Afternoon Cyber Tea with Ann Johnson 6.13.23
Ep 77 | 6.13.23

Best of Season Six


Ann Johnson: Welcome to Afternoon Cyber Tea. I'm Ann Johnson. Today as we wrap up a fabulous season, we are going to listen back to a handful of top insights and advice from our season six guests. We had an incredible lineup of experts and industry luminaries, and I learned a ton this season, and I hope all of you did also. We will start by digging into the top trends we heard this season, from advanced cyber threats to cyber challenges and opportunities of healthcare to business resilience and more. Adam Malone, Jason Barnett, Josephine Wolff, Roland Cloutier, and Sunil Yu will take us through the issues shaping the world of cyber in the last 12 months. I know your time in the FBI, you're involved in several high profile cyber investigations and a lot of events. When you were leading these investigations were there any surprising trends you were seeing again and again? And are you still seeing the same type of trends today?

Adam Malone: I think the answer to both of those questions is yes. You know, I think the first observation that I had is it really all comes down to people at the end of the day. And so, you know, people always played a pivotal role in either preventing a crime occurring or advancing a crime, sometimes intentionally or unintentionally, but that was a big piece of it. You know, I think today, we still hear about the threat of business email compromise. And that's been the most significant financial technology enabled crime, I think over the past two decades. And it was a big thing then, right. And that really relies on people preying on our comfort with one another, and our communication skills, and sometimes our willingness to been processed to ease our actions. And so that was a big thing that I saw a lot in the FBI.

Ann Johnson: So starting at the industry level, Jason, I would love to get your point of view on some of the challenges leaders in healthcare are facing when it comes to cyber. What's unique about the challenges, have they mostly stayed the same over the past few years or are they evolving?

Jason Barnett: They're absolutely evolving, and the impact is increasing as well. I mentioned earlier, you know, the average as our adversaries mature and evolve, their reach has gotten broader. And as a result, more areas of the business are impacted. So no longer are the days that somebody clicks on something and it affects the local PC that a user is operating on. Today, if somebody clicks on the wrong thing, you can have an operational incident across an entire enterprise, affecting all of your applications, affecting all lines of business and you find yourself in a position of having to reassemble that. So I think that's consistent from industry to industry, in terms of what the impacts are. Oftentimes, healthcare is reputed as being behind the technology curve or the immature industries on the technology curve. To whatever degree that's a correct statement, regardless of what side of that argument you fall on. Healthcare is becoming more dependent on technology, both in terms of how care is delivered, technology is used in how decisions are made. Technology is used more heavily in processing payments and claims. It's touching every aspect of the healthcare business.

Ann Johnson: Could you give us a brief history on how the cyber insurance industry has changed and evolved since its initial inception? And what were the initial goals and motivations of cyber insurance providers then? And how has that changed or stayed the same over time?

Josephine Wolff: Absolutely. So I think one of the things that's often surprising to people is how long cyber insurance has been around that we've, you know, gone almost two and a half decades now, with varieties of these policies available for purchase. But you're absolutely right, they've changed an enormous amount over that time, which isn't surprising when we look at sort of how the cyber threat landscape has shifted. So if you rewind all the way back to 1997, when sort of the first cyber focused policy is offered, there's a lot of fear around Y2K. There's a lot of fear around sort of what of all of the computers suddenly crashed either because of malware or because we haven't prepared well enough for this changeover in dates. As a few more companies, I would say especially in like retail start to buy these policies, those concerns are heightened somewhat by states in the United States starting to pass these data breach notification laws. And so that begins sort of 2003, 2004 we start to see more and more states getting interested in that led by California. And those laws start to make companies more concerned about these breaches of personal information of their customers, because now they know they're going to have to report those breaches. They're not going to just be able to sort of sweep it under the rug or not tell anybody about it. And as soon as you start reporting them, you run the risk that your customers are going to file lawsuits. And now, sort of I would say starting around 2015 to 2017, we start to see increases in ransomware. We start to see a lot of concern about sort of infrastructure being compromised and operations being shut down by cyber attacks. There's much more interest in how are we going to pay extortion related costs. How are we going to compensate for lost business during outages related to cyber attacks. And you've seen these cyber insurance policies really expand.

Ann Johnson: So, look, the world has changed a lot since then, right? It's gotten more treacherous over the years. Right now I'm giving a talk with Nadav Zafrir from Team8 on geopolitical resilience at RSA, which is happening, you know, right after we're recording this. And we're putting out a call to leaders that they have to think about how they're going to plan for geopolitical resilience as well as cyber resilience and these inevitable global events and the issues we're having. I'd love your take on this. How do you think leaders in organizations are needed today to build capabilities to ensure success amidst this challenging global environment? And what role does the cyber team play in building these capabilities?

Roland Cloutier: It is such a multi level question. And not that I've lived this for the last few years. But, you know, I'll give you my take on it. So I think foundational bottom line basics where chief security officers, chief information security officers, EI, EIOs, however you want to look at them, they have to understand business resiliency, and really that three legged stool. You know, the business continuity and business impact analysis and how your business works, they have to be business leaders. They have to understand the difference between disaster recovery and continuity of operations, or old school, you know, government folks like you and I kind of cogs. And then the third component is crisis management, and not just cyber incident IR crisis management. I'm talking about business impacting events that require strategic and tactical senior level capabilities to manage through, you know, crisis problems for the entirety of the business. So I think if you focus on those and you have the ability to understand your business, understand what has to be in place in order for that organization to operate. And what are the critical functions that impact the normal operations of business, you're in a great spot.

Ann Johnson: So when you think about that, then, and you think about protect, detect and respond, and the fact that organizations continue, right, down that path, how do you shake them up? How do you get them to change their thinking and move to a point where they realize because I, as you know, I've written a blog a lot and spoken about cyber resilience for the past four years. And you need to understand where your critical business systems are, and get them back online as quickly as possible is the core of it, right? But how do you get organizations moving when they're really tied into the past technologies an the past methodologies and the past architectures?

Sounil Yu: Yeah. So I took a different approach, which attempted to take a complete break from our old way of thinking. And if I were to distill it into a common framework that we in security are familiar with, I used a whole different paradigm or a whole different perspective. And the old way of thinking is what we call the CIA triad and security, and CIA stands for confidentiality, integrity, and availability. The new paradigm or the new way of thinking, one that I tried to take a complete break from is what I call the DIE triad. And DIE stands for distributed, immutable, ephemeral. And the acronym by the way, is intentional as well. So that the DI triad takes a complete break from the CIA triad.

Ann Johnson: Next, we will cover the ever interesting world of cyber investment and capital. The state of the global economy presented new challenges for investors, founders, and stakeholders alike. Chenxi Wang, Dave DeWalt, and Jay Leek offer their perspectives.

Ann Johnson: So can you talk about the last few years and how there's been this huge wave of capital invested in cyber? Why has cyber been so attractive, and then what do you see right now?

Chenxi Wang: So cyber has always been an interesting industry where it may not be as sexy as consumer tech 10 years ago, but it's always been there the undercurrent of technology that everybody needed. And as you and I both see in the industry in the last five, six years, we've seen more and more regulations and compliance requirements that companies announced do spending more money and require more talent to run their cybersecurity operations, and also the threats have changed tremendously. And we've seen more innovations in cyber in the last 10 years than maybe all the years combined beforehand.

Chenxi Wang: And those factors led to what we call a hot rising market in the last two years or so, 2020 and 2021. And I will say the pandemic accelerated the growth because moving from a campus centric company culture to remote working, one of the first factors you have to put in is networking, and it's secure networking, right? Secure remote communication, secure remote access, and all that came back to security. So we saw a tremendous growth in the requirement, in the investment in security technology through 2020 and 2021, which led to a huge infusion of capital.

Ann Johnson: Before we look ahead for a second, can we go all the way back a couple of years? Tell me as investors, you know, what your thesis was? What made a company attractive to you? Why did you just choose to invest in some companies versus others? What type of criteria were you looking at?

Dave DeWalt: Yeah, I can start, Ann. You know, I'm investing, you know, pretty heavily since 2012. A night dragon, this is our 10th anniversary here of investing. I think 41 companies now will pull, you know, probably not near the breadth that Jay has like. You know, we're looking at -- largely I look for at least in the cyber markets a major threat problem that has yet to be solved. That's one of the reasons I became CEO of Fire Eye. I mean, at the time 2012 window Fire Eye was a 10 million revenue company. And nobody really heard of an APT. Well, they had, but not by much at that point. But advanced persistent threats became a new vector of attack, especially in which ways that the attacks were coming in. And I was looking for technology that could solve a major threat problem. My largest thesis with Night Dragon has been all around now. We're are the biggest threats and worse in the world, and what commercial defense can meet that threat in a way that we could hyper scale it with growth capital, to kind of meet the valuation opportunity that's out there.

Ann Johnson: Next, the lifeblood of the cybersecurity industry. As one of our guests puts it, cyber startups and innovations. Marene Allison, Microsoft's Chris Young, and Michal Braverman-Blumenstyk talk about the role of startups and founders have been driving the industry forward and solving some of the most challenging issues. So why is it your view that it's so important to have this vibrant security startup community?

Chris Young: Startups are, they're the lifeblood, I think of our industry. I think th true in broader tech. And they're also, it's also true if you double click down into cybersecurity. And the reason is they move us forward. Here's a good example. I talk about this all the time, which is, you know, if I think about just take endpoint security, until companies like Silance and Crowd Strike came along, a lot of the endpoint security industry was -- it was AV signature based. And in today's world, we've all moved on. Why? Because innovation happened. It didn't happen in the big companies. It happened in the startup landscape, happen to be a bunch of McAfee alums that went out and did it. You could argue about, you know, the outcomes of the companies, you know, obviously CrowdStrike has done really well. We don't see Cylance as much anymore. They're part of Blackberry. But they push the industry forward in a unique way. And I think we're all better off for it.

Ann Johnson: What excites you about the technology we have today and the promise of the technology today? And on the flip side of that, what do you worry about? What do you think the criminals can do based on the technology we have, we are leveraging today?

Marene Allison: I have seen technology change all the way from rack apps and mainframe computing and no Internet to Internet Voice over IP. And it would be very easy for Austin Security to worry about all the gremlins that are going to be there. I think we have to understand how the gremlins might attack the technology. But if we were to do that, we'd still have rotary phones, and we'd have no connected computer devices. And we can't. we have to lean into the future. And especially as data and AI and ML become the way the universe, but think of what can happen. A doctor can read, I think I saw 80,000 articles in their entire life. But can you imagine what a computer can read and all the data it can pull forward? So when as we're trying to solve disease states, you're going to have this huge computing power that's going to be able to look at all this data and look at correlations, like, humans can never look at correlations. Yes, maybe with 5G or quantum computing, it's, oh, somebody's going to crack encryption codes. Yeah, they will. It just is going to happen. Let's plan for it. And let's move to the future where we can overcome that, because when you can use quantum for bad, you will also use it for good in security and in healthcare and banking, all the different areas is going to help us as well as create a potential risk. But we've lived our entire lives. And for centuries, that's how people have lived. You see the new risk, and you move through it to protect and that's what we do as cyber professionals, we get to come up with all those solutions now.

Ann Johnson: Israel, it's been a long center for cyber innovation, and some of those cutting edge technology companies come from Israel. So tell us why that's the case. What makes Israel so special?

Michal Braverman-Blumenstyk: So first of all, you're absolutely right. There is a lot of innovation in cybersecurity. And in high tech in general, that comes from Israel. As a matter of fact, you know, Israel is not a big country, it's only it's less than nine million people, which is about.1 percent of the broad population. But if we look at the investment in cyber, the investment in cyber are in Israel are 38% of all global investments in cyber, which I find amazing.

Ann Johnson: Part of that role I know is looking into the future and determine what technology and engineering investments Microsoft needs to make, how to empower our customers, how to keep our customers successful. So what has you excited? What technology are you thinking about right now?

Michal Braverman-Blumenstyk: So first of all, cybersecurity is very exciting. The reason it's so exciting, it's like playing chess. You have an opponent. When you just develop software, you don't have an opponent. You just have to develop good software. However, when you develop and design cybersecurity products, you always have to be one step ahead of your opponent.

Ann Johnson: And finally, we will explore talent, skilling, diversity representation, and the art and science of cybersecurity. Stacy Hughes, Tim Murck, AJ Yawn, Malcolm Palmore and Tim Youngblood, round out our look back on season six. Stacey, I've heard you talk about the art and the science of cybersecurity. And that concept really resonated with me. Can you explain what you mean by that to your listeners? And what do you view as cybersecurity art?

Stacy Hughes: Yeah. So this science involves utilizing existing use cases and establish frameworks that are currently in place such as Mitre Attack, and that can help you to really system what you're looking at from overall threat modeling. And the art of it requires really partnering with our business, with application owners, and our development teams to really fully understand how applications work and determine what is unusual behavior. And really, the partnering of the art and the science are is what is utilized by teams to really help develop risk based alerting to find that needle in a haystack. And for example, if I were to log in from an unusual location, it may be normal activity for me. But it could also be a threat actor. Or I'm working remotely today from somewhere else other than my home. However, for example, if I log in to a new application that I historically have not utilized before, then that could be defined as potential unusual activity. So it's really the art and the science works together to help provide a very good perspective on the threat landscape and alerting.

Ann Johnson: I frequently talked about how we need people to change the language of cybersecurity and change the methods of education if we actually want the average consumer or those who are younger, people who aren't cyber pros, right. If we want them to understand it, we actually need to change the industry fundamentally. And part of that is how we tell the story about cyber. So what's your perspective on storytelling as it relates to helping people specifically understand complex topics, and then specific to cybersecurity?

AJ Yuan: Good question. There are a lot of things that I can answer on this question. So at first, there's something very interesting in how we learn.

Tim Murck: So when I started at HackShield, me and my colleagues, we were advised by a lot of, let's say, people with real knowledge about how people learn. And they gave us a lot of advice. And I remember two big things, and one was how you create a security mindset. And if you want to create a security mindset, they told us, you have to learn people adversarial thinking. So the simple explanation for me was learn to think as the bad guy. If you know what potential threats are, you could try to avoid them, of course. So the second thing was representational fluency. And it was also very inspiring for us. Because they said to us, hey, if you really want to change behavior, and to learn something, you have to, like, rewire their brains, meaning that you have to use all different parts of the brains to give them the tools to see things differently.

Ann Johnson: So can we start with a little bit of historical context? Why do you think employers have had such a high bar of entry into their cyber programs? And what was the thinking from cyber leaders on the skill sets they needed in the past?

Tim Youngblood: Yeah, it's a great question. And I think the -- there's a few reasons why. I think with the importance of cybersecurity and how cybersecurity has become so important to companies at the highest levels, where you're talking about cybersecurity at the board level, the SEC has recently mandated that companies of certain size have cyber representation on the board. I think, because we're seeing that cyber is so important companies reacted to that with, oh, we need to hire unicorns. We need to hire people that are the perfect fit to have all of these skill sets to build our cybersecurity programs. Because if we don't, we're going to fail since there's so many eyes on this. And I think that fear seeped into the hiring process, and created these really high bars of entry for folks getting into the cyberspace because of that. I think also, you know, there's a ton of gate keeping because of the challenges that people that, you know, kind of started this whole cybersecurity thing and sector, they have to go through a lot to get into the field. And now with the advancement of certifications, and the boot camps, and just the many different ways that people can get into the field, I think the folks that are in position to hire people into cybersecurity are looking for folks that went down the same exact paths of them, the same exact school name, the same exact background.

Ann Johnson: So let me ask this question of you just as a follow up, right? You mentioned that there is a very, very small number of black and Hispanic professionals in cyber, there's a smaller number of women in cyber. You know, given that it would seem that with a talent shortage, it should be easy to recruit folks, we still have barriers to bringing people of color or women into cyber. Why do you think that is?

Tim Youngblood: Yeah, I think a lot of those challenges I mentioned, you know, there's kind of a lack of the connection into the communities there, right. There's not really great programs that feed people into the to the industry, like, that's needed. And even in the university level, there's still, you know, a very small number of universities that have a specialty of cybersecurity as an offer. So it's unfortunate because, you know, we're not doing a great job of solving the problem. Now, you know, what's happening I think you have a lot of big companies, like ours, T Mobile, who have started programs trying to build this out. We started what's called an explorer program where we go down to the high school level, and we try to identify talent, right, and grow that talent, you know, from the time they're in high school, and give them summer internships, get them trained up on some of the basic parts of cybersecurity. And then as they go into college, get them into the apprentice program so that they have, you know, a long term work rotation into the cyber team, [music] and then eventually when they graduate there's a job waiting for them.

[ Music ]

Ann Johnson: Thank you all for joining us on our look back at season six. Afternoon cyber T will return for season seven in August 2023. And we cannot wait for you to hear from the fantastic guests that we have lined up. Remember to follow us at or wherever you get your favorite podcasts.

Ann Johnson: [ Music ]