Anna Delaney: Hello, I'm Anna Delaney and this is the ISMG Editors' Panel, where members of the editorial team convene to review some of the most interesting cybersecurity issues of the moment. It's a cozy trio this week. I am delighted to be joined by Suparna Goswami, associate editor for ISMG Asia, and Tony Morbin, executive news editor for the EU. Great to see you both.

Suparna Goswami: Always a pleasure.

Anna Delaney: Tony, tell us, where are you zooming in from today?

Tony Morbin: Well, I'm out in space, but really as a way of getting a kind of globalization-type theme. So, that's my excuse.

Anna Delaney: Yeah, very good. Space is always relevant in cybersecurity. Suparna, tell us more.

Suparna Goswami: Yes, the background is of a nine-day festival in India, which began earlier this week. So lots of celebration across the states; different states celebrate in a different manner. What you see in the background is a dance form famous during this time of the year called Dandiya. So there is dancing, lots of food, grand celebrations across most of the states in India, and this is called Navratri, "nine days." That's what this festival is called.

Anna Delaney: Very good. You do your festivals very well. That must be said. I am in Brussels this week. I want a city break to Belgium. While I was just going through pre-pandemic photos, I came across this fun jazz club in the city. So I thought it was quite Edward Hopper-esque at the time. Bringing some jazz to the panel this week. Suparna, you conducted a very informative interview recently with two members of Verizon on PCI DSS 4.0: How to Comply With New Security Requirements. It'll be great if you could start us off with a bit of background on the standard and what changes these new requirements introduce for the payment space.

Suparna Goswami: Sure, Anna, thank you. So, as you mentioned, I did talk to a couple of speakers on Verizon's latest Payment Security Report. It's the 10th edition. And the report analyzes the changes that are brought about by the latest PCI DSS version, PCI DSS 4.0, and what it means to companies. So the version was introduced earlier this year, and the report analyzes what the changes are and how companies must comply with that. So the goal of PCI DSS 4.0 essentially - I did go through the report and it was essentially four goals: ensure standards continue to meet security requirements; they have added a lot of flexibility - and this is something that I have found throughout the report, the term flexibility; promote security as a continuous process; and enhance validation methods. So the earlier versions of PCI DSS were prescriptive in nature and actually described what you need to do, with tighter controls. Now for such tighter controls, an enterprise can take a customized approach. And this is mainly to give organizations the flexibility to try different methods to support security. And like the previous version, this version too puts a lot of emphasis on continuous monitoring. Continuous monitoring has always been a requirement of PCI DSS, but the new version places more emphasis on it. So the people I spoke with, the experts - and I'm quoting them here - said the whole bottom line is that you cannot do the minimum; you have to make compliance an ongoing activity instead of just a one-off. And just following a standard is not enough to implement controls. They said the new version says it is essential to measure and report control effectiveness of tools. Now again, by tools, you don't really mean only technology tools, but the entire process, including having a proper structure and governance in place. And other speakers mentioned that enterprises need to define a maintenance process to address sustainability of controls. And this must be part of your business-as-usual program, since cybersecurity, they said, is not a siloed process. One needs to ensure that it is implemented properly and it matches the organization's management goals. And this is one of the primary reasons that the PCI DSS version has moved away from being prescriptive, as I mentioned before, so that enterprises can match security management goals with those of the business and they have that flexibility. I'll play a part of the recording. I think that's very relevant, and probably we can talk more about it.

Ferdinand Delos Santos: Organizations should continue to evolve. You have to meet compliance as an ongoing activity instead of being one-off. So I can imagine, top of my head, right? First you have to ensure that your scope is very well maintained. And of course, you'd have to expand your programs in the ongoing changes of your environment. Of course, you have to upgrade from a business processing point of view and everything. The shape of the organization changes, your culture and your people as well. And secondly, you have to implement a process for performing a business impact analysis on an ongoing basis and measure and take into consideration if there are business decisions or strategies that have to be in consideration of that. Rokon, would you want to add more on those recommendations here?

Rokon Zaman: Yeah, thanks again. Yeah, I like a few other examples. For example, security awareness, it cannot be a once-a-year activity. The security awareness and education should be an ongoing activity, like emerging threats in the environment. Because nowadays, we have a new threat or a new vulnerability. So it should be on an ongoing basis. Effectiveness or performance of security controls should be measured and inputted to ensure security activities are being performed on an ongoing basis, implementing a continuous improvement process to ensure issues are collected and controls are measured accurately. So that feedback needs to go on to the process and it should be an ongoing management and improvement process built in.

Suparna Goswami: What I understood as the general feedback of CISOs has been there are too many standards out there and it becomes a mammoth task for them to follow all the standards. And hence, the major theme of the new requirement is having a customized approach. And you will see these two words, customized approach, being repeated throughout the document of this version. So aside from this, the current version has also placed emphasis on some of the technical requirements. Like anti-phishing solution: it was never mentioned in the previous version; it has now become a requirement. Web Application Firewall: earlier, it was an optional solution, but now it is a mandatory solution. So yes, these are some of the changes, and it becomes mandatory from April 2024.

Anna Delaney: Right, okay. So I think also they discussed key strategies for implementing this new standard across organizations. And I think you can share with us in that respect.

Suparna Goswami: So the key strategy, according to them, has been: just, you know, get into the process early first and involve the business. Because, as he said, cybersecurity is not a siloed thing. So you need to involve the business and assign the tools matching your business goals. So if you're facing problems with phishing, you can't just be happy with some solution and say, "Okay, I've complied," and not have an anti-phishing tool. Similarly, if you're having problems with your identity, you can't be just happy with anti-phishing tools, saying, "Okay, I've complied," and not really have a tool that addresses the problem. So they say map your tools to the problems that you face.

Anna Delaney: Okay, good. And I think they also discussed education and a mindset shift.

Suparna Goswami: Of course, and you will see it across, hear it across. I think every CISO says the technology can only play a certain role, but it's people who actually go out and implement the technology. So people education is very important. And this is something that they have put a lot of emphasis on. I'm sure CISOs would agree as well. And in your conversation with CISOs, you too would have heard how much of an important role education plays. And it is not only about that, he said, one-off education like you do once in a year; it has to be a continuous thing and you need to come up with innovative methods to make it more interesting, because in case you say, "Okay, there is a session," people do not really understand the importance of it till you make people get involved, make it more practical, make them involved in certain things, rather than it just being theoretical in nature.

Anna Delaney: Or continuous being the word in many respects for this. Well, that's very informative. Thank you so much, Suparna. Tony, it's interesting times for the SBOM. What's the latest?

Tony Morbin: Coincidentally, I'm also looking at the aspects of standards and standardization of standards. So, obviously, many of the most devastating cyber attacks have been the result of compromised software from a supplier, whether that's from the 10 billion in commercial assets and losses due to NotPetya, which was first delivered via accounting software, to deep infection of highly sensitive networks by SolarWinds. Of course, more recently, we've had the ubiquitous Log4j. It was described by many as a wake-up call for the industry. Well, that was more like a bucket of cold water over our head after we've consistently ignored the alarm clock urgently ringing. But that widespread vulnerability did see software supply chains leap up the risk register. In the U.S., the Biden Executive Order resulted in legislation for a software bill of materials for federal software purchases. Now, not everyone has actually located all their instances of Log4j even now, and more shockingly, still downloads of vulnerable Log4j exceed the updated version. But as one participant at the recent ISMG Roundtable noted, at least now we've identified all of our critical systems. Now we just have to find Log4j elsewhere. It was way back in 2014 that the U.S. Cyber Supply Chain Management and Transparency Act was proposed for government agencies to require SBOMs for any new product that they purchase. It didn't pass at the time, but it did inform last year's May Presidential Executive Order, calling on NIST to issue guidelines for creating an SBOM. Now, those providing software to the U.S. federal government need to provide SBOMs that detail the components used, the changes made between versions, and this includes information about libraries, add-ons, custom source code utilized by an application. In addition to the NIST guidelines, there's the NTIA (National Telecommunications and Information Administration) standard, ENISA in Europe, BSI in Germany, NCSC in the U.K., and others have also issued guidelines on creating SBOMs. It remains to be seen if these will actually translate into standards or regulations. Though in the U.K., there's planned government procurement rules in the public sector for 2023. And they followed consultation on security of digital supply chains and third-party IT, so that may well end up producing an SBOM. But standard SBOMs don't include some aspects of cybersecurity and compliance like API calls, passwords, control flow, PII, cryptography, hardware, various things. And there's been some kickback against calls by some U.S. government departments to mandate SBOMs right now. The Alliance for Digital Innovation, BSA Software Alliance, Cybersecurity Coalition and the Information Technology Industry Council say that some of the new legislation leapfrogs ongoing administrative efforts to mandate an SBOM and to establish a proper standardized SBOM. In the U.S., Ross Nodurft, executive director of the Alliance for Digital Innovation, said the process of producing and implementing the inventory lists of software components is not mature enough to be codified into law at this time. He is urging the White House to continue its work in developing and standardizing SBOMs for federal agencies before the practice is mandated into law by any of the departments. Now, to my mind, cybersecurity has become like aviation, or the law of the sea or space, which is my tenuous link to my background. We don't want different national standards or regulations; we want one interoperable standard that we can all comply with. For the benefit of us all, we need a global standard that we can adhere to. Now, okay, for speed of implementation, that may mean that we initially do draw up national standards. But the aim surely must be to reduce the number of standards as early as possible. So that's my plea there.

Anna Delaney: Yeah, that's interesting. Interesting about the kickback actually. Do you know, or do we know, the extent of organizational SBOM readiness in the U.S.?

Tony Morbin: No, and there is some slight get-out clause as well, in that, you know, if people are actually showing that they're working toward implementing it, they will be able to get around some of these government departments which are actually mandating an SBOM. So it's mandated, but there are, as I say, sort of get-out clauses. But I think the principle remains that there are multiple standards and the plea is for there to be one standard.

Anna Delaney: So, as this progresses, what will you be observing closely?

Tony Morbin: Well, people are facing various difficulties actually implementing an SBOM. It's not easy. In most cases, it's going to need automation, because you've just got so many elements of software across a large enterprise; it could be thousands. And you might not even know, when you've got open source used within your suppliers' proprietary software. And they might not even know what they've used. And people have got legacy systems where the people who created them are long gone. So it's not an easy thing to do. Automation is the solution. But you want to be automating, as I say, toward a global standard at the moment. Obviously, in the U.S., they need to get themselves one standard within the country. ENISA in Europe may play a coordinating role with the European countries. And I would imagine, like GDPR, a big group establishing an effective standard could become the de facto standard.

Suparna Goswami: And I was reading somewhere - or not reading, in fact, I was speaking to one of the CISOs. And he said that SBOM, while it is not a solution to the security problem, is a great enabler to help solve some of the problems.

Tony Morbin: Yes, it's not. Nothing's a silver bullet. This isn't the total solution. Because, you know, the adversaries particularly, whether it be state or criminal, because they're both at virtually the same level now in sophistication. You wouldn't have probably found SolarWinds with an SBOM, but you certainly would have been able to fix Log4j a lot quicker if you'd had NIST knowing where it was within your portfolio and within your estate.

Anna Delaney: Yeah. Well, very useful takeaways. Tony, thank you very much. Well, I thought I'd share, as a final story, something that I'm working on: a feature for CISOs who are facing budget cuts, and how they can run a security program on a limited budget. And, as part of this, I had the great pleasure of interviewing a very experienced CISO, George Finney - he's the CSO actually of Southern Methodist University in the U.S. And I was asking him about strategies he can recommend for preparing for, and dealing with, an economic downturn and ways to build cyber maturity on low budgets. So here's what he had to say.

George Finney: I think that, you know, bringing costs down, even if you've got a great tool that you believe in, multi-year agreements are a great way of, you know - most vendors will knock 10 or 20% off just because you signed a three-year deal. That's really huge, right? If you need to stretch your dollar, gosh, if you can reduce costs in that way, versus having to reduce staff, for example, I think that's a huge win. If you can consolidate vendors. There are a lot of products out there; you know, there's a lot of overlap. You might have two different products and 80% of what they do is the same. Gosh, it's a hard thing to do, especially when you've got team members who are trained in those products or who really like, you know, one or the other. You know, I think sometimes you've got to make hard decisions. If you are at a deficit in terms of budget for staffing, you know, partner with other teams in IT, and do security training. So one of the things we did is we help pay for people outside of the security team to go out and get cybersecurity certifications, right? They feel great about it, because, you know, it's something that they'll take with them through the rest of their career. But we're also building security bench depth, I guess, or, you know, better security knowledge across the organization. Again, we're maturing the organization, we're supporting our individuals, but maybe we're also supplementing cybersecurity staff with those individuals, kind of deputizing them, if you will, so that we're not having to add extra headcount. Again, I think, lots of different creative ways to do that.

Anna Delaney: So some helpful insights. I thought what was interesting was the tooling recommendations, and as I said, this is part of an upcoming wider report, but it's an interesting topic. I mean, I know we all read a recent report from the Bank of America on highlights from Black Hat this year, and it seemed to, conversely, indicate no shortage of spending in the industry. So it depends on the size of the organization. Suparna, I know you've hosted a number of summits recently. Are CISOs worried about the same issue?

Suparna Goswami: Yes, of course, and you know, aside from that, I was also speaking with the fraud practitioners a bit and they said that whenever there is an economic downturn or news of economic downturn, it automatically means that fraud increases, because people will invariably - some people will lose their job or people have that fear. So invariably, there are budget cuts; even adversaries know about that and fraud tends to increase. And past statistics have shown that even during the pandemic - it was not an economic downturn, but we saw how much fraud took place in terms of unemployment fraud, or PPP loan fraud in the U.S. So, any such news means that adversaries are on the alert that yes, companies will tend to cut back on the budgets. And that gives them an opportunity to probably, you know, attack the companies even more. So there's a whole report that shows how fraud increases as soon as there's any news of economic downturn or recession.

Anna Delaney: You're absolutely right. Criminals are watching closely, as are we. So finally, sometimes, on the Editors' Panel, I ask about hot topics of the week, but I thought it'd be interesting to explore the longer view. You know, we're in the last quarter, can you believe, of 2022? So what topics, stories, technologies, trends will you be observing closely as we close this year? I'm curious to know, Tony, what are you looking at?

Tony Morbin: Well, in the background, there's always going to be the Ukraine war that's going on. And it seems to have flared up a bit on the cyber side with hybrid warfare and both a rise in cyber attacks targeting the energy sector, as well as coordinating that with kinetic attacks. And the Ukrainian hacking army has also said that it has upped its activity as well. But I guess the other big enterprise story that is continuing is the whole insurance market, because cyber insurance, we've seen, you know, rises in premiums, because there's been so many attacks and so much to pay out. There's been restrictions on what's actually covered, whether or not nation-state attacks are going to be covered or not, and what counts as a nation-state attack, then some companies are even finding it hard to get insurance. So the insurance companies are wanting very much to almost have a tachograph in the cab; they want to actually see what you're doing and see what your security policies and activities are, to be able to price their premium accordingly. So some people are actually voting with their feet, if they're big enough, and self-insuring by putting money aside to cover things rather than getting insurance. But I actually don't personally see that as, ultimately, the way to go. I think they will be coming back to cyber insurance. And that long term, it's a really good thing, because it's the private market actually setting the standard for what is good cybersecurity. Because at the moment, you know, a $100 million company, if it spends 1 million or 10 million on cybersecurity, which one is overspending and which one is underspending, or is either? Whereas the insurance companies, once they have the actual data, will be able to say, this is what good security looks like. So, I don't think we're there yet. I think that's definitely something that we're going to see really get into the nitty-gritty this year, because of the pressures that we've just had - Suparna and yourself mentioning in terms of budgets, you know, as people have less budget, they want to make sure that they're getting real value out of the money they spend. And similarly, the insurance companies can't afford to just take a hit; they have to really hone down on what they are actually covering, and what is the risk.

Anna Delaney: Yeah, and it'd be interesting to see if others follow Lloyd's decision to cut cyber insurance. So watch this space. What are you looking at?

Suparna Goswami: I have been - so zero trust is something I have been looking at through the year, and I love the way the conversation has changed from how it was last year. In the beginning, it was why zero trust is important; last year it was which approach to zero trust one should take, how should we go about it? And now it has gone very deep into, how do we do authorization around zero trust? Or how do we do continuous monitoring around zero trust, which is not an easy thing to do. So, I'm seeing the conversation changing from being very broad to very niche now. And the other topic that I would be very interested in probably covering or following is India's data protection bill, which the parliament is expected to launch any time. And I would love to see the changes that it has made - what the new bill will have, compared to the previous one, and when exactly it will become a law. We have been delaying it for many years now. So I would love to see India really gearing up for a fast data protection law soon. But before that we need to pass the bill. So the bill should be out anytime. That's what we heard. So I will be closely following that space.

Anna Delaney: Absolutely. I think the whole world is watching what will happen in that respect. So, thank you very much, Suparna and Tony. This has been a pleasure, as always.

Suparna Goswami: Thank you.

Tony Morbin: Thank you.

Anna Delaney: And thanks so much for watching. Until next time,
