From AUKUS Advanced Technology Dialogue Australia – KB On The Go | Michael Loewy, Co-Founder at Tide, Daniel Churches, Sales Director at ColorTokens, Simon Hodgkinson, Advisor at Semperis
First Aired: January 07, 2025

In this episode, KB brings us the inside track at the AUKUS Advanced Technology Dialogue in Australia. Starting off with 2020Partners’ Founding Partner Greg Sim, who shares the significance of this strategic collaboration, KB also sits down with Michael Loewy, Co-Founder at Tide, Daniel Churches, Sales Director at ColorTokens, and Simon Hodgkinson, Advisor at Semperis, as they discuss why the industry is broken, ‘breach-readiness’, and identity being the foundation of the digital ecosystem.

Michael Loewy, Co-Founder at Tide

Michael is a Co-founder of Tide Foundation, a deep tech start-up reimagining trust in the digital world. He’s a seasoned entrepreneur with a rich C-Level history leading the productization and commercialization of transformational software for organizations like Dell, Yahoo!, News Limited, NetRegistry, Telstra, Motorola through to greenfield startups. Michael was an academic professional at the University of Illinois, and currently serves on the advisory board of the Children’s Medical Research Institute.

Daniel Churches, Sales Director at ColorTokens

Dan is an Australian and Asia Pacific Sales Leader with over 25 years’ IT experience in Hardware and Software Solutions and Services, Business Development, Enterprise engagements and Executive Relationships. He has worked for IBM, NTT Global and Verizon Enterprise Solutions driving business and building teams in Hardware, Software, Professional Services, Managed Services, Hybrid Cloud, PaaS, SaaS, Data Analytics, Security and Digital Transformation.

With ColorTokens, Dan is driving market penetration, brand development, partner engagement and client services and support. He is responsible for industry and buyer alignment and understanding of the ColorTokens “Breach Ready” messaging focusing on halting the spread of ransomware and malware attacks across IT/OT, IoT and Legacy environments providing customers a viable Cyber Resilience ‘Uptime’ compliance capability they can report to market.

Dan brings a wealth of experience to his role and to startup growth. He has worked with several startups as well as global organisations from around the world. His grasp of industry, cultural relevancies, and buying behavior are proven assets when winning trust and rapport with employees, partners and customers. He has built and delivered IT sales and coaching development programs in India, Singapore, Malaysia, Indonesia, Thailand, China, Japan, the Philippines, Australia, New Zealand, England and Germany.

Dan grew up in Denver, Colorado, lived in Bavaria, Germany for many years and is now an Australian citizen, living in Sydney, Australia. Dan continues to learn and build leadership skills and insights taking courses with Harvard Business Review and MIT Sloan. In addition to this, he finds time to travel with his wife and family, drink red wine and make homemade pasta.


Simon Hodgkinson, Advisor at Semperis

Simon Hodgkinson is the former Chief Information Security Officer (CISO) at bp. He was responsible for cybersecurity including strategy, governance, architecture, education, counter threat operations, and incident response. He joined bp in 2002 and has held several senior IT leadership roles.

Prior to becoming CISO, he was the VP for Infrastructure & Integration Services at bp. During this time, he drove a significant improvement in IT operational integrity, led a transformation program and spearheaded the commitment to improve employees’ IT experience. He led the CISO function in bp Supply & Trading, where he delivered a program to improve cyber-controls, many of which have been implemented across the bp group. Before joining bp, Simon worked in IT for a dotcom, an investment bank, and commercial software companies.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Karissa Breen [00:00:12]:
Welcome to KB On the Go. Over the course of the week, I’m coming to you with the updates from the AUKUS Advanced Technology dialogue in collaboration with 2020 Partners. Our first event kicked off at Pier 1 in sunny Sydney before traveling over to the capital of Australia, Canberra, where the Australian Strategic Policy Institute, more commonly known as ASPI, hosted us in their offices. Stay tuned for the inside track from some of the up and coming technology companies, as well as some you already know. KBI Media brings you all of the highlights. But for now, to set the scene, you’ll first be hearing from founding partner, Greg Sim, who will share a little bit more about 2020 Partners and what their vision is all about. Joining me now in person is a founding partner from 2020 Partners, Greg Sim. So, Greg, tell me more about 2020 Partners.

Greg Sim [00:01:09]:
Well, thanks, Karissa. Well, 2020 Partners is a it’s basically a private network of senior security operational people. It was founded well, 2020 is a giveaway in the name, but the people that I was lucky enough to meet over many years being involved in cyber, some of them I got together with at the end of 19, during 2020, and suggested that between us, we knew a lot more people globally, global global allies, obviously, very much AUKUS focused, but other allies as well, other countries, and how we could maybe formulate it more, not formalize it, and there was a reason for that. We took on 1 or 2 different iterations of what the network could look like, but what we’ve ended up with is something very unique. And its uniqueness comes in the fact that the network has has is is autonomous. It’s no commercial connection to any individual or any entity. It’s not even a known for profit. So basically, given that unique side to it, we’re able to collect people that are very senior former people, some very senior current people, because current people generally, current, what I mean is they’re already in either government, federal government, law enforcement, even private sector. They either have ethics issues or they’re they’re not allowed to be part of any organisation. So this organisation is not an organisation, it’s a it’s just a network of people.

Greg Sim [00:02:31]:
So it gives them the ability to be part of the network without giving anybody any conflict. And what does that mean at the end? Well, what it means is that we have a collective power, and I always said from day 1 in starting this network is if we can harness the collective, these types of people and that seniority in a collective entity, then we can do things. We can move the needle. You know, any one individual, doesn’t matter who they are, it’s very difficult to move things. With this network, we can’t.

Karissa Breen [00:03:02]:
So when you say you want people to do things, what do you want people to do?

Greg Sim [00:03:06]:
Well, the the balance of the network is very important. So we have a mixture of people that come from former in intelligence backgrounds, current intelligence backgrounds, government entities, military, private sector, and those types of people, we’ve mixed between those operational people and also those practitioners. So we have a lot of, CSOs, CSOs, CIOs, and and actually will one of our, objectives going forward, in my opinion, will be to attract some global CEOs, because with the the dynamics of the world, as we all know, and and the extreme polarization that pretty much most countries, have, It’s more important that geo everything from geopolitics to cyber and digital. It’s all it’s all mixed together now. You know, everything is digital. Digital is cyber. So our ability to bring these people together as a collective and to discuss things, you know, and we as you know, Karissa, we don’t do events for the sake of them. We’re not an event company, but it’s a great way to bring these people together who normally might not be able to discuss things.

Greg Sim [00:04:16]:
They can just discuss things under a policy level most times, but being able to meet their old friends, new friends, let’s say, and they talk about talk about issues that are really relevant to our allies and our allied countries is very, very important.

Karissa Breen [00:04:30]:
So a couple of other things as well, Greg. Why do you believe this network is needed from your perspective?

Greg Sim [00:04:36]:
Because nothing like it really exists. There’s pockets of it. You know, if you go to, say, Washington, there’s always little pockets of networks and, for different things. Nothing’s really done what we’ve done on more of a global allied scale, you know, meaning that, you know, even under AUKUS, I mean, of course, we’re very much AUKUS focused, but we we have our colleagues in Singapore and Japan, in France, in Germany, and and and about to be in Spain. So I think when you can take different attributes of how people see security and not just operational people, but people, for instance, in geopolitics, then I’d we think that we’ve got a far better grasp on how to move the needle than pretty much any entity because, as I said, most entities are really locally focused. You’ll have them in Australia, of course. Those entities that can do that, but we’re able to kinda call it raising the bar. We really raise the bar on things by the type of people that we have.

Karissa Breen [00:05:34]:
And that’s interesting because that leads me to my next question. There are these pockets of these things that exist. However, I think in my experience of talking to people in the industry would be these these groups, these other entities that exist, and this is me generally speaking, is that they say, but what’s their affinity to the space? And I think by from what I can gather, 2020 partner network has a very extensive cadre, high caliber, strong pedigree of people, which I think is the difference. Would you agree with that?

Greg Sim [00:06:04]:
Yeah. I I I totally agree. It’s it’s really about the caliber of people because, you know, if you think about when when you have the type of people that we’ve got, and you know quite a few of them now, Karissa, if you can harness that brainpower alone and that experience, I mean, it’s it’s incredible that you can start to think the application of that could be utilized. I mean, if you if you could capture what we have in the network and say an AI engine, can imagine the type of output that you could that you could probably achieve from it, it’d be be quite I mean, it would be incredible. And and, of course, the other thing I’ve not mentioned is it’s also important when you create a network like this that there’s a balance. We can’t have too many of one and not enough of the other, and our technology partners, and we call them partners, are very, very important. They they’re great supporters of the network, and, of course, we have our own policy within the network that the technologies that become our partners are those that already that come from within the network. So they’re already known to the network, or the senior people in the network because a lot of the senior people are are advisors on different companies and they see things and, and and and the second one is that they’re already operation within 1 or more of our allied infrastructures.

Greg Sim [00:07:20]:
So that gives a high level of validation, and I like to use the words validation by association. Because when you have a cadre of people that we have and you have the type of brainpower and and these technologies, it really is a big validation for everybody. It’s self validating. And I kinda like to say that we’re trying to level the playing field, so anyone that comes into one of our gatherings, whether it’s a drinks, etcetera, or event, we want to make sure everyone’s on a level playing field. There’s nobody higher than anybody else. For instance and even even with the technologies, as as you know, we we have a no sell rule. And that’s important, very important, because when you have the practitioners, especially those that consume technology, there’s just there’s an awful lot of technology around. There’s an awful lot of of snake oil in a lot of these technologies.

Greg Sim [00:08:15]:
So for them to they that everybody’s tired of being sold to, everybody’s trying to sell something, but they don’t want to miss out on anything. They want to know if there’s something there that can really help my organization, my government entity, or whether it’s intelligence, whether it’s defensive, offensive. They want to know especially because it comes from within our network, so it has that high level of validation. We’re not discounting anything. We’re not discounting innovation, of course. I’ve always come from an innovative background, but I think that innovation to us needs to reach a certain level before we’re gonna say these and and and so we we do keep that balance for them, and our our technology our technology partners, they enjoy it because they get to be associated in these environments and are able to talk about their subject matter, their expertise, their threat intelligence. And so we’re being asked a lot actually by governments, law enforcement entities to actually help them and and bring together nothing to do with selling, but been able to come and do briefings for them, for instance. So we’ll take some technologies out there.

Greg Sim [00:09:25]:
Specifically, we’d like more information around an issue, you know, whether it’s, you know, identity, mobility is always a big one. You know, big data transfer or we we we’ve just got such a great reach in to find these great technologies.

Karissa Breen [00:09:43]:
Joining me now in person is Michael Loewy, cofounder at Tide. And today, we’re discussing the current approach to cybersecurity, which is broken. So, Mike, thanks for joining me back on the show, and welcome.

Michael Loewy [00:09:56]:
Thank you very much. Glad to be here again.

Karissa Breen [00:09:58]:
Okay. So the industry is broken. Tell me, what’s broken about it? List all of the things that’s on your mind.

Michael Loewy [00:10:05]:
I guess first to the evidence as as to why why it’s broken. It it doesn’t take a cybersecurity expert to say that you open the news on a daily basis, there’s another mass data breach, compromised infrastructure. And with new technologies like AI, we’re we’re seeing more and more obnoxious and more more damaging breaches, and and they’re, you know, they’ve become commonplace. If you look at that from a market perspective, over $300,000,000,000 are invested into cybersecurity every single year. As of last year, the damages, the corresponding damages, was somewhere around 10,000,000,000,000. And that figure is compounding annually at 23%. So clearly some something’s not right.

Karissa Breen [00:10:45]:
Something clearly isn’t right. Do you think that this cybersecurity, yes, is broken, like, globally in terms of, like, the approach, but it just feels like in Australia, it seems to be more broken here. Would you agree with that?

Michael Loewy [00:10:56]:
I think we have a tendency here to wait, to look for permission in a sense, to try something new, to to innovate until it’s happened in the US, it’s happened in the UK. So in in in some respects, and this is like a, you know, big generalization, but I think we we we’re not on the front foot, generally speaking.

Karissa Breen [00:11:18]:
Why would you say we’re not on the front foot?

Michael Loewy [00:11:20]:
I think it’s just a general tendency in in Australia to be risk averse. We’re more cautious. We’re more careful. We’re also you know, we’ve lived on on an island for a very long time, and that’s protected us in many ways. We don’t really feel adversaries, you know, directly and kinetically like others do, And and that means that we’re maybe slightly more complacent.

Karissa Breen [00:11:45]:
So it’s probably it can be a good thing, but also a bad thing because we become more into the the complacency side of things because we are on this isolated island surrounded by water. We don’t have any adjacent sort of, other countries right beside us in terms of how other, like, places like Europe and how they’re structured.

Michael Loewy [00:12:03]:
Correct. You know, the incidents of, you know, with with Optus, Medibank, and others was was a good wake up call and definitely, you know, shook things up as, you know, be interesting to see where where the dust lies, you know, in the next year or so as to whether that has the impact that it hopefully will should.

Karissa Breen [00:12:20]:
Do you think that people have to suffer in order for people to do something? So what I mean by that is you go back to it, seat belts, and there never used to be seat belts on a car until people started dying from car accidents, etcetera. And then eventually, like, oh, we should put seat belts in. So it sounds terrible that, you know, I was involved in some of those breaches in terms of my personal information, which is not ideal. So I’ve personally been impacted as a consumer. Businesses are impacted. Do you think it has to get to the point where these things happen in order for people to move and make decisions?

Michael Loewy [00:12:51]:
Yeah. At some level, yes. Like, if you if you look to where most or a lot of cyber innovation comes from, you see a lot of stuff coming out of Israel, for example, where you, you know, you’re you’re in an environment where you have to create solutions that work, and you have no choice. And that kind of breeds a way of thinking and and an approach and and, I guess, risk taking that forces you to think outside the box. With what you have, you need to win. And in that adversarial environment, I think it it it breeds solutions that wouldn’t wouldn’t come out of the type of thinking where where you don’t have that kind of pressure.

Karissa Breen [00:13:29]:
So another comment or something that goes on your mind, Mike, is that, you know, products are band aid solutions and don’t really fix the root cause of breaches. So why are companies constantly buying new products then? Do they, like, oh, new things out. We’re gonna buy that.

Michael Loewy [00:13:42]:
I think we’ve got a tendency. I mean, if you look at just the way that the the whole digital world exploded, I think very few people saw it coming and couldn’t have even imagined how quickly it would grow and how it would be just, you know, so integral in in in our daily lives. And the approach we took to secure it was almost an extension of how we approach physical security, which is like something that we’ve been trained to evolve over, like, 300000 years. We build walls like firewalls. We we install surveillance monitoring systems. We place guards, identity and access management systems. But the digital world is is quite different from the physical world. So applying those same principles when the digital world has properties that you can utilize to your advantage from a defensive perspective, but also have to treat differently.

Michael Loewy [00:14:28]:
I think that tendency to approach things in in that in that way is is kind of why we’re we’re in this situation. And and being a a CISO or an IT team of of of any organization is hard. You’re you’re you’ve got this complex dynamic environment or threats that no one can really keep track of. Every day there’s a new vulnerability discovered. You need to patch that because if you don’t, you’re vulnerable. So you’re playing this game of whack a mole that you can’t win.

Karissa Breen [00:14:55]:
Do you think at a Wii?

Michael Loewy [00:14:56]:
Only with a different way of thinking and with a different approach.

Karissa Breen [00:15:00]:
People don’t like being different, though. They wanna do especially, I would say in Australia, a reserved market as we you and I have discussed at length about this anyway. A reserved market, people don’t like to color out inside the lines, so it’s probably a cultural thing here. But how do we get people move beyond? Well, if we don’t act differently, we we will be in a state of, you know, serious breaches and, you know, the the increase of cybersecurity attacks that we’re seeing already. What do we do differently? Like, what are some tangible rubbers to the roads that have aconines that you can sort of pass on for people listening?

Michael Loewy [00:15:35]:
Well, I think you can you can look back to the cloud before it was a a thing. Just the notion of of telling someone, hey. Instead of instead of your your sensitive data and your infrastructure sitting here with you where you can control it and you can protect it, just pop it in this place where you have no idea where it actually sits and and you’re blindly trusting someone else with it. It was you know, obviously faced a huge amount of resistance, and now it’s it’s pretty much part of every environment. So you’re always gonna face resistance and pushback no matter what jurisdiction you’re in. Doesn’t just have to be in in in, like, a in a more conservative nation. But I think, you know, when I when I when I mentioned the like, that kind of catalyst of of Medibank and and Optus really kind of introducing this to to the consumer consciousness in a way that it wasn’t before, I think it’s got people searching for a new approach, realizing that the current approach is not working. And what you’re finding is the people that are now responsible for securing systems, that responsibility is now a c level responsibility.

Michael Loewy [00:16:36]:
Whereas before, it was somewhere in the dungeons in the IT team. So that’s a change that I’ve already seen. And those people have a target on their back. So the fact that you’ve got people with this this powerful ball target, like like, if you look at the LastPass breach, the, you know, the attackers cleverly followed DevOps engineers in their home, in installed malware on their home computer waiting for them to log in remotely. So, really, you know, the the threat is is following people into their homes, into their personal lives, and and no one wants that kind of target on their back. And I think that already has has people looking for a new new way of approaching things.

Karissa Breen [00:17:14]:
And we say people are already looking for a new way of approaching things. What does that look like? So going to to forums like this that we’re at today, listening to podcasts like this, like, what does that look like from your perspective?

Michael Loewy [00:17:23]:
I suppose that at the moment, they’re looking to certain things as a as a as a potential salvation, like the zero trust model or zero trust methodology or philosophy, whichever way you wanna look at it. And so the the which which I think is a positive step. But even even then, even even in your most robust zero trust architecture, what you find is that your system is no longer implicitly or blindly trusting the identities or the devices of the data interacting with your system, but you’re concentrating a huge amount of authority in in certain core systems, like your identity and access management system, for example. And when when those systems get breached, it’s game over.

Karissa Breen [00:18:05]:
So in terms of, like, moving forward, obviously, we discussed it’s broken. People are starting to look at new ways on how to do things differently. What do you sort of see on the horizon? Like, we can always say things are changing, but how quickly is that dial going to sort of change? Do you think it’s going to be the next sort of 12 months? We’re going to start to see the needle move. It’s going to be next 5 years. Obviously, now as we’ve discussed at length today, but in general, like, you know, with AI now coming into play, like, people are moving a little bit faster than they did before. So, I mean, what what comes to mind when I ask you that question?

Michael Loewy [00:18:37]:
Well, I can tell you from our own experience. So 5 years ago, when we started developing our technology, had we had this conversation and and we had conversations with CISOs or or listed companies who, at the time, their their answer was, look, if we get breached, we’re in good company and, you know, it is what it is. And I I was shocked to hear it, but we would describe our our solution. And our solution is to effectively take authority away from the organization, away from from those that have kinda super user godlike authority inside of a system today. And the idea of relinquishing control, or if you think about it even from a consumer, context of of giving consumers rights to to say, actually, you can’t have my data. 5 years ago, it would have been a very different conversation today where breaches are being felt on the on the bottom line. It’s, you know, it’s it’s a massive liability. So the the notion of saying, you know what? I don’t want all of your data.

Michael Loewy [00:19:35]:
I don’t want to have anything that I don’t need. It’s a change in attitude, and we’ve noticed a a powerful difference. Like, when we introduce a technology that effectively takes the keys to your kingdom and make sure that no one no one has access to them, People, understand that for them to hold the the keys to the kingdom is a liability. And so they’re open to, to new approaches like ours.

Karissa Breen [00:20:01]:
Joining me now in person is Daniel Churches, sales director at ColorTokens. And today, we’re discussing breach readiness and containment in complex supply chain environment. So, Dan, thanks for joining, and welcome.

Daniel Churches [00:20:13]:
Karissa, thank you. Thanks for having me.

Karissa Breen [00:20:15]:
Okay. So what does breach readiness mean to you, Dan?

Daniel Churches [00:20:18]:
Yeah. You know, it’s a broad answer to what seems like a straight question. But in in short terms, it’s helping organizations understand that a breach is likely inevitable. And, therefore, what steps can they take in alignment with their business continuity planning to be in a better position to recognize that they’re under attack, perhaps contain that attack, and do it in a manner that allows the business to continue to function while they remediate the attack without having to shut down the organization and and suffer the consequences of organizational disruption or loss of data and critical infrastructure and, you know, critical information. So building a plan with that in mind so that you’re in a position to manage breach scenarios.

Karissa Breen [00:21:05]:
Hey. I’m gonna ask you a tougher question. People say about getting a plan. Getting a plan is easy. Actually remembering the plan, remembering how to find it, remember who’s responsible for what, getting people to not be stressed out of their brain when an actual situation like a breach is happening. How do you manage that effectively?

Daniel Churches [00:21:21]:
Well, there’s a lot of things that are already in place for that because most organizations already have business continuity planning in place, and they do trials, and they do, you know, run throughs. So that’s standard. But in this scenario with, breach readiness, find an organization, and and we provide this, and I know others do, that can allow you to do simulations. So it’ll allow you to do run throughs of the policy settings you’ve established to try to ready yourself for, certain scenarios and do a simulation of those settings to see how well your business functions under, you know, under attack, and then see how well your team functions in their given roles to step through the processes, and then do your self assessment. It’s kinda like a penetration test, but of different sorts. It’s an attack simulation, and then you test yourself on that. It doesn’t have to be arduous, and it doesn’t have to burn too many cycles. It’s just something that a business can stand up in a relatively stable short amount of time.

Karissa Breen [00:22:13]:
And how long is a short amount of time in yours?

Daniel Churches [00:22:15]:
Well, how long is a piece of string? Because you’ve got a situation like how many servers, how many endpoints, what kind of breach scenario are they readying themselves for. But in in our work organization, we can deploy agents across a client’s environment in a matter of days, and that’s a whole of an environment. So if you wanted to do a shortened version to that on a POC, in a matter of days, you could nominate 30 or 40 devices. And these are you’re not in enforcement mode. You’re just in observing mode. So you’re just checking the flows. You’re checking your policy settings, and then you do some trial run throughs on various attack simulations to see how well your business stands up to it.

Daniel Churches [00:22:49]:
Now when that’s a full deployed solution with across the organization, well, then it’s a different scenario when you do your trial run throughs on different attack scenarios. But it, again, it doesn’t have to be a high impact, and it’s what businesses do anyways. These kinds of business continuity run throughs or simulation things are common stand or common practice. So it’s not an introduction of something wholly new to an organization. It’s just another component that you’re adding to your cyber resiliency attack framework, your your cyber resiliency cyber framework. It’s not a heavy lift piece of work.

Karissa Breen [00:23:21]:
That’s like another thing people gotta do. And what I mean by that is here’s here’s what was coming by line as you’re saying that. Someone go and exercise. Oh, but you gotta drink this special drink in the morning, and it it’s 15 different ingredients. But, you know, it’s part of the overall weight loss journey, but it’s like another thing that is yeah. It’s one more thing, but it’s another thing that sort of makes up 15 more little things to get the thing. Now I’m hearing what you’re saying, but does that also people think, oh my gosh. My laundry list just keeps getting longer, Dan.

Karissa Breen [00:23:50]:
I’m over it.

Daniel Churches [00:23:50]:
Yeah. That kind of burnout is not uncommon. But the unfortunate scenario is that these attacks keep happening, and the attackers are are very sophisticated and, you know, well funded. So they’re constantly finding new ways and and attack vectors to, penetrate. So what we have today is one of those scenarios where there actually is something in the marketplace that organizations can add to their cyber response to cyber capabilities, and it happens to be microsegmentation play that allows them to address for the organization while under stress and attack. So what I’m trying to emphasize here is that the the benefits of adding this component to a cybersecurities, you know, stack far outweigh what might be just another component and another thing for their team to have to get their minds across. The value to something like this is not just that you’re able to you know, our solution allows you to, say, isolate the attack path. And then within that isolation capability, you can then quarantine it and allow the rest of the organization to continue to function.

Daniel Churches [00:24:59]:
So that equates to uptime for the organization. Now that by itself is very measurable, in line with business continuity planning. But where it’s also measurable is, today, I don’t think many organizations have properly assessed their own risk tolerance to a breach attack. And what I mean by that is they assess they they surmise that, well, when we’re under attack, we might pay a ransomware, and we’ll just we’ll just deal with it. But that’s not risk tolerance. That’s just enduring the pain of a ransom attack. Risk tolerance says how much revenue and growth targets will you sacrifice to the remediation of the attack and to the audit and the forensics process. And most organizations haven’t taken the time to measure that and set that as a standard to ascertain and to set in the organization, and I’m saying it doesn’t have to be the case any longer.

Daniel Churches [00:25:52]:
There are now tools in the marketplace that let you determine your own capabilities of what your risk tolerance is against a breach and the remediation and getting back to organizational uptime, organizational function with up to 100%, and we can help organizations establish that for themselves and get back into, you know, 100% function. So I’m being a little bit wordy here in my answer, but I guess what I’m trying to say in a short reply is there are new tools in the marketplace that allow businesses to quickly ascertain what should be best practice and to measure the value of that and to implement it across the organization, and we happen to be one of those vendors.

Karissa Breen [00:26:30]:
When it comes to microsegmentation, obviously, you’re speaking to people every day about what you guys do, for example. What do you think typically is what people don’t get about it? What do people not get? What do they miss from your perspective?

Daniel Churches [00:26:41]:
Yeah. Another good question. And I’ve kind of touched on it already. And the idea is that many organizations, in pursuing zero trust, look at network segmentation, and they think they’ve already met the needs of their organization because they have the functionality and capability of network segmentation. And what we speak to is that ours is more granular, hence the word microsegmentation. So when you’re dealing with an attack at a network layer only, you can see the attack zones, segments, if you wanna say it, but your ability to respond to that is heavy-handed. We’re at a micro level, which is what I mentioned just a second ago, the attack pathway, which is what we provide. The observability at a micro level says that we can see that pathway, we can quarantine that pathway, and that’s our ability to stop the breach at that point and therefore not impact the rest of your secure environments, the rest of your critical infrastructure, critical applications.

Daniel Churches [00:27:38]:
They need to continue to function so that the business stays up and running while you remediate that attack. That is, in a nutshell, the capability of what microsegmentation delivers to businesses: that attack pathway, monitoring applications, containing things so that the rest of the business functions continue to function.

Karissa Breen [00:27:58]:
So you’re saying that happens automatically. Something starts happening, it automatically stops, looks at it, quarantines it before they do the microsegmentation, or how does that work?

Daniel Churches [00:28:08]:
Because that microsegmentation functionality is in place, the process is then automated through policy settings for a business to contain any anomalous traffic between assets.

Karissa Breen [00:28:19]:
Okay. So policy settings. Good point. Alright. So part of what you guys do, would you say it’s just that you look at a blueprint across, say, health care companies that have these sort of policies, and we’re gonna mirror it off that, or how does that work? Because people are not good with policies, as we know.

Daniel Churches [00:28:33]:
Yeah. So we do have industry standard policies that we deliver out of the box or out of the can. So we have industry-specific ones for health care, for banking and finance, for critical infrastructure like resources, energy and mining. Health care is a very strong vertical for us because of the nature of the assets that are in their environments, whether it’s legacy assets or whether it’s IT, OT, cloud. We have the capacity to monitor traffic across all of their environments, communications between assets, and it doesn’t matter to us if it’s agent or agentless or containers in the cloud. We can do it all. And that means in the health care space and in the critical infrastructure space, in those operational tech environments, we can give that visibility for them to then manage the cybersecurity strategies they want to have and control and protect their data in critical systems. Not every vendor can provide monitoring in OT environments, and that’s the differentiator for us.

Daniel Churches [00:29:29]:
And that’s why we’ve got

Karissa Breen [00:29:30]:
Why can’t they do that?

Daniel Churches [00:29:31]:
Well, I’ll try not to get too technical. I’m trying to avoid it. But for us to give the kind of monitoring controls that we can give, we deploy agents. And in the OT space, you cannot deploy agents, and so we’re able to go agentless. And that’s how we then can provide these services in those environments like health care where you have to go agentless because of the nature of the medical devices and such that are in those different environments. So because we can go agentless, the health care vertical is a very strong space for us, same with critical infrastructure, where those organizations can tolerate zero downtime. They cannot go down. It’s critical infrastructure; it says what it says.

Daniel Churches [00:30:10]:
Energy, supply, gas, water, but also in health care if systems go down. So that’s why it’s a strong space for us, because we can provide these services.

Karissa Breen [00:30:19]:
So let me follow critical infrastructure a little bit more. I was interviewing someone the other day, and the guy was saying he’s an infrastructure, you know, OT expert, and he was really talking around, like, these people that are, you know, running these SCADA systems, for example, they’re just unwilling to change. They’re unwilling because, you know, he said if it’s like a regional area, for example, and, you know, it’s a council that’s looking after these things, and they can clearly see there’s a huge hole in the road. They’re gonna go fix that first because they can see it. They can’t see these problems. So would you say that there’s a little bit of out of sight, out of mind, can’t see it, so I gotta fix the road, which is more important because I can see it?

Daniel Churches [00:30:58]:
Out of sight, out of mind. No. I wouldn’t quite say it that way in what would be the hesitation for organizations to implement, you know, cyber resiliency strategies. I think it’s more the case that they know that because of the digitization of all these environments and, therefore, the communication that’s now commonplace between OT environments and IT environments, they know that they have a particular vulnerability now. And they know that they need to address it. But there are any number of other security solutions that they have to be on top of, any other security projects that they’re trying to implement. What I run into most in my conversations with senior security leaders in various organizations is they appreciate that there are solutions in the marketplace, but they have any number of projects that they’re not getting done because they don’t have enough resources. They can’t get done what’s already been budgeted for.

Daniel Churches [00:31:48]:
They’re under stress to try to meet that demand. When you come in with another solution that is completely viable and they appreciate the technology, it just becomes another one they need to add to the list. Now there’s a different kind of urgency around different solutions in the marketplace. One might be more urgent than the other, so they have to bump that to the front of the queue. And in many instances, microsegmentation becomes one of those because of what we can promise in organizational uptime. Right? And, therefore, the savings and the benefits that come with that. But I think senior security leads in organizations today know that there’s a hole in the road, and it’s not for lack of wanting to fix it that they don’t get to it. It’s for the fact that they’ve got any number of projects that are as urgent as that hole in the road, and they simply just don’t have enough resources to get everything done that they’d like to.

Daniel Churches [00:32:37]:
So it’s just a queue that you get into. And if yours has a different set of urgency around it, then you might be bumped up in the queue. But these guys are working under a huge amount of strain and stress with a lot of variables, and the landscape is always changing from the attack vectors and the hackers that are coming in. So, yeah, they know that the holes in the roads are out there. They’re just trying to get to it all.

Karissa Breen [00:33:01]:
Where would you say you guys are in the queue?

Daniel Churches [00:33:03]:
Well, again, it depends. So I’m speaking to government agencies, and I’m speaking to critical infrastructure. And if I can speak to someone who wants to talk about organizational uptime, business continuity planning, that’s not a technology conversation. That’s a completely different set of urgency. And in those regards, we do kinda move up the queue. But many times, we’re in the queue with all the other solutions that they’re trying to stay on top of. But to be honest with you, Chris, when I am having more and more chats these days, it’s less and less around tech, and it’s more and more around uptime. Business continuity planning, cyber resilience, organizational resilience.

Daniel Churches [00:33:43]:
You know, I made a comparison the other day about five nines, and businesses want five nines uptime. They won’t tolerate more than 2 to 3 minutes of network unavailability in any given year. And I say, so what’s your risk tolerance around organizational disruption? How much cost are you prepared to endure around organizational disruption? They haven’t set a dollar on it. Organizational disruption related to an attack and a breach, they think they’re gonna pay a ransom. And I say, okay. That’ll be whatever $1,000,000 it is. But how about the disruption to your organization to get back to 100%? Have you set a dollar figure on that? What’s your risk tolerance around that? They don’t have answers.

Daniel Churches [00:34:18]:
Because they didn’t think that there was a solution in the marketplace that would let them set a benchmark. And that’s when I table that for them, and I do the business case with them, then I get bumped closer to the front of the queue because it’s a business result that I’m promising them. It’s not technology for technology’s sake. It’s a business outcome.

Karissa Breen [00:34:34]:
I remember just speaking to someone a few years ago, and they were running this thing in the US. It was selling mosquito repellent. They were doing lots and lots of big numbers. Apparently, something happened with a DDoS. Something happened and this whole website went offline. They lose revenue. Right. And it was quite a fair few millions of dollars from just having a mosquito repellent website offline, not having the uptime.

Karissa Breen [00:34:59]:
They lost so much money. And something is, you know, correct. Imagine a big manufacturer, a hotel like this, like the one we’re sitting in here today. Like, is this a thing that people are thinking about? Like, are people thinking about this?

Daniel Churches [00:35:12]:
Oh, they are absolutely thinking about it.

Karissa Breen [00:35:14]:
But they don’t know how to think about it properly. They don’t they don’t know what they don’t know.

Daniel Churches [00:35:17]:
I don’t know if they know how to frame it correctly in the sense of what truly will be the impact. So another component of this organizational disruption that I talk about is getting your organization back to 100%. Businesses already measure staff productivity. That’s already part of your BCP planning. Right? But here’s another component of organizational disruption. If you’re operating at 70% for 3 months because your forensic team is going through your network to try to figure out where the breach occurred, that forensic team is robbing you of organizational productivity. Are you gonna make your revenue targets this year? Are you gonna make your profit targets this year? The breach isn’t what caused you to miss your profit targets. It’s the 3 months of forensic process because they don’t know where the breach occurred, and they don’t know how to unpack all that.

Daniel Churches [00:36:03]:
So the forensics and the audit process is often more disruptive than the actual breach was.

Karissa Breen [00:36:09]:
That’s the part that I don’t think people pay attention to.

Daniel Churches [00:36:11]:
They don’t do the economics on it.

Karissa Breen [00:36:13]:
Why?

Daniel Churches [00:36:13]:
Because nobody’s unpacked it for them. That’s what I’m doing. I’m unpacking it. Usually you paid a couple of million dollars in ransom. That’s not where your costs stop. And they talk about reputational damage, and I say, your reputational damage isn’t because of the breach. Your reputational damage is because you didn’t have a response, a policy, a breach readiness strategy in place. Because you weren’t able to manage the breach, that’s where your reputation went down the gurgler, not because you got attacked. Everybody’s getting attacked.

Daniel Churches [00:36:43]:
But because you didn’t have a plan. That’s where your reputation is suffering.

Karissa Breen [00:36:47]:
So I’ve asked this question a fair few times on this show, and there was one guy. I think he worked for Qualys, actually. He was quite good in how he responded to it. He’s actually done the mathematics on long-tail impacts. Breach happened 7 years ago. You know, is that still impacting that? Look at Medibank. In 7 years’ time, will people who remembered the breach still take up a policy with Medibank?

Daniel Churches [00:37:12]:
If they have a better option, they will go the other way. If they don’t have any better option and the marketplace is as tight as it is in Australia around insurance and superannuation, and if it’s a two-player field between Coles and Woolies and they have no other option, I guess that’s where we’re gonna go. But I haven’t forgotten about it. But if I have other options, then I’m gonna make different choices. So it’s market influences. They can’t say where we’ll be in 7 years.

Karissa Breen [00:37:37]:
Yeah. And I think that this is the part where it’s just really interesting to me as a journalist in this space is there’s not enough people paying attention to the long term impacts.

Daniel Churches [00:37:46]:
And they’re measurable, and it’s known. This isn’t vaporware stuff. This is stuff that’s been reported for years, long before cyberattacks became the paramount thought in people’s minds. Just in general terms, continuity planning and business impact, organizational impact, this is all standard stuff. This has been measurable for years. And so, you know, that’s what I was talking about a second ago when I said, organizationally, if you’re down to 70% because the forensic team is taking 3 months to rebuild the environment, that impact is due to the breach. But because you’d had poor planning and didn’t have the right solution in place, that’s on you, not the breach. And so, therefore, you’re gonna miss your revenue targets.

Daniel Churches [00:38:24]:
You’re gonna miss your profit targets, but they don’t measure that. That’s completely overlooked. As part of a planning process, they feel it later when they look back on it in hindsight and say, we missed that one. But as far as the planning, and you know what else they do? They don’t build that into the cost modeling to invest in this next level solution. First of all, they don’t think this option’s out there. That’s why I’m preaching so loudly. I can give you that option now with ColorTokens. We can give you the option about breach readiness: contain the attack while the rest of the business functions, get back to 100% organizational operation time as quickly as possible.

Daniel Churches [00:38:57]:
Now I can measure that investment in our solution against your business continuity planning. BCP, that’s always budgeted for. So I don’t have to go find unallocated funding. I don’t have to go find some project and fund it from something that hadn’t been planned for. I know BCP is in there, and this is the kind of way we can work our way into the front of the queue and help businesses implement something that gives them that. Well, if you think of it this way, they need to report to the board of directors that they have a cyber resilience strategy, an organizational resilience strategy. They need to be able to report to their cyber insurance company that they have a cyber resilience strategy in place, organizational uptime in place. So these are 2 key things, and then don’t forget all the legislation that’s just been passed. So now they can meet their legislation, their compliance obligations in reporting to the market what they’re doing.

Daniel Churches [00:39:49]:
You just tick 3 legitimate boxes for senior leadership. This isn’t a technology conversation. It’s organizational business continuity planning.

Karissa Breen [00:40:02]:
Joining me now in person is Simon Hodgkinson, adviser at Semperis. And today, we’re discussing identity being the foundation of the digital ecosystem. So, Simon, thanks for joining and welcome.

Simon Hodgkinson [00:40:12]:
Absolute pleasure.

Karissa Breen [00:40:13]:
Okay. Simon, you talk about the identity being the foundation of the digital ecosystem. Tell us, what does that look like in your view?

Simon Hodgkinson [00:40:20]:
Yeah. So if you look at any business now, they’re a digital business. And if you end up sort of thinking about the business outcome people are trying to achieve, you map that back to the business process. You map the business process to applications and infrastructure. Underpinning all of that is the identity platform. Organizations moved to a centralized identity platform to make it easy to manage user identities across thousands of applications. I mean, most organizations probably have north of 1,000 applications. Now with the cloud, more and more applications are being consumed by businesses.

Simon Hodgkinson [00:40:58]:
In order to manage the identity in a secure way, you centralize it. But that means it’s at the very heart of every different business outcome you’re trying to achieve, and therefore, it’s the center of your digital ecosystem. If the identity platform is down, your entire organization is down. You can’t access any of the applications. Therefore, you can’t fulfill your business objectives.

Karissa Breen [00:41:20]:
So is there a centralized identity? Do you think, you know, in the industry, when they think about centralizing things and having all the power, that seems to worry people. Do you think people are worried about that perhaps if they think, well, all my eggs are sort of in the one basket?

Simon Hodgkinson [00:41:35]:
No. I don’t think they are worried about it. It’s become the standard architectural pattern that everybody uses. Because if you think of the reverse of that and you think of the thousands of applications I’ve talked about, if you were to try and manage identity in each of those applications individually, that makes the whole process impossible. And that’s when I started in technology in the mid eighties, that’s the way we used to do it. And, you know, if somebody joined the organization and you needed to add them to, I don’t know, say, the finance organization they joined and you needed to add them to all the applications that were included in the finance business process, you’d be adding them to numerous different applications. If they moved their role, you’d have to remove their access or change their access. If they left the company, you’d have to remember to delete them.

Simon Hodgkinson [00:42:24]:
So actually, the centralization of that identity has actually improved the security posture for organizations. But that said, it is an aggregation of risk, I guess. So it’s really important that what you do is do everything possible to make that environment resilient. And when I talk about resilient, I mean the ability to withstand an adverse event or recover quickly from it. So you’ve got to make sure you put the right detective and protective controls around the identity platform to hopefully stop bad things happening. But, you know, 9 out of 10 attacks attack the identity platform. Most organizations use something like Active Directory. Typically, it takes people days, if not weeks, to recover Active Directory if they don’t have a dedicated recovery capability.

Simon Hodgkinson [00:43:15]:
And therefore, that’s why you need to focus as much time on protective and detective controls, recovery as well, and your ability to recover quickly from that adverse effect.

Karissa Breen [00:43:26]:
Yeah. And that’s a good point, and probably that’s where my mind is going, around the aggregation of the risk. But you raise a great point, you know, even 15 years ago when I had logged in to certain platforms. It was quite annoying. Right? And then all of a sudden, you know, when I went to the bank, it’s like, why do you have this level of access? So from the, you know, privileged account management side of things. So there’s a lot to manage then with that. And I think with anything, there’s always gonna be some element of the risk. So then, with your background and, obviously, you’re an adviser at Semperis, what do you think is sort of going on in the identity space at the moment in terms of what are people’s reservations? Because obviously, we’ve seen identity grow and evolve and change and, you know, a lot more people are now talking, you know, around that, even passwordless and, you know, all of these sort of things.

Karissa Breen [00:44:10]:
Because, again, having passwords is annoying, and there’s that focus on convenience, but then managing the risk element too. What sort of comes up in your mind when I ask you that question?

Simon Hodgkinson [00:44:22]:
Well, first and foremost, I think most organizations aren’t worrying enough about the identity platform. So they’ve become very accustomed to it working. Typically, it works, and they don’t put an awful lot of effort into managing the technology. So when we talk about the identity platform, it’s worth saying that for 95% of organizations, that’s Active Directory. It has hybrid identity on top of it. So you’ve got your Oktas, your Entra IDs, etcetera. But the very core of the identity platform is Active Directory. And as a result, it’s been there for 25 years, and it’s just worked.

Simon Hodgkinson [00:44:59]:
It often sits buried in infrastructure, so it’s not necessarily in the security organization. So it’s not necessarily getting the profile that it needs. And having been CISO at BP, and my prior job to CISO at BP was running global infrastructure and operations. You know, in infrastructure and operations, the expectation is you do more with less every year just because you become more efficient. And Active Directory then therefore gets lost in that kind of amorphous mass of your core infrastructure and doesn’t necessarily get the attention it needs. So I think people need to focus more on that. Given 95% of the organizations use AD at the heart of their identity platform, 9 out of 10 attacks go after the identity. So that means you should be investing in those detective and protective controls and also making sure that you have a really solid recovery position.

Simon Hodgkinson [00:45:56]:
I don’t see people doing that. On the subject of the evolution of identity, I think I heard a stat recently. When you look at multifactor authentication for organizations, it’s still woeful in terms of the amount of organizations that have deployed multifactor authentication. Now most attackers, the way they get in is through things like password spray attacks, just randomly trying to grab somebody’s password. At least if you’ve got multifactor authentication in place, their chances of breaching your organization are dramatically reduced. So people need to be focused on that sort of evolution of getting the basic foundational controls in place, like multifactor authentication.

Karissa Breen [00:46:57]:
People often in my interviews, Simon, will say, it’s about, you know, the foundations. But foundations are hard, like patch management. It’s hard to do patch management. It sounds easy when we’re talking about it in this comfy podcast room, but when you’re out there doing it in reality, it’s difficult. You mentioned before woeful. What would you say is woeful about MFA? I mean, what comes up in my mind when I’m speaking to people is, oh, it’s annoying because it takes extra, it reduces friction. And how do we find that balance between the whole security thing, but then still making sure that people can, you know, do their day job? And business continuity still needs to keep happening. We can’t obviously engineer things to the point where people can’t do anything.

Simon Hodgkinson [00:47:36]:
That’s a great point. I think it is woeful in terms of the amount of organizations that have deployed multifactor because everybody knows that that’s a very simple control to put in place. It’s not hard to deploy multifactor authentication, but it does potentially create friction with the end users. Our job in security is to try and make it as easy as possible. We’re there to enable the business to be successful, and therefore, we gotta look at mechanisms to put in place to make whatever we do as frictionless as possible. But I’d also say, in your personal life, would you access your bank account if it didn’t give you multifactor authentication? Probably not. You probably wouldn’t trust that bank. So I actually think we also have to find that right balance to say to our users, yes, there might be some friction in the environment, but here’s the benefits the business gets as a result.

Simon Hodgkinson [00:48:33]:
So you gotta sell what you’re doing through a whole business change program. This isn’t about deploying technologies; it’s people, process, and technology. Any sort of major digital transformation, it’s about business change as well.

Karissa Breen [00:48:47]:
So you said making this as easy as possible. So just coming back to that for a moment, and some friction. So you used the example of having a bank, but I’d care a lot more because it’s my own money. But when I’m working for, if I put myself back into working in a corporate historically, well, it’s not my company. I don’t care as much, while I care a little bit more if someone were to steal money from my personal bank account. Do you think sometimes people feel that the onus is, like, well, it’s not my business, so therefore it’s someone else’s problem?

Simon Hodgkinson [00:49:13]:
That’s culture, isn’t it? I think with organizations, you’ve gotta get the right security culture in place. You gotta get people to understand their role in security. I mean, you see so many CISOs now burning out in the industry because it’s all on the CISO. Actually, the CISO’s responsible for security. Accountability for the security is with the CEOs. And the CEOs, therefore, need to be able to explain to the entire organization why this thing is important, why cybersecurity is important, and therefore, what the expectations of people are. So I come from an oil and gas background. I’ve been in finance and all in the past, but in my last 18 years with an oil and gas company, it’s absolutely embedded in the culture.

Simon Hodgkinson [00:49:59]:
Nobody would walk past, I hate to think anybody would walk past, a bit of liquid on the floor because there’s a risk of somebody slipping on that and hurting themselves. We gotta develop that same culture in cybersecurity and, you know, make sure that that same ethos is embedded in everybody in the organization, that they’re accountable for the outcome of the business. To your point, you’re always gonna have some people that just turn up at work and don’t really care. And therefore, actually, a little bit of friction in their life may not be a bad thing.

Karissa Breen [00:50:31]:
So you used the example of the liquid on the floor. If someone falls over it, you know, they’ve got a problem. Do you think as well, and you sort of mentioned it before around, you know, being buried in the infrastructure earlier, do you think as well with cybersecurity, in my experience of interviewing people like yourself over the years, it has been out of sight, out of mind? I can’t see the thing. We can see there’s liquid on the floor. We can see that the building’s on fire. I can’t really see a lot of these things in cyber. So do you think perhaps because of that, maybe things do go sort of by the wayside?

Simon Hodgkinson [00:51:01]:
I think that’s the skill of the CISO and the security organization or CIOs to make sure that you actually build a security behavioral change program. So you’ve gotta be able to articulate why it’s important. And even though it lives in this sort of digital ether, being able to explain to people the problems, a good way of doing that, of course, is sharing information. So when you get incidents in organizations around the digital platform, in the same way as you’ve had somebody slip on a bit of liquid on the floor. We use what we call near misses. So, you know, if there’s liquid on the floor, it’s a near miss. If somebody falls over, it’s a safety incident. We need to use that same ethos in cyber.

Simon Hodgkinson [00:51:47]:
And each of those things we would talk about. So if you have incidents, organizations should speak about those incidents. They should get people that have been the victim or impacted by the outcome of a cyber attack on the business to talk about why. What happened? What made you click on that link? Why did you do it? What did you learn from it? How can you share that with the organization? If you think back to the airline industry, there’s a fabulous book called Black Box Thinking by a guy called Matthew Syed. And it talks about how safety performance in the airline industry has improved. And it all came from openly sharing near misses, so things that went wrong that maybe didn’t cause an accident. If we all do that in the security community, that will help improve our overall security posture. So the more we share, the better. The problem is, in the security area, nobody wants to talk about the fact that they’ve had a security incident because you’ve got lots of negative connotations with things like regulators, etcetera.

Simon Hodgkinson [00:52:48]:
I think we need to break out of that personally and actually make sure that there’s a free flow of information among like-minded organizations and individuals to share those incidents so that everybody learns as an industry, not just your own organization.

Karissa Breen [00:53:06]:
So you raised an interesting point around articulating why it’s important. Historically, I used to write, I was a cybersecurity analyst, but then I was a reporting analyst as well. So I used to basically write the narrative for the CISO to present in the bank to get more money. Right? So in your experience of being a CISO at BP, what would you say the key things are to share why it’s important? And I ask this question because I interview people at all different levels. And one thing I often hear is it’s hard to communicate at that level. I struggle because I’m a technologist at heart, so perhaps they focus too much on the technical components rather than maybe the broader narrative of business continuity. You know, if you’re running a, you know, a warehouse, you need things to keep running. It’s the long-tail impact.

Karissa Breen [00:53:49]:
There are things that I’ve seen in my career that perhaps people miss. But with your background and your pedigree, I’m really curious to know what were the things that were sort of getting the executive folks to really lean in and listen, to actually take the change, perhaps, to become the norm?

Simon Hodgkinson [00:54:02]:
That’s a great question. I think, first and foremost, cyber isn’t special. It’s just another business risk. In the same way as you’ve got liquidity risk, reputational risk, regulatory, legal, cyber is just another risk. Organizations manage risk every day of the week. You have to be able to explain the risk in business language. So back to our opening comment about why identity is the heart of the digital ecosystem. It’s not just the heart of the digital ecosystem because every company is now digital.

Simon Hodgkinson [00:54:35]:
It’s actually at the heart of delivering that strategic outcome for the business. So being able to create a narrative that an executive team, or indeed a board as you’re talking to them, is able to normalize, say, a health and safety risk or a liquidity risk along with cyber risk. Every organization’s got constrained resources, constrained money, and therefore they need to have a balanced way of deciding where they deploy that money. Do they deploy it in digital to fix some cyber issues? Or do they deploy it in, say, oil and gas? Do they deploy upstream to get more assets out of the ground, to get more oil out of the ground? And one example I use: in the session earlier somebody mentioned OT security, operational technology security. So when you go to a rig or refinery or a terminal or what have you, those guys are managing health and safety risk. They’re managing uptime risk, you know, processing risk. They’ve got all of these different risks they’re managing. Cyber’s just another one of them.

Simon Hodgkinson [00:55:38]:
Now when you go to the operations manager and say, actually, you need to upgrade, you need to patch that server within 24 hours, they’re gonna look at you and say, no chance. You know, we gotta keep the plant running. So you put things like mitigating controls in place so that, you know, they don’t have to do that. You work with the business because everybody then understands the narrative. Then when it comes to where do you get money to, say, fix that Windows server, say a Windows 2000 server in an OT environment, it’s gotta be done in a narrative that says, well, I’ve also got corrosion in some of my pipeline or, you know, some M&E, mechanical and engineering, device in there that has some issue. Where do I deploy my dollar? Do I fix this Windows 2000 server, or do I fix this heavy engineering asset? And that’s our job, is to say, this is just another business risk. I need to explain the risk in a way that you can make an informed decision on where you deploy your constrained resources. It would be lovely to think it was unlimited money and unlimited people, but there just isn’t.

Karissa Breen [00:56:44]:
So let me change gears slightly. At the lunch the other day, you sort of gave a little bit of a presentation. But you said something, and I was really curious to sort of explore this a little bit more, and it was around minimum viable business. So talk to me more about this, and what does this sort of mean?

Simon Hodgkinson [00:56:58]:
I’ve started to hear the terminology a lot more, this notion of minimum viable business. And it comes really off the back of some of the big ransomware attacks. If you think about most risks in an organization, they tend to be geographically constrained. So if you’re a kind of heavy industry or something, it might be a plant in a particular part of the world or what have you. There are very few risks that could impact every part of your company at the same time. Cyber is probably the one that is most likely to do that. The thing is then when you come to recovering from that event, say ransomware like NotPetya took down the likes of Maersk, widely reported in the press, what happened there.

Simon Hodgkinson [00:57:45]:
How do you recover from that situation? So the business then has to figure out, right, how do I manage continuity to deliver my outcomes to my customers whilst the IT guys have to start recovering things. But in order to start to recover it, for instance, you’d have to bring back Active Directory first so that you’ve got your identity platform back. But then you need to know from the business what are the most important business processes they need to recover. So for a retail organization, it might be the point of sale systems in the shop. But you’ve gotta go through the hard yards of figuring out through, say, crisis simulation exercises: if this event were to occur, sit down with the business and say, what are those most important business outcomes we need to achieve? Map that back through the infrastructure and the application landscape so you know what those core business outcomes are. The minimum viable business. That’s where the context comes from, that the business needs to get back in order to be able to deliver its strategic outcomes. If you look at a lot of the cyberattacks, people tend to take several weeks to get that core functionality back.

Simon Hodgkinson [00:58:58]:
If you look at things like some of the attacks on the health system, the long tail is enormous because, actually, they’ve got so many legacy applications and infrastructure that they need to bring back. But so long as they get that core viable business back, they can operate again. So it’s about understanding what that core of your business is and what that priority is. The challenge, of course, is it’s temporal. So if, for instance, you’re in year end results processing, maybe the business process, the year end process, and the systems that underpin that change and may be different from those if you were in the middle of a quarter, etcetera. So, you know, it’s good to plan that out, but you’ve also got to be flexible to the fact that when the event occurs, which sadly for most organizations it will, when that event occurs, you’ve got that flexibility to change.

Karissa Breen [00:59:54]:
And there you have it. This is KB On the Go. Stay tuned for more.