The Voice of Cyber®

KBKAST
Episode 264 Deep Dive: Christy Wyatt | Cyber Resilience In Today’s Threat Environment
First Aired: June 19, 2024

In this episode, Christy Wyatt, President and CEO of Absolute Security, brings attention to the lack of maturity in the cybersecurity ecosystem compared to the regulatory environment. Her discussion delves into the disparity between the accountability on a Chief Security Officer (CSO) and a Chief Financial Officer (CFO), and the importance of responsible behavior, accountability, and conversations about risk tolerance and investments to mitigate risks in cybersecurity. Christy also emphasizes the need for continuous testing, measuring impact and probability, building roadmaps, aligning risk appetite, and maintaining resilience in the cybersecurity journey. She tackles the significance of cyber resilience in maintaining security posture and responding to incidents, along with the key steps involved.

Christy is President and CEO of Absolute, the only provider of self-healing, intelligent security solutions and the only endpoint provider embedded in over 600 million devices globally.

A Silicon Valley veteran, Christy has deep experience and expertise spanning cybersecurity, enterprise mobility, embedded platforms, IoT, enterprise software, and data science. Prior to Absolute, she served as the CEO of Dtex Systems and Chairman, President, and CEO of Good Technology (acquired by BlackBerry). Christy has also held a variety of technology leadership roles at Citigroup, Motorola, Apple, Palm, and Sun Microsystems. She currently serves on the board of directors of LM Ericsson and Silicon Labs, and has previously served on the boards of Quotient Technologies, Good Technology, Dtex, Centrify, and the Linux Foundation.

Christy was recently recognized as CEO of the Year by Globe and Mail. She has also been awarded one of the Top 50 Women Leaders in SaaS in 2019, and has been named one of Inc. Magazine’s Top 50 Women Entrepreneurs of America, Information Security’s CEO of the Year, and a Fierce Wireless “Most Influential Women in Wireless.”

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Christy Wyatt [00:00:00]:
Say the cybersecurity community is quite good at peer networking and sharing best practices between organizations, especially within verticals, and it’s great insight, again, to share between management and the board because I think the board is trying to calibrate, are we doing enough? Have we thought of all of the things? Is there something that we’re not seeing? And one of the best ways to do that is by listening to folks outside the building. We often get so deeply entrenched in

Karissa Breen [00:00:43]:
Joining me today is Christy Wyatt, CEO from Absolute Security. And today, we’re discussing the power of cyber resilience. So Christy, thanks for joining and welcome.

Christy Wyatt [00:00:55]:
Thank you. Thank you for having me.

Karissa Breen [00:00:57]:
So let’s start with the term cyber resilience. Now I wanna ask you, do you think this sort of term’s been overused in the market? Because I’ve heard it a lot, especially a couple of years ago as well. A lot of people sort of banging around on social media saying, you know, we gotta be more cyber resilient. What are your thoughts?

Christy Wyatt [00:01:14]:
You know, it certainly is a very used term, and when that happens, we tend to get a little glazed-eyed when we hear it, but I think of it less as an overused buzzword and more as an emerging category. When we look within global organizations, banks, governments, etcetera, we’re actually seeing sort of a third leg of the stool. You have your CISO, you have your CIO, and then you have your cyber resilience team. And so I see it more as an emerging category and emerging set of capabilities for how security and IT connect and think about the overall effectiveness of the investments we’re making in security.

Karissa Breen [00:01:52]:
So when you say an emerging category, what does that sort of look like from your perspective?

Christy Wyatt [00:01:56]:
So if you think about the other two legs of this stool, right, typically, you have your security professionals who are thinking about all of the bad things that could happen and what are the mitigations or controls or technologies we can put in place to prevent those bad things from happening. If you think about IT, oftentimes, sort of endpoint management or the technology team within the organization is responsible for the deployment. So how does that technology actually land on your device? How does it get installed? How does it get updated? How does it get fixed? The cyber resilience component of that, either of that work or that third department, depending on the size of the organization, is really about how do you build that with a higher level of fidelity. So believing that not everything is gonna go perfectly, how do you maintain your security posture? How do you respond or adapt when things actually start to go wrong? And things can go wrong in any number of different ways. And so when we think about a security breach, we often think about the bad thing that happened and maybe the data that was taken or the ransomware that was demanded and how do we get that bad thing off of all of these other systems? The part that we typically don’t talk about, it’s not quite as sexy or fun, is then who’s gonna come and mop that up? Who’s gonna get that all back to work? If you had 5,000 employees working remotely and they all just got disconnected because they got impacted by malware, how do you actually get those users back up and running? If you’re relying on something like a CrowdStrike or Tanium to protect you or to find those bad things and those security controls become disabled, IT did their job, they installed it, but who’s gonna prop it back up again?
And so cyber resilience is really about making sure that we have the adaptability and the responsiveness to maintain our security posture and to get the business back online.

Karissa Breen [00:03:51]:
You know, that’s a great point because I’m really at the face of this industry, speaking to people like yourself all over the world, all different sized companies, etcetera. And that is a very valid point that you raised around, like, who is gonna sort of mop that up? And it’s something that I have observed in the market around, well, what sort of happens after, you know, an incident happened or was there an attack or something happened? No one really talks about, well, what happens next. So what does happen next from your sort of point of view, and how sort of effective do people sort of get back in business and back up and running like they were before the incident happened?

Christy Wyatt [00:04:22]:
So if I just sort of set the stage for a moment and think about the fact that most organizations still have at least some percentage of their population working remote some percentage of the time depending on where you are and what industry you’re in. And so, you know, the answer used to be, if your security application that you’re relying on for multifactor authentication, right, challenging you when you’re logging in, if that stopped working, you would pick up your laptop and walk over to the IT department and say, could you fix this for me? Or they would come and knock on your door and say, please let us fix that for you. If you got hit by ransomware and you were, you know, sitting in the office, again, something bad happened and they would say, no. No worries. Fix it. Now when you have employees that are broadly distributed, the world is very, very different. So, you know, when we talk to customers and we say, so what do you do? I was talking to a global bank a little while ago when I was asking the CISO.

Christy Wyatt [00:05:14]:
So if you had 5,000 systems impacted, what do you do? And they said, no. No. We have a disaster recovery plan. We know exactly what happens. We have a playbook. Certain number of people get into the local office. They work on clean systems, and we can continue to, you know, to take transactions or continue to conduct business. And I said, so but that’s great, but then then what do you do? And he’s like, I don’t understand.

Christy Wyatt [00:05:35]:
We’re back up and running. I’m like, yeah. But but, like, that long tail, like, what do you do? You’ve got 5,000 people out there who can’t do their job. So what do you do? And the the ugly answer is, you know, they they box it up. They send you a FedEx box. You box up your system. You send it back in. Or, you know, if a security application has been taken down, you, again, you know, get to a local office or box it up and send it back in, or you get online with tech support and they try to step you through it remotely so you could do it.

Christy Wyatt [00:06:02]:
So these are kludgy, expensive, slow systems that are not working at the speed of risk. And so, you know, when we think about cyber resilience and how to think about that differently, we’re really kind of thinking about how do we do that at that moment in time and how do we minimize the downtime for the user. And it’s important to think about we’re applying resilience at different moments in time for different reasons. When we think about your security posture, let’s say your organization has said, you need these 5 applications always installed. It could be encryption. It could be, you know, your multifactor authentication tool, whatever it is. Right? That’s their special sauce for how they’re going to protect you. At that moment, we’re really focused on prevention and detection.

Christy Wyatt [00:06:45]:
And so resilience in that world means how do we make sure those applications are always up and running and that they’re always protected? Later on, if your device actually becomes compromised, we’re thinking about resilience differently. We’re thinking about how do we mitigate the risk? How do we contain the risk? How do we kind of, you know, defend against that attack? Or if we have to, how do we rebuild and restore that device so that the user gets back up online? So it’s really about that adapting and response after the fact.

Karissa Breen [00:07:12]:
So you mentioned before, like, how do you think differently about cyber resilience? Do you think maybe there’s just different versions and definitions that people have in their mind and therefore it gets a little bit convoluted on, like, what this actually means? And then furthermore to that, do you think people are actually even thinking about this?

Christy Wyatt [00:07:30]:
When people think about cyber resilience, you’re really thinking about kind of these 4 steps. Right? You’re thinking about how do I prepare, think about all of those bad things; how do I protect, what are the things I have to kind of go put in place to protect; how do I respond when something bad is happening; and then how do I recover? Like, how do I clean up that mess? And so I think it is not really about interpretation. It’s about what is most appropriate about keeping shields up and maintaining the integrity of the business. Right? We like to talk about the technology. People like to talk about the breach or the attack, but what we’re really protecting is the business. Right? How do we keep the business up and online? For a long time, and I have a very large customer who used to say, you know, this is the third question. When the CISO has to stand in front of the board, they ask the first two questions. What bad thing could happen? Did we install the good thing that could prevent the bad thing from happening? Nobody ever asked the third question, which is, is that stuff working and are we protected? And the reason is because nobody had a really great way of measuring it.

Christy Wyatt [00:08:33]:
And so this evolution, as I talked about cyber resilience coming into its own, it’s really about a maturing of the tools and the frameworks and the visibility to be able to see, right? Are we protected? To be able to measure our response, to be able to measure our adaptation? So it is really that third piece, right, that third question or that third leg of the stool.

Karissa Breen [00:08:53]:
So on that note, how would you measure if it’s working or not?

Christy Wyatt [00:08:57]:
Well, I think there’s a variety of different ways to do it, but the way we do it, and I’m very specifically talking about endpoint security now because cyber resilience is much broader. Right? There’s a view of this about cloud security. There’s a view of this around network security. But if I’m thinking very specifically about endpoint security, right, what we’re constantly measuring, and it’s not just at one moment in time, it has to be continuous, is we’re really measuring compliance. Right? Where an organization has asked those first two questions and said, I know what 5 things should be installed to protect me from the 5 bad ideas that could come after me. What we’re continuously monitoring is, are those 5 things installed? Are they working? Have they been tampered with? Have they been corrupted? Did they miss an update? And I realize these sound like very basic things, but you understand the complexity of the systems that you’re working on right now. Right? There are over 300 different versions of Windows 10 with a variety of different configurations and patches. The average device has 100 applications on it.

Christy Wyatt [00:09:56]:
Maybe a dozen of those are security applications. Every one of those apps has its own update and upgrade cycle. We have a variety of different network configurations and firewalls. I mean, the layers of complexity. And so there’s a whole host of reasons why things could stop working. The way we look at it is we’re just constantly testing that compliance, and if we see something that has either stopped working, been removed, or been tampered with, we will reinstall it, reconfigure it, we will call home and redownload it and bring it back up again, and that’s really because we’re uniquely positioned in the hardware itself. This is actually really helpful when you’re thinking about things like zero trust or comply to connect. These are some sort of new security architectures or strategies where folks are thinking, listen, compliance is a big part of security.

Christy Wyatt [00:10:43]:
It doesn’t matter how much money you’ve spent on security, if it’s not running, it’s not protected. That is kind of the first line of defense in resilience.

Karissa Breen [00:10:51]:
Talk to me more about comply to connect. What does this sort of mean?

Christy Wyatt [00:10:55]:
When I say the old world, I’m talking about a world where all of our employees used to come to the office and we used to have this secured perimeter, and we used to trust that if you had gotten through the front door with your badge and you’ve been able to log into your system and onto the network that you were who you said you were, and we’re gonna give you access to everything, everything that you’re entitled to. You know, we sort of shifted to having this conversation about zero trust, which essentially says, you may be on the company network. You may not be. It doesn’t really matter where you are. I wanna continuously understand the context of what you’re trying to do. Are you really who you said you are? Are you in a location I recognize? Are you doing behavior that I think is consistent with what you’ve done before? Is your device compliant? Is it secured? Are there things I’m trusting? So an example would be, I may not let you access the same set of applications or the same data if you’re sitting in an airport in a foreign country that I never expected you to be in, and you’re sitting on an unencrypted device in an insecure network. I’m gonna treat you differently than if you’re sitting in a trusted secure space, and I’ve really authenticated you are who you are. So that’s zero trust.

Christy Wyatt [00:12:05]:
Comply to connect is kind of taking that one step further and saying, you know, before I even let you connect to the network, I wanna ensure that shields are up. And so I’m gonna test for that compliance, I’m gonna look and make sure that your encryption is running, that all of the things that I’m trusting, including your zero trust tools, are actually working and effective and functioning before I’m gonna let you connect. And, you know, if you try to connect to the network and you’re not compliant, you’re on an insecure network, you’re not running a secured device, whatever it might be, most access capabilities would deny you the connection. That’s great for security, but not great for productivity because you’re telling employees they can’t get their job done. Oftentimes, you may see strategies where they’ll quarantine that device. They’ll say we’re not gonna let you connect to the company network. I’m gonna let you connect to this little space on the side where we’re gonna work on fixing whatever it is that’s broken. So we’re gonna reinstall.

Christy Wyatt [00:13:04]:
We’re gonna redo whatever it is we need to do to get you to be compliant, and then we’re gonna put you back into the network.

Karissa Breen [00:13:10]:
So I wanna talk more about, you mentioned everything about the cyber resilience side of things, but then also I want to sort of draw the parallels between everything you mentioned before around checking to see if things work. How would a company then sort of determine whether they were resilient or not and then ask those right questions internally? Because everything you mentioned before, like you said, is quite complex, and it’s not sort of a binary answer straight away. It could take a bit of time and process to understand whether the company was resilient or not.

Christy Wyatt [00:13:40]:
Yeah. We work very hard, and I think this is an emerging opportunity for our ecosystem. And we’re just one of many, but, you know, we work very hard to publish very clear data. So we publish this research every year. We published it this year just prior to RSA Conference, which is our cyber resilience index. And what we did is we took a look across millions of devices that are connecting to our enterprise service and sort of read out on the average compliance of those devices. And the facts are quite interesting. You know, I think it’s about 25% of the devices connecting to an enterprise are not compliant at any given moment in time.

Christy Wyatt [00:14:19]:
Maybe that doesn’t sound like a big number unless you sort of translate that to mean 25¢ on every dollar you’ve spent on security is wasted because that’s not actually protecting you, or 25% of your attack surface is exposed. But what we can then do with customers is we can actually run that benchmark within our product within their particular organization. So our product is actively giving them the resilience score, but it’s not just measuring the gap, it’s actually closing the gap. It’s actually showing them that we can get them to 98, you know, 99, 97% compliance across all their applications and keep them compliant over a period of time. And so I think that as an industry, you know, we’re sort of working to use the data to not just sort of show the risk, but also come up with sort of some clear scorecards and metrics that organizations can use with their boards. They can say, here’s the investments we’ve made and here’s how well we’re protected, and are we comfortable with our risk appetite? Do we think we should be doing more or less based on the business that we are? And I think that’s just a sign of the maturing of this part of the ecosystem. We have great dashboards in other parts of risk management, but cyber resilience is one that is really important because nobody’s really going to be comfortable with the answer, you know, why did you sleep well at night knowing that you were secured if you didn’t actually have the scorecard to back it up?

Karissa Breen [00:15:50]:
Okay. This is interesting. And you actually were going down the path that I was gonna ask you next around scorecards slash benchmarks. I’m assuming it would vary, though, from vendor to vendor because I have seen other companies out there, and they give you a risk rating and a scorecard, etcetera, everything you’ve mentioned. How does the company sort of then determine, because it sort of feels like you’re comparing apples to oranges if you’re looking at different vendors. How does that sort of work from your perspective?

Christy Wyatt [00:16:15]:
I think that many of the benchmarks and scorecards that you’re seeing, they do reference common frameworks. So for example, this is a broad ecosystem of vendors and partners that can help you assess your maturity or your readiness against something like a NIST framework. And so that’s essentially saying, here’s these different categories of risk and have you deployed appropriate controls into those areas? Within cyber resilience, we’re answering a different question. What we’re saying is, of the things that you deployed, are they working well to protect you? Are we keeping those sort of shields up? There isn’t a great industry standard for it right now. One of the big challenges that a lot of other partners or other vendors might have is that they try to do it from the cloud. Well, here’s the challenge. Right? If your device has been compromised, the first thing they’re going to do is kind of disconnect you from your network. So now you no longer have, meaning that that device is, you know, if I’m going to compromise a device, you know, I may take down things like Tanium or CrowdStrike or other things that are trying to report that a bad thing is happening.

Christy Wyatt [00:17:22]:
So when all of those things go down, even if the OS goes down, right, the only thing that’s still standing is kind of Absolute because we’re in the hardware looking up, not in the cloud looking down. So I think there are a variety of different strategies for how vendors may collect the data and how resilient or reliable that data could be. Oftentimes, folks use our data, they take data from multiple sources and they line them up together and they sort of say, I need a source of truth for what assets I actually have and what’s actually happening, and I wanna compare that to different sort of data artifacts that I’m getting from other systems. I really feel like as an industry, the piece that we are kind of missing is a consistent resilience framework for how we think about resilience from the cloud all the way down to the endpoint or IoT devices. There really is that measurement answering the question, are my investments actually working? Right? And that would need to be instrumented differently in different areas. You would do it differently in a cloud than you would on a laptop. But, ultimately, if you talk to CIOs and CISOs, that’s the view they want. Right? They want the view top to bottom of I’ve spent a lot of money on security over the last however many years.

Christy Wyatt [00:18:26]:
My board is asking me, am I protected? I wanna show up with the receipts to show them that I’ve made the right investments against a common set of frameworks and that I am actually monitoring the effectiveness of those controls.

Karissa Breen [00:18:38]:
So on the receipt side of it, showing the receipts, what are people sort of doing now as an interim step? Because you are right. And historically, I’ve done a lot of executive reporting, etcetera. These are the questions that people are asking, hey. This stuff costs a lot of money. You know, I can’t really see it. It’s expensive. And you’re sort of trying to justify the cost of these things, which are not, you know, chump change. So how can someone sort of start doing that effectively now? And as you mentioned before, there is no sort of consistent resilience framework out there.

Karissa Breen [00:19:04]:
What would you advise on that front, Christy?

Christy Wyatt [00:19:06]:
I’m, of course, biased. So I’m going to say for endpoint resilience, you should add network resilience. You should absolutely come in and talk to Absolute. You know, I would say the boardroom conversations that I see a lot of companies having, that is that sort of third question that we don’t see them going all the way. Right? We see them saying, here’s the framework. Here, we tested ourselves against the framework. We deployed it, I have x percentage of visibility across all of my devices, I have x percentage of systems covered, but most of the time they’re talking about what I have gone out and installed. What they don’t have is the real time data to tell them here’s how many are protected right at this moment, but more importantly, here’s what happens when they go down.

Christy Wyatt [00:19:48]:
Here’s my resilience strategy for when an app fails, a device fails, a device gets hit. There is no such thing as a perfect deployment; this is all about rapid recovery. And so while there’s a team of folks figuring out what bad thing happened, kind of going deep on that, there’s a parallel team of folks focused on business continuity and getting it back up online, whether it’s getting that app back up online, which we can automate and do without them touching, getting devices back up online, which, you know, we can do within minutes. But this is about, you know, if you read some of these breaches, like I was reading about the Clorox breach, which is a well-known breach here in North America last year, you know, they reported in August and they said cleanup of this event will go well into 2024. And so they’re not talking about the cleanup of the ransomware virus. They’re talking about how long is it gonna take them to get all of these systems back up and online and people back connected and with the right data and the right access. I mean, that’s the long, expensive tail that folks are trying to get their arms around.

Karissa Breen [00:20:53]:
And why would you say people don’t sort of discuss this in-depth? Because you are right. Like, what does this actually look like in terms of, you know, moving forward, long term impacts of businesses, continuity, etcetera. Do you think people are perhaps afraid to share those details?

Christy Wyatt [00:21:08]:
I think because the data visibility hasn’t been perfect, and so it’s been very, very hard to measure. And if you didn’t have something, and I’ll just, again, stay focused on endpoints for a moment, you can try to collect the log files from 15 different and try to correlate them and see, are they all talking to the same devices, and is anybody missing? Like, it’s messy and it’s complicated and it’s a big data problem. So if you don’t have something like Absolute that kinda has that permanent connection to that device that’s kinda giving you that source of truth, right, there’s a lot of messiness in trying to piece all of the different data pieces together and say, what is my truth? What is actually working? There’s also a latency to it. Right? Let’s say you had applications on a device and something was going wrong and 3 of them got taken down. It’s gonna take the team a while to see that there’s an absence there because other things are still working just fine. And so the third piece that we hear a lot from customers is just the alert fatigue. Right? Even if something does throw a signal and say, hey. By the way, these 3 applications stopped calling in from that person’s device. Maybe something’s going on there.

Christy Wyatt [00:22:22]:
It’s sending it to a human who is getting 1,000. The signal to noise ratio is massive, and we all know that there’s a talent shortage in cybersecurity. And we’ve read all about the breaches where bad things were happening and they were getting alerts, but they were buried in a bunch of noise and garbage that nobody could pull out. And so if you don’t have that source of truth and that anchor into something solid, we don’t wanna tell folks that something bad is happening. We wanna tell them that we fixed something bad that happened. Right? These things went down, and we propped them back up, and, you know, you can go dig into the data about what happened and why, but, you know, we don’t wanna be sitting around waiting for someone to get around to see the next alert on this.

Karissa Breen:
So what do you think most people or companies overlook when it comes to resilience? Because we spend a lot of time talking about, on the IT side, we spend a lot of time talking about asset management and asset visibility. On the security side, we spend a lot of time talking about risk management and ransomware.

Christy Wyatt [00:23:19]:
I just think that when you talk to these practitioners and you talk about the bad thing happening, there’s so much going on and so much focus around how do we get to the other side of the attack that it’s kind of passing the baton on to that third piece that says, how do we mop up the mess? And it’s not that it’s not in the conversation. When I ask folks, are you contemplating the cost of that? Are you contemplating, when you’re thinking about planning overall, are you making sure that they have sufficient resources to be able to do that work? It’s not that it’s invisible, but it feels separate. It’s like, okay, then I’m gonna hand the baton off to those guys and they’re all just going to clean it up. And so we do think that there is an opportunity as an industry for us to just shine a much brighter light on that and say, gosh, what would the cost of FedExing 5,000 laptops to a central place, reimaging them and sending them back out be, and how long would that take, and what could possibly go wrong? And there are certainly professionals who are obsessed with that and who are working on that, but it’s usually not in the headline of the conversation when we’re talking about the breach. We’re talking about the bad guy and the bad thing that happened and what cleansing thing enabled it. I mean, that’s where so much of our attention and, honestly, where so much of our spend goes, right? When we talk about the breakout of the spend within the cybersecurity industry, you know, a huge amount of those dollars have gone into that detection and prevention bucket almost at the expense of some of the resiliency side. And so this is really about that shift and that balance kind of rebalancing.

Karissa Breen [00:24:54]:
So what you’re saying is the majority of the funds are not going towards the mopping up of the mess historically.

Christy Wyatt [00:25:01]:
I think that when folks are talking about their incident management plan, they maybe stop the tape before they get to the end. They sort of play out the exercise until they get, you know, the bank able to get transactions again or the retailer able to take orders again. They don’t play the tape all the way to the end. So what is the actual long tail of cost and expense and damage that we’re still dealing with long after the rest of that work is done?

Karissa Breen [00:25:31]:
Yeah. This is interesting because I was doing an interview last year, and I have interviewed, as you know, so many different people. And I was asking someone, like, is there some sort of actuarialist out there that’s actually predicted the cost, like you said, of, like, the long tail cost, impact damage, brand reputation post an incident, and what are those numbers? I haven’t really spoken to anyone on this show that has any sort of indicative numbers on that. Do you have anything on that front?

Christy Wyatt [00:25:58]:
We have a lot of data about the resiliency and the gap and the exposure. And, actually, this was a big point of conversation last week at the RSAC, because we’d love to sort of dive in and take a look at that with a small group of folks who really kinda wanna dig in and figure out, you know, how do you scope that and actually assess it. Because, as I said, especially in large organizations, it may be sitting in a different bucket. And so I would love to see the data. If you do find it on your journey, by the way, I’d love to see it because I’m right there beside you. I have not seen it in any quantifiable way. And when I look at a lot of these breach reports and the cost of a breach and the scope of a breach, it really feels to me that these numbers can’t be baked into that. Like, the cost of a breach can’t be $4,000,000 if that includes all of the rest of this work, right? I think it’s an area where we have a high level of interest and are also sort of chasing that down.

Christy Wyatt [00:26:54]:
A lot of our work has been very much focused on the exposure and really bringing to light customers who feel like on every other level they’ve done a great job. They’ve done the NIST framework, they’ve bought the good stuff. They’ve deployed the good stuff, and they’re sort of high fiving in the hallway and going, we feel reasonably good, and haven’t really had a lot of visibility into just this natural decay of your security posture that just naturally happens as a result of the complexity. And, honestly, you know, our focus is on helping them understand how easy it is to actually mitigate them.

Karissa Breen [00:27:29]:
And I just wanna run with another example. So here in Australia, there’s a large insurance company that got breached. And so, again, part of this interview that was asking, like and I know that people don’t necessarily have data. It’s nothing to really think about around okay. So people are still even now, for example, Equifax, people say, oh, well, you know, you guys got breached. It’s still a bit of that. So with this company, insurance company here in Australia, is this gonna go on for 20 years that they potentially they’ve lost new customers or they’ve lost retained customers? How long does that go on for because of that brand name? And I guess it’s really hard to put a number on. It’s just something that, again, if you’re doing board reports, you may be able to sort of demonstrate, which potentially may result in getting more funding to say, well, you know, some very smart person out there

Voice Over [00:28:10]:
has come up with some financial model that has said, well,

Karissa Breen [00:28:16]:
you know, after a breach with this type of company, it could take 20 years to build back ARAB, and it could take 20 plus years to start building back that customers that we may have not necessarily have lost before the breach happened. So this is something that I there is still not a lot of transparency on, not a lot of fidelity on that there in the market.

Christy Wyatt [00:28:35]:
I agree. You know, we had an event last week and we were talking quite a bit about this, and I think that one of the complexities to that is also the lack of maturity in our ecosystem compared to the regulatory environment, and I am seeing this all around the world, especially here in North America, but we know that a lot of other countries are experiencing it as well, where, you know, we really as an industry have to separate this concept that a company is bad at security if they get breached. There are certainly those that have under invested or not taken it seriously, but the analogy I draw is sort of if we think about financial risk and fraud risk. Right? We have a very mature ecosystem around there for how we measure risk, for how we talk about materiality, for how we measure materiality. We have checks and balances through auditors and internal audit, and we’ve over time sort of created the infrastructure so that you can talk about risk in a safe way. And if a company misstates something and it wasn’t fraudulent, it was just natural behavior as the company’s growing and there’s some amount of risk within that, there is a framework of how we talk about that. You know, was it material? Was it not material? What was the... and I think that we don’t have that same maturity, certainly in the security ecosystem. We don’t have that equivalent of auditors or checks and balances.

Christy Wyatt [00:30:00]:
We don’t have that same level of definition. You know, there isn’t a consistent description among countries, among companies, among stakeholders anywhere about what materiality is. If it was a material incident, it’s kind of up to the organization and the board of that organization to sort of describe what that means to them specifically. And yet we have this cyber regulatory landscape that wants to kind of put almost the same level of accountability on a CSO that you have on a CFO. You know, there’s an interesting debate going on in the industry because they’re a little bit out of sync. Right? If you put that in place too soon, where the infrastructure is not there to support the same quality of risk management in cyber that we have in finance, as an example, then you’re going to discourage folks from taking that career path. You’re going to see the best and brightest wanna go do something else because the personal risk is just too great. And if you think about that at a national security level, regardless of sort of where you live, that’s not a good outcome.

Christy Wyatt [00:31:01]:
Right? We need to make sure that incredibly bright and talented people continue to come into our industry and protect our employees and their data and our business. So there is, I think, a maturing that needs to happen across our ecosystem that helps separate the reputational damage. Like, if a company gets breached, that doesn’t mean they did a bad job. It means that... I actually had a CEO of a very well known company that’s experienced a breach say to me, I have to get it right 100% of the time, and they only have to get it right once. Right? And there’s really not another profession where we sort of have that same level of accountability. A company could do all of the great things, they can do the standards benchmarking, they can make the investments, somebody could come up with a zero day that nobody’s ever thought about, and that is just a fact of life. And so what we’re shooting for here is responsible behavior, people taking accountability, people having the conversation about what level of risk is tolerable, how much should we be investing to mitigate that, are we being responsible with people’s information and with the assets of the organization? Are we being transparent about our behavior? That’s kind of our commitment. It’s not perfection.

Karissa Breen [00:32:17]:
Yeah. That’s an interesting point. I wanna go into this a little bit more. Do you think people are saying that, like, hey, we’re responsible? Now I asked this question because there was a company here in Australia. They had an incident, and I’m dealing now with their corporate affairs and, you know, I’m trying to get a statement from them because I was like, look, I don’t think you’re being responsible because you gambled with your customers in order to... and I can’t go into much of the specifics, but they basically gambled with these security controls with the intent of, well, if you put too many controls, it means that, you know, people are gonna abandon their cart, which would then mean they’re not gonna make as much revenue. But they’re like, no.

Karissa Breen [00:32:52]:
No. No. We have been responsible. So I’m seeing a bit of pushback because, obviously, I’m in media. I’m gonna ask the questions. Right? And people want answers. So I’m seeing pushback from companies saying, well, no, Karissa. We absolutely were responsible.

Karissa Breen [00:33:05]:
But then if you really look at it underneath, it’s like, yeah, but were you, though? That’s the part that I am still not sure about. Do you have any insight on that front?

Christy Wyatt [00:33:13]:
I mean, I don’t know the company or the breach that you’re talking about, clearly, so I wouldn’t know. And I would say, like any other industry, you certainly are going to find organizations who may not be living up to that level of responsibility. But I would say just because somebody identified that some bad thing could happen and then eventually that bad thing happened doesn’t mean the company wasn’t responsible. When you go through these tests, you identify every bad thing that could happen, and then you’re measuring and securing what is the impact and the probability and how do we mitigate it, and you build a roadmap and you’re working your way through as many as you possibly can. And so there is always a long... And by the way, if you did everything on the list, you’d run the test again and come up with a new list. Somebody said at an event that I was at last week, could you have a zero risk world if you were willing to spend enough? Possibly you could. I don’t know what that would look like because we’re always striving to say, well, okay, we figured out how to solve and protect against the things we know. Now, what are the next bunch of things we didn’t think about? And that’s where this concept of risk appetite for the board is really, really important.

Christy Wyatt [00:34:18]:
I think there needs to be an alignment between these security professionals and the board of directors about what is the risk appetite, are we well covered, do we have resilience, do we have coverage, is there exposure, and are we comfortable with where we sit within that? You know, that is a tricky set of conversations to set up, you know, with the board and the security team, but I think increasingly as an industry, we’re seeing more boards take on cyber experts. We’re seeing that become a bigger part of the conversation within audit or within some other committee. And it’s critical, right, because that is not an individual decision. That is really a board conversation.

Karissa Breen [00:34:53]:
So one thing that plays on my mind is staying the course. There are a lot of people out there. I mean, the analogy I sort of drew upon is, like, going to the gym. Start of the year, everyone’s like, hey, I’m gonna go to the gym. I’m gonna lose weight. But then by, like, January 15th, everyone’s back in bars and pubs, and they’ve forgotten about that journey. Right? So then the same thing applies to, hey.

Karissa Breen [00:35:12]:
We’re gonna embark on this, you know, resilience journey, one thing, but how do people sort of stay the course and manage that stamina towards it? Because I’ve seen it’s easy to get started or say you’re gonna do something. It’s a lot harder to maintain it.

Christy Wyatt [00:35:25]:
That really is the whole purpose of Cyber Resilience, because if we talk about the prevention and detection and we think about all of the things that we should buy and install to protect our organization, and those are big projects, they take a long time, and then we go and we do the work and we install them. It is a little bit like you went to the gym and you lost that 10 pounds and you’re feeling great and then you, like, high five, and then you’re like, I suppose I could have another glass of wine. I mean, or I could have dessert. I’m sure it’s fine. And you’re right, right? It’s not a one time moment. It’s not a one time event, and that really is what this shields up cyber resilience really is about. It’s about how are you maintaining that cybersecurity posture? How are you maintaining the investments you made? How do you make sure that they’re still going? And then how does your overall security process within the organization, how do you make sure that that is an evergreen conversation? That as you are identifying new risks, they’re getting, you know, sort of incorporated into the process and that you have a consistent way of measuring those and sizing them and scoping them and planning them and sort of lining them up. And so that is a huge part of, as I’ve described, this third leg of the stool.

Christy Wyatt [00:36:37]:
On the security side, pen tests are great. Benchmarking is great, but those are moments in time, right? What you really need is this continuous monitoring to make sure that you are continuously keeping yourself protected and secured.

Karissa Breen [00:36:51]:
But I sort of wanna zoom out now for the executives that are listening, because this is an executive podcast. How do you sort of start that quest to being more resilient? Now it does seem like a very rudimentary question, but I ask this because, you know, people are busy. They got a lot of things on their mind. They’re trying to keep their head above the water. They’re trying to hire more people. They’ve, you know, they’ve got all these requirements out the eyeballs.

Christy Wyatt [00:37:12]:
How can people think about that and then start to move down this sort of path? If you are a senior executive within these organizations, I would say start asking the question. What benchmarks and data are you using to ensure that the investments we’ve made are actually protected? I know we bought these things. Are they running? Tell me that they’re running. Tell me your benchmark data against these frameworks, the NIST frameworks, you know, and how do I rank against my peers? I do think for organizations, it’s very helpful to get an external voice as well because the peer benchmarking or the peer feedback is actually incredibly helpful. When you are trying to determine your risk appetite and calibrate that and make sure that you’re doing all of the things that sort of line up with that, it is very helpful to get external voices, consultants, etcetera, that can provide that 3rd party view. I’m not just talking about pen test. Right? Running a test to tell you all of the scary things is helpful as an input into that process. But I’m talking about benchmark of companies in your industry, in your size, in these kinds of parts of the world or whatever the unique dynamics of your business are, are they thinking of things that you haven’t thought about? Do they have data or benchmarks or risk controls that you haven’t thought about? And so there are external voices you can get to kind of help you get that external voice.

Christy Wyatt [00:38:39]:
There are industry associations or industry events you can join and kind of do peer networking where your folks are talking to your peers. Let’s say the cybersecurity community is quite good at peer networking and sharing best practices between organizations, especially within verticals. But that’s invaluable insight and it’s great insight, again, to share between management and the board because I think the board is trying to calibrate, are we doing enough? Have we thought of all of the things? Is there something that we’re not seeing? And one of the best ways to do that is by listening to folks outside the building. We often get so deeply entrenched in the thing that’s right in front of us. You know, getting that third party view is incredibly helpful.

Karissa Breen [00:39:19]:
So when you say benchmark against peers, do you mean, for example, like a bank, what they’re doing versus what other banks are doing? Is that what you mean by that?

Christy Wyatt [00:39:25]:
Correct. So if I’m a CSO or an executive and I network with other executives in my vertical industry, there are often forums where there’s a lot of sort of peer to peer sharing about risks, about controls, about tools, and so that’s very helpful. You can go and look at other participants, like the large audit firms, etcetera. Many of those have frameworks and consulting and advisory services where they can give you really great feedback around how you’re doing, you know, versus industry, how you’re doing, you know, versus sort of categories or cohorts, or against common standards or frameworks where they exist. And so that’s all very helpful in kind of doing that calibration for

Karissa Breen [00:40:09]:
are we doing enough? And would you say that sort of coerces people to say, well, maybe we’re not doing enough? At the end of the day, no one wants to feel like they’re lagging behind versus their peers. Right? So do you think even having those peer-to-peer conversations is encouraging people to step up and do more?

Christy Wyatt [00:40:26]:
I actually think the behavior conversations help people understand where folks have had success versus not, so that they can avoid making the same mistakes and wasting time. And we’re all, you know, here in a battle, and the last thing you wanna do is go die on a hill that others before you could have told you, yeah, no, that’s not the one. Go do something else. And so I think that that is really a way to kind of get efficiency and scale and speed and agility. I think that there is a reluctance. There is a fatigue that’s in our industry. Right? There is a very significant conversation going across the cybersecurity industry right now that folks are tired. I don’t think that a cybersecurity professional is under any illusion that they’re ever gonna have a queue of zero things to go be concerned about or work against, or that they’re ever going to feel like they’re funded enough or that they’ve got it all under control.

Christy Wyatt [00:41:18]:
That is just the nature of our industry. We care deeply and we want to do more and we want to make sure that we thought of every single thing, but we also are very aware that there is a constant flow of new risk coming in. I think that so long as you’ve created a safe space where people can talk about risk, they can talk about the relativity of risk and the prioritization of risk, and that is a kind of a safe place to have those discussions, then I think it’s actually a very healthy data.

Karissa Breen [00:41:45]:
So, Christy, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Christy Wyatt [00:41:50]:
I would probably leave where we started, which is, you know, I really believe if you’re thinking about your cybersecurity strategy and you’re not thinking about cyber resilience as a part of that strategy, from are your controls working, how are you automating the resilience of those controls, how are you going to get the business back online if something bad happens. If that’s not a part of your tabletop exercises, if that’s not a part of your budget planning, if that’s not a part of sort of your holistic approach to defining, managing, deploying, and maintaining your cybersecurity posture, then there really is kind of a big piece missing from the conversation. We see a lot of organizations, when they find themselves in that crisis mode, they, you know, they start thinking, oh, so and so needs to do this, wait, that person can’t connect right now because we’ve got shields up, they can’t get in anymore, they’re working remote. That’s not the moment in time to go, oh gosh, we didn’t really think about that part. This has to be a big part of the conversation, and I do think as an industry we have to come up with a way of putting better sort of scorecards and dashboards around it that really help give boards and management teams visibility and answer the question, is our investment working?
