Episode Transcript
[00:00:00] Speaker A: Jeffrey, welcome aboard to the show today. So happy to have you.
[00:00:03] Speaker B: Oh my God. It is absolutely my pleasure to be here.
[00:00:06] Speaker A: I wanted to ask you, how did you get into cybersecurity? What's your origin story?
[00:00:11] Speaker B: It's a great question. I always love to do that because I think my sort of finding cyber is a little unusual. I was an IT person. I was a network guy. I was working for a consulting company that was going to get bought. And they basically stashed me in a location because they didn't want me to leave. So they were billing me like four hours a week. And I stumbled across an old website called 2600 and I found a set of columns from somebody named, called the Happy Hacker. And essentially she was teaching you how to do pen testing. We didn't call it that back then. And I said, you know, this is much, much more fun than the networking stuff I'm doing. And I decided that that day I was a cyber person who actually I was an information security person before cyber was even a thing.
I consider myself super lucky and grateful in that my career has just progressed in such a great way. And now essentially I talk about cybersecurity for a living, which is super fun.
[00:01:18] Speaker A: And you got to spend, keep me honest here a whole bunch of years with Gartner. How was that?
[00:01:23] Speaker B: So I had a great time working at Gartner. I was always surrounded by the smartest people around. They gave me the opportunity to really think about things that in a more structured environment I think you wouldn't necessarily do. I got a chance to be up on stage. I actually did some back of the envelope math not too long ago. I think I've given a thousand plus talks to probably 150,000 people over my career. And frankly, talking is what it's my most favorite thing to do really.
And I did some seminal research there. We started some really cool things around third party risk management and board communication. So overall it was definitely a great formative 15 or so years in my career.
[00:02:12] Speaker A: I wanted to ask you, for those of us who are kind of new and don't really know what third party risk means, break us down in the most simplistic way.
[00:02:23] Speaker B: Third party risk is risk that you get because you choose to do business with other people. I think it is no more complicated than that. We hear some people call it vendor risk, we hear some people call it supply chain risk. But when, when it comes to looking at the cybersecurity element of it, it's the same, right? It's. There are companies you choose to do business with and they may or may not be doing a good job on cybersecurity. If they're not, if they get hit with ransomware, they're down for a week. What does that mean for you? If you give them data and they lose it, what does that mean for you? If they're operationally critical and they go down, what does that mean to you? And I think it's no more complicated than that. It's, now it's, it's much harder to do. But to articulate what it is is pretty straightforward.
[00:03:11] Speaker A: So, so what are the techniques or methods that we can really evaluate third party risk? Because it's not as simple. When it's your own systems you can go and just monitor them. When it's somebody else, it becomes complicated.
[00:03:23] Speaker B: So there are a few things, some of them are very historical in nature, some of them are sort of more forward looking. So historically it was very much about we're going to send you a questionnaire with 300 questions, you're going to fill it out and we're going to make a determination as to whether in fact you are hitting the standard of due care that we like. Of course the problem with questionnaires is they're point-in-time snapshots. They're often people's opinions and I would never say anyone is lying or being disingenuous. But frequently they tell you what they know, which isn't necessarily what's right.
Over time we started to see that supplemented by independent evaluations like SOC 2s, like ISO certifications, like NIST CSF reports. So having sort of an external party come in and do some kind of an analysis of what you are doing. Again, there's value there, but it's still very much a point-in-time snapshot. What we're seeing now is more real time, what we like to call third party risk intelligence, which is let's gather a bunch of data, let's do some analysis and let's get as close to real time as we possibly can. Yeah, it's great that you said you did this in your questionnaire, but we see data that indicates you're not encrypting, you're not doing MFA or you're not segmenting your networks, you're not patching. So I think it's really about bringing all of these things together, looking at the financial impact of a third party either losing your data or being unavailable. You know, I always tell people if you can't prioritize very simply, how bad would it be if they lost data you gave them. And how bad would it be if they couldn't give you the product or service that you pay them for? And I think that that's really what we need to start doing. And we are definitely seeing a lot of maturing, a lot of growth, a lot of recognition that it's not just about these point-in-time snapshots. So we need to get as close to real time as possible. And then finally, what people need to start doing is they need to start bringing in threat intel and risk intel. You know, we hear about a new MOVEit vulnerability or a new SolarWinds or a new OpenSSL vulnerability, whatever it is. Well, how do you know whether you're impacted in your ecosystem? And historically, the way you did that was you made a bunch of phone calls or you sent a bunch of emails, and then you waited and you probably needed a shave before you actually got anything back from the other people, if they got back to you at all.
And of course, all the CISOs I know, I hate to say that phrase, but all the CISOs I know, they get very frustrated. And I'm like, you don't understand, though. You're sending that out to a thousand vendors. Every one of those vendors is getting it from 1000 of their customers. So they're just overwhelming. So being able to gather data and identify, like, what is the actual risk exposure to us, yes, there's a vulnerability out there, but if our partners don't use it, or if they patched or if they're segmenting and keeping it away from us, then we're not really exposed. So it's really about moving from raw data through intelligence, which is driving better decision making.
[00:06:41] Speaker A: Jeffrey, there's a lot there to unpack, so I'm going to chip at it one at a time.
I want to uncover this topic of point in time. What is the disadvantage or downside of these point-in-time evaluations? Whether it's. And I'll add on, you didn't say this. Pen testing is also point in time. SOC, ISO 27001, NIST in their flavors, all point in time. What are the problems that that introduces?
[00:07:10] Speaker B: There's one main one, and I think there are a lot of offshoots there, but the main one is just one of inertia in the dynamic world in which we live.
If you say, yes, I patch all my stuff in seven days on your questionnaire, or if the pen test doesn't get in, or if the ISO says yes, you have a great policy, well, 30 days down the road, maybe the, the person running your vulnerability management, maybe they're on vacation or maybe they quit, or maybe you let them go.
The people running governance, you know, maybe the holidays are coming, they skipped a meeting. So we start to see this spread between what you say and what the reality is. 90 days in, you're losing 180 days, 360 days. And I will tell you, not that long ago, I did a training program to get a certification on third party cyber risk management. And one of the other people on the, on the training asked a question. I had to mute myself and bite my finger because he said, so we send out questionnaires to our critical partners every three years. Is that okay?
And I wanted to scream, no, that is not okay. The world three years ago doesn't look anything like the world today. So there's point in time, snapshots, there's just always this inertia, this sort of inherent chaos. And then the bad guys, the bad actors, they're not sitting around waiting for the new questionnaires. They're always looking for new things. And we're starting to see a lot of AI. I think it's illegal now to actually have any kind of a conversation without at least mentioning AI. But the thing that I always tell people about AI, it isn't necessarily giving the attackers anything new, but it's making them much, much faster. And we are not as fast, and we were not as fast before. And the closer we get to real time, the quicker we can actually be at responding to the questions that are being asked out there of us.
[00:09:05] Speaker A: You mentioned, and you have a lot of posts around the psychology of security. It's not something that you hear about a lot.
There is a problem in these questionnaires and in actually our own perception of our security posture that is affected by psychology. Tell us a little bit about your perspective here.
[00:09:24] Speaker B: The human is always the weakest link. It's always been the weakest link. And it is also the hardest part to control. When I, back earlier in my career, when I was more technical than I am now, I used to do a lot of pen testing and I was not a very good pen tester. But you know what I was really good at was social engineering, right? Getting people to let me in where I didn't belong, looking like I belonged. I mean, a great example, my daughter flew from Florida up to New York to visit us for the holiday and she has a cat. Well, the airline charges $150 for the cat. I said, you know what, just walk on the plane like you belong there. And no one said one word. And save my, you know, save this, you know, a couple of bucks. So I think that, you know, human nature wants to be helpful. They want to be easy. My favorite line when I was pen testing was, oh, my God, if I don't get this done, I'm going to get fired. And nobody wants to be responsible for me getting fired. So that piece of it is there. And then I think the other element there is more about communication than it is about psychology. But it's still. It ties back to that understanding. What is it your audience wants to hear? How do they want to hear it? Do they want to see it? Do they want to see charts or graphs or tables? Or do they want to hear it in a story? Or do they want you to be pedantic to them? Do they want you to, you know, do a, you know, a song and dance show for 20 minutes at the board meeting? We need to understand what it is. I am frequently asked what the biggest challenge to CISOs is, and my answer is the same as it's been for 15 years, which is, we are not very effective at communicating business impact as a result of technology.
So to your point, I talk a lot about logical fallacies. I talk a lot about why poor decisions get made.
And the one that I haven't gotten to yet, and I'll share it with your audience right now, is something called the Abilene Paradox, which I never actually heard of until about six months ago. But the Abilene Paradox is a group of people make a decision because everyone thinks everybody else wants it, but nobody really does. So we end up with this groupthink where we make an investment, or we make a decision, or we make a change. And everybody doesn't really love the idea, but they all think everyone else wants it, right? And it's all based on the fact that a family goes to the city of Abilene, which, if you know anything about Abilene, I don't think is a super fun place. Please, if you're from Abilene, don't get offended. But nobody really wants to go there, but everybody thinks everyone else does. So that piece of it and the soft skills and sociology. And I'll just close with one last thing. When I do workshops, when I do tabletop planning exercises, the first thing I do is I give everybody a different job. You're the CTO. No, not today. Today you're the CIO. You're the CIO. No, not today. Today you're head of human resources, and it doesn't always get where you want, but what we do always hear is, wow, I never thought about that before. And that to me is a win because it gets people to think about what you care about. And I think that that, you know, comes back to the psychology and how you get people to do, quote, unquote, the right things, the things that you want them to do, and let them think it's their idea because they don't. Nobody likes to be told what to do.
[00:12:44] Speaker A: There's something very unique about stepping into somebody else's processes and shoes, quote, unquote, and kind of understanding what their day, what their concerns look like. I did a journey mapping exercise, something similar to what you did. Everybody explained what they do, what their day to day, what their process is. There was shock across the organization. The amount of people that put their hand up and said, oh, I can help you with that because I have data, I have a process, I can augment what I do, was both exhilarating and horrifying to the level of that. How segmented and how siloed. That's the word we used to use 20 years ago. We actually are as an organization. So I deeply appreciate that.
We started this conversation by talking about third party risk.
Questionnaires to a certain degree are unreliable. Sometimes we think we know, but it's not really accurate unless we have actual continuous monitoring happening on a day to day basis. So we give these answers. So there's an unreliability to questionnaires and even audits because at the end of the day, an audit is a questionnaire with a person then checking that those questions to a certain degree is correct. Show me some evidence.
What is this, you know, you talked about? Oh, we can see evidence that you guys are not doing what you think you're doing. How do you even collect that evidence? How can you have that information at all? Because these things can be internal, hidden, secret behind the firewall. What does that look like?
[00:14:09] Speaker B: So there are a couple of things there. I think the first is having a lot of disparate data sources that cross check against one another. So as an example, at Black Kite we collect 2100 data sources and there's a lot of redundancy there. But we don't actually report on it until it shows up in multiple places.
[00:14:26] Speaker A: Right.
[00:14:27] Speaker B: Which is really important because what you want to do is you want to limit false positives.
So looking at things like indicators of compromise. So we know a particular piece of malware does this right in the middle of the night. It opens an encrypted connection to somewhere in a country where we don't do business. And it sends 500 megs, and then it doesn't trigger again for a week or a month. So looking for those kind of patterns, trying to figure out what bad actors do, how are they exfiltrating data, what kind of data are they encrypting, are they not? What are their signatures, what are their behaviors? So looking at all of those different things, there's a ton of OSINT out there that we gather. We also have a lot of data that we buy, which obviously I won't share because it's our competitive advantage. But there's a ton of information sources out there, intelligence sources out there. And it's one thing to bring them all in, but it's another to what do you do with it? And how do you actually drive better decisions? And everything that we focus on at Black Kite is all about getting intelligence in the hands of the people who need to decide what risks to accept. So being able to gather all that, track that over time.
As an example, we have an implementation of a function called RSI, Ransomware Susceptibility Index. So we gather data and then we look at a subset of controls. So it's somewhere in the neighborhood of 35 controls that we look at. And we can tell you based on the way you've got these controls and based on your policy and based on what we see, it looks like you are highly likely to be hit with ransomware in the foreseeable future. Now, we don't predict, because I don't like that predictive thing, but we can tell you about trends and takeaways. And we know as an example that if you have this RSI above 0.8, you're 27 times more likely to be hit with ransomware than if it's below a 0.2.
[00:16:20] Speaker A: Right.
[00:16:20] Speaker B: Does that mean if you're above a 0.8, you're definitely going to get hit, and if you're below 0.2, you're definitely not? It doesn't. But if, just like credit scores, we know that if a credit score is above this, you're less likely to default on a loan. If you're doing these things the right way, you're less likely to sort of struggle. And it's really all about looking for new data sources, being able to balance them, being able to articulate why is this something that we are reporting, as opposed to the historical approach, which is you're missing 571,356 patches.
Is that bad? Is it good? I don't know. If you have, if you have two servers, it's really bad. If you have 2,000 servers, it's not as bad. If those vulnerabilities are on systems that are processing regulated data, that's different than if it's on a brochureware site. So, you know, being able to contextualize this and bring all of it together so that you're not just presenting, hey, here's a score, right? Here's a score. And by the way, here's what the compliance documents say, and by the way, here's the financial impact. And oh, by the way, here's what, where you are exposed to a bunch of zero days or recent vulnerabilities that are out there and being able to bring all that stuff together and essentially give people the tools to make better and more defensible decisions. Because ultimately that's it.
We have to make decisions, but we need to be able to defend them. Knowing what we know now, we would make this decision, or maybe we would make a different decision. And here's the plan to actually get where we should have been in the first place. And I also think that people are not quick to admit they made a mistake because they don't want to get held accountable for it. And I think we need to get rid of that. We need to get rid of the policing, we need to get rid of the stick thing. We need to stop the wagging of fingers. We collectively need to make this. We need to make the world safer. That's partially why I left my job as an industry analyst to come to Black Kite. I felt like I was so far away from the problem, I couldn't really help anyone anymore. And now I'm kind of not down in the weeds because I'm well past that point in my career. But I'm now working with practitioners and they're telling me, hey, I don't know what to do here, I don't know what to do with this. So our goal is to really help them do that. And yeah, the questionnaires are never going to go away. But imagine if we could collect a bunch of data and say, you know what, instead of sending out 300, 400 questions, you can send out 30 questions because we already know they're doing or not doing certain things based on what we see, you know, through these indicators of compromise and sort of known malicious traffic.
[00:19:01] Speaker A: Yeah, I'll tell you, I was the guy answering these questionnaires and it is, it's somewhere between 80 and 300 questions and sometimes they're sent out in the sales cycle. So myself as a vendor, we're not even sure we're going to get the deal and yet the sales guy is saying, hey, can you please fill this out? It's a huge time dragon. So I totally understand the proposition here. My question is this, with this ability to see into the third party risk, what can we do about it? Is it just about saying yes or no to a vendor or is there more that we can do in the process of helping everybody get better?
[00:19:39] Speaker B: Leading questions. So I was actually asked by our customer success team to come up with some use cases for third party cyber risk management that people are not necessarily using. So, so the first one is onboarding. So understanding who you're bringing into your environment. If you have two or three vendors that do the same thing, all things being equal, wouldn't you want to bring in the one that's doing a better job with cybersecurity? So that's the first one. The second one is looking at the financial impact. So being able to articulate not just, hey, this vendor is not doing what they need to do, but not only are they doing that, but they have a ton of regulated data. And by the way, if they're out for a week, it's going to cost us $7 million. So being able to do the financial sort of scoring and impact. The third one is really around continuous monitoring. So being able to update your risk exposure in real time or as close to real time as you can ever get, changing. So as an example, we had one of our customers reach out to a vendor because they saw a spike in the RSI and said, so did you guys get hit with ransomware? And the vendor said, how did you know?
And we said, well, we didn't know, but we saw that over the last three months your RSI keeps going up, so we just want to make sure everything's okay. So we didn't know they got hit with ransomware, but we knew that they were more exposed.
And then the next one really is about continuous threat intelligence and we have some really cool stuff that we're looking at out to the future. But being able to look at your ecosystem of 10,000, 50,000, 100,000 entities and say, yeah, these 500, it looks like they have an unpatched MOVEit implementation. So what do we do about that? And then the final one really is sort of about just better workflow management.
We frequently partner with and plug into GRC, governance, risk and compliance, tools.
And we have the ability to look at, hey, your RSI just went up, your score went down, your compliance score changed. You now have 20 focus tags open versus five. So being able to sort of do that continuous assessment and continuous monitoring. So I think that all of those things, and they depend on varying levels of maturity. And then sort of the final wrapper is really going outside your third parties, going to your fourth, your fifth, your nth party.
You may choose, and many companies do this, to not do business or not put more than one business critical thing in one provider. Well, what if all of your biggest partners are doing that? Right? And not to pick anyone. Google goes down or AWS goes down or Rackspace and all of your partners are using them.
You're exposed and you may not know about it. So being able to look out past sort of just your partners to their partners and their partners. And I'm dating myself a little bit with this, there used to be a shampoo commercial. They tell two friends and they tell two friends and so on and so on. And it just, you get to this multiplier.
As an example, our biggest customer right now is using us to monitor 100,000 parties. Only about 30,000 of them are their third parties. The rest are fourth parties, fifth parties, they go out actually to sixth. So looking at that, I know that was a very long answer, but you should be able to manage this just like you manage any other risk in your environment. And you should not be caught flat footed and you should not be hit in the face with the pie or the pan. The more we know, the more intelligence we can bring, the more interactive, the more collaboration we can have, the better off everybody is.
[00:23:34] Speaker A: Yeah. I mean, this point that you made around understanding the risk that the vendors present to the business is huge. This is a real story. We had what we thought would be a simple contract renegotiation.
The vendor comes back and says that, you know, oh, based on our work for the last year, our cost to service you guys is incredibly large. We're not making money. We need to double our prices.
That got, of course, direct impact on our pricing. Suddenly we need to increase prices. Looking at the competitive landscape, we're not competitive anymore.
And then, and now going into this work with the vendor was actually months and months of integration work. So we can't swap them out. And it creates this situation that actually a contract and pricing issue created this huge problem with our business model. Now this is the same when it comes to security risk and many other vendor related risks. So I would say just understanding what is the risk that these vendors mean to you. And the second thing I would say that I would add on to your topic is that having more than one vendor, as simple as that, and having the ability to maybe use a vendor at a lower volume and be able to switch over volumes easily with a turnkey, just having that multiple contracts, multiple vendors, be able to shift loads from one vendor to another, that can save your, you know, save you millions of dollars in, in certain cases. So it's such an important point about just thinking about how you manage and integrate with vendors. I really appreciate it.
[00:25:14] Speaker B: And actually I'll give you a different example too. Sometimes there is no alternative source. I have a friend of mine who is the CSO for a global manufacturer and they had a critical provider who essentially was not doing a good job on cyber. They actually bought $5 million worth of raw material and tucked it in a warehouse because they knew if that company went over they were not going to be able to recover. And then, and I love these things, three months after that happened, that vendor got hit with ransomware, fell over, and my friend's company did not have a minute's hiccup in production. They were able to go to management and say, look, this is a single point of failure for us. And by the way, based on what we know, they are not doing what we really want them to do.
What do you want us to do? And then maybe then the business people can fight it out.
[00:26:05] Speaker A: What do you do when you identify issues with the vendor's vendor's vendor, when it's third, fourth, fifth in the line in the supply chain? How do you even attack that? I mean, you don't even have a point of contact into that vendor.
[00:26:19] Speaker B: Yeah, that's a tough one. And a lot of it really, this is where contracts become important. Increasingly more and more contracts are dealing with sub-processors. And I will tell you that I believe that DORA out of the EU is going to be a bit of a watershed moment there. Now granted, DORA is targeted at financial services, but if you are a provider to a company who is subject to DORA, you're going to start getting DORA questions. And I think DORA is much more about third party. So I think it's really just about communication. And one thing we find is that oftentimes our third party doesn't know what the exposure is because they're not doing anything advanced in third party. And again, some of it is just about communicating to the business stakeholders. You know, this is a lesson that I learned at Gartner. I was told never put a problem in a presentation unless you have an answer. But I fought back there because I said it's useful for everyone to know, hey, you know what? Nobody knows how to fix this, right? Then we don't feel like we're alone. And I fought that battle. And I, and I was actually quite proud of that moment. But I think we need to, again, we need to be much more collaborative. And this is something I've been saying for a while. We're at war. We're losing. And in part, we're losing because the attackers are collaborating. They work together, they communicate. We don't. We don't talk to people in our own company. We don't talk to companies in our vertical, we don't talk to companies outside our vertical. And then on the vendor side, and the vendors are guilty of this, they don't talk to each other. They don't collaborate because they're fighting tooth and nail over every dollar, pound, euro, yen they can get. But I think when they do that, we are doing a disservice to the global sort of, you know, digital ecosystem, I think.
[00:28:18] Speaker A: Yeah. I mean, especially when you compare that organized crime is organized. Right. They are working together. They are a team. You can buy, you know, SaaS offerings for, for malware. Right. There's support lines that you can call up and say, hey, my hacking software is telling me this. How do I achieve this hack successfully? It's ridiculous, the level of productization and professionalism that they have.
[00:28:44] Speaker B: They have affiliate networks, they have customer success teams, they're subcontracting out discovery of new 0-days. It is crazy. You're right. We are head of resources.
Farah Dickbiak actually created an org chart for ransomware gangs. So I'm happy to share it with you and you can share it with the listeners, but it really, like I do a whole presentation on ransomware gangs as unicorn startups. And that one slide is the one that everybody's like, where did you get that? Right? Because there's a CEO, there's a COO, there's a CFO. They're running these things like unicorn startups. And we are still trying to defend like they're, you know, script kiddies drinking Mountain Dew and eating pizza in the, in the basement. And it's well beyond.
[00:29:31] Speaker A: There's a really interesting story about this researcher that basically somehow got entangled with a crack gang and then helped them build out basically a professional corporate structure. And they became one of the most, you know, successful crack gangs in the, in the area. If we're trying to get better as a, let's say the defender side of the equation. Right.
Should we just, you know, have everyone agree to have monitoring tools and then we kind of know what's happening with everyone at every point and we can kind of collaborate and share that information. Why not take away all these questionnaires, monitor everything that every company is doing and then if there's an issue, we just help each other out. Why not take a much more aggressive approach from moving from what we think we know to actual monitoring tools everywhere?
[00:30:23] Speaker B: That is an awesome question and I wish I had a really good answer. I've been doing this for 30 years and we constantly see public private partnerships and data sharing in repositories in marketplaces and I just don't think they scale really well.
The second thing is.
[00:30:45] Speaker A: Wait, hold on, let's jump into that before the second thing. What's the scale issue here?
[00:30:51] Speaker B: So we have data on 34 and a half million companies, just as an example. Right. Or 30 and a half million entities.
The biggest repository I've ever seen of third party sort of certification data is 100,000, 150,000. So I just feel like now in that is going to be all the big players. But as you know, every vertical has its own small SaaS players. Well, I can tell you that they're not being monitored on an ongoing basis.
So I just think that's scaling and the immense amount of data at any given time. We have one of the biggest data stores in the cloud that we use and half that data is being updated every two weeks on average. Right. It's multi, multi terabytes up into getting close into petabytes worth of data. I just don't think people can handle that. And, and then here's the other thing too.
Mid sized companies, even some of the folks at the lower end of large, they just can't handle that influx of data. They don't have the capability to make decisions based on it. So again, I think it's great to say, yes, let's have these central repositories. But who trusts them? I'll give you an example. We did a dinner about two weeks after CrowdStrike and this is not a hit on CrowdStrike because I think, I think what happened to them could happen to anyone. It just happened to be very big visibility and I can imagine it'll never happen to them again. But I asked at dinner, I said, so you're asking in your questionnaires, do you have an MDR? Of course we are. Well, are you asking what MDR? No. Do you think that would be useful information? And they all said yes. And then the very next question was, who do we trust to keep that data repository safe? Because if I'm an attacker and I can find out who's got all these softwares and what they're using to control security, I have information that could make me a more effective attacker.
[00:32:51] Speaker A: Yeah. And that's a key point that I wanted to get to. You know, this is the way that hackers abuse us, right. They take the patches that have just been released and then they're hoping that you haven't patched it yet, and they're disassembling the patch in order to create an attack, which is much easier than going and really searching for a vulnerability.
So there is a risk here in basically having a central repository, which really gives you the key to this is how I attack this organization. So there's some embedded risk in that.
Jeffrey, if you had to give one piece of advice to every CISO, what would that be?
[00:33:27] Speaker B: I'm going to cheat a little bit. I'm going to give you two pieces of advice. So the first one really is about learning what your business is, learning what your business does for a living, learning how to read your general ledger, learning how to read your P&Ls, speaking to the executives. And it doesn't necessarily need to be the C levels, but the EVPs, the SVPs.
Talk to marketing, talk to sales, find out what's important to them and make sure that you are protecting the assets, both digital and physical, that feed up into that. To my mind, if you don't do that, everything else is just throwing stuff against the wall and hoping for the best. So.
[00:34:03] Speaker A: And is this all about seeking that single point of failure that you might not even know exists?
[00:34:10] Speaker B: I think that's part of it, but I think it's even more. I think it's even broader than that. I talk to a lot of CISOs and I say, so, you know, what are your business's goals and objectives? And they don't really have a clear sort of view or clear thing. As an example, if your company is trying to grow by acquisition, well, that's going to have a different impact on your security program than if they're trying to grow organically. Right. Because then you need to have a better process in place for assessing the risk of new companies that you bring in.
If you're looking to focus on customer retention versus customer acquisition, if you're looking to roll out new product lines, all of those things are going to have an impact on what risks are important from a cybersecurity perspective. So I think it's really broader than that. And CISOs never like to hear me say this, but if you're not effectively communicating the business impact, nobody's going to listen and no one's going to do what you want. So that's the first one. The second one is really more a governance challenge.
Cybersecurity, for whatever reason, frequently sits in its own silo. It frequently does what it does without sort of oversight from a lot of the rest of the business. We give the CSO money, we give the CIO money and let them do their thing. But we need to see better governance. We need to see the business understanding. So what framework are we looking at?
How are we implementing? How are we prioritizing our risks? How are we building treatment programs? How are we providing continuous improvement? How are we assessing and identifying where our risk exposures are and communicating that up to the board and up to the non-IT C-level executives?
There just isn't really enough governance in there. And AI is a great example. I did a panel back a few months ago and it was a great panel. And about two-thirds of the way through, I polled the audience, so 50 CIOs from companies you would know: how many of you have governance or policy around AI? Only about 10% of the hands went up. I said, so we're going to tell you a bunch of really cool, good stuff that you're not going to be able to do. So getting that governance in place, getting accountability, making sure that you as the CISO, you as the CRO, are not the one that is responsible or held accountable for decisions. Your job is to communicate to the business, here are risk exposures, here are some options. What do you want to do? Let's do that. And then there's accountability for the decisions we made about risks we accepted or didn't accept. I would say those are the two things.
[00:36:54] Speaker A: Jeffrey, thank you so much for joining the show today. I appreciate you.
[00:36:58] Speaker B: It was my pleasure. And I appreciate you for having me.
[00:37:01] Speaker A: Thank you so much.