
Techzine Talks on Tour
Techzine Talks on Tour is a podcast series recorded on location at the events Coen and Sander attend all over the world. A spin-off of the successful Dutch series Techzine Talks, this new English series aims to reach new audiences.
Each episode is an approximately 30-minute discussion that Coen or Sander has with a high-level executive of a technology company. The episodes are single-take affairs, and we don't (or hardly) edit them afterwards, apart from polishing the audio up a bit of course. This way, you get an honest, open discussion where everyone speaks their mind on the topic at hand.
These topics vary greatly, as Coen and Sander attend a total of 50 to 60 events each year, ranging from open-source events like KubeCon to events hosted by Cisco, IBM, Salesforce and ServiceNow, to name only a few. With a lot of experience in many walks of IT life, Coen and Sander always manage to produce an engaging, in-depth discussion on general trends, but also on technology itself.
So follow Techzine Talks on Tour and stay in the know. We might just tell you a thing or two you didn't know yet, but which might be very important for your next project or for your organization in general. Stay tuned and follow Techzine Talks on Tour.
Cyber resilience needs to move beyond 'not if, but when'
What if our fundamental approach to security needs rethinking? In this conversation with Tia Hopkins, Chief Cyber Resilience Officer at eSentire, we explore why resilience has become the industry's latest buzzword—and why it demands more than just lip service.
One of the mantras Hopkins doesn't particularly care for when it comes to cyber resilience is the "not if, but when" mentality that periodically dominates security discussions. Her suggestion is to shift from mere acceptance to acknowledgment. This may sound like a subtle distinction, but it is a powerful one: it keeps teams vigilant rather than resigned.
At the heart of our discussion is a critical examination of the industry's pivot from prevention to detection and response. While this shift made sense as organizations adopted cloud environments and borderless networks, Hopkins argues it's time to correct this imbalance through comprehensive exposure management. This approach extends beyond traditional vulnerability management to encompass people, processes, and technologies, all informed by business context and threat intelligence.
For security leaders wrestling with budget constraints while trying to balance prevention and response investments, Hopkins offers practical advice: eliminate technology duplication, maximize existing capabilities, and frame security investments in business terms rather than technical specifications. Most importantly, she advocates moving beyond annual risk assessments toward dynamic, continuous evaluation that reflects the reality of today's threat landscape.
There are a lot of really good insights in this conversation. Listen to this episode now.
Speaker 1: Welcome to this new episode of Techzine Talks on Tour. I'm with Tia Hopkins today from eSentire. You're the Chief Cyber Resilience Officer. I had to look that up. Thank you for joining us and welcome to the show.
Speaker 2: Thanks for having me.
Speaker 1: Well, what do you do? Your title is sort of self-explanatory, but maybe just briefly introduce yourself to the audience.
Speaker 2: Yes, Chief Cyber Resilience Officer means a number of things. I am responsible for our end-to-end resilience strategy and what that looks like in the way of how we take our products and services to market. I also lead what we refer to as our exposure management services, so we look at resilience the same way that NIST does: the ability to anticipate, withstand, recover and adapt to cyber incidents or any incident. But my focus in terms of the teams that I lead is under anticipate, so I lead our vulnerability management team, virtual CISO, dark web monitoring, phishing, security awareness training, all of the preventive type of services.
Speaker 1: And you're not exclusively in the cybersecurity industry, as we kind of know it, right? So you also do some other stuff.
Speaker 2: Yeah, so I'm an adjunct professor at Yeshiva University, a LinkedIn Learning instructor, those are cybersecurity things, but I also own a women's tackle football team. I'm also the head coach.
Speaker 1: So you're very versatile in that sense. Does the sports thing help you in your business endeavors as well?
Speaker 2: Absolutely. I think a lot of who I am as a leader comes from what I've learned on the field, working as part of a team, pushing, being comfortable with being uncomfortable. A lot of what I learned in life that I've taken into my career, and especially into leadership, came from football.
Speaker 1: Yeah, so you've been here for about a day, more or less. What's your first impression, especially coming from where you're coming from, from the resilience angle and the proactive angle? What are your impressions when you walk around the show?
Speaker 2: Yeah, I'm always interested to see how vendors are positioning their services. I was surprised to see a lot of resilience talk. So we've been talking about resilience for a couple of years and it's been part of conversations, but I'm not quite seeing it as a focus as much as I have, and it can mean different things as well.
Speaker 1: Absolutely it can, because if you look at it from, for example, a backup perspective, resilience is very much a reactive thing. Yep. But if you look at it, you can also interpret it as a proactive thing, one thousand percent. And I don't think there's enough clarity on what we mean. And it's an overused term right now. Right, that happens with every term that we use, unfortunately, yeah.
Speaker 2: I mean, if you ask 10 people what resilience is, you'll get 15 answers, and that's why we make it a point to be very clear that it's all the things. It's not just how quickly you get back to normal, it's not just how you do when a breach happens and it's not just how proactive you are before one occurs. All those things working together drive a resilient outcome, and the better you do all those things, the more resilient you are as an organization. You can't just focus on one piece of it.
Speaker 1: But it also makes it harder to actually do it right, it does. Because you need to focus on everything all at once, right? Yeah?
Speaker 2: But being able to, I would say, segment it, not silo it, where you're focused on: okay, how well are we doing from a proactive perspective? How well are we doing from a, okay, there's something going on, can we hang in there? Can we keep the business functioning? And then how quickly are we able to get back to normal? It gives you a way to kind of measure and continuously improve over time, versus the traditional where we just got to identify all these risks and mitigate them. But what's the intended outcome there?
Speaker 1: But that's always hard to do, right? Yeah, because security teams and security people in general want to... They have, I would hope and I expect and I know from lots of the discussions that I've had, a real drive to solve all the problems, and to squash all the other things that are happening. That's immediately setting yourself up for failure.
Speaker 2: I always say, you know, in security and the journey in general, but especially with resilience, it's a journey, not a destination, and we have to sort of accept and acknowledge that. Right. We say, oh, the threat landscape is ever evolving. True, our businesses change every day. True, our users have bad days, things get misconfigured, so it's never a, you know, we made it, we're done. There's some pretty religious debates around whether it's appropriate to say we're in optimized mode or we're in maintenance mode. I don't think you ever really get to a maintenance mode where you can just sit back and say we're good, so I prefer optimizing. It's more active.
Speaker 1: But that also makes it a bit of, I wouldn't say a fool's errand, but it also makes it quite challenging to actually do, because mentally this can be very disheartening if you think I'm doing the best I can, but I'm still behind, basically. That's not the sentiment that you want, right, but I think that it can happen.
Speaker 2: It can happen. I mean, especially if a breach happens. You know, because we don't go to work every day and not do anything. We do a lot to ensure that, you know, major breaches don't occur. So when they do, you know, that can be a heavy hit. But I mean the mentality really has to be bend, don't break. If we're going to keep saying it's no longer a matter of if, it's a matter of when, then we have to know that at any moment something could happen. And we have to be in a position where we've got to bend, but we just can't break. It can't be, I'm trying to get to the finish line, because there's really no such thing.
Speaker 1: I think the if and when thing is very defeatist. I mean, you can interpret it as very defeatist. I don't.
Speaker 2: I think it's realist, you know. If you say we're never going to get breached, well, no.
Speaker 1: But it's like it also has a connotation of accepting, acceptance, and I think acceptance is a bit too much. Yeah, that's why I prefer acknowledgement.
Speaker 2: Yeah, because if you accept it, it is defeatist. You just can't. Well, we're gonna get breached anyway. But if I acknowledge that at any moment something could go wrong in my organization, then that puts me in a position of being vigilant, not defeated. That's how I prefer to look at it.
Speaker 1: Yeah, but I have heard actual customers talk like that a little bit, right. Look, I don't have the money, I mean otherwise, and so I'm just, yeah, I'm gonna accept that. If the attackers want, I'm gonna be screwed basically. And I understand that kind of notion, yeah, but you shouldn't.
Speaker 2: I mean it's not unrealistic to feel that way. It's human, it's hard, but it has to be a passing moment. Just feel it, but know that you chose this career and this is what it is, and you've got to keep going because there's a lot riding on the work that we do.
Speaker 1: And don't take it personal, I think, as always.
Speaker 2: It's not about you.
Speaker 1: Sometimes it can feel like that, absolutely, if you've been putting in hundred-hour-week efforts into securing your company, or you can't get the buy-in to keep something from happening. Yeah, so you're saying there's quite a bit of resilience on the floor here.
Speaker 2: Either talk, marketing on the boards. A lot of marketing, yeah, a lot of marketing, for sure.
Speaker 1: So that's a good sign. Is it improving, do you feel?
Speaker 2: I guess I'm not a paid pessimist, I'm a realistic optimist, I guess. But it's good and it's bad, because it's out there. So organizations are thinking about it. But to the earlier point, what does it mean? You can't buy resilience in a box, and it's not just one piece of the puzzle that drives a resilient outcome. So then comes the challenge: how do I look at resilience? Where do I start? What do I do? What do I need now? Because there's a billion things here that I could go buy and I have budget for like three, if that.
Speaker 1: Well, that's one of the things, right, there's so much choice. Recent statistics: three and a half thousand security companies around. That's just not seeing the forest for the trees, right. That's just, it's a lot. It's a lot, yeah, and especially if you want to be as resilient as possible, you may be tempted to buy more, yeah, but that doesn't necessarily solve your problems. It doesn't, yeah, so it is a...
Speaker 1: It is more of an organizational thing, and I wanted to get back to what you mentioned before, to segmenting it, right, and not siloing it. Siloing is a bad word nowadays. I don't really agree with that, by the way. I think silos are there for a reason, but let's call it segmenting. How do you go about deciding how to segment your organization into the resilience pieces that you talk about?
Speaker 2: Yeah, I think really, when it comes to prioritization, like what do I need to focus on now? It really has to come down to what's going to be the most beneficial to the business. So security leaders have a lot of jobs, but the main job is to understand where the business is today, understand where the business needs to be tomorrow and bridge that gap every day. So it really is important to have the business context in order to make the right decisions, because it might look like spending a ton of money on multi-factor authentication is the right thing to do, but, given what the business is trying to do that year, or the biggest risk based on threat intelligence, it may totally be something different.
Speaker 1: And it's also sometimes companies sell you something like MFA or passkeys. After that I haven't heard about passkeys for a long time. But they're selling you MFA and this is going to solve all your identity problems, and then afterwards it's like, oh no, it wasn't as secure as that. And I think that selling motion, and I understand why they do it, because marketing and sales and all that stuff are very important, but there's a lot of overselling as well, right, yeah?
Speaker 2: Because we have to. And I'll say this, a bit of my frustration with the industry is I think there was a time where we were really focused on solving problems, but it sometimes feels like, to your point, it's selling things. And I might have a tool that can solve the problem and, if I can, I want to sell that tool. But I also want to make sure my buyer knows how to leverage that tool to solve the problem. Otherwise they're just going to keep buying and buying and buying, because they have these little gaps and they're not fully optimizing what they have in their stack. Yeah, and then you get the lip service to certain things, you get tool sprawl and you try to solve security problems, but then you create operational problems because you need talent and they've got to have the skills, and then you're worried about training them up and then them going somewhere else.
Speaker 1: Well, and now, obviously, to solve that, we have AI, so more investments into AI. It never ends. I get the idea of layered security and that you need to do more than just buy something in a box, but there also doesn't seem to be an end to it. So the layers are stacking up and now it's, oh, now we have AI, but now we also need to secure AI. But we also need something to monitor that security of AI, otherwise we don't know whether it's doing a good enough job.
Speaker 2: Well, it's layers for sure, but I mean it's layers of Swiss cheese. Every tool you buy has a hole in it. We're saying there's no silver bullet, there's not one thing you can buy that's going to cover it all. So there's layers and layers and layers and layers and layers, but there's holes at every layer. So you pick them all up and you can still see through somehow. And that's why the operational aspects are important. That's why resilience is important, because we have to be ready for the things we don't know could happen, or the things we thought we covered that we didn't.
Speaker 1: Are we overestimating the impact of the technology per se? So the actual technology layer. I mean it's necessary, but, for example, if you look at cloud security, I'm just thinking of one of the aspects, there's so much on offer. Is everything so different from each other that you can actually say, look, you need to buy this one because that's the best one, even though it's also about how you use it and what you do with it and how you incorporate it into your organization? Are we putting too much faith in the technology every now and again, you think?
Speaker 2: I believe that technology is there to help us drive an intended outcome. I think an over-reliance on technology is dangerous because there is a human that has to configure it and if it's misconfigured, well, you know. I always say a great technology without a proper program around it is just a great technology, and we should not over-rely on technology.
Speaker 1: So getting back to what you're actually focusing on, the proactive kind of stuff, that's what your main focus is now, right? How do you see that evolving? Because we've had so much focus on detection, response and the if and when discussion and all that stuff. Do you feel short-changed, as a proponent of proactive and preventive stuff?
Speaker 2: There is a bit of slippage. And look, I don't blame organizations, right, because there's a lot going on. You have to. Well, what are we going to do when something happens? We're saying not if, but when. What are we going to do when something happens? So that puts a focus on detection and response, and we're also kind of, I think, a number of years out from the evolution of, okay, well, we can't fully rely on preventive controls, because what happens if something bypasses them? So I think that we kind of got comfortable with where we were from a prevention perspective and now focused on detection and response. But the reality is we're not really preventing breaches anymore.
Speaker 2: They're going to happen. What we're preventing is business disruption, but in order to have to fight fewer fires in detection and response, we need to manage the threats better, right, proactively.
Speaker 1: I think prevention got a very bad name.
Speaker 2: I think prevention got a very bad name because prevention was sort of synonymous with old-school IT stacks with a firewall, with everything inside your own building, and easy to do.
Speaker 1: And I think it was partly a logical reaction to move away from prevention a little bit because of the move to the cloud. At first we didn't want to go to the cloud because it was very insecure. Borderless networks, work from home, yeah, so it made sense, but I think you have the same opinion. It's time to correct that wrong.
Speaker 2: It's time to double back and make sure we're doing the right things.
Speaker 2: Right, I think, from a prevention perspective, we've been heavily focused on vulnerability management, but we kind of need to expand that and think about exposure management, where it's not just, hey, I need to patch this technology. We're looking at people, we're looking at process, we're looking at technology. We're pulling in business context, thinking about threat intelligence and making good decisions around where our focus needs to be in the business. It's truly understanding the attack surface, what needs to be protected proactively, seeking ways to reduce that attack surface and then fortify the areas where you just can't, and it's a heavy lift.
Speaker 1: But now what about the thing that you mentioned earlier about the funding? Right, so usually as a CISO or as somebody responsible for cybersecurity you have a fixed budget. You can buy three things or four things or two or whatever, depending on how big your budget is. Right, we all would like to buy lots of stuff, integrated, and do very nice things, but that's not the reality, right? Yeah, so if you now invested in all the detection and response pieces and you also have to invest in the prevention piece and your budget doesn't change, right, do you need to take some stuff away from the detection and response piece to actually put into the prevention piece, or do we really have to accept that we're going to have to up our budget a little bit?
Speaker 2: I mean, I think it's a little bit of both. You know, I think when organizations go back and evaluate what they're doing from a preventive perspective, there might be some things that are already being achieved with the, you know, technologies and capabilities that have come with detection and response.
Speaker 2: But I think it's a matter of evaluating the stack, making sure you're getting the most out of what you have, that you don't have duplicative technologies. A lot of organizations do, and you'll probably find ways to save in there. Also, streamlining teams. You know, having six, seven, eight different technologies means you've got to have six, seven, eight types of skill sets. So where you can streamline on technology, so you can do more with less, that's helpful as well to find those savings. But if you're a streamlined and lean operation and you've already done those things and you need further investment, then yeah, you do have to ask for those things.
Speaker 1: Do you think that existing teams that have been working on detection and response are also fit for purpose when it comes to the prevention piece, because you've mentioned the skill set that you need, right?
Speaker 2: It's a different mindset as well.
Speaker 1: Do you need to find all the hard-to-find people? Or just call companies that offer managed services and do it for me?
Speaker 2: Yeah, I mean that's where a lot of organizations are shifting, right, outsourcing, because it is hard to keep up, it's always changing, it's hard to keep talent, and I don't think the same person that's going to be, you know, in a security operations center hunting for threats, responding to threats, is the same person that's going to do vulnerability management or security awareness training, right? Those are very different skill sets and mindsets and desires in terms of what those resources want to be focused on.
Speaker 1: Do you have a positive outlook on this proactive kind of thing?
Speaker 2: I mean I do, because there's a path.
Speaker 2: There's a lot of work to be done, but I mean it's a path and it's one that gives us the ability to not feel defeatist, right, to the points you made earlier, because it gives us a way to, okay, I'm going to look at my whole program and I'm going to prepare for what I know to prepare for, and then I'm going to have a plan for if something comes up that I wasn't ready for, and there's no way to say I'm done. You just have to understand where you are, where the priorities are, and continue to improve. The hardest part is getting this in place in the first place, but then you get it, you know, functioning like a well-oiled machine and it feels less defeatist because you're always getting better. You know, you feel like you're better prepared and you get positive outcomes, more buy-in from the business, things like that.
Speaker 1: I think that's a very important point, right? So preparing for this brave new world, so to speak. And I think you're right when you point out that that's the hardest part, because it is. There is lots of easy talk around, ah, but you should first know what's important to you and you should look at this and that, but that's not as self-explanatory as you think it is, right?
Speaker 2: A lot of stakeholders, a lot of opinions.
Speaker 1: And also it sort of forces you to really have an introspective view on things. What exactly am I trying to do?
Speaker 2: And you have to build relationships, right. There's conversations where CISOs don't have a seat at the table, so they don't have visibility into the strategic initiatives of the business to make the right decisions, and so doing this well requires building those bridges, fostering those relationships, having a seat at that table, at least enough to get the information needed to drive the program forward.
Speaker 1: I'd like to end with some concrete tips and things that you can tell people that are struggling with this concept of how to incorporate some proactive resilience with all the other resilience. Yeah, yeah, are there any concrete tips you can give them?
Speaker 2: Yeah, like I would say, don't boil the ocean. You know, there's a lot of advice out there, but every time someone asks me, how do I? My answer is always, it depends, right, because you have to know where your organization is and where your organization is trying to go, what your budget looks like, what your resources are, and that's going to change for every single organization. So establish a baseline, establish a goal and then put a plan in place to get you from A to B. But, most importantly, make sure it's aligned with business outcomes so that when you're talking to leaders that are listening in dollars and cents, you're not talking to them in bits and bytes. They don't care about that stuff, right? And something very important to remember is, yes, as security leaders, security teams, we're responsible for protecting the business, but we're also responsible for enabling the business. So the more we can articulate that that's what we're doing, I think, the better off we'll be in terms of getting what we need to do it.
Speaker 1: And that makes perfect sense, but it's not always easy to do, right? It's not, because there are some things that you need to get budget for from people that are thinking in dollars and cents, or euros and euro cents or whatever your currency is, that you don't really have a concrete roadmap or path forward for, right, and you may not even know how much you need from them. I was thinking specifically about PQC, the post-quantum kind of stuff that is now happening. The security world has already been working on that for a long time. They actually do things and progress in that area, but there's still this talk, oh, it's going to be 2030, 2040.
Speaker 1: But you need to prepare for it now, because otherwise... I heard a story yesterday or the day before from somebody at a bank. He said, well, I have to be PQC-ready with all my 30 million endpoints, whatever it is. That's going to take me 10 years, but you do need to get budget for doing that. But you don't know. So, of the three or four things you always have to ask for or explain to somebody who's giving you budget, yeah, you can only say, well, I only have one of the four.
Speaker 1: Yeah, yeah, how do you?
Speaker 2: That's also a real thing, right? It's a real thing, but I think it's about being realistic about time frames, right. Here's what we need to do right now for today. In 12 months, we should be thinking about this. Five years from now, we need to be ready for this, right. So, if I have one thing that I can get budget for, well, I need the thing that's going to drive something in the business now, but that doesn't mean I shouldn't present the things that I'm worried about, you know, that are coming in the next 12, 24 months, whatever that is, so that the business leaders can start to think about that.
Speaker 1: So it's not a brand new conversation. I hope they do so.
Speaker 2: It's not a brand new conversation when that 12 to 24 months passes and it's like, okay, now remember that thing I've been talking to you about. It's time for us to go do that.
Speaker 1: But be realistic as well, right? Yeah, absolutely.
Speaker 2: Sometimes I say I need $10 million, 20 people and 30 new tools. I'm probably going to say good luck, great, and we won't see you in the next meeting.
Speaker 1: You're not the right fit. No, but I mean, yeah, there is a gradation, or there are different levels of resilience as well, right? So you need to find the sweet spot in terms of resilience for you, for your organization as well, right? And that's not the same for everyone. It is not, so that's always something to think about.
Speaker 2: Absolutely.
Speaker 1: All right, I think if you have any last kind of message you want to share, feel free to do so. I think I have all the answers to the questions I have.
Speaker 2: Yeah, no, I'm good. I mean, the big thing for me is just for organizations to really evaluate the way they're managing risk, because traditional risk management is not enough to keep up with this rapidly moving, hyper-connected world we live in today. So a resilience mindset is absolutely necessary.
Speaker 1: But understanding that, and just to be clear, what is the traditional risk management mindset?
Speaker 2: Just identifying risk and choosing a risk response: mitigate, transfer, avoid. We have to do more than that. We have to be more proactive, because we do a risk assessment maybe once a year, but our risk changes probably every day.
Speaker 1: I think that's... I've heard somebody coin the term continuous compliance, maybe continuous risk. Those things are linked somewhere, in my head at least. Don't make it into something that you have to do once a year or once every six months. Make sure it's continuous.
Speaker 2: At the very least dynamic, right. Because going from once a year, point in time, to continuous can be hard, but dynamic is a stepping stone in between there. So we were doing it once a year, maybe let's revisit once a quarter to make sure we're focused on the right things and graduate eventually to continuous.
Speaker 1: And that may need new technology, but then you should look to people that you consult with or whatever can help you to get there. All right, well, thanks a lot for joining. I think it.