
Today's Cyber Resiliency, Why It Matters to You?

BSides KC · 48:23 · 125 views · Published 2024-05
Style: Keynote
About this talk
Fred Wilmot is a seasoned industry product figure and start-up innovator. He is a practitioner, builder, and security executive capable of getting into the details or discussing risk with the board and driving product vision from idea and concept art to revenue and customer value. Fred has led product, engineering, sales, services and customer success teams focused on customer delight, purpose-built software in the cyber security space for over 20 years. He built JumpCloud's security program as CISO, and Devo, as their first CISO, head of security products and engineering. As a practitioner, he has built security programs at start-ups and fortune 500s, responded to breaches as an incident responder, run security operations teams, CTI programs, and has been a figure in the community co-founding Red Team Offensive Village at DEF CON, the Texas Cyber Summit and any number of Bsides events. He is a principal at AMCyber Research and regularly keynotes at industry conferences and events.

I'm a recovering CISO okay I've done basically all of the jobs in the know executive speak for better herever I've been at you know a lot of companies some for a short period of time since I the water and you know some of the things we talked about here the sort of flavor of the day when comes to talking about the board of directors and your cyber insurers is a state called cyber resiliency so I going to give you a little bit of my take on Cyber resiliency and sort of how this fits in with you I know we end of this conversation you guys will understand not just sort of like CISO that's all

great but this isn't really about the CISO this is about what the CISO's world cares about what matters to the business and how we want to know so without further ado um does everybody know what cyber resiliency is straight off of the rip from NIST okay this is basically the CSF right the same thing right the ability to stand and recover for something bad in essence sounds great but it's also something that's really tied to business initiatives first part that's pretty technical in nature the second part it gets a little bit more nebulous right every business is different every threat model is different there's not a lot of design principles to consider when you're talking about

it the intent of my conversation up here is not to walk you through all of this stuff this is just hey okay but to be complete there's the background here education that requires conversation some of other things the business has to adhere to in order to truly understand the risk framework and make risk management decisions it turns out things that we can do it for an awful long time while now it's called cyber resiliency fa okay you guys remember Disaster Recovery we take okay now we understand this 3-2-1 principle of making sure you have three availability zones two regions one offsite all place for cloud and you know so on and so forth but so the game

really hasn't changed too much these strategic design principles goals are really about how do I take and build the structure of an organization and security program so that it can be effective it can be measured it can be eventric this should also look familiar to you maybe not in this particular example but if you look through each of these structural design principles you're going to say huh yeah but that resp I get that a lot I know what that relates to and I put this in here specifically for wi because yesterday we talking about CISOs that don't understand how risk looks when CA doesn't understand how risk works the rest of the organization is going understand how

risk works you don't understand this works we have a different conversation the executive team has a different conversation they're uninformed inappropriately we don't really understand how this relates to the business and we also can't put something on the risk register that says hey uh yeah we know we do this right we don't really have a plan to fix it but this is a risk we accepted or this is a risk that we're going to have to deal with or this is a vendor risk or I just got here and before I get screwed as a CISO I'm going to get a retainer with a breach response company and I'm going to lay down all the residual risk

today right to make sure everybody knows what that means you guys familiar with the term be your whole job right running a security program is not in with the newspapers that's what we think but the business thinks this is all about making sure you maintain business as usual so of the concerns we have about that is what is business as usual I quantify that somebody says hey uh you know we transact a billion dollars worth of you know Financial from this company to this company I'm a payment processor I'm a broker I'm a transactor business as usual is a pretty substantive thing if you run an ice cream shop business as usual it's keeping the

doors open that's yes sir so the context of what business as usual means is different it's important to keep it clear in your minds when you think about those design concerns for what resiliency is sounds great as Mike Tyson says everybody's got a plan so I punch him in the face the challenge we have isn't whether or not you design things appropriately follow resiliency framework right I've got a maturity model I've got spreadsheets things get real things are real and some of the challenges again from a CA perspective when I brief the board I have a set of regular metrics that I go through it's never a good idea to surprising work when we talk about cyber resiliency

right and the connotation around that is again business as usual that means everything that I say in the board is not business as usual if it's an interruption if it's a metric that doesn't look right all of it when we think about this in the context of today's environment you got the cyber security review board only investigating Microsoft right you've got some compromises that scaled out to 75 80 million people you got an unknown level of depth of foreign compromise of Microsoft credentials Keys certificates and maybe a lot of other things and we won't know the grounds and depths of that for years we also know that it's a relatively recent proposal suggests that zero days are now used for ransomware

right last year $1.1 billion dollars of pay out for ransomware so I'm going to keep coming back this St forward is this is isn't this usual feels like it look at the trend of the last you know you look at 2023 last year in the first nine months of the year we already pass cyber

tax a trend perspective that doesn't really sound terrific to me and to see so and notice in here right this ominous warning to CISOs right I'm going to talk a about this throughout this talk not just because uh something I'm very close to um at least one of the TC that have been indicted uh are good friends and they know what they're doing but also because the importance of what it means when you have a conversation again about cyber resiliency what does that mean to the board what does it mean to the executive staff what does it mean to the

investors everybody knows this okay one of the metrics the board doesn't get is a metric that I give to the executive team right how are we doing on vulnerabilities do you really want to know that answer yeah we've got 100,000 vulnerabilities shocking off okay how many those are critical well I mean less than 5,000 so I mean you know statistically that's pretty good and okay cool what's the trend on that what is the impact those vulnerabilities have okay those things matter those things help you understand business as usual right those things might interrupt my $1 billion transaction profile and so I I do care the executive team does care their teams the risk owners right do

care challenge we have is understanding which wants are the ones that matter oh it's critical according to him right Snyk says this cool Cisco says that well let say Palo Alto says that for and then you've got CISA who has an opinion about you know commonly exploited vulnerabilities or known exploited vulnerabilities sorry so when you think about that is it's what we know right adversaries have their own opinions then we probably don't have CD these World things right that they have fully weaponized right quick aside what does that mean us this is usual on the security industry well there's a little bit of yelling into the void you know that there say hey this thing came out

are we ready somebody about it right I'm actually not one of those CISOs that calls my guys and says Hey so uh we'll Ty them so how are we doing but at the same time sort of the context around all of that is if the business saw what actually happens in a lot of cases behind the scenes when some real thing happens here right this is sort of the conduit by which this entire industry is run right and yes there's a little hyperbole here this this is a lot of focus that happens in incident response uh just a quick show of hands I'm going to people have been in an incident last 24 hours it's just like riding a motorcycle

just because you haven't been down doesn't mean w be that kind of a situation is a regular operating procedure at most of the large places I've been there and the challenge there is how many times a week how many times a month how many are you how do you contend with that so you part of this is well business as usual is me briefing an executive team and probably being involved in incident response and briefing the executive team in this capacity as well most of the time that level of folks not getting up on Saturday not 2 in the morning on a Friday right and so that level of understanding of what business is usual

is is very

disu some would ask well who actually owns this proper cyber resiliency and uh this is a little bit pointed I don't want you to take away from this this is the way that it is everywhere okay but I always think about something as you know there's a plan there's a strategy there's a theory and other's what actually happens a lot of cases what we talk about here isure companies following CMC they have governance risk and compliance Frameworks they have an organization that Brokers the risk for the organization itself they have owners of those risks those risks are tied to risk to the business the VP of engineering right owns the risk of those vulnerabilities for example or SC of

engineering depending on you know where you are what you're doing HR owns those risks for personnel not the C contracts contractual risk not on by the CISO even if you do a third party a who's that on by legal D go that legal risk is something that you're going to help validate but you don't own that risk okay that man sounds good but the truth of that is if you have a vendor that's been compromised and you did the vendor due diligence on that who are they going talk to yeah c why is it different everybody knows what a CIO's role is it's been defined for a long C is not a new role but it is

utility player and the challenge with that is it's not just the CISO but the security program everybody involved with that program also has to know how does the mail work how ship software yes I do as a respon that's my primary goal to thing how does business make it money how long does it take for these transactions only process so we know that's normal behavior what Partners actually deal with all of our Revenue so we can assess those guys on a regular basis they got ability Totie your business first three things that you set up when you go to a company show me the flow of every piece of data here give me an Access Control Matrix and then show

me what logs we have and don't have right and then I'm calling a breach response retainer immediately following right you have to know the whole thing so when we think about what does it mean when we say who owns cyber resiliency obviously that's a business problem obviously that's the conversation you have with the board not all CISOs brief the board and not all CISOs have full autonomy to make sure cyber resiliency is in fact in place you might own the risk

okay let the statistics so K okay most of these companies Fortune 500 have some of the best Security Programs in that's what Security Programs in the world a large shoe manufacturer in Portland has 198 guys people working on this problem got research got Response Security operations reversing they've got the entire sweep of folks doing this work there's nobody on the shoe manufacturer in Oregon Flor that would reflect the same level of understanding of that problem why because as usual how much for a transactional basis can that possibly affect oh if I can't wasun a shoe that's a thing if I can't wasun a shoe because of a Cyber attack okay we second so some things to think

about that zombie dude probably would see so and that's also a parable for down the food chain right because the rest of the team is probably feeling some of here shaking his hand that that could be the chief Revenue officer right it's a new suit looks good zombie guy slept in this and that's how it is and so it's really important to understand that one of the things that goes along with this it's not just you know the difference in the roles and it difference the impact the understanding of resiliency it is also what happens when you take that man right what does that mean to you what does it mean to the family all

of these other types of things your life style is different your burn is different all these other things why am I saying all this you guys know this already how many you guys plan to be in this career for five years how many for 10 this is your career how about 20 okay so from the other side of that thing now it's different than it once was being able to maintain this if you look at that veracity and velocity of the types of threats we facing today and you think about what the requirements are resiliency you know it's not like when we grew we were J about this in the way over it's not like when we grew up sorry

Gen X uh it's not like when we grew up you didn't have seat belts in the car okay or you got in the back of the car and you R around that part of the front of it right now it's like the cars are less safe right they're not made of steel and maybe it's some idiocy that happens around that too but the Cula safe c a little bit sharper every turn you make has a much different set of consequences than it once did it's not the same thing it doesn't mean that looking at 500 Megs of traffic capture in 1998 wasn't the coolest thing there ever was 500 Megs today yeah sure my phone does

that and it also run for me the when you think about this a lot of these same questions that we're asked to do from a resilience perspective should be part of the practice we've been doing for 20 years right if you're screaming into the void so I think about this when you take those standards and you bring that into the context haven't done this for a long time and we know what this problem is and they probably have a program that addresses this these are recent statistics as in the last 6 months 20% of cyber security Executives and Pros wouldn't bet a chocolate bar on their cyber

security 92% of CISOs and C-level execs are always confident in their organization security I might take out of that one I don't think anybody's stupid in that particular set of consequences but the impact of what that means is different not every CISO has come up through the ranks there are a lot more requirements for a business to have a CISO there are a lot more requirements for I need to understand how a security program works and if you're just getting out of school today and you're going into the job market we talk about that in a minute cyber street is getting read by reference to what it was like first getting into the industry and you

know having the amazing honor to be in touch with people that invented stuff today those people aren't doing things anymore they're on fire the number of people that understand this problem has gone down the number of Executives who are no longer fly accountable for the things has gone up and if we think that all is Rim it's at least helpful to know that you know 90 96% of the CISOs know that you can Ro sh whether that's a good or a bad thing but there's a bunch of Articles out about this that talk about president's Council advisors right starting to think about cyber physical right there is government influence now being spread here because of some of these concerns

and gaps not just in the company's ability to honor a cyber resiliency model but also in their ability to execute that here kind of the way I think about it um you know add add some seasoning here your m very do do I do refine this for every place that I go but these are some pretty high level sort of things that we talk about from a metrics and a policy perspective that help me shape the board's opinion and I do a couple of things here that are becoming very common practice okay I don't like to surprise the board it's bad for me it's bad for them nobody wins their I like to let them know hey answerers an email let me

tell you about what's happening here's how we're prepared for this here's what we're doing because again how many of those guys have cyber experience in the Fortune 500 right 12% the board AIT share maybe is written code sometime in their career probably not and this is the storyline that we have to work with so these are just some general some of these are parino metric some of these are legitimate and and you know some of the things that are really critical about this is you know if you you showed up in my shop this is what I'm going to try to make sure the company understands clearly and also board directors now I'd like you to take a

note here secure by Design protect the brand protect the workforce what's this

always two of these pictures are AI generated as you might imagine two easer closer to real one of them's probably Clos to real for

real what's missing is you know technology check process Frameworks check [ __ ] forgot about that what do we do there comp's get compromised and everything's kind of an incident right some level right whether or not it's an incident right look I lost KN got scars like we're good don't worry about it go back to your cby and you know be a and do whatever but we're good we have this don't real sweat here but at the same time there's a number of other things that whether You' been in this industry for 20 years or two that are now pretty revolutionary right and we're just we don't yes I know there's a a standard for AI okay but that's

gr putting that into practice so far away from not being reality right it's a conversation for cyber insurers right now we're nowhere close to yeah you know what let me practically apply much stuff you wrote policy I don't know how you're on it

K guy we proba on to the folks we have right they're talented this is a daily well this isn't really a daily thing I mean if you've seen this before probably not um this is actually a military parade in India but um I just love this picture because look at the choreography that has to happen here to balance okay I love to think that if my team or teams had a spirit animal they'd be these

guys you got to figure out how to do more with less today budget cuts people leave the company no back fills right we can't do that right now read you can't do that right now let's going back business as usual what if not bringing those folks into my neighborhood impacts your business as usual right this is the conversation it's a regular conversation zombie guy knows it he knows it all the time

okay a lot of people will talk about m okay working from home I love it I have a problem it's called OCD and so that's why I mean some people Jo hey look 10 start yes now I have one because I can't consent with anyone else's OCD so it's mine but the traits you made for the business the trades you made for your family to provide right has a lot of uncertainty and there is no rest for the Waker when you respond to an incident when you go through the process dealing with the breach that is exhausting it is emotionally exhausting 50% of employees holds th000 people in 500 different companies have said and that's

not giant but look look statistically speaking if 50% of the employees said that if they found out their company had a breach they'd look for employment elsewhere now you've got B on your shoulders right your friends you're commiserators right Co eBay guys in the fox with you they're not all security people security guys probably we've got five minut things you you to Le about it's fine they're r b okay I insecurity did a study on incident responders and I realized I am spending a lot of time on it for response but IR respect with the maturity of the company it has an awful lot to do with Staffing decisions and it's awful lot to do with your business culture about how

security isray about education level training it does well out of this frequently right look over here at the far left so something we don't talk about a lot there's residual Damage Done when you do stuff like this that stress adds up and it comes out in various ways depending on who you are I encourage you guys to go take two books that sort of do some self analysis for you you probably very Cal StrengthsFinder and Emotional Intelligence 2.0 okay everybody should understand where they sit in the atmosphere because we all comes down to it all of your plans all of your strategy your Frameworks it comes down to the security team at some level

right we might think so it's not always true but we might operate that way and that leads to right some of the people that do this job Mission driv it you have purpose you want to make a difference you want to make an impact any that St familiar you believe in doing something right you want to make the world a better place you might want to secure things you want to be the top person in your trade craft you want to inspire others a lot of these are terrific and aspirational and the business probably doesn't care sorry we'll talk about later you got a plan here a lot of outside influences okay I'm not weighing on the

on the politics of any of this this is these are facts so there's nothing to argue debate about right a lot of stuff happening in the United States right now a lot of effects uh globally as a result of what we do do here a ripple effect we may be witnessing something that is transformative for the first time in America's history you may be witnessing that right you can't be immune to how that feels screaming into the void I don't know about you guys but I'm 50 I I could run the president somebody please

the average person today and their ability to exist above the poverty line we have military personnel that use food stamps today in this economy in this country we have millions of EVs we cannot fully operationalize and we have gas prices we don't control even though today we produce more gas than in the history of the United States I don't know about you guys but I live in Seattle gas there for me when it gets the $6 a gallon I feel like I need to move more on that later sh did have the highest gas price in the United States W last year I make sure I thought people that but aside from this geopolitical

turmoil right this national elections uh you know standing is they Happening Here who's try for what things and whatever you also know that there is unrest in the rest of the world when America looks away things happen things are happening what happens next right I don't know about you guys again I'm talking about your personal cyber resiliency plan I care about this stuff personally right a lot of veterans in here handful of veterans in here thank you thank you for your service I still feel like I'm in a fight but I'm not so I have to time box my experience with this information to 15 minutes a day or you will find me under my desk in the fal

position with a try to figure out what to do next

there's a lot of inter but they affect our well-being maybe not directly dra yeah this challenge of skills now cyber smart people we need to be the genius at AI too now you need to understand how that affects the entire business no one does we're in experimentation and exploration stages yeah I'd love to hear again so that's great I had this debate yesterday on a on a podcast is hey cool I'm super glad there's a framework okay now tell me how you're going to enforce it with you know the 10,000 employees that work remotely on their laptops okay zero shs BL blah when all of a sudden I need something done quickly somebody's I don't remember

the class I need to put in here right fix this w and all of a sudden right it's no longer a decision it's not a policy you can enforce that's the world we live in yet there are standards again who doesn't fall back on to figure out how to solve some's problems in its early days some of you guys might not remember this movie Groundhog Day okay but I think about this all the time Bill Murray says Don't drive Angry Grandpa's driving if you feel like you've had this conversation with a leadership team multiple times and it's still not happening for you okay you're having your own Groundhog Day that's a regular thing it's a Well understood thing think back

to my question how long do you want to be in this industry how do you manage that how do you influence that then there's the hey you know what yeah I'm working from home that's awesome I I don't know how to turn it off I hand an incident off to somebody there's a critical thing that has to get done yeah probably you know CE so had on I'm going to have that risk hang out for four days I can do that Saturday morning I don't takes all day Saturday I thought it's 4 hours 8 because I don't want to have that happening it's also by the way my personal reputation we see two CISOs up

here okay both them were one of them's criminal one of them seem to be a criminal okay the far right guys know Sullivan was the Uber right set this whole thing in motion wasn't work he prosecuted so these cases like as some of the first things that were done Joe was a really smart guy you got hung out to dry there's a lot of opinions on this but the facts are he out to drive he probably could have made some different decisions had he known he was going to be personally liable for them when you made different ones I guarantee you the much actors of the world This Will Blow that thing out because they don't want to get hammered

like that so these are some of the internal things that we also have to contend with in order for us to understand

that I like s by way Jim Carrey I mean look what a come back thank you um I was fortunate enough to get to work with a guy that was a what I would consider maybe the best CEO I've ever spent time with and he happened to be the CEO at 12 and yeah spons a great company and all that at that time in that place but I got to spend regular amount of time with Gotham solvin uh how I Le up starting Security in Street practice all stuff that next SW we'll save for another off the table conversation later Shadow rules butrey would never have a meeting if he was exhausted never why is

that well the CEO can't have a down day can't have a down meeting can't so he can't be that dum SC up you know 48 hours in an incident right probably work so imagine the CH laid out to the so imagine you parlay that out to maybe some other folks that are involved now you think about are they getting sleep do they make good decisions new scrolling on what's Happening and telegram for you know what's happening in in Israel and Gaza right I want to know what's happening except then I find out and I go to the field position the job wasn't changed so every day I want to get up and do the same

thing what do I do well today was hard so I got got up and I hammer back an energy drink or I drank on potic coffee sounds good not sustainable not for 20 years watching holes in walls there a limited amount of wall

SP Journal about it I I've never been able to do it but some people have found a way that this actually helps so a couple of years ago I got a career coach and again some of this feedback for you guys is from doing this for a long time I came up through the ranks I'm a practitioner of my trade if anybody ever calls me out says oh well you didn't you haven't BL blah blah blah no and I still do so go back to wherever you were it's the thing that helps you understand how to make what you do habitable to others okay for 20 years how many guys girls people do you run

into that are crunchy J cynical prickly they might have earned it but that doesn't matter some of that's because we don't take care of the basics and some of that's up to you in fact I'm going to say the first two are absolutely up to you if you think about it right we started with there's all this industry compliance there's all this data point around what the company is building for cyber resiliency then there's your responsibilities right for your cyber resiliency I'm going give you a couple of points here of things that I've picked up along the way that have helped me because I'm not prickly but but if you want to go to guns with me in an IR situation where

you don't have the context and I do I'm going to be less empathetic ises that wi overall down the road well again less through the Fox right doesn't really work well that try not to do it l belonging Safety and Security physiological needs again salt to taste here okay physical fitness I was doing a thing uh we built the Cyber weapons platform for the Air Force put 192 bases use find bad guys blah blah blah in order to do that I was literally working 7 days a week 18 to 20 hours a day I put on 80 lbs yeah unhealthy I probably kept like you guys the rock okay Dwayne Johnson zoa yeah he owes me a part of the

company but also what do you do you you also take comfort in things that you probably maybe you eat maybe you drink you don't talk about it but you should and so keep those things in mind to be resilient means you are not constantly putting yourself in harm's way and that odds it's not to say you should have a good time and you know gr drink it is to say think about what you do with some discipline and some rigor because you know you're going to do this 48 hour thing and it's going to hurt it's going to hurt and again over a long period of time do you have a diaspora for you to

talk to do you have a group of people I mean uh set Cas he's pretty cool you have a group of people whether it's at your company a bunch of companies that you can really Hammer this thing on and spend time get consensus talk through ideas you're crazy talk about your friends you want in do something you're not good at all the time I'd love to tell you I'm an amazing guitar player I started playing guitar so I can put catalog because I'm a zeppelin freak and I can mostly do that don't ask me to do a whole lot else okay but I do that because it's challenging for me my son's are far better than cars I am which you know

good for him it makes me a little angry but you know what in theing home I will be the best Los is this is important there's a bunch of trade-offs that you make every day you're in charge of those for the most case okay your work life balance right these sweet spots of figuring this out people don't know your SP a great manager May figure it out with spend some time to figure out where you sit in this there are polarities required for you to trade here keep those in mind is anybody familiar with the ladder of inference here's how we make decisions we do this every day this is how we decide what is it do and

inherently we have a thing called cognitive bias okay I don't have time to spend through the ladder of inference for you but here's what I'll tell you in brief summation and you should spend time on yourself your cognitive bias may affect your ladder of inference where do you start and where you end up so what does that mean s reflection on whether or not you really have the right outcomes from the decision you made great here's an example example so or I don't like going to movies paying for a movie the movie sucks you know I mean Netflix is really improved okay but got Netflix while P you know 699 for it we're going to watch this I don't care if it sucks

and it's better than General I agree you could just turn off right your decision tree should be regularly about don't get comfortable and saying that your decision making process is what it needs to be forever R train yourselves your I your what happens when you don't the time of being a rockstar without having EQ is gone on as a CISO as a stre professional part of your s resilience is longevity won't give it away emotional intelligence to go check it out read up on emotional intelligence Dan B is a brilliant dude and I think from a psychologist has popularized this notion of how this works self-regulation okay help understand how you manage your emotions how many of you have a I'm

going to go couple minutes over sorry we went a couple minutes late so we're going a couple minutes late guys give me a couple more minutes when you get into a situation where you're having a conversation and escalates how do you escalate that how many of you have a big red button in your chest it says hit me dumbass if you want to talk about something that really really makes you emotionally upset well don't give it away it's you worse maintain control of yourself do that by pausing do that by taking a step back do that by recognizing hey you know what like I don't need to have this conversation right now this is an inner

talk track just walk out of the room go back later personal resiliency why are you guys here he sign is cool there's stuff to do workshops training presentations memes all the things I come back to that diaspora question find somebody today that hasn't been in cyber sec in 20 years and spent some time with not just today mentorship is not an right is a you that person will make you better Mr I the industry parts of all and as a person coming into the industry understanding the context you enter so that you are equipped with the skills necessary to win find somebody that you don't normally get to spend time with I mean I'm blessed because I don't get to see

you guys very often I haven't been here five years so it's like Meer find somebody else that needs help right the community here is really strong I need that super cool that people will and do reach out but spend the time while you're here while you're in these sessions while you're at a CTF the after party I know our say it's SP2 right so I mean do what you do finally friend figure out how you can help someone else achieve those steps and M's needs that you have figure out how to establish a way for you to be a contributor and a participant in a place where you might feel prickly you might have some of

that residual stress and some of that will help people's self-esteem some of that will help you become the person you want to be not just the sideb person you want to be with that I'd love for you guys to have a great day today I'd love for you to embrace King side for work is please visit our sponsors and if you would like to get in touch and you need something from me please reach out thank you