Navigating Forward

Cybersecurity: Trends and predictions with Matthew Rosenquist

Season 4 Episode 2

Matthew Rosenquist, CISO at Eclipz, joins Mike Halstead and Creighton Adams from Launch Consulting to talk about current trends in cybersecurity, plus predictions for the future — from AI to quantum computing to government-funded malware. 

Security teams are under increased pressure with budgets decreasing and risks increasing as new and powerful technologies are weaponized by bad actors who tend to adopt new technology sooner than the good guys. So, what can organizations do in the face of all of this? Check out the episode to find out what three big steps you can take to help mitigate risks (and how companies and bad actors are sort of like hikers and bears).   

To learn more about how to develop your organization's Future State of Cybersecurity, go to launchconsulting.com/cyber.

Follow Matthew at https://www.linkedin.com/in/matthewrosenquist/
Follow Mike at https://www.linkedin.com/in/mike-halstead-77bb6018/
Follow Creighton at https://www.linkedin.com/in/creighton-adams/

Narrator
Cybersecurity is one of the most important and most complex aspects of modern business. Ransomware and other cyberattacks are skyrocketing. Millions of security jobs remain vacant, and in the age of AI, new opportunities and threats are growing quickly. In this special series from Navigating Forward, security and business experts from Launch Consulting explore the evolving landscape of cybersecurity across industries. Along with a slate of distinguished guests, we’ll discuss how organizations can build healthy habits and practices that promote cyber resilience for the long haul. Join us as we uncover what businesses need to do now to prepare for what's coming next. This is Navigating Forward, the Cybersecurity series.

0:49
Mike Halstead
Hello and welcome to Navigating Forward. I'm Mike Halstead. And we will do a deep dive into the cyber secure world exploring current and future states and what you can do to better safeguard your organization. Today, our focus will be cybersecurity trends and predictions. We are joined by our special guest, Matthew Rosenquist, who's the CISO at Eclipz. Matthew is also a cyber evangelist, coach, teacher, and strategist. I'm also joined by Creighton Adams, my partner in fighting crime at Launch Consulting Group. Creighton leads the cybersecurity engineering teams. A little bit on myself. I lead the Cybersecurity Strategy and Solutions team at Launch. I come from a long career at an international bank and the last 11 years in cybersecurity. My passion is to help explain to businesses what is real, help simplify what it means, and help our organizations understand cyber risk. Creighton, could you do a quick introduction of yourself? What is your background and passion? 

1:44
Creighton Adams
Absolutely. Creighton Adams, Director of what used to the Enterprise Systems now cyber. I love working on computers. I always have since the age of ten. There's a video game called Diablo that I couldn't get running, so I hacked it to make it work. And every day from there forward, I've been addicted to computers and how they function. One of my first official jobs was dealing with Active Directory when I was 15. Got that done correctly and then it continued on forward with ISP management as an engineer and went from a basic NOC technician all the way up to a Principal Engineer for a couple hundred million dollars to over multibillion dollars. Call myself a silicon mechanic if you will. I love how the computer functions and the boring stuff is exciting to me.

2:27
Mike Halstead
Awesome. Thank you, Creighton. And finally, Matthew, our special guest. Please introduce yourself, your background, and your passion. 

2:33
Matthew Rosenquist
Matthew Rosenquist. I'm a CISO and cybersecurity strategist, but I've been in the industry for 34, almost 35 years now. My passion is really around making digital technology more trustworthy and cybersecurity, privacy, ethics, all those kind of things are important foundations to that. So, I spent 24 years at Intel as a cybersecurity strategist. I built their first security operations center and managed it. I was the first incident commander for Intel, so any time that a company got attacked anywhere in the world, right, I lead that crisis team. I managed the security going into the core chips. Did the strategy around protecting our global manufacturing, all sorts of different things. I built out and managed the security for the multibillion-dollar A.I. group. So, throughout my history, even with Intel, I was working very closely, and I still do advise and consult academia, businesses and governments around the world in regards to industry best practices and what's coming next, because that's really where our eyes need to be. We can't be just looking at yesterday or today. You know, you will always be behind. You will never catch up, you will never win, you will never get close to winning. But you need to have your eyes on the horizon to see what's coming. So that's what I tend to focus on. And I do a lot of blogs and podcasts and I speak internationally at conferences and things of that sort, because we all have to communicate, we all have to collaborate. It's all of us against the bad guys. 

4:12
Mike Halstead
Awesome. Thank you, Matthew, and really love your background and then what you can bring to this podcast with your experiences and can help our organizations better protect themselves. So, Matthew, it's been a few weeks since we last spoke and quite a bit has transpired. Not that we haven't had enough volatility to already deal with the ongoing wars in Europe, threats of war, faltering economy, rising inflation, interest rates, elections, you name it, right, dominating kind of the news today. We had a collapse of banks. We have the US government putting pressure on TikTok to sell. The White House just issued a new cyber security strategy. And then lots of discussions around AI, with ChatGPT and also Microsoft recently coming out with Copilot. So, let's unpack that a little bit. So, talk a bit on the bank collapse, and so certainly banks are part of the critical financial infrastructure, and they are very reliant on one another for this to work effectively. So, Matthew, my question to you is, what is your opinion on the potential cyber impact that the bank failures or the struggles that they're having may have? 

5:32
Matthew Rosenquist
Well, first and foremost, I mean, you listed a whole bunch of very interesting things just piling on to the chaos in our world. You know, the first thing we have to recognize is that digital technology, therefore, cybersecurity is tied into all those things. It's tied in to how we live our lives and how we celebrate our freedoms and everything else. The strength of modern countries. And so, anything that goes on is going to have some type of tie back to cyber. And many of the things you talked about were deeply ingrained in what we consider critical infrastructure. The banking sector is absolutely part of the critical infrastructure. Therefore, it is a target for various reasons. And so, when we talk about cyber security, that has to protect it, right? That's part of that complex puzzle that has to protect it. Now, cybersecurity won't protect against bad business decisions if a bank decides to go and invest in something and get shorted or whatever. But they're, you know, banks are notorious targets for cybersecurity. So, yes, cyber plays a role in all of those. And when we see events like that, it's not even necessarily from a cyber perspective worrying about, oh, it's just that bank or it's just that piece of news. Right? We suddenly saw when, you know, these banks, SVB started failing, we saw a whole bunch of new domains be created. Right? That we're seeing that, yeah, the attackers are using those for phishing and for scams. Right. So even though you may not have been a customer, right, or even a customer of one of their investments, it's still going to impact us because now you're going to see a whole slew of things, right? And so cybersecurity is woven into all of those. Now, I haven't seen any major failures come out in the cybersecurity sector. And, you know, people are talking that it may be more difficult to get money for cyber investments and new innovations. So, there will be a long-term ripple effect, but that also is true for other types of digital innovations.

7:45
Mike Halstead
Thanks for that. Yeah. I'm kind of looking at the COVID days. You know, we saw new scams now dressed up as COVID and as you had mentioned, we'll start seeing more of that on the financial because that's where people have their money and they're concerned about their money. So, they need to really be careful before what they click or, you know, someone posing as your bank, right, before they respond to them for sure.

8:14
Matthew Rosenquist
Attackers never let a good crisis go to waste. They never do. So even if you weren't a customer of that, you're a customer of, let's say, B of A, you're going to start seeing scams about that because now you're nervous. And if you see a phishing attempt, hey, B of A is closing, you may want to click it, right? So just don't be lured in. Take that pause and decide what you're going to do. 

8:37
Mike Halstead
So, do you see also, as the banks, I'm guessing they're all getting together with their risk committees and looking at their financial portfolios and where they invest to make sure that this doesn't happen to them. Could that create a distraction in that cyber bad actors love distractions? Do we potentially see that as a distraction? 

8:58
Matthew Rosenquist
I'm not sure if it's a distraction to cybersecurity. Right. Cybersecurity is always an uphill battle. You're always fighting for funding and the hope is you'll never need to use it, right? You won't get attacked. It won't be that bad. And cybersecurity is often seen as a cost sink because to truly justify cybersecurity, you're really investing in something you don't want to happen. And imagine this. Let's say you're a perfect I mean, just a perfect cybersecurity team. At the end of the year, management is going to go, wait a second, we just spent all this money, and nothing happens. Why are we wasting money on cybersecurity? Nothing happens. What a waste. Cut the budget. And if you go to the other end of the spectrum, let's say you are the absolute worst cyber security team, underfunded, incompetent, whatever, and you've been impacted. Again, the C-suite and the board at the end of the year are going to go, wow, we just got brutalized, black eyes, this is terrible. You guys suck. Why are we investing in you? Why are we even spending this money on you? Right? Get out. Let's do something different. New. Let's just get cyber insurance. Right? No matter where you are on the spectrum, from the very best to the very worst, there will always be scrutiny and pressure to spend on cybersecurity. And that's one of the things that the CISOs and the leadership in cybersecurity, we have to come to terms with that before we accept the job, right? That is some of the politics that we have to inherently deal with. And there's not a single CSO out there that hasn't encountered that problem, but that's kind of one of the dirty little secrets in managing security. It's a losing proposition by default and you have to constantly work against those headwinds. 

10:49
Mike Halstead
Yeah, for sure. So just pivoting over to TikTok. So obviously the US government recently banned TikTok on US government devices. However, now there's a lot of pressure coming from the current administration for TikTok to sell and/or shut it down. So, this has been going on for some while now, right? TikTok has already collected info on our Gen Z population, including my three kids who use it. But, that being said, there’s certainly social engineering risk, you know, propaganda, privacy angle, I guess. Matthew, what is your view of the TikTok situation and maybe then expand on the dangers that social media can pose?

11:30
Matthew Rosenquist
Oh, that's a huge topic in of itself. Right? But it's interesting because the government is following a brand-new playbook. This is the Huawei playbook, right, where the government identified, okay, Huawei had networking equipment that's potentially bad. We're going to ban it, you know, for our government use. But now we're going to try and push that out because we know critical infrastructure, which is run primarily by private industries and everything else, we're going to start pushing it through and working internationally to do the same thing. So, they're following that same playbook because they realize that there are systemic risks for a potentially or for an aggressive nation state who has deep hooks. And in this case, it is it's, you know, networking equipment for major telecoms. What this is, is this is the end user device. And you're talking about an application installed on the end user device, an application that end users are launching all the time or have constantly running on an end device that may also be doing other things, other work, other communications. Again, around critical infrastructure, and government is obviously a critical infrastructure. It's one of the sectors. So, they're saying, hey, this is too great of a risk because if they do in, let's say the next update, push surveillance or malware or something like that, right? Now, that creates a material risk to everybody that's using it. But you also bring up the point, hey, you know, this is social media as well. And given that you can start gathering information. And you would think, what does China care about Mike's kids, you know what they're interested in, what they eat for breakfast, whether you know, the latest gossip in their classroom, who cares? Well, the reality is China is notorious for sucking up all that data, not necessarily because they care exactly what happened in class today of your kids, but they're able to start to aggregate data as part of the long game. Right. They can start mapping. Well, who are Mike's kids and who does Mike know? Right, on and on. You start building these maps and understanding who's experts in what fields, who do they know. And you can use that very simply for malicious purposes. If I know your children's names, and because they're talking about what school and what classroom. Mike, if I send you a malicious email that's from your child's teacher, because I know from that class and say, hey, we had an incident today here and we recorded it, please click on this link. I own you. Right. So, the more information I have about you or anybody else, right, the more I can maliciously use it. So yeah, there's lots of things. And they play the long game, right? They look at the 100-year strategy. We look at a quarter strategy. That's the way we think in America. They have the 100-year strategy. So, it's not only what are your kids classrooms today, what are they going to grow up to be and what access will they have in those companies or government agencies or anything else? And if they've been tracking your kids since grade school, they know everything about them. 

14:47
Mike Halstead
Yeah, great answer. Thanks for that. Next one. White House recently issued a new cybersecurity strategy, the framework protecting critical infrastructure, as you already mentioned, including hospitals and clean energy facilities, but also collaborating with international organizations of partnerships to counter threats to the digital ecosystem. And also in there, I believe, is putting pressure on the software vendors to play a big role in defenses. So, it seems to all make sense, but it seems a bit high level. Just what is your view on the new strategy, and does it hit the mark? 

15:23
Matthew Rosenquist
So, the strategy covers a couple, several different kind of areas. You see things in there that we've stated before and they're restating to give emphasis to them. Things that we should have been doing already that we weren't. Right. Some housecleaning, good practices, whatnot, communication things, collaboration, public and private, all those kinds of things. Protecting critical infrastructure. Nothing too surprising there. But there are those two things. And you mentioned one of them, right? You mentioned, hey, we want to start positioning the industry to be more accountable for the products and services that they provide. Up until now, and even right now, it's kind of been we expect that the market forces will compel organizations to put out secure products because their customers, right, are going to use that as a competitive advantage. And if you don't do that, they won't buy your products. But we're not seeing that. And unfortunately, we didn't see that. If you dial it back, we didn't see it with privacy as well. And for a long time, you know, the governments and people were like, hey, clean your act up. Make sure you're respecting people's privacy and companies, oh, yes, absolutely. We will. We do. Until it became evident again and again that they didn't. So, it required legislation to actually come into play. And we're kind of behind the curve in that as well. Right. So, I think one of the signals coming out of this, the National Cybersecurity Strategy from the White House, is to say, guess what, time's up. You had your chance. We're now going to start going down this path like we had to do with privacy. It's probably going to be ugly. You're not going to like it. But we need to start putting enforcement things in. It's no longer we're going to expect market forces to work. We know that doesn't work very well. We're going to establish more functional criteria for the greater benefit of everyone. So that's one thing. The other thing that's really interesting in this cybersecurity strategy is, for the first time, they've actually come out and said, you know what? Not only as a country and a nation, are we going to be defensive in protecting our infrastructure and everything else. We now recognize that we will need to, as a government, take offensive preemptive actions, and that may be hacking an aggressive government in their planning stage of hacking us. That may be proactively taking down Internet infrastructure that's going to be used or is being used, right, to undermine security interests of the United States. That means attacking before even you get attacked. And that's something that we predominantly have not done and it's something only government should do. Right. Your individual companies shouldn't go off on a hacking spree. But this is something, it's a fundamental change. And I'm very interested to see how this will manifest.

18:30
Mike Halstead
Thanks for that. Yeah, you're spot on. I think, you know, while this may be higher level, certainly there will be more rules and regulations that will be much more prescriptive coming down the pike as is when you know the FFIEC issues guidelines, they generally end up being requirements and what they will examine you on. So, thanks for that. And then one final topic around AI. AI’s been operating behind the scenes for some time now, it's not new. However, with the evolution of ChatGPT, now it's coming to the forefront. Everyone's using it. I think people are really excited about it. It passed the bar exam, so we see the power that it has. Microsoft recently came out with Copilot, kind of integrating all the Office 365 suite together. This seems to be very transformational. So, I guess the question to you is what is your view on how this fundamentally changed the game for the good and also for the bad? 

19:34
Matthew Rosenquist
So, there are wonderful innovation in technologies and AI’s been around for a while, but we really have seen an uptick as expected as it was predicted in the hardware, in the software and everything else, especially as you get into machine learning and deep learning. You know, we've seen an accelerated pace of advancement and that's not going to slow down, by the way, right? We're using AI to help make AI better now. So, it is on an acceleration path. Everybody agrees to that. But AI is one of many different disruptive technologies. So, when you look at AI or blockchain or quantum computing or whatever, all these technologies are incredibly powerful. Now, they're just a tool, though, right? The thing is, with a powerful tool, you can use it for good, but equally you can use it for harm and malice. And what we see with every single powerful tool that has come out in the digital world is they’re used for both. That is the reality, right? An attacker is not going to stand back and go, wow, really powerful tool that can make me a lot of money or get me to the objectives that I want, ahh, I'm not going to use that.

20:46
Matthew Rosenquist
No. In fact, attackers tend to lead the pack. They tend to adopt very powerful technology well before anybody else. And that's part of the nature of the game in cybersecurity, right. The attackers tend to have the initiative. They decide what to attack, how to attack, what methods, all that. And defenders tend to respond to those attacks. So, this is the nature of it. Yes, AI is that next tool, powerful tool that is being embraced by the attackers. And the defenders are having to, okay, respond to that. How do we deal with this? And they're going to be using those same tools in a defensive manner to be able to predict, detect, respond, and even in some cases prevent some of those attacks that the attackers are going to use. But we're always going to be one step behind. So, yes, new technology, powerful, capable for tremendous benefit, but equally so, we have to recognize the risks that there is an equitable amount of potential harm that we need to try and think ahead and get ahead of, right, before we feel the pain. But there will be pain.

21:58
Mike Halstead
I would also expect, just similar to even cyber, it's going to take the government some time to come up to speed on it and how they would regulate it. So, it's going to be an interesting challenge for all.

22:10
Matthew Rosenquist
And it may be very difficult. AI may be one of those things that it is exceedingly difficult to even consider regulations because AI is used as an efficiency tool in every sector you can imagine, right. And then you also, as you turn the dial forward and it's not just an efficiency tool for everything from scheduling and logistics and communications and knowledge sharing and whatnot. Right? As you dial forward, you start getting into autonomous systems and the risk there, right, with all this great powerful technology is if you overregulate it, you start slowing down the adoption and the investment in it, whereas other countries are going to be pushing on the gas and they want to get ahead.

22:58
Matthew Rosenquist
They want to be the world leader. And one of the foundations of the United States’ strength is our power to innovate and push things into the market and create standards and be seen, right, as the experts. Do we really want to fall behind and not be the world experts on A.I.? Probably not. So again, there's going to be some great challenges, right? You're not going to tell a factory don't use AI because that could make you 20% more efficient. No, you're not going to tell the government don't use AI because you can service the citizens better. No, right. So, it will be a momentous challenge if they even try and tackle it. 

23:41
Mike Halstead
Yeah, good point. Okay, so before we go to the next topic, which is really the predictions and trends, Creighton did you want to opine from an engineering perspective and/or ask Matthew any questions?

23:53
Creighton Adams
One thing that comes to mind for me, especially with the modern policy, ever since the FAANG trials over at the Congress was that Facebook, Apple, Amazon, Google, so much happened from there to get the business ownership to the table of discussion instead of saying, I don't know how that happened. What went through my mind is how in the greater cyber edicts from Biden's POTUS office, how are we going to separate the military from the domestic? Because when you're dealing with cyber, it kind of permeates all sectors. But classically, and correct me if I'm off, the military functions offshore and then domestic, like FBI, NSA focuses on onshore. How are those going to be shared policies, shared intelligence? It's just a question I had in mind, because usually they're separated for good reason. 

24:46
Matthew Rosenquist
Yeah. And so, if you look at the United States government, you've got actually most of the agencies focus internally, right? Department of Agriculture, Department of Energy, things of that sort. You do have certain agencies like CIA, NSA, that are focused externally. And then you have some that are kind of both, right? DOD has tons of facilities here, but also abroad and does, you know, operations and so forth. So, there are different rules and it's typically it's baked within those organizational policies. So, you've got your internal, national, you know, government agencies, they will follow certain requirements and they have certain requirements. And then when you talk to DOD and you talk to NSA and CIA, they operate under different rules, rules of engagement, rules of operations, rules of security, all sorts of things. And there's oversight processes for those typically in Congress, right.

25:43
Matthew Rosenquist
That have certain oversight policies that have to support certain objectives. But they are bifurcated. And so, I would expect the same because cyber is just going to be a policy. It will use the same frameworks that are already established for different types of policy, including rules of engagement and scope and operation visibility and whatnot. They'll use those same frameworks that are still in place with the same oversight structures. It will simply be stronger and tighter with higher expectations that's going to drive through those organizations for policy wise. And many companies that service, for example, intelligence communities, DOD, things of that sort, they in many cases have bifurcated their companies as well. Right. Especially if they need ITAR or something else. Right. Certain requirements that they have to operate within specific for that government customers. Many times, you will find a bifurcation within that and in some cases an entirely different subsidiary to be able to meet those requirements. So, there are structures and frameworks out there that will continue to be used. They'll just simply extended them out for more depth to cyber. 

26:54
Creighton Adams
Yeah, that's what I was picking up on from the writeup that the White House was issuing recently, and I was, like I said earlier, I get really excited over the boring stuff. Their process flow was genuinely impressive on how they were handling details from department to department. I was like, that is neat. And when you're looking at designs coming out of the federally funded research institutions such as MITRE and NIST, the MITRE 800-160, volume one and volume two, how to build was it trustworthy systems? That's some good data in there. And then you lean that against the monetary fiscal policies of CCPA California Privacy Protection Act, which came from our good old friends of the European Union, GDPR, and we're getting there. So that that's what's going through my mind in trying to translate that policy into intent for the engineers to carry out in code. It's going to be a journey that we're all going to be on. 

27:46
Matthew Rosenquist
And it's a tough one. And you had mentioned privacy, CCPA, and that's a whole different beast. It's definitely tied into cyber and that's a huge challenge. I mean, we've got now 50, over 50, different states and regions that have their own privacy regulations. We now have more than one state that has actually declared privacy to be a constitutional right, right. California was the first, we put it in our Constitution here in California. But now we've got, I think, six or seven states that have done that. So, there's a lot of variation in that. I think on the cybersecurity, pure cybersecurity side, especially with the government, their initiative to go to Zero Trust, which started last year, it had groundings even before that. That was more of a unified let’s kind of figured this out and move towards that.

28:39
Matthew Rosenquist
And these government agencies are embracing it because they felt the pain. They've had the data breaches, they've had the attacks, they've had downtime. And so, moving to that system and then starting to talk with each other, there used to be a lot of different fiefdoms, even within D.O.D., that would go, no, I'm going to do this. Well, I'm going to do this. I don't like that product. I want a different one, right? And it just, chaos and mayhem. That started, the Zero Trust started to unify that, which really helps those architects and engineers. Right? You don't have to re-engineer and re-architect and then custom support that beast. Right. Moving forward when you can start sharing those resources, ideas, architectures, frameworks, technologies, vendors, right, configurations, it becomes much more of a standard and it is much more cost effective and a whole lot easier to engineer and sustain over time.

29:34
Creighton Adams
100%. 

29:35
Mike Halstead
Awesome. Thanks, Creighton and Matthew. And just for the last segment of our podcast, Matthew, if you could walk us through any predictions, trends from your perspective on what organizations can do better as they navigate forward? 

29:48
Matthew Rosenquist
Okay, I do predictions every year, and I've been doing them since, what, 2006. I think that was the first time I publicly did it, but I was doing beforehand for Intel, McAfee, things of that sort. I've published my 2023. 2022 is out there. You guys can always go check to see how accurate I am. Please do. But for 2023, I'm looking at a couple of major themes, right? First off, because of well, let's just say some international activity, we're seeing nation states, especially aggressive nation states, waking up and consciously deciding I need to have a well-oiled offensive cybersecurity capability. I need to be able to essentially attack other countries, even ones that I'm not bordered with and go after their critical infrastructure or their finance, their political system, all sorts of things. I need to be able to sway their public opinion about whatever topic I want, and they were making that conscious decision. And as part of that, they're also making a decision that I'm willing to deploy this.

30:56
Matthew Rosenquist
I'm willing to go after. Now, there's all sorts of variations there. And yes, they want to be able to have plausible deniability and they want to, but they want that capability. It's affordable, it's effective, and it only gets better over time. So not just defense, but offense. And on the back of that, once a nation makes that decision, it comes with funding, it comes with support, it comes with the potential of even, you know, allowing a PMC, right, a private military company to start evolving into that. And that's different than the cyber mercenaries we currently see, which are scattered all over. And sometimes very disorganized, sometimes somewhat organized. But when you get into this to the level which is head and shoulders above that, when you get into something like a PMC and we're familiar with that in the news, right, like Wagner or Wagner Group. Right. The Russian Wagner group that we see, you know, we see them in in helmets and carrying machine guns. They actually also have a misinformation group as part of Wagner. So, you know, it's just another step. Now when you see other countries start to promote that, it's not just we're going to throw you some money, we're going to give you access to our intelligence, we're going to give you a ton of money, research.

32:18
Matthew Rosenquist
We're going to give you potential physical assets around the world that you can leverage. This is a fundamentally different kind of game. Okay. And you might think, hey, I'm a medium business owner, small business owner. That doesn't matter to me. Well, you know, Wagner is not going to come after me. Well, actually, it does impact you. It impacts every single one of us, because here's what happens. A government spends a billion dollars on a new piece of malware, super complex that could only be funded, right, at a government level. All sorts of different vulnerabilities discovered, exploits to go after them, sophisticated professional code. As soon as they hit the button and it releases into the world, it's open, right? You have everybody out there, not just the security researchers grabbing it.

33:12
Matthew Rosenquist
Everybody, including other cyber criminals and cyber researchers and black hats. They grab it, they tear it apart. Let's find some interesting stuff. What does a billion dollars buy you? Wow. Look at all these zero-days. Wow. Look at all this professional code. They start grabbing that, and like Frankenstein, they grab those pieces and put it into their malware. And their malware is going after grandma. It's going after you. It's the phishing attack, right? It's the ransomware attack. They're going after just anybody that's available. Right. Their motivation is money. You got money, we’re coming after you. So, it is everyone's problem because now you have top tier quality code and vulnerabilities used by everyday little petty hackers. And that is a problem for everyone. So that's kind of the big, big overarching theme that we're going to see. It is a chain reaction. The decision to create these organizations, which leads to funding, which leads to release and use of those organizations, and that has a cascading effect not only on their primary targets, but everybody after that, which includes anybody that's connected in this digital world. So that's a big, ugly thing that we're seeing, decision and money flows into this.

34:33
Matthew Rosenquist
This is, it's been going on for a while, but this will start getting much, much worse and much more professional. And it doesn't end at the end of the year. This is a new sustaining capability that they will continue to grow over time. So that changes are industry. Number two, I would say again, you talked about some of these tools. We've got some changes in quantum that are coming, right? We've got a cliff that's coming, you know, coming towards us. And we're seeing some interesting papers that are coming out that they're shortening the requirements for the hardware and improved algorithms and everything. There is a risk that our primary means of securing our communication, right, when you go to your bank, right. And you had that secure transaction, that could be undermined, your credentials or your security for when you log into work, right. Or a server to server, right, connections. That type of encryption technology is at risk. And we know at some point it will be undermined. There's not a question. It will be. The question is when. And we're seeing more and more investment in that, more and more results coming in and lessening that time frame.

35:40
Matthew Rosenquist
Right now, we're thinking maybe 3 to 5 years, but it may just be the next white paper that says, no, it's six months. We don't know. So, we need to worry about that. And you had mentioned AI. Powerful tool. Oh, yes. Bad guys are going to use it. Absolutely. Bad guys are going to use it in ways that we can't even conceive of. Don't underestimate the creativity and persistence of our adversaries. They find ways. Right. And it's impressive how creative attackers can be. They're going to use AI. They're going to use every variant of AI. ChatGPT is just one, right? They're going to use everything. And it may be to masquerade as somebody. It may be to create vast numbers of digital, new digital identities. It may be creating a synthetic 3D interface that I can completely masquerade as Mike. Video, sound, voice, right, even mannerisms, right. And if I can get on a bridge or I can contact, there's all sorts of different things. Finding vulnerabilities, writing malware. Yeah, guess what? AI can do it all and it can do it all at speed and at scale.

36:53
Matthew Rosenquist
Okay, powerful tool. So, we have to worry about that. So, I'm very interested to see the creativity of the attackers and how they're going to use these latest tools in 2023. And they're already starting. We're already seeing it start to happen, especially in the phishing and spam. The last one that I would touch on is the kind of global economic downturn. We're seeing it with the banks, we're seeing other things. But if you're in the security industry, as we talked about before, it's always an uphill battle to justify your budget, right? And to keep resourced. We know the threats and risks are going up. We just talked about all of those billions of dollars being poured into new attacks. Right. So even if your budget stays the same, you’re still losing. The attackers are gaining in their capabilities. But with global economic downturn, companies need to tighten their belts. They need to be very more discretionary in what they're spending on. And honestly, cybersecurity and privacy, we mentioned privacy, too, they tend to get kicked in the teeth first. Right? We're going to we're going to preserve our product engineering and we're going to preserve our sales, sales and marketing team because that's how we make money. Everything else, slow down, cut, do something. But the expectations of security don't go down. Just your budgets, right? Just your staffing. So, we will see a lot of organizations struggle and many are going to get cut. Many aren't going to be able to keep pace, which means the result of that is more hacks, more data breaches, more exposures, more loss.

38:40
Matthew Rosenquist
And oh, by the way, the government may also be implementing new regulations to where you need to be even higher, you know, higher up in your in your capabilities. Oh, and cyber insurance is tougher to now get, and they have higher requirements. So, the expectations go up. But your budget goes down, the threat goes up, but your budget goes down. This will be one of the fundamental challenges that cyber security leadership has to deal with. And we go in cycles. So, if you're experienced, this isn't your first rodeo, but if you're new, as many cybersecurity professionals are, this is, this is crazy. It's a crazy time. How can you have that expectation of us when you're cutting us down to the bone and the threats are getting worse and your expectations are growing. It increases the stress and the burnout level as well. 

39:29
Mike Halstead
Great. So, this can be a bit daunting listening to this, Matthew. And I guess the question is, is that what are some things that organizations can do, like if say, well, we have offensive nation states that can be very scary, right? They're obviously not going to be able to manage that on their own. But what can they do to protect themselves from either a targeted attack or a collateral attack as a result of this? What would you say are the, you know, top three things that they could do. 

40:03
Matthew Rosenquist
First and foremost, do the basics. And you would think, oh, well, of course that's do everybody understands that. Yeah, it makes a whole lot of sense. But unfortunately, a lot of organizations out there don't even do the basics. And if you're not even doing the basics, you're, you are, it's guaranteed you are going to suffer. You are going to learn some very painful lessons eventually. But do the basics. So, you need to have the right people to help you do that. And if you don't have them in house, well, then, you know, work with an external vendor or supplier or consultancy to help figure out what those basics are. Right? And it's not really rocket science. It really isn't. You need to target the technology that you're operating in and using. You need to target the people that touch it, and that includes your staff engineers, your third-party vendors. Can't forget them, right? But also, even potentially your customers downstream. In between the technology and the people, right, there's this process element and you have to be able to to cover that as well, because that makes sure that you are comprehensive and consistent over time.

41:21
Matthew Rosenquist
If you just do the basics, just one day, doesn't matter. Right? Because tomorrow now you get weaker and weaker and weaker. So, step one, basics. Step two. Right. And this is really kind of head and shoulders above that, is you actually want to be competitive. So, look within your sector. If you're a bank, look in the finance sector, if you're a hospital, look at the healthcare sector, see what your peers are doing. Right. This goes back to the analogy of, you know, hikers running across the bear who's charging them, right? You don't have to outrun the bear. You just have to outrun the guy next to you. So, the simple fact is, don't be the easy target in your sector, because if the attackers are going after the healthcare sector or attackers are going after the finance sector, guess what?

42:13
Matthew Rosenquist
Most of the cyber criminals, they're kind of lazy, just like you and me. Okay, not lazy, let's just say efficient, right? They want the path of least resistance. Where's the easy button? Am I going to go after big bank with all these security controls, or am I going to go off to the other bank that's kind of weak? Maybe they already have the basics, but there are a lot easier than that big bank over there. You know where they're going, right? So don't be the easy target. That's rule number two. And the third thing, and this really gets into, it helps number one, and it helps number two, leadership. If you don't have good security leadership, you're not going to be able to do the basics, I'll tell you that. And you're certainly not going to be able to understand what your competitors are doing or be able to see it from the enemy's perspective or understand what their capabilities, their methods, their targets, their processes are. You won't be able to translate what NIST standards are or what MITRE’s doing or, even what you know, privacy or the government or cyber. You need to actually have good cybersecurity leadership, and if you put a good leader in place that good leader is going to make sure that they've got a good security architect, a good security engineer, and good security operations.

43:31
Matthew Rosenquist
And it might be in your organization, it might be outsourced. But it all starts with leadership, because if that leader cannot convey the value proposition to the C-suite and the board, doesn't matter. You're not going to get funding; you're going to be cut. We already talked about that. You're going to get cut. You're not going to have resources even if you do have grandiose plans. So, you need to start with good leadership. Hiring somebody that knows what they're talking about that can get it done, that has the experience, and let them do their job. Cybersecurity is not about being impervious to attack. That security leader has to find that right balance between the cost of security, right? The acceptable risk, as well as the friction to your environment and to users. But it's finding that right balance and getting that buy in by the C-suite and the board. This is right balance, right? These are our right security goals. Great. Now I need to be funded. You bought into that. This is the cost, fund and support this. That's where you get a long-term, mature cyber capability that can remain nimble enough to adapt to the evolving threats. So those are the three things you need to do. 

44:46
Creighton Adams
One aspect I wanted to ask you, we may have to do that for another time is what is the role of open source have to play in this for individuals that can't buy, and they have to build. But that might be chapter two of our discussion. 

44:59
Matthew Rosenquist
I'd love to have a conversation about that because there are there's a lot of very interesting nuances, and it's not just the little companies that can't afford it. There are huge companies that are also integrating open source because it is so fast and they're racing to market. So don't think it's just the small and medium businesses. I know Fortune One Hundreds that also have, let's say, an exposure to open-source risk. 

45:20
Mike Halstead
Matthew, love to have you back to have that discussion. We're going to wrap up now,  just kind of reiterate what Matthew said is that, you know, focus on the basics. Know your asset inventory. Protect that asset inventory, be competitive in your sector. Know what others are doing to protect themselves. What are your threats specific to your sector? And then finally, leadership. You can't have these hybrid cyber/IT teams. You've got to have dedicated leadership and teams who focus on security. So, thank you, Matthew. Thank you, Creighton. I learned a lot and looking forward to doing that with you again. 

46:00
Matthew Rosenquist
Sounds great. 

46:02
Mike Halstead
All right. Thanks, everyone. 

46:04
Creighton Adams
Thanks all.