audits, those are once a month, let's say, even let's say quarterly, you get that data, but things change, and so to try and articulate the impact of the risk is, from what I've seen, is very, that's why for the most part, in my opinion, risk

The impact can translate into how much is this going to cost us, right? Because pulling the data, it may, okay, has it ever happened? No, but it could happen. But it could, okay, but that's why you have, we're talking about insurance, you make your due diligence, whatever it is, and at the end of the day someone needs to sign, whether that's your CISO, whether that's you being the CISO, whether that's your CIO, CTO, whoever it is. But at the end it will come, in my opinion, to quantification and whether you have provision for that and have a business reason why not to fix something, should they, or be the needs. As in the end, like many security professionals will

be like, you go over and over an organization and it's a Gruyère cheese: you have holes everywhere. That's normal, right? Because the organization made that decision and they were conscious, with the best information they had. But at the same time you've got to revisit it, whatever frequency it is, six months, a year usually, because something that you may be okay with today, tomorrow something else happens and you may not be okay with it anymore. But your execs are like, we already went through it, nothing has changed. Okay, you need to sign again. Okay, now give me more data, because I think they may have changed, because otherwise they're like, it's okay. You need to sign again. Okay, now you're

making it personal. That's where they are like, okay, okay, I need to think this again. And is there any

risk, risk will your organization bear? And I think sometimes, like, quantitatively, I love the dollars thing; they don't like, it's hard for them to say, put that into dollars, or reputation, what's the dollars behind? 'Cause you cannot, it's very difficult to quantify it. It's not impossible to quantify it, right? Say, like, oh, I may be hit by a ransomware attack, but it will be like, okay, but where, in which part of the system, or the entire network? No, that's not going to happen, right? But the best way, I think, that more executives and companies are learning is by someone else's experience. You think right now, you mentioned it, right, SolarWinds, what is happening? You

think most major organizations are like, I don't want to be in those shoes, but now, for the most part, I bet they are like, hey, legal, let's make sure that we executives are protected, right, from now on at least, right? And whatever happens there, hey, we are protected. Yeah, the other thing too is like, sorry, just this about, I'd say risk culture. I mean, we all handle risk every day, right? Like, it snowed yesterday; I mean, I changed into winter tires like two or three weeks ago, but I'm sure some of you have not done it yet. So sometimes it's just a matter of having that conversation, and as Dennis mentioned, we're gonna compare to

each other, right? And at some point you're probably gonna be like, oh crap, I should be wearing winter tires, you know, I don't want to be that, or don't walk outside with white shoes like I did today, and I was holding on to him. Sorry, you have a

question there. Dies, or whether somebody, we have international reputation damage, you can all high-risk that, and the business understands that. And all you talk about here, if you tie it back, that suddenly you'll start understanding and turning back your head like, oh, that's, somebody could die, do something that comes back to your, I guess this is more second and third line, your operational, sorry, your risk taxonomy, where something is operational or something is brand, where something is just for life, and that, because let's say damage to the brand, how much is that? That's potentially more than if your system goes down on

some

yeah

Yeah, that way, when someone says, oh, this is medium risk, everyone knows what medium is within that specific component, where that's operational, with much, most IT cyber security will fall, may have an impact on brand. Let's say ransomware, something happens, well, your brand is going to be damaged, because let's say what happened to sois a few months ago, right, they couldn't do anything. No names please, no names. But, and culture too, like how many companies have undervalued safety? I mean, that's a big thing in some of the operators of critical infrastructure and utilities. So then executives simulate that, your versus maybe somebody I know, who, how many times have in pop, they're

making lots of money, you're still using, what happened to, no names, it's okay, it's not in Alberta, he's not in Alberta, so we're good. These are known things. Anyhoo, any other question, anything else? Home, yeah, thank you for being patient. Yeah, I hope you find this useful, and yeah, enjoy the conference.