Resilience.
Rick Howard: Hey, everybody. Welcome back to Season 15 of the CSO Perspectives podcast. This is Episode 2, where we're turning the microphone over to some of our regulars who visit us at the N2K CyberWire Hash Table. You all know that I have a stable of friends and colleagues who graciously come on the show to provide us some clarity about the issues we're trying to understand. That's the official reason we have them on the show. In truth, as you all know, I bring them on to hip-check me back into reality when I go on some of my crazier rants. We've been doing it that way for almost four years now, and it occurred to me that these regular visitors to the Hash Table were some of the smartest and most well-respected thought leaders in the business, and in a podcast called CSO Perspectives, wouldn't it be interesting and thought-provoking to turn the mic over to them for an entire show? We might call the show Other CSO Perspectives. So that's what we did. Over the break, the interns have been helping these Hash Table contributors get their thoughts together for an entire episode of this podcast, so hold onto your butts. Hold onto your butts, butts, butts. This is going to be fun. Butts, butts, butts. [ Music ] My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum Studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland in the good old US of A, and you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. [ Music ] I've known Roselle Safran for years now. I initially met her at this recurring dinner she and I attend here in DC called the Cyber Notch dinner, organized by Pascal Luck, Anup Ghosh, and Thomas Knox. They gather a gaggle of senior security business leaders around a dinner table at Bobby Van's Steakhouse in DC and facilitate discussion of the issues of the day. 
They always bring in an interesting guest to speak off the cuff about what they're up to. Like a couple of months ago, they brought in Nina Jankowicz, author of the 2020 book, How to Lose the Information War: Russia, Fake News, and the Future of Conflict. It was fascinating, but when I started gathering experts at the N2K CyberWire Hash Table, Roselle was one of the first people I called. She's a civil engineer by training, a Princeton graduate, consulted at a couple of big firms, moved into government service for a while, working for DHS as the deputy branch chief for digital analytics, and later working for the White House as the branch chief for cybersecurity operations, but she has always had the entrepreneurial bug. She's been the CEO and founder of several startups, and today she runs a company called KeyCaliber that provides a customer platform to manage cyber assets and threat exposure. For this show, she's going to make the business case for why resilience might be the most important cybersecurity strategy of them all. Here's Roselle.
Roselle Safran: Hello, everyone. Thank you for joining me for our conversation today about cyber resilience. Cyber resilience is a very hot topic these days because we have so many examples of why we need it. When the pandemic began, organizations faced a sudden change to their environment that prevented business as usual. Organizations adapted to remote work out of necessity. When CrowdStrike erroneously pushed out a flawed update, organizations faced a sudden change to their environment that prevented business as usual. Organizations adapted and applied the next necessary fixes automatically or manually. And every time an organization is hit with a ransomware attack that is not blocked, organizations are faced with a sudden change to their environment that prevents business as usual. Mitigations and remediations are vital in order for the organizations to get up and running again. In all of these situations, the rate at which an organization goes from not operating adequately to operating again depends on the organization's resilience, and that is why the topic of resilience needs to be front and center for organizations of all sizes, and that's why resilience is the topic of our discussion today. So what is resilience? Broadly speaking, from a business perspective, operational resilience is the ability for an organization to readily adapt to a change in its environment. What that comes down to in practice is the ability to continue to function and provide essential services during and after disruptions. When we talk of resilience on a holistic level, that encompasses all the activities necessary to prevent, respond to, recover from, and learn from operational disruptions. Operational resilience encompasses adapting to both physical and cyber changes. For this conversation, I'm going to focus specifically on cyber resilience because, in today's society, most physical environments come with a technology or cyber component. 
We saw this was clearly the case with the pandemic: physical offices were closed, and that necessitated adapting from a cyber perspective. The same can be said for other physical situations such as natural disasters. If a physical location is not functional because of a hurricane, earthquake, or tornado, technology or cyber operations need to happen elsewhere for all but a handful of types of businesses because technology is the underpinning of our society today. So I'm going to discuss the core elements of resilience, which is cyber resilience. This actually fits very nicely with my background as I've been in the cybersecurity industry for 20 years now, so I've been looking at business operations through the lens of cyber for a very long time. So why does cyber resilience matter? In some ways, cyber resilience is akin to business Darwinism. Generally speaking, the organizations that can better adapt to changes in their technology environments will fare better than those who struggle or fail to adjust. The resilient ones are able to either continue operations during technology disruptions or readily recover and resume operations when an event occurs. Their financial and reputational losses are minimized to the extent possible, and the business remains a going concern. This is in stark contrast to the businesses that have significant downtime and face serious consequences as a result. According to one company in the resilience space called Veeam, up to 60% of small businesses fail after a successful cyber attack due to the losses from business interruptions and the costs of recovering data. So the reality is for most businesses today, cyber resilience is an imperative. So let's talk about who owns the responsibility of cyber resilience. This tends to be a difficult question to fully answer in many organizations because many of the requisite responsibilities are shared between IT and infrastructure and security. 
Certainly, when it comes down to security issues, it's the security team that identifies what is a concern that can lead to a major disruption in operations should a successful cyber attack occur, but then it's often the IT or infrastructure or cloud or networking team that has the responsibility of doing the work to address the security concern, whether it's patching a vulnerability, fixing a misconfiguration, or anything else along those lines. Similarly, when there's a security incident, it's the security team who does the response and investigation work, but, often, the recovery process such as restoring data from backups falls under the purview of the IT team. Additionally, there are standard IT complications such as servers going down or internet going down, and other complications which don't have a cybersecurity cause and therefore squarely reside in IT's lane. So, often, cyber resilience is a shared responsibility jointly held by the CIO and the CISO. Sometimes the CIO and CISO are peers in the reporting structure, but often the CISO reports to the CIO. I've actually seen some movement towards flipping that paradigm so that the CIO reports to the CISO. I recently posted about this on LinkedIn and was surprised to learn that the concept is gaining traction in some organizations. In my role as the CEO and founder of KeyCaliber, I have the opportunity to talk with lots of cyber leaders about their challenges, and many of them are focused around challenges to achieving cyber resilience. Generally, I see four major challenges they face in pursuing cyber resilience. Number one, for many organizations, the biggest challenge to achieving cyber resilience is the complexity of their own technology environments. They have on-premises and cloud assets. The cloud assets can be in multiple clouds, and they are in a highly dynamic state of being created and torn down. 
They may have operational technology assets or internet of things assets and often have unmanaged assets, commonly referred to as shadow IT. Additionally, there's often a spectrum of assets that organizations must contend with, from legacy systems that are outdated or end-of-life but cannot easily be extricated from operations to new technologies such as AI models that bring a novel set of security concerns that are not fully understood or addressed. This complexity tends to only increase as the business grows. Number two, a lack of resources is often a major obstacle to cyber resilience. When an organization is having a difficult time making ends meet, it's not going to focus on what would happen if there's a problem. Even when an organization has sufficient funds, it doesn't mean that cyber resilience is a priority. As a result, it's common to see organizations that lack the talent needed to plan and implement cyber resilience strategies and/or lack the technologies that make cyber resilience possible. Number three, there is the challenge to cyber resilience that we cybersecurity folks understand all too well. Cyber incidents are a major cause of disruption, and cyber threats are growing in intensity. Cyber attacks are happening at a greater frequency, the sophistication of attacks is continually growing, and the sheer number of threat actors is expanding. Last but not least, number four, the organization's dynamics can be an impediment to cyber resilience. To build an effective cyber resilience program requires strategy, planning, and implementation. If there isn't support and buy-in from senior leadership or there is not a clearly defined set of roles and responsibilities for IT versus security, the organization will face an uphill battle in making its cyber resilience initiatives successful. [ Music ] So what is actually needed for success in cyber resilience? 
I'd like to suggest a simple, straightforward five-step guide to how you can make cyber resilience work in your organization. [ Music ] Number one, it starts with the tone at the top. There must be support from your senior leadership that is demonstrated to the entirety of the organization. This includes delineating who is responsible for each element of the cyber resilience program. Number two, identify what your critical functions are. This means knowing which assets and systems must be running in order to continue critical operations, generate revenue, and achieve your mission. If you do not have this crucial set of information, you're setting yourself up for failure. Granted, this is often a very challenging process, especially for large businesses, and many organizations resort to manual procedures for it. That can include interviews and surveys to obtain the right information, but there are technologies that can accomplish this as well, and for full disclosure here, my startup KeyCaliber does provide this technology. Number three, devise your plans. There are several essential documents for cyber resilience: your business continuity and disaster recovery plans, and your incident response plans, and these plans are for both security and IT incidents. These must be drafted with the knowledge of the critical functions and any regulatory compliance that applies, and they must be living documents that you revisit and refine as necessary. Both the security and IT teams need to know these two documents. Yes, this is a step in the direction of breaking down the silos that security and IT often reside in. Number four, modify or build your cybersecurity and IT programs according to the specifications of your organization's cyber resilience needs. This means that all of the critical functions that are identified in Step 2 become your key priorities. 
Make sure that you have proper backups for all your critical assets and systems, and that you can quickly and easily access the backups in the event of a cybersecurity or IT incident. Make sure that you are effectively applying security controls on your critical assets and systems. This can include implementing zero trust and ensuring that the assets and systems have the prevention, detection, and response technologies in place. That includes vulnerability scanners, endpoint detection and response, firewalls, and a host of other security stack technology that may be necessary, and make sure that the security and IT teams are aware of the critical assets and systems. So, when they see an alert or notification related to one of these assets, they know that it is a high priority, a SEV 1 incident or Severity 1 incident as it's commonly called in IT circles. And that way they can respond accordingly; they know that they need to jump to focus on that first. And lastly, number five, learn and iterate based on real-world or tabletop testing. The best way to determine whether your plans are solid is to put them to the test. Ideally, this is done in a controlled situation such as a tabletop exercise, but in some cases, the testing will happen while you're in the midst of an incident. In either case, spend time reflecting after the fact to figure out what could have been done better so that you are more prepared for future incidents. Then go back to the step where you're identifying your critical functions with this newfound knowledge and work through the paces again. As the basic tenets of Darwinism stipulate, surviving and thriving is based on the ability to evolve. [ Music ] So, for my discussion on cyber resilience, I figured there'd be no better person to have this conversation about it than with Tia Hopkins, who is the Chief Cyber Resilience Officer and Field CTO at eSentire. Now, we are very lucky to get to speak with Tia. She is an incredibly busy person. 
In addition to her role at eSentire, she is an adjunct professor of cybersecurity at Yeshiva University. She's a LinkedIn Learning instructor. She has co-authored two bestselling books, Hack the Cybersecurity Interview and Securing Our Future, and she is the founder of Empow(H)er Cybersecurity, which is a nonprofit aimed at inspiring and empowering women of color to pursue cybersecurity careers. And then, out of the office, she's a women's tackle football coach. So lots going on, but thankfully she's made time for our conversation here today. So thank you so much, Tia.
Tia Hopkins: Yeah, for sure. Thanks for having me.
Roselle Safran: Excellent. All right, let's get started here for our discussion on cyber resilience. So, cyber resilience, relatively new concept, and certainly chief cyber resilience officer is a relatively new title. So how- how'd you get your role? How did that come about?
Tia Hopkins: Yes, an interesting question. So prior to being the Chief Cyber Resilience Officer at eSentire, I was strictly a field CTO, which is still part of my responsibilities today, and that was a lot of evangelism, talking to partners and customers and prospective customers about the challenges that they're trying to solve, and then working with our customer success and sales and product teams to deliver relevant and valuable security solutions to our customers. So as I'm having these conversations, I'm getting a lot of -- I'm having trouble communicating with my leadership team and I need to show the effectiveness of my security program, and I need to measure this and I need to articulate that. And it just seemed like the sort of underlying challenge was we're doing all this work, we're going on this journey, but what's the destination? What's the period on the end of the sentence? So I went through kind of this transition of thinking, well, risk quantification is what we need to do. That's how we had the conversation, but that quickly turned into okay, well, that gets you down to how you should prioritize your risk and what you should focus on, but at the end of the day, the reality is all of us in cybersecurity, yes, we're there to reduce risk, but the reason we're doing that is because we want to keep the lights on for the business. And so that is when resilience really, really started to resonate with me, and I started to do a lot of research, and I really, really got sucked into the NIST definition of cyber resilience. They wrote -- where they released Special Publication 800-160 Volume 2, Revision 1. Say that three times fast. But I think it was back in December of 2021, and it was all about building cyber resilient systems. And in it, they define cyber resilience as the ability to anticipate, withstand, recover from, and adapt to, just to summarize it and say, an adverse or cyber incident. 
And so that really resonated with me in terms of what my company does, because we're with our customers. If you think about the attack continuum, that's really what happens before, during, and after an attack, and so the messaging made sense and, you know, as I started to have more and more conversations, it helped customers with messaging and communicating to their leadership and driving these outcomes and having a reason for driving these outcomes. And so, you know, no good deed goes unpunished. It became the overall sort of go-to-market, not necessarily strategy, but the way we package up our overall solution, the journey that we're taking our customers on to continuously build resilience, and I became the leader of that function, and it re- it really is just all about working with customers in a strategic fashion to drive more resilient outcomes in their security programs.
Roselle Safran: Excellent. I love that. I love that. So yeah, it all stems from one of the big challenges we have in cybersecurity, is articulating our value and connecting it with the business functions. Yeah, it's one of the continuous challenges, that's for sure. So I've seen the -- only a few other folks with this type of title, but what are some of the major responsibilities for someone who is a chief resilience officer and is focused squarely on that type of role and making sure that the organization is resilient from cyber issues and, even more broadly, operational issues?
Tia Hopkins: Yeah, I mean it could -- yeah, you make a good point. It could be a cybersecurity issue, it could just be something related to IT infrastructure, a server just went down, or the internet is down or whatever that is. I'm -- I -- I'm probably in a more unique position than what I think will eventually be viewed as a more traditional function as a chief resilience or chief cyber resilience officer, and that I'm on the vendor side of things, so I'm driving strategy around building more resilient security programs, whereas internally, I mean it -- well, I won't say whereas, but it's kind of the same thing inside an organization. This -- I've been asked, you know, is this role adjacent to the CSO? Does it replace the CSO? I really think like most things in this industry, it comes down to the needs of the business. If the organization is so large and complex that resilience needs to be a separate function from security because they're focusing on more than security-related things, that totally makes sense, but I can also see a world where cyber resilience becomes part of the responsibilities of a CISO, because in theory, it is already what a CISO is driving towards, right? Protecting and enabling the business, and there's a lot of resilience capabilities that have to go into that, I think from a mindset perspective. But for me, primarily, like I said earlier, helping businesses keep the lights on, the way I look at it is my primary responsibility is to ensure that our customers have a way to ensure the survivability of their critical systems, and that starts with, you know, controlling the controllables, being aware of what the risks are, making risk choices on what to address, then being able to do something when something actually happens, being able to detect it quickly, being able to respond to it quickly so that when it comes to recovery, you can get systems back to normal as quickly as possible. 
It really is about limiting the damage, limiting the scope of the breach, and like I said, ensuring the survivability of critical systems because we say all the time, and it's not like -- it's not marketing terminology, it's really real. It's no longer a matter of if, it's a matter of when. So, you know, while there's these conversations around, well, prevention is a dirty word, we can't just rely on prevention technologies. I agree we shouldn't rely solely on prevention technologies, but prevention in and of itself is still something we could be -- we should be focused on. It's just -- I think it's elevated a bit to where instead of fully just relying on prevention of breaches, we need to be focused on the prevention of business disruption, and that's what resilience is all about.
Roselle Safran: Yeah, so true. Again, tying it back to the business, which is absolutely the way to go. So, do you find that the skills that are more needed for this type of role would be on the technical side, where you have that understanding of how it's all going to play out, or are the soft skills more crucial, or is it a combination of both?
Tia Hopkins: Yeah, I'm probably a little biased here because I do have a balance of both, and it took work. I come from a technical background, hands-on keyboard. I was a network admin and then just, you know, came up to focus on deploying security technologies, and then I got into the business side and had a lot to learn when I got to the business side. But the reality is, even if you're a wizard behind the keyboard, if you don't understand what's important to the business, how the business generates value, what services or technologies are critical to the business, then how can you really build a strategy around what to protect and how to protect it? What is the most critical, and basically get buy-in from the business that you're doing the right things. And so, you know, it's funny because when I started to see my trajectory heading into leadership, I got nervous because it was like, well, the less I'm touching the keyboard, the less I'm going to be able to do behind the keyboard and I don't want to do that, but the more I got into leadership, I was like well, you know what, the span of what I'm able to impact is actually greater because I have a broader view, I'm having broader conversations versus being focused on very specific things behind the keyboard. So the business aspect of it has been incredibly valuable for me. And so now my thought process is, it is, I think, important to be able to understand the technical components of what goes into building a resilient program. But I don't think the leader necessarily has to be able to get behind the keyboard and do it. I think it's important that the leader understand what's happening, why it's happening, whether those things are effective, efficient, et cetera. I mean, it's like being the head coach of a football team, you're relying on your offensive coordinator to call the right plays, but if you don't understand football, you're not going to know if it's the right play or not. 
But anyway, in a leadership role, and I say this probably every time I have the opportunity to, if you think about management-level security exams, like the CISSP or the CISM, you can get the majority of the answers to those questions right if you pick the option that most closely aligns with driving business outcomes. And so I say that to say, if a leader is responsible for the resilience of an organization, then they need to understand where the critical weaknesses are in the business or what could bring the business to a halt, but also need to have the ability to communicate that in business terms and financial terms, et cetera, with non-technical business leaders and decision makers. So to directly answer your question, it is a mix, but I think in a leadership role, especially a chief type, executive type of role, the soft skills are really important. You have to be able to effectively communicate, you have to have a little charisma, right? You got to get people to buy into what you're saying, and you have to have influence for sure. I mean, that's just a few that I can think of, but having those soft skills definitely goes a long way.
Roselle Safran: Great points. I like the little tips on the CISSP exam. I mean, I was the same way when it came to deciding to switch from the technical side to the managerial side.
Tia Hopkins: It's scary.
Roselle Safran: Yeah. And -- because my thinking was, you know, if you are technical, you're kind of -- you're fighting with hardware and software, and half the time you can just turn it off and turn it back on and the problem goes away, but when you're on the managerial side and you're dealing with people, you can't turn them off and turn them on and expect the problem to go away.
Tia Hopkins: It's a different level.
Roselle Safran: Yes. Very different, very different. You've been talking about the business side of it and then connecting the two. So what would you recommend for security leaders when trying to make that business case for cyber resilience?
Tia Hopkins: Yeah, this is a -- this is an interesting question because of course resilience -- cyber resilience is near and dear to my heart and so much so that I'm basing my PhD research on it. I'm like -- yeah, I'm trying to be a doctor someday. Life's got other plans right now, but I'm going to get there. But I am doing a lot of research around bridging the communication gap between technical and non-technical leaders, and it is my belief that cyber resilience or resilience, in general, can serve as sort of the foundation for where the conversation should start because I can't think of a business leader out there that isn't concerned about their company being resilient to some degree. You know, you think about the pandemic, you think about the economic downturn, leaders were concerned about how do we weather this storm? How do we get through this? And I mean, even outside of that, hey, if our competitors do something great, how do we respond to that? Or, you know, some- something adverse has happened from a brand perspective, how do we survive that? So resilience is always implied in one way or another. And I think that the conversation gives security leaders the opportunity to kind of just tuck into the conversation that is already there. So the -- to -- the long and short of it is the conversation has to be not only about how the business is being protected by the security team, it has to be about how the business is being enabled by the security team. And when I talk to security leaders that are having trouble resonating with the business, it's often because that business enablement -- the business outcome is void or missing from the conversation. It's about the latest threats and the technologies that we need to deploy and stats from what we got in the firewall, but what does that mean in terms of what I need to invest in and what do I need to go protect? 
And so if you have the conversation, here is what we are protecting, here's what we're worried about, here's what we're already doing about it, and here's what we need to go do. And the reason that we need to do this is because we want to keep the lights on and we want to stay productive, and if this thing were to happen, we're looking at this much of a loss in productivity over this period of time, just add, you know, add some numbers to those conversations. I think it's a very easy conversation to have because then you're bringing the value of what you're doing as a leader into the conversation and putting it into terms that matter to the people that you're speaking with. I always say you can't speak to a CFO, for example, in bits and bytes when they're listening to you in dollars and cents. And we have to do a better job as technical leaders to speak the language of the listeners that we're speaking to.
Roselle Safran: Yes, very, very good points. It's so easy in cybersecurity to just go down that rabbit hole and get very lost in the minutiae from a cybersecurity standpoint. And we forget that often no one else cares about this thing. So what are some of the major obstacles you've seen organizations face in trying to implement cyber resilience programs?
Tia Hopkins: Yeah, another great question. I think -- I mean, first I want to say it's not really this huge lift of an implementation of this brand-new approach or strategy that's going to be much different from what's already occurring in most, I'll say, decent to mature security programs. Cyber resilience really is an outcome, it's the why you're doing all the things, and it's a mindset, we got to keep the lights on, right? We have to ensure the survivability of critical systems. So I would say the major obstacles I've seen are really introducing that mindset into the business and getting that executive buy-in, right? So having that conversation of no longer a matter of if, but when, you know, because I think -- and, you know, maybe this is the unpopular opinion here, but if I am a security leader and I'm having conversations about preventing things from happening, I'm likely setting myself up for failure because something is going to happen. So it's not a question of whether something will happen, the question is how bad it will be when something happens. And it's hard sometimes to get business leaders to accept that although they're investing all these things in the security program, there's the potential that something might still happen. I had a CEO -- I was speaking at a conference and I was jus- I was having the -- if, you know, no longer a matter of if, it's a matter of when and you have to be resilient because here's all the things. And he was like, "I don't understand. You people have to do better. I invest all this money in my security program and you're telling me something's still going to happen. There's just got to be something that all you brilliant minds can get together and just figure it out and do something about it." And so I won't drag the story out, but my response back to him was essentially, "I mean, you have a home security system, right? You invested in that. That's not going to holistically prevent something from happening to your home. 
I mean, sometimes you'll get the alert when an intruder's at the gate, sometimes they're at the door, sometimes they're going to break a window, other times they're going to be under your bed for three months and you had no idea because they found a blind spot and oh, I don't know, maybe you did get an alert that something was going on, but you swiped it off your phone because you were too busy." These are the things that happen in our businesses as it relates to security every day. And so the investment isn't to say nothing will ever happen. The investment is to say, I'm going to be as prepared as I can be so that the impact is as small as it can be when something happens. And that's the conversation we need to start having.
Roselle Safran: That's a great analogy. So what was his response to that?
Tia Hopkins: He calmed down a lot. He was like, "Okay, okay, I get it." And then after he walked up to me and he said, "I get it now." He said, "You guys have a really hard job. I appreciate you."
Roselle Safran: Yeah. Sometimes you just got to abstract it out from security completely.
Tia Hopkins: Yep. Yep. I tell folks all the time, they're trying to have, you know, I talk to people that are trying to get a security conversation started but maybe they're not at the most technical or, you know, not a specialist in one particular technology or another. And I always tell them the best way to talk about security is not to talk about security, right? Just understand what the concerns are, understand how the business works, and then we can figure out, you know, what's keeping folks up at night and go from there. But you don't have to start with the bits and bytes, and let's talk about ransomware and DDoS and -- because, you know, CISOs got enough to keep them up at night if you're talking to those types, and if you're talking to someone that's not technical, you lost them very early on.
Roselle Safran: Yeah, very true. And I like tying it with physical security when possible because that is something tangible that people can relate to.
Tia Hopkins: Absolutely.
Roselle Safran: So, what have you found that has been a way to successfully navigate some of the challenges, you know, for discussing how it's a business imperative, and just in general for getting that buy-in that -- that's so essential? Have you seen any techniques that prove to be more effective?
Tia Hopkins: It's funny, I was having a conversation with a group of CISOs and we're talking about resilience and some were mentioning that, you know, they're having challenges getting buy-in, you know, like I mentioned earlier, leaders are like, "But we're investing. We're investing because we don't want these things to happen. Make these things not happen." And he is actually -- the CISO that I'm referencing is actually who made the point that I referred to earlier to stop having the prevention conversation. So he said -- in his presentations to his executive team and his board, he actually stopped using the preventing breaches, preventing incidents terminology, and he flat out just had the conversation, listen, this is the world we live in today. We're super connected. Everything's digital online. Our users are everywhere. Our data is accessible from anywhere, so the possibility of something happening is a lot higher than it was, you know, 10, 15, 20 years ago. And so we have to think that way if we're going to properly protect the business, because assuming all the things that we've done can or even should keep us 100% protected, gives us a false sense of confidence, a false sense of security, and we're not continuing to evolve and improve the way that we would if we were focused on constantly being resilient. So improving based on changes to the business, improving based on evolving threats, what we're seeing in the threat landscape et cetera, keeps us from being relaxed. And so he did start to have that conversation around this is our plan -- when thing X happens, this is our plan. 
If we -- or when we get hit with ransomware, this is what would happen when we're in a situation where we have an insider threat versus saying, these are the things we're putting in place to prevent it because if you ever have to come back and talk about what happened, I mean, you know, hopefully, it's not right after the meeting where you said you were going to prevent these things, like I said earlier, setting yourself up for failure. So just having a real conversation and -- I mean, look, it might take multiple conversations, but you have to get the conversation started, first of all, because you need to see where your executive team stands. You might get surprised they might totally get it. And where possible use examples of competitors or partners or allies, whatever of organizations that are taking this approach, and some of the positive impact that they've seen. I mean, a good example of this is with that -- when it comes to third-party risk, I was reading a trend report that shows that security and risk management leaders are shifting not fully away from questionnaires for third-party vendors. So they're doing those for due diligence, but what they're actually investing in more is putting resilience capabilities in place to protect them should something go wrong with that vendor, and that's the conversation that's being had with the business, right? We've done our due diligence, we gathered all the information, but here's how we're going to protect ourselves because they are third party to us, and if something were to happen, we need to be ready. And leaders are showing signs of getting more buy-in, being able to move faster, you know, with digital transformation and things like that because they have a plan versus just having some documentation that you hope is accurate with this third-party partner that you've had a conversation with.
Roselle Safran: Yeah, that concept of not looking at it from the perspective of if this happens, but when this happens.
Tia Hopkins: Yeah.
Roselle Safran: And being able to move at that point, that does change the tone of the conversation for sure. So, for organizations that are early in their maturity on this and are beginning their journey towards cyber resilience, what can they start doing today to move in the right direction, knowing that this is -- it's going to take some time to get to the point of being in a mature state, but what are the baby steps they can start taking?
Tia Hopkins: Yeah, I mean, I -- the big thing for me is, and this is in most things I do in life, I feel like before I can decide where I want to go, I have to figure out where I am. And I firmly believe that security leaders I mean are responsible for a lot, but the biggest responsibility for security leader is to understand where the business is, understand where the business needs to go, and then continue to bridge that gap every day because let's be honest, it's a moving target. So if an organization is looking to shift away from, I mean, maybe things are based on maturity today, maybe they're based on compliance today, you want to shift to resilience or add resilience as part of what you're doing, really get an understanding of where you are, understand where your executive team lies, like what's their view on taking that approach. Shifting to not if, but when. Also understanding where you are as an organization. What do your anticipatory or preventive capabilities look like? How well are you able to hang in there when something happens? And as a result of that, how do you think it would look in terms of recovery? Do you have an incident response plan at all? Is it updated? Is it tested? Does everyone know what to do? And then that last bit when I was talking about the four pillars of resilience when it comes to adapt, I like to always toss into conversations when I'm having them. That seems to be the pillar that people focus on the least, and I feel like we can always stand to learn from our mistakes, and we have to make sure we're doing that. So I say all that to say the first step should be understanding where you are and how that compares to where you want to go, and then figure out where your gaps are, and then you have to go through this whole prioritization process. 
This is not really new and novel or different from, you know, discovery, assessing, prioritizing, and then getting into what you need to do to continuously mature your program, except that the reason you're doing it and the outcome and what everyone is charging toward is different, and that will lead to different decisions. Because today we are taught to focus on risk, the business asks us to reduce risk, but reducing risk or responding to risk in whatever way we decide does not necessarily imply that we're going to be resilient when something happens to the organization. And so, from my perspective, risk reduction is part of like controlling the controllables and part of anticipating what could come about, but if there's not enough focus on hanging in there, eliminating the scope of the breach, ensuring the viabi- survivability of critical systems and quickly being able to recover, then all of those risk management sort of anticipatory preventive activities have been for naught. So, anyway, long-winded answer, but really figure out where the business is on the issue, how do they feel about resilience as an outcome, figure out where your program is today and the type of transition that would be necessary for you to get there. And this is just a shift in operations first. You don't need to go out and buy a bunch of technologies, and we need this tool and that tool. This is an operational shift. Make sure you have the right people, make sure they have the right expertise, get your operations in place, and then go down the path of continuously maturing based on where you are in your journey. [ Music ]
Rick Howard: So Roselle, thanks for doing the episode. This was your first experience being a host of a podcast. I know you've done podcasts before, but this is the first time you've done one by -- on your own?
Roselle Safran: Yes. Yeah. And it was a great experience. It was good to see the other side of it, because I've been the interviewee, not the interviewer, and I kind of feel I need to do more of these now.
Rick Howard: Oh. So now we got you in this table. Now you can be, you know, one of the talking heads like me on these programs. That's fantastic.
Roselle Safran: There you go. Yeah, gimme a call. I'd be happy to.
Rick Howard: So I want to jump right in. I thought your interview with Tia was really interesting, but I want to push back on this notion that you brought up with Tia regarding that it's not if, but when you get attacked, and it's be- that's been a common notion in the InfoSec profession for, I don't know, about a decade now. But in reality, the chances that any company, let's say in the US will be impacted by a material cyber event, it's really low, okay? It doesn't feel like that if you read the headlines every day. It feels like the bad guys are attacking everybody all the time, but, you know, it's just not the case. There's just over 6 million organizations in the US if you count businesses, schools, government departments, you know, both large and small, but, you know, in 2021, the FBI reported that there were just 5,000 reported breaches. So, you know, doing the math there, 5,000 divided by 6 million, that's a really small number. So this common notion that everybody will eventually be impacted by a material cyber event, I think is a myth. What we're really worried about are black swan events, you know, things that are unlikely to happen, but if they do, could wipe out your organization. And I'm wondering if you -- what you think about that. Am I completely wrong?
Roselle Safran: So first off, I'm going to push back on your pushback.
Rick Howard: Which I get all the time, so feel free. [ Laughter ]
Roselle Safran: So, you mentioned that these are -- the breaches reported to the FBI and first off, only a small fraction are reported to the FBI. There are a variety of reasons why an organization wouldn't want to make their breach known to another entity, especially a government entity. I remember this from my days working in the government, there were lots of folks who were just reluctant to share anything with the government agency, particularly one that's involved in law enforcement. So -- and what you're looking at, that 5,000 is a fraction -- a very small fraction. I don't know if it's a hundred times, but may -- it could be 50 times. And then you're talking about a quarter million. But then also you have to look at that as that was one year, and this is cumulative over years. So if it was say, quarter of a million in one year, like over time, that's going to get to the 6 million.
Rick Howard: Well--
Roselle Safran: And yes, overlap, but the fact is that it- it's not a hundred percent guarantee, but it's much larger probability than a fraction of a fraction of a percent where it's -- it- it's highly unlikely.
Rick Howard: Well, my only point about bringing that number up, and yeah, we can argue about the division there, right? Okay? But my -- what I'm proposing is the strategy for defense for companies who have a high probability of getting hit by a cyberattack versus a low probability, okay? Is probably different. And what I've come to believe at the end of my career, okay, is that you know, resilience is probably the strategy for most organizations, right? Because -- and the reason I say that is it's completely different from the other preventative strategies that are out there. You know, we have like zero trust, we have intrusion kill chain prevention, we have workforce development strategies, right? These are all designed to enhance our defensive positions, but if the chances aren't that very or aren't very good that you're going to get hit by a material event this year, maybe resilience is the best strategy to do. And the things you do for resilience are completely different than those other preventative strategies. And I'm beginning to think that any company that's, you know, anywhere from a startup to some medium-sized companies in terms of revenue should only focus on resilience. And am I completely crazy about that?
Roselle Safran: There's certainly a lot of validity to that. I don't think you can take preventative measures out of the equation completely though. So I'm -- yeah, I lead a startup that- that's small, so we're in that bucket of SMBs. And I always liken us to a boat, you know, we're like a motorboat. We're speedy, we're nimble, we're agile, but, you know, when there's a wave, we feel it. And if you think of small businesses from that perspective, you're always worried about the boat capsizing --
Rick Howard: Yeah.
Roselle Safran: -- or sinking. And the strategy can't be -- well, we're just going to be good swimmers if that happens. There has to be some -- needs to be some preventative measures involved. Like you have to have your life jackets if you're getting in the boat.
Rick Howard: Well, I agree that there'll be some preventative measures. I'm just saying for like, you know, I work at a startup too. Okay. N2K is a small company. We don't have the resources to build and monitor a fully realized zero trust strategy or an intrusion kill chain prevention strategy, right? It would be better if we were really good at a resilient strategy. What I mean by that is we're not going to try to defend against the attack. What we're going to do is survive it, be able to restore quickly, and to make sure our customers don't even know we were under attack, right? And that's the way to think about it. And I don't think you agree with me on that. [ Laughter ]
Roselle Safran: I ab- I absolutely agree. I mean, we -- at the end of the day, the whole purpose of having security is to keep the business up and running.
Rick Howard: Right.
Roselle Safran: And so when it comes to resilience, it's the availability side of confidentiality, integrity, availability. It definitely falls in the- that security paradigm, and it's an absolutely essential part. And for a small organization, sometimes that is the only one that -- of the three that- that's really going to be a concern. And it is a legitimate concern, and so there definitely needs to be a strategy around how are we going to ensure that we keep the lights on, that we keep our business running, that we keep our critical operations going, our revenues flowing, we're accomplishing our mission. And yeah, a lot of that doesn't require these huge beefy security programs, but you do need the fundamentals of knowing what's most critical, that you have to keep --
Rick Howard: Exactly.
Roselle Safran: -- [inaudible 00:54:42] and at least getting a layer of protection around that. And yeah -- and then it is certainly a matter of making sure that you have the strategy in place to deal with whatever is going to come your way.
Rick Howard: Well, Roselle, I thought this episode was fantastic. I learned a lot, okay? So thanks for doing this for us. But before we go, is there any last words on resilience that you'd like to give to the audience? What's the -- if I had to ge- take one thing away from this entire episode, what would it be?
Roselle Safran: Great question. So I would say don't try to boil the ocean. Start with what you can do and build from there, and start with figuring out what needs to stay up and running, and then you can start to build those processes and those technologies and the procedures around it to make sure that they stay up and running.
Rick Howard: Well, that's great advice and that's a perfect way to end this, Roselle. Thank you, and we'll hit you up on the next time we do this.
Roselle Safran: Sounds great. Thank you. Take care. [ Music ]
Rick Howard: And that's a wrap. I want to thank my friend and long-time colleague Roselle Safran, the KeyCaliber CEO and Founder for taking over the hosting duties for this episode and giving us the current state of the cybersecurity first principle strategy, resilience. CSO Perspectives is brought to you by N2K CyberWire, where you can find us at thecyberwire.com. And for this episode, I've added some helpful links in the show notes to help you do more of a deep dive, if that strikes your fancy. And don't forget to check out our book, Cybersecurity First Principles: A Reboot of Strategy and Tactics that we published in 2023. Resilience is a key concept that runs all through that book. And by the way, we'd love to know what you think of our show. Please share a rating and review on your podcast app, but if that's too hard, you can fill out the survey in the show notes or send an email to csop@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize their biggest investment. Your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. One last thing, here at N2K, we have a wonderful team of talented people doing insanely great things to make me sound good. I think it's only appropriate that you know who they are.
Liz Stokes: I'm Liz Stokes, I'm N2K CyberWire's associate producer.
Tre Hester: I'm Tre Hester, audio editor and sound engineer.
Elliott Peltzman: I'm Elliott Peltzman, executive director of sound and vision.
Jennifer Eiben: I'm Jennifer Eiben, executive producer.
Brandon Karpf: I'm Brandon Karpf, executive editor.
Simone Petrella: I'm Simone Petrella, the president of N2K.
Peter Kilpe: I'm Peter Kilpe, the CEO and publisher at N2K.
Rick Howard: And I'm Rick Howard, thanks for your support, everybody.
[Unison]: And thanks for listening. [ Music ]