The Voice of Cyber®

KBKAST
Episode 295 Deep Dive: Shannon Murphy | C-Suite Security Challenges
First Aired: February 14, 2025

In this episode, we sit down with Shannon Murphy, Senior Manager, Global Security and Risk Strategy from Trend Micro, as she explores the C-suite security challenges facing organizations today. Shannon emphasizes the importance of proactivity in cybersecurity, highlighting the shift from a reactive to a predictive approach to anticipate and counteract adversary strategies. We delve into the pressures from infrastructure shifts and adversary ingenuity, discuss global cybersecurity trends, and examine the increasing customization in social engineering attacks.

Shannon also shares insights on the evolving role of AI in cybersecurity and the need for greater integration and proactive practices within organizations to reduce the risk of breaches.

Shannon brings a decade in enterprise, consumer, and cybersecurity technology experience across high-growth industries focusing on the role of security in business and the workforce of the future. A subject matter expert in emerging security operations technologies including XDR, generative AI, exposure management and Zero Trust implementations, she is at the forefront of innovations that help organisations stay ahead of evolving threats.

Shannon is a security champion for business leaders, helping organisations translate and validate the business value of a resilient risk posture and culture that puts security first. As a strategist, she works with cybersecurity leaders and partners to develop scalable solutions that address unique and emerging threat models.

Further reading:
How a Communication Breakdown in the Boardroom is Hurting Cyber-Resilience

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Shannon Murphy [00:00:00]:
I think at the end of the day, it all comes down to proactivity. I think that this is challenging some conventional thinking that we have had in cyber where we’re constantly in firefighting mode, where we’re constantly having to respond to things and be super reactive. I think that we’re in a place, and we have the predictive technology where we can actually anticipate the adversary much better and own our own attack surface before someone else can. So being proactive, I think, is really, really key.

Karissa Breen [00:00:53]:
Joining me now is Shannon Murphy, Senior Manager, Global Security and Risk Strategy from Trend Micro. And today, we’re discussing the C-suite security challenges. So, Shannon, thanks for joining and welcome.

Shannon Murphy [00:01:00]:
Thank you so much for having me, KB. I’m super stoked to be here.

Karissa Breen [00:01:04]:
Okay. So, Shannon, I follow your journey. Before we started recording, you said you’re actually in Canada for a month, which I think is quite rare for you because you travel around a lot for work. So perhaps let’s sort of start there. You know, you’ve got quite a unique perspective because you do travel quite frequently. So what are you sort of hearing from people around the globe that you can share with us today?

Shannon Murphy [00:01:25]:
Absolutely. I think, you know, when it comes to strategy and cyber strategy and threat landscape and tech landscape and all of these different categories, what’s so important is to talk to as many cyber professionals and as many practitioners as possible so that those anecdotes start to become trends. And by doing that, this is how we’re able to build scalable, you know, products and solutions and approaches in order to get in front of these challenges that people are facing. So one of the benefits to your point of my role is that I’m able to spend so much time with people who have hands on keyboards in order to start to identify these types of trends. But when you’re looking at some of the challenges in the enterprise today, I think it boils down to a really simple concept, and it’s the different pressures that we’re facing. So the first pressure comes from infrastructure shifts that happen in the enterprise environment, whether that’s, you know, digital transformation or this AI transformation or different tools that are being adopted and these different changes that you need to secure. And that comes with different, you know, protocol, ramifications. And then on the other side is adversary ingenuity and this cat and mouse game that we’re constantly in with the bad guys and how we actually have to change our strategy to account for that adversary ingenuity.

Shannon Murphy [00:02:52]:
So these are the two fundamental things that we’re looking at, and I’m happy to dig into either side of those first.

Karissa Breen [00:02:56]:
So when you’re traveling as well, do you see any sort of trends or, like I mean, this is generally speaking. So in Australia, generally, this is sort of some of people’s concerns or questions. And then in North America or in Europe, is there anything like that? Do you sort of see commonalities in terms of different countries and where they’re at, would you say? Certainly on a maturity perspective.

Shannon Murphy [00:03:20]:
And however, with that said, the main threats to the business are very common. Right? So basic attacks, for example, like password hash cracking, those are becoming a lot faster and easier for adversaries to do. And organizations, regardless of what geography you’re in, have to, you know, implement different simple hygiene solutions like, you know, multi factor authentication and the number matching and that kind of thing. More recently, though, what’s been top of mind for a lot of security leaders is this idea of more customization when it comes to social engineering, for example, as a result of open source reconnaissance the adversaries can do using different generative AI tools as well, which is influencing things like phishing and business email compromise. So I think, you know, the problems, maybe there’s some comfort in this. I don’t know. But we are really all in this together, and we’re all facing a lot of the same challenges.

Shannon Murphy [00:04:19]:
And in that way, we’re able to learn from one another and, of course, build together to actually start to counteract these types of trends.

Karissa Breen [00:04:26]:
Okay. So just before we go back to adversary ingenuity, I wanna talk more about you said customization. So do you mean more I think there was, like, a finance worker that paid, like, a bunch of money because it was a deep fake from a CFO. Is that what you mean by that?

Shannon Murphy [00:04:42]:
So this is an example. Right? So deepfake, for sure, this is a whole other challenge, and deepfake and audio fake and how impersonation has gotten the efficacy has gone up so much. And before, we were looking at technologies like generative adversarial networks, and that helped. Essentially, what that technology does is you have a generator, and then you have a discriminator. So you have something creating the media, and then the discriminator calls out anything that might appear as fake or inconsistent. And in that way, you’re able to get a really high quality output. Now we’re seeing things more like face swaps. Right? So in the instance that you mentioned with the finance worker, it actually ended up being a UK architectural firm.

Shannon Murphy [00:05:22]:
They had multiple recorded deepfakes on the call, and they essentially boxed out the junior employee from the conversation, and they were just tasking him. So he didn’t actually really have an opportunity to interact with them. And that works, you know, when you look at social engineering because they architected a scenario that selected a vulnerable employee who was junior and didn’t feel empowered to push back against a bunch of executives. Now with things like face swapping, you can have highly realistic voice notes for audio, but then you can also have real time discussions with someone who is not real. And this is a level of social engineering that is above and beyond what we’ve seen in the past. However, when we’re looking at, you know, phishing and business email compromise, the customization when it comes to the content of that email can be so precise. In fact, our own red team targeted me using, you know, an open source reconnaissance tool, and the email was flawless, KB. It was like, hey, Shannon.

Shannon Murphy [00:06:27]:
We saw you in Dallas at this event. Love that you talked about these topics. We would love to work with, you know, this person on your team. Like, it was so perfect, and it appeared to be sent from someone who had commented on one of my posts on LinkedIn. So they’re taking all of that available public information. And as you know, I post quite a bit, so there’s lots to draw from. But they’re taking all of that public information, and they’re doing the research very, very quick in order to do target selection, so victim selection, and then also to customize the actual content. So whether it’s an email, whether it’s a phone call, whether you’re, you know, on a FaceTime or a WhatsApp video, whatever you’re using, this is new risk that’s being introduced to those, you know, social interactions.

Karissa Breen [00:07:15]:
Okay. So there’s a couple of things in there which is really interesting. So going back to you said before target selection or victim selection, would you say in your experience, I post a lot too. Am I more of a victim or someone on LinkedIn that doesn’t really post at all? Like, who would you say would be more of a target?

Shannon Murphy [00:07:33]:
It always comes down to data. Right? The more available data, the higher the risk. That’s even in, like, really simple you know, people use their birthday and their username on Instagram, for example. Like, that is valuable information that I can use to start to build a profile on someone. So I do think it comes down to a matter of people, process, technology when you want to protect against these things, and part of it is being aware that adversaries are using these tactics and techniques now in order to craft these phishing campaigns. So I would say, KB, you and I, we gotta be extra vigilant because of our post history.

Karissa Breen [00:08:17]:
So then going back to the phishing email that you said worked for you, but you’re obviously someone in this space. Right? So imagine just, like, the everyday person that doesn’t think like this, thinks everyone’s innocent, isn’t skeptical, isn’t looking for certain things. Where does that sort of put most companies?

Shannon Murphy [00:08:35]:
Yeah. Absolutely. And this is why I think you know, I always after you hear in security, you know, your employees are your weakest link or you’re only as strong as your weakest link and this type of thing. And, you know, to me, it’s true, but it’s also a little victim-blame-y because, ultimately, we need to be pushing the vendor community, and that includes, you know, us, to have technology do more of the heavy lifting. Because at this point, when those emails are so customized, the links look good. There’s no leet speak. It’s personalized to you. It references something that you’ve done by someone who you’ve interacted with.

Shannon Murphy [00:09:15]:
Can we really blame that employee anymore for not being able to detect it on their own? Right? So we do want to, you know, be modernizing things like email security, going beyond gateways and using different AI detection techniques. Right? Using things like deepfake detection, inspecting content in the email in order to do more of the heavy lifting and protect that employee. Of course, there’s no silver bullets. So when companies are looking at things like, you know, financial verification or data transfer verification or they’re working with sensitive contracts, you wanna be looking at your processes for that as well. Whether you have, you know, a preset list of stakeholders who can approve those transactions, whether you have multi stakeholder approval, whether you require a face to face interaction if it’s above a certain dollar threshold. Like, these are really simple process changes that companies can make, but the fact of the matter is that they do need to be making these changes.

Karissa Breen [00:10:18]:
Okay. So I wanna so going back to the face swapping, there was a story recently. If you saw it, there was a woman in France. Apparently, she thought she was engaging with Brad Pitt, who doesn’t have any social media accounts at all, fell for it. Obviously, she got scammed out of, like, a bunch of money, etcetera. We’ve seen these things happen. But, I mean, in recent times, I’ve seen some of these videos that people say, oh, you know, I fell for it. But it does look fake.

Karissa Breen [00:10:41]:
Right? So do you think that comes from someone from, like, psychologically hoping that it’s someone that they can fall in love with, for example? I think still today, romance scams in Australia is still the number one scam. Or do you think the technology is getting better? Because I mean, I’ve seen it, and it clearly does look fabricated in my eyes.

Shannon Murphy [00:11:00]:
For sure. And I mean, romance scams, pig butchering scams, this has existed long before this level of AI sophistication has been in our lives. So, certainly, adversaries are always going to prey on the vulnerable, prey on, you know, individuals who are not super tech savvy or, you know, are in a position to be targeted in that way. So, of course, on that side, we are looking more, one, at, like, education, for example. But there’s also tools available today. For us, for example, you know, we have two big sides of our business. We have a really large enterprise business for our security platform, but we also have a consumer business as well.

Shannon Murphy [00:11:41]:
And on the consumer side, we created a tool called scam check. And, essentially, for that Brad Pitt, you can take a screenshot of that interaction and upload it to the scam check, and it will tell you whether it’s legitimate or not. So there are tools available in the market today to even help individuals who have been victims or targets of a romance scam or a pig butchering scam.

Karissa Breen [00:12:04]:
Do you think that even if someone uploaded it to a tool, if it was more of a psychological issue, do you think that they’d still believe, no. It’s definitely Brad Pitt that’s trying to hit me up. Like, do you think that people will still think in their mind that this is the reality irrespective of what the tool says?

Shannon Murphy [00:12:19]:
I think, you know, this is getting out of my specialty area a little bit. I think this is a little bit more of a psychology question. But I think at the end of the day, we have to do the best that we can when it comes to education and giving people tools in order to make the best and most informed possible decision, and what they do after that, of course, is out of our hands.

Karissa Breen [00:12:39]:
So you mentioned before, Shannon, technology to do the heavy lifting, and you said that we should be pushing the vendor community. So how can clients or people like myself... what do you mean when you say pushing, like, in terms of evolution of their tools? Or what do you mean by that specifically?

Shannon Murphy [00:12:55]:
Yeah. Again, you know, I said pushing, but I think a lot of the time, it really ends up being a little bit of a beautiful partnership. I think working together to define the outcomes, to define the challenges, and getting really creative on how we’re building products and how we’re building solutions, this is how we get to the best possible outcome. I always joke that, like, the number one product manager is our customer because they’re always informing us, and we’re always building kind of hand in hand together. But I think that it is, you know, really encouraging and demanding to innovate and to look at what’s happening in the threat landscape and how nation state actors and ransomware gangs are innovating. And, you know, we have threat research teams who dig into those topics in order to inform how we can do better detection, how we can leverage new and emerging technology in order to modernize detection models and detection techniques as well in order to keep people safe and to keep businesses safe.

Karissa Breen [00:13:55]:
So we’re speaking at the start of 2025. Do you envision what we’ve sort of discussed? Like, obviously, these things will probably stay on the radar, but do you think that, obviously, there’s gonna be new things that emerge in terms of trends and threats, etcetera? Because how the industry is moving now, it’s, you know, very it’s moving at velocity, and things are changing all the time. Even in my sort of space, like, there’s not even I can get across every single thing. So where do you sort of see this year now with where we’re at with the world, with how quickly vendors are coming to market with new products, tools, etcetera? Can you help me make sense of some of that?

Shannon Murphy [00:14:28]:
Yeah. Of course. Like, my position is, you know, important problems are complex. Right? Absolutely. There’s higher volume, higher speed, when it comes to threat landscape. There’s more zero days than ever before. There’s been, you know, maybe some possibly overblown, some legitimate concerns around AI creating new types of malware. But, ultimately, the basics are still the problem.

Shannon Murphy [00:14:53]:
Right? Unpatched assets, misconfigurations, phishing campaigns, flat networks, not having MFA deployed. These are the things that have persisted for years and I believe will continue to persist through this year. However, these more novel and emerging threats, so, you know, these AI-influenced threats, deepfake, audio fake, automated reconnaissance, these, like, North Korean fake employees that we saw in 2024. I think that these threats will become, if not increasingly sophisticated, higher in volume. Right now, I still say that deepfake, audio fake is novel and emerging, but it’s not prolific. I do think throughout the year, we will absolutely see higher volume of these types of attacks. And for that reason, like, there’s no better time for businesses to plan than right now and to start threat modeling for these different campaigns and getting prepared to mitigate these different risks and having a plan in place, essentially, to protect themselves.

Karissa Breen [00:15:58]:
So you said before being prolific. Do you think as well, now with everything you just mentioned, in terms of, like, cyber criminals, and they’re probably gonna try for every angle, not just attacking a business, but they’re either gonna try to go through the individual. Because what you’ve just said, like, that’s not gonna be a lot of work for them. Right? Like you mentioned, like, people that have got big profiles like me and you, you know, it’s quite easy to craft something. Do you think that has to be more targeted, or do you think still they’re just gonna try to go for volume and see what happens? Because some of these, you know, old school phishing emails, it’s kind of like, well, I put five minutes worth of work into it, and they’re probably only gonna get maybe two percent of people. I mean, it could be higher, but just if you look at it, it does look quite fabricated. But for some of these more targeted attacks, are they gonna take longer in terms of energy? Where do you think these cyber criminals’ heads are at?

Shannon Murphy [00:16:44]:
No. I think that they’ll be able to do it at scale a lot faster. Like, the customization that I went over, you know, you could think of that as a manual process. But if you have the tools in place that are doing the scraping for you and prioritizing victim selection, this starts to become very, very fast. And at the same time, in the criminal underground and on these different criminal marketplaces, you know, people are buying and selling data constantly as well. So there’s lots of information available, quite frankly, in order for this to scale up and get a lot faster. So I do think for sure you’re still going to see those kinda classic old school campaigns, but I think that as adversaries start to understand the technology and potentially even create services, cybercriminals, they behave just like real businesses. Right? They sell products.

Shannon Murphy [00:17:34]:
They also sell services. So I can totally see you know, you’ve heard of ransomware as a service. I can totally see something like reconnaissance as a service emerging in the criminal underground this year, where people are doing the victim selection, and then they’re selling those lists to another gang, and that’s how they make their money. So, yeah, I absolutely think that the degree of sophistication and customization in phishing will become much more automated and is going to scale relatively quickly.

Karissa Breen [00:18:02]:
And just in terms of sort of, you know, the victim target or the victim selection, historically, it used to be more like if it was someone of high caliber or someone in a senior role. But hearing what you’re saying, it could effectively be anyone now in terms of a high target that someone, you know, is not necessarily like a CFO or CEO. It could just be an everyday person with a, you know, a large YouTube channel, for example. But that’s sort of the shift that I’m hearing that you’re saying.

Shannon Murphy [00:18:31]:
Yeah. I think any path of least resistance. Right? This is adversary mindset. To protect yourself, I think that’s a good way of thinking of things. But, yeah, it’s gonna be path of least resistance. And the way that we talk about this is we use a term called data actionability. And what that means is how immediately valuable will this credential be, or how immediately valuable will this information be. And, certainly, if you can identify any opportunity where you can identify a vulnerability so that you can get in and start to move laterally, that is a value and that’s actionable. And to your point, that really could be anyone. Of course, executives will still be targeted because they’re the whales. Right? But if I can be crafty and if I can find a way in or if I’m specifically looking for you know, say that you’re an administrator, IT administrators, you know, director of IT or that type of thing and you have that on your LinkedIn, well, you know, I’m gonna be downloading that whole list of individuals from LinkedIn.

Shannon Murphy [00:19:32]:
Right? So any way that I can get credentials. Right? So that’ll be through a phish. If I’m looking for and then there’s lots of other different access techniques as well, VPN gateways, open RDPs, lack of MFA, that type of thing. But, certainly, any way that I can get in, then, you know, you’re up for grabs.

Karissa Breen [00:19:51]:
So then let’s flip over now and talk about C-suite leaders, etcetera, boards. Given your travel and your discussions with some of these people, where do you think, generally, their head’s at?

Shannon Murphy [00:20:03]:
Certainly, I’ve seen a massive trend toward boards being much more engaged and much more cyber aware than they have ever been in the past, even, I would say, within the last twenty four months. In the US, for example, we see that because there’s a change in SEC regulations, and boards are now liable, and they’re on the hook for cyber breaches. So they wanna up their cyber IQ. But I do think that this trend is transcending around the world, and I do think that there’s a greater appetite for boards who have access to, you know, accurate risk reporting and how are we in a good position, or one of our competitors just got breached. Are we next? And if you’re a security leader, you want to be able to answer those questions with a good degree of confidence.

Karissa Breen [00:20:50]:
So I’m aware that Trend has released a credibility gap report, which shows the disconnect between C-suite and security teams. So I’ve got it in front of me. So I wanna sort of talk through some of the stats, which is quite interesting, and one of which was 79% of global cybersecurity leaders have felt boardroom pressure to downplay the severity of cyber risks facing their organization. So on that note, you sort of mentioned before that, you know, things in the last twenty four months, and maybe it’s part of, you know, having that personal liability attached if something goes wrong, you’re on the hook for the board members and executives. But why do you think people are downplaying it? Is it because, like, oh, it’s a problem. I sort of if I downplay it, perhaps, you know, people aren’t gonna focus too much there because if they focus there, I don’t have all the answers to it. I don’t have the budget for it. Where do you think that stat comes from? That’s quite high.

Shannon Murphy [00:21:43]:
At the end of the day, it probably comes down to prioritization. Right? And I do think that there is a perception shift happening in cybersecurity where it is starting to be seen as a value add versus a cost center. But, you know, in the context of financial risk and operational risk and all of these other priorities in the business, I think that there can certainly be maybe an early formed appetite to downplay certain risks if there’s, you know, really large competing priorities. But with that said, I do think people are understanding that cyber risk is a business risk and, damage or destruction to your data, loss of customer faith, loss of, you know, reputation. If you’re encrypted and you’re not able to do your work, if you have, you know, security in place that’s disruptive to your business. Like, all of these things impact a company’s ability to be profitable and to act in a productive manner. And I think that is being realized now, and, hopefully, we do start to see that number drop. But at the end of the day, I think that it comes down to priority.

Shannon Murphy [00:22:44]:
And the better we’re able to communicate the impact of cyber risk to the business, the lower we’re gonna see that number.

Karissa Breen [00:22:52]:
So if we zoom out for a moment just on that point, where would you say is the biggest disconnect between C-suite and security teams?

Shannon Murphy [00:23:00]:
The biggest disconnect between C-suite and security teams. I think often, you know, sometimes if nothing is happening, then there’s a question of investment. So it’s like, well, we haven’t been breached, so why are we paying all that money? And it’s a little bit of a paradox. Right? Because the reason why you haven’t had a security event is because you’ve made all of these investments. Right? So I do think that sometimes justifying investment and justifying spend can often create a disconnect. And I think that comes because in the past, we haven’t had access to really defensible and transparent reporting. I think the more transparent we are, I think the better we communicate with the board and with C-level executives on the business side, the better we’re able to bridge the gap between these two things. Ultimately, in cyber, you know, the business might see it as disruptive.

Shannon Murphy [00:24:02]:
Right? If you’re blocking access or denying access, if you’re buying things and they’re not being deployed properly and you have, you know, a shelfware problem, you know, these are reasons that can maybe impact the reputation of cyber within the business. But if you can report on what you’re doing and how you’ve brought the risk down and the KPIs that your team is working against, if you’re able to actually do cyber risk quantification and you can actually quantify the risk within your environment, that really starts to get the attention of the C-suite. And the more we’re able to speak the language of the business, the more serious we’re able to be taken. So doing things like risk measurement, risk scoring, risk reporting, as well as translating into dollars really starts to narrow that gap between these two groups, and that’s exactly what we wanna see.

Karissa Breen [00:24:56]:
So just pressing a little bit more, going back to the 79%, there’s another further breakdown here. So it says 43% say it is because they are seen as being repetitive or nagging. So, I mean, nagging is obviously, people seem frustrated by security person sitting up there saying, hey. I need more money, etcetera. Do you think from your experience, Shannon, talking to some of these C-suite people, they have turned around and said, you know, I feel like these security people really nag me.

Shannon Murphy [00:25:24]:
I think, again, it comes down to speaking different languages. Often in cyber, we’re in highly technical environments. We’re dealing with, you know, lots of jargon and specialized knowledge. And when you bring that language to someone who has no background in it, who doesn’t have the context, I think that it can create a lot of friction. Right? When we’re able to speak on the same field and align our goals and match our goals, this is when that type of claim around nagging or I’m annoyed or I don’t understand. Like, a lot of the time, frustration, and this is almost more psychology again, but where frustration comes from is from a place of misunderstanding. When we’re able to speak the same language as each other, that’s when we really start to feel like we’re on the same team.

Karissa Breen [00:26:18]:
But then we’re in this conundrum in the industry, which I’ve seen myself is, you know, if someone’s in a senior position, for example, and they’re not technical, but they’re better at influencing people and getting money from board members as opposed to perhaps super technical person that is seen as nagging or repetitive or doesn’t get their point across. And then often you see this rather in the industry to be like, well, you’re not technical enough. It’s like, well, you’re gonna have soft skills. But, like, soft skills, like, it’s hard to deal with a human being. You can’t configure these people. Right? You have to deal with their emotions. So where do you sort of see this sort of trend now in terms of I spoke to a scientist yesterday, and he’s like, I’m not from a technical background, but I can, you know, win friends and influence people. Are we gonna start to see more of these people in these senior roles that have a bit more of an understanding on how to manage people that they’re not you’re not getting you know, Trend Micro is not running reports saying, like, oh, you know, nagging and repetitive.

Karissa Breen [00:27:15]:
Are we gonna start to see that now as a trend?

Shannon Murphy [00:27:17]:
I think that we’ve started to see the emergence of kind of a new role in some larger enterprises called BISO, B-I-S-O, business information security officer. And that’s not a replacement of the CISO. It’s almost like a complementary role in order to help bridge that gap, and these two roles are working together in order to influence the best possible security outcomes for the business. And I think that, you know, a challenge and then the tightrope that we need to walk when we’re looking at communication is and maybe this is where this idea of nagging comes from is, you know, when you’re over reporting on individual alerts and you’re really overwhelming people. But then on the other side of that, what you also don’t wanna do is, you know, just paint a really rosy picture in order to make people feel good. Right? You need to walk that line in order to paint a realistic picture that’s tied to the business outcome that you’re after and that is still championing those, you know, security outcomes and often those compliance outcomes that you’re after as well.

Karissa Breen [00:28:26]:
So the other thing I wanna ask you about: so of the 79%, 42% were viewed as overly negative. Now that doesn’t surprise me. Would you say it goes back into what you were saying before around, you know, how to manage people? You know, I’ve been in roles before where it’s like, oh, this person’s quite negative, and maybe they just don’t understand how to manage other human beings, and they get perceived as being negative. So do you think there’s a bit of that in there too in terms of the people perhaps on the front line that are trying to educate these C-suite members might not be the best person?

Shannon Murphy [00:28:57]:
I think that my guidance is always that you can’t bring problems without solutions. And this is just, again, it goes back to communication 101 and really influencing a culture of, you know, good communication within the security practice. So I think maybe the solution to this idea is when you are bringing a problem, you want to have a corresponding plan for how you’re going to tackle it. And I think that that is a really proactive way to engage with the business and make them feel like you’re on the same team.

Karissa Breen [00:29:30]:
So do you think, when you experience people are taking problems to C-suites, they’re being like, well, I don’t have a solution? Or they’re like, hey, I don’t have one, but I’m trying to figure it out? Or do you think they just come and say, hey, this is a problem, and then that’s the end of the meeting?

Shannon Murphy [00:29:42]:
I think it’s all about justifying your request and your investment with sound data, and, you know, the business makes decisions based off of data. So if you’re able to tangibly show, this is how I can reduce the risk. These are our top vulnerabilities. These are our top misconfigurations. We need more headcount. We’d like to leverage a service. By bringing that information to the table, you’re able to have a really solid conversation. So, yeah, I think it’s all about justifying your spend and speaking, again, speaking the language of the business and, you know, finding some common ground.

Karissa Breen [00:30:19]:
And is there anything else in terms of when you’re speaking to C-suites that they’re sort of saying to you in terms of some of their frustrations with security people or vendors, et cetera? Any sort of insight that you can share?

Shannon Murphy [00:30:28]:
Again, like, I do think that, I really genuinely believe that the divide between the business and security is getting narrower. I think that people understand the impact of cyber risk within the enterprise. I think that this is really, really the trend that I’m seeing. And I think that there’s some, you know, best practices when it comes to this as well. You want to be able to tie what you’re doing to the business and IT goals. Right? Businesses just wanna operate in a seamless, profitable manner and make sure that their employees are happy. Right? So if you’re tracking toward those common goals, that is excellent. Any way that you can do that.

Shannon Murphy [00:31:11]:
You want to set goals for your metrics. So if you’re particularly risky in a certain business unit, you wanna have a plan to bring down that risk there and communicate and articulate the impact of that. And then you also want to get past the sort of easy-to-count things. So, for example, malware caught by your EDR or, you know, the list of configurations that you can’t change because if you change it, it’s gonna, you know, dramatically break something. You wanna be able to get to a place to share metrics that are meaningful outside of security as well. I think that these are best practices that are going to continue to influence what I think is a positive trend towards cyber being considered an equal business risk compared to things like operational or financial risk.

Karissa Breen [00:32:01]:
So given everything that we discussed today, where do you think we go from here as an industry?

Shannon Murphy [00:32:07]:
Yeah. For sure. I think at the end of the day, it all comes down to proactivity. I think that this is challenging some conventional thinking that we have had in cyber where we’re constantly in firefighting mode, where we’re constantly having to respond to things and be super reactive. I think that we’re in a place, and we have the predictive technology, where we can actually anticipate the adversary much better and own our own attack surface before someone else can. So being proactive, I think, is really, really key. Second, I think, is around AI and how we can leverage this technology and how we can be aware of this technology in order to better enable our security teams, in order to secure our go-to-market and in order to actually secure that adoption as well, or that infrastructure change that I mentioned at the beginning. And, you know, KB, it’s not sexy, but ultimately, I think really taking care of the basics and using, you know, different types of tools in the market like attack surface management or exposure management or CTEM, these types of things, in order to do that and to discover our risk events, to assess that risk, to prioritize that risk, to get in front of it in order to drive down breach potential upfront.

Shannon Murphy [00:33:24]:
I think that this is absolutely the way forward, and I think that it’s going to make a huge difference in how we secure the enterprise moving forward.

Karissa Breen [00:33:34]:
Just going back to the conventional thinking. So I have seen a shift towards people being a little bit more open-minded to different things. Do you think that it’s just, hate to say it, it’s just time? Sometimes, you know, we have to give people time to, you know, do their own research and to have these conversations with vendors and service providers to actually understand where the landscape is at. Because even when I came into this space more than, you know, ten years ago, people still had a very narrow way of thinking. But to your point, things that you’ve shared with me today, of course, other people that I speak to as well, there seems to be that thinking outside of the box. Will that continue now? Would you say, do you think as well, that maybe some of the leadership has changed? And, again, like, things are changing every day faster than they ever have. So would you be of the belief that if people are not challenging that conventional thinking, that they can be in a real situation?

Shannon Murphy [00:34:26]:
They absolutely can be in a real situation, but where I feel really energized and excited is that people want this. Like, I mentioned earlier that, you know, we partner really closely with our user base and with different CSOs who we work with every day, and they’re coming to us with this need and this want to be more proactive. They want to get ahead of the adversary. They want to have a way to track their risk. They want to be able to speak the language of the business and meet the business where it’s at. So I feel fairly optimistic that, sure, it takes time and research and how are you building your tech stack and, of course, there’s, you know, that’s its own process. But, ultimately, I think the mindset shift is there, and people ultimately want proactive cybersecurity and proactive practices because, ultimately, KB, they’re so done with this fight-or-flight position that they’ve been in. So to me, that’s energizing, and that’s, you know, a sign of things moving in the right direction.

Karissa Breen [00:35:26]:
So, Shannon, do you have any sort of final thoughts or closing comments you’d like to leave our audience with today?

Shannon Murphy [00:35:31]:
Sure. Maybe just, you know, we’ve talked about a lot of different things, from threat landscape and tech landscape, but I think, ultimately, we’ve spent a lot of time talking about risk. And I think what it comes down to is, you know, if you’re measuring risk in silos, this is not going to be the effective way forward because you’re missing context. You’re missing relevant data. It’s impossible to prioritize risk if you’re looking at it in different places and you don’t have a common risk measurement framework that applies to all of those different assets, all of that different data. So in that sense, I do think that this trend toward not just platform, but greater integration as well is really super cool. And, again, I think the vendor community is reflecting the demand that’s coming from the practitioner community. And I think having these two groups work really closely together in order to get in front of things is really positive.

Shannon Murphy [00:36:32]:
And, again, you know, the other trend at the end of the day is looking at, you know, best ways to leverage AI in our day-to-day, whether that’s, you know, you’ve heard a lot about agentic AI and, you know, predictive, you know, chatbots and attack path mapping and all of these different things. All of this great innovation is really coming together to give an edge to the good guys, to give an edge to the defenders. And I think that in cyber right now, we have the talent and we have the investment and we have the speed that is actually putting defenders ahead of the bad guys right now when it comes to leveraging this technology. And I think that that’s something we can have a lot of hope in.
