Wendy Thomas [00:00:00]:
This is a shared responsibility, the building of trust. As customers of businesses, as leaders of businesses, we all have a shared responsibility as global citizens here to be willing to invest in just a little bit of friction, a little loss of convenience to be able to be more collectively secure. Because while it may not be you today that’s damaged by that breach, it is your fellow citizen who’s damaged by it. And by caring enough to protect them, in the end, you’re really protecting yourself too.
Karissa Breen [00:00:52]:
Joining me today is Wendy Thomas, Chief Executive Officer from SecureWorks. And today we’re discussing rethinking trust and security. So, Wendy, thanks for joining and welcome.
Wendy Thomas [00:01:00]:
Thank you for having me. Glad to be here.
Karissa Breen [00:01:02]:
Okay. So when you say rethinking trust and security, now there’s, you know, in my tenure in this space, which is about a decade or so, like, everyone’s sort of thrown around the word trust. And what does this mean? So I’m really curious to know from your perspective with your role and your experience, what does this sort of term mean to you?
Wendy Thomas [00:01:22]:
Well, trust and security and frankly in technology generally is becoming increasingly important for organizations to to know that they are doing no harm, as they say in terms of securing their operations, but also leveraging technology to scale their, their business, their organization. But I always talk about the sort of the power and the peril of introducing new technology, whether it’s cybersecurity or AI, fill in the blank, that there’s always a balance there of of of moving too quickly to adoption without thinking about the implications of what that means for data privacy or trust in the results of what that technology is telling you. And getting sort of ahead of the the game and the thought process and thinking proactively about that before simply experimenting with new tech, which is attractive, but not necessarily creating great results for us again and again. It’s just a shift I think we need to think about as not just leaders of these technology businesses, but as global citizens of balancing consequences with adoption.
Karissa Breen [00:02:30]:
Okay. Okay. So when you said before doing no harm, what do you mean by that specifically?
Wendy Thomas [00:02:34]:
Meaning that the that the benefit of adopting that technology is not offset by the externalities, if you will, of what that technology means. In so many cases, you know, we are the, the product of, of these various technology companies where it’s our data that we’re giving away for free. And I don’t know about you, but I’m not reading all of the extra long legal documents before I agree to use an application. And if we’re gating our ability to use, applications or technologies that that create a lot of convenience for us and frankly, interoperability with others and communications with others. You’re sort of signing your life away in the process of doing that. And what you don’t know is the is the harm that can come from that exposure of your data that can be that can be hacked, it can be used for advertising to you, feeding you, increasingly, information that is not necessarily a wide view. I think it’s time for us as as consumers, if you will, of these technologies to start to push back on what is the implication of that as opposed to just focusing on the convenience of being able to use it.
Karissa Breen [00:03:43]:
This is interesting. Now I’ve spoken on the show at length around the term side of it, what they mean, how they are, you know, written, perhaps convoluted to you know, with the intent that people don’t understand it. But to your point, harm from the exposure, signing up for the platform, you know, it’s it’s easy, and we’re sort of, you know, willing to trade convenience and security and all those types of things. But do you think in today’s day and age as of today, do you think people really care nowadays? And I ask that simply because I’m I’m looking at it through, yes, a consumer perspective, but then also, you know, people would argue even to me saying, oh, well, KB, I don’t really care because, you know, I’ve been in, like, 6 data breaches, specifically in Australia in the last few years. So, like, why do why do I care? So, like, what’s another thing that, you know, that potentially could harm or expose me because I’m already exposed?
Wendy Thomas [00:04:32]:
It is. And I think you, you, you said a couple of key things there. 1, sort of trading convenience for security, and security does go beyond just that identity and personal information until you feel the consequence. And so what happens is when, when that data is exposed and you aren’t necessarily the one that feels that impact right away, you don’t realize every single time, these threat actors are able to use that information to wipe bank accounts of the, of an elderly citizen, if they’re able to fund the the next exfiltration of data, they’re able to fund that next attack. Essentially, they’ve created a very lucrative economic model. And while we may not be individually impacted on every given breach, we are part of the collective that’s still fueling that economic model. And so this idea of us treating a little bit of convenience, being willing to take a little bit of friction, those harder passwords, putting, you know, a second authentication on logging into pretty key sites, like a bank account or, you know, a payment account. If we’re willing to trade just that one extra step in order to break that economic model for all of us, even if we aren’t directly impacted in that moment, we can really start to turn to turn the tide of friction that makes this a more costly, business model for them to be in.
Karissa Breen [00:06:07]:
Okay. So following that note around the economic model. Now you may not be aware, but, you know, recently, there was a company, like, within the last 12, 18 months, recent. They’re a big retailer. They had a breach. Now I went down the path in speaking to them, and, eventually, I got a statement from them. But I’d said, were you trading security for convenience? Because, again, like, when when you’re looking at a ecommerce platform, so example, and I know you’ve got a finance back end, so you appreciate as well I make. If they’re gonna add an additional step, right, that means they’re gonna induce that friction, which potentially means card abandonment, which then means loss of revenues, etcetera.
Karissa Breen [00:06:42]:
So, therefore, do you think companies out there are really gambling that with the intent that hopefully it doesn’t happen? Yes. We can have the right controls. But then at the end of the day, you know, companies do get popped. So this was an example of that. But I do believe that this organization traded on the fact that, well, if we add an additional step of friction, we may lose out of x percentage of, you know, revenue or whatever that look like. Do you think that companies are thinking like that?
Wendy Thomas [00:07:12]:
I think they are thinking if they are the only one that does that, then certainly they might lose an edge. My counter to that is right. 1st, it has to start somewhere. But if you, if you use that as a branding opportunity, if you say, you know, as it is the, as the, the circle is rotating on the website as it’s loading, we’re doing this to provide extra security for you and your credit card information. What a message that sends to people to start to expect that from the companies that they do business with. I, I think there’s a messaging part that goes with trading that convenience that says we’re actually doing something because we care more about you than just a quick sale. That that could be quite powerful.
Karissa Breen [00:07:56]:
Okay. This is interesting because when I’m speaking to internal clients, so size of their friends, they’ve started to ask that question, like, how do we engender trust, like, from a client side. Right? So that’s about service providers and vendors and all those types of things. But do you think more companies now need to use what you’ve just said as an example, as a way in which they can brand to say this is how we’re engendering trust because it’s something that I have started to see perhaps from, like, a banking perspective, but less so in other areas. What are your thoughts then on that?
Wendy Thomas [00:08:28]:
Think of an analogy here of cybersecurity should enable a business to move faster in the sense of like brakes on a car, right? They’re not meant to stop the car from moving, but to enable the car to move really, really fast, but safely. And, and so business uptime and no unnecessary friction is, is the balance to be struck against optimal security here. And because as we saw, right, just a couple of weeks ago, how incredibly interconnected we all are in terms of technology, interdependence, interoperability, how much our daily lives are dependent on our phones in a way that used to be just electricity and water in our homes. I think that the, the willingness of us to, to say we are introducing this so that everything can in fact move faster safely is a branding and a communication strategy that does in fact build trust because it’s true, right? Always start with the, with the truth. There’s, I think, enough awareness now in the, in the public mind to, to understand the implications of not being able to get gas or not being able to take a train or your flight is delayed, or surgeries are delayed, that we we actually care about those consequences enough to to sort of adjust our behavior and our mindset.
Karissa Breen [00:09:54]:
Okay. One thing that’s interesting about this is I wanna talk about just going back to your example for a moment that, you know, on the screen, we care about. We’re doing this for your own security. But how much of that is genuine? Now I asked that because I feel like any marketing person in large companies would be like, okay. Cool. We’ve just gotta put up a little little thing on the side that says we care about cybersecurity. Right? Like, anyone can do that, but is that the truth? So how would you sort of position that trust from going from a, you know, something on the website to actually living and breathing that philosophy that’s being engendered then on the site from the organization.
Wendy Thomas [00:10:32]:
Well, just like when you’re, when you’re embarking on sort of a personal health plan, they, they say you always stick to it when you hold yourself accountable by telling others about it. And while regulators are certainly moving in the space of asking for disclosure around cybersecurity policies and practice and, you know, where you where you stand inside of certain frameworks, like NIST frameworks of, of cybersecurity posture. You can absolutely disclose those practices in a way that maybe other businesses can learn from that. But your, your customers can also hold you accountable to, to walking the walk and not just talking the talk.
Karissa Breen [00:11:11]:
Another observation that I’ve seen in the in the market last few years around customers really holding companies accountable. Have you noticed that too in your career, like, you know, as opposed to, like, even 10, 15 years ago, people now like, companies, I feel there there’s a lot more due diligence that they need to create that trust with their customers. Because, again, like, customers will just leave and abandon a company if they feel like they’re they’re greenwashing or they’re, you know, they’re not being true to what they’re saying. Are you seeing that as a trend?
Wendy Thomas [00:11:44]:
I think we’ve seen instances of that where it’s sort of it it takes hold. It has a a viral moment, if you will. But I would say we as sort of consumers of, you know, whether goods and services for our businesses or for us personally, we’re still trading convenience over sort of taking a stand on that front. It’s more sporadic until it catches a movement, if you will, around a particular company. But those are often more short lived than I would like in terms of just kind of raising the expectations generally and consistently around how companies behave in this sense.
Karissa Breen [00:12:23]:
Okay. I wanna keep following this notion around trust. So I want to get your thoughts, Wendy, on would you say people aren’t trusting companies like they used to as what we’ve just explained here now, but I wanna extend on this a little bit more because I worked in a bank before, and I wanna use that as an example because they’ve been around forever. And, you know, people back in the day had this loyalty. They go down the branch, and they knew Martha there, and Martha knew everything about Joanne and all of these things. Right? That doesn’t even happen anymore. Like, there’s barely any, like, branches of people in them here in Australia at all. So do you think people are just not loyal to brands like they used to be? So does that trust element still exist in your eyes, or would you say it’s a new version of trust? And so what I mean by that is people as in consumers are more focused on, well, if I can go to the company and get what I need from it, therefore, I kind of trust it.
Karissa Breen [00:13:20]:
They don’t really think about it. They’re more so, is this company gonna get me the outcome that I’m chasing? What are your thoughts then on that?
Wendy Thomas [00:13:29]:
I think we’re we’re all, you know, personally included operating under a different sort of social contract, if you will, where there are so many companies and, and things are moving so quickly in terms of capabilities that we want to consume, especially on the technology or the mobile app side of life, that we aren’t sort of blindly loyal to a brand anymore. But I don’t think we’ve abandoned this idea of you are promising a certain outcome for me as a consumer, but I expect you to fulfill a certain fiduciary protection inside of that transaction. So while I may only come to you if I’m getting the outcome I’m looking for, but that doesn’t absolve you from, from handling that particular transaction or engagement in a way that protects my data, doesn’t sell my data wantonly. And I know we’ve seen a lot of regulation from, from various government entities across the world on this front because companies weren’t adhering to that sort of social contract and looking to monetize data and information in in multiple ways than just the transaction for which someone came to them. And it’s unfortunate that that regulation has come into play for some of that. We know it when we see a common sense of how how people would want to be treat treated in that interaction. I think it’s a new, it’s a new paradigm given the high-tech, fast paced world that we live in today, that you can’t just go to a one one place and be loyal to that brand for forever.
Karissa Breen [00:15:04]:
So would you say as well, Wendy, companies are focused on trust?
Wendy Thomas [00:15:09]:
I think they are focused on trust. I think the, the, the pace at which now your brand can be undermined by a single event, a single behavior, a single transaction, that is a very difficult thing to recover. And we’ve seen seen examples of that brand damage that materially impacts a business and then and then can’t be returned from. So I do think that that companies understand and know that the value of trust as part of their brand equity is something very much to be to be safeguarded and not taken lightly in terms of the the way that they behave. And you see that with with quick messaging out acknowledgment of footfalls or or events and apologies to customers, because they do understand that you may be very convenient, but if you’ve lost consumer trust, that’s a very difficult road to recovery.
Karissa Breen [00:16:06]:
Okay. There’s a couple of things there which was interesting that you said. So going back to, hey, we’re sorry. Now I’ve been observing I mean, media of course, I’ve been observing the situation. So there’s some people that had said, I don’t think the CEO was really sorry. So I feel like it’s a catch 22. If you say it, someone’s gonna say something. If you don’t say it, someone’s gonna say, well, I can’t really didn’t say it.
Karissa Breen [00:16:29]:
So how did that sort of conundrum sort of play out? Because, again, it’s not an ideal situation. It happened. But how do you sort of then recover from that? And then what are some of the sort of long tail impacts, especially financially? Like, perhaps customers abandon the brand. Perhaps there was a renewal process going on that that doesn’t happen or, you know, in 12 months time, it’s like, well, you were the company that had the issue. We’re not gonna sign up with you. What does that financial impact then look like that sort of aligns to the trust coin you’re you’re
Wendy Thomas [00:16:58]:
on. So it’s very much real. Now in coin you’re you’re on. So it’s very much real. Now, in terms of the online world, if you will, assessing the veracity or the sincerity of executive communications or marketing communications out of a company, you can please some of the people all the time, right? You’re never going to please all the people all the time. For me, that really starts with the truth. People can see in the way that a company behaves over the long run, not just in the first, you know, moments of a of a crisis, but the moments of that crisis. Then 3 days later when we’ve moved from crisis mode to sort of recovery and ongoing mode, you have to walk that walk for a very long time as a brand, as you recover from some type of footfalls or mistake.
Wendy Thomas [00:17:55]:
And people can see through that over time. And it’s just the vast majority of customers that have to witness that over time. So speed is not your, your friend. I know we like to make a quick apology and then, and then know that it’s over. It’s just not how it works in the real world. And so you build a brand over a long period of time, you recover a brand over an extended period of time. And it’s consistency, both of your actions and your words and consistency over time, that really is the tell in, in any type of business relationship or, you know, customer business relationship.
Karissa Breen [00:18:31]:
Okay. That’s interesting. So would you say that and this is really important because a lot of people out here are talking about trust, but I’ll give you the examples, but I think you’ve you’ve demonstrated that today. So I want to drive this a little bit more. So you you made a great point around the behavior of a company or a brand over the time. Right? So just say there’s an incident that happened, not about the next day or the next week. It’s about the next 6, 12, 18, 24 months, and so on to walk the walk to to your vernacular. Would you say that’s what companies fall down? So maybe it’s like, well, the thing happened and I’ve done it for a day or maybe a month, and then the dust settles and then something else in the news happens.
Karissa Breen [00:19:08]:
So the news cycle tears away from this company, but they’re still not showing up and doing the walk every day.
Wendy Thomas [00:19:14]:
Right. And there’s not fundamental change underneath. Like truly, have you, have you materially changed the risk of that happening again? Or are you just putting something out there as we were talking about in the examples saying, you know, we’re, we’re protecting you, but, but in the underneath of the covers, you know, behind the scenes, processes, technology, you know, staffing have or have not fundamentally changed and altered the probability of something like that happening again or something similar to that happening again. What what you have to see from the CEO down to people on the front lines facing a business’s customers is that you see a difference in the way that they are engaging, operating, communicating, staffing. That’s the only talent. And it goes back to what we talked about of, and you have to disclose that. You have to talk about how you’re treating things differently. Where are you investing additional dollars? Where have you shifted resources to change your approach? And unless you see those proof points consistently over time, as opposed to, Oh, we survived that, the dust is settled, you know, go on as we were and pray for the best, people see that fairly quickly in terms of organizations.
Wendy Thomas [00:20:31]:
And and that does start with with the CEO and the board to a great degree.
Karissa Breen [00:20:37]:
K. I wanna give you an example of something that’s personally happened to me, which I think demonstrates walking the walk. Now in 2022, I was in the US. I was coming back from San Francisco. There was, like, some blizzard or something had happened, and all the flights were canceled so I couldn’t get back to Los Angeles to fly out to Sydney or flying on Southwest. Now whether you love or hate the brand, it’s immaterial to the conversation. Ended up, couldn’t go back for a number of days. And then, obviously, as you know, you’ve just come to Australia.
Karissa Breen [00:21:03]:
It’s quite a long flight. I ended up missing my mom’s birthday, and there was a whole thing around all of these personal things that I had missed out on. But what they did was they actually you know, we wrote sort of a a document saying the situation about what had happened. And not only did they respond, and they said, we’re really sorry to hear that. They actually wrote something back, and they had sort of helped us out a little bit, like, financially, and they’d said, here’s a bunch of points. I felt that in that moment, we were frustrated because it sort of was a domino effect. But then I felt like they kind of recovered by how they handled the situation, which I was surprised that given an airline. Because when I look at airlines here in Australia, I’ve had this happen before, and it’s like, well, here’s an $8 voucher for the airport, which gets you probably half a coffee here in Australia.
Karissa Breen [00:21:47]:
So I just wanna use as a personal example that I thought that was a frustrating situation that happened, but then they sort of recovered and, you know, walk the walk. Right?
Wendy Thomas [00:21:56]:
Exactly. And there are really four elements of what you experienced there. 1, sincere apology. We’re sorry this happened. They may not know that you missed your mother’s birthday, but they’re assuming you’re flying for a reason, right? It’s a, it’s a long flight. It’s it’s a definitely a lot of money to to buy that flight. So you had something that you were trying to do at a certain time. And so they’re sorry for for messing that up.
Wendy Thomas [00:22:21]:
The second is they they provided a clear understanding of why it happened, right? Sort of the the root cause analysis. Why did this happen? They may or may not be to blame. But they don’t spend a lot of time on on that blame only in the sense of the third part is they tell you what’s going to be different about that. I’m gonna get you rebooked. We’ve fixed the system, you know, whatever the whatever the action is to make that happen. And then the 4th is they make up for it in a way that is commensurate with what you experienced, right? So it’s not a $8 coffee voucher. It is, it is something more that you care about. Get you on that next flight, take care of a hotel, you know, remunerate you for some or all of flight cost.
Wendy Thomas [00:23:06]:
It’s something that feels commensurate, balanced, just or fair to you. And those are the 4 things that have to be there for consumers to trust a brand or businesses to trust, you know, a business providing services to them after they have made a mistake. We all make mistakes. Businesses, people. It’s really how you make people feel in that recovery process that makes all the difference to your brand and trust.
Karissa Breen [00:23:34]:
The other observation that I’ve seen as well, and you can appreciate this because you are an American. I’ve noticed I go to the US quite frequently for work. I feel that US is very driven by customer service. Now I’m going to say this and people in Australia might not like me, over Australian based customer service. It’s very hard, especially when there’s people in the US living here. They’re like, hey. Like, customer service is just not existent like it is in US. So would you say from a brand trust perspective, US based companies are more focused on it? I think it’s just engendered into your culture a lot more.
Karissa Breen [00:24:07]:
Have you noticed that now that you’re down here in Australia in terms of how these businesses are operating?
Wendy Thomas [00:24:13]:
Well, what I what I can say, and I’ll I’ll contrast it to to Japan as well is that the the US consumer is not afraid to voice their dissatisfaction and expectations around around service. And sometimes that gets that gets action. I think the real question is fundamentally, all of us want to provide that great customer experience. And it’s really the degrees to which we we define what good looks like, right? And in Japan, that is a, there’s a really high bar even compared to the, to the US of what kind of customer experience they want to create. So there’s, there’s 2 sides to that coin of, of what the provider thinks good looks like and what bar they hold themselves to. And then how sort of noisy the, the consumer of those goods or services is about their expectations and frankly demanding, demanding that. And we’re not shy in the US about being pretty demanding.
Karissa Breen [00:25:12]:
That is true. So maybe Australians are a little bit more, not as forward with that approach, but just following that a little bit more, would you say this comes back to full circle around, you know, redefining what trust means and starting with what does good look like? Do you think companies are starting to get to that point? Or is that what you would advise someone to say, hey, What does this actually look like for our customers at the end of the day?
Wendy Thomas [00:25:37]:
I think we’re not there yet in terms of what good looks like and being willing to invest in relative to, I don’t know, the, the cost benefit. So it’s not just sort of like the, the, the example that we walked through of being willing to apologize and not being worried about the, the lawyers that are going to come after you, right? There are real financial consequences to sort of admitting guilt or fault in a situation. And I think that’s made companies too hesitant to acknowledge and sincerely apologize for, for things that have happened. It makes them not ready to explain the why in a really clear way and what they’re going to do about it because of that legal implication. And so in some ways, there’s companies are choosing on this line of, of sort of legal liability in addition to what does good look like in terms of customer trust building and engagement. And there’s a financial implication for sort of making up for your mistakes. You had that revenue for that flight and now you’re, you’re giving some of that back on top of all the trouble that you just went through. I think too often, it’s an economic equation as opposed to a long term economic return of a brand that is trusted that we’re, we’re not quite where I’d like to see companies operate today.
Karissa Breen [00:27:06]:
So where would you like to see them operate today?
Wendy Thomas [00:27:08]:
Where I’d like to see them operate is in that place of, we can honestly acknowledge where we’re doing well and we should, and where we’re not, and what it is that we’re going to do about it when, when we’re not. I don’t think it’s possible for any one of us or any business to, to never put a foot wrong. But it is possible to, to own that and action that, that even just the effort, even if it’s not a perfect response and in, in the situation, that the sincerity and the effort around that is what lets your customers give you the benefit of the doubt. And that benefit of the doubt is something I think is, is often lost these days. It’s kind of an assumption of bad intent and instead of an assumption of good intent. But imagine a place where we could actually operate with good intent and, and enable others to trust that we’re doing that. And how much friction that would take out of the friction and frustration that could take out of the way we interact with each other. And frankly, to come back to what matters to me, operate in a way that that is willing to sacrifice a bit of a bit of convenience for security and trust.
Wendy Thomas [00:28:24]:
And I think that’s, that’s something we should think about in a world that’s that’s moving awfully fast on rapidly changing sort of technology landscape.
Karissa Breen [00:28:33]:
You raise a great point. But these things cost money, time, resources, and then, you know, people would say, well, Wendy, that’s really nice, but that’s gonna cost us 10,000,000 US dollars, and we just don’t have that right now because we fired half our sales team, and we, you know, we don’t have any rep you know, not the same amount of revenue coming in. I know you got the finance background, because this is really important because I think that this is some of the disconnect that I see in this space around, you know, security practitioners have this perfect world, but it’s gonna cost $10,000,000,000. But you obviously get it from you’ve got that finance background. You see you you’re CEO of a sub security, you know, firm out here. So it’s like, how would you then start to convert someone to be like, yeah. Okay, George. But if we spend maybe 2,000,000 of that, we could potentially get 8,000,000 back because you’ve engendered trust, and we’ve done all these beautiful things.
Karissa Breen [00:29:24]:
How would you countermeasure someone’s argument to that?
Wendy Thomas [00:29:27]:
So I think about this from sort of an economist lens of dollar of risk reduced versus dollar invested or spent. And when you start from a, from a willingness to invest in, in security, or in this case, kind of more and more broadly in trust, you can’t think about this in the sense of extremes. You have to think about things on a on a slide rule. A slide rule of your your risk appetite, your ability to, to not, for example, prevent a 100% of breaches, but you invest in your, your ability to contain those to the minimum damage to the business, to the brand, to your, your uptime, your ability to operate to your customers relative to what that costs you to do that. And you invest in recovery time. So to be able to come back, from something within a day instead of 2 weeks. So those, those two elements let you invest at a much more reasonable targeted level and over time, relative to protecting or reducing that risk to, to your business, to your brand, and to your customers. To me, that’s, that’s math.
Wendy Thomas [00:30:44]:
And that’s the kind of math that you know, SecureWorks helps customers do around their, their areas of real risk versus not going to do much damage to the business and to focus their security posture accordingly over time, right? Rome was not built in a day. Security is not built in a day. So as the business evolves, as the capacity to invest relative to the, you know, where does the revenue come from in a business? We tie security to, to the actual source of economic return inside of an organization. And that makes it very easy to prove the return on that investment to those who aren’t necessarily close to, to security and who look and say, well, nothing happened. It’s kind of like insurance. I just spent a lot of money for nothing to happen. But you can actually provide some quantification of a minute of downtime, a loss of, you know, 2% of the customer base because you’ve had some kind of brand damage from a data breach, and they’re not willing to trust you to do business. So those things are able to be quantified and put into sort of sensitivities, if you will, relative to the dollar investments that at least I know for, for our, for my board, makes it much more decisionable and actionable and frankly aligned around what we are and aren’t willing to to invest relative to the risk along that slide rule.
Karissa Breen [00:32:10]:
Okay. This is great because I think this is the part I’ve I’ve I was a reporting analyst in a security function in bank. So this to me is very interesting because this is how we go and present and get more money from the bank, right, which was like, to your point, quantification. Would you say this is the part that people perhaps in this market are just not getting? Because it’s like, oh, we’ve gotta buy all these tools. We could do all these things, but it’s like, yeah. But to your earlier point, your recovery time. So if you’re running an airline and you’re down for an hour, that’s gonna impact you quite a lot. Not only just, like you said, the flights that you missed and all that, but then also, like, hey, Carissa Breen missed her mom’s birthday.
Karissa Breen [00:32:47]:
Therefore, it’s gonna cost me an extra couple of grand because she missed it and then she got a problem. So those are the long tail impacts that perhaps attach in a pen to not only the the downtime, but also the aftermath of that. So would you say this is the part that people really need to connect the dots? And I just I just don’t think that they are out there.
Wendy Thomas [00:33:09]:
I agree. And, and here’s what I see happening is that we try to get it exactly right. And the answer is, it’s not about getting it exactly right. It’s about, it’s about sort of scenario and sensitivity use of things to your book. How much does an hour cost an airline versus how much does an hour cost a, you know, a lumber, producing company for construction sites? Very, very different. And when you can understand where the the sort of points of leverage in your business or your organization are around either revenue or the things that really damage your customers’ trust in you and things that they don’t care about relative to what costs to protect against that risk. And to your point, I always say like, just spending money on a bunch of tools, buying a treadmill does not mean you lose weight. But that’s what we wanna do.
Wendy Thomas [00:34:00]:
We wanna go out, we wanna buy the workout clothes, we wanna buy the treadmill, buy a subscription to a gym. And then we wonder why we didn’t lose weight because we didn’t focus in on the sort of root cause or the source of risk. And and that’s where I see that gap happening. If you don’t understand your business and where the where those points of leverage are in terms of revenue and brand, and then tie those to what has to change, regardless of whether it’s a people or a tool or a process to reduce the risk to that part of the business. You’re starting with the, the treadmill instead of the, the weight loss
Karissa Breen [00:34:36]:
plan. Okay. I like the analogy. So why would you say people, people maybe the industry, etcetera, are just focused on buying the the Peloton? Like, as you mentioned before, like, why have we even gotten to that point? Like, why has it been so hard for so many years of people to to earn their stripes to prove that their area needs more funding, etcetera?
Wendy Thomas [00:34:58]:
To me, it is a mindset of activity over outcome. We bought a tool and we implemented it. Check. I’m not to blame. The reality is there, there is no try here, right? As Yoda said, do or do not. It’s not okay to say I bought the tool and put it in place and it’s not my fault. What you’re looking for is I’m accountable for the outcome here. And it doesn’t matter whether you buy 10 tools or no tools to get that outcome and and and ensure the high probability of that outcome.
Wendy Thomas [00:35:28]:
That’s harder. It continues to hold you accountable. It’s just not as satisfactory as sort of checking off a tactical to do list. And it’s ongoing. It never stops. And I think that’s the part that once you get into the mindset of this is a living, breathing daily fight, it changes the notion of this being a project versus this being a lifestyle.
Karissa Breen [00:35:54]:
That’s a good point. And I think just to follow an example a little bit more, it’s like, well, cool. You’ve gone out. You’ve got the personal trainer, and you’re putting everything on Instagram about going to the gym and, you know, the fancy clothes and all that, but it’s like, yeah. But if you’re not doing the thing, it’s not gonna result in losing any weight, for example. So it’s like, you bought all these tools, but if you’re actually doing things properly and you’re just doing it for the tick of the box to to your point, it does nothing. Do you just think that people perhaps fallen back on that a little too much and sort of outsource the responsibility to other people in the company?
Wendy Thomas [00:36:25]:
I I think it’s less that than than sort of a false sense of security from that action. Where, where we think the job is done by taking that action or buying that tool, as opposed to knowing that what it really is, is not the big post on Instagram, but, but every single day you make your lunch or you order that salad when you go out you know, instead of the instead of the fries. It’s the quiet, daily, consistent, working the plan versus the sort of big bang things that everybody else can see that make the biggest difference. I continue to see in security that we talk about all these different technologies and tools and such. The same three things cause breaches that are incredibly simple to fix. Hard passwords, multifactor authentication, you know, not clicking on that, on that link, just awareness. It’s not fancy, you know, quantum computing fueled AI that that threat actors are using to make all this money. It is just good old fashioned basics that if we’re willing to introduce just a little bit of friction would make a material reduction in their success rate in terms of what was the ransomware market last year? Last year? $30,000,000,000 right? People spend a $100,000,000,000 on security services
Karissa Breen [00:37:42]:
and tools.
Wendy Thomas [00:37:42]:
Think about that. So spending money is not necessarily the answer. Finding the right answer, in fact, getting advice and help on, on tying those business outcomes and business risk to those investments in a way that’s credible. I mean, we’ve been doing that for, for 25 years in this space. So we, we understand the work. It’s not always exciting. The basics can make such a big difference to really sound sound security and, and keep and build that trust.
Karissa Breen [00:38:16]:
So Wendy, do you have any final final thoughts or closing comments for today’s interview?
Wendy Thomas [00:38:20]:
Well, I just want to thank you for the opportunity to talk about something that I think sits underneath of the surface. And for, for me, this is a shared responsibility, the building of trust. So it’s, it’s us as, as customers of businesses. It’s us as leaders of businesses. We all have a shared responsibility as global citizens here to be willing to invest in just a little bit of friction, a little loss of convenience to be able to be more collectively secure because while it may not be you today, that’s damaged by that reach. It is, it is your fellow citizen who’s damaged by it. And and by caring enough to to protect them, in the end, you’re really protecting yourself too.