Navigating Forward

Cybersecurity: Series highlights

August 14, 2023 Launch Consulting Season 4 Episode 9

On this episode of Navigating Forward, Mike Halstead and Creighton Adams from Launch Consulting share highlights from the special Cybersecurity series. From trends and predictions to the benefits and potential challenges of AI and machine learning, and from best practices to getting the basics nailed down, listen in for tidbits from the season. Then be sure to check out the full episodes with Matthew Rosenquist, Rami Zreikat and Trinh Ngo, Mike Bochniarz, Jiong Liu, Clement King, and Bruce Hembree — along with a crew of internal Launch experts. 

To learn more about how to develop your organization's Future State of Cybersecurity, go to launchconsulting.com/cyber.

Follow Mike Halstead at https://www.linkedin.com/in/mike-halstead-77bb6018/
Follow Creighton Adams at https://www.linkedin.com/in/creighton-adams/

Narrator
Cybersecurity is one of the most important and most complex aspects of modern business. Ransomware and other cyberattacks are skyrocketing. Millions of security jobs remain vacant, and in the age of AI, new opportunities and threats are growing quickly. In this special series from Navigating Forward, security and business experts from Launch Consulting explore the evolving landscape of cybersecurity across industries. Along with a slate of distinguished guests, we’ll discuss how organizations can build healthy habits and practices that promote cyber resilience for the long haul. Join us as we uncover what businesses need to do now to prepare for what's coming next. This is Navigating Forward, the Cybersecurity series.

0:49
Mike Halstead
Hi, this is Mike Halstead here with Creighton Adams wrapping up the Navigating Forward Cybersecurity Series. We’ve had some great guests and want to share some of the highlights from the series. Matthew Rosenquist shared his enthusiasm and cyber trends predictions for 2023. Knowing that in cybersecurity there will always be headwinds, Matthew explains how to effectively navigate these stormy seas.

Creighton Adams
Rami Zreikat and Trinh did a great job in explaining the importance of measuring cyber risk.

Mike Halstead
And Creighton, Liz, and Kurt from Launch Consulting helped us understand good customer engagement through asking the right question and being good advisors.

Creighton Adams
Mike Bochniarz shares his wisdom on the importance of a solid third-party management program and why acting now is more important than ever to know your 3rd and 4th parties to ensure your data and information is safe.

Mike Halstead
Jiong Liu provides us a breakdown of the cloud space and shares best practices to help in the cloud migration journey in a secure manner.

Creighton Adams
Clement King provides a great narrative on why security compliance is critical for organizations to prioritize and maintain and the consequences if they don’t. 

Mike Halstead
Bruce Hembree wrapped up our podcasts with a riveting tour through the world of threat intel and defense using AI and machine learning.

2:00
Matthew Rosenquist
Matthew Rosenquist, I'm a CISO and cybersecurity strategist. My passion is really around making digital technology more trustworthy. So, I spent 24 years at Intel as a cybersecurity strategist. I built their first security operations center and managed it. I was the first incident commander for Intel, so any time that company got attacked anywhere in the world, right, I led that crisis team. Throughout my history, even with Intel, I was working very closely, and I still do advise and consult academia, businesses, and governments around the world in regards to industry best practices and what's coming next, because that's really where our eyes need to be. We can't be just looking at yesterday or today. You know, you will always be behind. You will never catch up, you will never win, you will never get close to winning. But you need to have your eyes on the horizon to see what's coming. So that's what I tend to focus on. And I do a lot of blogs and podcasts, and I speak internationally at conferences and things of that sort, because we all have to communicate, we all have to collaborate. It's all of us against the bad guys.

Mike Halstead
AI’s been operating behind the scenes for some time now, it's not new. However, with the evolution of ChatGPT, now it's coming to the forefront. Everyone's using it. I think people are really excited about it. So, I guess the question to you is what is your view on how this fundamentally changed the game for the good and also for the bad? 

Matthew Rosenquist
So, there are wonderful innovations in technologies and AI’s been around for a while, but we really have seen an uptick. You know, we've seen an accelerated pace of advancement and that's not going to slow down, by the way, right? We're using AI to help make AI better now. So, it is on an acceleration path. Everybody agrees to that. But AI is one of many different disruptive technologies. So, when you look at AI or blockchain or quantum computing or whatever, all these technologies are incredibly powerful. They're just a tool, though. The thing is, with a powerful tool, you can use it for good, but equally you can use it for harm and malice. And what we see with every single powerful tool that has come out in the digital world is they’re used for both. That is the reality, right? An attacker is not going to stand back and go, wow, really powerful tool that can make me a lot of money or get me to the objectives that I want, ahh, I'm not going to use that.

Matthew Rosenquist
No. In fact, attackers tend to lead the pack. They tend to adopt very powerful technology well before anybody else. And that's part of the nature of the game in cybersecurity, right. The attackers tend to have the initiative. They decide what to attack, how to attack, what methods, all that. And defenders tend to respond to those attacks. So, this is the nature of it. Yes, AI is that next tool, powerful tool that is being embraced by the attackers. And the defenders are having to, okay, respond to that. How do we deal with this? And they're going to be using those same tools in a defensive manner to be able to predict, detect, respond, and even in some cases prevent some of those attacks that the attackers are going to use. But we're always going to be one step behind. So, yes, new technology, powerful, capable for tremendous benefit, but equally so, we have to recognize the risks that there is an equitable amount of potential harm that we need to try and think ahead and get ahead of, right, before we feel the pain. But there will be pain.

Mike Halstead
And just for the last segment of our podcast, Matthew, if you could walk us through any predictions, trends from your perspective on what organizations can do better as they navigate forward? 

Matthew Rosenquist
For 2023, I'm looking at a couple of major themes, right? First off, because of well, let's just say some international activity, we're seeing nation states, especially aggressive nation states, waking up and consciously deciding I need to have a well-oiled offensive cybersecurity capability. I need to be able to essentially attack other countries, even ones that I'm not bordered with and go after their critical infrastructure or their finance, their political system, all sorts of things. And they are making that conscious decision. And as part of that, they're also making a decision that I'm willing to deploy this. I'm willing to go after.

Matthew Rosenquist
Okay, and you might think, hey, I'm a medium business owner, small business owner. That doesn't matter to me. Wagner is not going to come after me. Well, actually, it does impact you. It impacts every single one of us, because here's what happens. A government spends a billion dollars on a new piece of malware, super complex that could only be funded, right, at a government level. All sorts of different vulnerabilities discovered, exploits to go after them, sophisticated professional code. As soon as they hit the button and it releases into the world, it's open, right? You have everybody out there, not just the security researchers grabbing it.

Matthew Rosenquist
Everybody, including other cyber criminals and cyber researchers and black hats. They grab it, they tear it apart. Let's find some interesting stuff. What does a billion dollars buy you? Wow. Look at all these zero-days. Wow. Look at all this professional code. And like Frankenstein, they grab those pieces and put it into their malware. And their malware is going after grandma. It's going after you. It's the phishing attack, right? It's the ransomware attack. They're going after just anybody that's available, right. Their motivation is money. You got money, we’re coming after you. So, it is everyone's problem because now you have top tier quality code and vulnerabilities used by everyday little petty hackers.

Mike Halstead
So, this can be a bit daunting listening to this, Matthew. And I guess the question is, is that what are some things that organizations can do, like if say, well, we have offensive nation states that can be very scary, right? They're obviously not going to be able to manage that on their own. But what can they do to protect themselves? What would you say are the, you know, top three things that they could do. 

Matthew Rosenquist
First and foremost, do the basics. And you would think, oh, well, of course, everybody understands that. Yeah, it makes a whole lot of sense. But unfortunately, a lot of organizations out there don't even do the basics. And if you're not even doing the basics, it's guaranteed you are going to suffer. You are going to learn some very painful lessons eventually. But do the basics. Step one, basics. Step two, right. And this is really kind of head and shoulders above that, is you actually want to be competitive. So, look within your sector, see what your peers are doing. Right. This goes back to the analogy of, you know, hikers running across the bear who's charging them, right? You don't have to outrun the bear. You just have to outrun the guy next to you. So, the simple fact is, don't be the easy target in your sector, because if the attackers are going after the healthcare sector or attackers are going after the finance sector, guess what? Most of the cyber criminals, they're kind of lazy, just like you and me. Okay, not lazy, let's just say efficient, right? They want the path of least resistance. Where's the easy button?
---------
9:58
Rami Zreikat
My name is Rami Zreikat. I started a company called xTerraLink. I started it when I left Intel because at Intel I was doing quite a bit of cybersecurity and the last project we were working on was a joint venture between Intel and G.E. So, I wanted to come out and take these best practices and see if I can deliver some of that to small and medium business. And my first consulting was for small business, and then I moved into doing consulting for the state of California. So, I have a lot of clients with the state of California, and we focus on NIST compliance, on cybersecurity, and privacy compliance. We do audits and we do assessments and write reports, and we also are advisors to some of the state agencies.

Mike Halstead
Excellent. All right, Trinh, can you give us a little update on your background and passion?

Trinh Ngo
Yes. Hi Mike. Thank you. So, my name is Trinh Ngo, and I have over 30 years of experience in IT. So, I started out as a developer and went into systems administration and then, you know, product and program management. In the last 30 years, I've been in multiple industries. It's been a really great journey. And transitioning from IT operations to cybersecurity and risk management has just been, you know, the culmination of all of that experience. Right now, what I do is a lot of assurance. So, trust, digital trust, and that’s what we hear a lot right now is around digital trust. So, risk management, cybersecurity, all of that. So that's my area of expertise. What I'm passionate about is, you know, educating the next generation of cybersecurity professionals. And you cannot be an IT professional these days without understanding, you know, risk and cybersecurity. 

Trinh Ngo
So, Mike, do you get on rollercoasters?

Mike Halstead
Yes. And I'm very scared of them. I’m scared of heights. It's the going up, right, that I don't like. After that, I'm okay.

Trinh Ngo
So, Vidhya, do you ride rollercoasters? 

Vidhya Sriram
Yeah, I do.

Trinh Ngo
Yeah. What about you, Rami? Do you ride rollercoasters?

Rami Zreikat
I’m like Mike, I am very afraid of heights, and I don't like to scream. That's embarrassing to me.

Trinh Ngo
And the reason I ask is this. Risk is relative when you talk about people, right? What's risky for Mike and what’s risky for you, Vidhya and for you, Rami, may be different for me. Right. And it's different for all of us. So, you have to understand that. So, what you want to do is you want to make sure, like Rami said, it doesn't matter about the tool. You can pick any tool you want, as long as you're consistent when you're doing your risk assessments. But what's really important is that you have somebody who understands risk, who is facilitating that conversation and utilizing that tool correctly. You want to make sure that, number one, you have somebody who understands risk. And two, that they are educating the group that's going to be performing the risk assessment. So that way everybody’s speaking the same language, everybody understands, you know, for your organization what's low risk, what’s medium risk, what’s high risk.

Vidhya Sriram
So how do companies identify what is most critical for me? What is important, what is critical for my business? What are the first principles in your viewpoint?

Rami Zreikat
So that's back to understanding your objective, right? Your company’s objective and what kind of data you have and how do you protect it? So, once you understand the data and what, how important that data is to your business, then that’s what drives the controls or the risks that you want to mitigate. So, you base your risk based on the criticality of data that you're servicing or you're ingesting or you're communicating.

Trinh Ngo
I would say, what are your crown jewels? Right? That's really what the question is. What are your crown jewels? So, once you identify what your crown jewels are, you put your controls, you put it inside of a castle, like maybe up really high, right, and, you know, a gazillion stairs, you put some knights in front of it to guard the stairs, you put a moat. So, it's hard to cross. With a bridge, right, with somebody guarding the bridge. Get together and say, hey, what are our crown jewels from a data, like from a data perspective. And how are we, you know, how are we protecting them? What's the castle? What's the guards? What's the moat?

Mike Halstead
Any final thoughts before we close today?

Rami Zreikat
Do not underestimate the exercise. Do not underestimate the need to do a risk assessment or at least understand your threat landscape, right, as an organization. It's very important for you to at least know that any time a server is connected to the internet, within 3 seconds that server is being scanned. So don't think you're not going to be protected. So, understand there are people that are interested in your data. If it's not nation state, if it's somebody who's just interested to practice. So, take that seriously. 

Trinh Ngo
My final thoughts are just this. If you're listening to this podcast, you're already on your way. So, you know, being aware, understanding, and then just trying to identify your risks and then manage them and then communicate them. Sounds really easy. It actually isn't that hard once you start doing it. It's just getting there and just doing it and learning as you go along. A lot of companies learn as they mature and so that would be my final thought. Just, you know, don't worry about it. Figure out how, you know, where you are if you want to get some, you know, assistance, if you want to learn some more, there’s so many resources and there's so many companies out there, it's just taking those first steps and actually doing the work. So, wherever you are on your risk journey, I wish you good luck. And I'm sure you know, as time goes by, you're just going to get better and better. And thank you so much for inviting me.

Rami Zreikat
Another thought that comes to my mind that I wanted to share is that risk, it is a journey, right? It is not something that you do once and then you place on the shelf, then you forget about it. You have to continuously assess your risk.

-----
16:22
Creighton Adams
Joining me today being Creighton Adams, myself, the Cybersecurity Director, and my colleague in crime, Kurt. Why don’t you speak a little bit about yourself?

Kurt Alaybeyoglu
Hello, everyone. I'm Kurt Alaybeyoglu. I’m the Director of Compliance here at Launch. A little bit about myself, where I got into the world of cybersecurity in the civilian world, I was an Air Force cyber warfare officer for eight years, graduated the academy 2010 and went and worked at a number of different locations. Andrews Air Force Base, doing nuclear command and control cybersecurity, and at NSA Georgia on the offensive side, doing a bunch of work with the 105th Combat Cyber Mission Team. Got out after eight years and then went immediately into cybersecurity on the civilian side and found my calling in ICS and OT and developing and engineering solutions.

Creighton Adams
Thank you much, Kurt. And also, colleague here on the engagement side, Liz. And you want to speak a minute about yourself?

Liz Gerson
Sure. Thanks, Creighton. I'm Liz Gerson. I'm an Account Executive with Launch Consulting. I've worked in the technology space for about 12 years now in different capacities, helping to build engineering teams within early-stage startup companies and then working with well-established clients across many different industries, helping to find talent within engineering, build teams, and help solve some strategic initiatives and have done a lot of work with our teams specifically in the cybersecurity and compliance space.

Creighton Adams
Fantastic. Thanks, Liz. So, let's go to the next item. We're working with a Fortune 500 electric and natural gas utility serving several markets. What's some backdrop on that story, team?

Liz Gerson
That's been kind of a fun story, a fun process working with that organization. Through the course of conversations, we started discussing performing a risk assessment of their ACH systems. It was something that they needed to have done and Kurt I'll let you expand on this as far as, I guess, what ultimately they were trying to achieve with this.

Kurt Alaybeyoglu
To give more context around that, essentially it was an audit, kind of. It was also a risk assessment, and it was also taking into account threat modeling. It sounds kind of a strange combination, but a threat is a key part of risk in that risk is actually if you, if you try to break it down into an equation, breaks down into three different parts, that is threat, vulnerability, and consequence. When you combine these three things together, you get risk and most people oftentimes will equate sometimes threat to risk, sometimes vulnerability to risk or sometimes impact to risk. And the reality is all three of these things combined together are crucial elements to be able to identify and quantify risk. So, when I initially presented the method that we were using to conduct this assessment, it started with threat modeling.

Kurt Alaybeyoglu
So, we started with this is your threat profile. These are the bad guys that are interested in you. These are the techniques that they've used in the past against organizations that are similar to yours. Now that we understand that, now that we have your tech stack, now we know what you're using. Now we know what you can actually collect on. So, this allows us to then say, all right, we got your threat model. Now we have your external threats. That's the bad guys that you need to protect against. You’ve also got auditors. Those are a threat for you, too. And they kind of laughed at that. But I said, but no, but seriously, because they're the ones who are going to come in and they're going to look to see whether you've been a good boy or a bad boy or good girl, bad girl, and whether you can follow these rules.

Kurt Alaybeyoglu
So, you need to treat them as an adversary, and you need to make sure that you have the data collection and the pieces in place to be able to satisfy the criteria that they need. And so, once I was able to point that out and show right now that we know our threats and we're able to take that and tie all that together and say, all right, here are your vulnerabilities, here are the things that we know you're not following. And we're able to tie all of that together in a nice, neat bow, and be able to point and say, here are the things that you're following. Here are the things you're not doing. Here's how it affects externally with bad guys and here's how it affects you with audit. Here's how we tie that together in a nice, clean, point-based quantification. And to be able to then prioritize and say, here are the things that you need to focus on. You need to get this A, B, and C done first because it can have a serious outcome, whether it's from bad guys coming in or whether it's from an audit.

Creighton Adams
You know, at the end of the day, we're still also humans. We're working on computers; we're interacting in groups. But when you see, like how I've always read it and let me know if this resonates, when the engineers get together and they keep talking engineer and they're excited about it and you see the energy level rise, just let them keep engineering. I'm going to go ahead and have a conversation with the business owner and the stakeholders to make sure that we're satisfying their needs that came from either external parties or internal needs and then check in every once in a while. Are the engineers still engineering? Are they tired? Do they need a pizza? Like what's going on in that engineering bucket? You know, there's little details that play out because, again, with cyber, there's some sensitive information that might be shared. So how can we build that trust? It's that honest action through time and then bring out other relevant details that we've worked on before that have worked in the past and hopefully that can mold to the situation that's at hand, because, again, it'll be hard, not impossible, but hard to know as much detail as some of those cyber leads and translate that to business detail that they need to adhere to.

Liz Gerson
I think Creighton that sort, that leads me to, you know, as advisors, we're not coming in and just telling people what to do or pointing out what they're doing wrong, but partnering with them to say, okay, here's what we're discovering, here's what we're finding, and let's work together to find the best solution.

-------
22:44
Mike Halstead
Today, we'll do a deep dive into best practices for understanding and managing third-party and supply chain risk. I'm pleased to be joined by our special guest, Mike Bochniarz. He leads third-party risk at Cross River Bank. Mike is a risk executive and advisor with experience at large international banking and Big Four. My Launch partner is J.R. Reed. J.R. is Director of Client Services at Launch Consulting. J.R., a quick introduction on yourself.

J.R. Reed
Hey, everybody. I've been a consultant for over 20 years focusing on the intersection of data and analytics, large scale transformation, and the financial services industry. Got an interest and passion around novel approaches to measuring, reporting on, and managing risk. As part of Launch, I run our client services across banking, fintech, and insurance clients. Mike, you want to give a little bit on your background and areas of passion?

Mike Bochniarz
Sure, so I have spent most of my last ten years in financial services, a large global bank and Big Four. Have found my time advising business and functional teams across the industry with whether it's compliance, risk, and touching into the third party risk space and mitigating risks, you know, through the different risk stewards, whether it be compliance, BSA/AML, your IT, you know, a standard and bringing those risk stewards together to look at holistic risk management principles and mitigating those risks through that third party reliance for your organization.

Mike Halstead
Great. Thank you, Mike. What is third party risk and how does supply chain risk fit into the broader topic?

Mike Bochniarz
Yeah, so when I get that question generally I like to start where third-party risk management and the lifecycle that tie in to managing the risk, identifying the risk, and overseeing those risks. So, it really starts with when you think of the lifecycle, you have planning and due diligence activities that really identify and articulate what that inherent risk exposure could be for that third party relationship. That will also tie in to identifying the risks that you would want to mitigate through your contracting and onboarding related activities. You might have data considerations that you want to bake into that contract, data destruction. You could have all the regulatory and compliance requirements that you may want to build into that contract. And then through onboarding activities, you may identify, you know, through exit strategy perspectives if you were to need to exit that relationship, identifying really before you contract and as you’re onboarding, what components you'd want to tee up for consideration as you move through more on the ongoing monitoring.

Mike Bochniarz
So that really third and fourth lifecycle component, monitoring that relationship risk that might be exposed through that relationship, you know, two or three years in that you might want to evaluate, reconsider, amend the contract that ties into your really fourth and fifth life cycles for amending a contract, looking at offboarding and exiting that relationship, picking back up on the risks that you identified upfront, maybe some of the contractual provisions that you would actually use as your guide for exiting that relationship or needing to go back to the table and renegotiate given current events. As you mentioned in the beginning of the introduction, there might be an occurrence that occurs, a cyber incident. It could be another regulatory compliance matter that you really want to go back to the drawing board with your third party and reevaluate the risks that are, you know, exposed through that relationship and perhaps implement new controls or renegotiate the contract.

Mike Bochniarz
And if that third party is not willing to negotiate, evaluating whether or not you need to terminate that relationship. That's really looking at that lifecycle, the key components across that and tying in to, you know, where you could have disruption of services. So, the inherent risks that you identify early on in that lifecycle through the ongoing monitoring relationship and seeing where there could be a disruption on that third party providing the product or service back to you, whether it's a software provider or a vendor related service or a third party that's providing marketing related services. If they have your customer information, if their fourth parties, well your fourth party, their third parties, or maybe their fourth parties could also have an impact to your overall risk exposure as an organization and looking through the lens of how you mitigate that upfront, monitor those risks so you can be proactive and quickly react to a current event.

J.R. Reed
What are the other benefits of overall kind of third-party management to, you know, both the organization and, you know, its stakeholders, its customers and partners?

Mike Bochniarz
I think key is, you know, it identifies and mitigates those inherent risks. It provides clear roles and responsibilities where you have established frameworks for managing those third-party risks. The greater and clearer that framework is, the better ownership there is across the organization to really own and move forward those third-party risk management principles throughout that lifecycle, whether it's pre or post contracting related activities.

Mike Halstead
How would an organization know if they're doing well in third party risk management?

Mike Bochniarz
So, you like to rely on upfront risk identification, the key controls that you have identified through that planning and due diligence activity and through onboarding of that third party relationship. So, what you would expect to see across the industry is your ongoing monitoring activities is really monitoring that control effectiveness for what's mitigating those risks and then also having tools and systems in place that help automate some of that oversight activity. Looking at industry trends, you know, what are the current trends? What are the exposures to your third-party risks and being proactive in implementing enhancements to those controls that maybe you have already identified, but because of a recent current event, you need to pivot. Reaching out to your network that may be involved in the same areas, and looking and learning about what are the, you know, next up and coming enhancements that can be done within, you know, the third-party space.

--------
28:56
Mike Halstead
Today, I will be exploring a critical topic that affects businesses, organizations, individuals alike – the importance of cloud security. With the rapid advancement of technology, cloud computing has become an integral part of our lives, from storing our personal data to hosting mission critical applications for businesses. However, as with any digital platform, security concerns are paramount. Today, we will embark on a journey to uncover why cloud security should be a top priority for individuals and business. We’ll explore the potential risks and vulnerabilities that exist in the cloud and discuss the proactive measures you can take to mitigate those risks. I'm delighted to be joined by our special guest, Jiong Liu, Senior Director of Product Marketing at Wiz.

Jiong Liu
Yeah, thanks for having me. So, I'm Jiong Liu, I’m Product Marketing at Wiz. I'm really passionate about helping organizations realize the benefits of the cloud in a very secure manner. So currently leading up messaging, positioning, product launches, all that good stuff at Wiz. And actually prior to that was over at Okta also helping organizations adopt cloud securely as well.

Mike Halstead
So, the cyber threat landscape is constantly changing on a very frequent basis. What would you say are the recent trends in the cloud space and why should we be concerned about those?

Jiong Liu
Yeah, so as you mentioned, the cloud is constantly evolving and actually our research team put together a report recently on some of the top trends that they were seeing, specifically around the threats that they see in the cloud and they came up with four, you know, really notable trends and high-profile kind of attack patterns that we saw recently. So, the first one was really around API security. You may recall last year there was a pretty large-scale breach over at Optus, amongst others, where it was really just a misconfigured API endpoint that didn't require authentication. And an attacker took advantage of that and ultimately ended up stealing thousands of their customers’ records. And this is something that, you know, we see pretty frequently in the news. You know, even in my Okta days, this was something that we saw as well because you had a lot of developers, they’re moving super-fast. You know, they want to expose APIs because that's how you move faster. That's how they're building modern applications. But it really is just a very simple mistake, honestly, that can be taken advantage of and expose really, the crown jewels in an organization. The second big threat that our research team surfaced was really the Lapsus$ attacks that we saw as well. Right. This hit a ton of really high-profile organizations last year. Samsung, Nvidia, Cloudflare, Microsoft, amongst others. And, you know, it's not like this was a very, very advanced band of attackers potentially.

Jiong Liu
Right. The rumors are this is probably some teenagers that are out there, but they attacked a lot of these big companies. And, you know, some of the commonalities that we saw across there was it really was an initial compromise of a user. And once they had taken over that user's identity, they were able to actually escalate their privileges into other parts of the environment and find additional information that they would then extricate. And so, you know, some of the learnings that we have from that is in some ways you have to assume initial access, right? And from there, what else can that person get into? And so again, you know, simple, simple mistake that ultimately led to a much larger outcome.

Mike Halstead
What are the best practices for securing the cloud environments?

Jiong Liu
Yeah, so there's a few different things, right? And they happen at kind of different altitudes. I would say, you know, one of the best practices that we're really starting to see form out there is recognizing the fact that securing a cloud environment cannot be only the responsibility of a security team. Because the cloud is so decentralized that ownership is sort of all over the place, you have to have security champions across your organization and you really have to think about cloud security as, you know, a team sport that spans security, your dev teams, your DevOps. They have to work hand in hand to understand and control risks across the pipeline. I heard this analogy the other day and I think it kind of sums it up well: you know, what we're doing here, especially with the cloud and all of the advancements that are happening, is we're moving from like, you know, horse-drawn carriage to a car now to like a train and maybe a plane. And it all allows us to unlock new capabilities, allows us to unlock new business models and allows us just to move a lot faster. And we can't have security just be like, oh, no, we're not going to make these like transformational shifts in our business. It's more about like, oh, no, you need seatbelts, right? And you need your airbag, right? Like what are those security controls that we can put in to make moving faster safer?

-------
34:17
Mike Halstead
Today, we'll do a deep dive into regulatory and compliance, exploring why this is important to your organization. What are the benefits of being compliant? But also, what are the consequences if you're not compliant and why this should remain a focus area for you. I'm pleased to be joined by our special guest, Clement King. Clement is a C-suite banking executive focused on risk management and controls, and Morganna Hodge, who is a Compliance Manager from Launch Consulting. Morganna, a quick introduction on yourself, including your background and passion.

Morganna Hodge
Thanks Mike! I have worked for the last five years in various industries, from financial to tech to now consulting, really driving their compliance efforts in a variety of scoping and really hammering on the importance of audit when you're thinking about regulatory compliance and how that interacts with your business and your processes. I come into the organization, and I like to say compliance with compassion because it can be an interesting and scary adventure for some people. And I like to take the fear out of that.

Mike Halstead
Awesome. So, is there also an audit with compassion? Because I don't think Clement and I have experienced any of those.

Morganna Hodge
Yeah, absolutely. I think audit with compassion is in there, too. You know, you need the facts and the figures, but you know, there's always ways that you need to address it and establish it and create those plans when you know something's, something scary does arise.

Mike Halstead
For sure. Awesome. And then finally, Clement, our special guest, a little bit about your background and passion.

Clement King
Yes, I'm a senior banking executive. Mike and I shared a similar organization for a couple of years, which was an amazing experience, really helping to educate the board on what cyber risk compliance meant, helping to educate our executives, and then also how to educate our customers when something actually went wrong. My passions are all about risk management and compliance, but not using those words. And what I mean by that is, it's helping the business achieve their objectives, but making sure we do that with risk management and compliance on our forefront. And it's also all about people and culture. So, separate to the banking world, I'm also a board member of two nonprofits. The reason why I bring that up is because what we're going to talk about today doesn't just apply to the financial industry. It can apply anywhere. Having a good compliance program impacts your customers, your stakeholders, and everything that works with it.

Mike Halstead
Question for you, Morganna. So, I know we talked about it a little bit, but could you elaborate around why is regulatory compliance important?

Morganna Hodge
Really it's to avoid those legal and financial ramifications of not being compliant, having those regulators come down on you for the noncompliance or inadherence, and so it's to avoid those penalties and fines, even up to some licensure revocations as well, and potential lawsuits and settlements that can come as a result of, you know, not handling your data or handling your environment appropriately. And then also, like Clement said, like at the end of the day, you want to instill confidence with your customers to drive that possibility home. And that's what regulatory compliance does. It signals to your customers and your partners that you understand your business, you understand your landscape, and you're a good place to invest it as well as, you know, protect from cyber-crime as we've discussed and create system and operational effectiveness. If you know what your processes and procedures are against those regulations, it makes it really easy and, not really easy, but it makes it easier to address them and drive your policies and processes to a place that you know that you can attest to for your regulators.

Mike Halstead
Great. Clement, anything you want to add on that maybe, focusing in on the benefits of regulatory compliance?

Clement King
I'd say the first benefit is your customers have a better experience. If you always have compliance in the back of your mind, the client experience will be better. The second, especially in today's environment where we're focused on cost, having a strong compliance program means you won't have to pay the large fines that Morganna talked about. And the third, it's kind of a non-negotiable. If you don't have a strong regulatory compliance background, you lose your license, you lose credibility, your stock tanks, so regulatory compliance isn't something that's optional. It's more a matter of how you do it in the most effective way and how you ensure the governance is there to have those right conversations.

Mike Halstead
Okay. Coming to the last question here and I'll ask both of you, maybe give me two or three best practices that organizations can implement around regulatory compliance.

Morganna Hodge
Make sure that you're creating strong partnerships with your compliance teams and your risk management teams. I think so often those teams are, you know, the scary bad guys, but they don't have to be. If you get us and get them involved in the beginning, it makes the process so much easier. So, driving accountability and driving strong partnership with your, you know, your compliance office and risk office is going to get you so much farther than, you know if you fill them in in the back.

Clement King
I love that because especially as teams build new products, new systems, new processes, getting your risk compliance officer engaged in the beginning, means you can just develop a much better solution rather than adding controls on at the end.

Morganna Hodge
Exactly.

--------
39:59
Mike Halstead
Today, we'll deep dive into the extra credit, or the 20% that's required to help protect your organization from advanced adversaries and threats. We'll provide thought leadership, practical ideas, along with takeaways for your consideration. I'm pleased to be joined by our special guest, Bruce Hembree. Bruce is an Air Force veteran specializing in anti-terrorism. He was part of the Microsoft Digital Crimes unit, an elite unit fighting organized cybercrime, taking down some of the biggest botnets out there.
Bruce Hembree
I come from the Information Warfare groups of the United States Air Force and am currently the Field CTO for the Cortex division of Palo Alto Networks. I did used to run the operations for the Digital Crimes Unit at Microsoft. The DCU is where we were looking at the way that organized crime groups and nation state threat actors were building their threat ecosystems, and then we would exploit the vulnerabilities in those architectures to seize them and take them down.

Mike Halstead
Awesome. Thanks, Bruce. So, we've already spoken about the importance of good cyber hygiene. So, assuming that an organization has addressed the good hygiene side of it, Bruce, what are other areas companies or organizations should focus on to secure their environment?

Bruce Hembree
Then the next thing that I would be looking at is a combination of automation and discovery. Discovery of what you don't know. It's important to understand what you don't know about your enterprise and to make that an ongoing process. That's something that we do internally within our SOC here at Palo Alto Networks, we are continuously doing self-discovery both internally and externally, and then we have keyed automation against that so that if something new is discovered, it is placed in a place where it's not supposed to be or it's in an unpatched state, whatever the circumstances are, we want to make sure that we are responding as well as we can to those things that pop up, because you have to be graceful, you have to be efficient in the way that you defend an organization. And expecting the unexpected is critical. And then make sure that the discoveries that happen there aren't wasted. Don't collect data unnecessarily. Do something with it. Humans are notoriously unreliable. We get bored, we get frustrated, we get angry, we get sick, we go on vacation, all the things associated with being human. If you have automation tied to the discovery process, then it can have that gating factor of a human waiting on them when they return.

Creighton Adams
So, engineers love to spend time building. What has been a good approach to bridge the gap between business needs and their deliverables, while allowing engineering such space and time to develop solutions that are not in existence yet? 

Bruce Hembree
Engineers, they are creative people. They are, they need that time to create. And everybody has our daily workload. Everybody has something that you have to do. That quotidian thing, the tyranny of the urgent that's constantly weighing down on you, that is always going to be there. But there needs to be a time in your day where you are working on that creative outlet. The side projects that ultimately increase the maturity level of the entire enterprise. That was, in our SOC when I was looking at our SOC, the way that our SOC operates, those engineers that live in that space, they are living under the tyranny of the urgent. Before we had our automation in place, before the machine learning was trained as well as it is today, they spent their entire shift dealing with whack-a-mole.

Bruce Hembree
And that is counterproductive to an engineer, to a creative person, and to the enterprise maturing as an organism. Once we got our machine learning and automation in place, it allowed our engineers to break their day into thirds. One third of their day was spent sitting in the queue waiting for one of the manual events that a human has to touch. It needs a human's wisdom. Machine learning is a brilliant idiot. It will absolutely do the most horrible things if you let it, but it has things that it can do that a human can't hope to do. We can never put these things together. We just don't have that kind of capacity within a single human that I've met. And once you give the machine learning the ability to affect change inside your network and you've learned to trust it, then it becomes the ability for those engineers, those humans to split their day into dealing with the things that they have to deal with, the tyranny of the urgent, back to it.

Bruce Hembree
But then they get to go on their creative pursuits. They get to have that time where they are working on the side project that they wanted to get to. Those side projects that ultimately increased our maturity level with things like the zero trust, things like port security and SSL decryption, URL filtering, all the little side projects that you want to get a chance to get to but never get a chance to touch suddenly can happen. But you've got to have the right solutions in place to help the human be human, help the human get that opportunity to do the work that they are so good at, and the machine learning and artificial intelligence just doesn't do well.

Mike Halstead
So, from your perspective with AI, how does it help or hinder our defenses from a cybersecurity perspective?

Bruce Hembree
Developers over the course of the next decade are going to become curators. They're going to become people that are skilled in building the query that the AI uses to build something for them. And you have to be aware of what that's going to do to the product that is outputted. So that output product is only going to be as good as the query that was built by the engineer that put it together. If you give it a query that doesn't take into account all of the criteria that are necessary for it to succeed in the real world, then you could potentially wind up with a product that is again, fragile. And so, you have to be aware that careful construction of the instruction set that you give to the AI to build something must be complete, it must be tested, it should be thoroughly looked at.

Bruce Hembree
And so, developers are still going to be necessary. Absolutely. We can't get rid of the humans, and we shouldn't get rid of the humans. The humans are the soul inside this thing. We are the ghost in the machine at some point. We become that enabling oversight, I guess, if you will. But you have to be good at building that query. And then the product that's produced must have security, secure coding practices built into the produced product. If you just tell it, go build me this, it's going to take the shortest possible series of steps to get that. If you tell it, go build me this, but use these secure coding practices, then you get an entirely different product.

Mike Halstead
There's plenty more from each of these great guests, so if anything piqued your interest, be sure to check out the full episodes. Thank you everyone for joining our podcast. I just want to reiterate that cybersecurity is not an individual sport, it is a team sport.

Creighton Adams
With any good cyber program, there is a people, process, and technology component to what we do, meaning everyone has a spot at the table for keeping our communities and our companies secure. To find out more on the current state of cyber and how Launch Consulting can help you in your own journey, go to launchconsulting.com/cyber. Stay safe out there.