Contextual Security and Beyond: The Future of Cybersecurity

Jim [: 00:00:00

Hello, and welcome to another edition of Razorwire. This is the second part of the state of info sec 2024. As I mentioned in the first part, today, we're gonna be bringing on Richard Cassidy, as well as Oliver is coming back to sit down and kind of look at where we think things are, some of the concerns that we have, some of the challenges we think we're gonna be facing going forward, and it's a companion piece to that first part that we've we've already seen. So today, to talk about some of the interesting stuff that came out of the recent RSA conference, and this has been fueled specifically from some of the stuff that Oliver has recently posted, or posted a little while back, just after he got back. And, obviously, we brought in Richard, Cassidy, and Oliver Rochford to talk about it's the Byron report, isn't it, Oliver?

Oliver Rochford [: 00:01:00

Yep. Yep. It it is indeed. It is. It's it's,

Jim [: 00:01:04

So tell us about it. What is it?

Oliver Rochford [: 00:01:07

Yeah. You you know, so so the best is this this freelance journalist called Byron Akihito. He used to work, like, for some of the big US news agencies, and he's got his newsletter. And I so I met him at RSA. We were one of the AI panels at the VC listening to 3 of the actual founders talking about their product. And he came away writing a blog. He's got a blog called the last watchdog. It's pretty good.

Oliver Rochford [: 00:01:28

It's free information, which I think it's high quality information isn't actually that easy to get, especially in our industry. And he did a rundown, and his big takeaway was that rules based security is out, contextual security is taking over. And so, of course, which begs the question, what's contextual security? Why why is it taking over? Why is why do we need it? And why are we seeing a push for it now? Right? That's essentially why is now the right time for this? That's in fact the same way investor would ask you. An investor would say, okay. You have a solution, but is this the right time? And he seems to think it is, but I think it's a good one it's a good one to discuss because my own perception walking across RSA was indeed there's AI being sprinkled in everywhere. Some people are more vocal about it than others, But what you're seeing is essentially a whole bunch of data science techniques coming together. Knowledge graphs, you know, these kind of, like like, graph based, display of different activities. You're starting to see, of course, LLMs working a little bit in the back end.

Oliver Rochford [: 00:02:28

It might not be obvious to people how they're being used, but they are starting to creep into basically being able to enrich and tag data. And, of course, this isn't just some one area like security operations, maybe monitoring. No, it's everywhere. If you think of security vulnerability prioritization, you need to have context. If you think of alert prioritization, you need to have context. If you think of threat modeling, you need to have contact. It's almost a missing piece almost everywhere because it's not in isolation, we're not an ivory tower, all of that around it matters too. Yeah.

Oliver Rochford [: 00:03:04

So I'll I'll hand over to you guys now because that that was me a long talk, But that that's that's the driver behind the topic today.

Jim [: 00:03:09

Yeah. Okay. Richard, go for it. What are your thoughts?

Richard Cassidy [: 00:03:13

Yeah. Do you know that was one of the one of the first comments I honed in on. It it this it did make me chuckle a little bit, you know, you know, rules based securities over context based security is taking over. I mean, I think they rely on each other. You know, context drives the rules, which drives the outcomes. So I think context as well as rightly put it is is an able part of, of kind of rules based security. Because you you have to have rules. You have to say, I don't want these things to happen, or I have a risk appetite for x.

Richard Cassidy [: 00:03:42

And if it exceeds y, then I need to do something about it. So, it was an interesting comment. And and the companies that he mentioned, you know, are are I don't think they're doing massively different things, Oliver, unless I'm wrong than what we've seen in the industry this past decade. You know, context based analysis has been around for some time. But it is good at least to see somebody helping CSOs and decision makers kind of think more about that than than trusting the vendors to deliver the outcomes they need. You know, and and interesting, I I was at infosec, just for a day, the other week. And I I was, there with somebody called Gorka Sadowsky who, Oliver and I will both know from Exabean days. And and Oliver will know probably wider in the Gartner space.

Richard Cassidy [: 00:04:28

You know, and he we sat at a coffee and he said, he just put his hands in his head and just a big sigh. I went, oh, what's up? Because it's it's just unbelievable that, you know, every stand you go to, you know, we're we are the best in application security. We are the best in UEBA. We're the best in this. And, you know, I try to put the customer hat on when I go to these events and go, oh my goodness, how does anybody make a decision in the midst of all of this complexity? And then, and I wasn't at RSA. You know, I should have probably gone, but I felt maybe it was a similar thing there. If I look at that that report, the Byron report, you know, it seemed to have very similar sort of messages for me. You know, people talking about their products being the greatest, in industry.

Richard Cassidy [: 00:05:12

And and, actually, what I think we need is more of a platform play. You know, and I'm it doesn't mean that I want the Palo Alto's of this world or, you know, the, you know, the Microsoft's of this world to take over. Right? Because it can't be a monopoly. But, you know, Checkpoint did it years ago with CrystalSec, and and that kind of filtered away, or or for some reason. And other companies are trying to do it, like the the XDR Alliance, which Oliver knows about. You know? Okay. We're moving in the right direction, but we're still too solid, I think. I think vendors are still far too solid in what they do.

Richard Cassidy [: 00:05:46

But in the last 12 months, I've definitely seen a lot of good steps with the major players. Right? So CrowdStrike, Microsoft, Palo Alto, etcetera, are definitely starting to build a narrative that's more about, bringing in existing vendors and coming up with a consolidated story. And what that means is driving the outcomes from 1 from 1 platform. Right? So it doesn't matter what's behind it. It's business outcomes based solution selling now. And and that's good to see, but I think we need to get we need to push the button harder on that and move faster because, you know, too many companies are the best at what they do in isolation. That doesn't help anybody in my opinion.

Jim [: 00:06:24

Absolutely. And funny enough, so we were just discussing that. You know, I I was I was I was kind of a bit lost at infosec, I'll be honest, walking around when I was there. And I I I again, I didn't go to RSA. I'm I you know, it's a very expensive endeavor. Gotta justify it to my financial officer, and she's a she's a tough task master. Maybe next year, I'll go. But, you know, at the end of the day, from my experience with Infosec, I I agree with you.

Jim [: 00:06:56

And I was a bit as I I was just saying before, I was a bit lost. There's a lot of people saying they do a lot of things with a lot of solutions, a lot of solutions I've never even seen, never even heard of. Yeah. You had the big boys there and all the rest of it, but I I don't know where security is is on the whole going at this moment in time. I suspect I know what's gonna be happening in the next couple of couple of years. But we're so being we're so we're finding it so difficult. I mean, you know, you're just looking at the how fast these breaches are coming, and we were discussing it on the previous previous podcast to this because this is a back to back one. The world is hotting up a little bit politically.

Jim [: 00:07:39

Well, quite significantly politically. And we're starting to see more and more attacks. And contextual based security has always been one of my sort of more favorite aspects of of of any product. You know? I've used some of those products, and getting context as to what's going on behind the scenes rather than just getting the raw data, which doesn't really tell me anything. Or if I'm trying to find something, takes me hours to hunt through various different blogs or hunt down really what's going on. And that's more traditional way of kind of doing this with things like scenes that give you context. You know, they look at events, and they they they will kind of put events together and then put, you know, put a picture in front of you. Is so much more valuable.

Jim [: 00:08:25

It means it cuts down the amount of time that I need to spend worrying about, you know, trying to find specific logs, especially if the management are turning around and saying, okay. Well, all of this sounds really good, but it's all very high and technical. Can you give us some context as to what's going on? I don't know. I it's it's it's a funny it's a funny market. But then RSA is obviously over in states, and they tend to be a little bit closer or a little bit further along than us. What happens over there tends to say couple of months or maybe a year depending upon what's going on. What were you seeing over in in in RSA, Oliver?

Oliver Rochford [: 00:09:01

I had quite a a positive experience at RSA. I thought that was a large, vibrant, industry. There's a lot of experimentation going on. I mean, I agree with you, Richard, that like synergies are important, whether we have to come from a platform provider or whether it's just based on better standards interoperability, it's kind of I'm agnostic to that, but interoperability is vis synergies, not working in the ivory tower in isolation. That's the whole contextual thing. Right? You can't just look at a network log and make a decision. These attacks are far more sophisticated. They're stealthy.

Oliver Rochford [: 00:09:33

You have to look at a bigger picture. You have to understand what everyone is doing, and I think that that's what people are aiming for. But the reason why there's so many small niche companies is because that's how you start out. Right? It's basically, you're not gonna be able to boil the ocean when you're a small startup. So and so it's confusing for the end user because what they're seeing is just all of these very quite similar sounding on the face of it, you know, companies and they can't choose between them. But actually there's a high level of specialization between them. Once you drill into it, I think like security operations where I work primarily, you have 3 vendors who will sound the same, but then you realize one of them only does it for Splunk, one for Snowflake, one for Databricks and one for ClickHouse. And immediately you realize from a buyer perspective, I only need one of these probably Like getting that information out, I think is harder, they're not doing a good job of providing that, interrupt, but interoperability.

Oliver Rochford [: 00:10:27

You're right. We need to have better interoperability. And I think it's we need large platform providers to drive fast. They are like, like, they they are they have data gravity. What Ross Halliuk says, data gravity, because you're basically aggregating a lot of your stuff into these solutions. And so if you hone in on that ecosystem, you can get these synergies. But with standalone, if you're a small provider and you wanna deliver everything yourself now, that ain't gonna happen. It's impossible.

Oliver Rochford [: 00:10:55

Right? You you can't do it.

Richard Cassidy [: 00:10:57

Yeah. I I'm I wanna I wanna talk about a little sideline story, and and does have a link back to the point. So let's let's talk about octopuses. So, and this is a presentation not by me. It's the current CISA of ABN AMRO, and it's a publicly available thing. You should definitely look at it. I love this concept. So he starts out talking about octopus, and and he talks about the lifespan of an octopus and the fact that, it lives for a very short period of time.

Richard Cassidy [: 00:11:25

It's a very highly specialized organism. And then in its dying phase, it completely deconstructs. It literally breaks down the cellular level. And not like decomposition, but the DNA literally completely deconstructs. And he said that is the problem with cybersecurity today, is that we think in these short term periods. We completely deconstruct what we're doing in 3 or 5 years maximum, and then we start again. We jump on the next treadmill and away we go. Now some of that's down to the fact that there is a lot of innovation in industry.

Richard Cassidy [: 00:11:52

And and with that level of innovation, you do kind of have to relook at things. But his call was for something called Cyber senescence, and senescence being, the term that sort of describes the process of growing old. Right? In fact, in biology, senescence is a is a process by which cells age and parent apparently stop dividing, so they don't actually die. And so he he said, you know, what he feels is is not working for us is we're not thinking long term enough. CISOs are still calling the 3 to 5 year life cycle. What if we thought 10, 15 years as a business? What if we designed a a a data cyber, you know, strategy around audit and compliance that that went beyond the 5 year period? Would that fundamentally change how we put hold our our vendors' feet to the fire and what we want to do? And I was thinking, noodling on it for quite some time, I think he's got a point. I mean, yeah, technologically, it may be very difficult because the market's not set up, I think, for that. Although there are some vendors which have way older than 10 years and and and could potentially show that they had a life cycle that worked in that respect.

Richard Cassidy [: 00:12:55

But I do think if if I was, you know, a a seesaw at a major organization, I would want to be thinking long term. Now I don't know what the board's appetite would be for that. That's probably the biggest challenge. But I think, technologically, I would wanna sit with my vendors and say, this is my business, and this is the journey we're going on. Okay? And we have a 5 year plan. In fact, we have a 10 year vision. And I need to know that that you're going to be with me through these phases. And so I'm going to stress test you every year.

Richard Cassidy [: 00:13:21

I'm gonna ask you, this is what's shifting. This is what's changing. How are you enabling me to to meet the needs that I need to meet? I'm not just talking about cybersecurity. I'm talking about regulation, audit, all these things. I think it's a great concept, and and I think it's something we should be thinking a little bit more in industry, a much longer term view of what we're deploying and why we're deploying it.

Oliver Rochford [: 00:13:42

To what you're describing is Germany.

Jim [: 00:13:45

Yeah. But but but but

Oliver Rochford [: 00:13:47

but secondly so I I tell you that so there's there's 2 challenges I see work with that approach. The first one is that you cannot plan longer, then things change. And AI is a very good example. I there's a there's a PayPal situation awareness by one of the OpenAI, former a OpenAI people. And he says, by 2,030, we're going to have basically self improving AI. How can I have a 10 year plan? And and the the second challenge is that, what if your plan is a different tool of my other customers' plans? What if everyone has a different plan? How can I meet all of these? What about my plans to grow as a business, as a vendor? Obviously, I can't attach my fate just to you as a customer. There has to be a mutual thing where where we all have the same goalpost in a sense, rather than trying to find someone who's going to basically, because I'm not sure that's feasible because nobody executes a 10 year plan in this day and age.

Richard Cassidy [: 00:14:44

Yeah. They don't. I Does

Oliver Rochford [: 00:14:45

that make sense?

Richard Cassidy [: 00:14:46

It does. I'm not saying there's answers to it. I just think it's, it's it's an interesting concept that that I do think has merit. I mean, you're right. There are technologically there are technological curves that that oh, sorry. There's waves that come and go, and you're right. It's very it's very rare to see ones that last that long. But I think we're in a phase now.

Richard Cassidy [: 00:15:05

We could potentially think that longer term. And, you know, and data is a good example of that. I mean, you know, let's just talk about data growth as as it exists. Right? You know, reports state that, you know, in the next, you know, 3 to 5 years, data growth will be about 5 or 7 x where it was last year. So, you know, you know, so businesses at least should be saying, well, if that trajectory is gonna continue, then what can I do to not have exponential data growth and and support it in a way that makes sense to the business? So ask the right questions, you know, make sure we're not we're not we're not doubling up on our data needs and make sure that we're getting the right data we need to to do what we're doing cybersecurity operationally. I think those sorts of things that we can look at longer term because that has a net effect on how we then secure it and and and and control it and things like this. You you're right. So there are pockets of things that we can't apply to, but I think there are some areas where we can and maybe we should.

Jim [: 00:15:58

As a CSO or having been a CSO myself a number of times for a number of different organizations, you know, I always try to do a long term plan. It's kinda hard to communicate that sometimes to the c suite. They they they tend to think of things in the financial year perspective, maybe a few years, but but never quite as far as 10 or I've very rarely ever come across that. Maybe a few sort of business owners who are actually still on the board as opposed to a board in CEO or or something like that. And I think, you know, in many respects, you know, the principles for infosec have never really changed. They've been refined a lot. You know, I'm not saying that 20 years ago, we were we were much better or anywhere near where we are now. We weren't.

Jim [: 00:16:41

You know, there was we were still learning our trade, you know, at a time when technology was rapidly advancing far faster than anybody really considered. And it doesn't mean a lot to the younger generation who are watching this. But believe you and me, I remember a time when I didn't actually have a mobile phone because they hadn't been around. Or if they were, they were just giant brick thing that you carried along,

Oliver Rochford [: 00:17:04

and

Jim [: 00:17:05

they looked more like a car phone or a phone that you'd have at home. You know? Yes. I am that old. And it amazes me to think that, you know, the the mega drive that I had when I was, what, 17, I mean, my phone now outstrips that little piece of technology that gave me so much pleasure all the way back in the day. So technology has changed quite, you know, extensively, and it continues to speed up. You know, Moore's Law is completely busted now. It's gone way beyond that. You know, and with AI, whether you love it, whether you hate it, it's gonna increase even faster, depending upon how it's used.

Jim [: 00:17:47

The principles of infosec don't really change. But the application of it changes quite dramatically. I mean, yes, let's look at, you know, I I try to look at some of the security through cultural shifts. So one of the biggest cultural shifts recently was lockdown. It's a good example. Really simple thing. Before then, I used to do business continuity, and I do use to a bit of Doctor with with some of my customers. And I'd always use, weirdly enough, pandemic as one of the higher end issues.

Jim [: 00:18:16

What happens if? Let's just spitball it, workshop it. And they'd always used to say, no. That that will never happen. That'll never happen. Boom, then it does. And then we go from people being in an office to not being in an office or working from home literally overnight. And then once the lockdown stopped, nobody wants to go back to the office. There's a big old, no, we're not going out.

Jim [: 00:18:40

The whole economy starts to fall apart. But, you know, due to the fact that all the commercial industries have now fallen apart. So all the, you know, all the food and eateries that were around those businesses over in New York, good example, have all been dying in droves, you know, recently because the less people that are in in in New York. And if you've ever been in New York, I've never seen so many bloody homeless people there at this moment in time. So, you know, the changes and shifts that we need to do within infosec need to be a reflection of the the the times, and we were discussing just before. You know, malicious actors are getting a hell of a lot more aggressive, so we do need to look at things like contextual security to try and figure out what bloody hell is going on in an environment. But we still don't have the budgets for it, And there's still a lot of confused CISOs looking at the technological stack that they've got available to them and say, right. I've got all these little jigsaw pieces.

Jim [: 00:19:37

I can't afford all of them. How the bloody hell am I gonna deal with this? Oh, and by the way, your GRC tool has just got up by a 150%, you know, on your renewal. So I don't know. It's it's a tough one. I mean, you know, I guess I'm just a bit lost, guys. Come on. Give me some insight.

Richard Cassidy [: 00:19:59

It is interesting. Is it you so there's reports well known. Right? The the the, there was some reports by the 10 guards.com article that cybercrime, will cost the the global economy about 10,500,000,000,000 by 2025. Right? So it'll be if you if you keep that figure in your mind, it's the 3rd largest economy right behind, the 2 big economies that I won't mention. And so, you know, I and I was at an event. It was probably about a month ago. It was a government event in London, and it was all about supply chain, attack management. And and and this is what drove me nuts because I went on stage and just showed this slide and went, okay.

Richard Cassidy [: 00:20:37

Right. If if you really believe some of the conversation we've just had are still gonna put you ahead of the game, I think you're you're quite mistaken. And and and there were other messages around that. But one of the key messages, one of the vendors was that we'll we'll do assessments of your third third party supply chains. We'll do it every 6 months, and we'll give you a report every 6 months. I'm like, are you kidding me? You think that you think the adversaries run-in 6 month cycles? I I mean, if if that's your window of understanding of your of your your threat surface or or what the risks are that could potentially lead to supply chain breaches, you're way behind the curve. And that goes back to some of the things at RSA. Right? It's all about context now.

Richard Cassidy [: 00:21:15

And then some other interesting facts as well is, you know, cyber attacks are now a more and this is according to an insurance company, an European insurance company. Cyber attacks are more likely than physical theft or fire to to businesses. And so to your point on budget, I I think there's a huge mismatch, on on what's being spent in this area, versus what we're up against. And and if you think about the 3rd world the world's 3rd life of carnival 2025. You know? And I'm not saying, you know, that's one big group of adversaries. It isn't. It's it's spread across everything, but, you know, even the groups themselves are getting more enabled. If you look at all of the the blog posts or you or you you do look at the dark websites where they they normally talk to each other, there's a lot of recruitment going on at the moment.

Richard Cassidy [: 00:21:58

And these ransomware as a service groups, these malware service groups, they're getting bigger. They're getting more enabled, and and it's all with one goal in mind. Right? And if they're not activists, of course, the goal is to to to make money. And so, yes, we really are at a difficult crossroads with again, how much do you spend, and where do you where do you apply it? I mean, I know the answer to that question, but I think a lot of businesses don't because they don't ask the right questions. But I'll stop there and let Oliver chime in on his thoughts.

Jim [: 00:22:23

Just before you do, one thing that I just wanted to pick out that I found found, you know, important there is the fact that, you are right. You know? The the the application of security is changing. It's not reactive anymore. It's proactive. And even things like pen testing, and you mentioned before, you know, having a security check with your 3rd party is great every 6 months, but it's no reflection of how secure they actually bloody well are. Same with the pen test. You can have your yearly pen test, and that's cool. Okay.

Jim [: 00:22:50

In May, you know what your situation is. But by July, it's all old news, and you, you know, you're screwed. So that's why people are moving to more this continuous pen testing kind of idea. They're looking at more kind of ongoing management of their supply chain through similar kinds of solutions just to understand the cyber risk that they're up against. I mean, you know, look at what's going on with Snowflake at the moment and some of the other stuff that's happening in the industry. You know, all of this is supply chain stuff to organizations who are who are getting the brunt of the issue, and we haven't fixed it. But I'll go over to Oliver because I talk too much. Go go, Oliver.

Jim [: 00:23:32

Sorry.

Oliver Rochford [: 00:23:32

No. I I so so so it's interesting because, like like like, the the the slowing down, for example, having long term planning. If you ask me, I think that horse is bolted. That chance was 15, 20 years ago to bake security and not bolt it on when there was only a few countries dominating it. What's holding us back from that now is that we'd have to do it globally. If everyone because we're basically in a Mexican standoff. If you pull back and the other side doesn't, that's the the situation where people believe we're in. Right? At the same time, most companies right now, what they're dealing with is volatility, uncertainty.

Oliver Rochford [: 00:24:09

The problem is they don't know if what we're investing in now is gonna be viable in 5 years' time. AI is a very good example because there's gonna be a lot of dead ends, obviously. If you look at the amount of companies, most of those aren't gonna survive. If you buy into the wrong company, that's a multiyear transformation project right there, which is gonna sculpt your plans. I think that's hard to make long term decisions when the whole market and the industry and the world is basically changing at a very, you know, slow phase. I I I agree with you. I wish we could slow it down because that's the problem because we're still trying to externalize securing this 100% onto the end user, and that cost has to be distributed across the supply chain. Still ongoing.

Oliver Rochford [: 00:24:53

Like, and we haven't done that at all. Look at AI. Right? If I like why are they developing AI brand new and I have to buy an AI WAP? Come on. Have we learned nothing out of the past 20, 25 years? And it's that rush to market and being quicker than the others that's pushing that. That's psychological. That's not technological, and you can't fix that with technology at all. Right? That's the wrong way to fix it. Yeah.

Oliver Rochford [: 00:25:19

But but the context and the timing comes in with that, and the last thing I wanted to say was that you mentioned the 6 months. Well, that's the problem with context in the past. When I worked in a sock, I needed to call somebody to say that asset that I just saw exfiltrating data. It's not a legitimate transfer and that that had a delay in the response. I'm not sure the technology is going to fix it because the problem is centralizing with data. It's all very well saying an LLM is going to read my documentation if I have documentation. Right? So there are other things we need to fix in parallel. It's a data problem as well to a certain extent.

Oliver Rochford [: 00:25:55

But yeah. But, I I I think it it it primarily, it's hard for us to deal with this when it keeps changing on a rapid basis quicker than we're able to adapt maybe. That's part part of the problem. Technology takes time to transform and deploy, but actually the changes are right now possibly occurring quicker than some companies are able to execute that, you know.

Jim [: 00:26:15

You're absolutely right. I mean, you know, the tool that you buy today may be completely redundant next year. And if you've kind of tried to save some money by doing the 3 year deal thing or the 5 year deal thing, you end up with a tool that you're paying for for a year or 2 years or 3 years or whatever that that you don't bloody use anymore, that just sits there in mothballs.

Oliver Rochford [: 00:26:35

Or or platform. The last wave of platform platformization. Yeah. The last last phase, 2, 5, and the 14, 2, 5, and the 15 that you mentioned earlier. RSA, EMC, Symantec, McAfee, IBM, HP and Co, people moved there because it was a pricing strategy, because you've got a bundling price. And indeed, if you look at CrowdStrike, their last quarterly statement, $300,000,000 on logs, Not because Humira is a great sims, because they bundled it with the XDR. Right? And that is a motivator. The problem is you get this best of breed tool that gets acquired, and 2, 3 years down the line, it's not best of breed, especially not across the whole portfolio.

Oliver Rochford [: 00:27:10

Some, maybe not all. You know, what what Cory Doctor, of course, But, basically, the the the quality of the product declines over time because they're trying to extract more and more profit out of it. That is also a reality that Azizo has to deal with. I think all of these things make long term planning really hard, but I think that's why we we yearn for it. We yearn for more stability to be able to plan because it's actually the big stress factor.

Jim [: 00:27:38

I like to use GRC tools as an example of that. You know, you buy your GRC tool, you use it for a year, 2 years, you come very reliant on it, you plug all your data into it, and funnily enough, there's very few ways to pull that data out because, obviously, the vendor really doesn't want you to do that. You know, they really don't want you to be able to migrate it to a to a, you know, companion tool. And I've I've said before, I've known vendors who they wait a year or 2 in the GRC space. They wait till you're nice and reliant on this tool. It's like it's like being a heroin addict. Now I've said heroin. Of course, YouTube are gonna hate this.

Jim [: 00:28:17

But, you know, once you get them hooked on it, they can't get off it. And you have to start paying more and more price, you know, to to your dealer, which is the vendor in this case, to be able to do the same thing and to continue with the with the the unless you wanna go through the pain of completely pulling yourself out of it and then bringing things on board. You know, it's it's it's tough to to to to plan for this, you know, but you've gotta be aware of it. And a lot of CISOs, especially younger CISOs who aren't experienced because there's been an explosion of the need for CISOs, get burned really quickly by this.

Oliver Rochford [: 00:28:53

But I I was gonna turn this around to to to to to Richard, because I think Richard's absolutely correct. And as much as that, a large provider should have a team of people doing this crystal ball gazing, and they should help you provide some of that stability and consistency. Right? That's essentially what you're looking for, in in a vendor, but, of course, it requires a partnership. And you say that the industry doesn't do this well, we do do it. We have companies like Broadcom, like OpenText who acquire mature incumbents, and they will give you that 10, 15, 20 years you're looking for. But it comes at the cost of innovation, and I guess that's a bit that's broken. How do you sustain it while still remaining innovative?

Richard Cassidy [: 00:29:32

Yeah. I I mean, it it it's a good question. I'll I'll come to it in a minute because, I I think the consultancy houses a lot to answer here, but, we'll we'll so just pop that for a second. Yeah. So, look, so so so so SaaS was the answer.

Jim [: 00:29:46

I'll sit quietly in the background here.

Richard Cassidy [: 00:29:49

Well, because I've sat with a lot of them this past year and, I've just anyway, we'll come to it in a second. So SaaS was the answer or it supposedly was. Everything is a service, consumption economics. You know, you you just lock in for 12 months, and if we don't deliver, you can pull out when you like. And to your point, James, getting out wasn't as easy as they thought it was. And I think we're seeing a little bit of a shift in industry, in that, you know, there are vendors, you know, Snowflake, DIVO, etcetera, etcetera. They're allowing you to centralize your data somewhere else. And then they don't care what you do with the data.

Richard Cassidy [: 00:30:23

You they give you API and and and good sort of access to it from other vendors' tool sets, which is great. And and we need to build on that in all the security tool sets as well. We need to have, you know, industry agree to standardize a lot of the output so that if I do shift from Palo Alto to Fortinet or whatever it is, that there's a language that we can use that's understandable. And it's there. Right? I'm not saying that stuff isn't there. It's just not utilized enough. And there's an awful lot of proprietary still baked into a lot of the SaaS solutions, which makes it painful. So, you know, customers should be pushing harder on these points.

Richard Cassidy [: 00:30:57

We're saying, look. I need to know what the exit looks like. Because you get into it, it's almost like the the the honeymoon period. Oh, yeah. We've made the decision to go with vendor a, and we love you, and and it's always gonna be perfect. Right? And then the divorce comes and and and and the pain hits. No. Prepare for the divorce.

Richard Cassidy [: 00:31:13

Ask your vendors, what does the exit look like if we wanna move away from you? If you fail to deliver, how do we get our data? What does that process look like? And if that's painful, guys, then maybe that's not the right relationship to enter into in all in all in all honesty.

Oliver Rochford [: 00:31:26

What does a vendor prenup like?

Richard Cassidy [: 00:31:28

Some prenup.

Jim [: 00:31:30

But we we used to do this when when cloud first became a thing. You know, first virtualization and cloud start to start to get to become a big thing. Funnily enough, it was one of the questions I used to ask a lot when people were moving over to the new you know, to back then to the cloud vendors. Because like now, there was a 1000000000,000,000 different cloud vendors with a billion anybody with any IT skills is creating a company that did cloud. And my god, there was a lot of them. And one of the questions I was used to ask when when my customers were looking to onboard them is, how do we get the data out? How is it how much is it gonna cost us to get the data out? And we've forgotten that little question. We've we don't ask it anymore. You know, we're so used to SaaS.

Jim [: 00:32:17

You're right, Richard. You know, what what does the divorce look like? We should be asking that question again. And who who are your suppliers as well? Because I mean, you know, let's let's look at Pure. They're not particularly happy with Snowflake right about now, are they?

Richard Cassidy [: 00:32:30

No. No. Exactly. Yeah. But the vendors do a great job, and and Oliver and I have been enough and and Oliver's interviewed more than I have in his time, where they they're very good at saying, if you buy us, we'll show you how easy it is to migrate from the competitor to us, but there's never the reverse story. And and when you ask the question, it was really hard. But I just wanna touch on on supply chain for a minute as well, because I don't want the vendors getting off the hook on this. My so I don't wanna beat up Microsoft, but, oh, come on.

Richard Cassidy [: 00:32:59

Again, right, Microsoft zero day out click sorry. A zero day attack, 0 click Outlook remote code execution exploit. And and this is a very recent one, and and what's really annoying me here, it's driving me nuts, is in this particular one, they're saying, well, we're not gonna re we're not gonna release everything. This is the research group that found it because we want to present this at DEFCON, but it's a zero day and it's a it's right now, you can be hit by this and arbitrary code can be executed and yada yada yada. Like, come on, industry. Are you absolutely kidding me? We're gonna wait till August until we tell organizations how to prevent against this attack. And and I wanna make I wanna make a wider statement on this, which is Microsoft, Adobe, you know, all of the major vendors, when a a breach occurs in your code that is as a result of you just not doing the basics well. And I and and I'm not I'm not holding their feet to the fire on these these true zero days, and we can even argue what does that mean, that potentially they couldn't have found in in in breach attack simulation and and secure coding practices.

Richard Cassidy [: 00:34:02

But they've got to have some liability. And, you know, the the the US government at least is starting to have these conversations about, you know, vendors now need to be have more responsible fiscally for the damages that may well be caused in the supply chain. And there's much of a part of it as the service providers deliver the services industry. And I really want customers to start asking their vendors, what's your liability if this goes wrong, and it's something that you could have fixed. Because it's just it drives me nuts that these vendors can go, oh, yes. Sorry. I made another mistake. You know, sorry that your business has just lost 10,000,000 in ransom payment.

Richard Cassidy [: 00:34:36

Sorry that you're operationally inefficient for a week. That is not acceptable anymore. We've got to change this.

Oliver Rochford [: 00:34:42

It it's worse than that. It's the vendor says to the end user, you have to secure our software. And the the end user says, well, why don't you do that? And the vendor says, that's way too expensive. I do know.

Richard Cassidy [: 00:34:53

Exactly an old script. Yeah. That that is crazy.

Jim [: 00:34:57

If you're watching this podcast or listening to this podcast and they're thinking, what should I do? What should I get into in the infosec space? I think there's gonna be a really, really, really lucrative sort of, like, legal kind of side of things when all of these kind of lawsuits start flying around. Because let's face it. No. You know, if some of these some of these supply chain issues that you see, I don't I don't think I've seen who sued who afterwards, but you could bet your bottom dollar that it's it's there. And it will get bigger and bigger and bigger. You know? If if your cloud storage supplier, for instance, for your awesome SIEM solution, has a breach and all your data is nicked from all of your customers, you're not gonna sit there and take that on the nose, are you? You're gonna be unleashing the lawyers. See you later. You know? So there you go.

Jim [: 00:35:51

I might become a cyber lawyer along with my AI companion who tells me the law.

Oliver Rochford [: 00:35:59

Yeah. Because the argue because the argument for a long time has been that that, software is exceptional. And the truth is that you can prevent 100% of vulnerabilities, but we can prevent far more than we do. And and and indeed, if you think of the law of diminishing returns, there's a certain percentage where that's cost effective to do on the developer side. Beyond that, returns diminish. And then there's a certain percentage that's sufficient to do on the end user side. Right now, we have an imbalance there. We're expecting to do too much on the end user side.

Oliver Rochford [: 00:36:30

That last 20% cost more than the first 80 to think you know, to to to mitigate. I

Jim [: 00:36:34

mean, it's it's people not facilitating due diligence throughout that supply chain either. I mean, all it takes is Yeah. You know, one supplier for, you know, they they provide a a solution, and they haven't looked after their code. They haven't done DevSecOps. They haven't done anything. And all of a sudden, 12 companies who are, you know, utilizing a product that you oh, my camera's just died. Utilize the product and, get affected by this. So who's at fault?

Oliver Rochford [: 00:37:02

But but how how are we financing this? I mean, that that so I I wrote a paper a few years back with doctor Stefan Frei from EHT Zurich, and and it was actually cited by the OECD. And we calculated how much a global bug bounty program would cost, and it was something only like 0 dot 0 dot I think 0.04% of GDP. And that's to cover basically open source, that kind of stuff. Because right now, it's unevenly distributed. But most of all, companies aren't exactly paying a tax to to pay for security. That that doesn't exist. There isn't a separate tax for that or a separate anything for that. It's just basically between the end user and the vendors.

Oliver Rochford [: 00:37:41

And you can imagine both sides are a bit reluctant to wanna pay.

Jim [: 00:37:45

We're trying so desperately to secure our own organization and to try to understand how all the piecemeal pieces that that make up all the critical solutions come into play and what they're doing. There's so many pea organizations who are doing the barest minimum. I used to lose my mind when I would go in to do PCI DSS compliance to an organization who I know are a big e tailer. I know that there are massive amount of money that they earn, and they say, you know what? We wanna do the minimum required to meet the compliance. And I would have conversations with these these organizations, say, okay. The minimum is the standard, and the standard tells you this. So it's useful useless for you to turn around and say, you wanna do the minimum required, the cheapest way of reaching the level of security required to secure your environment. But are you thinking about your customers here? Are you thinking about what this would actually look like? If you do the barest minimum, you are still likely at some point to have a security event By adding a little bit more on top, you know, a bit more effort, a bit more monitoring, a bit more above and beyond what your compliance says, you're actually probably not only protecting your customers, but you're protecting yourself.

Jim [: 00:39:04

Because you are the ones who are gonna, like, bloody idiots. If you have a breach and say you're facilitating all the major supermarkets TILs, you know, or refrigeration units, and somebody uses your network to hop on to the localized networks of those big supermarkets, and then you compromise the tills, because that's that's what's happened in the past. It's frightening. It's scary stuff. And can I mean, you know, we've moved way off the contextual security thing, but let's put some context into why you need to secure yourself in the first place is because no one else is going to? What are you gonna do? Plead with the malicious people who've just ransomware due to please give us back our data and don't release it. They're not gonna say no. They're gonna tell you to f off and then charge you 30,000,000 quid.

Richard Cassidy [: 00:39:52

Yeah. Absolutely. And and look and and on that market, that's that's shifting too. Right? You know It's getting more

Jim [: 00:39:58

expensive, isn't it?

Richard Cassidy [: 00:39:59

It's getting well, not only that, but hackers are turning to to, you know, just extra training the data now. There's there's been a massive increase in just extra. And even just small amounts of data exfiltrated, it's still a bad day for an organization, isn't it? So, you know, but, but to your point, I love I love the point that you made there. You know, is if you think about protecting the the customers, the consumers of your service, then you should be able to work out the blueprint of what bad looks like for you, what your worst day could potentially be. Because I think it's it's and maybe obviously differently, but every CSR I've spoken to spoken to in the last 3 months alone, okay, I hear the same old thing, you know, it it's about our environment, it's about our data, it's about our business. And I have asked the question, okay, what about your customers? You know, and and and I'm not gonna flog some Cenovus, too hard, you know, the the the the whole issue with NHS and Bloods not being able to be there because their systems are down because of an attack. But I'd imagine if if there was just a look there at who we servicing here and what are the critical components of that service, then they may well have had a a better system in place to kind of prevent what has happened. And I'm not saying they would or wouldn't.

Richard Cassidy [: 00:41:12

I'm just saying there's a highly likelihood that they would. And and even even if you look at I mean, Snowflake, again, a good example, you know, they allow I mean, customers weren't forced to have multifactor authentication on, and and that's been partly, you know, attributed to what's going on here. I mean, come on. These aren't new problems, guys. We we have to get better at at working out what our what our risk are to our consumers, our customers, and then help them to mitigate their risk. Because and the risk may not always be on the business, by the way. It may be on what the customers are doing. In in self paced case, you weren't turning on standard security functionality you should have.

Richard Cassidy [: 00:41:46

And and and work it both ways because I don't think it's all in the business. I also think it's on the the user of the data as well, you know, and and not too easy to resolve, but there you go.

Jim [: 00:41:55

There is also an element, I think, with with that particular vendor that you mentioned, where there was a business decision they don't want to enforce it because it would annoy customers. You know? Don't forget, security is annoying to some people. When you've gotta sit there and wait for your phone to ping so you can press the yes, it's me, or business owners don't necessarily want the customer journey to be affected by security. They want security to be nice and invisible. But I bet you bought in dollars a hell of a lot of bloody SaaS and various other vendors at the moment of of going in and clicking on the must have MFA.

Oliver Rochford [: 00:42:34

That's because because criminals prey on the greedy and the impatient. That's just the way it is. Right? That is

Jim [: 00:42:42

brilliant. That is brilliant. I like that.

Oliver Rochford [: 00:42:44

It is it is true that it but it is true, but I because I it is a friction point for people. Right? And it adds up. But, what's interesting about what you said Richard is that that so Ashley Ashley Madison, there's there's a great Netflix documentary in the moment about the breach behind Ashley Madison several years back, and and people don't realize that they invested 0 in security. It was a known secret within the company that they had zero security, and people suffered from that. There were divorces, suicides, and everything. Nothing happened. And I've I've thought about this. Why why SolarWinds slammed? And then you have, you know, basically actually, the massive difference is that one was a private company, the other one was public.

Jim [: 00:43:21

And one was servicing government, and one one was serving government officials by all accounts.

Oliver Rochford [: 00:43:27

One lied to their investors, the other just lied to their customers.

Jim [: 00:43:32

Yeah.

Oliver Rochford [: 00:43:32

That's the fundamental difference between however you're going to get prosecuted in the moment or not. Who you are basically working with, and when you're right. So, Rich, that worst day, what's, what's the worst day for our customers, should be the question. Not our worst day. What's what's our worst day in relation to our customers? What would our customers think is our worst day? That's probably a good scenario. But with actually Madison, it costs them nothing. The reality is that the company is all going strong.

Jim [: 00:44:02

You know? It is. But, I mean, you know, one of the the to be honest, you've you've just described one of the first things that I do when I go in and be a CSO for any organization, virtual CSO or when I have been. You know? It's like, okay. We can we can analyze and do the business impact assessments with all the departments internally, but what I'm actually really interested in is talking to the person at the top, the CEO, whatever. So what keeps you up at night with regards to security events that affect the business, that affect your bottom line, and affect, you know, your relationship with your partners, with your customers, with the people who rely on you? They seem surprised at that question when I ask it. It's like, well, what do you mean? It's like, well, if, you know, you're a financial institution and all your financial records suddenly get get get stolen, exfiltrated out, and then shoved out onto the Internet, what are you gonna do? What what what are your thoughts on that? Oh, I don't like that idea. Okay. Well, let's do something about security again.

Jim [: 00:44:59

It goes back to Jack Jones, you know, when I interviewed Jack Jones, an amazing man. You know, there's a lot of hero worship there for me, but his model on fair is so good at showing what the effects of risks can be. And we need to remind ourselves as InfoSec professionals that we are risk based. We look at the risks. We look at the outcomes. We look at the possible incidents, the most probable, the worst case scenario, and we make a decisions based off of that. But we also have to inform C suite as to what their decision making of not putting money into security and not taking the easy route so we don't piss off customers or piss off partners, would feasibly be. You know, they don't like that communication, but they've got to understand it.

Jim [: 00:45:43

They've got to know it. It's their business, ultimately.

Richard Cassidy [: 00:45:46

Yeah. It's a it's a tough one to answer. I mean, I I always say when I meet the CISO, I and I and I you've heard this so many times. Right? What are you protecting? Where does it sit? And but the most important question is the third one for me, although I'm gonna add, what's your customer's worst data that? So it'll be 4 questions in future. It's who are you protecting or what are you protecting your data from. And so what what an adviser sees to do at the moment is understand that that attack surface, understand through all of the data that we have about what APT or UNC groups are out there that target you in the way they target you, then analyze the technology and services and systems you have in place, and then identify the gaps. And go back to the board and say, we've gaps here. It's a realistic gap because they're doing this stuff at the moment.

Richard Cassidy [: 00:46:30

We haven't got coverage. You'll move. And and and that's not always the best way to talk to boards. It's a very passive aggressive way.

Jim [: 00:46:38

But I like to give them 3 options personally because normally, they'll pick one of them. I've seen I've seen what happens when CSOs go into a board actually and say, I found all of these problems. You need to fix them. They're like, oh, great. Thank you very much for that horrible information. You could leave now. You know?

Richard Cassidy [: 00:46:56

Yeah. And and I agree with you, James. Your move is right. There are 3 outcomes. We do nothing. We do this, or we do this. And I and I always say, choose the one you want. Tell them you want this, but they've got 3 options.

Richard Cassidy [: 00:47:07

And and then hopefully with all of I mean, think about regulation, man. I mean, you know, the c suite are now good are now, you know, liable for custodial sentences. If I was to see, so I'd want to make sure I've got a full paper trail of I identified it and show them how to mitigate, and the board said no. So they go to prison, not me.

Jim [: 00:47:26

That's why in every risk management solution or or implementation you put in, there's a nice little section in there called, you know, risk owner along with what their decision making was. And you're absolutely right. You know, the old adage of ass covering in this space hasn't changed in all the years that I've been here. You know? Because when the shit hits the fan, there will be finger pointing. And if you haven't done something because you you didn't do it, because you didn't perceive it, okay. Fair enough. But if somebody made a decision that was a bad decision, you could bet your bottom dollar they don't want to be the ones fingered in that particular situation, metaphorically speaking.

Oliver Rochford [: 00:48:11

Yeah. Yeah.

Jim [: 00:48:13

But hey. Right. So my camera has failed. Time is drawing thin, and I know Richard and Oliver are very, very busy people. We've been podcasting all morning. I think I think there's been some really good info in there, and I think it's definitely, good for people out there to to really kind of sit down and rethink what they're doing, their defense in-depth, where they're going from a security standpoint. Rule based security is good, but you need contextual security as well. You need to adapt from a reactive security and have a good measure of of proactive security as well.

Jim [: 00:48:44

The world is changing whether you want it to or not, and we have to change with it. But my god, the the purview of Infosec is increasing by the day. Alright, guys. It's been an absolute pleasure. We'll speak to you all again soon, and thank you very much.

Richard Cassidy [: 00:49:00

Thank you. Cheers.

Jim [: 00:49:02

And thank you for listening or even watching the latest edition of razor wire. It's always good to get feedback. Please feel free to reach out to us. You can reach out to us via LinkedIn or through our website, www.razorthorn.com, if you feel that there's something that we should cover maybe a little bit more in-depth, a new topic or something of interest to you or the community at large. We'll even do interviews if you've got any recommendations, or you want us to interview people, we'll reach out to those individuals and see if we can get them on camera, so we can ask them the important questions about infosec. So it'd be great to see what your feedback is. In addition, I do have a book, recently come out, the Cyber Sentinel's Handbook, a primer for information security professionals. Now this book is very much geared up towards professionals all levels of their career.

Jim [: 00:49:56

Be they starters, be they newcomers, be they people who've been in there for a little while and maybe looking for a little bit more direction, albeit the older ones looking to maybe reground themselves in some of the more important aspects of the trade, that maybe they've forgotten over time. I've had lots of good feedback from a lot of different readers of a lot of lots of different levels, so please feel free to get yourselves a copy. We've got the e copy. We've also got the paperback copy, and if you don't want to spend any money, you can go on Kindle Unlimited, and read the book for free there as well. So thank you ever so much again. Look after yourselves, and we'll be seeing you again soon.