
So thank you very much for being part of the CISO panel. The panel title is "CISO Panel: Modern Security Challenges." As Thomas Matthews introduced, you know Robert Martin, Michael Dwyer, Gordie Mah and Hany. I would like to give you the opportunity to introduce yourselves in detail. Let's start with Robert.

Robert Martin. I'm the CISO at Alberta Health Services. I've been at AHS for pushing 11 years now; I came out of the consulting world before that. I was saying that I probably know a third of the people in this room from the fact that we've worked together in various contexts before, and I've been in security since 1996. If you have a good few minutes after this, I'll give you my first story around security consulting.

My name is Michael Dwyer and I'm with the Government of Alberta. I've been with the government for two years; before that I was with ATCO and Enbridge in various security roles. You can check my LinkedIn profile if you're really interested.

Gordie Mah, University of Alberta. I've had the absolute privilege and honour of working with everyone here, either directly or indirectly, and we do value the ability to network and share with our cohort. I see it's great that people are also doing this even as we speak. Don't underestimate the power and the value in networking.

I'm Hany, with the City of Edmonton. I've only been there for a couple of months, but I've been in the industry for 28 or so years, way back when, if you remember those tapes you would see on mainframes. It's a real privilege to be here, and I actually recognize a lot of the faces. It kind of really reminds me of how small a community this is, and thanks to the few people that really put in a lot of effort making BSides Edmonton a reality.

So I would like to give a disclaimer: as a U of A employee, these questions are coming from me as a security professional, not as a U of A employee. My first question is: how are your organizations staying on top of current risk when every week something new is discovered that demands your attention?

You can't be concerned about the latest named ransomware attack or the latest IoT vulnerability. What I think we should do is put in place practices and processes so that you're able to deal with whatever comes your way, and then also recognize that you're never going to be 100 percent secure. You can do everything you can to react as well as possible, but I think that incident response, and that ability to figure out how to stop an incident from happening, is as important as the work in making sure that you have the controls in place at the start.

Michael?

I'd love to just echo what was just said. From my perspective it's really about having the right procedures in place before something happens. Most of what you hear in the news can be taken care of by having a good process and a good set of people doing good work in the background. By the time you hear it in the news, I generally have a second problem. It's not how to deal with it, because I know we have good people in place and it's probably been dealt with; the larger problem for me becomes responding to all of the questions from within the organization. When people hear about these things in the news, the first thing they do is call the CISO and say, "I hope this isn't happening here, right? Tell me everything's okay." And so when you have good people and good process behind the scenes, you can tell them that.

Similarly, and again as has been echoed, because it's not practical to keep abreast of all the latest and greatest, it's absolutely crucial that you do have a solid security posture. It's interesting: I was involved in a presentation recently where some of the theme was "same as it ever was," the song from the Talking Heads, to say that some of the very similar exploits and exposures from ten years ago, from twenty years ago, we're still dealing with those today. So that again likens to what the two colleagues mentioned about ensuring that you have that adequate posture, and that now it's no longer a matter of if, it's definitely when, and so you absolutely need to have that recoverability. Similarly, we have to try to deploy more of a holistic viewpoint, whereas previously it was very myopic. One simple example is that your network team may see some traffic in traffic analysis, whether from a specific IP or a specific range of IPs, and doesn't see that as an event in and of itself; then your audit and access management people may see a huge number of unsuccessful logon attempts, and again, previously that would be in that silo; and then your database people may see some excessive amount of exfiltration, be it file sizes or file types or sessions or not. So it's crucial now for effective response to have that holistic approach, where when you can piece that entire picture together, it can give you the ability to actually address it in a more timely fashion. And sorry, with respect again to addressing the impracticality of everything that's new and latest and greatest: don't feel too proud to acknowledge that that's difficult, and again leverage from whatever sources. We at the university fully leverage from colleagues, from other universities, from whatever sources within, and from professional sources as well.

Hany?

I would say the same as what's already been said. I would say that it's a matter of looking at things from a risk-based approach, and not all risks demand the same level of response. But I would say that when we look at things, we look at what our material assets are, and so I react accordingly. If I have something that's less material, it's probably a different approach than if I have something that's very, very material to the organization. The other thing is I think it's in preparedness, and that preparedness requires that you're not reacting but you're thinking and planning well in advance: you're identifying what your key controls are and really getting those controls in and really stabilizing them. As has already been said, it's not just the technology; you want to make sure that you have your people, you have your process, and yes, there's this thing called technology, but you get it all fully implemented, fully operationally implemented, and then you have measures to know that things are the way they need to be. And then that preparedness also means that you have a way of responding.

Okay, thank you. So we've heard a lot about GDPR lately in the news. How have new regulations with a global impact like GDPR impacted your organization? Let's start with you.

Sure. So, directly in my scope, it's something that we're always kind of watching out for. Any third-party requirements, any legislative requirements are always things that you're very mindful of and you're trying to respond to each of them. But really, the way that I like to look at it is that it's a risk-based approach yet again: if I do the right things, I will by default start to comply with a lot of those requirements. So we do those right things, we manage things from a risk-based approach, and then naturally compliance will start to happen. One-offs are, in my mind, not a very cost-effective way to go after compliance mandates, so I don't do something for GDPR that's completely different from PCI that's completely different from how we protect critical infrastructure, for example.

Okay, Gordie?

With respect to the university in scope of GDPR, we've assessed some of the primary criteria. So for instance, we do have physical presence in EU member states: in Italy there's the Cortona Bachelor of Arts program, for example. Secondly, we don't actively target or market to EU citizens with respect to the sale of our goods. And thirdly, we do conduct some form of automated decision-making based on personal information of EU citizens, be it customizing your web experience, or if you're applying and there's an auto-evaluation based on your grades or not. So there are some touch points, some scope. And then, exactly as Hany mentioned, now what's the risk? What's the risk to the university and to EU citizens with respect to the legislation? So we're getting a sense of the magnitude: the number of EU citizens we have in our faculty, staff or students, and again in relation to the amount of activity with those few physical locations. And then, based on the risk approach, that's going to inform our tactics and our strategy to ensure that we're compliant in an appropriate, commensurate means.

Michael?

So for us, we started looking at GDPR a number of months ago, just like everybody did. We started panicking just when everybody started panicking, and we looked at it from two perspectives. There's the regulatory perspective, and the question we had to answer there was: does this apply to us? Are these rules applicable and enforceable here, and to our employees? The other side was more what I was involved in, which was: do we have the controls in place to support those regulatory requirements if they are in fact requirements? So our office went through an exercise of going through and saying, okay, well, if worst-case scenario it applies, how does that impact us? And as the province, of course, we have a number of people. I'll just give you one example that was brought up: if a European Union citizen visits Alberta and has a problem and ends up in the hospital, for example, or somewhere else interfaces with the government in some way, we generate records on them. And then the question was, well, will we have the controls in place in those systems in order to fulfill the requirements of the EU? So, to make a long story as short as I can, we do have those controls in place, and so if it's applicable to us, we're able to respond. The question of whether it's applicable or not is still being handled by the appropriate legal authorities, who are coming up with answers there. We kind of broke it in two, and I just handled our piece.

Oh yeah, so Gordie's second point, I think, was whether or not we're marketing services to EU citizens, and our legal counsel determined that we are not actively marketing to EU citizens, so GDPR didn't apply. You know, somebody comes to Alberta, breaks their leg and goes into a hospital, we're certainly going to give them the services, but we didn't think that there were any particularly additional controls that we needed to apply because of GDPR. And we have lots of controls.

Thank you. So as a security professional, I think security awareness is really important. What do you think the effective components of an information security awareness program should be?

So I can open by saying that the biggest threat to any organization is the organization. That doesn't mean that people are bad or malicious or stupid; it just means that people do things, and you have to give them permissions to do work, and if those things go bad, or they're compromised... you look at almost any of the large publicized breaches in probably the last three or four years, and they all started with some sort of compromise of the individual. And so from a security awareness perspective, I think there's really two ways to look at it. One is to do as much as you can to educate and inform: try to find ways of getting those individuals to understand that this is important to them in their professional life but also in their personal life. So for years we've tried to put things in place that help them at home, or help them with their kids, or help them with their parents, so that they understand this is applicable to them, not just in a professional context. But then the second point is understanding that there's going to be problems.

Mike?

Yeah, we've come to much the same conclusion about focusing on people, as they're the most likely vector right now for problems in our environment. He kind of stole my thunder a little bit, but we've also come to the conclusion that simply focusing on security for individuals at work doing their jobs is not something that people tend to consume voraciously and actively. So in order to entice them to get the message, we package it with what they can do at home, what they can do for their children, so that basically there's a reason to bring them out, or to have them start reading and consuming the stuff, instead of it being just another one of the required trainings.

I heard that the GoA tries phishing employees and then educates them?

We do, but we've tried very hard to not make it a punitive exercise.

Okay, and I think that's important, because people don't need another slap in the back of the head for doing something wrong.

Yeah, we really made a strong point to not turn this into a "if you get caught, big red light and an email goes to your boss saying you need to go for remedial training." That's not the approach.

Just to advocate a different angle from the university, because Robert and Michael are bang on: we're actually trying to assess how to make our existing training more effective. That is to say, since we've deployed quote-unquote mandatory training, we have the recourse now, when we're doing breach management, to see if said employee did indeed fulfill and comply with their training, and in pretty much all the cases they have. So what is that saying? What is the training actually buying us? So we're trying to develop other types of measures and trying to determine how we need to augment our existing training. And also, to the point that Michael makes, we want to focus on the learning opportunities. So for example, if you're failing the email phishing testing, then there'd be some learning opportunity, but we also want to leverage from all angles of learning opportunity. So even if you're successful in an email phishing test, there's still opportunity to further communicate and also let them know: great, there was a test, you passed, but here are some other things to know.

Thank you. Hany?

I would agree with what's been said. So we talked about key controls a little bit earlier, and for us awareness is such a control; it's very much a key control. If you look at how employees work today, with devices that are mobile, with access anywhere, and even when we look at some of the assets and the fact that they're no longer on-premise, some of those assets are now elsewhere, it becomes very, very important to educate people as to what to do, what not to do, signs that things seem off. A big part of that is awareness, and we take it from multiple approaches: there's awareness that we would do for an end user as they're being onboarded; there is awareness that we would do for people with administrative access, because of the level of privilege that they have and the potential of what they could do to a system; as well as training that we would do for executives, because of the kind of access that they have and the authority that they have to be able to make decisions that could potentially impact systems. But I would say, going back to some of what I've heard, what I prefer the most is when we educate our employees on how to protect themselves at home.

I think the same question: is the City of Edmonton doing something different for the general public for cyber security awareness?

Well, in the two months that I've been there, we're in the process of planning that; that hasn't quite started yet. It takes a little bit of time to get those things in place. But what I'm very much used to, and what we're going to be looking to do, is awareness through things like phishing campaigns, advertisements and so on. A big part of it as well is looking at it from a positive point of view, making sure that we don't use it in a punitive way, as Mike has said, because the last thing you want to do is "you did something wrong." It's, you know, "we're trending in the right direction, and here are some of the benefits of doing that." It's always looking at it from what's good, because the last thing we want to do is disable functionality or have systems be less used. We want people to access the systems, to be able to use that information; we just want to help them in knowing good practices from potentially risky practices.

We make some of our awareness materials publicly available on our external website. There are messages that we want to keep internal, but where there are things that are useful, there's a lot of people that go to the AHS website, and if we can catch a few of them, we can do that.

Same thing with the city. The city is obviously a big part of things that we can do that are just beyond our...

Thank you. So we hear about the Internet of Things these days on TV, at cyber security conferences, everywhere. What has been the most surprising issue related to the Internet of Things encountered inside your organization?

So I'm going to answer that in two ways. The first way I'm going to answer it is: it's just another threat vector. It's just another thing you have to deal with, and if you are chasing the Internet of Things because that's the thing that you think you have to chase, then you probably don't have your PCI controls and your SOX controls, you probably don't have key controls testing, you probably don't have all these other things, and that's a problem. To be honest, though, or to be fair, though, I think the work that we've already done needs to be extended into that space, and that's where the trick is going to come in. It's not so much that we have no issues with regards to those devices, whether they're medical devices or building management systems or, what did Tim say, the vacuum cleaner with the camera on top (I'm not sure why you'd have one). It's not so much the specific devices; it's the fact that you have to understand that those are now your assets. So that's the first way that I take a look at it: it's the things that you do as part of your hygiene program, as part of your operational excellence program; those are the things that you have to do regardless of the type of device specifically. I think the thing, maybe not AHS specifically, but there have been lots of issues reported in the medical device community about issues and vulnerabilities being exposed on some of the medical devices in the industry, and I think the thing that's been most interesting about that is that NIST in the United States has come out with their standard on how to secure wireless infusion pumps (an infusion pump is the thing that pumps the drugs into your veins). That is indicative of the fact that it's obviously a pervasive problem that needs a solution. And so, without giving the details of what's in our environment, I think that's the most impressive thing: that it's got that much visibility that people...

Thank you. Michael?

So from my perspective, the surprising thing for us and our team has been actually a lack of awareness amongst the business folk that these devices are technically IP devices and that they exist. Our networking teams generally don't manage these devices, and a lot of them have been within government for a long time, and so you have business people who know that there are these controllers in place doing various things in the government, but in the back of their mind it's not an IT device to them, not the same way that their laptop is. So a number of years ago we did an initial scan of our environment to say, okay, well, what do we have in this space, what are our risks here, and we came up with a very large number of devices. When we would go to speak to the business folk, they were oblivious; they had no idea that these things were actually on the Internet. So, to your question about what's the most surprising thing: it's been a lack of awareness amongst non-technical people about how much connectivity there actually is. Yes, your smart TV... they're not aware of that. So it's been a lot of raising awareness amongst them.

Big Brother is watching us. Gordie?

Similar to Michael's last point, what's surprising is the degree and magnitude to which we're already in it. And so we'll find out through our close interaction with our facilities folks, be it parking meters, vending machines, SCADA systems, building management systems, new or not. And as Robert alluded to, hopefully and fortunately in some cases there's already coverage through existing managed-device IT controls, and where there's not, then there are new flags raised. Similarly in the health sciences, with a lot of the biomedical IP-enabled devices, it's surprising how much work we really have in it, and it goes on and on for other disciplines and faculties. So again, on the one hand, hopefully we have device management in place, and how do you account for risk from under-managed devices where we can provide adequate coverage? But then there's just a lot of work to do, because it's only growing even more in magnitude.

We get into some similar challenges where some people will say, well, is this real? Is this a real concern? And I think to some people it's not; they don't think it's here yet. But the reality is we are, with IoT or industrial IoT today, where Wi-Fi was 20 or 25 years ago: people didn't know if it was just a fad or if it was going to become a reality, and it's a part of how we live every day. This is here, and it's in volume, and it's going to continue to increase. So one is we need to get the right executives aware of that reality and what it means. In some cases you look at these assets and you go, well, are they generating information, and how valuable is that information? There may be cases where it is, but in some cases it's the function that those devices perform, whether it's industrial control systems, or health and safety, and so on. So the reality is it's a new kind of asset, but it's not that different, and the approach that we take in treating that asset is not new. We already know what to do, how to deal with it, where our key controls are, how to protect ourselves, and we need to look at these systems based on the materiality, apply our key controls, understand our risk. We're never going to get to zero risk, but we make informed decisions as these systems become more and more...

So here we have people who are from different organizations, so they might want to know about managed security service providers. Some organizations, I think, utilize the services of a managed security service provider, while others are considering it. Are there any highlights, comments or horror stories (no offense) you can share related to MSSPs?

There will be no horror stories. If there's something I could say to be mindful of or to think about before you go to a managed service provider, it's something that we've been trying to come to grips with after the fact. When you go to a service provider and you set up your contracts, there'll be, you know, expected deliverables, of course, what you expect from them and when you expect it, and often, like what we've done, it's essentially a black-box service, right? You're paying for a service from them. That's well and good from our perspective: when I'm thinking, well, do I have to have staff? I don't have to manage those staff, I don't have to manage the budget for the software, I don't have to do the patching; all of that goes off the table. But what often gets forgotten is that if you do that, and your organization is planning on maturing in the future and looking into, for example... I have a team that does threat intelligence, and in order to do good threat intelligence you need a lot of data from all of your devices. If you've outsourced to a managed service provider as a black-box service, a lot of that data is being aggregated outside of your environment; you're just getting views of it, summaries of it. In order to do good threat intelligence, you need to be able to mine a lot of that data, and so the trouble people can get into is that if your service provider is also servicing other clients, they'll have one common set of tools, for example, that they use, and they'll be very reluctant to give you access through those tools into their environments. So the one takeaway, for next time or for somebody considering it, that I would say is: aside from the services and all that, think about your future considerations, where you want to go, and if you're going to lose a lot of that big data to mine yourself, you might want to include that in the contract somehow, or factor in getting it back from the vendor after it's been aggregated. I mean, it's true that it all comes from you in the first place, that's true, but after you've pushed it all out it's a lot easier to go grab it from one source than to go back into your own environment to find it again in eight or ten or 3,000 different places.

Absolutely. That aspect about integration is huge, and we're taking a serious look. So whether it's from a managed security service provider, which is a managed service provider generally speaking, or a SaaS service or what have you, as you said, there's data out there in disparate silos now, and so our interfacing needs, our integration needs: we're not wanting to be five years more down the road and realize that it's not practical to have some means of integration and interface. So we're looking at some solutions now. With respect to managed service providers generally speaking, we've always held three sort of general principles: one, you, the customer, own the data; two, you the customer and the service provider share the responsibility for securing the data; and number three, you the customer bear the responsibility for assuring that the service provider has adequate privacy and security of the data. And so it's the traditional adage that you can't outsource your responsibilities, but just with the proliferation of SaaS services and what have you, that's never been more true.

Thank you. Hany?

So I would say managed services or managed security services are just another way in which to operate your assets, and you have to really understand the pros and the cons of the different options they have available to you and go with what makes sense. You should do this with anything, but especially when you start moving some of those functions out: really understand what your requirements are, and make sure that you document those and ensure that those are injected into the contract, and ensure that you truly understand that contractual agreement, its terms, its conditions, your responsibilities, those of your providers, and how you would repatriate that asset should you ever choose to. That's sometimes not something that's often thought about. But finally, to Gordie's point, understand that you are asking someone to do something, you're assigning them that responsibility, but that accountability still sits with the organization. It's still your asset and it's still your risk; no matter what, it's still going to come back to you. So really, really understand your responsibilities.

No, no, but look, in the last several years we've insourced pretty much everything, and the main two reasons we've done that, I would say, are: one, the contracts that we had in our outsource arrangements were old and not reflective of the modern IT environment, so we insourced so that we could do that; second of all, we've spent a considerable amount of time, probably a decade now as AHS, to consolidate and standardize our infrastructure and processes, whether it's IT or buildings or whatever, across the province, and it's probably impossible, certainly not practical, to start outsourcing when your processes internally aren't consistent or you have different architecture and different applications across various zones. So we don't have a lot of experience looking at outsourcing, because we haven't done it, because of the consolidation and integration.

Thank you. So, Hany, checkbox compliance is slowly being replaced by risk-based decision making. How have your organization or risk management programs adapted to this current trend?

So I kind of alluded to this a little bit earlier, but really, compliance is sort of what happens if you do risk management the right way, and if you're just chasing compliance, you're going to spend a lot of effort and you may hit some of your compliance requirements, potentially not all, or at least not in a very effective way. So, yes, it's looking at your risks, how to manage your risks, potentially identifying and focusing on those key controls, doing those things right, and it's not just the technology; it's the technology, the process and the people, and continual measurement. And then what you'll do is you'll want to identify how these controls that you have help you meet the different compliance requirements, and if you do that there'll be very few things that are left over that you may need to do specifically for one compliance requirement versus another. It becomes more the exception.

Hany, do you recall, about fifteen years ago you said to me that checkbox compliance is a lot of noise?

I do.

Yeah, you were ahead of your time, as always. And the timing is interesting, because at the university there's a few mechanisms. We have an Enterprise Risk Management Committee, which is a cross-section of the key portfolios across the university, and so in IT, and for information security, we're looking to augment the traditional sort of checkbox, the traditional, more flat y-axis and x-axis of likelihood and consequence. We need to superimpose onto that the asset value; we need to superimpose onto that other data points, other criteria that will empower the senior leaders to make the risk-based decisions, whether it be financial risk or reputational risk. That's how we need to frame this, similar to what Tim was speaking to first thing in the morning as well: needing to frame some of the questions in a meaningful manner, because IT and security shouldn't be making decisions in these fiscally troubling times where some difficult decisions need to be made. So, yeah, the timing is interesting with this question: we're evolving to become much more business-based in our security management.

Thank you.

Yeah, so from an organizational standpoint I found that the transition between going from checkboxes to managing risk is very... I don't want to say it's easier, simple, but from our perspective it's well understood and very easy, and in a way simple. But the larger challenge with it is the organizational challenge, which is getting the organization to accept the idea that risk, instead of existing with the tech nerds and the CISO, belongs to them. So we're trying to evolve, in our environment with the business partners that we have, a relationship whereby they see themselves as owners of the technology, owners of the data, and we're advisers. Getting to that stage for some organizations can be very difficult, because there can be a history in some places of, you know, nobody wants to take on responsibility, especially when it comes to technology. And I can feel for them: for a non-technology person, somebody like me shows up at your door and says, you know, we're changing things and now you're responsible for this server and this application and all this stuff. And I used to make these decisions, right? Like, can we apply this patch? It's your decision, but it's going to cost this. These were decisions they didn't have to make before, so there's considerable resistance, and we're working through that. It's the right thing to do, but I guess my only comment about this is that we can't expect it to happen overnight in an organization, simply because any kind of change like that takes time, and people have to start accepting their responsibilities instead of us just dumping on them, because that never works.

There's probably 15 or 20 different points I could make; this is a really interesting question. I'll tackle a couple of points. One is my counterpart on privacy, Linda French, doing the same sort of thing with regards to "well, actually, Michael, this is your responsibility," and they would go, "oh no, no, that's not." Simple: actually, it's always been your accountability and responsibility; we just weren't very good at communicating it before, and you weren't very good at understanding it before. I think that's... well, it's a funny thing to think about, but I think the leaders have matured, and our programs have matured, and we've matured as leaders to get to the point where we can have those conversations. We probably couldn't have had that even ten years ago, just because we weren't in that position, or IT wasn't in that position, or risk wasn't. The other thing that I would say, from a purely titling point of view, we went through a...
reorg five years ago inside of i THS and i changed our team name from IT security and compliance to information risk management and that was strategic in that i wanted to get the focus on risk but it was actually amazingly transformative because the conversations changed when you have compliance in your title people go oh my god right when you have and literally the toner wasn't dry on the draft org chart when one of our counterparts and IT on the ops side picked up the phone and called me and said well you guys are the risk people how can you help so how can you help me solve this problem and it just sort of changed the flavor of the conversation
because we can help manage risk instead of being about compliance the last thing I would say is one of the things that I've learned over the last several years whether it's COBIT or ITIL or PIM Bach or anything the pedantic application of theory is never a good thing and even today we're continuing to mature how we look at the kibitz and I tills and the ISF IRM stuff to figure out what's gonna make sense from our perspective mm-hmm how are we going to build in our organization the the controls the the tools the frameworks that reporting so that we have something that works for AHS and if if I were in Hana shoes I would do a different thing because those
frameworks wouldn't necessarily frameworks wouldn't necessarily work at the city and I think that's the important thing what's gonna work for your organization thank you I would just if I could if I would just add to what Robert said in the sense that for this to continue to evolve we need to continue to speak less technical that that's that's really the only way to move forward in a successful way and and and yes we're the accountability ultimately rests it's always a bit of a you know a balance but at the end of the day if we take it and we speak it in business risk it starts to become an easier conversation to have and where it
lands becomes a little more obvious.

Yeah, and to come back to you: I think over time I've seen in my career, a lot of times, that IT would say, well, the business doesn't want to do that, or the business will never accept that, or the business... and it's like, well, let them decide what they want to take on. And yeah, I think you'd be surprised at the maturity and the level of understanding.

So, like, we live in Alberta, so we pay for insurance, like home insurance, car insurance. Now there's cyber insurance. So how many people here are looking for, you know, cyber insurance for their organizations? Can they raise their hands? There's one, two... there we go. Yes, so you would need to know what is guaranteed to you before you pay for it. So first, my question is: what is your perception of cyber insurance?

[Laughter]
I can't get a word in edgewise. It's an interesting question, timing-wise as well. So at the University we're coming up on two years in with our first ever cyber insurance policy, and prior to that, the antecedent influences: for about five years prior to the point where we finally signed on, and it's probably been longer, every year we'd be queried. But previously, because it is such an evolving and new sector of insurance, there were some issues, everything from an extremely high deductible, most of the deductibles would be a quarter of a million dollars, and then the premiums themselves were within a range... And then, so just again, it's such a new entity, and trying to negotiate a low premium but as wide a coverage as possible and as high as possible, and how things were working out. There was also previously a lot less clarity around whether the coverage includes class-action lawsuits, for example, or punitive or other penalties on a legislative or regulatory basis, and there was unclarity, for ransomware for example, whether the coverage would account for that. And other sorts of showstoppers at the time: previously, if something hits the fan and you call it in, the practice was that the insurer would parachute in their people. They have a list of their standing incident responders, and you were to stand down and step aside. And so, as you can imagine, that was a complete showstopper: the time it would take for a brand new set of eyes to get even somewhat effective, to know the environment, to make sense of it, and just stepping on each other's toes, and so forth. So that was an absolute showstopper. Fast forward to now: some of those issues and changes have been remedied. So for example, now, specifically around incident response management, it's à la carte. So if you call it in, they'll offer, you know, they can have the PR and media experts, they can provide the legal experts, they can provide the digital forensics, the forensic examiner, and so on. So it's essentially what you need, and then there's more clarity about the scope of coverage now. So actually our thoughts are that we do see value, and we've been two years in.

So the question was posed to me several times over a number of years as to whether or not, and my answer was always no. And I always said, if we're going to spend that much money on cyber insurance, give me that money and I'll put it into controls. So a couple of things changed. One, it started coming out of the finance budget, so that was easier. Two, I think, like Gordie said, that whole model changed, and we got to the point where the value-adds coming from the broker were compelling enough, the cost is low enough, and the deliverables are clear enough that it made sense. So we signed up earlier this year, actually. And I would say that my initial reaction was very negative, because I said I wanted to spend the money on the controls, but in the times that we've had to just have even conversations with them, that value-add is good. And because we do a lot of the things, we do the forensics and we have these incident response teams and we have a very good communications group, et cetera, there's a bunch of things that we didn't need. But we really said, well, what about this, the breach coach, and what about the coverage covering the costs for Equifax or TransUnion, that kind of thing. And we got the cost down to where it actually is valuable for the organization, and the value-add to me is the leader from... Thank you.

So we've taken an approach with it. It's funny, I had almost an identical reaction as Robert did when the discussion of insurance came out and we were talking
dollars, and they were large amounts of money, and I was a little surprised and dismayed, not at the amount of money but at the fact that management was prepared to consider that. But I've been asking for other things, to, you know, build better controls in our environment, which have never been on the table. But yeah, all of a sudden insurance was in the news, and it's a new thing and everyone wants to talk about it, yeah, okay, well now there's money for it. So I was a little put off at the beginning and had a very similar reaction. But what was difficult for us to wrap our hands and heads around was the fact that it's a very new industry. I mean, even the insurance folks aren't sure how to price yet, because there's not a lot of precedent and history. So we were doing a lot of back and forth with them, and it turns out that, in fact, when we would ask them a lot of very pointed questions about, well, how much would this cost if we got just this à la carte kind of service, and can we break this stuff up, oh, they didn't have any answers to any of that. And in fact, unfortunately, within the insurance provider there was very little technical knowledge as well. Yeah, these are underwriters by nature, they're not technology people. So it sucked when you're asking them, well, if I have this managed SIEM service or something in place, and we have this, and here's our controls and our control set and whatnot, what kind of rate does that get us versus not having it? They can't have that conversation. So we stepped back from it. What we've chosen to do instead is invest in a few of the strategic services for disaster recovery and whatnot that we know we would need in the case of an emergency like that, and almost insource them. But it opened the door to a good conversation in our organization about, okay, let's talk again about what could really go wrong, and if we don't want to pay for insurance for it, how are we going to cover off that risk? And that was sort of new money coming in, so it was a good conversation to have. But unfortunately we did a lot of this around the mulberry bush when we were talking with the insurance companies at first, because it's a very immature space.

Yeah, Hana? I would, you know, I agree, in the sense that when I was asked that question a few years ago I wasn't really a big fan. I'm now much more, you know, I look at it much more favorably now, because those sorts of policies have really matured, pricing has kind of come down, and you do have the ability to have some kind of à la carte, whereas in the past that was, you know, much more restrictive. What I would say, though, is each organization needs to look at where it is to make a decision. Look at, you know, what you have, how mature you are, if there was to be a breach whether or not you would be covered, because if, for example, there was a breach and then they really looked under the hood and said, well, you don't have some of the basics, would they cover you or wouldn't they? And then really understand, when there is an incident, what it is they would cover and what things would be. And you just need to look at it as a return on investment: does this make sense or does it not? But I think it's become something that you should seriously consider at this point.

Okay, thank you. I think we are running out of time here, so I have time for one or two questions max. So we are open to the public here.

Okay, thank you. It was a great panel discussion. I'll give you a context before asking the question. So there was an ISACA study done in 2016 which says that by 2019 there is going to be a dearth of cybersecurity professionals: two million we would need. So now this panel discussion is great, because I'm sure it's inspiring so many students out here. In your role as CISOs,
what are you doing with your respective organizations? Do you have any programs in place to develop the internal talent, to help your own organization as well as to help that long-term problem? And if no, are you planning any programs, or do you think there are any challenges in building those programs within organizations? I'd appreciate an answer.

We have conversations about the potential of partnering with some academia, because there is this shortage, and we want to have some of these people kind of with that knowledge, the school, so that we can kind of start leveraging some of those people more quickly. And I think it starts with many things, but I think first and foremost we need to get this in our schools. I think we need to get it in our secondary education, because I don't think we do enough of it. As the father of two girls, I'm very passionate about getting them into technology, at least having it be an option for them, and we looked at things like STEM programs. I was very fortunate, because there aren't many, but I got them in one this summer. But I know that not many of the provinces in Canada have it such that every student needs to take computing science, as an example, so you can finish high school and not have to even take computing science, and I can't imagine that when I graduated high school.

I'd just say that I think it's not that we have to have more people in IT programs, even though I will say that we had success, obviously, in the IT programs; it's the skill set and the tool set that's important. And I think, as leaders, we need to be able to look beyond just a traditional program, to say, well, is there an aptitude for that person that's going to fit into our organization, instead of just saying, well, I need this person because she's got this degree or this... Okay, thank you.