There is so much cyber news that, once in a while, all cybersecurity leaders and network defenders should stop, take a deep breath and consider exactly which developments were the most important. Join Rick Howard, the CyberWire’s Chief Analyst, and our team of experts for an insightful discussion about the events of the last 90 days that will materially impact your career, the organizations you’re responsible for, and the daily lives of people all over the world.

Transcript:

Rick Howard: Well hello everyone, welcome to The CyberWire’s quarterly analyst call. My name is Rick Howard, I’m The CyberWire’s chief security officer, chief analyst and senior fellow. I’m also the host of two CyberWire podcasts: Word Notes on the ad-supported side, meaning it’s free to anybody, and it’s short, usually no more than five minutes, and it covers all the kinds of words and phrases that we all find and have to explain to our bosses, this alphabet soup of cybersecurity. And the other one I do is CSO Perspectives on the pro side, the subscription side, I like to call it the Netflix side. It’s a weekly podcast that discusses first principles strategic thinking, it targets senior security executives, oh and by the way those that want to be them, so something for your career in the future. But more importantly I’m also the host of this program, reserved for CyberWire Pro subscribers, and I’m happy to say that I’m joined at the CyberWire Hash Table today by two good friends of mine.

 Okay one has recently taken a new CISO gig, Greg Notch, the new CISO for Expel and my dear friend, Steve Winterfeld, the advisory CISO for Akamai. So Greg, Steve, welcome to the show. You guys can say hello.

Greg Notch: Thank you. Hello.

Steve Winterfeld: Hello.

Rick Howard: Great Steve, right on cue, nicely done.

Steve Winterfeld: I was doing exactly what I was told, I felt very compliant to that.

Rick Howard: So this is our 10th show in the series where we try to pick out the most interesting and impactful stories in the last 90 days and try to make sense of them. And this quarter, as you all can imagine, has been full of surprises, like the London court signing the extradition order for Julian Assange, I never thought that was going to happen, and how about the Japanese contractor that walked out the door of the Amagasaki city government building in Japan with a USB stick containing the personal data of 460,000 residents, got drunk and lost it. That sounds like something, Steve, I would’ve done back in the day. And the NSA re-awarding of its unclassified cloud contract to Amazon. So those are impactful stories I would say, but Greg, you didn’t choose any of those for your topic. What do you have for us to kick this thing off?

Greg Notch: Sure, thanks for having me. I think what I’ve been noticing, and the thing I want to talk about, was the disaster of identity and SaaS, all of the SaaS tools that we’re all using and how we authenticate to them and the sort of mess that that is, and frankly how easy it is to steal a cloud identity. And we’ve noticed, and I’ve seen in the news a bunch, how even MFA isn’t the bulwark against this thing that we thought it was going to be. MFA prompt bombing has taken off, and even cloud services that appear to be protected aren’t protected. And you couple that with some of the other problems that we’re seeing, like the SaaS platforms not giving you good telemetry and sort of abdicating responsibility for giving you the logging you need. It is a little bit terrifying in my new role as a CISO with a lot of SaaS in our environment. I just noticed that there’s some things that we kind of haven’t gotten to yet.

Rick Howard: Can you explain what MFA prompt bombing is, because when we were going through the notes before the show I said that’s a phrase I haven’t heard before. So explain to me how that works.

Greg Notch: Sure. Sometimes I call it a fatigue attack. So imagine the attacker has your actual user name and password for a service and they log in, but they’re waiting for the MFA response. So they push it, and that response goes to the user’s phone, and of course they’re not trying to log in, so they say no. But now imagine they do it to you over and over again, and they do it to you at 3 o’clock in the morning, 15 times. So you ultimately just capitulate and say yeah, sure, whatever, I don’t know what this is, I’ll deal with it tomorrow, and you hit the yes button. All of a sudden you’ve been allowed and you’ve allowed an attacker into your environment. So it almost fails on human bounds like most of security.

Rick Howard: That’s a target designed specifically for people like me because they just get annoyed about that, I would definitely say yeah, do whatever you need to do, just leave me alone. So I totally get it.

Steve Winterfeld: Yeah I think there’s kind of a spectrum of social engineering and direct attacks. I just think ultimately we’re using our phones as a security device and they were never designed to do that. The phone makers and the carriers are not interested in taking that on, so it leaves some holes. The SIM swapping doesn’t scale as well. You know when we were talking about the fraud attack earlier, where you send them the prompt and then you call and say hey, this is bank X, Y, Z, we think there’s fraud on your account, I just sent you a prompt, we need you to validate yourself, can you read me back the code. Well they’ve now social engineered their way around that, and this is my favorite part, they’re going to say okay, as part of the investigation you’re probably going to get a bunch of fraud notifications, just ignore them.

Rick Howard: That’s fantastic.

Steve Winterfeld: And then the last part is, it goes back to standards, and you know I’m a framework guy, I am a standards guy. If you’re going to stand up to an audit, if you’re going to get involved with a class action lawsuit, I think it’s important to go to something like FIDO2, Fast Identity Online 2, and use those as kind of your litmus test for your vendors and your architecture. It’s not going to stop some of the social engineering we just talked about, but it’s going to minimize some of the man-in-the-middle SMS compromises.

Rick Howard: Well I mean we have gotten better at this. I mean even with the MFA prompt bombing stuff, I agree that’s an attack vector, but that’s way better than just using user IDs and passwords, and as the authentication technology has improved over the years, things like push notifications from Apple and Google, like you said Steve, the UTS stuff, that’s coming right, and it’s going to be much better very soon I think. So I have hope here. I don’t know, Greg, am I off base there?

Greg Notch: I agree. What I like about Apple and Google and Microsoft getting involved in this is there’s a check of identity as well as the device there. If they’re using Face ID or something else and go, it’s actually you with your phone, that way we’ve gotten a little bit stronger authentication there. I don’t think we’ve solved the human factor right. I didn’t see prompt bombing coming. I thought okay cool, we all have an Okta, we all have some other MFA provider. We’ve gotten away from SMS as the second factor, so we’re good, but we’re not, because there’s still a behavior thing that I now have to train against, and I now have to let people know it’s an issue that– I feel like whatever we put in place, there’s still going to be that last bit. But I do agree that it’s better than a list of hashes that you can download from the dark web.

Rick Howard: Let’s throw our poll question out there, Greg, while we’re talking. Go ahead Steve, I didn’t mean to interrupt you there.

Steve Winterfeld: No I agree on the poll question. Greg, I guess one of the questions I have is, we’ve seen so much of this happening in the cloud lately, we’ve seen this with SaaS providers, are these new problems or are we facing the same misconfiguration, poor architecture, poor practices?

Greg Notch: I don’t think they’re new problems. I think what happened with SaaS too is that how you detect has changed and what you need to detect problems has changed, and frankly when you’re running on prem and you had firewalls and you ran all your own servers, getting logging was easy and just part of building a good security program. Getting back to that state when you have SaaS providers is actually super hard. You know many providers will actually charge you for security telemetry, which I find interesting.

Rick Howard: Wow.

Greg Notch: Yeah some providers will actually, they don’t just have it, they can’t even tell you at a granular level what people are doing in your platform. They’ll tell you somebody logged in but not what they did. So it’s hard to get your arms around it. So I think in some ways we lost some ground and we’ve abdicated responsibility in some ways, but it’s the same kind of problems, there’s nothing new here.

Steve Winterfeld: Yeah and you’re right. It’s a shared responsibility matrix now and being real crisp on who owns what and what’s in your contract. Do you have audit rights? Do you have notification rights? All of those things feel like half my time is spent vendor management versus managing actual technology and risk.

Greg Notch: What I don’t like about the legal side of it, I mean it’s a good control, like understanding what your obligations are and having an audit right, but then A, I have to do an audit, and then I’m left with this Faustian bargain of like what happens when they fail the audit, do I go back to my business and tell them well we’re turning this thing off, like, because they failed an audit. They’re very hard conversations once the SaaS platform’s embedded in your environment, and try that with Google right. It’s a non-starter.

Rick Howard: They don’t meet our expectations so we’re just gonna turn Google off. That’s gonna endear us to all of the IT people out there. So all this discussion about identity and access management is really a key and essential part of our zero trust strategy. I know people are going to roll their eyes whenever anybody talks about zero trust, because the vendors have commandeered it in their marketing materials, but zero trust is a great strategy and we all should be pursuing it, and this is affecting it right Greg. This kind of trouble is even harder now than it was when we invented zero trust 10 years ago.

Greg Notch: I agree, and I think the big shift, everyone looked at zero trust when it came out in the Google papers and all that and they’re like okay cool, this is about network boundaries and micro-segmentation, and then the message sort of shifted to oh, this is now about identity as a source of truth, both with the device and the person. Those two things, which is right, but now we’ve relied on identity providers which are themselves SaaS platforms, and it sort of turtles all the way down right. If you’ve got the same problems you’ll just move them over here.

Steve Winterfeld: So for those that have heard me before, big fan of NIST 800-207. If you want to talk about zero trust, I mean you’ve got to define it for your corporation before you go listen to anybody, unless there’s a great resource for you to help, you know, because talking to two different vendors is going to give you two different architectures which both technically are zero trust, but they’re very different approaches, and it’s kind of clean for you to know what you’re looking for when you go in.

Rick Howard: Well let’s break that down a bit, because I think describing it is pretty simple, doing it is the hard part, we won’t talk about that here. But really in the early days of zero trust, it was just we needed to make sure we know exactly that it’s Greg logging into the system, it’s not anybody else, or it’s Steve, and then later on we added we know that Greg comes in from these devices, his laptop, his mobile device, whatever it is, so we add that to the mix. And what’s coming in in the last couple of years is us being able to identify the applications that are being used, and we know exactly what permissions those things should have as Greg uses it or Steve uses it, or as it’s B to B, you know business to business, what those applications should have access for and what they’re authorized to do. So it has become very complicated in the last three or four years. Is there any solution out there Greg that you’re looking at? Is it a home grown solution, or do you think vendors are handling this, or what are you thinking about there?

Greg Notch: I think Steve has it exactly right. Like this is going to really be depending on what your, I think it’s going to be different for every business. And how you implement it is going to depend on what you have and what your goals are. There’s no one size fits all product solution for this. It’s a strategy, it’s not a destination.

Rick Howard: Well I know your last job too, at the NHL you brought a lot of that code yourself, at least your team did right, you had to kind of figure that yourselves out right?

Greg Notch: Yeah there were gaps in the –yeah there were gaps for sure.

Rick Howard: And Steve you talked to a lot of other CISOs out there in your job, what are they telling you?

Steve Winterfeld: So I want to be transparent in that Akamai provides a solution around this.

Rick Howard: Oh, so we should buy Akamai. Okay so I guess we’ll put that out there.

Steve Winterfeld: So I just want to be transparent, and that’s why I said, you know, I think it’s important to go back to something like, you need to know what you want going in. But that said, you know a lot of this also, not only is it zero trust, but the other analyst word that we’ve thrown around lately around vendor management is SASE. Complexity is an enemy of security, and zero trust is authorization and identification, and that’s simple when we have people, it’s simpler. You know with remote employees and multiple devices it gets more complex, and then we have contractors and we have auditors, and so, you know, where we have control. You know we’re talking, Greg you said this, SASE, we’re losing that control, but now we’re saying, you know, not only that but B to B, system to system, cloud to on prem, to then what does cloud mean, serverless, and did we build authentication into our serverless applications.

 And so all of this goes back to most of the conversations we’re having is how do we move to the next generation of doing a solution that fits in all of those environments.

Rick Howard: So we had a little technical difficulty with the poll, but we finally got it figured out. So if the audience would answer that as we go through this. We’ve also got a couple of questions. Let me see what it says here. Alright, this is from user Googlemenow and she asks how do you all manage your SaaS in your organizations? That’s a real interesting question. You know I work at a start-up, you know The CyberWire is a small start-up company and the business runs on a hundred SaaS applications, and I don’t know, Greg, you’re new to your job, have you got a chance to take a look at all that stuff yet or are you still figuring it out?

Greg Notch: Definitely still figuring it out. I think it was a bit of a culture shock coming into what’s a similar start-up, maybe a little bit larger, and we have a couple hundred SaaS applications that are in active use, you know, some bigger than others, obviously Salesforce and Google are big parts of our environment, and then there are a million little ones, things in FP&A and portions of the business that I was not familiar with, workflows that were used or handled in traditional on-prem environments at my prior role, and it’s just SaaS wired into SaaS and they’re all talking to each other and they’re plugged into each other. A lot of automations that are connecting them, and to think about the security boundaries between things like, you know, Slack and Jira and G Drive and all, and how the workflows that are big in the business use those, it’s heady to try to figure out what controls you can put in place and how you can bring about, you know, even investigating if there’s an issue, or put some guard rails around how those things work.

 And the key, comma, but, there is without slowing down or interfering with how the business works.

Rick Howard: So you guys can see the results of the poll from the audience. Let’s see. Steve, Akamai’s a big company now, you’re kind of balanced with SaaS applications, where do you fall on that poll?

Steve Winterfeld: So I think we’re more than 20 less than a hundred and I will agree with what Greg said as well is, you know, there’s so much out there that really it comes back to what we always say and we do poorly usually is impact. Which of those SaaS have what kind of information, which have how much information, what’s impact from a third party being compromised. Tracking data flows, tracking critical data and in the case of resiliency which one of those going down takes my business off line. Those are the hard things to get back and map at a maturity level.

Rick Howard: Well it’s a great topic, SaaS identity management, that’s going great, thanks for bringing that up. But I’m going to switch to the next topic now. Steve, what was the topic you chose for this afternoon?

Steve Winterfeld: So mine’s kind of a blend. You know I want to start off with we’ve seen Costa Rica as a country be hit by ransomware twice.

Rick Howard: Twice not once but twice.

Greg Notch: We’ve seen, you know, the United Kingdom had 75 different hospitals go down to ransomware, and so we have national systems that are dependent on cyber that are going down, and then on more of the contested environment, with the war in Europe right now, we’ve seen historically Ukraine and Russia have had cyber conflicts. Now that we’ve gone to physical conflict it’s even more, you’re seeing Russian DDoS against banks in the region. You’re seeing US Cyber Command acknowledge that they’re getting involved in cyber operations in support of the Ukraine. So most of it’s been in the region, but there’s always that worry that, you know, economic sanctions will be responded to with cyber sanctions. And then what is the reaction, because, you know, we’ve got the challenge of attribution, and is attribution legal, criminal, political. We’ve got collateral damage. Are commercial companies going to get caught up in this.

 And so that’s where I’ve seen a couple of articles that are how are our nations responding to this level of activity. The US passed a law around incident response and notifications, and then you’re seeing a proposal in the UK for financial third party critical providers to start to be regulated. And imagine that you’re a major provider to the UK, how would you feel about you uniquely being regulated versus all your competitors not being regulated. I just think this is a fascinating area we’re starting to move into.

Rick Howard: Well it isn’t like this is the first time that we’ve been aware of nation states using cyber to do things against commercial organizations or government organizations, why is it different now? Any ideas about that?

Steve Winterfeld: Well for me it is how dependent we are on the cyber infrastructure, how much banking is online, how much of my life is online, and in some countries it’s even higher than the United States. You take the national health care system offline, that’s more cyber crime than nation states, although some of the cyber criminals, as you map back to APTs, are sanctioned if not outright run through nation states. So once the responsibility of the government to provide security around these national systems.

Rick Howard: So Greg, I’ll come to you because now you’re taking on this new gig right. Like Steve said before, we’re all going to worry that Russia is going to feel boxed in with all the sanctions that the West is putting on them, and they will lash out in ways that are easier for them to do than physical violence, and all of us think that’s cyber. So have you guys put together a team that says we need to orchestrate, orient towards the Russian adversary playbook? Is that a real thing?

Greg Notch: We certainly put the TTPs into the automation that’s behind our product, that is definitely something we’re paying attention to, and we see a wide variety of different types of attacks, different industries right. That’s the advantage of the perch. Yeah I often wonder, for all but the most sophisticated cyber security programs, whether attribution actually matters. I’ve asked this question a few times. Like if someone’s banging on your door, do you care who it is, or do you care what they’re doing and how they’re doing it and stopping them right. So there are very sophisticated commercial attackers just as there are very sophisticated nation state attackers. I think I worry if Russia goes loud across a wide swath of industries all at once. I think the collective response is the thing that probably concerns me the most, which, you know, for all the reasons that you can read about, not enough people to defend and just general maturity being all over the place.

 But I think from that perspective I just worry that if they go loud and hot all at once that’s what I would worry about.

Rick Howard: So let’s throw this poll question out, Steve, we have to see what the audience thinks, and Steve I’ll direct it over to you. I agree with Greg that we don’t really care if it’s the Russians, we care about these known playbooks that all of us like to share around. We know what, you know, Panda Bear does, whether it’s Russia or China or anybody. When you’re talking to CISOs out there, is that what you’re talking about?

Steve Winterfeld: Well I mean I think it goes back to exactly what you asked Greg, is, you know, we have a limited set of resources, and when we pick out what red team activities we’re going to go against, is it the latest cyber crime gang, is it an APT, a nation state threat. How do we balance, and when do we prioritize which of these playbooks we focus on? And it also probably is very industry specific. I don’t know, if I’m in manufacturing or commerce, am I as worried as a critical provider like finance or the electrical grid or something like that, and so there’s this factor of which playbooks we focus on and what. So what did everybody say?

Rick Howard: Here we go. About half and half, how about that. That’s interesting. Well this topic is one of my hobby horses, I’m talking about this all the time right. The idea that we have to focus on a handful of playbooks versus all of them is kind of ludicrous to me. There’s not that many right. There’s like 250 known adversary playbooks, just go to the MITRE ATT&CK framework, you can manage that in a spreadsheet if you wanted to right. So it’s not like it’s complicated. The idea that we can’t put prevention controls and detection controls in for all of those things seems ludicrous to me, but Greg, you tell me why I’m wrong about that, because people tell me all the time I’m out of bounds on that one.

Greg Notch: I think building a security program is hard, period, full stop. It just starts with like the level of understanding of both the business and the technology required to even start the endeavor. So trying to map the MITRE ATT&CK framework against your security controls is a pretty, like you’re pretty far down the maturity curve by the time you’re doing that, and frankly some of the gaps are in tools that you bought thinking they did one thing and they did another. So I think in a perfect world you’re right. Like we know what the 250 playbooks are, we know how to do attack simulation for 250 playbooks, and we can just like fire that against your environment. We can tell you what to do next in your security program, and the problems with that are the prioritization that comes after that, and the second, like more sinister one, is that there’s no reason, if you’re going to automate the MITRE ATT&CK framework for defensive purposes, that it can’t also be automated for offensive purposes, and that notion is also terrifying.

Rick Howard: Yeah I would like to have that as a problem to solve, because the previous stuff you said is true, that we’re nowhere near being able to automate our defenses for the MITRE ATT&CK. I’ll gladly take on the next level of threat. Steve, I interrupted you, I’m sorry.

Steve Winterfeld: And you’ve got to remember every playbook review is a snapshot in time, and so how often does your network change. And so how long is that last playbook review valid. So that’s 256 times how many times you’re going to run that a day, a month, a week, a year.

Rick Howard: Well I mean we all have a finite security stack right, and so that’s the only place you could put the preventive controls in. So you’re not really doing it for the changes in your network, you’re doing it for the security stack that’s defending your network right, or am I wrong about that.

Greg Notch: A little of both because you don’t know what your coverage is.

Rick Howard: Yeah.

Greg Notch: Right of your security tools. I think there’s some good venture backed companies that are thinking hard about attack surface management and CSPM and I don’t happen to see a full result yet but it’s a problem people are thinking about for sure.

Rick Howard: So let’s take a question from the audience. This is from anonmouse, okay I love that name by the way. She asks, Steve, how do we legislate cross border issues for cyber? Is this something the government should be handling for us, not in an attack way but in policy?

Steve Winterfeld: So it’s just interesting, you know, when we think about most of our laws and regulations today, they are tied to geography. You know the laws of the United States stop at the border, you know, and then we get into more agreements. Do we have agreements with people on law enforcement? Do we have agreements with people on how we have, you know, NATO national defense? And so it’s very complex, and there are not a lot of standards about how we do international joint cyber protection. There is no, you know, real great equivalent for this, and a lot of the defense is commercial entities. And so even where we start to get into regulation, the defensive systems that we’re talking about, we said a minute ago, if the UK is going to start regulating critical providers and those critical providers are international companies, how does that work?

Rick Howard: Yeah, I don’t know, okay. Any ideas Greg? If you’re king for a day do you know how to fix this?

Greg Notch: I got nothing.

Rick Howard: Well that’s one of the questions from one of our audience, from Bornconfused. She says how do you regulate a subset of industries internationally? I think that’s the crux of the problem. But here’s another one from cerealkiller, spelt like the breakfast cereal, come on you guys, like that’s funny. She’s wondering if this is a Board of Directors’ issue at all right. Is this something you want to take to the Board of Directors to say Russia’s been attacking us. Does that help them make decisions somehow?

Steve Winterfeld: So I think, you know, that’s an interesting question. It goes back to, I think maybe by industry, and what is the risk appetite, the level of maturity, but when you’re, as a CISO my job is not to accept risk, my job is to make sure that the leadership knows the risk that they’re accepting. And so when I go up and talk about our major risks, is a war in the Ukraine a change, is the change in ransomware, is the new criminal group Magecart attacking JavaScript. I have to decide what is worth having a discussion on the threat side, you know, obviously we have the risk follow discussion as well, to make them aware of why the risk landscape has changed. There could be some Log4j, do we need to go and talk to the Board about Log4j. These are interesting questions, and I think as somebody going up to talk to the Board we need to establish where they want to draw that line, but we also need to be careful not to, and Rick, before I get into this a little bit more later, but I can’t stop this rant. So just buckle in.

Steve Winterfeld: But when we go to the Board we also have to remember that we’re an officer of the company, we need to have a broader business discussion. We’re not going up there talking as technocrats, we’re going up there talking as business partners. So it’s a risk discussion about the business, it’s not a risk discussion about the threat.

Rick Howard: I agree that we need to be talking about risk up there, but I’ll just throw an example out there. At the beginning of the Ukraine war, the Russian war against Ukraine, let me say it that way, there was an attack against their satellite system, and Mr Elon Musk sent his company, is it Starlink, I can’t remember the name, alright, but he sent a boatload of his equipment to help them with that communication system. I’ve got to believe that the CISO for that company was going oh my god, that just put a bullseye on Starlink’s back end, don’t you think Greg. So is that something you would take to the Board?

Greg Notch: Yeah I would. What I was going to say was basically what Steve said. It depends on what your exposure to the risk is. I think if it’s just generally I’m going to get ransomware, like that’s no different than last week, other than maybe the frequency might be more likely. But if you’re doing something specific to poke the bear, or you have all of the bears, or if you have some specific exposure to, you know, either side of the conflict, or you’re doing business in Finland or something like that, I think it’s worth a discussion, but it really depends on what your Board cares about. I think like all Board discussions turn into what do they want to hear and how do you want to explain it to them in the language of risk that they understand, and that’s going to be a Board by Board thing. But I would bet even money that the CISO for SpaceX put that in his risk register for the month that that happened.

Rick Howard: I would think so, but, you know, I’m a crazy guy, people have told me. My friend Steve has told me I’m a crazy guy. So that goes to what you were talking about though, you know, we think that there’s these standard answers for all Boards, and like you guys were conveying, that’s just not the case right. Every Board, every senior leadership team has its own culture, and some are more risk averse than others, and some companies may have lots of risk factors going on, not just cyber. So this is going to be different wherever you are right. Steve, what are your CISOs telling you about that? How do they adjust that? What is their mechanism for gauging where they should go with this kind of conversation?

Steve Winterfeld: And I think that’s where I bring up the fact that it’s very much industry dependent, and the more heavily regulated an industry is, I think that’s where you get into a lot of different discussions that are responsive to things that the federal auditors are going to come in and ask about. Because if I’m selling, you know, flip-flops, I’m probably not going to have anybody ask me what I’m thinking about the national and international threats gate. If I’m a major bank, if I am a major insurance company, anybody that’s heavily regulated, I’m more likely to be challenged by things like that, and if I’m publicly traded, you know, I’ve got to put things in my, you know, my reports. I’ve got to report out on cyber risks. And so I think that’s where you’re seeing the difference, where there’s an expectation of auditability and accountability.

Rick Howard: This is one of those perennial questions that have been around since we all were young in the security business, and there’s still no good answers for this, but really interesting question Steve. So good job. Let’s shift over to my question that I’m responsible for, and I may just present it this way. Over the last five years or so I’ve been aware of this growing movement across all verticals that, instead of hiring a full time CISO to run infosec programs, some business leaders are hiring virtual CISOs, contractors if you will, who come in and shore up some critical security function or functions, and as I said, I knew this was kind of going on, but I really wasn’t paying attention to it until we all went to the RSA conference in San Francisco a couple of weeks ago. And so while I was talking with some of my good friends and peers, former CISOs and CSOs of big companies, I happened to notice that a good many of them had hung out their shingle to perform this function, and I got a sense that this wasn’t just a collection of one-offs but instead a movement or an evolution, so to speak, for a direction of our profession, maybe even a career path.

Rick Howard: So here’s my hot take about that. I’m not sure if this is the right direction for our profession to be going in. And so before I explain that I want to get your take on it to see if my observation is valid. Did you guys notice this too at RSA right, and Steve you and I have been talking about this at one of our breakfasts together, in fact we attended our second breakfast together rather, and for those of you who have not attended RSA before, the goal of the entire RSA conference exercise is to meet people and many of the meetings are scheduled around meals but there aren’t enough to go around. So it’s common practice to have two or three breakfast meetings in one day. So there was Steve and I eating our second breakfast of Belgian waffles and pancakes, just like the hobbits we aspire to be. So Greg let’s start with you alright. Can you confirm my observation, the virtual CISO is a thing now or is it still just a one off and we shouldn’t be paying attention to it?

Greg Notch: It’s a thing and it’s a thing that I think is a response to the market not having enough to go around but I agree with your take, I don’t think it’s a good thing.

Rick Howard: Aah so agreement there. Steve what do you think? Is it a thing first, let’s decide if it’s a thing or not.

Steve Winterfeld: Statistically. So after having an opinion I thought I’d do research to see if.

Rick Howard: That’s a change. Why would you do that?

Steve Winterfeld: So, well, I did it the normal way, I developed my opinion, then I did the research. So I stuck to my normal pattern and I went and I said so statistically yes, it is both a service offered by companies. It is a service people, you know, offer as individuals. If you go off to job sites you will see requests for it, you’ll see people advertising but then something caught me off guard. I looked for a virtual CFO and that’s a thing and I’m like surely this next one’s not possible. I looked for a virtual CEO, that’s a thing. And so I’m wondering if this is a subset of virtual and I always measure myself against the CFO and you’ve heard me say before, you know, people will ask should a CISO have a technical background or should they be an MBA or something like that and I think we’re being asked that question because we’re showing up to the Board as technocrats not business partners.

Steve Winterfeld: And so having said that if a CFO can be virtual then maybe we’re talking about a broader trend and then where is a virtual CFO, CEO, CISO appropriate. I think maybe for the start ups, for the mom and pops, for the little ones, where it’s important enough that they say listen, I can’t afford a security staff, I have one guy doing security and information, operations and IT and a couple other things, but I want some portion of a strategy. So I want a virtual something.

Rick Howard: I think you just answered my whole problem with this thing right because, you know, everything is about me, it’s about being a CISO not about these other jobs that you mentioned, these other highfalutin jobs right, and I never imagined that there would be virtual CFOs or CEOs or CTOs, so if there are maybe this whole argument goes out the window. But my worry is that in the past five years or so when we were all thinking about this, the career for CISOs was kind of looking up. Most of us expected to be on senior leadership teams alongside those CTOs and CFOs and even CMOs right. Then we expected to be on boards talking about risks as part of the business decision process right but if this is a thing in the security world, my argument is it seems like we’re going in the wrong direction, that we could just hire out a hitman to come in and, you know, figure out some things for compliance and then get it out the back door.

Rick Howard: I don’t know Greg, you said you agreed with me when we first started this. What’s your take on this?

Greg Notch: I think what I would like to ask on the virtual CFO and virtual CEO thing is when and how are they hired for that? Like if you’re a virtual CEO are they a virtual CEO forever or are they coming in to solve a specific set of tasks at a specific set of time? Like a virtual CFO getting you ready for some event. I think a virtual CISO could help you build a program and set a strategy but part of the role of the CISO is sort of maintaining that and reporting out on it and being a partner to the business as they build things to make sure that security is woven into the thinking of business process and other things. I feel like the same is true for a CEO and the same is true for a CFO. So I just wonder how those virtual people are used in those roles.

Rick Howard: Yes, put the poll question out. Go ahead Steve.

Steve Winterfeld: My concern I think probably mirrors yours Rick, which is, is this a slippery slope. Now when and where is it appropriate to, is it by the size of company, by size of revenue? When is it appropriate to have a part time officer? And so for CISO a lot of that is, I don’t think you can go in and declare a strategy and be gone for six months. So what’s the, you know, what’s the level of engagement? Is it your CISO shows up to two meetings a year? Probably not very good. Is it eight hours a week? So it’s kind of a spectrum here.

Rick Howard: So I want to be clear though. I think it’s fantastic that my friends are getting these gigs right, so by all accounts they’re pretty lucrative and they don’t come with the burden of being a 24 by seven operation and by the way, you’re probably not getting fired because you got, you know, some successful ransomware attack hit you, so that’s all on the positive side and the expertise these virtual CISOs provide, you know, my old friends I saw at RSA, they’ve got years of experience under their belt so they can come in and help a fledgling infosec program get stood up. I get all that right but I ran into my good friend at RSA about the ins keep. He’s got a company that does this. Now he’s a regular listener to this show, I hope he’s listening right now, and he and I had a mini debate about my hot take right there in the Marriott hotel lobby and he says that, especially for small organizations who don’t have the resources to hire a full time CISO and can’t afford these gigantic salaries right, virtual CISOs fill the need in the industry and I don’t disagree with that.

Rick Howard: Did we get the poll question up? What was the answer? Did it come up? I didn’t see it. So virtual CISOs are a good idea, so what I’m hearing everybody saying is Rick should just shut up and stop talking, that’s what I’m hearing right?

Steve Winterfeld: I’m just going to say Amen.

Rick Howard: I get that, I get that. Go ahead.

Steve Winterfeld: Yeah another thing you brought up as far as career tracks is the recent rule coming out of the SEC around expertise on Boards. I think there are a couple of things as we get to be a more mature industry. I think there are just going to be more models out here and more opportunities for us to figure out what our role is but yeah I’m very excited about the new SEC rule, to see if that’s actually filled by past CISOs or where they go with that.

Rick Howard: I don’t know Greg, what’s your take on that? I don’t think they’re going to be hiring CISOs into that role.

Greg Notch: I don’t know either. I heard someone say this one tonight, I believe it to be true. It’s like being a CISO is like being a CFO before accounting was invented. There isn’t like a set of things that like this is like very measurable, I mean, there are some but there isn’t like a well agreed upon and well defined set of things that you look for and so where the subjectivity comes in, I think you have to have expertise. Is that a Board Director that you’re paying and has fiduciary responsibility for the company, I don’t know. Is it a Board advisor, I can’t tell, or they’re going to hire a CFO who like went to an NACD class and like they have the sub-section on cyber right. I can’t tell either.

Rick Howard: Well it goes to what Steve was saying earlier that, you know, CISOs are not really board members, they don’t have the fiduciary responsibilities, in title only okay, it doesn’t come with the responsibility right. So my guess would be they would hire a former president of security companies or financial companies and then those people would be the ones responsible to do that board work. I know a couple of my friends out of the military who have gone on to do this function for big Fortune 500 companies because they don’t know how to do business but they had a security background. And so that’s the person that’s going to look for it. I don’t know, call me crazy Steve, is that the right ball park or am I wrong here?

Steve Winterfeld: Well yeah it’s interesting, you know, how many CISOs are going to do training to be a Director. We’re great at training to be experts in our field, you know, not should I’m like okay, artificial intelligence is more than a buzzword, I got to go figure out what this means, I got to get educated in it but I’ve never taken a, you know, and there are courses out there, there are paths, there’s a couple of good podcasts I’ve listened to that, you know, kind of walk you through. If you want to be a director in the future what is your fruit path. What are the skills you have to have and how many of the CISOs are developing board skills?

Rick Howard: When you talk to peers Greg, is everybody moving in that direction? Are we still mostly technical policy wonks for our organizations?

Greg Notch: I’ve always maintained there are two types of CISOs, so the ones that are like me that came from the technical side and then the folks who are more risk management, some of them are lawyers, some of them are MBAs right. They hire the tech chops and that’s part of their team and they’re more of an enterprise risk management role. I think if I talk to peer CISOs, I mean because of my background I bend more towards the technical ones. So they’re very excited about the SEC ruling because they actually think that’s an opportunity for them without having to go to any NACD training and really, you know, understand like how to read a cap table and a P&L and understand what’s going on in the business and tie that in. I think there may be a little irrational exuberance but, you know, oh they’re going to need me on the Board but I do think it’ll probably trend towards that sort of second type of CISO with a more business focused skill set.

Rick Howard: So we’re going to have to leave it there. That’s a good topic and clearly I’m wrong on that subject, so I’m okay with that. Let’s do some general purpose questions. These came in while we were yakking and one of these is from your first one Greg. So this is from Steven Ramsay. How do you manage saying no to business units that want small SaaS applications, which don’t have the correct certifications and don’t meet your vendor management rules? Do we just take those guys in the back of a room and beat the crap out of them or what’s the policy there?

Greg Notch: We just have a 3PA policy. I mean these are the rules of the road, we make them very flexible and easy to comply with but at the end of the day I work for a security company, so having a baseline understanding of hey things need to be secure isn’t something I have to convince anyone of.

Rick Howard: And see when I worked for a security company that was a lot easier sell than it was when I was working for a government contractor right. I totally get that. How about you Steve, any advice you’re giving your CISOs?

Steve Winterfeld: No I think Greg nailed it.

Rick Howard: So I got another question from David Lank and he says what’s the panel’s view on security versus recovery resilience when considering critical infrastructure impact? So security things you can do to prevent the attack I guess and recovery after. Is there one way you would look at it that’s more important than the other? Open that to either one of you.

Steve Winterfeld: So for me on the security side, you know, your security infrastructure has to be resilient as well and part of this around, for me the holy grail situation where it is real time, monitoring, all of those things because that’s going to start to give you indicators of resiliency issues. Resiliency versus business continuity, for me I think that’s, and I know Rick has talked about this a few times before, it is about being in a contested environment with an active adversary. And so when you’re talking about recovery it is recovering in a contested environment and again I think, you know, NIST has done a very good job of talking about resiliency as a way to dynamically overcome real time attacks. How are you going to fight through a DDoS? How are you going to fight through ransomware? And these are things that I think you should be going in and doing through, you know, both the prevention on the cyber kill chain and recovery in your exercises.

Rick Howard: Greg do you have a preference, one way or the other?

Greg Notch: If you give me a choice and I have a credible option to prevent, I’m going to choose that over recovering from an incident every time, left of boom is preferable. But that’s not always, the key is credible, there’s not always a way to do that. So the short answer is both. I think a lot of testing has to go into resilience. You really need good IR planning and table tops to make it useful and practical. Where there’s a lot of resilience things that are buttons that you don’t ever test and then you don’t know if they work, whereas prevention stuff is a little more dyed in the wool, we test that. So I would choose prevention over resilience but only because it prevents me from having to do work, I guess it’s lazy.

Rick Howard: Yeah well this is one of my hobby horses also right. It depends on what question you’re asking right. Are you asking do I have enough resources to do one or the other, or I can only do one or the other, that’s a question, okay. But really what the entire subject of my podcast is, okay, what is the first principle that we’re all trying to do as security professionals and I believe we’re trying to reduce the probability of material impact. There are a number of things you can do to do that. Resilience is one okay, you could also do, like Steve said, intrusion kill chain prevention, zero trust, all those things could be done. The thing you have to answer as a security professional is what’s going to have the highest impact on reducing that probability of material impact. So that’s the real question I think we should all be answering.

Rick Howard: I get a question from, let’s see, Nathan Thomas, he’s a senior underwriter from Crum & Forster. He says what are the feelings and trends from the panel we are seeing for cyber insurance, and a similar question from David Oliver, he’s a principal at Catalyst Partners, to what extent have changes in insurance, increased costs and reductions in [UNSURE OF WORD] in your cyber insurance policy, affected your actions. Greg you’re at this new CISO gig, has that come to your attention yet, this insurance deal?

Greg Notch: It was renewed right before I started but I know the cost went up astronomically and I had just finished renewing at my prior before I left. Effectively a program that existed at the 98th percentile as the insurer measures it, they still almost tripled our premiums. I think the indicator that I often found interesting was how little information they wanted to write you a policy over a period of years and thinking if somebody like, well if I was writing this policy I would be asking a lot of different stuff and I think it finally caught up with them between ransomware and Kaseya and like they just had a couple of bad years, so the economic curve changed. That’s my hot take on it.

Rick Howard: Steve when I think about insurance right, I’m not trying to pick insurance out on the chance that I might get hit, that’s not what I want insurance money for. I would want insurance to pay for the recovery operations right, to bring in an incident responder, a commercial incident response team, to pay for all the new machines, to pay for the PR campaign I’m going to have to wage to, you know, talk my customers off the ledge, that’s what I would do. What are your CISOs talking about with this insurance thing?

Steve Winterfeld: Well ultimately, you know, you’re right. It is transferring that financial risk, so buying insurance to transfer risk. The insurance companies are getting actuarial tables at this point and they’re expensive. The number of compromises has pushed the requirements up so you’re seeing more come in with a checklist looking for what kind of security you’re doing and turning you down if you’re not doing the fundamentals. You’re seeing more and more companies charging you so much because the likelihood is fairly high. And so, you know, it’s becoming an interesting question if insurance coverage is going to be the same, if I pay for insurance for three years it’s the same as being breached, you know, the cost washes out. What do I want to do?

Greg Notch: I think self insurance is going to be common, I really believe people are going to move for the premiums there. They’re like you know what, I’ll set up a BV and self insure myself, as long as I have a reasonable program.

Rick Howard: So I got, this is right into the topic we were talking about before Steve, so this is from Fat bad man, another great user name, he asks what’s your take on the Google engineer claiming that his AI called LaMDA is sentient. How about that? Are you following this story you guys? I think it’s fascinating. What do you think Steve?

Steve Winterfeld: Now I’m going to be on Google here in a minute. I have not been following that.

Rick Howard: Have you read about it Greg? What’s your take on this?

Greg Notch: I’m not sure I’m sentient, so I don’t know if I’m capable of evaluating it. I don’t know, I have no idea.

Rick Howard: I’ve talked about artificial intelligence in a lot of the podcasts I’ve done. If you guys are fans of The Imitation Game okay, with Benedict Cumberbatch playing Alan Turing, there’s like a three minute segment in that, that is the best explanation of what artificial intelligence is. I highly recommend you go seek that out. You can find it on YouTube. But Turing wrote the imitation game paper and he lays out an intelligence test in the paper and it’s essentially, you put a computer and a person behind the screen and a Judge in front of the screen and the Judge asks the person and the computer questions and if the Judge can’t tell the difference between the answers then that’s an intelligence right. And what the Google engineer is claiming is that his LaMDA AI passes the Turing test right, which, I am not an AI scholar at all but that seems to be a milestone that hasn’t been hit yet. Steve you were going to say something.

Steve Winterfeld: Yeah and this is an entire podcast in itself, is Turing had to have some of the early, what we’re talking about is more general intelligence and artificial intelligence and the ability to map and have intuition and things of that nature and because of the power, that’s why a lot of people were not as impressed by the Turing test is, you know, I’ve been fooled just being on a call center, you know, not knowing I was talking to a chat bot for a lot of stuff.

Rick Howard: I get routinely beat by AIs in Fortnite okay. So yeah.

Greg Notch: I’d like to say the standard for intelligence is getting tricked and Facebook’s tricking people at scale and Facebook’s got it covered right.

Rick Howard: Best place to leave that discussion right. So guys we’re at the end of this. Ladies and gentlemen thanks for coming on and listening to us, on behalf of my colleagues Greg Notch and Steve Winterfeld, thanks for participating and we’ll see you at the next CyberWire quarterly analyst call. See you guys. Say goodbye everybody.

Greg Notch: Bye.

Steve Winterfeld: Thanks, awesome, bye.

Greg Notch: Thanks.