KBKAST
Episode 331 Deep Dive: Christian Morin | Cyber Security and Organisational Resilience Across ANZ
First Aired: August 27, 2025

In this episode, we sit down with Christian Morin, Chief Security Officer and Vice President of Product Engineering at Genetec, as he shares his insights on the critical importance of moving beyond a “checkbox” approach to incident response, emphasising the value of regular tabletop exercises and fostering genuine security muscle memory within teams. He highlights the convergence between physical security and cybersecurity, arguing for a unified approach that bridges silos and enhances both protection and response capabilities. Christian also reflects on the growing risks posed by connected IoT and OT devices, the challenges of asset inventory, and the cultural shifts required to improve cyber awareness.

Christian Morin is the Chief Security Officer at Genetec. With over 20 years of experience in IT, telecommunications and physical security industries, Chris has a keen ability to anticipate technological trends and drive meaningful organizational growth. He is a multidisciplinary business leader, having managed the Operations, Customer Service, Sales Engineering, Technical Support, Professional Services, and IT Teams since joining Genetec in 2002. Chris’ executive leadership continues to support the strategic direction and success of the company.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Christian Morin [00:00:00]:
My fear is that as a society get numb to these incidents and to these threats that are around us because they’re just so many. Are we going to get to the point where we stop caring about it and it’s like we just live with it. I hope that this awareness is going to make us change our game. Certain regulations and the governments need to also be more prescriptive and a little bit more forceful to hold people accountable because it’s very easy for somebody that has a great idea. And you want market share, you want your product out the door as quickly as possible. You want the latest whiz bang feature to delight your customers. And security is a cost. You want to forego that cost because you want to go faster and you want to make that product cheaper.

Christian Morin [00:00:52]:
But it has ramifications and we still have ways to go there.

Podcast Voice-over [00:01:15]:
Joining me now is Christian Morin, Chief Security Officer at Genetec. And today we’re discussing cyber security and organizational resilience across the ANZ region. So Chris, thanks for joining and welcome.

Christian Morin [00:01:27]:
Thanks for having me, Carissa.

Podcast Voice-over [00:01:28]:
Okay, so the word resiliency, what’s really interesting to me when, I mean in majority of my interviews at the moment is actually all around resiliency. So maybe let’s start there because people are talking about it and it’s, it is sometimes the same sort of thing that I’m hearing. So maybe tell me something different.

Christian Morin [00:01:47]:
Well, I don’t know if I’m going to be able to say something that is fundamentally different, but definitely resiliency is a topic that comes up time and time again. People talk a lot about it, but I would say that people don’t do enough to actually address it. You know, we have, we live in a world where infrastructure is unfortunately very, very fragile. Starting with the actual humans that are part of the system, all the way down to the little devices that are on the end and everything that’s in between. It’s a weakness that is, or I would say the lack of resiliency is a weakness that is unfortunately way too often exploited by the various threat actors.

Podcast Voice-over [00:02:29]:
Okay, so you said before we don’t think people are doing enough. What do you think enough looks like?

Christian Morin [00:02:33]:
You know, it’s, it’s unfortunately in our business and specifically when I talk about, you know, our industry. So Genetec operates in the physical security industry, which is very closely related to the cybersecurity industry, as you would, as you would expect. Yet, you know, physical security always goes on the wayside with respect to proper investments, proper lifecycle management and proper, we’d say, just injections of capital to make these systems either more resilient, more performant and keep them up to date. So definitely in my space, I see that, you know, unless a major incident happens, and not just in my space, we’re not the ones that have the monopoly on that, but major incident happens, you’ll get budgets. But more often than not, the mentality of the physical security industry is one of set and forget. I install something, it goes with the life cycle of the facility, of the building, and I’ll get to it when I absolutely have to in the next seven, 10, maybe 15 years. However, as we’ve seen over the last few years with IoT devices in general, you know, these actually pose a real threat and a real risk to organizations if not maintained appropriately or adequately.

Podcast Voice-over [00:03:50]:
Okay, so if you look at a bit of a timeline, like I’ve been in this space like maybe 10 or so years, maybe a little bit longer, and one thing that was really interesting to me, especially when I was working on the other side, on the practitioner side, would be we’re there to try to prevent something from happening. So we’re in that mindset then. We sort of are in the mindset now. It’s like, well, we’re going to get breached. It’s a matter of when. But now we’re in the mindset of like, hey, a hundred percent something’s going to happen. It’s just about how quickly can we recover from a resiliency perspective in terms of operating, getting back online, no real impact to business operations, would you say, given your experience in your role, is that where people, they sort of succumb to the fact where it’s like, well, we’ve had enough around trying to think about, well, it’s not about preventing a breach. It’s just about it’s going to happen.

Podcast Voice-over [00:04:36]:
It’s. It is getting into that resiliency mindset because we’ve obviously seen it change. So where do you think people sort of heads are at at the moment in terms of that pace? Because like I said, it has sort of changed over time given the volume of attacks that are happening out there. I’m just curious to maybe unpack that a little bit more.

Christian Morin [00:04:54]:
Yeah, you absolutely good point. And also it’s not just about responding as quickly as possible and getting back operationally, but also trying to limit the blast radius as much as possible if something does go wrong. Right. So there’s. There’s too much, I would say too much connectiveness or I would say there’s too much kind of flat infrastructures that are out there. So in the event that something goes wrong, you know, it’s not compartmentalized enough, therefore, the impact is much greater. So actually, even though you are prepared for responding in an incident, you know, is the impact properly, again, compartmentalized? And will it just take down my whole system or my whole operation? Just parts of it while, while I deal with it. So that, that is something that is not, I would say, adequately done by many organizations today.

Christian Morin [00:05:47]:
And the other part is, even on the response side, human beings are bizarre creatures. Is again, you know, yes, that is the right mindset to have. You know, something’s going to happen, right?

Podcast Voice-over [00:05:58]:
It’s.

Christian Morin [00:05:59]:
You’re either in two camps, right? Either you’ve been hacked or you’ve been hacked and you don’t know you’ve been hacked kind of thing. So, yeah, something’s going to happen. So how do you detect and you respond as quickly as possible. But how many organizations don’t even have a proper incident response plan? It’s quite alarming. And I see it ourselves as we do vendor risk assessments with the various organizations that, you know, want to sell us stuff, whether it’s, you know, cloud software or cloud services or furniture or whatnot. You know, many organizations still to this day lack incident response plans. So how can you actually have any form of resiliency if you lack some of the basic fundamentals?

Podcast Voice-over [00:06:37]:
Okay, so this is the part that gets interesting. So a lot of people talking about AAP incident response plans, we’ve got to be prepared, all this sort of stuff. So in your eyes, what do you think is critical in an incident response plan? Because everyone’s like, you know, you’ve got to do all this stuff. Because I just think sometimes in this state of chaos and panic, people aren’t thinking clear to be like, okay, well, let’s bring up the plan and let’s go through this systematically. Like, people are just like, let’s just try to get out of this problem. Because I’ve got. I’ve got people tweeting out of their mind. I’ve got the media calling me.

Podcast Voice-over [00:07:06]:
I’m super stressed out. Like, I’ve got my wife and kids at home. Like, I don’t have time for this. I just need to get out of this instant. Like, people aren’t thinking logically like we would when we’re practicing it. Right. So when people start to get into that mindset of chaos, where do you think sort of it starts to really go wrong now?

Christian Morin [00:07:24]:
So I think that one of the mistakes that some people make, or actually the way that some people look at IRP is that it’s, it’s a checkbox item, right? And that’s, that’s not how it has to be looked at. You know, it’s like anything in life, practice makes perfect. And if you never have an incident and you never respond to any incident, you might have the best, best thought of plan in the world. When the incident happens, you’re probably going to forget that there’s a plan and you’ll be too much in a panic to actually exercise it. So, you know, for me, it’s not so much the plan itself, but the planning piece that is invaluable and the activity by which you review the plan on a periodic basis that you conduct tabletop exercises with the appropriate individuals and parties so that now even though it’s not real, you, you kind of do have a little bit of practice. So when the thing actually does happen, you know, the first thing you’re going to do is not going to go. It’s like, let’s look at the incident response plan, page eight, tell us what it, what we should do. Because that’s the last thing on your mind at that point, as you said.

Christian Morin [00:08:30]:
So if, if you have exercised it and you have gone through the motions a few times, and every time there is an incident, you take the time to do a postmortem look at the incident response time. Did we actually follow what we had outlined or did we improvise a few more steps? Do we need to modify it and have this kind of discipline and looking at it not just from a checkbox exercise, I think there is value in there and will leave less to chance and to chaos when a real incident does occur.

Podcast Voice-over [00:09:01]:
Okay, so there’s a couple of things in there we want to go deeper into. When you said it’s not a tick box exercise or checkbox exercise, how do you people determine whether. Yes, a hundred percent. I’m just doing this as a tick box. What, what are some key indicators, would you say, given your experience?

Christian Morin [00:09:16]:
So you’re, you’re going to see it based on the data that is provided? It’s hard to distinguish, right? So at least within, within an organization that you control, within the people that you work with, you can see the ones that are just kind of just checking the box just by the depth on which they do it. It’s not just the plan itself, but what are the activities surrounding that plan? And do they have any artifacts or any items that they can provide you to actually prove that they are actually following through with whatever it is that is written in that plan? Right. So if it’s just here’s our plan and that’s it, yes, it might be fine, but you have to ask second level questions and dig a little bit deeper with respect to how are they actually operationalizing it and what’s their overall philosophy to security.

Podcast Voice-over [00:10:09]:
And what would a second level question look like as an example?

Christian Morin [00:10:11]:
So first thing is like, you know, do you have actually any incidents? Right. So how many incidents have you had in the. In the last year, you know, and how have you addressed these incidents? How do they fit with respect to your incident response plan? Do you do tabletop exercises? So at what frequency? What type of scenarios do you simulate? So these would all be types of questions that, in a dialogue, I would try to kind of dig a little bit deeper to see, you know, if they just have this on a shelf somewhere collecting dust or if it’s something that’s being exercised on a regular basis. And, you know, incidents don’t necessarily mean that there actually has been any impact per se. So you can have incidents, which, you know, you. There was an event, there was an incident, but, you know, there was no material loss or whatever. So, you know, every organization has them. So that would also be, for me, an alarm signal if, if somebody says, you know, everything is hunky dory and we have no problems whatsoever.

Podcast Voice-over [00:11:04]:
Okay, so I want to talk about. And this is related to what you’re. What you’re discussing here now would be common sense. So.

Christian Morin [00:11:11]:
Which is not so common.

Podcast Voice-over [00:11:12]:
Well, exactly. Right. So I. Okay, so what I asked that because there was a show back in the day. I’m going to give you an example. You got to hear me out on this example is that Undercover Boss show. So it’s like the executive that sits in his ivory tower as the CEO would go down at the coal face on the front line with the customers, but then was like, completely useless and had zero common sense. Right? So sometimes what we start to see is, yes, we have these amazing plans that look incredible, but then when push comes to shove, people’s common sense to seem to, like, fly out the window.

Podcast Voice-over [00:11:44]:
And it’s like each incident is going to be different. Yes, they’re going to be in the same family. But then would you say, generally speaking, people’s common sense seems to lack when something’s happening?

Christian Morin [00:11:53]:
If you have the right people, again, it’s about having the right people, having the muscle memory, having practiced it a few times. And for me an incident response plan is just like any other process. And we have a saying that we use often at Genetec is process is no substitution for thinking. So yes, it’s meant to capture maybe the 80% of the run of the mill kind of things, but every now and then you’re going to get something that doesn’t fit in the mold. And having a process that covers a hundred percent, well, the process is too complex and convoluted and you’ll never be able to get there or it’s going to be just way too complex that it’s going to be extremely heavy for the organization. So having the right process covers most of types of the incidents. And you know, in, in your incident response plan and some of your SOPs, you’re going to cover some of the run of the mill stuff. Every now and then you have this more major incident which requires the right individuals to be brought in, people that can actually think clearly and not be bound by the shackles of said incident response plan or process.

Christian Morin [00:12:59]:
Because definitely the bad guys aren’t.

Podcast Voice-over [00:13:02]:
And you said before collecting dust, would you say at the moment, and this is, this is just a general sort of outlook on what’s happening. Would you say most businesses in terms of their IRP just collecting dust?

Christian Morin [00:13:16]:
No, I wouldn’t say most businesses. I would say unfortunately, well, some businesses simply do not have an IRP. And in some of the compliance that I, that I’ve seen and also we get that often from, you know, engaging with various auditors that, you know, look at organizations where you know, their whole ISMS is predominantly a quote unquote compliance activity. And then there’s, there’s a gauge in terms of what we do just to meet the standard and check the box that we’ve done it versus we’ve actually internalized and change how, how we do things internally. Cyber awareness is, is an example that I can use. You know, cyber awareness needs to happen all the time and needs to happen through various different channels or mediums. Right. It’s not just something you do in October because it’s cybersecurity month and you kind of do a poster and you do a public blog post that we take cybersecurity seriously and you know, all our employees take that at heart.

Christian Morin [00:14:17]:
So there’s many things that you have to rewire yourself and you have to change how you look at things as you operate a business. You know, if I do the parallel with physical security or more in the physical realm, you know, like people have locks on their front door, people have locks on their car. They, they unlock it, they lock it. They understand what could potentially go wrong with somebody stealing the car, breaking and entering, not even breaking, just entering your house, maybe stealing something. The cyber landscape for many is still so abstract. It’s not something that is innate in the same way as, as what has been ingrained in us over the years with, with the physical side of things. So it’s still this transformation that needs to take place. It’s a cultural shift.

Christian Morin [00:15:07]:
It’s going to still take many, many years. I would say some of the younger generations are more attuned because their whole life is digital and in some cases, you know, they’ve been potentially phished or their accounts taken over. When they were kids, you know, for example, my, my own kids, their Roblox accounts hacked and taken away from them. Right. So as a child, when that happens, you know, it really kind of forms, you form in the future. So they’re seeing that cyberspace is more dangerous so that the awareness there I feel is getting better and better and better. But we still have the demographics in society. We still have people that don’t get it and are extremely vulnerable to it.

Christian Morin [00:15:48]:
So it’s a very complex problem and some people don’t understand the ramifications and they see it as a compliance pain in the behind and they will do the minimal amount of work to meet those compliance requirements without necessarily doing what this, I would say regulation or certification or whatever was, was meant to address in the first place, which is to address a real risk and trying to get people to change their behaviors.

Podcast Voice-over [00:16:18]:
Okay, so I want to slightly switch gears and talk about the physical world, which is where you guys play in. Right. But, but the part that’s really interesting to me is the convergence of those worlds. So do you think companies are aware of how the physical sort of devices are really the gateway for nefarious actors to gain access into networks, for example? Because we’re seeing this a lot in the OT space, you know, critical infrastructure. So not only are you thinking about the cyber world, you’re thinking, well, we’ve also got a whole physical world that they need to work together. Right. So I want to get into this because I find this super interesting because now we’re adding more complexity to the problem.

Christian Morin [00:16:57]:
Yep. And you know, I think the big wake up call for the world was Mirai back. Was it 2016? 2017. That botnet that did that massive distributed denial of service attack, you know, that was a wake up call as to how these IoT devices, these small devices, which are very innocuous and mainly it was like it was edge routers, like small home routers and even surveillance cameras and small video recorders that, that predominantly made up that botnet. This was a wake up call on as to, as to, you know, these devices are small computers and, and we have to secure them. We’re thinking about servers, we’re thinking about laptops, we’re thinking about cell phones and tablets, but thought about all these, these millions of devices, these tens or hundreds of million devices that are all over our network, right. And with everything becoming smarter, you know, smarter buildings, right? So you have smart light switches, you have, you know, your HVAC, so you have all your thermostats, you have in our space, you have your access control, so you have your actuators that locks and unlocks the doors and all these sensors, you have your cameras. So you have all these devices in these facilities.

Christian Morin [00:18:06]:
They’ve been there for a very long time. And in some cases you have these more legacy devices that are using very ancient protocols such as BACnet or Modbus that are being connected to the Internet. For sake of maintainability, for sake of providing, I would say, more value to the users or the operators of these facilities. They’re connected to the Internet now via small gateway devices. And the world, I think, is more aware than ever of this threat. However, I think there’s still a lot of work to be done. Because even though you’re aware that this is a threat, I would say many, many organizations, especially on the, on the cyber side. Right.

Christian Morin [00:18:46]:
Many CISOs, you know, have very poor visibility on the inventory of all these devices that are in their network. I’m seeing more and more convergence where physical security and information security, cybersecurity is coming together within organizations as opposed to being within two silos, which is typically the way how things are today. So physical security does bring a significant amount of physical sensors to the table, but just, you know, facilities and building management piece also has a lot. But physical security is closer involved there than, than IT and cyber.

Podcast Voice-over [00:19:28]:
Yeah. Okay, so this is interesting. So would you say that people are still looking at cyber security and physical security as independent streams or silos, as we say here? Got it. So then how do we get closer to that being sort of more. There’s, there’s more interdependencies with both of them, given what you said. Right. In terms of the gateway and how. How it could open up a lot more other problems.

Podcast Voice-over [00:19:51]:
How do sort of people get into that mindset moving forward?

Christian Morin [00:19:54]:
What I often say is that there is no such thing as physical security and cybersecurity. It’s just security. Right? The main difference between the two is like the threat vectors are different and the controls protect against these vectors are also different. But at the end of the day, you’re protecting assets, you’re protecting people, you’re protecting facilities. It’s just different ways. So I advocate a lot for a fusion of the two, and some organizations have actually went down that path, and you still need to have specialists in both. And depending on the nature of your business, you might have more physical controls and less cyber controls, or vice versa. Again, depends.

Christian Morin [00:20:40]:
It really, really depends on your business. When I meet with customers on the physical security side, I always try to steer them towards talking or engaging in a dialogue with their cyber counterparts, because their cyber counterparts are not there to make their lives a living hell. They’re there to help them and they achieve the same mission as they are. Often, unfortunately, cybersecurity and organizations, the teams still have, I think, to this day, a bad rep. People are often scared to interact with them because they feel that they’re always going to get a no as an answer. So they’re trying to find out ways to kind of work around that so that they can get their job done with the least amount of resistance. But when I see that there is an interaction between the two, it actually helps make things better. And more often than not, the answer will be yes. And by the way, did you know that you can also do this, this and that, and the people on the physical security side, which probably don’t even know, don’t know.

Christian Morin [00:21:44]:
Most of the technical intricacies of what’s happening in the cyber world are inventing obstacles. So we need to get people to talk more.

Podcast Voice-over [00:21:52]:
So you said before, it’s not physical or cyber, it’s a security. So do you start to see that as just being security now, moving forward? Because, like, back in the day, it was like, you know, cyber is an IT problem, cyber’s a business problem. Like, we’ve heard all these things, right, over the years. So do you think this is what’s going to happen now, moving forward? Because also one thing that probably people don’t understand is like, physical could be. I think even here in Australia, there was a breach that happened through a connected fish tank here in a casino or something. It was a while ago. But like that physical device, that was a gateway into having other problems, right? So people have got all of these things in their businesses or whether it’s the technology because they’ve got to run all these remote meetings and stuff, because people work from anywhere, from home, all over the world. So there’s so many things now that people do have those physical devices.

Podcast Voice-over [00:22:41]:
So do you think that this is something that we’re going to start to see? It’s just security?

Christian Morin [00:22:46]:
I hope so. And when you think about it, a lot of the, you know, if you look at all the security frameworks, you look at NIST, for example, it’s not just about cyber. Actually a big part of the controls are also physical controls, right? Physical access to the servers, all your cyber controls are to an extent useless if I can physically get access to the machines that’s running everything. So, you know, all of this kind of plays hand in hand and you have to have a holistic view of things and look at, you know, what is the landscape for your organization and invest where it makes the most sense and have these different layers which are both a mixture of physical and cyber controls.

Podcast Voice-over [00:23:33]:
So if you were to sit like a typical cyber person down talking about physical stuff, do you think that they’d pass the test? And the reason why I sort of asked that is like a lot of people are very focused on the application, all these other sort of things, right? Which is so many levels above than like, like you said, if you can physically get in there, then it’s like it’s game over. Then the rest of it doesn’t really matter. Then how do you think that would sort of sit with the knowledge or perhaps the knowledge gap that may exist in terms of the physical side of it, Cybersecurity? Like, yeah, there’s basic sort of physical stuff, but it wasn’t something that was really like drummed into you.

Christian Morin [00:24:06]:
So there’s, there’s two aspects, right? So there’s the actual physical protection of the assets. Therefore, if you look at, you know, a building, there’s fences, there’s barbed wires, there’s gates, then you have physical access control and various different policies. At one point you can actually start having some form of convergence with logical access control, right? So even greater control over the authorization because you can actually have not just the logical components, but also physical training triggers in your business logic for that. So there’s opportunities there, but there’s just the general physical security piece. But the physical security piece, the technology that is used to implement physical security is IT and OT technology with a ton of IoT like devices more often than not connected to like all the base building systems. So it’s also the, the peering into the window that’s behind the scenes of what actually makes physical security happen. It’s not just barbed wire and guard dogs. Right.

Christian Morin [00:25:12]:
There’s actually a lot of technology that goes into that and you can’t ignore that technology. So it’s also a way to get deeper into the IoT slash OT type devices that are out there in the world.

Podcast Voice-over [00:25:25]:
So would you say that people have typically ignored this in the past?

Christian Morin [00:25:30]:
Like in the past past? Absolutely.

Podcast Voice-over [00:25:31]:
Wait, wait, what would define past past?

Christian Morin [00:25:33]:
Like, like, I would say, like even just go back like 10 years ago, completely ignored. It wasn’t even on the radar. Now it’s on the radar. I would say, like most CISOs, like, if they don’t know that IoT devices and all these technologies are something they should consider, they, they’re probably in the wrong line of business. So I think it’s. They’re aware of it. However, actually executing on it and understanding what’s there is a, is one hell of a challenge. Just making an inventory of everything is tough because it hasn’t been.

Christian Morin [00:26:03]:
It’s not usually managed by IT. It’s managed by, for example, the physical security organization. It’s managed by the facilities team. It’s managed by, I don’t know, marketing or whatever because they’re doing something special on the side and they’re putting their little widgets on the network. So it’s everywhere. And it’s extremely hard to get a grasp on it. So having a, a complete inventory, it’s hard enough in the traditional IT space with servers and workstations and whatnot. On the OT side, it’s like, even harder.

Podcast Voice-over [00:26:35]:
Yeah, okay, this is interesting. Even when I was in cyber, there was a physical team. Like when I was working in a bank, no one at any stage from my understanding ever came and spoke to us about anything. And this was a bank. Right. So how do we start to really close that gap? What was some you said before talking to people and that sort of stuff. But what about like executives? They are starting to become more aware that, like, hey, we have all these IoT devices, we’ve got all these connected things that we’re working on that we’re working with every day. Therefore we need to pay attention to this.

Podcast Voice-over [00:27:07]:
How do we as an industry start to close that gap, get them working more in tandem. Understanding that the physical could be the gateway into the security in terms more security issues. Cybersecurity issues. What would be sort of your advice then moving forward?

Christian Morin [00:27:20]:
We ourselves as an organization at Genetec, you know, we’ve taken the approach of just raising awareness at whatever opportunity that we get. I know for myself I speak with customers when we speak at conferences, is to show that, you know, that little IP camera that’s connected there can be a gateway to your networks, right? And you know that camera needs to have its lifecycle managed, it needs to have its patches applied when a new security vulnerability is found and there’s a fix that is applied to it. Because again, it is a mini computer. These devices can be gateways even if your network is air gap, right? Because you know there’s, there’s many ways around air gap networks. As, as you very well know. You know it’s, it’s a protected check protection mechanism, but it’s not a silver bullet in any way, shape or form. So you know, these devices can be impactful and the bigger picture is like not only can they be used as a beachhead to access other information systems within your organization, be it the ERP or the CRM or whatever to get access to like maybe source code or whatnot, but in the security systems actually operate in the real world. Right.

Christian Morin [00:28:44]:
If you’re looking at an access, physical access control system, these systems lock and unlock doors. They can prevent people from getting in, they can prevent people from going out, or they can allow the wrong people from going in. Like bad things could happen if these devices are taken over by somebody with ill intent. And this is easily demonstrable. And this is why, you know, people that are in a position in the cyber side need to reach out to their counterparts on the physical security side. At the very least, ensure that they’re doing the right things to manage that infrastructure and if not, lend them a hand and work together in managing it. You might have a piece of software that allows you to manage all the different devices and do the auto updating and managing that systematic with the. Or you might not.

Christian Morin [00:29:38]:
Or if you’re on the physical security side, reach out to the cyber guy. Your security system is completely useless if it’s compromised via cyber.

Podcast Voice-over [00:29:46]:
So what is it do you think people don’t get about physical security? Is it just one of those things where it’s like, oh, it’s fine because it’s physical and therefore it’s like it has to be fine. Like you said, physically locking and unlocking the door and all these sort of things, I mean that’s quite a rudimentary example, but is it that people just assume it’s fine?

Christian Morin [00:30:04]:
I think people don’t know the extent of the devices and the connectivity that’s behind the scenes that make these systems work today. They were once, you know, you think just use, look at the acronym CCTV, Closed Circuit Television. There’s nothing closed circuit about CCTV. Modern CCTV systems, in fact they are extremely connected. Therefore they pose a very significant risk because of their connectivity if it’s not managed appropriately. So people think of these physical security systems. They’re locked, they’re not connected to the outside world. It’s relatively low tech.

Christian Morin [00:30:43]:
It’s maybe locks and just these credentials, but there’s some tech and it is vulnerable and it is connected. So there’s way more to it than just what you see on the facade.

Podcast Voice-over [00:30:57]:
Yeah. Okay, now that, yeah, that’s interesting because I think that again, it’s going back to that assumption and it’s sort of the example I always use is like when we’re at home and we turn the light on, it just works. Right. But when it doesn’t work, you’re like, oh my gosh, like the end of the world. Right. It’s just the assumption you’re not really thinking about, well, how does electricity flow and how does the light and all that sort of work? Because it just, it’s just so ubiquitous now, like devices that we just assume that it works, but when it doesn’t work, there’s a huge problem. And like you said before in that blast radius side of things, and would you say on the blast radius, is that the part as well that perhaps people just don’t really consider to be like, hey, there’s one little device that no one even probably knew about has caused this much, this much issues in terms of the damage. Because I have heard this in a retailer, I think someone had some device at home, they connected their machine and then all of a sudden it really impacted a bunch of things in terms of their actual network.

Podcast Voice-over [00:31:51]:
I’ve actually heard these examples and I think it was they were at their parents’ house and something had happened. So it was like not even their own home. So do you think that people are just unaware of the chain reaction as well?

Christian Morin [00:32:04]:
Absolutely. You still see it today in some of the higher profile, even breaches that occur. And this, this, we’re probably going too much on the supply chain side of things. But you know, outsourced call center in the Philippines and agent there got malware and then they made their way where the crown jewels are located. Right. So it happens more so than we would think and we would like. But, you know, when you don’t see it, it’s hard to visualize.

Podcast Voice-over [00:32:33]:
And the interesting thing is that’s just how it is. That’s how the world is now because of this, you know, I would say before this, people working from home, but since the whole Covid days, 2020 is, it’s just been instituted now that people are going to work from anywhere, they’re going to work around the world. So it’s just, it’s just the way it is now. So what do you think sort of moving forward? Like, what are your sort of hypothesis or thoughts? What do you think’s on the horizon?

Christian Morin [00:32:53]:
On the horizon with respect to what’s on the horizon? So what I see on the horizon is just continuing that general awareness again, you know, I spoke about the culture shift that we as a, as a society need to continue to undergo. And again, being a change of that magnitude is going to require time, it’s going to require repetition. My fear is that we as a society get numb to these incidents and to these threats that are around us because there are just so many, you know, are we going to get to the point where we stop caring about it and it’s like we just live with it. I hope that, you know, this awareness is going to make us change our game. And this is one where I find that, you know, certain regulations and the governments need to also be more prescriptive and a little bit more forceful to hold people accountable because it’s very easy for, especially, you know, in tech for a, somebody has a great idea and knowing you’re in a startup, you want market share, you want your product out the door as quickly as possible. You want the latest whiz bang feature to delight your customers. And security is a cost. And you know, you want to forego that cost because you want to go faster and you want to make that product cheaper.

Christian Morin [00:34:28]:
But it has ramifications and we still have ways to go there. So we have to continue beating that drum. You know, regulations are popping up all over the place more and more. They are holding, I would say, vendors more accountable, which is good. But also large corporations that are responsible for the spend also need to be held accountable for putting the right controls within their own organization, not just the technology vendors.

Podcast Voice-over [00:34:52]:
So, Chris, do you have any sort of closing comments or final or absolute final thoughts you’d like to leave our audience with today?

Christian Morin [00:34:59]:
I’m going to go back on the convergence of physical security and cybersecurity. I think both go hand in hand quite well. They’re just one security and you know, there’s tons of, I would say there are so many opportunities to bridge information and have controls that span across both worlds. That will only make the overall security posture that much better and make the bad guys’ jobs that much harder. I think we need to continue on that direction and I think it’s an outreach that needs to happen. It’s not just on the cyber folks to reach out to the physical folks and vice versa. I think both need to reach out and to have that dialogue because I think if the forces are joined together, it can only just make everybody’s life easier.
