KBKAST
Episode 312 Deep Dive: Agnidipta Sarkar | Why Should We Have Invested in Cyber Defence Yesterday
First Aired: June 04, 2025

In this episode, we sit down with Agnidipta Sarkar, Chief Evangelist at ColorTokens, as he explores why organizations should have invested in cyber defense yesterday. Agnidipta highlights the increasing pace and impact of cyberattacks despite rising cybersecurity spending, emphasizing that the real challenge is a matter of mindset rather than budget. He discusses the evolving role of boards and leadership in prioritizing digital resilience, the need to treat cyber defense as a fundamental business cost, and the critical distinction between risk and danger, especially for sectors like critical infrastructure.

Agni is a CxO Advisor specializing in digital resilience and cyber defense, with a primary focus on strengthening digital environments to ensure that organizations are adequately prepared for cyber attacks as they reap the benefits of digital business. With over three decades of insightful experience in the fields of cybersecurity, continuity, crisis management, privacy, and risk optimization, he actively advocates for and promotes zero-trust principles across complex systems, including on-premises, cloud, and operational technology/industrial control systems (OT/ICS) environments. Agni is a highly regarded speaker and thought leader, contributing his expertise to various industry forums and standards organizations, such as ISO and the Cloud Security Alliance, where he plays a pivotal role in shaping the future of cybersecurity practices for a safer digital landscape.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Agnidipta Sarkar [00:00:00]:
It’s not really about money. It’s about mindset. As you said correctly, everyone’s busy, but boards see themselves as engines for strategic growth. Leadership sees themselves as serving the board and making sure that the operations go on as smoothly as possible. The CIO is focused on the next innovation. The CISO is focused on investing in cybersecurity. We have not empowered our CISOs and CIOs and the board to focus on cyber defense and on resilience. And that’s the reason that I am an evangelist.

Agnidipta Sarkar [00:00:30]:
That’s what I’m telling the world. That’s the message I would tell everybody to focus on.

Karissa Breen [00:00:50]:
Joining me now is Agnidipta Sarkar, Chief Evangelist from ColorTokens. And today, we’re discussing why we should have invested in cyber defense yesterday. So, Agni, thanks for joining, and welcome.

Agnidipta Sarkar [00:01:07]:
Hi. Happy to be here, and I’m so happy to be talking to you.

Karissa Breen [00:01:11]:
Okay. So let’s start right there. Why should we, as an industry, have invested in cyber defense yesterday?

Agnidipta Sarkar [00:01:20]:
Well, the fact is that we’ve been investing in cybersecurity for a very long time, and we have not seen the real benefit come, because as investments are growing, probably reaching about a trillion dollars, the cyberattacks are also growing. They’re not slowing down. So somewhere, something is wrong. And I think the main shift that we need to make is to be able to defend against cyberattacks knowing that attacks will happen. It’s not a question of if they will happen, but when they will happen. And even if you look at all the surveys that everyone’s doing, the boards are slowly shifting focus from cybersecurity to digital resilience because businesses have gone digital. So there’s more to attack from an attacker perspective. And the current investments, I mean, even yesterday, there was an attack on Coca-Cola.

Agnidipta Sarkar [00:02:16]:
Coke, I believe, as you know, is one of the companies who have probably the best-in-class security tools, but they were attacked. So attacks are not going down. I think we should have invested in cyber defense yesterday so that we are able to defend ourselves against an oncoming attack by combining all our resources in a structured manner.

Karissa Breen [00:02:37]:
Yeah. So what’s now coming to my mind, given your role as sort of chief evangelist, and you’ve obviously got a global role, what are you sort of hearing now from customers? Because everyone that I, I mean, I’m at a conference now as I’m doing this interview. And the same sort of conversation we’re talking about here today, Agni, is really what I’m hearing a lot from people as well, but then people say, I’ve got, you know, limited budget. I’ve got, you know, so much to do. There’s a never-ending to-do list. I’ve got people who have burnt out. So where are priorities sitting? How do you sort of see that?

Agnidipta Sarkar [00:03:08]:
I think their priorities are shifting, but the main thing is it’s not really about the money. It’s more about the mindset. You see, boards often see themselves primarily as engines for strategic growth. And I believe the information that the attacks are increasing despite investments is not reaching the board. But in a world where, you know, one cyber breach can freeze operations, tank share prices, or cost millions in penalties, that mindset needs to evolve. And it’s not evolving primarily because we’re not treating digital risk as a governance-level responsibility, which basically separates the reactive boards from the more resilient ones. But what I’m hearing from the customers that I’m meeting is that they are invested and they’re willing to learn the shift that they need to make beyond, you know, quarterly updates: asking hard questions, anticipating vulnerabilities, figuring out where the weakest part is and how they can, you know, make that a little better. That’s what I’m seeing.

Agnidipta Sarkar [00:04:13]:
It’s increasing. The focus of the board on resilience, on cyber defense, is slowly increasing. And the larger ones are more invested in it. The more agile ones are less invested in it. And, I mean, they were always less invested in security as well. But the ones that are invested in security and who are focused on making the organization’s reputation work, they are focusing on it. In fact, if I remember, there was an MIT Sloan review done last year where they interviewed, I think, 33 CEOs. And all of them said that they thought that they had invested and they were ready, but they now realize that they need to shift towards cyber defense.

Karissa Breen [00:04:53]:
So would you also say, though, you said before, like, the money isn’t an issue, but I’m hearing a lot down here in Australia that people are always worried about the budget. Obviously, we’re a smaller market. You know, we have 26,000,000 people here, which is still smaller than the whole state of California, to just give an example, for folks who aren’t living in Australia. Obviously, our GDP is smaller as well. So do you just think that perhaps, currently, Australia is a smaller market, so maybe budget is more of a worry perhaps?

Agnidipta Sarkar [00:05:21]:
So you think about budgets when you think about return on investments. Right? But cyber defense or resilience is not really a return on investment topic. It’s cost of doing business. So it’s not about how many people there are, it’s about what you’re trying to invest in to gain what kind of leadership in the world or in your area. So it could be a much smaller market. For example, it could be, you know, Malaysia or maybe Vietnam, but it really doesn’t matter. What matters is what you are willing to invest in for the business value that you’re trying to get out of digital. That’s the main thing. And that’s why I said it’s not really about money.

Agnidipta Sarkar [00:06:04]:
It’s about how you perceive that investment. If you’re perceiving that investment as return on investment, if you’re perceiving that as investment, then, of course, it’s about money. But the reality is that if you are in a state, let me give you an equivalent example. So let’s say that you are trying to invest in a business to build roads, and you know that you can’t build roads in a particular place because you need to dig it. You’re going to invest in digging. That’s cost of doing business. Likewise, digital resilience or cyber defense is cost of doing business. It’s not an investment. Does that answer your question?

Karissa Breen [00:06:38]:
Yes. Yes. Yes. So what’s come to my mind, so what you’re saying is, and do you envision now, given what you’ve just said, businesses need to write this into, like, their operating cost, so their OPEX. Right? So it’s like you said, cost of doing business. For example, I’m gonna give a bad example, but if you’re like a courier company, you have to invest in, you know, the trucks and the cars and the vans and the boxes. That’s just the cost of doing business to run a courier company, for example.

Agnidipta Sarkar [00:07:06]:
Yeah.

Karissa Breen [00:07:07]:
People can’t be surprised. Right? They can’t be like, oh, well, I’ve invested in a courier business, but I don’t wanna actually buy the van to move the stuff. So people can’t be shocked by that, for example.

Agnidipta Sarkar [00:07:19]:
I got a very good example given to me by a COO, chief operating officer of an industrial organization. They were making chemicals, and he said the reason that we need to invest in cyber defense is that we treat this as danger, not as risk. You know the difference between risk and danger. Right? So if there’s danger to human life, you don’t want to do it, or you invest in capabilities that’ll protect human life. So it’s all about safety, reliability, and efficiency. It’s not so much about confidentiality, integrity, and availability. Of course, those are important. Those are essential, or the foundational capabilities that go behind cyber defense.

Agnidipta Sarkar [00:08:02]:
But in the end, it’s about safety, digital safety. It’s about reliability of digital business, and it’s about efficiency of digital business. That’s what cyber defense and cyber resilience will bring on the table.

Karissa Breen [00:08:17]:
Yeah. Okay. This is interesting. So I formerly worked at a bank in security. So, again, and I’ve spoken about this many times on the show with people like yourself. And you mentioned the operative word, danger. Working in a bank, for example, is like, okay. We lost some money, or someone got scammed out of their life savings.

Karissa Breen [00:08:36]:
It’s annoying, but it’s not gonna kill you if you lose your money.

Agnidipta Sarkar [00:08:39]:
Right?

Karissa Breen [00:08:40]:
But for example, critical infrastructure, water plant, something happens, the water’s contaminated, people could potentially die. So how do you start to see the everyday sort of business which perhaps doesn’t have that danger, but equally, they don’t wanna, you know, have downtime. They don’t wanna lose money. How do people find that equilibrium in your experience?

Agnidipta Sarkar [00:09:00]:
As I said, it’s about mindset. So the whole thing is about finding, the word that you said, the exact word, it’s about the equilibrium. People need to find out what it is that they will tolerate. So, for example, there is a concept called minimum viable business. When you’re thinking minimum viable business, it’s different from business continuity, because you’re thinking about having a, I call it minimum viable digital business. So when you’re thinking about that concept, what you’re thinking is, in the face of adversity, how much minimum business can I run? So with cyber defense in place, with digital resilience in place, you’re looking at a number between 50 to 80%, or maybe 90%, depending on how much and where you are investing. The balance then is to invoke a BCP in the 20% that remains.

Agnidipta Sarkar [00:09:48]:
But if you’re not thinking that way, if you’re not thinking, as I said, it’s about mindset. If you’re not thinking about building resilience to operate at your minimum viable digital business at about 50 to 80%, then you’re thinking about business continuity, which will be 15 to 20% at the most. Does that make sense?

Karissa Breen [00:10:05]:
Yeah. Absolutely. So how do we, as an industry, get people to move more towards that mindset, would you say?

Agnidipta Sarkar [00:10:14]:
So I think that the real thing is where you want to focus. And in my experience, and I was a CISO in my life before I joined ColorTokens, the argument that I used to take to business leaders is that if we are thinking about doing something new, we must start thinking about the digital innovation and digital resilience in the same breath. If we are not doing that, then we are looking at a situation where the entire innovation could be upset because of a single disruption. So when you’re thinking how much you’re going to invest, you don’t need to invest a lot, but you definitely need to invest in foundational capabilities. Like, if there was to be a cyber attack, can I just put my systems in a manner that they are not visible to the attacker? That’s one way of thinking. That’s not a huge cost. That’s not a huge investment. I mean, this has been known to the industry for a very, very long time.

Agnidipta Sarkar [00:11:10]:
It’s not new technology. But people have not been focusing on it by making sure that, you know, okay. I have these critical systems, and these are the ones that I want to protect. That’s another area. Not many organizations have actually, you know, bogged down the number of critical systems they have. Asset management continues to be a huge challenge. Shadow IT continues to be a huge challenge. So if we have to convince the industry on how we can take this forward, we need to stitch all of it together into one big message that says, you know what? We could look at cyber defense, and it could give you value beyond just digital safety.

Agnidipta Sarkar [00:11:51]:
It can actually make sure that you are reliable to your customers. You are efficient in delivering what you promised to deliver to your customers. That’s where the real value lies.

Karissa Breen [00:12:03]:
So I just wanna maybe, I wanna zoom out for a moment and perhaps, Agni, talk about the real purpose of cyber defense. So I think maybe before we start to really get into some of the minutiae, I’m keen to explore what you mean by that.

Agnidipta Sarkar [00:12:19]:
So cyber defense, theoretically, is not much different from traditional defense, except that it’s in the cyber world. Right? Which means if you had to build defense, you had to know your enemy, and which means you need to plan how you’re going to defeat that enemy. Thankfully, all that information is available today. Publishes, for example, attacker profiles. They can differentiate between LV versus RansomHub. And MITRE publishes the MITRE ATT&CK framework, which actually documents how an attacker attacks. So what needs to be understood is that for doing cyber defense, we need to be able to anticipate an attack. And we need to be able to do some element of modeling so that we can then initiate those models should the attack happen.

Agnidipta Sarkar [00:13:17]:
Of course, if nothing happens, you’re good to go. But in between that comes a stage where you need to make sure that there are no unnecessary digital services that are just floating around doing nothing. Your authentication is in place. You’ve got your basic cybersecurity hygiene in place. And now all that you’re doing is you are hardening the enterprise so that there is no way an attacker can just waltz in without notice. That would be detected. Now this is the first phase of preparation. If you’re prepared enough, you know your attacker, you know your exposed systems, you know that you’re not good at, for example, you’re not good at vulnerability management, or you’re not good at patch management for certain systems, or certain systems cannot be patched at all because, let’s say, the vendor is no longer available.

Agnidipta Sarkar [00:14:07]:
And this happens quite often in the OT world. You need to be able to, you know, put them in a bubble so that no one else is able to attack it other than those who really need that information. Or you could make the information one way. Information only goes out. Nothing comes in. You can do all of that if you’ve done that efficient amount of planning. Now this is in anticipation of an attack, and then you build models, then you build playbooks. Should an attack happen, what do I do? Where do I bring in my weapons from? And most companies are investing in cyber defense, in cybersecurity tools.

Agnidipta Sarkar [00:14:42]:
And then there is microsegmentation that my company does. Right? So what you do is you prepare those models, you prepare those playbooks, and you create templates so that you can disconnect at will should an attack happen. You now know which model to execute when, and what would be the impact, for how much time you would be able to keep an attacker out. Let’s assume that you divided your organization into 26 microsegments, all the letters of the alphabet. Right? So it means that if you have an attack in microsegment, let’s say, A, and if you’re able to contain it within that microsegment by using the models that we talked about earlier, it means that attack will not spread. That’s what I was talking about when I said the minimum viable digital business going up to 80 to 90%, because you planned to contain an attack before an attack happened. That is the key essence of cyber defense. And should an attack happen, you go into containment immediately.

Agnidipta Sarkar [00:15:43]:
Yes. Probably, you know, 15% of your enterprise will be affected, but then that’s what your BCP is for. You’re able to do your BCP. But the most important part, what happens after an attack, is that you can then go and tell your stakeholders. It’s going to be a different kind of media report. Instead of saying that there was an unprecedented cyber attack and in anticipation, we shut down our systems, but we’ll be available back very soon, we’ve hired the best cybersecurity guys, you now say there was an unprecedented cyber attack, but guess what? We are back in business. It’s affected one part of our organization, but we are good to go.

Agnidipta Sarkar [00:16:20]:
We’re still delivering value to our customers because we are reliable, and we’ll be doing the work that we were doing efficiently as much as possible. This is cyber defense. This is the view of cyber defense. And if you have done it properly, if you put a management system around it, that means you’re going to evolve every time there’s a cyber attack. Tomorrow’s world is going to have AI in it, which means all this can be done by an AI. And you know how AI works. Right? It learns, and it teaches itself. So the next time an attacker comes in, AI would know.

Agnidipta Sarkar [00:16:53]:
But I’m saying even without an AI, you could do it manually. You could keep improving your systems continuously.

Karissa Breen [00:16:59]:
So okay. So a lot of the things as well that I’m hearing from the community globally around, you know, business continuity, all of the stuff that you’ve just spoken about before, Agni. So I’m keen to really get your perspective: a company, I don’t know, that’s an ecommerce business. Right? Something happens. They go down. They’re out of business for a couple of days, then it’s a week, then it’s a month. How long, given your experience in the field, have you seen a business go down for a long period of time, in terms of the interruption, that just completely ruined them? Is there anything you can share?

Agnidipta Sarkar [00:17:34]:
Oh, there are many. I mean, you know the recent incidents as well. There are companies like the recent Change Healthcare situation that happened. They thought that they are going to have an interruption of, you know, a few days. They denied, they were not prepared for that cyber attack, and then UnitedHealthcare bought them over, and they’re still not clear. In fact, if I’m not wrong, about two weeks ago, there was another release. I don’t know the exact numbers, but I believe that initially, their costs of recovery were in millions. Now they’re in billions because of the continuous, you know, whatever that’s happening.

Agnidipta Sarkar [00:18:11]:
There are many companies that I know about. Again, I don’t remember the exact names. There was this chemical company in the UK that went out of business completely. There was an EdTech startup that went out of business completely. Yeah. There are many of these incidents. So to your point, some high profile breaches are affecting either their top lines or their organization performance. The Oracle breach, by the way, how much has that stock price gone down by? They denied the breach initially.

Agnidipta Sarkar [00:18:38]:
I don’t know if you were following that attack, but they denied that there was an attack at all. And then the attacker released all the data, and then they sort of agreed that, yeah, there’s possibly an attack. But by the time the damage was done, the share price tanked. The cost of inaction is real, and it is rising. Change Healthcare is one example. Clorox is another example that happened. Again, I just remember it right now, where they underestimated how bad it could be, and it just went vertically down. It just went down real fast.

Agnidipta Sarkar [00:19:11]:
Colonial Pipeline, another one. When Colonial Pipeline started off, at that time, there was a ransomware and they had to pay ransom. And as you know, though, when the ransomware thing happens, the ransom goes up over a period of time. Right? They keep multiplying. They basically keep doubling every day. By the time they paid, they paid a certain amount. But the real effect happened afterwards because they had stopped gas, and that stopped the traffic. Right? They were suppliers across the entire Eastern Seaboard.

Agnidipta Sarkar [00:19:40]:
Guess what happened to the highways because there was no gas. So all these incidents are telling you only one thing, that we, I think, are underestimating what could happen. And we are underestimating it. I’m not blaming anybody. I’m actually telling everybody that we are not doing it because we’re not focusing on it. So boards, I believe, should focus on how vulnerable an organization is to a cyber attack. And if that’s the question they’re driving from the top, the cyber leadership or the CISOs are going to find that out. The business leaders are going to question themselves: should something happen, how much can we be affected? If you think you’re not going to be affected, then there’s no point in investing in cyber defense, or you can take a call saying I have enough cybersecurity in place.

Agnidipta Sarkar [00:20:28]:
I remember a long time back when I was younger, somebody told me we’ve got antivirus in place, so why should we worry about a firewall? So, you know, we go from there.

Karissa Breen [00:20:38]:
I hear what you’re saying. And, yes, I have followed a lot of those breaches. So the reason why I asked you that question is because what I’m trying to ascertain from people like yourself is, if you’re a CISO, you gotta get money from a CFO or board to invest in your security business. Right? Have you seen an effective way that cyber executives, or someone in that business, can communicate to say, hey, if something happens, for example, and we are not running our business for a week, this is how much it’s gonna cost? To your point around the stock price, I have followed that as well. One thing that no one on this show has been actually really able to answer, and maybe you can, Agni, is around when a breach happens. The breach that happened here in Australia, like Medibank, the stock price plummeted.

Karissa Breen [00:21:33]:
Yeah. Okay. It recovered after a while, etcetera. However, what is the long tail impact now of people having a stigma attached to that business to say, oh, but they got breached? How hard is it for customer retention over that period post breach, and how hard is it to actually obtain customer acquisition then post breach? I’m not some accurate, you know, actuary. I’m not a mathematician, but I’m curious to see, do you have any stats or insights on that? Because that’s something that I don’t see a lot of people in this space focusing on at all.

Agnidipta Sarkar [00:22:05]:
Well, the reason that no one’s focusing on that at all is, as you rightly said, you’re not an actuary, and the mathematics of this is not very well established. The reality is that if you look at all the breaches that happen, we sort of eulogize any breach in the media, and that sort of defeats the whole purpose, what a CISO has to drive when they go asking for money. Now the gun-at-your-head kind of asking for money doesn’t really work, because no one likes that. Right? You don’t want to pay money because you think you’re going to be held at ransom. But what you really need to do is to include them in the decision making process and focus on the breaches that really mattered. What I mean by that is, if you remember, LinkedIn got hacked long back. Right? So much of that data went out. What happened? Nothing happened.

Agnidipta Sarkar [00:23:02]:
Right? No one bothered. So personal data getting leaked, because of privacy regulations, it’s a big thing in the world. But what is it really leading to? It’s leading to personal attacks. It is leading to, you know, people losing access to their banks or something like that. There’s a community impact of a personal data breach. And, therefore, like you said, yeah, we lost data. We came back.

Agnidipta Sarkar [00:23:29]:
Nothing happened to the enterprise. The stigma of it all is something that’s not yet happened, because the scale of loss versus the scale of personal loss really has not been calculated. That’s on one side. On the other side, the breaches that have led to physical events, they have been quantized. So if you go down to a COO at a factory where there has been a, you know, large scale cyber attack, for example, oil and gas, Halliburton, if I remember, was a company that got attacked. If you go to a competitor of Halliburton, the moment they got attacked and once they learned how much they spent, I think as per media reports it was about $3,035,000,000 dollars that they spent. I don’t think I can quote you exact numbers, but that’s what I remember. If you go to a competitor of Halliburton, they were at that time busy.

Agnidipta Sarkar [00:24:22]:
Right after they learned about this, they were busy figuring out how much they should invest in protection. And that is what really happens. So it’s not so much about a CISO going to a CFO and saying, guess what? We are in the business of this. These many companies got attacked, and they lost so many dollars. So much share value went down, and, hence, we must invest so much, because it’s difficult to articulate in that number. But if you go and tell them that you are trying to do business of this kind, of this number, if we had a cyber breach, it’s not about how much of the business will get impacted. It’s about what the loss would be.

Agnidipta Sarkar [00:24:57]:
You’re absolutely right. There is no one who’s focusing on calculating that number and going to businesses in a positive mindset. But the way I see it, most users are going to businesses saying, invest or else. So I think you’re right. No one’s really doing that mathematics, but I think we should start doing that and focus on the community impact. If you are dealing with consumers, focus on the impact to people, focus on the impact to the organization and its reputation, and really play along with how much risk you are willing to take as you’re doing this business. And that’s where it’ll even out. If there is somebody who wants to do risky business, and there have been many, there are startups which have gone down and we’ve seen all the stories, then it’s okay.

Agnidipta Sarkar [00:25:47]:
But if you want to do business in a manner that is going to add to your business value and to your brand and reputation, you want to retain it, then you’ll invest the right amount. I think someone said there’s never a right amount. It’s all related to how much business you want to do.

Karissa Breen [00:26:04]:
No. This is interesting, because there are multiple sides to this problem. So the first problem will be, if we focus on, again, I’m just using these as an example, an ecommerce business, so you could say, in the month of May, again, arbitrary numbers, we make approximately 5,000 Aussie dollars a day through the site. If we were to go down seven of those days, that’s obviously a, you know, decent amount of their revenue. But if it goes for longer, so that’s more, you know, quantitative and qualitative sort of numbers, but it’s the after

Agnidipta Sarkar [00:26:35]:
Hold on. Sorry. I’m interrupting. So here’s my point to you. If it’s an ecommerce business and if they’re making that much money, then has someone tried to find out what’s the current state of exposure, how much do they know about what’s inside and what’s outside, who’s coming in from outside, and who can come in from outside? Who’s done that analysis? If that analysis were to be available, then you can measure that if these systems go down, then I’m losing so much money per day. And then you can work back and capture it. Remember what I talked to you about, modeling. Look.

Agnidipta Sarkar [00:27:08]:
The technical debt

Karissa Breen [00:27:09]:
Yes. But that was not some that I’m using. That was cut. I’m just trying to give people an example

Agnidipta Sarkar [00:27:15]:
Yes. You’re right.

Karissa Breen [00:27:17]:
of what that would look like. Because that is one problem. Right?

Agnidipta Sarkar [00:27:20]:
Yes.

Karissa Breen [00:27:21]:
The second problem is something happens in the breach. What is, okay, customers are disgruntled. Well, stuff those guys, they had a breach. I’m leaving, so you’re gonna see a lot of fallout from that. And then the second part is how hard will it be for a business to earn the trust back to win more customers? That’s the part that, again, to your point, no one is focused on. So maybe I’ve gotta go out and find some actuary or mathematician that can run some potential numbers and model, because I haven’t seen anyone use that in the industry to say to their board, if a breach happens, this is what we could be dealing with based on this model.

Agnidipta Sarkar [00:27:59]:
Exactly. That’s what I am also telling you, that if you are able to, let’s say, since the biggest value that microsegmentation, or rather ColorTokens, brings on the table is that it can determine how traffic moves in your enterprise. So small or big, it doesn’t really matter what the organization is. ColorTokens technology can find out how the traffic moves on a normal day. So if you know how your traffic moves, we can also tell you what part of your enterprise is vulnerable and what part of it is not, what part of it you are able to patch better than others. If you go down that route, you’re soon going to figure out that I have, let’s say, 10% of my organization. I’m just taking an arbitrary number. It could be 20.

Agnidipta Sarkar [00:28:46]:
It could be 80. I don’t know. But I’m just saying we come out with a number that says so much of your organization is actually hackable. And that means when you start thinking about investments in cyber defense, you need to think of this. To your point, that mathematics, that if this gets impacted, then the numbers are easy to calculate. But without that knowledge, without understanding how the traffic moves. Because what are the two things that are most essential to control when a cyberattack happens, or when you’re doing business? How communication goes outside a particular digital system and how communication comes inside a digital system. Only these two things matter.

Agnidipta Sarkar [00:29:30]:
When you roll back and look at it from a 30,000-foot view, it looks very complex. But down the line, it actually matters there. Now when you have a technical debt where you have outdated systems, you have missed patches or deferred upgrades, that’s the time you need to figure out that, okay, this is my number. This is my traffic. And, therefore, this much is more vulnerable as compared to others. And, you know, as I had once in my life talked to my CEO, and he asked me, Adi, how secure are we? You know, I had to tell him that, you know, I know that we are about 5% very good. I know that we are about 18% not so good.

Agnidipta Sarkar [00:30:12]:
He said, what about the rest? I said, I don’t know. And that’s the problem. If we are able to use ColorTokens technology to figure out the whole organization and how they communicate, what are those digital systems that are more vulnerable than the others and which are more critical than others, and then focus investments to make sure that those are protected, those are taken care of, you’re reasonably safer than you were earlier because you’re anticipating an attack, and you’re going to contain the attack. You’re going to live with a certain amount of business risk in your digital business, and that’s okay.

Karissa Breen [00:30:49]:
So why would you say, in your experience, people in these businesses aren’t figuring this stuff out? I know everyone’s busy. We’ve got stuff to do or, you know, but what would you say? Is it just we’re busy? We’ve got other priorities. We’ve got other holes in our boats that we need to plug first, Agni. What are the sort of responses you’re getting from these folks?

Agnidipta Sarkar [00:31:08]:
It’s not really about money. It’s about mindset. As you said correctly, everyone’s busy. Both see themselves as engines for strategic growth. Leadership sees themselves as serving the board and making sure that the operations go on as smoothly as possible. The CIO is focused on the next innovation. The CISO is focused on investing in cybersecurity. We have not empowered our CISOs and CIOs and the board to focus on cyber defense and on resilience.

Agnidipta Sarkar [00:31:37]:
And that’s, I think, the reason that I’m an evangelist. That’s what I’m telling the world. That’s the message I would tell everybody to focus on.

Karissa Breen [00:31:46]:
But why haven’t we done that? Why haven’t we empowered these people?

Agnidipta Sarkar [00:31:49]:
Well, we haven’t done it because we haven’t gone to that stage of realization. It’s only now, in 2024, 2025, that we are realizing that, you know, the cybersecurity market is growing and so are the attacks. It’s now that we’re realizing that this is an area of work. I think even in Australia, there was a report, if I’m not wrong, which came out where I think there’s a legislation that’s either come out or it’s about to come out where they are making the board responsible for resilience. So, yes, it’s happening. It’s not that it hasn’t happened yet. It’s happening, but it’s happening now. It hasn’t happened already.

Karissa Breen [00:32:24]:
Why now and not before? What were people doing before then?

Agnidipta Sarkar [00:32:27]:
Let’s put it this way. Until probably before the pandemic, everybody was focusing on cybersecurity. It is during the pandemic that we realized the value of how connected we are. Cyberattackers moved the needle. They started attacking differently. It’s now that people are focusing on resilience. I talked to you about the MIT Sloan report as well. The same question was asked.

Agnidipta Sarkar [00:32:50]:
Why did we not focus on it earlier? We did not because the attacks were not so high. Now attacks are everywhere, and your investment is also everywhere. So if you’re investing and you’re still getting attacked, then you’re not investing correctly. I think that’s the reason. It’s all about evolving to learning where we should be investing now. Look at it this way. Many corporate boards still treat breach readiness as a technical side issue rather than a core priority, but they’re evolving, as I said earlier. If the boards, when they meet to discuss the next innovation, the next investment, the next whatever, also focus on, are we ready to face a breach? Just that question.

Agnidipta Sarkar [00:33:32]:
One question. They would be far better prepared.

Karissa Breen [00:33:34]:
I would say most people would say no. We’re not ready. Because even if you’re kinda ready, you know, there’s no blueprint. Not every breach is the same. They’ve all got different DNA. They’re all done differently. So even if you got breached once, even if you had a second breach, you’re probably still not gonna be ready anyway.

Agnidipta Sarkar [00:33:49]:
It’s not a problem-solution approach. It cannot be a problem-solution approach.

Karissa Breen [00:33:53]:
But isn’t that what the industry is addressing it like? Are we prepared? Like, everyone has to say no. We can’t say yes because it’s not like the same thing’s gonna keep reoccurring each time.

Agnidipta Sarkar [00:34:03]:
You’re absolutely right, and that’s why it can’t be a problem-to-solution approach. If you were attacked by, let’s say, RansomHub, and they came in by exploiting phishing and then they got onto lateral movement and they took your data away, the next attacker is not going to come like that. It’s going to be different. And that is the reason why we have MITRE, that people need to understand that focusing on tactics and techniques is far more important than focusing on the actual attack, on how that attack progressed. Because a cyber attacker, remember, an attacker doesn’t know who he is attacking. Where is the attack going to land from? In the case of the recent attack that happened, there was a credential misuse. Someone’s credential was misused and they got into something, and then they did a lateral movement and they exfiltrated data. That’s not going to happen in the next attack because that road is going to be blocked. So the attacker is going to find another way in.

Agnidipta Sarkar [00:34:55]:
But think of it from an attacker’s point of view. Until they actually land on a system and figure out what that system is and find a route to do lateral movement, they really don’t succeed. They succeed only when they are able to make that leap from one system to another happen. But to come back to your point, we have to look at it as what you said. There is no blueprint. Your blueprint rather has to be cyber defense. How do I defend when I’m attacked, not what I’m attacked with? That’s how real-life defense also works. You don’t know whether your attacker is going to be cavalry or are they going to be archers? All you know is you’re going to be attacked, but you need to be prepared.

Agnidipta Sarkar [00:35:37]:
Therefore, the preparation is important.

Karissa Breen [00:35:39]:
Would you say that the industry has been focused on how people are attacking? So to your point around, you know, if they’re gonna be, you know, attacking with archery or whatever that looks like, is that what people have historically been so focused on?

Agnidipta Sarkar [00:35:53]:
Yes. That’s how it has been, because it’s all about how you go from where you were, where you were not attacked, to where you are, where you’re continuously being attacked. You stop one gate and there’s another gate that opens up, someone attacks from somewhere else, and then you try and find the latest buzzword and the latest technology thing that you have to invest in there. Zero trust, for example, much maligned. When it first came out in the Forrester report about zero trust, people were very impressed. Zero trust is gonna solve the problem. They soon realized it’s complicated. You need a whole lot of software engineering to do proper zero trust, and you need to use it as a methodology, not as a tool.

Agnidipta Sarkar [00:36:34]:
And you’re right. That’s what people focused on. You look at where we are focusing today as well. There are a lot of organizations still focused on how do I stop phishing. It’s not about a holistic cyber defense or a cyber resilience attitude.

Karissa Breen [00:36:49]:
So, Agni, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Agnidipta Sarkar [00:36:54]:
My final thoughts are going to be to tell whoever is listening that this is the time. 2025 is the time when you should be thinking of investing in how to protect against the next attack, and you should be doing it now. You’re already late if you’ve not started.
