Riccardo Galbiati is the Chief Technology Officer for Australia and New Zealand at Palo Alto Networks. With 15+ years of experience in the cyber-security industry, he is able to offer strategic advice to CISOs, CTOs and executives, especially when it comes to rationalising technology adoption and leveraging a Zero Trust approach that aims at business resilience in spite of cyber-attacks.
These transcriptions are automatically generated. Please excuse any errors in the text.
You're listening to KBKast, the cyber security podcast for all executives, cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen.
Hey, everyone. It's KB. Thank you for being an active listener on the show. And thanks to you, we've been downloaded in 63 countries. If you haven't already, please ensure that you follow and subscribe to the show for the latest updates. Now, time to get to the interview. Joining me today is Riccardo Galbiati, Chief Technology Officer, Australia and New Zealand, from Palo Alto Networks. So today we're discussing First Principles Thinking applied to cybersecurity. So, Riccardo, thanks so much for joining. It's wonderful to have you here and I'm so excited to hear some of your insights today.
Riccardo Galbiati (01:12)
Thank you, Karissa. I'm very excited to be here as well.
So, okay, talk to me about First Principles Thinking. How could this apply to cyber? And I think the other thing is as well, what do you mean by that statement?
Riccardo Galbiati (01:27)
Yeah. So this is something that I've been working on for, I'd say, a few months now, probably a few years subconsciously. But the idea of first principles and applying that to pretty much any type of problem solving has been around for, I guess, thousands of years. It came from philosophy back in the Greek days, and Aristotle came up with the idea that once you start asking questions to find the truth about something, you end up with some basic foundational blocks that he used to call first principles. So things that you cannot deduce anymore or go backwards from. And you can only start with those bases to go forward. And this type of approach can be applicable to many use cases and many problems in the modern world, including cybersecurity. It's a little bit like thinking from the scientist's point of view. So if you are really working with a scientific approach, you try to break down to the most basic components of what you're working on instead of relying maybe on previous knowledge and building up on top of that. It's an interesting concept that for some reason has not been applied in many fields.
Riccardo Galbiati (02:39)
But where it has been applied and successfully has led to pretty much revolutions of way of solving problems, of creating new markets or new opportunities for businesses, for organizations, for strategies, and so on.
Why do you think it hasn't been applied in many industries? Because what you're saying makes sense, right, in terms of the theory?
Riccardo Galbiati (03:04)
Yes, I think the main problem with that, and you can tell it's almost like a philosophical discussion, is that people tend to rely on assumptions, on things that have been discovered before or have always been done in a certain way. And change is difficult. So if you're used to running things in a certain way and suddenly you're like, hang on, we've been doing that for 100 years. How about I come up with something completely new to solve the same problem and see where it goes? It's hard work and it requires a lot of thinking. One way to put it, sometimes when I think about first principles, to make it easy to understand, is when we grow up and we are kids, and that happens to me on a daily basis because I still have young kids, sometimes you get asked those famous why questions by the kid, right? Why do I have to go to sleep? And I start answering, Well, because if you don't, you're going to be feeling tired tomorrow. Yes, but why? And you go back and say, Well, because if you don't go to sleep, your brain cannot memorize all the things that you learned today.
Riccardo Galbiati (04:06)
It doesn't change to rest. Yes, but why? This keeps going back until effectively you yourself, as an adult, realize that you don't have the answer and you probably cannot go any more backward to find that. And that's where the first principles thinking starts. And it allows you to come up with actually the real knowledge behind what you're working on. In modern days, there's a saying that has been around again for probably a thousand years that we are like dwarfs standing on the shoulders of giants. Have you heard of that one?
Riccardo Galbiati (04:36)
So that came from Bernard de Chartres back in, I think, the early first millennium. And it's a valid argument to think that we can only progress by relying on knowledge that has been created before us. But at the same time, I feel like sometimes we've got to slay some giants in order to find out new solutions. And this has been done before. And when I say revolutionary results happen from this, I think of approaches like the success of something like SpaceX. Elon Musk is one of the biggest proponents of first principles thinking, by the way. He has been trying to solve problems that have been common for a long time, but with completely new approaches. And one of the examples that I normally bring up is the one of SpaceX. How do you solve the problem of sending rockets to space, to the moon or to Mars, with the fact that rockets are too expensive, that most of the rocket components get completely discarded? He managed to rethink the whole strategy behind it, including the idea of having reusable rockets. That was never even considered. He didn't do a progressive, let's say, incremental addition to what was done before.
Riccardo Galbiati (05:50)
He completely rethought the problem from scratch and came up with a completely new solution.
Your kid's asking why. I was that kid and so was my brother. And Google didn't exist. So it drove my parents crazy. They had to get encyclopedias. It was always, but why? But I still think I still ask why, which is why I love running the show. I want to know why. I'm curious. So I think that I don't know whether I haven't grown up and become an adult, but I still have that mentality like a kid of knowing why. So I think that it's so interesting that you say that because I can relate to that when I was a kid. Do you think as well, though, Riccardo, I've spoken to people, whether it's casually or in business, I feel that people just can't handle when you ask them, Well, why is that the case? Now, it's different on the show because people like yourself, they come on here, they like that I ask those questions. But I found in my life that when I'm asking someone, Well, why is that, or why do you think that way? Or, Why are you doing it that way? It's like they just can't handle it. Why do you think that's the case?
Riccardo Galbiati (06:55)
Well, I think you hit the nail on the head right there. So first of all, to be a good journalist, you need to ask those whys. So I'm glad that you do that. But secondly, whys and asking whys is really digging into deeper inner knowledge. And sometimes that makes people uncomfortable because, first of all, they're not sure they know the answer. And then you're requesting to think outside the box. That's the whole idea of putting yourself in that first principles mindset. Why am I doing things this way? Have I ever really questioned myself? And this is where it comes down to cybersecurity. I talk to many organizations on a daily basis, and you'll be surprised how many times I ask them, Why are you spending so much money or focusing on cybersecurity in the first place? What are you trying to achieve? And sometimes even at the CISO level and beyond, they don't have the answer. They focus maybe on, Oh, well, because I need to protect my devices, or I need to protect my employees, or I need to... but if you dig down into that rabbit hole, you figure that they don't have the real answer because they've never thought about it.
Riccardo Galbiati (08:08)
And in some cases, the answer should be pretty much the same for all these organizations. If we think about cybersecurity, nowadays, it used to be an IT problem, right? So on the IT side of the business, you normally had reporting lines into the IT business, and people thought about cybersecurity experts as IT. But I would argue that nowadays we can clearly say that it's a business function. Cybersecurity is now helping the business itself, not just the IT element of the business. So if we boil it down to why cybersecurity should be in place, finding that first principle applied to cybersecurity is probably to make sure that the business keeps running in spite of cyber attacks. That should be the overall mission. So avoiding the risk, or reducing the risk and probability, of a cyber attack impacting materially your business. That's the answer to the original why. And not many people, even CISOs and, as I said, security practitioners, have the answer in their head.
I totally understand what you're saying. Don't you think that's a little bit concerning, though? I mean, if you're a leader and you're not asking, why is this being done? Do you think that warrants being a leader then? Or else that just feels like you're just following the bouncing ball? You're not really creating change or innovation and potentially saving money or saving your organization from cyber criminals or adversaries. So I don't understand why people are not asking why more. Do you think it's because people perhaps don't have that capability? They don't want to lift open that door and discover what's underneath it. Are they lazy? What is it?
Riccardo Galbiati (09:50)
I think there's a few reasons behind that approach. And the fact that people don't go that deep is because probably they're, first of all, too busy. There's a lot going on in any medium to large organization; the amount of tools and controls that a person with security responsibilities has to manage is overwhelming. So if you actually stop focusing on those and go back to asking yourself questions, you feel like you're wasting time. You're wasting valuable time, or you might let your team down, or you might let your infrastructure not work properly, or feel like you're missing the day-to-day operation side of things. That's, I think, one of the reasons. And the other one, as I mentioned before, is the fear of change. So maybe you find out that one approach that you've been relying on for many, many years is not as effective as you think. But changing that is going to take a long time, a lot of money, different people to be involved, and it's just too hard to move on from. So they compromise or settle on, Well, we're not ready for that change now. It's probably not the right time, and we'll stick with what we have, and we'll keep floating as far as we can in terms of not going under or being overwhelmed.
Riccardo Galbiati (11:07)
But we're not going to make a change that could drastically improve our cyber security strategy in the first place.
Yeah, and I understand and I do get it. And I do have empathy because it is hard to do. But how do we find the balance? Because you can't just keep saying, oh, we'll just float along and see what happens. But we also don't want to come to the point where you're asking why and wanting an answer for every little trivial thing, perhaps. How do you strike that balance in an organization?
Riccardo Galbiati (11:35)
There are some, let's say, obvious assumptions that have been around for many years that have started to be questioned, even by the industry itself. I'm thinking in this particular publicity, obviously in cybersecurity, things like being strategic about your cyber security program might not mean relying on overused tactics that effectively are not strategic. I'm thinking defense in depth. That is probably one of the most popular approaches to cybersecurity that derives from the days of military engagements and fighting of soldiers in between countries and how they lay down trenches and obstacles for the other armies not to be able to cross. It's a very passive approach that hopes basically that an attacker stumbles on one of these controls, and then if he manages to pass through that one, he hits the next one and then it gets stopped there. And if you think about it, there's not really strategy there. It's more of a, as I say, passive way of trying to limit movement, but expecting that to happen anyway. So that defense in depth approach, I see it very much still present in companies nowadays that rely on multiple layers of segmentation or putting these redundant controls at multiple places, again, hoping to catch an attacker, but not really actively focusing on the main goal, which is how do we stay in business in spite of cyber attacks?
Riccardo Galbiati (13:07)
And that mindset is starting to go away. I have had a lot of conversations with organizations that are effectively removing perimeters, for example, which is directly associated with the approach of defense in depth, thinking that, well, actually, a perimeter is a very legacy way of thinking about protecting my assets. And we've demonstrated over multiple years and iterations that even concepts like zero trust are effectively targeting the inefficacy of perimeters. Because once you breach a perimeter, in the majority of cases, you are free to move within that perimeter. And so perimeters are starting to disappear. And I see this applied to many other areas of cybersecurity. I can think of the Security Operations Center and how, again, through many years and iterations, it has evolved into what it is today. And in most cases, it doesn't really serve the mission of cybersecurity because it's overwhelmed. It's focusing on collecting alerts instead of operating cybersecurity, which should be the purpose of the SOC itself. A lot of pockets in cybersecurity are starting to realize that long-serving preconceptions and assumptions can be broken and probably changed by new approaches. And that's part of the first principles thinking I'm referring to.
Okay, so let's start with assumptions. Now, you said you speak to a number of different people in different organizations, so you've got a pretty good view or handle on what people are saying. So what are some of the assumptions that people have about cybersecurity?
Riccardo Galbiati (14:46)
Yeah, I'd say, for example, one I just referred to, that a perimeter should be used to protect networks. That's a very common assumption. I don't know any company that doesn't have a perimeter nowadays or builds perimeters using firewalls and other controls and tries to put them at the edge of their organization or internally towards their data center. And that's been the bread and butter of cybersecurity for probably 30 years. Another big misconception, I'd say, or preconception, is that you should focus on every single attack that hits your network and prevent it. That's been around for many years. As soon as someone gets the sense that there is an attack going on of any kind at any level on any type of device, they feel like they need to chase that and protect against it. And again, it's a misconception because you first of all don't have the time to chase all these attacks at the same time. And then you realize that not all of them will cause material impact or will even come close to limiting the operations or the goal of your own business. One other one that I think about a lot is data classification.
Riccardo Galbiati (16:02)
Going back to the first principle, I would say, or one of the first principles of cybersecurity, keeping in business, how do we keep in business? What do we have to protect to stay in operation at all times? Well, in the majority of cases, we have some assets that we need to protect above all else. We can call them crown jewels, we can call them critical assets, but those are the elements without which, again, the business collapses. In some cases, they are related to data. Not always, but more often than not, organisations in any vertical hold some sensitive data. It could be intellectual property, personally identifiable information, patient records, payment systems, and so on, data that you're storing. So if you know what that data, the most critical, is, and you know that you're protecting it appropriately, or you have the highest level of controls around it, you don't have to classify the entirety of your data storage across the organization. And that is a misconception. People think that unless you have done complete data classification for the organization, you cannot actually start prioritizing where to focus. These are just some examples, but there are many that, again, have been applicable to cybersecurity.
Riccardo Galbiati (17:21)
One other that just pops up in my mind now is the security operations center. Going back to that, I am too small to run a security operations center. I don't need it. I can't have it. I don't have the staff or the skills to run it. Is that true? Well, if you are thinking of running the security operations center in a completely manual way, using people to run it, yeah, probably it is true. But we are now at the point where we can leverage a lot more automation. We can screen through the noise of the alerts that are thrown our way by leveraging artificial intelligence, machine learning, all these buzzwords, if you will, but effective capabilities that sort out the overwhelming amount and make a very small team able to run the SOC. This is what I normally think of when I refer to misconceptions in cybersecurity today.
Great examples. I'm picking up what you're putting down there. You said keep in business. Now, I've spoken to many people on this show about whether a cyber security practitioner is thinking enough about how the business works, how it makes money, how we stay in business, the mechanics. So what do you think about that, Riccardo? Do you think people are thinking along those lines? Because at the end of the day, if the business is not making money, you don't have a job as a security person, really. If the company goes bankrupt, it doesn't matter anymore. So I'm curious to know, from your perspective, are people thinking about how do we keep in business? Do you think people are doing it enough? And then if not, how can we encourage people that this is what they should be leading with? Which, again, falls back to your philosophy on first principles thinking?
Riccardo Galbiati (19:02)
Yes. I don't think so. As I said, when I speak to organizations, it's rare for me to find someone who actually tells me that they are focusing on maintaining the business in operation. They normally focus on their own little pocket of influence. If you are in network security, you focus on establishing proper policies of access in between the network. And that's as far as you think you're contributing to the business. If you are in network operations, it's all about availability. If you're in endpoint detection and response, you care about securing those devices where they are and making sure they don't get compromised. We can't have everyone thinking about everything at the same time. But the strategic element applied to cybersecurity should be top of mind for whoever is directing this entire team of people that are focusing on these smaller pockets. The idea, again, and I find that the SOC is probably the right place where the solution could be found, is all these areas of pockets eventually produce a lot of information and data that can be centralized and should be centralized, but not just for collection purposes, but also for identification of patterns and remediation back into those tools and control points.
Riccardo Galbiati (20:17)
So I always think of the SOC as the, let's say, central nervous system of an organization from a cyber security perspective, where you would want to collect all that information and then give it back to where that came from in order to correct and operationalize change. And if the CISO or the SOC operations team has in mind how to efficiently operate on the information they're given, they are serving the higher purpose. They are effectively coordinating all these smaller pockets where the teams are not thinking big picture. But at the SOC level, you can think big picture. You know that you've detected some attacks. Which ones of those were actually targeting our core critical systems, our crown jewels? So they are serving the higher purpose of the business itself to stay in operation.
That rattles me. Now, you said that's quite common, that people aren't thinking about how does the business keep in business, for example. So a couple of things. Number one, because when you think about it and you zoom out, you're not there to just do security stuff or practice security, as I've mentioned multiple times on previous podcasts. But you're there to actually serve a function to a business. But then do you think, because they aren't focused on how do we keep in business, security people are missing things?
Riccardo Galbiati (21:41)
Yes. So as I said, there are levels and hierarchical levels and responsibility levels that have a different focus. You would wish, obviously, that someone that runs your firewalls thinks about, for a forum, I don't know, an energy company, thinks about how important it is for our electricity to keep running through the various houses and businesses that we are provisioning today. But in reality, they have been delegated with a smaller task of the big picture. And that is absolutely normal. You can't just apply big picture thinking to every single piece of the puzzle, I'd say, that cybersecurity is comprised of. What would be nice, though, is that all these little pieces of the puzzle are easily mixed together, that they integrate with each other, that they can talk to each other so that a couple of layers up, the picture is very clear. So if you have pieces of the puzzle that don't connect and then you try to draw or see the whole picture that the puzzle is trying to represent, it's going to be very complicated to keep it together. Whereas if these pieces are designed in the first place to communicate, to share information with each other, to contribute to the bigger picture, then a few layers up, that mission is achieved.
Riccardo Galbiati (22:55)
So we can't expect every single security practitioner to align to the very first principle of maintaining the organization in business at all times in spite of cyber attacks. But at the bigger picture level, at the C level, that should absolutely be the mission. And it's changing. It's slowly but surely changing. One of the biggest conversations I have at the moment with organizations is the reduction of fragmentation. As I said, you want the puzzle, you want the pieces, but maybe you don't need a 1,000-piece puzzle. Maybe you need a 20-piece puzzle. So it takes less time to assemble. It's easier to see the picture earlier. Pieces communicate with each other and you overall get a better outcome. If you have a thousand pieces, have you ever done a thousand-piece puzzle? No. It takes. Never. It takes a long time. My mother-in-law loves puzzles and sometimes I see her working for days, if not weeks or months, in putting them together. But it's really hard to get there. It takes a long time and we don't have that time in cybersecurity.
From a team member perspective, I get it, you can't be thinking big picture. But as you said, there are layers to it. But as a leader, and you were saying before that some leaders don't think about this, that's the problem. If you're a leader and you're not thinking about the big picture and what we're here to do as a function to protect the business and keep in business, that's where I see the unravelling.
Riccardo Galbiati (24:23)
Yeah, absolutely. Look, it's not always like that. I'd say this type of mission, this type of thinking is normally in the back of their mind. And it also connects to the way they report. Who does the security leader report to? Is it the board directly? Is it the financial officer instead? Or is it a risk type of chief risk officer? Depending on the reporting line, normally they are much closer to the business needs and they feel the demands of the business falling down on them. So they are reminded of the mission behind the cybersecurity program itself. But in some cases, and especially where a lot of fragmentation is happening, as I said, they are too busy keeping the pieces together to focus on the big picture. So they eventually delegate. They delegate a lot, maybe into the project side of things. We need to deploy an endpoint solution because ours is obsolete. Yes, but have you actually thought about how that is contributing to the overall strategy? What specific contribution does it make to staying in business? Is compromising one of the laptops of the employees critical from a material perspective? Is it actually going to move the needle in the overall security risk perception, or is it just a nice to have?
Riccardo Galbiati (25:46)
And these types of approaches, again, going down towards the reduction of fragmentation, are what normally brings back the awareness of we can do more with less. We can actually do or achieve more with fewer capabilities if these capabilities are better integrated. Again, one of the biggest indicators of this approach being successful is companies are starting to focus less on the best of breed approach in deploying cybersecurity. This was a big topic in the last 10 years, I'd say. If you think about how security technology is developed, normally there's something new that gets created, like a new way of offering the service to customers, a new way of storing information, maybe in the cloud or accessing it via API. And then we realize that that system or that methodology is so effective and advanced, but it uses new technology that we don't know how to secure. And so a new startup gets created to solve the problem. And there you go. You've got another best of breed tool that does exactly that and tries to fix that issue right then and there. You need to have it because if not, the new technology you are using to service your customer better is not protected.
Riccardo Galbiati (27:02)
But if you play that game for too long, with the speed of developing new solutions and new technologies and advancements, you will end up with hundreds of best of breed products and capabilities. And that's where the focus ends up being, instead of saying, What are we here to do, really? So that consolidation of best of breeds into platforms and consuming the capabilities from platforms has become a trend that facilitates, again, the thinking at a bigger picture level.
I hear what you're saying. So how would you recommend, Riccardo, like you spoke before around things being fragmented, how can people be less fragmented? Do you have any recommendations or any advice?
Riccardo Galbiati (27:48)
Yeah. So as I was just referring to, the platform approach to cybersecurity is becoming quite mainstream. There's a few statistics about how many of these single best of breed tools are utilized by companies now to secure their environments. And I think it ranges between the 70s to the 100s. So between 70 to 100 individual products on average are used, and that's way too much. So what we're seeing is that when these capabilities are adopted into more of a platform approach, where you can subscribe to the platform and choose which capability to consume from it, it becomes much easier, first of all, to access the capability itself. The platform normally guarantees that there is communication between the various capabilities or modules that the platform is comprised of. So it solves a lot of the language barrier between tools that are not designed to talk to each other. Besides, the benefits from a financial perspective in some cases are relevant when platforms are consumed as opposed to single individual tools licenced at different times. These have been quite successful strategies. One that I can think of immediately is the SASE, or Secure Access Service Edge, approach that has really identified that we were again going down the rabbit hole or the mistaken path of fragmenting our approach to securing access from remote locations to cloud, to data centres.
Riccardo Galbiati (29:29)
We have so many capabilities like secure web gateway, zero trust network access, proxy and URL filtering, and all these things that were delivered by individual tools in the cloud, but again in a very fragmented manner. And SASE has pretty much defined a new way to consolidate these capabilities into a single platform, which means you deploy one solution that does all those services at the same time and provides a single conduit for access between every user to every application, to any location, and enforces those principles of security like zero trust. They are required to do it in the most effective way. So that mentality, as I said, is starting to get traction. And if security analysts like Gartner are predicting that this is the way to go, and that between now and 2025, 80% of organizations will look at consolidation of these capabilities into a SASE, mostly single-vendor approach, then we're seeing that there is change happening.
Do you think people don't like change, though? Because as we know, we're creatures of habit, no one likes change. How do we get past that part? And as you were saying before earlier in the interview that, yes, maybe people just compromise because it's like, yes, I probably should do the thing, but it's okay for now because I've got other things I need to focus my attention on, or it's going to take too much energy to change it. How is the mindset around this change going to assist with the adoption towards SASE, for example?
Riccardo Galbiati (31:04)
Yeah, change? No one likes change. I don't know many people who are like, Oh, I can't wait to change everything I do on a daily basis. Routine is what humans are trained to like or mentally able to accept in a much easier way. Change is hard because, well, first of all, it forces you to learn new things and that takes time and effort. And in some cases, it's expensive or it can feel complicated. Now, one trick in order to make that less daunting for people to accept change is obviously to offer a transition path, for example, making sure that whenever you are trying to change your network architecture, you don't completely throw everything out of the window and start from scratch because, to be honest, no one can afford that. You can't stop business. Again, that would be contradicting the first principle we were talking about before, staying in business. Well, if you've got to change, you've got to stop operations. That's not going to fly. So transition, and the easiest way to transition to something that will deliver a complete or maybe a better outcome by using less technology, is key. And to be honest, when we are discussing technologies like SASE and maybe changing from standalone VPNs or secure web gateways that provide two different services that could be consolidated into SASE, in the majority of cases, since we leverage the cloud for SASE, secure access services implies that you're delivering those services from the cloud.
Riccardo Galbiati (32:34)
It makes it quite easy and flexible to get into that type of architecture. And the architecture, a proper SASE architecture, is designed to grow over time. So adding the initial use case, maybe for your remote users accessing your applications, that could be your first use case to adopt a SASE solution. And once you've solved that, you realize that you can add on to that seamlessly. So the change doesn't become so much a complete 180 degree reverse of what you were doing before. Let's say a constant and effective way of adding on capabilities over time.
So as you mentioned before, Riccardo, you said that you're obviously speaking to a number of people in the market, and so you're talking to them about SASE, for example. What is some of the commentary that people are saying? Yes, in an ideal world, it makes sense. Maybe next year? Are you getting much push back, or are people on board? Because it's not going to happen overnight. It's not a flick of the switch type of thing. It's going to be a bit of a process. So what's the word on the street?
Riccardo Galbiati (33:41)
Yes, I'd say, well, to be honest, it's not a flick of the switch, you're right, but it's also not as complicated as you may think it could be. As I said, with a proper migration approach, it's not that hard to adopt SASE for some use cases in a matter of days. We've had organisations that adopted SASE solutions in a matter of literally a couple of weeks, especially when they were rushing through the first pandemic days and they needed a solution to deliver that. Now, you don't want to do it that fast, most likely, but it is easier than most people think. But yeah, the approach normally to change from what has been done for many years to moving to something like SASE requires, first of all, an important step, which is that a lot of these capabilities that I mentioned before are siloed in the technology itself, but also in the teams that run it. So in the majority of cases, you have maybe security people taking care of how the traffic is secured towards your cloud applications. But then you have user experience people that are focusing on remote access. And then you might have network people that focus on the VPN connectivity itself.
Riccardo Galbiati (34:52)
So all these siloed teams are the ones that need to be brought together to the table in order to propose the transition to an architecture like SASE. And the most effective way I've seen that is when these teams have actually designed the requirements for the solution to be deployed, sat at the table, confronted each other with how things were done for many years, and figured out that they could eventually solve each other's problems by coming together. So what I really like about the approach, again, of going back into first principles thinking, is that sometimes even these silos that we've created can be broken down if we start asking those why questions. And bringing together people is the quickest way to then adopt solutions that are designed to consolidate capabilities.
So with everything that we discussed today, what would be your recommendation for people listening to this interview and then thinking about what you've said and then how they can move the needle with their organization? Do you have any advice for people to take away from today's interview?
Riccardo Galbiati (35:58)
If you're working in cybersecurity today, especially if you're a leader in cybersecurity and if you're not thinking about what is the primary mission that your cyber security program should focus on, what is the most important asset or crown jewel or element within your organization that should not be allowed to ever be compromised? If you're not answering that question, you should probably go back to the drawing board and try to understand if you are overcomplicating the issue in the first place. If there are areas of optimization that you can focus on, especially in reduction of fragmentation of capabilities that is distracting you from that mission. Once you have realized that cybersecurity is a function of the business and not so much a function of just the IT department, you will probably find that you've answered some of the first principle questions and you can think about your cybersecurity strategy in a completely different light and probably get on the other side of this tunnel of thinking with a better idea, better solutions, probably a better budget in the medium to long term, because you're going to realise that most of the capabilities you're implementing today are probably overlapping and unnecessary to achieve that main business goal, which is staying in business, running or servicing your customers or your organisations without being disrupted by cyber attacks.
Do you think that some people are not aware that there's overlap, or do you think they are aware? But again, it comes back to, well, I've got other things to do and I've got to prioritise things. What are your thoughts on that?
Riccardo Galbiati (37:36)
I think that some people are aware that there is overlap, and in some cases it's quite obvious. As I said before, defense in depth, I wouldn't call it a strategy because for me it's very tactical, but it's an approach that requires overlap as part of the design. So in some cases, this misconception has been so embedded in the mentality of cybersecurity practitioners that it's hard to go away from. But in other cases, they do not realize that there is overlap. I'm pretty confident in saying that if you have over 75 security products and you are the leader of the security team, like the CISO, you probably have no idea how many of these are doing the same thing or overlapping with each other or conflicting with each other. That is quite common. So doing a proper assessment of even how many tools you have, which, again, sometimes there is a wake-up call in realising how many of these tools could be consolidated, is the first way to realise if you are overlapping and how far you're doing that.
75 is a lot. You said 75 to 100. Yes. I can guarantee you some of them are not even being utilised at all. People don't even know the full functionality of some of these tools that are out there. Correct.
Riccardo Galbiati (38:45)
So in some cases, these things have been deployed for a specific technical requirement, maybe towards a new technology or even a specific type of attack that was around over the last few years, and then never utilized. Either never utilized or never utilized to what the original intent was, and maybe put into place and forgotten. Policy is never reviewed or misconfigured. And if they are utilized, as I said before, they normally tend to create alerts that get sent to the SOC and either discarded or not connected to the rest of the visibility that should be required at that level.
I've heard this a lot from people on the show around the tools, or people have purchased a tool and then that person's left and then people don't even know that it exists there, or there's a political thing as to why they want a certain tool because they leveraged it before in a previous company. There's a lot of that that goes on. So do you think that over time, you've just got to really trim the fat and start to ask those questions, do we need all of these things, right? Absolutely.
Riccardo Galbiati (39:54)
That's exactly what consolidation is about. To give an example, I did last year and I asked them how they were managing their SOC and how they were ingesting alerts from all their tools, which they had a few dozen of. And they told me, Oh, yeah, definitely. We are using a SIEM, Security Information and Event Management system, where we're collecting that. But it's quite expensive to license the tool. I said, So what are you doing about that? And the answer was, Well, obviously, we don't want to spend that much money in having all those alerts stored, so we filter out. Before it hits the SIEM, we get, let's say, a million alerts. We can only process, because we want to pay only for, 200,000. So we reduce the ingestion rate into the SIEM. And I said, Have you actually thought that you are completely overriding the utility of that tool if you don't feed it with all the visibility that you can? So clearly you have tools that are sending alerts that you don't care about, or you only care about how many you can process, so you're missing the big picture. So that's what fragmentation is.
It's counter intuitive.
Riccardo Galbiati (41:07)
Exactly. It's exactly counter intuitive. You're hoping that your security operations center, your SIEM, is the one that has the biggest knowledge, has the vastest ability to visualize these alerts, but you're filtering them out to save money. That is not serving the business and that is not serving the overall mission. You're missing out because you're seeing the small picture and not the big picture.
But can I ask, on that front, you obviously work for a vendor, but wouldn't the vendor be like, Hey, I totally hear your point, but maybe we can work this another way? How are they okay with that? Because like you said, it's overriding the utility of the tool or the function. How can a vendor sit there and actually be comfortable with that for their customer?
Riccardo Galbiati (41:47)
Well, in some cases, the vendor is counting on the fact that the more, again, if your licensing model is based on how much you can ingest and how much you can store in your own SIEM, let's say, then it's in the interest of the vendor itself to make sure that that is the largest amount possible. But the correct approach would be, well, instead of filtering manually these alerts that are coming towards your SOC, how about you implement some automation that takes care of the overwhelming amount of alerts automatically and then lets through only the ones that need to be acted upon by a human? So that solves the problem of storage. It solves the problem of the human skills shortage in the SOC because you need fewer people to run it. In fact, one of the most recent evolutions in our product line is twisting effectively, or flipping around, the way that alerts are processed in the SOC. We have been used to the idea that we have humans that receive alerts and they ask machines to help them sort them out. Well, what we want to do is the exact opposite. We want machines to sort out all the alerts they can and then let humans intervene afterwards whenever something cannot be processed by an automated process or an artificial intelligence algorithm.
Riccardo Galbiati (43:10)
We see that that is a much better approach than trying to limit ingestion for the sake of saving money.
Yes. Look, I think each vendor to their own in their approach. But again, it's always about looking after customers. I think that you make an excellent point there at the end. Thanks so much for sharing that. So in terms of any final thoughts or closing comments, Ricardo, is there anything specific you'd like to leave our audience with today?
Riccardo Galbiati (43:38)
I'm optimistic towards the future, and the fact that, given the conversations that I have on a daily basis, the approach towards consolidation and reduction of fragmentation, of removing the silos between different teams, is showing that there is a new trend in cybersecurity that is aiming to answer those first principles thinking type of questions. We're going back to finding out what is the true mission of our team, of our cybersecurity program, and that is absolutely positive. What we need to see happen is probably the whole cybersecurity industry coming along with that approach. I still see a lot of, let's say, small startups being created for the sake of solving an individual technology issue in the cybersecurity space that eventually will get peer and not deliver any particular outcome to customers. I hope that the cybersecurity industry will come together and try to partner up more than silo, because if customers are going down that path, we would expect a little bit also the vendor side of things to do the same.
Absolutely. Thank you so much for your very frank and honest conversation. I didn't expect anything less from you. Thank you so much for your time and sharing some of your insights today, Riccardo. I really appreciate it. Thanks for coming on the show.
Riccardo Galbiati (45:00)
It's been a pleasure, Karissa. Thank you.
Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security, search and recruitment solutions. Visit mercsec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to kbi.digital. This podcast was brought to you by KBI.Media, the voice of cyber.