
CISO Panel1

BSides Tampa · 2023 · 57:32 · 26 views · Published 2023-03
About this talk
A panel of chief security officers discusses career paths, organizational challenges, and the evolving landscape of cybersecurity governance. Topics include balancing compliance with genuine security, third-party risk management, supply chain vulnerabilities, and potential government certification requirements for security professionals.
Transcript [en]

[Music] [Laughter]

[Music] Welcome back after lunch. It's our job to keep you awake, so this is the CISO panel. Thank you for coming out. This is something that we've done in the past at BSides, and usually at the end of these I always run up and say, I'll get you on LinkedIn, and create business cards. Today I have the privilege to be up here, and so I'd like to do a kind of brief opportunity to say here's what we're going to do. We'll allow each member to introduce themselves anyway, although Steve is not going to give you what he sent me, which is his entire life story. I kind of printed out pages, and they said send us a bio, like, boy, I'll be in the room next door, three hour starts, we're in the ILO Steve room. And then we'll ask each of these folks to introduce themselves, 30 seconds, a minute or so, to kind of, you know, where they are, what they do, or something like that. Then I've got some prepared questions we can roll into. If you think the prepared questions are working for you, or if you've got a better one, you can interrupt the show and do that, but not enough to go. In case everybody falls asleep we'll keep answering those questions. So that's kind of the ground rules here.

My name is G. Mark Hardy, National Security Corporation. I work as a CISO, actually a virtual CISO, for three other companies I must do, besides a lot of other things like that. So it's a privilege to be here. I also have a podcast called CISO Tradecraft, and I've totally had a face for radio. I just recorded my 75th weekly episode. [Applause] Hopefully it's kind of a giving back to the community. If anybody knows how well I can monetize it, let me know.

[Applause]

Yeah, I used to be with Sykes Enterprises, just here in the Beer Can building in Tampa, and exited a 25-year career with Sykes last year after securing, building individualized and customized security infrastructure for 400 of your top well-known brands, from the phone you're holding in your hand and the console your kids play on to the bank that you bank with. So yeah, so realistically I had a 25-year career, which is unheard of for CISOs, purely because every single day was different. I was really securing 400 companies at once, which was great and not challenging at all. And now I'm with Mad Mobile. We are Apple's primary go-to-market payment provider: retail, restaurant, QR codes, all things you guys are looking at and going, oh my god, we love it. I used to live in China for a short time, and when I came to the US 10 years ago I couldn't believe you guys were writing checks. And then when I went to China and you're buying food from a street vendor on a cart with your phone, and nobody carries cash and nobody carries cards, and then I come back to the US and I'm like, oh my god, we've got a long way to go. And that's exactly what Mad Mobile is trying to do. They're trying to put the whole payment processing away from the old POS swiping card devices, and I love the fact that POS stands for point of sale and something else. That's what we're trying to do.

Rolando Torres from Abacode.

Hey, you know, good afternoon, everyone. Hopefully, you know, we can keep you entertained now so you stay awake. I am co-founder and CEO of Abacode. Any of you guys familiar with Abacode? We're a local consulting firm. We, you know, provide cybersecurity and compliance services for, you know, companies in the US, South America and Europe. Me personally, I, you know, I'm originally from Puerto Rico, so there's a little bit of an accent there, which I love. There's, you know, I'm former Accenture. I was there for 16 years. That helped me have some of the, I guess, discipline and rudiment on what we should like, working 70-hour weeks, as you can imagine. And, you know, we started Abacode about eight years ago, very much focused on cybersecurity. Then we added the spin on compliance, adding, you know, focusing cybersecurity specifically on the standards that are required by the industry, all the ones that are, you know, recommended by the, you know, the agencies and the, you know, the government. So I hope we can have a good time today, and I hope so, yeah.

Next we have Christina Shannon from Catalina Marketing. Welcome.

Okay, I don't have a, you know, I was going to, supposed to say, I don't have a cool Puerto Rican accent. I got this like twang thing from growing up in Ohio and then living in Arkansas for 12 years, working for a little retailer named Walmart. But so I got my start, I'd say 2007, RSA Security. It's funny because when I was asked to do a bio for this I was thinking about, well, I started security in what, and it was during a time where hard tokens were the thing. No one wanted to use soft tokens, and then today it's like, right, you're trying to, you're using push, you're using, maybe not so much wanting to use push, but there's so many different options, and when you say hard tokens today people are like, what is that? So I've kind of aged myself, I guess. But spent many years at Walmart, both working as a partner or vendor and then also working for them. Then did a stint, I kind of did a stand over what I guess is known as the flyover states or the middle of the country, because then I was a CISO at QuikTrip, which I was just telling someone earlier that they're the Wawa of the Midwest. And then was at Raymond James, a senior security director there. Then spent the last three years at Anchor Glass in the CIO and CISO role, and now I'm at Catalina Marketing in the CISO role. Catalina is cool in the sense that it's a data-driven company. That was one of the reasons why I wanted to go work for them, because their whole mission in life is to work with retailers and consumer goods to figure out what they need to do to use data to give insight that, you know, turns shoppers into buyers. So, and if I'm bored, or I get bored easy, a little fidgety, so if you see me throwing this ball around, just ignore me. You can throw it up here, we'll throw it back.

[Laughter]

Thank you very much. I'm Dave Summitt. Wow, you know, we're talking how long we've been in the field, long enough that I left Moffitt, interesting to see, 11 months ago. I was there for a little over six years. Prior to that I was a CISO at the University of Alabama Birmingham health system, from St. Petersburg the Bayfront Health system before that, and before that was 21 years with the Defense Department, Navy, doing all kinds of work there. I really enjoyed that. But how I got into security was basically my time with the Defense Department. There's so many things going on that I just absolutely loved, and it was during the good years of the Reagan administration when we had all kinds of money to do whatever. So yeah, I left there and I kind of took some time off. We may talk about it, we may not, but it was a period where I realized that everybody, anybody in security can get to a position where you start burnout. I was in a burnout period, and I just, I got to get away from this for a while, clear my head. Because I know there's, there's actually, believe it or not, guys, there really is life outside of cyber. I found that out this past year, and I've absolutely enjoyed this last year. So I started my own company after I was out for a while, on consulting and advising, and absolutely loving doing it there. Now, taking the shameless plug that you did for your podcast, I started a podcast this year too, Three Point Cyber, and I will hit you up after.

Down here, take that, take that sponsorship away from me. That's enough for everyone. Absolutely. Yeah, we're actually, before we talk, we're probably going to do some work. Not anymore. But well, with this, this panel is for you, and so it's an opportunity to talk to some seasoned professionals from different backgrounds, different career paths, who have found themselves working the role of the CISO. A lot of times we think of a CISO as sort of being kind of the apex job that we get to. Normally, like, where do you go after CISO? Another CISO, right? Or a vCISO. It's compared to following on and saying let's be the CEO or founder. In some cases it works out pretty well. But you know, what we want to think about though is making this your question and answer. But I want to start out with the first question which everybody asks, but I'm not going to ask it. It's going to be amazing, see, we're not going to ask what keeps you up at night. What did you do this past year that helps you sleep better at night? So we're actually trying to turn that into sort of a positive thing, which is another way of saying what's working really well out there that you see from exercise.

Yeah, no, I think, I think finding that, you know, work-life balance is important. You know, yes, we're working a lot of hours, but you have to, you know, be able to disconnect to a certain extent, right? But I think the most important part from the professional side is, you know, understanding that you have done everything that you can, right? You know, cybersecurity is all about managing risk, and it's never going to be 100 percent correct. You know, there's always going to be risk. You're going to have to deal with that, you're going to have to manage it. And being able to say, yep, I've done everything that I can. If something were to happen, you know, I'm not the first one, I'm not going to be the last one, right? I have everything in place to deal with the situation. And when you're able to reach that point...

Oh no, I may be a little bit more anxious than you, because for me, [Music] I entered into our, I think that, I like to keep football analogies, right? So I like NFL football. I'm a Cincinnati Bengals fan. I love them. I know, I even went all the way out there because I thought they might not ever get back. Say very good, but anyway. You see a lot of the defenses in football, they'll do these fancy defenses, like four-three, three-four, and then they'll still miss the tackle. They'll still miss the tackle that enables like a 60-yard bomb, right? And it's like, it's because they missed the tackle. And like what I've discovered, or not discovered, what I've, a pattern I'm seeing as you see more cloud explosion is you see people stop taking inventory of their software and their hardware. It's like, so asset management's gone out the window, I feel like, at a lot of companies that have gone cloud first. And so what we did was, looking back it was kind of a blessing in disguise, we had what we thought was a major incident. Couldn't figure out, we used product terminology, couldn't figure out what was hiding the product, right? Because the product wasn't what attackers go after. Attackers go after systems. And I was like, well, this is this product, right, but all the stuff under it, no one knew. So we put forth an exercise to go and figure out what's across 32 cloud subscriptions and get it documented, and now we're working to make it dynamic. But it's one where you can't really have a detection or response strategy or an endpoint, you know, strategy if you don't know what you got, right? You can't even really quantify what your investment should be until you know what you got. So I would say that I feel I was able to sleep a lot better at night because we went through an exercise to get better at asset management.

And every company is the same no matter how big they are. 160,000 people and 4 billion revenue across the globe is where we exited 2021. We had no asset management, track no, and two breaches. They're in our SEC filings. But you know, our problem was we couldn't get out of our own way. At the first breach we couldn't get out of our own way. We knew we had to fix, couldn't fix it fast enough. So what makes me sleep better at night and what keeps me up is I changed jobs. I was offered two opportunities and they were vastly different. I moved away from IT, so I don't report into IT, and I went to a company that doesn't have a CIO because we're an afghan shop. But unfortunately now what I found is we don't have asset management and things like that, so we've got a lot of work to do. So now I'm wearing two hats and I'm the de facto CIO as well as the CISO, and now I have to right the ship based on the experiences that I have. And the good news is my board and my CEO, who I report into, are bought in, and that's the biggest thing. What helps me sleep at night is my executives are bought in and I don't work for IT.

That's really cool. They thought sometimes. Real quick, I turned my computer off at 10 o'clock. Good.

[Laughter] Wake up, have breakfast, cut that podcast. Great job if you can do it.

So we're talking about different reporting structures, and ultimately the CEO is responsible for the organization. And so from your perspective, kind of like self-reporting here, what are the top metrics the CEO should use to measure CISO effectiveness? That is to say, how would you like to be measured by the big boss and held accountable?

Yeah, I think the ultimate KPI is don't get breached, right? Without a breach, that's the ultimate one. And I think, you know, it's an interesting question because what we find in the industry is when it comes to CIOs and CISOs there's a lot of folks that don't talk the business language, and translating, you know, what is going on from the security and compliance standpoint to the business language of a CEO or CFO is very hard. So, you know, even establishing KPIs, right, what is it that I'm going to use as a CEO to measure you as a CISO or CIO in terms of a successful cybersecurity program? It's hard. I think, I mean, obviously not getting breached is one. Being able to maintain, you know, an information security management system that is monitored and that is up to date, you know, on a regular basis. Getting any certifications that, you know, are meaningful for the industry you're in, that's another one. And I would say, you know, the one that is coming up very, very quickly for many companies: being able to maintain your cyber risk insurance. And I think many of your contracts are attached to being able to have insurance, and many of your insurance policies now are going to require your company to be able to comply with certain standards, right? And you know, that's meaningful for the CEO because that's business, right? I don't have insurance, I don't have a contract, I lose revenue. What's going on here, right? If I told a CEO I don't have asset management, I don't have access control, I need opt, I need this and that, it's like, what are you talking about, right? I mean, that you're getting lost. So those KPIs have to be very much business-driven KPIs.

Business-driven KPIs. Other thoughts?

I would say, along those lines, you know, the incidents and if there was financial impact, right, metrics around incidents, and then what was the, was it a surveillance, was it a low impact, what was the monetary impact. I'd also say phishing metrics and then tie that to training, right? So does the trend go up, or does the trend get better when they do training after they've clicked on the link, right, for the next exercise? I think trending on vulnerability management. I don't think that you go to a CEO and you try to get them to understand what a vulnerability is as much as, well, you do at a high level, but you get them really to see if the trend is going up or down, right? I mean, CEOs know what applications are, they know what systems are, at a high level, right? And so if you say, you know, most of the infrastructure, most of the things we have is, you know, more vulnerable than not, they get that, and I get the exposure from such. I also think that, I think probably the most valuable for a CEO is doing a penetration test that tests basically can you reach their crown jewels, whatever the crown jewels are for that business, and then having some kind of, because CEOs like charts, and I had one tell me once he only deals in numbers, so they like pictures. And so it's like basically showing it to them how many, you know, for that. Like, I like doing the internal penetration test, right? Give them a basic set of credentials, and one role I had, it was manufacturing, so I was like, see if they can get to our production, can they shut us down? And they got there within a day, and that was the only thing I could do to convince a CEO that had the highest risk tolerance I've ever seen to spend on cyber. But it worked, right? So I'd say do metrics that work, that are tied to your business.

Yeah, I think, I think it could be, from a CEO perspective, they don't care about all the technical stuff that's going on in your program. Yeah, quite frankly they don't, they don't really care what kind of levels your people are. They just want to know, am I secure and where is my risk area? So for me the most effective way to measure the effectiveness of the program is by third-party assessments. You can do all your own assessments all day long, which is really needed, and I would do that all the time, but to have an independent someone come in, the CEO can take that report back and look at it. It goes a long way.

That's a good point. And my perspective also on that is how has security enabled the business to be more successful? Typically we think of security as a tax or a friction, a drag, and I think our goal as an effective CISO is to be able to go to the CEO and say, look, we've been able to do better, faster, maybe cheaper, but the point is we can do things that we could not do otherwise if we didn't have an effective security program in place. And therefore when you do run into something that impacts the business, such as MFA or whatever, to be able to demonstrate there's a huge difference in terms of the benefit to the organization versus the momentary, oh, I got to learn a new thing. And when I've got my executives trained that within a month of arguing, first they're going to be defending it, saying I want to do it. And so that's how human nature is: people will tend to object to change, but then after they'll defend what they're doing, and so you can take advantage of it. So it rolls all the way back to the buy-in, the executive buy-in.

You can't get your executives bought in if you don't understand the business. My CEO asked for a 90-day plan in my first week, the mythical 90-day plan, right? And I evaluated the environment, so there's no way I can deliver a 90-day plan. I'm going to give you a rolling 30-day plan because I've got a lot to fix. Measure me on the difference I'm making, right? And then I'll come back with a 90-day plan, then I'll come back with the two-year plan and push it from there.

I just wanted to comment on that, so I got the same, right? My current role, it was like, I want to see your 90-day plan. So then you whip out, what you do is you do a qualitative risk assessment, so you look at the NIST framework, you're looking at CIS, and then you're interviewing, right? That's really what you're doing. And then, and then we happened, so I, you know, based our plan off of those, because that's what I had, right, with the understanding that I don't know what I don't know. Then we had a major incident investigation, and we went back to go answer all those questions, and the answers looked a lot different. So yeah, it's interesting when you're just doing a paperwork drill.

Yeah, CMMC migrating from, oh, we have to inspect and prove it, to, oh, just self-certify. We'll see how that works.

How can you deliver a 90-day plan if you don't know the business? Learn the business. So how does your CEO measure you? Learn the business, develop metrics that match the business, and then produce on those metrics and make a difference.

How many of you work for the board or work for legal?

I work for the board and the CEO.

Nice. So where I work is a major competitor to Walmart. We both, my colleagues here, we both, our signature blocks say legal. I'm a staff-level threat hunter, nobody wants to get my email. And the interesting thing about reporting through legal, as I'm sure you'll be able to report, is that if your company is doing an acquisition. Remember when Verizon acquired Yahoo, and way along the process, after the price had been set, oh yeah, by the way, there's only three billion breached accounts. Why? Because you don't sit at the grown-ups' table on the acquisition thing. You've got legal, you've got finance, you've got the executive team. You're trying to figure out how do we squeeze money out of it. But with cybersecurity tucked under legal, you now have a seat at that table, and you can do the risk assessment with your own team and say, you know what, the numbers look great and the business model looks great, but there's a problem here, there's a red flag, and let me show you what you might be getting. Thoughts on you being in legal, which is different from your peers here, and how that works to your advantage, or maybe even...

I'd say it works to your advantage for all the examples you just used, definitely. And then also too, when it comes to things like our third-party risk management program, for example, other than it's still being questionnaire-based, it's integrated in our procurement process, which was the first time I'd seen that, and that was because the procurement team has lawyers on it that report into legal, right? And so that merging I thought was on the risk side, yeah, and contracts, and a lot of synergy. I think that there's a lot of benefits in terms of like the big-picture types of things we're trying to do. And the downside, I think, or the don't-let-this-happen-to-you warning is, sometimes you can show up to an environment where for five years they've been in the cloud and there's 32 scrum teams and there's X number of products, and the security team's focused on the data center. So I would tell you that that's the downside, is that sometimes IT guys run away and you lose track of them.

Let's just want to tie on to that. So I've been involved where we've had security engaged as part of the M&A due diligence beforehand. It was a new process, right? And as soon as we got down that path we found all sorts of things that were making the deal less favorable, right? We shut it down. We actually blocked an M&A acquisition. What's interesting is business teams now hate security, right? Before, they were happy hating on lawyers, right? So the legal team shut it down. It's like, okay, well, you know, we need those guys, but it's understandable. Security is different because I don't think the business teams have yet quite understood what the impact can be when you buy a lemon, right? There's a lot of lemons for sale. And so it's just interesting. It's a developing sort of industry for the business world, and like you're seeing the SEC say, hey, we want cybersecurity people in the boardroom, but I don't think yet it's caught on, because I'm still seeing the hate from the business teams when you come in and shut a deal down, because they're going, I'm trying to grow and you're stopping me. Why can't you just fix this?

Yeah, you know, to your point, I was just going to say, so recently I had an example where, I said we do a lot of proof of concepts, because Catalina is a data company, right? And so a lot of our clients, they want to use our data, and so a lot of the data contracts, I review those in terms of, just to make sure, there's a lot of them contain breach notification clauses, right? And there was one that was notify if it was a suspected breach within 12 hours, and then they had all these other things around it that just weren't feasible, and I shut that down, which I would have never seen if I was under the CIO.

Okay, you know, I wanted to add that, you know, this is something that I tell to my team: when you look at cybersecurity as a business enabler, the conversation changes, right? So, you know, when you do an assessment of a merger or acquisition, you can say, okay, well, you know, this is the level of risk, because there's always going to be risks, right? I mean, there's no perfect company, right? You can measure the level of risk in terms of financial impact as well as how much it's going to cost to fix what you found. Then you have the prospect of being able to add that to the transaction, right, instead of just shutting down altogether. So I think that's a big difference, because when we position it as, they don't buy because it's a mess, right, that's very negative, because the business guys want to do business, right? I mean, there's no stopping that train, right? I mean, they want to continue to move forward, and right, you just need to be able to position that in where it's, okay, well, you're buying a 10 million dollar, I dunno, property, right, or company, and now you're probably going to need to spend an additional million dollars in fixing all the issues that you have. And by the way, before you even think about integrating them into your system, make sure you fix them, right? Because that might be the conduit in which your bigger company gets breached, right? So if you put it in that position, I think, you know, it makes a complete difference. Now you are a business partner, right? Now you are talking their language. I think that's the way we see it.

Or if you're finding, like, for example, we had an M&A recently where it was like open source, there was too much open source code, right, in the product that we were looking to buy. And so that was one where I think the business actually thanked us, because we would have been in trouble later down the road had we bought that. So I don't know, I think that the maturity, though, on the business side, I don't think it's there yet. And I think that we just keep, I think the industry keeps like publishing things to try and push it there, but I think something else has to be done. I don't know about it, though.

But you've got to be a partner, you've got to establish trust, then you've got to go in with quantifiable data, because if you don't, it's just an opinion. Yeah, and then they're going to hate you for your opinion.

But to get it beyond the board, I mean, like, or to get the board to where they're more savvy, or to where there's more understanding about what we do and the ebb and flow, like I think that what you're saying works in the organization, but I just think there's a broader, like, industry focus.

so this is kind of a multi uh not your question but so whether if you don't have a cio or if you're working directly with the cfo especially if you're hit by compliance whether that would be you know hippo or pcs or whatever it is so let's say you have a budget that's not conductive to having all the security things in place that require you to meet your certification and you're kind of put in a place where you have to hit a check mark or you actually have to build out an actual security platform that would kind of work out how do you navigate being able to stay compliant but at the same time have all the aspects of your

security program to actually be secure it's great to see andre good to see you oh no i'm not taking that

that's a very detailed question yeah so as a cso

just for the sake of compliance there's too many false things that come out of checking things off for compliance purposes checking it off doesn't make you secure my job is to ensure that the organization's secure now if i'm hearing the question correctly how do you how do you juggle that in the budget i would yeah see i would much rather say i can't we're not checking that off for compliance purposes which elevates the visibility to someone higher than even me why are you not going to check this off well here now you've asked me the question now i can give you the reason why we're not going to check something off just for compliance right and it might be because i don't

have the resources the budget to do it which now opens that discussion what do we need to do to ensure we're compliant but we're more secure than what we were going into that host situation right so that that's that's been mine and it's worked well for me over the years i again i will never just check something off for a compliant purpose it's not just we have never been breached the bad guys don't give a about her scope how many people i have worked for a private equity company and i've had boards tell me to outsource security and um it seems similar to what your question is in the sense of is the ass to prioritize compliance uh

basically to just check the boxes and don't do any more is that kind of the direction you've been given well i guess the question stems from like you guys you don't have an unlimited amount of money right yeah and you're responsible especially if there's no cio to to make sure that with the budget that you have you're kind of stuck between business continuation right you can't you can't you're in a dual role but in a way yeah okay all right so all right so i think i uh have a better grasp for your question now so i'm gonna just give you my own personal experience i worked for a very a ceo who hated security

uh he had a very high risk tolerance way beyond my comfort level and it's really hard when you started a place like walmart that's doing sophisticated security programs in like 2008 and then as your career evolves you're seeing it get worse because the companies you join like it's hard for like my brain just exploded with that person but anyway so what i did was i looked at um i reverse engineered uh basically like what is our basically what's your crown jewels find your crown jewels um and then go secure those first and then um like make that your top priority where's your crown jewels and go secure this and then that's where your budget goes and

um that's how i would basically and then i'd use a penetration test to show what would happen if they don't do that but that because it kind of sounds like you're in one where you can't do it all you've got to pick and choose so what i did in that life was i went and found all my inventory and i got a really good mdr solution that i can count on with automated response so if i may for a couple more seconds so i'm in consulting in a professional services role so a lot of times when you get brought in is to do gap bill and things like that right and as as a consultant you're sitting there trying

to explain to you know a ceo or somebody higher up that like you have these things that would in a way put you out of compliance right and you're asking me to fill these gaps but the budget that you have listed out as what you're willing to spend on this isn't conductive to what you're trying to do so you're in a you're in a supportive role but you're also limited by what your client is is kind of putting you into this box right so you're in a position where you're stuck in this box and this box isn't conductive to what they're trying to do and you're trying to explain to the client that you you kind of have to do it right and

then what is the best way to go about that it's always option c there's always option c which is do nothing yeah yeah one more thing about that thought because christina is brought up to see all too often security programs have wrong priorities and they we have such a wide range of things to cover in an organization and every organization is going to be a little bit different so it's it's the it's the asset inventories it's the crown jewels of your company combined with what are the threats that your company could be facing right now and that's where you focus your attention why why am i covering a whole wide range of cyber security for a

company if this area over here has an extremely low probability of ever causing the issues and this one over here is really high? Which one am I going to focus on? And I've seen too many organizations do that: they try to cover everything, they try to do everything at once, and that will not work.

If it's an advisor role and you're advising, I mean, it might be at the point where you just lay it out there, here's your options, and then you let it go. Yeah.

You know, when it comes to compliance, right, specifically HIPAA compliance and some of the other compliances which are required to do business, right,

you have to build a case on the business side of what is at stake, right? So, as you know, is it the viability of the business, are you going to meet some contracts, right, or are you at risk of being fined, right, by the Department of Health Services, right? So if you're able to position it from that perspective, obviously they spend, right, and we go commensurate with what you're trying to save and the size of the company, right? I mean, maybe the budget is the budget because the company is making the money, right. Reputation, right, but you have to be able to explain it that way,

because it also happens as well, and we see it quite often, right, in the technology professionals: they tend to have a laundry list of things they want to buy. The CEOs are really very, very cautious about you wanting to buy everything out there, right? So sometimes they don't believe that the budget that you're putting in front of them is really needed, right? But, you know, and I think this works for me: every time I bring a need, a security product, to our CEO and our CFO, I always attach that to a requirement. This

is required based on our cyber risk policy, for instance, right? This is required based on our ISO 27001 compliance, right? This is not because it's a cool gadget, right, it's required. And when you put it in those words, now we're talking about business, right, because if I don't have my ISO 27001 and my SOC 2 Type 2 compliance, well, I'm not able to do business with those companies that require that, my country, right? So you already have a value associated to what is at stake, and I think that's how I position budget in a request. Or hire a Scottish CIO who doesn't like spending money.

Hey guys, I've got a question from

remote, from Bill. He says: what are your thoughts about the latest news that the SEC is pressing to formalize CISOs as part of the overall executive-level C-suite of the organization and report to the board of directors? I had not read that, so that's news to me, but how do you feel about making a CISO go right to the board of directors, or more precisely, for publicly traded companies, that being mandated, compared to finding something that works because you've got something that works?

It seems... I actually briefed our board and our CEO on this, and I've got a follow-up briefing coming up on Monday, because it's front and center of everybody's minds, and one of the things

that's often missed is they're now requiring, beyond that, that the actual board themselves has to have cybersecurity bench strength within the board. So instead of your board being a bunch of business leaders and investors, your board now has to have somebody on that board that is going to be able to deliver cybersecurity accountability down through the organization, as well as your CISO, or whoever you appoint as the head of security in your organization, has to be qualified. Now that's the kicker, right? It doesn't mean certified. Doesn't mean you go to CEH and you get their Certified CISO, because if you're a Certified CISO and you've never taken the time to be a

business leader, you're going to be a failing CISO. Certification is not going to get you what you need; it's got to be experience, it's got to understand that business and apply the context of security to it. But now the SEC piece: the proposal's in, everything's being drafted, boards are inherently asking questions, and the questions they're being encouraged to ask are, to Christina's point, what are our crown jewels, do you know where they are, what controls have you put in place to secure them, and then what are your detection mechanisms, and then how are you working through incident response. All of that's in the CSF. So as a CISO, realistically, to answer that question, how do you then

approach and deliver what the SEC is proposing? Build your security framework around the CSF, because it's got everything in simply understood terms. You're not going to blindside your board or your investors or your CFO with language they don't understand: identify your assets, protect them, detect when they're being hit, and then respond quickly, and then recover, and build it in and learn the process again. Continual improvement, continuous life cycle. That's how you address the SEC filings. And we discussed this at GuidePoint, and at the West Florida cybersecurity meeting the other day, and it's front and center in everybody's minds; everybody's asking the same question. I hope that

helps.

So kind of related to that is question three. Pretty good, we got through to the third slide after 40 minutes. But yeah: what are the potential implications of governments requiring cybersecurity licenses? That is to say, should a CISO have to be certified like a CPA? Now this is going beyond just the SEC environment to say you've got to have a ticket that's stamped by something other than, like, a training organization or a certifying private company, to say, yeah, like an MD or a DDS or something like that; you can't just declare yourself to be a doctor or a lawyer.

I think it's all great news, right? I think what that's

going to result in is boards improving, more balanced budgets for security, right, definitely more CISOs in high-level positions. It's definitely going to require the CISOs to get ready to talk the business language, right, being able to put together your dashboards and your one-to-two-slide presentations for the board, not the 100-page report, right, which we're very much used to reading on a daily basis. And I think, in terms of the certification as a CPA, perhaps it's a good idea, right, because it'll definitely identify which are the best, you know, researchers out there.

For the ones that are not at the level, they'll have to get prepared to be certified, and then there's CPE credits, you know, that you can take, which perhaps most of the CISOs are doing some additional work to get. I think it's all great news. I think what it's going to really result in is something that we need in this country: cyber risk is going to be reduced, because what we see right now, in terms of the day-in and day-out breaches, it's really just mismanagement of cyber risk for the most part. I mean, we think about cyber attacks being

highly sophisticated, but in most cases they're just very simple things that are being exploited, and we're still, 10, 12 years after, we're still dealing with those, right? I mean, we haven't been able to catch up. Hopefully this will accelerate to catch up so we can get to a proactive stance to manage risk in a more systematic way, where right now you really focus on what is highly sophisticated attacks and, you know, the risks have been breached for something that is very simple.

But everybody pays attention to what the rest of the world's doing and what

legislatures are doing. Singapore has passed a law, their government agency has passed a law saying, if you're a cybersecurity company (looking at any vendors in the room), if you're a cybersecurity company then you have to be licensed by the government to operate, and pass some very stringent tests in order to operate as a cybersecurity company in Singapore. You don't pass those tests, you can't do business; they shut you down. Now the world is watching how that's working, right, and that's going to affect all of us. And 45 states have passed or are passing cybersecurity legislation over the last year, in 2021. So it's coming; we're going to get more

and more regulated as an industry, because when the governments start regulating cybersecurity in general, and not just government agencies having to do cybersecurity and government vendors, it'll roll to the public sector and the private sector, and then we'll all be in the same way.

I think what he said: it's coming. I mean, we're just in a day and age where cyber is maturing rapidly, it's changing rapidly, and I think we've gone 15 years now, we've got a teenager here; that's kind of where it's all going. But I'm on the fence. I'm not sure about that. Number one, I would like to know who are you going to certify me against, who's

going to be the certification. I'm definitely not for the government coming in and stepping in and saying it's going to happen.

You've got to be medically certified to practice as a doctor. If you want to give this field more of an air of legitimacy, then there may need to be some kind of certification process. No doubt about it, I think that's where it's headed, and I think we saw that back in the Rockefeller-Snowe Act of 2006 and eight; I think three times it was introduced into Congress. For those who want to go dig back through old congressional records, there was an effort to do that, to create some requirement, about 14 years ago, to do security certifications from the government. But of course the question is, who in the government is qualified to do so? Because, like we talked about in my

talk this morning at 10 o'clock, there's kind of a diode that says you get trained in the government, you go out and you make more money outside. It's usually only later in life when you say, okay, I've made my money, I'll come back and be an advisor to the president or something like that, but you want to do some rock star type job instead of saying, I want to come back and kind of work third shift in some particular SOC.

Question? Yeah, I had a question, but I didn't want to skip anybody else who was maybe before me. If you had your hand up... I thought you had your hand up before me, I would go

after him. All right, so we'll go to him. Thank you very much for your courtesy.

Yeah, I think, Steve, well, I think you're right, like there should be something from the government that could help certify, but the problem arises, like in Russia, China: the government, for cybersecurity companies or any company, says okay, you have to qualify, blah blah blah, but put our certificate in your product. The Chinese government required a tap in every telecom data center. Yeah, so then it's like, well, then we can't trust the companies to protect ourselves; you can't trust them.

So it's like, you know, this is already happening, right? I mean, for federal agencies, if you have a

platform, right, it has to be FedRAMP compliant, and there are strict requirements around that, right? I mean, it has to be in the GovCloud. How AWS is FedRAMP compliant: it could be in AWS, it has to have the controls in NIST 800-53 implemented, you have to use FIPS 140-2 compliance, which, you know, they want approved by the federal government. So this is already happening.

That doesn't make you secure. Well, I mean, obviously the controls are being put in place, but it does require... Well, FedRAMP is coming to the state level; it's called StateRAMP now, even by Texas, and so what that means is, you know,

if you have a software platform that you want to sell to the government, you know, at any state, you'll have to comply with these requirements, right? We're seeing the same thing with the DoD DIB, right, the defense industrial base: now you have to be CMMC compliant, right? So there's a requirement, and there'll be certification eventually; it's taking a long time, so there will be certification by reporting, you know, like an audit firm, and also the DoD will send their own auditors, right, to check your business. So it is happening already. I think it's happening more for the providers of services to the DoD and the federal agencies and the state government,

but the same thing will happen as well for the service providers on the commercial side eventually, I think.

Yeah, can I tack those two things together? Because you brought up a really important point, and I want to laser in on what you said. Sorry, I didn't catch your name. Thanks, nice, thanks. So we were formerly a BPO, with my last company, servicing the needs of all sorts of organizations, including Verizon. So Verizon was one of our clients; Verizon does business with the federal government; now we're getting third-party risk because Verizon is outsourcing their customer support to us. So when you think of cybersecurity, customer support, you know, you're

handling customer data, we had to be PCI compliant for Verizon, you know, processing phones, all this kind of stuff. However, from a physical security standpoint, right, so totally the other side of the shop, not talking cyber anymore, we're talking physical access control requirements, CCTV camera requirements. Ah, but wait, remember the space shuttle was built out of the cheapest parts, right? So, physical security, CCTV cameras: we were using Hikvision CCTV cameras. Hikvision CCTV cameras were found to have a chip in them which, if they were published with their interface externally, that chip could be accessed by the Chinese government. We never published any of our CCTV cameras, so we were mitigated. However, Verizon, doing business with the US government,

had a mandate that said you cannot use Hikvision across you or your third parties. So Verizon came to us and said, what cameras are you using? We're like, well, that's a strange question. Okay, it depends on where we are: Costa Rica, Philippines, where are we? But mostly we use Hikvision. Okay, rip them all out. Don't have any Hikvision in any sense of where you've got Verizon. We had to change it. We went with Hanwha, different side of the shop, right, still cheap, still got the job done, but didn't have the chip. So it's that third-party risk component: hardware, software mandates by the federal government, not just to you but possibly to your clients, and that all

rolls down here. [Applause]

materials that was proposed in the president's cybersecurity proposal back in May of last year. I think, at the time, the question is more theoretical.

This has been a great panel, speaking, and I know we have people against the government, but to me, and I don't know, I'm against more taxes, government, more taxes, taxes. How many taxes did we have in this country in 1900? One? None. From Scotland, 42 income tax. By the way, I'm so grateful I live in Florida now. I know there is a position, but do you think that we're going to get to the point where there is like a CISO for the United States? I know there's been people

that work there, we have speakers that come there, but it's not like official. And when we think of defense we think of it like the Secretary of Defense, which is, you know, the military and stuff like that. But do you think we're going to get to the point where there has to be like a CISO for the country, somebody who's the top security guy, and like you say, it trickles downhill to the rest, you know, to his peers, which would be you guys, and then go down? Do you think we'll ever get there, or do you think we need that? Because I truly believe we need something like that, like national-level skateboard.

Come on, I'm going to put you up for that

position, I'm going to nominate you for that.

I have another... Exactly. I don't think we'll ever get there. I think there's still a lot of things going to change. I think there are initiatives right now that are making government, private and public sector stuff more collaborative, but when you get to a place where you have one person that's going to be responsible for the entire United States... when I say responsible, I mean you're responsible for a company, but of course you have your peers. So if you want to go down that, right, there already are... yeah, you have CISA so far. I don't think anybody needs me.

That's the guy right there, or the one for the National Security Agency. Or even right now, I don't feel like all of them kind of go up; they kind of did their own things, and we would check in and get help if we needed it, right there. Yeah, there's way too many arms out here the government's got in different areas, and I found that in my long career with the government too: we would have all these different people doing almost the same thing and they would never talk to each other about it. The left hand doesn't know what... We're seeing a rapid change in cybersecurity right now, but the bigger the

companies, it's... I call it big company disease. It's like people stop talking to each other, and that's why I like what CISA is doing: public-private government partnerships together, that fusion center model that worked so well, right? Yeah, it was one of the intents of the ISACs, yeah, all the ISACs start talking together, the Information Sharing and Analysis Centers. Yeah, what we did at hacker conferences for the last 35 years, imagine that. I think we're down... Yeah, I think more than anything we need more soldiers and less generals, because the big gap we all have is that there's so few people that

actually technically know what they're doing, but there's plenty of people that can describe it to you but never get specific. But that's not going to change, and the only thing that's going to fix that is automation. I disagree, automation's a big problem. Yeah, that's a whole other topic.

A couple minutes left. Let's kind of pull away a little bit from working with the government. Here's an interesting thought; all of us probably have to do this at some point, on both ends: the best way to perform a third-party risk review, and any thoughts on alternatives to filling out client questionnaires? [Music]

Moving from meaningless red work to meaningful gold work, and that green work in the middle, which is that no man's land. So how do you get your team moving from the red work of completing 500-question SIGs to the gold work of what actually matters? Give them a tool that'll automate it, because 75 percent of those SIGs are the same question. Yes, realistically the rest are the nuances, the same questions asked a little differently. So we hit on two vendors; I'm not going to name them, I'll leave them nameless, but one in particular allows you to take the first SIG that you've done, or successful SIGs that you've done which have won new business,

not ones that necessarily haven't, take all those responses, make them cookie-cutter, put them in a platform, use the AI, the ML, whatever you want to call it, so then it reads your next SIG and goes, we think that this question should have this answer. Yes, no, yeah, I agree with that, yes, okay, move on, and it pre-populates the rest of it. Moving from red work; that's quite an approach. And I do the same on the third-party questionnaires that I send out. I hate them. I would love to just have an automated system that pushes it to a vendor and just goes, hey, you've got any pre-canned responses, just put them in this platform. Real popular.

Thoughts, sir? I'll keep rolling because we're trying to do a couple more questions. What do you see on the horizon from a technological perspective that could be a game changer in this industry? You were talking about being at a significant inflection point.

I was going to say, like, one of each, if you don't mind. Like, something I see from a people perspective that I don't think enough people are talking about is that there's a lot of security teams at big companies that are still going out and buying software and installing it on VMs, unaware of how far the cloud's evolved and how DevOps teams are configuring security in the cloud. So I think that what's

happening, if folks don't start talking about it more soon, is that a lot of security people are going to wake up where infrastructure people were in 2008, when storage and all those things started getting consolidated and clouds started being talked about, and then infrastructure people like me, I was a storage girl, thought, crap, I should go do something else, let me try security. But I feel like I see the same wave happening right now. And I saw it, as my best example is my company: they've made these ecosystems now where all your workloads are in the cloud and it's point-and-click configuration to go across the NIST

domain for a lot of controls, and that doesn't cover it all, but people need to know that that's going to be a part of the companies they join and how they're working with the world. So I think that's probably something I'd say that's not happening. And something cool that's happening, I think, is the proliferation of use cases for blockchain. I think that, you know, anybody who's on Coinbase, yeah, I mean, that's all blockchain. And I just think that there's some... it's also at the point where, you know, with technology that's so new, if they don't do security by design, then

it's flawed, like IoT and other things, and so there's some inherent risk there, but I don't know, I dig blockchain and where it's going.

We're getting pretty close to the end of our time slot. We've got someone else coming in behind us, so what we'd like to do is thank our panel here.

[Applause] There you go. So we'd like to present each presenter here with a little gift from BSides. Hello, thank you very much. [Applause]
