Episode 150: Edgard Capdevielle

Edgard Capdevielle is President, CEO and co-founder of operational tech and IoT firm Nozomi Networks. Edgard brings an extensive background in successfully managing and expanding markets for both start-ups and established technology companies to his role as CEO. Previously he was Vice President of Product Management and Marketing for Imperva, where he led teams that made the company’s web and data security products leaders in their space. Prior to that he was a key executive at storage companies Data Domain and EMC.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:21)
You are listening to Kbkast, the Cyber Security Sector Security podcast for all executives cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen.

Karissa (00:36)
Joining me today is president and CEO Edgard Capdevielle of Nozomi Networks. And today we're discussing critical infrastructure. Edgard, thanks for joining. It's wonderful to have you here.

Edgard Capdevielle (00:47)
Karissa, thank you for having me. It's an honour to be here.

Karissa (00:49)
Critical infrastructure, it's a big one. So I want to talk to you about your observation about critical infrastructure. What are your thoughts? At a high level?

Edgard Capdevielle (00:57)
Critical infrastructure is extremely important for most nations, as the name implies. It includes critical systems required for humans to be around. It includes energy, the production of energy, the production of electricity, oil and gas in many countries is extremely important. It includes transportation from buses, metro, airports, ports. It includes the production of pharmaceuticals, many other manufacturing sectors. It really is the fundamental systems that support life as we know it in this modern world. So critical infrastructures is extremely important. I think over time it has been automated, it's part of our digital transformation, but it really hasn't followed the same security evolution. Let's say our financial systems or any other system that is initially monetizable, but by hackers or other evildoers financial systems have gone through great extent to protect themselves. Anyone who has credentials that can be monetized has gone invested quite a bit on cybersecurity. And for the longest time, critical infrastructure has not had the need or any immediately monetizable asset that either a hacker or an evildoer could put steal. So for the longest time, it hasn't really invested in the same way that, say, our financial systems have.

Karissa (02:21)
So do you think I mean, you obviously based in the United States that the Colonial Pipeline. Do you think that sort of shone a spotlight on critical infrastructure, for example?

Edgard Capdevielle (02:29)
Absolutely. I think a lot of people describe the world before and after Colonial Pipeline. Colonial Pipeline was a very significant event. It started as an It oriented hack. It got really close to becoming a critical infrastructure hack from the perspective of attacking critical infrastructure systems. It stopped short of that. But the impact was pretty dramatic. It affected, obviously, liquid gas, gasoline distribution in the United States, and it got the United States really close to having major outages in terms of availability of energy resources. So, yes, I think a lot of folks have ingested that episode as and divide the world, if you will, the timeline in terms of before and after and after the Colonial Pipeline attack. And it has changed the way people think about critical infrastructure and how vulnerable it is and how much more attacks into it we're going to see.

Karissa (03:22)
Yeah, you're absolutely right. And I think that the key thing here that you said the impact now again, like gas distribution, that's a major one. But if you look at water, for example, imagine if we just couldn't get water, like how ballistic people would go, right? So it's the thing if no one wants to be breached or as DDoS and if something happens or company goes down, but you can't get like a necessity like water, for example, that really does change the game. Do you think people out there think like this though, maybe that people aren't thinking about like critical infrastructure and if we can't get water or gas, for example. So do you think that there will be more of an importance, whether it's in the United States or here in Australia, that people be thinking more about what happens if because we've had a lot of breaches here in Australia, as you probably would have heard of in the last couple of weeks. If something like critical infrastructure gets breached, do you think people are considering the impact of the magnitude of some of these events?

Edgard Capdevielle (04:18)
Absolutely. And I think you touched a very important vertical, which is water. In the United States we had right before the Colonial Pipeline incident, we had the old Smart water plant incident in Florida where the attack was slightly different. Colonial Pipeline was more of a ransomware attack. The old Smart water plant in Florida was more of a remote access attack where somebody came into the plant, changed the chemical composition of the water and fortunately it was caught in time. I think as you pointed out, water, just like any other critical infrastructure, is fundamental to support human life. The impact that this attack could have had in terms of people poison or otherwise would have been pretty dramatic. So yes, the impact is being felt more and more across the globe because the more developed, the more automated the system, the more developed the country, the more you're going to be vulnerable or the impact of these attacks is going to be more in your particular country. And of course Australia is a powerhouse in terms of different markets and automation. The degree of automation that has been implemented into these critical infrastructure sectors, including water and of course is equally susceptible as the United States.

Edgard Capdevielle (05:30)
So of course the impact is being appreciated a lot more.

Karissa (05:34)
So I'd like you to stay with that example on water. So just say use that example. Imagine if the water got contaminated. Like people would get sick or potentially die. Talking a little bit more about hypothetically water, ransomware attack, whatever it may be, what can people sort of expect from this? Like you said, potentially it gets contaminated, people get sick or die, we can't get access to water. What do you think happens then? How do people start reacting because again, it is a necessity. Right? Like people can't cook, they can't drink water, they can't have showers and if you're looking at that across a very big country like the US is 330,000,000 people, for example, that's a pretty big impact. So talk to me a little bit more about the impact on not only businesses but to consumers as well.

Edgard Capdevielle (06:20)
Yeah, I think the the primary impact, the initial impact obviously is to find substitutes. So of course, if you cannot get drinking water, you try to get bottled water or or you try to boil water or or find alternatives to to regular tap water. But that's just the initial impact and similar with colonial pipeline or any attack with critical infrastructure it starts by having either a workaround or an immediate substitute. But the larger impact, and again, depending on who is attacking and what the ultimate purpose is sometimes the ultimate purpose is just financial, monetary by one of these ransomware gangs but sometimes the attack can follow ideology. There are certain geopolitical pressures and governments that do not like or want to affect the impression of somebody else's way of life, transform it from being safe and secure to less dependable and equally as unreliable as their own. So that is the second impact when you start mistrusting the processes that are critical for regular life, regular functioning. Some of them are government owned or government operated and sometimes some of them are private sector operated. Depends on which country water may be highly regulated or publicly managed versus privately managed.

Edgard Capdevielle (07:38)
And you start losing trust in institutions that today we take for granted. And it's it's about a reversal of the conveniences that we've grown to expect and not question. Does that make sense?

Karissa (07:51)
Yeah, you raised a great point. The operative word trust. So for example, you're in Australia with all the breaches, people are losing trust in these organisations. They're big companies, they have been breached quite significantly in terms of the fidelity, the amount of people who have been breached as well as the sensitivity of the information. So you may get to a stage which I hope not we're not sitting there like getting water of a tap and people are questioning if it's being contaminated or not. Do you think people will get to that level though?

Edgard Capdevielle (08:18)
I think people can. I think that the duty for the private sector, the public sector, is to elevate the level of cyber security, security so that these type of breaches did not become a common occurrence. Like I said, the beginning of last year in the US they started to become a little bit of a common occurrence and he caught the different critical infrastructure sectors off guard because we have not invested in the same manner to protect it. But the answer is not to continue that trend and have the public mistrust critical infrastructure providers, whether they're part of the public. The real answer is we need to elevate the level of protection that all the operators of critical infrastructure implement and match those that have been best in class for the longest time. Like for example, the financial sector.

Karissa (09:08)
Yeah, very interesting point. So you made a comment from understanding that critical infrastructure is highly vulnerable, as we've clearly articulated already in this interview, towards like a tax and is under prepared. Talk to me a little bit more about this. What do you mean by under prepared?

Edgard Capdevielle (09:23)
Well, like I said, for the longest time critical infrastructure was not monetizable. You could not penetrate critical infrastructure and steal credentials or money. So again, the financial sector which owns money or the retail sector or anybody that is in the business to consumer where credentials are available, needed to invest cyber security to protect those credentials, to protect that money. And the cat and mouse game which makes you evolve, the bad guys get better, the good guys get better, helps you advance the level of protection. So you could say banks and anybody in retail that holds credentials is protected to a higher degree. The regulations and the guidelines exist and there's significant infrastructure and investments made to protect these assets. Now, when it comes to critical infrastructure, for the longest time it wasn't monetizable and there was really nothing to be gained other than to disrupt systems and processes which don't only follow the kind of the ideology type of attack versus the profiteering type of attack. But when ransomware and Bitcoin changed the game, they basically said any industry where uptime is important, which includes critical infrastructure, I can monetize that, I can monetize that with ransomware and Bitcoin.

Edgard Capdevielle (10:45)
If you care about the uptime of your process or critical infrastructure system, I can apply ransomware, I can disrupt it and you will pay me. So the uptime became possible. So all of a sudden, from one moment to the next, industries that had not dissipated in this kind of long term evolutionary process of investing in critical infrastructure and therefore they don't have the budget, they don't have the inertia, they don't have the skill set they're required to have the budget. The inertia and the skill set invest and protect themselves against kind of some of the most sophisticated actors out there. So it's really unfair because again, the defenders haven't really prepared for it and the attackers come from being fairly evolved and therefore at the very beginning they started being very successful.

Karissa (11:29)
So Edgard, would you say that critical infrastructure is more under prepared than say, banking and finance for example?

Edgard Capdevielle (11:36)
Oh absolutely. There was a study done by Deloitte I believe it's a fairly global study where you can actually use the investment in it for example or the expenses in it as a proportion of your revenues to group industries and you would find finance and retail insurance in the top where the investment into it as a proportion of your revenues. It's pretty high. And in the back of that list you'll find critical infrastructure sectors like oil and gas, electricity, water and so forth. And there was a further study done by McKinsey, I believe, where not only did they look at the It spend as a proportion of revenues, but the cyber security spend as a proportion of It spend and they found that it was even lower. So not only critical infrastructure sectors are investing less as a portion of their revenues, but their investment in cyber security securities are even lower. They're just starting to go up the digital transformation curve. Cyber security. Security is an afterthought.

Karissa (12:35)
That's really interesting. Why do you think that's the case, though? Because I asked this because I used to work in a bank in security. Yes, it's awful. The people use their money, but it's just money. Right, but if you're contaminating water and things like that, people could lose their lives. So why is critical infrastructure have less of a focus considering the impact is hot?

Edgard Capdevielle (12:53)
Yeah, I think the impact is in the eye of the beholder. So again, for the longest time, could you do something and have something monetizable back very quickly? And when you can clearly see that in a bank, banking websites and all sorts of financial platforms or applications were protected from the very beginning because the money or credentials or any type of fraud could be immediately monetizable, something that you do to what for the longest time was not monetizable. So unless you were following some ideology, type of incentive for the attack, you wouldn't do it. There's nothing to be gained. And again, ransomware changed. That right. Now with ransomware, I can attack, say, going to the pipeline or anyone else. That for example, affects your supply chain, affects the ability of products that you really care about, may affect your transportation, may affect your electricity and ransomware in combination with bitcoin changes. That monetization factor, it used to be zero monetization to now I can monetize it in the same way I can demand some bitcoin to be deposited somewhere and without much more you can get monetization from attacking critical infrastructure. That's fairly new and that's why the investment trends have not been there.

Karissa (14:08)
Got you. Okay, that's a great point because now there is this monetization factor which you've just spoken about. Is that going to influence the government now, for example, put more regulation in to say, hey, this is their standard, or you need to be compliant here, here, and here what's that going to look like. Because again, going back to the impact is greater. Losing money is like one thing, but people literally dying because they're drinking bad water is another thing.

Edgard Capdevielle (14:32)
Yeah, absolutely. So in the US. For example, Nasomi and several of our peers have formed the OT coalition. In addition, we have partnered with Visa in the US. Again to facilitate and provide our industry input in terms of guidelines that are coming out for different industries. It started with the world of gas, but it's evolving and including going forward, the world of transportation, air transport, ground transport and so forth. Of course, here in Australia, you have a lot of guidelines that are coming out. Critical infrastructure is one of them. And implementing risk programmes and providing guidelines for notification when that cyberattack happens is the beginning. I believe the world is evolving in that way. Governments are providing guidelines, critical infrastructure operators and critical infrastructure operators are going to have to meet those guidelines regulations and start that budget or spend inertia. That is a normal habit in the world of, say, financial institutions. But it's a new muscle when it comes to critical infrastructure.

Karissa (15:33)
Well, I guess, as you would know, the government brought in like soccer in that type of regulation recently, so I guess that will help. But again, it's not a flick of a switch. It's all going to be happening overnight. It's going to be a bit of a process, it's a bit of a journey. What are your thoughts on that?

Edgard Capdevielle (15:46)
Yeah, unfortunately, it is a little bit of a journey and I think the I referred to as inertia. So you'll have a slow start. I think meeting these guidelines is extremely important and I know some we refer to the stance that people have initially towards these guidelines as the pre breach mentality or pre attack mentality. And what we recommend is in terms of how to think about all this is to try to adopt a post breach mentality. So if you think about whether you're this water operator that I mentioned or you're colonial pipeline or whomever, your approach towards appreciating some of these regulations and trying to meet them changes dramatically whether you are pre breach versus post breach. So the ideal solution and of course let me just maybe describe it pre breach people are seeing this guidelines as maybe like a nuisance or like something that you have to do and you may want to delay it or do the as minimal as possible. Post breach of course everything changes when you see your systems halted and your computers under ransomware attack and unable to come back and your availability of your services is significantly compromised.

Edgard Capdevielle (16:58)
It's pretty traumatic. And your view around these guidelines and regulations and how you should spend into elevating cyber security security stance changes in a significant way. The best outcome or the best practise would be how do I adopt a post breach mentality without the trauma of having to go through a breach, which is, of course, not easy. It's really hard. It requires courage, creativity, commitment and executive sponsorship into cybersecurity programmes.

Karissa (17:26)
Okay, so I want to look into your thoughts on the pre breach mindset. We can get to post breach in a second, so we often talk in the industry, as you know, about performing tabletop exercises, like being prepared, having a plan, practising the plan but then this often just gets pushed down the list. Other things pop up. People got to get their head above the water, keep the lights on. When it comes to security, there's a lot of things going on. So what would be your advice to keeping this topic of pre breach mindset top of mind?

Edgard Capdevielle (17:54)
Yeah. As you point out, it's really hard to be good at this because there's always the day to day business. We're already trying to do too much. You want me to do one more thing? And the worst one is actually when I don't appreciate the fact that this event that you're talking about, for example, hasn't happened here. So it hasn't happened here, and you can't tell me statistics around it happening anytime soon. So why would I try to protect against it? That's actually the toughest one. If I may make an analogy, right? When any one of us gets into our cars, we put on our seatbelts, right? And that would be the protection. Some people have never had a car accident, but you are fairly aware of car accidents. You can get statistics around car accidents. And everybody knows that in 99.9% of circumstances, wearing your seatbelt is better and it's easier to do. And every car has one. And you don't have to it's not a hassle or an investment required. They come with a car. So this is a good analogy because some things are similar, some things are extremely different. Cybersecurity does require an investment.

Edgard Capdevielle (18:59)
It does require significant effort for us to exercise the muscle that we don't have. In terms of the mentality, it's hard, harder to appreciate how water in Australia, for example, could be affected in a negative or impacted in a very negative way when it really hasn't happened in Australia. Nobody has any Australian memory of something like that happening. It hasn't happened here. It would be probably your worst enemy. And of course, it has happened in the US. And the US problem is different. Or water infrastructure from a financial perspective is regulated and doesn't have a lot of investment money laying around. It's a cost plus industry where every investment needs to come from somewhere. It's either government owned, government financed, so it's much harder to change budgetary availability for investments in cyber security. Don't know exactly how it is here in Australia, but you can see the elements of the pre breach mentality coming together to slow things down and providing creative inertia in that respect.

Karissa (19:56)
So I definitely get your analogy about the seatbelt. Great way of putting it. How do we get people in our teams, our boards, our executives to be like, think of the seatbelt. How do we get people there? Because at the moment, everyone's just getting in the car and they're going for a joy ride and there's no seatbelt. There's probably even not even a seatbelt installed to some of these people. What would be your advice?

Edgard Capdevielle (20:15)
Yeah, I think that we have a great example in the US. The role that CESA is playing in the US. When it comes to critical infrastructure. And the good example, and how we take some of these good examples to social and to greater distribution is a good set of examples to copy here, for example. That would be my recommendation. If you look at what CSA is doing, they're not only providing guidelines that are applicable to specific verticals and that has started with socky. Multifactor authentication for example, is the easiest thing most bell like that all of us should be doing, we should all have multifactor authentication kind of mandate it almost because it's the easiest thing to do. It is how most acts start with a compromise around user, whether it's a phishing attack or social engineering and multifactor authentication assists and prevents misuse of credentials, which is how everything starts, right? For example, CS has been advertising and promoting multifactor authentication for the longest time is the easiest thing. First step that we should all be doing, in addition to providing some of those vertical guidelines for particular industries, you can go always the extra step and say, well, listen, all networks that support critical infrastructure should be monitored.

Edgard Capdevielle (21:29)
People should have a list of assets that are connected to critical infrastructure. You should know what they are, you should understand the vulnerabilities. Saki is starting to do that with the part of Saki that really talks about implementing risk management programmes. Those risk management programmes of course could include monitoring of critical infrastructure networks, understanding assets connected to those critical infrastructure networks, understanding authorised access or abnormal access to critical infrastructure networks, and so forth. But you can also start really simple, like I mentioned, with the most seatbelt like recommendation, which would be multifactor authentication when it comes to users of critical infrastructure.

Karissa (22:03)
Do you think as well you mentioned before, that especially in Australia, for example, a water incident in terms of critical infrastructure hasn't really happened. Do you think people rely up? Well, it hasn't happened in X amount of years it maybe won't happen which maybe sinks in a little bit of complacency there I think it does.

Edgard Capdevielle (22:19)
We have the world to watch, right? So right now we obviously have a lot of geopolitical pressures happening, a lot of critical infrastructure being affected with physical attacks, but as well as cyber attacks. So the geopolitical pressures today they're all about Russia and the Ukraine, tomorrow they may include other actors, other regions that have different type of ambitions or different type of ideology and yeah, Australia is not too far away from the rest of the world.

Karissa (22:48)
Sure, it doesn't feel like that sometimes, especially when you get a flight of the US. It's a pretty long flight. So I want to now talk about maybe let's talk about still in the pre breach mindset of Practising incident response plans, for example. So when an actual incident occurs, people seem to forget the plan, which you probably are aware of. So what would be advice to keeping people on the right track? Because, again, emotions run high, people feel stressed, they feel overwhelmed. So it's easy in theory to practise it when you're in a controlled environment, but when things are going out of control, very hard to keep you cool and to keep people doing the right thing. What would be your advice towards that?

Edgard Capdevielle (23:27)
I think my best advice would be practise, practise, practise. I think I come from the world of data management, and specifically backup and recovery. Everybody talks about all your systems, especially your critical systems, should be backed up. And sometimes it's very easy to say, cheque the box. This server over here is backed up. There's a backup process that occurs with some frequency, which is great, but when you have a major situation, having a system backed up doesn't provide any benefit. Backup by itself is useless. The only important part of backup, the only reason you backup, is so that you can recover. So checking the box after servers backed up is, in my mind, really silly. You should cheque the box only where you're able to recover in the same fashion that you would need to recover when something happens. So, for example, again, let me just stay with backup for a second. Backup is a very asymmetrical process. You can back up a machine or all of your machines one at a time, but if you ever had to recover, you had to recover everything at once, or you would have to recover systems in the right order so that the services come back with the right priority, importance and precedence.

Edgard Capdevielle (24:40)
And people don't necessarily practise those scenarios. The servers backed up, can you back up the server? Yeah. Can you recover the server? Great. But that doesn't really implement the kind of asymmetrical nature of backup where you can back up one server at a time. But if you need to recover, you need to recover, and massive so. That's just a quick example of practise, practise, practise. You should not only make sure that every server that is critical is backed up, but you know exactly how, in what order, which, what priority servers need to be recovered and brought back online. In the case of cyber, backup is also a very important part of the answer. You must have a resilient organisation. A resilient organisation is one that can be attacked by ransomware and you know exactly when ransomware you can detect. When ransomware enter, you can detect the last save point, saved snapshot that you have of your systems and you need to go back to that world and recover. If you have never practised that, then you need to follow the maybe less desired path of a ransomware attack, which is pay. And even when you pay and you get credentials to decrypt your machines, you don't have the right speed and processes to bring your systems back.

Edgard Capdevielle (25:53)
You may have 1000 servers that were impacted and even now that you have the keys after you paid, now you have to apply that key to 1000 servers and you don't have any processes for that. So I think you talked a little bit about the playbooks and everybody forgets the playbooks. I think sometimes the playbooks are non all inclusive of everything that needs to happen and contemplates every single decision, whether you are trying to recover based on your last save point or you're actually paid and have the credentials and assuming that you got the credentials after you paid. And now what do you do with those decryption keys?

Karissa (26:26)
Okay, so going back to your point on Practise practise. Practise, great point. How often should people be Practising? At once a week, once a day? How many hours? Who's involved? Can you talk to me a little bit more about that?

Edgard Capdevielle (26:36)
I think it really depends on how digitised the process is. What's the scope of the process? I think the processes should be implemented with the right cadence. The backup happens once a day. In most cases there is a full backup as a syrupmental backup. Sometimes you have active, active disaster recovery. It really depends on what the scope and the process is. The full recovery should be something that is practised. Again, depends on budgets and the criticality of different systems. You may not have the budget or the need to do a full critical recovery every month. Some people may do it once, twice a year, but you should do it. People should understand what it entails. And to your point, I think have a playbook that you're not going to forget. When something bad happens, you practise it once a year, two times a year, three times a year. It's going to be harder for people to forget their playbook when something bad happens.

Karissa (27:32)
So, as a rule of thumb, would you say once a month or once a quarter is reasonable? And I understand it's always going to depend, but if you had to give a number perhaps for people, what do you think is safe sort of bet like once a year is obviously not enough, twice is definitely not enough, but every day is obviously too much. But do you have somewhere where you'd say, hey, this is a good general rule of thumb?

Edgard Capdevielle (27:52)
I don't think there are general rules of thumbs. I think there are going to be best Practises by industry. Like I said, Water for example, has a lot of scarcity when it comes to resources on people, on backup, on everything. So demanding that they do the same thing as a bank is not reasonable. So I think each industry and industry consortium has to come up with their own best Practise, minimal requirements and we shouldn't have one dictated for everybody else. And I think what CESA is doing, for example, is trying to come up with guidelines. Associated with verticals because verticals tend to be grouped by the same characteristics, same attributes, same set of needs and availability of resources. So maybe that having some of these guidelines, some of these requirements, some of these best Practises by vertical may eventually prove to make the most sense.

Karissa (28:45)
Totally hear what you're saying and absolutely there's not one size that fits all. So if we had to get an example, I don't know whether it's water in terms of vertical guidelines. Do you have any sort of insight on that? If we focus on water or whatever example you want to use, do you have any sort of indication?

Edgard Capdevielle (29:00)
I think water, and I think my experience is primarily with the US. Water, as I mentioned, is one of the verticals where you're starting the most from scratch. You may have some of the oldest systems, the lower Practises when it comes cyber security, I think all smart regardless of what the Practises were there. I think people who were there were doing their best with what they had. But it proved that it was not too hard for somebody to gain remote access into the system. In that case, it may be having best Practises around, segmentation around remote access, secure remote access specifically. And again multifaceted authentication going into and that again is to protect yourself against a remote access attack. In that case, ransomware was not an issue. So the whole conversation that we just had about backup and doing a full recovery does not apply because the attack is different. But if you wanted to protect against ransomware, then of course you want to make sure that every single one of your services backed up, never stop there. Having all your services backed up is not enough. You have to be able to prove to yourself that you can do an orderly and full recovery once you have identified a safe point in time to recover to or to recover from.

Karissa (30:12)
Okay, so I'd like to talk about post breach mindset. You've obviously raised it a few times. Talk to me a little bit more about this. What does this look like from your point of view?

Edgard Capdevielle (30:20)
In a post breach mindset, you've already gone through the trauma of an attack, so you already changed the priority level of cyber. It is the point in time where you think wow, if I did have if I had implemented multifactor indication, for example, it would have been harder for people to steal credentials and therefore harder for the initial ransomware to penetrate my systems and harder for that initial malware to do lateral movement and identify systems and reach that command and control server that was able to extend that attack through our modernization. It forces people to think about this more. I think it's pre breach man said it's a nuisance. I don't want to deal with it. I already have too many things to do. Uptime is my number one requirement. Everything else is a distraction. Two, cyber security. Security is one of those pillars and requirements for uptime and I need to start focusing on them and I need to elevate and bring my cyber security investments, practises and skills to par to support my availability requirements, my goals of availability in terms of the system or the service that I'm providing. So that's the main difference between pre breach and post breach is the importance, elevated importance.

Edgard Capdevielle (31:28)
I wish I would have done a lot of those things. Some of those things were fairly simple to do. Again, I keep using multifacet authentication, fairly easy to implement and secs, putting your seatbelt before you start driving your car.

Karissa (31:41)
So what do you think from your experience, people struggle more with? Is it pre breach mindset or post breach mindset? I mean, it's not good or bad, it's just they're both completely different. But what are you seeing people really.

Edgard Capdevielle (31:54)
Struggle with specifically when it comes to critical infrastructure? As I mentioned, for the longest time, these attacks were not common. So it's really hard for a new category, critical infrastructure to insert itself into the budget mix and postgraduate mentality, it really doesn't matter. The money has to come first number and we have to start today. And that's one of the biggest advantages of being able to position yourself into a post breach mentality, hopefully without the breach or the attack.

Karissa (32:23)
So I want to get your thoughts on moving forward now. Is there any sort of hypothesis in terms of the future of critical infrastructure you would like to share with their audience today?

Edgard Capdevielle (32:33)
Yeah, absolutely. So number one, critical infrastructure is going through the same motion that all systems and everyone of us is going through, which is called digital transformation. And digital transformation is all about everything becoming more digital, things becoming more automated. When you look at the growth of IoT, what is the growth of IoT? People are talking about IoT. It's having a lot more sensors, a lot more information about a particular process, a lot more data science and analytics applied to it. And that is only going to increase. And as we increase this, we're going to get more out of our data and specifically out of our critical infrastructure data. The attack surface is going to increase either because we're adding more sensors, so we're digitising more or automating more. So if you look at the other side, the geopolitical pressures are not going necessarily to be easier or lower in the future. And the existence of attacks and ransomware gangs is not going to disappear all of a sudden. So the propensity for attacks is going to be higher. I think we've seen it, they're more common all the time in different countries. Initially was the US, then it's Germany, not necessarily critical infrastructure yet, but you've seen very significant attacks here in Australia, both in the public and the private sector.

Edgard Capdevielle (33:49)
So the level of attacks is going to continue to evolve in the same cat and mouse pace that I signal earlier or that I talked about earlier. One of the things that I would expect is all sectors affected, which now include critical infrastructure, need to enter into that evolution of getting better over time, matching the skillset, toolset and investment of the attackers so that the incorporation of critical infrastructure into that cadence or cycle is something that we should all expect.

Karissa (34:26)
Thanks for sharing. I think there's some insights and just to maybe include our interview, is there anything that you'd like to in terms of final comments or closing comments you'd like to leave with our audience today? I got anything that you'd like them to think about post our interview today.

Edgard Capdevielle (34:40)
Well, we talked about the importance of critical infrastructure. Sometimes we take a lot of our critical infrastructure for granted. We wake up in the morning, electricity is there, we can make our coffee, we take the train to work, or we get in our cars and gas is available. Critical infrastructure is fundamental to life and human life. And sometimes we don't think about how cybersecurity is going to cyber security. The threat around cyber security, the attack surfaces that it continues to grow, could affect and impact our lives. The world has changed in a significant way. We're now in the post colonial pipeline world in which, in the case of colonial pipeline, it was all about ransomware. But it could be, especially with our geopolitical pressures, all about ideology. Your country must be part of my country or I don't like the way you live because my way of living is better or maybe yours is as bad as mine. Those geopolitical pressures and ideologies are going to start affecting our lives more and more in ways that we're not necessarily prepared to handle. And I think the sooner we can start in this journey and I think governments have a great role to play when it comes to providing initial guidelines.

Edgard Capdevielle (35:50)
But all of us, in terms of our standstills, these guidelines and our willingness to get the wheel turning in terms of investment, skill set preparation and so forth, is extremely important for us to come out in the best possible light here in this digital transformation journey.

Karissa (36:07)
No, thank you. I think that yeah, look, as you mentioned, that we want to be able to illuminate and put more of a spotlight on critical infrastructure and really highlight the impact that would have on us as consumers, like you mentioned, whether it's catching the tray and make a cup of coffee, whatever it may be. So I think that these are the things I'd love to, but I wanted to get you on the show to really share your thoughts because, again, this is real, it's happening. And again, it's not to scare anyone, but it's also to make sense of a very complicated and complex industry. So I really appreciate your thoughts and your insights and thanks for your time today, Edgard. I really appreciate you coming on the show.

Edgard Capdevielle (36:43)
Karissa, thank you so much. Thanks for having me. It's been my pleasure.

Karissa (36:46)
Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes.

Karissa (36:57)
This podcast is brought to you by Mercsec, the specialists in security, search and recruitment solutions. This is Mercksec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital. This podcast was brought to you by KBI Media, the voice of Cyber.

Share This