mnemonic security podcast
The mnemonic security podcast is a place where IT Security professionals can go to obtain insight into what their peers are working with and thinking about.
mnemonic security podcast
The Risk Business
For this episode, Robby is joined by Levi Gundert, Chief Security Officer at the cybersecurity company Recorded Future and author of the book The Risk Business – what leaders need to know about intelligence and risk-based security.
Levi shares from his decades of experience in the threat and risk space – and Robby picks his brain about a broad set of security topics ranging from telling the risk story and categorising risk, to darknet monitoring and infiltration, and using chatbots for security analysis and risk management.
From our headquarters in Oslo, norway, and on behalf of our host, robbie Perelter. Welcome to the Pneumonic Security Podcast.
Speaker 2:Everyone around you at any given time has a motive and with the right order and combination of words, that motive can be exploited. Now that may have sounded sinister, but we're not the blackouts. So for this episode, we're going to dive into the things that you can say to your management to get their attention and to get you budget, as management these days face a lot of uncertainty internal and external risk coming from all directions. Now we have security to deal with the cyber aspects of that risk, but, as you can see on the news, there may be a few other things that the suits need to deal with and, to be honest, sometimes cyber security isn't the most important thing on their list. Luckily for us, that responsibility is not in our shoulders. As long as we provide them with an accurate, understandable view of how cyber provides risk to their business and its operations, and perhaps also a strategy or two on how to address them, I'd say the rest is on them, and today's guest has written a few books about just that how to communicate the risk business.
Speaker 3:Levi Gundert. Welcome back to the podcast.
Speaker 1:Thank you, robbie, it's great to be here.
Speaker 3:It's been, I don't know, a year, two perhaps, so I saw you last.
Speaker 1:I lose all track of time because of COVID.
Speaker 3:Are you still in Sunny San Diego?
Speaker 1:I am. I'm not a lot, but when I'm on home it's great to be in Southern California.
Speaker 3:We could be friends, even though I'm from NorCal.
Speaker 1:Two different states. We know it now.
Speaker 3:Yeah, right. So I wanted to hi to you from a mutual friend of ours, Ferry from ING, Are you probably? Know, him from the Dutch National Police or the cyber forgot what they call it over there but yeah, that's amazing.
Speaker 1:I've known him probably close to 20 years just through. You know Law of Orsa and various private sector engagements. Great guy really knows his stuff. Always fun talk and shop.
Speaker 3:Yeah. So Ferry is a new colleague of mine in Mnemonic and he knows you because you were in the Secret Service when you guys knew each other. I guess that's right. That's right.
Speaker 1:A lot of great guys and gals, for that matter, and the agency and doing cyber crime work in the early days and a lot of those people have been down to the private sector just because the opportunity cost is so high, right, but I was very fortunate and blessed to meet very early on in my career and now being able to stay in touch with a lot of those people is really great.
Speaker 3:You've been in TI pretty much your whole life, right? So I think it's at FBI in your LinkedIn, but Secret Service, fbi, cisco, talos, fidelity and you're now the CSO of Recorded Feature, so that means you also have physical security as well.
Speaker 1:Yeah, that's right. So information and physical security and I get to help out with INSIC groups still, which is great, as well as fraud.
Speaker 3:You have a lot of war stories basically.
Speaker 1:Yeah, those are some good stories over the years, but it's all good stuff. A lot of fun for sure.
Speaker 3:Yeah, and you've also written a book. You've also shown me the book that you sent him the risk business. Yes, that's right.
Speaker 1:So it's interesting, I actually wrote the first one pre-COVID and so much of it was focused on quantifying risk, and there's a lot of people in our industry who have to deal with this concept of you know how do you sort of calculate risk and communicate it right to other executives in the board. If you can put it in dollar terms, it's helpful because it's more specific and people understand oh, like this is going to cost us money and this is how much money. But the problem is that unless you're in the insurance industry, where there's a lot of actuaries that already do that sort of thing, generally speaking the board doesn't really want to get into figures and equations on how you came up with those figures Chalkingly. They still prefer to talk about risk in a qualitative way, and so this is sort of the second iteration of the book is more about storytelling right at the board level and there's so many great people that work in information security.
Speaker 1:But the biggest problem we have as an industry is it's very difficult to bridge the gap between security and business and the enterprise, where they understand risk sort of holistically in a lot of different categories.
Speaker 1:But when it comes to cyber risk, there's been this historical challenge to communicate and storytell the way that resonates with the board, and so this book the second iteration is really about if you want to quantify risk like more power to you. I still think it's a better way to communicate risk, but at the end of the day it turns out, after talking to hundreds of CISOs and literally every industry worker on earth, that there's not a lot of appetite for that at the board level. They're still sort of wanting to. They want to talk about risk in story terms and it's still a little bit of the likelihood and impact which are very imprecise in my opinion. So I talked a little bit about why words matter greatly and we can probably use better words in our storytelling, but at the end of the day it's really some thoughts on how to categorize, how to move from intelligence to risk in a programmatic way and how to help your teams think a little bit bigger about how they connect with the business, which is so important.
Speaker 3:And he mentioned that he had taken some of your words and operationalized them, so he had made like risk categories I think you also just said the same thing like pillars right, like you have a reputation, that's a pillar. Then you have like your operations, like downtime, that's another one.
Speaker 1:And yeah, it turns out all cyber events fall into 105 risk impact categories, and this is for the private sector. It's not for the public sector, right. If you get into intelligence within the military or law enforcement, it's a different story, but in the private sector it's really five risk impact. So you have brand impairment right, it's a long tail, sort of difficult to measure that sometimes. You have operational disruption, obviously very important with ransomware. You have a legal or compliance failure, which I would say is probably the most relevant and impactful, regardless of industry as a motivator. You have competitive disadvantage, right, which is, hey, there's someone in our network and they're stealing intellectual property or information that can be used to harass in the future competitively. And then the fifth category is financial fraud, and that's really obviously these days you see a lot of that. There's this thing called compromise. There's a ton of attacks that are improving, the efficacy of attacks are improving because of generated AI, and a lot of that leads to financial fraud.
Speaker 1:But all cyber events, regardless of what they are, lead to one of those five risk impacts, and I think it's been really helpful for our clients as well.
Speaker 1:When you sort of talk about, well, what are the intelligence requirements, if you sort of understand the risk impacts that are most relevant to business first, then it really helps you frame and contextualize what you're doing in your intelligence program or you're doing any security program, because not all risk impacts are equal. Generally speaking, most businesses care about one or two, sometimes three, risk impacts and less about the others. And so, for example, you're in financial services, you care deeply about a legal or compliance failure, right, you have to pass your audits, like that's a given. So there's a lot of things that flow out of that right when you understand that that's your number one risk impact that you need to solve for, and then you can sort of map into what are all the various scenarios right on the cyber side that trigger that particular risk impact that ultimately cause loss Shouldn't this be like very much ingrained into everybody that has like security in their titles.
Speaker 3:Almost you know I couldn't agree more.
Speaker 1:It's hard, right, it really is hard, I think, sometimes to up level the business to the business and I think when you understand the risk impacts, it's just a lot easier to sort of think through how you're going to prioritize your resources right as a security team, and I think that's really helpful. So I'm super passionate about evangelizing the ideas and you know it's not a big book, it's a quick read, you can probably read it in a couple hours. But I really am passionate about the ideas and I think that they will help you if you're responsible for any part of security program and even if you're just a practitioner in the trenches, hands on keyboard. I think it also helps you to better understand like this is how we're going to connect to the business. This is how we're going to tell our story.
Speaker 3:Yeah, and that's one thing we all, that's one thing that security is failing at is connecting to the business right, and this is like a very, very simple, easy way to do that. So that was our first lesson learned. So thank you for that and thank you to Ferry for enlightening me of that book.
Speaker 3:Nice. But what I wanted to talk to you today, a couple things. The reason I sent you a message I'm not sure what I was doing when I sent you that message, but you know everybody and their mothers using chat, gpt and bar these days, right, and I remember the client. The client is very like complex, they do a bunch of different stuff. They're all over the place, right.
Speaker 3:So they brought, they bought a tool and then they were like, okay, too much information in the tool, we try another tool, too much information, another tool, the contact demonic. Can't you just read all these tools and figure out what we need to know and help us to like communicate that to the business? Yeah, okay, so we do that. And then you know that goes back and forth. Then at the end of the day then the business was just like they're not even reading it, you know. So then that that all just gets thrown to the side. And now we're. I had this conversation with that same exact client a few weeks ago, because we're now we're talking about, you know, these language bottles. If you had a chat bot and on top of record of future or Drago's with that, that would kind of eliminate the need for a mnemonic, as long as you have an analyst that knows what they're doing on on the side of the chatbot, right? Is that something that you talked to your clients about? Do you have a chatbot as a part of your product these days?
Speaker 1:We do. We do so. We were actually one of the first to integrate GBT into Recording Future, into the platform. So the first evolution of that was we have intelligence cards in the platform. That's really a summarization of a lot of information, and GBT did just beautiful summaries of massive amounts of information and the great thing about it was we were including traceability into the results, and so when you pull up an intelligence card, whether it be on an actor or a TTP or some geopolitical situation, you get this AI-produced summary that had footnotes and each of the footnotes sort of gave you where it originated from, which was just super helpful.
Speaker 1:And then we just launched, two months ago, basically, the chatbot that you were referring to, which is the second evolution, which is the back and forth dialogue, obviously based on the corpus of knowledge and cybercourt future, and I think it's obviously a work in progress and I don't think it's ever done, but I think it has been helpful for our clients because it saves analysts and particularly just a lot of time. I mean, there's no doubt about it and I don't think you're necessarily going to replace humans to your point, but I do think it becomes an absolute necessity. It's not a nice to have. It's an absolute requirement now.
Speaker 3:Just because, then, the sheer amounts of information that are in your platform are. Have you heard any feedback from your customers about it?
Speaker 1:So I haven't heard I mean I have not directly heard from our clients. I know other folks who have recorded future have and there's been a lot of positive feedback on it, both the first iteration and the second iteration. I think there's still a little bit of trying to figure out, as various companies and various industries trying to figure out what can we use, what can we not use, what is OK for input on the privacy concerns. There's obviously a little bit of trying to figure out the mechanisms and is there a DLP component to this to make sure that we're not giving proprietary information to an AI that could lead to somewhere?
Speaker 2:else.
Speaker 1:So I think there's still a little bit of caution out there, but I think it's sort of like cloud computing over a decade ago where people were like we can't move our data to the cloud and now it's ridiculous to do anything, but we do data to the cloud for all kinds of reasons. I think we're going to run through some of that same evolution with Jared, ai and the LLMs, but yeah, I think the early signals that were very positive.
Speaker 3:Yeah, because I could see it being like if I was working in a company, if I was one of those individuals that had my five risk categories mapped out, then I would really easily be able to use that platform to be like, ok, how does what's going on in the world apply to my, and go back and forth. And that would be accomplished in a much quicker way than it would be to go through some analyst in a company that needs to read through all the data, and at human speed, I guess.
Speaker 1:Yeah, absolutely, and I think a lot of. We have some brilliant people in Gothenburg where one of our offices is that work on the AI piece, but then we also have a risk team inside of INSICR and they're just trying to keep up with the least developments in terms of what is available, what are the capabilities and a lot of what we spend our time on. We actually we sort of call it the so what, the now what, the then what, which is all these events happen on a daily basis, but what is the applicability to the business? What is the applicability to an organization or an industry in terms of second order implications and really a second order of non-obvious implications?
Speaker 1:And I think right now, if you work with GPT-4, it will give you implications. So it'll do a great job of summarizing implications from a geopolitical event, from a cyber event, but it's not really going to give you the non-obvious just yet. In future iterations it may, but I think, to your point, it's going to help you IDE and maybe give you 60%, 70% of what you're looking for on the second order implications, which is like what does this mean for our business and what are we not seeing? What are we not thinking about in terms of second or third order implications. So it's not necessarily going to give you, but it is absolutely going to help you in the process of thinking through those elements.
Speaker 3:Can you give me an example of a second, third order implementation implication?
Speaker 1:Yeah, absolutely so, the one I talk about. All the time I think it was about 18 months ago now recorded features in secret put out some really good reporting on how Chinese threat actors had embedded shadow pad implants inside of India's power grid. And this was basically right after a physical escalation that happened in the Himalayas, right on the China-India border. And right after that happens we started to observe the shadow pad implants. It started in the north of India, but basically by the time they were done, they had infiltrated most of India's power grid and the substations that we were able to locate, the actual physical substations that they had implanted into, probably for just pre-positioning, and so we saw that traffic between implant and controllers. And so you look at that as a Western business, right, let's say in North America. You look at it and you say, wow, okay, well, there's all kinds of interesting sort of technical details in the reporting here. You can see how the implant works, we can see a communication, we can see, obviously, that China has a real interest in the pre-positioning here. But again, we're not in the public sector, right? We're not in the military, we're not in a police organization. We work for an enterprise, right? So why does the enterprise care about what's going on in India?
Speaker 1:We say a second order implication is do we outsource IT call centers in India? Do we have developers that work in India? Do we have any sort of vendor supply relationships that come out of India? And if the intermediate that's yes, then the following questions have to be do we understand the impact if China decides to turn out the lights in India? And this was two years ago, right, I'm not saying present tense, but two years ago roughly, when you're analyzing this? Do we understand the impact to our business, our organization, if we have vendors and suppliers that we rely on? We no longer have power in India? Do you head back generators? Have we diversified some of our risk geographically, right? Should we think about having additional capabilities in other parts of the world? And there's, like, have you done a tabletop exercise? I understand this, right. There's all sorts of very hard crunchy takeaways that you call that's a second order implication for the enterprise, right?
Speaker 1:I would give you another one. Like, we recently have seen Russia compromising various telecommunication networks and embassies around the world, mainly in Europe and the Middle East, the moment. And again, right, you look at it as a sort of you know pure analyst that comes out public sector, you go oh, it's very interesting. You know TTPs that Russia is using. We can, you know, analyze all of the technical details? It's very interesting and relevant for our defenses, of course, right.
Speaker 1:But there's also this other point of if your business, if your enterprise is engaged in doing business in those parts of the world where you're trying to expand into those parts of the world and China does this in Africa, actually, you have to be very careful about emailing embassies, right, anything regarding your business plans, anything regarding, you know, future, future work or expansion, or anything that you're doing sort of in coordination with a foreign embassy. You have to sort of understand that those communications are probably being intercepted and there's a foreign government who's now aware and maybe positioning themselves against you and you may have no idea about that as a business, right. So that's sort of what we say is a second order implication, and if you get to a non-obvious second order implication, it's extremely valuable, right, interesting.
Speaker 3:Yeah, those examples used I am. There's probably somebody in the business that would have thought about you know, oh yeah, like, if it has to do with India, they would have immediately thought, oh, that's important for us. But the security team would not have necessarily thought about that, right Interesting. By the way. How does Record of Future get all this intelligence? How do you know, like, how would you know that things are going down in India's power grid or that Russia is infiltrating these embassies? You know?
Speaker 1:So we collect a lot of different types of data, everything from you know non-structured data in you know criminal forms to you know open sources, like you know code repositories and telegram channels and so forth, and then on the technical structured data side, we collect a lot of different types of data. At Salaatchi. You know everything from passive DNS to malware, metadata. We actually acquire a company that does sandboxy and there's other types of technical telegram that we collect that help us with that disability and we put it all together. So it's not I won't get too into the weeds, but those are sort of the high level how you guys are buckets of data that we collect and process.
Speaker 3:Yeah, because usually, like that sort of information comes available from like a stock vendor or something you know, mandian comes, the Indian the power plant calls, mandian says hey, come tell us what happened, and then, but that you're actually doing this collection on your own, through your own means and putting it together there. I guess it's a secret sauce of what you do, I guess.
Speaker 1:Yeah, and you're right to your point. You know we don't do IR, we don't do instant response, we're not on site and we're not an EDR vendor, but we do have midpoint telemetry and we do. We do have a lot of visibility from different technical data sets and you know the way that we put those together and the analytics that we create are pretty impressive. And I'm still sort of blown away by it, to be honest with you, because we I think we've created something pretty special.
Speaker 3:One day I help on the client so I get to sit in that sales meeting and get the juicy details. But one thing I want to ask why you're here is, like I'm sure you've noticed, there's a lot of companies saying they're doing dark net monitoring. Right, it was like I was at a FSISAC event, fsisac summit in Europe and there was literally like eight different intelligence companies there talking about like how they you know yeah, it's all we have the best analyst and the other speaker Russian and kind of thinking like how many are there really like dark nets out there where the bad guys are actually planning things anymore, because there's so many companies that have infiltrated them? Can you just give me like a status of like where that space is? How much of the companies are bullshit out there? How's this actually working?
Speaker 1:Yeah, that's a great question. It's a really good question because I was doing this in English criminal communities 20 years ago at Secret Service and obviously there's been a lot of evolutions in terms of the way that threat actors communicate, from IRC and peer forums to larger migrations to telegram right and different mechanisms for communication. But at the end of the day, you're right, there's a component of anonymity that threat actors obviously use, but then law enforcement and private sector uses as well, and I think you look at organizations over the years Intel 471, who do this very well in terms of just the human sources, and it's hard to know because at the end of the day, there are a lot of threat actors still making money selling unauthorized access and there's a lot of threat actors that still make real money on selling malware and malicious code. The Info Stealer market is super hot right now. There's subsidiaries, there's affiliates, there's these entire ecosystems of threat actors that are involved in these ecosystems and I think to some degree there's an awareness that quote, good guys are infiltrating the community and that's just kind of the cost of doing business right, and I think for a lot of them, depending on the country they reside in, they don't worry about it a lot because they're either not worried about extradition, they're never going to leave that country. There's a lot of ways that threat actors probably dismiss the infiltration component of it, but I agree with you as well that they probably are not as open in their communications anymore with each other because they've read too many indictments right, particularly out of the US. They just read too many indictments and they understand how it all works and they know that once law enforcement is able to get to one member of their community, that means the entire community is out compromised and they're never going to know. So I think they're smart enough and they're aware enough to understand that, but I think the economic opportunity is too great to turn down. It's actually interesting.
Speaker 1:We have a lot of data from Infostealer malware, which is how a lot of organizations are compromised these days. If you look at some of the big headlines of late, like in Las Vegas, where ransomware groups have been successful, a lot of that starts with stolen credentials, and those credentials oftentimes come from these Infostealer malware families like Red Lion, adar and so forth. But it's really interesting because bad actors also infect themselves, either knowingly or unknowingly, with the same Infostealer malware, and so we actually see them sometimes logging into known malicious resources. It's interesting because the volume is really incredible. There are thousands and thousands of authentication events to criminal forms, to other types of tools and resources that threat actors use, and it's spread throughout the world I mean you literally I think I ran the analytics the other night was like over 160 countries, like IP addresses from over 160 countries that were logging into malicious resources that were captured by Infostealer malware.
Speaker 1:It was super, super ironic at the moment, but it just gives you a taste of the volume of threat actors, and so I'm giving you a very long-winded answer to your question. But I think the bottom line is the economy for criminal goods and services isn't going anywhere and, at the same time, they understand that there's risk in the communities.
Speaker 3:Is it because they're so distributed, Like they have an industrial access broker? It's like the community is so dispersed and there's so many different small groups that you kind of have to have it open to make the system work. So that's you just. It's a cost-of-doing business, like you said, like it's just an acceptable risk.
Speaker 1:Yeah, exactly, I think if you're a higher tier or an actor meaning you're established and you sort of have a role of dex, of actors that you work with, that buy your criminal goods and services then you probably interact less because you start to move to the side of the spectrum. That's more about managing risk of attribution. But if you're not well-known and you're just starting out, then you can't afford to not be in those communities. Then you have to build your role today. So it's where do you fall as a threat actor on that spectrum? But I would say the older actors that have been around, that have great goods and services, they're able to interact less, I would say.
Speaker 3:Right, yeah, because they have the pondice of their status. I read it as something today by Rick Ferguson. He said that ransomware is dead, everything is going to. Yeah, you catch this drift, do you agree? Ransomware is dead. They're just going to steal your information and if it's not encrypted, you're fucked. Basically.
Speaker 1:Yeah, I mean, I know, so it's very.
Speaker 3:I summed it up a little bit, but yeah.
Speaker 1:It's a little bit reductionist, but I agree with where the sentiment's going there, which is obviously organizations are catching on. They're investing heavily in resilience and maybe not city-needable governments, but in the private sector I think it's safe to say at the enterprise level there's been a huge resource investment in resilience. So if they are hit with ransomware, they understand exactly how long it will take them to restore from backup. They understand whether they're going to negotiate with the actor or not. They've done tabletop exercises, they've brought in external parties, they've studied it five ways a Sunday, and I think that's true.
Speaker 1:And so I think a lot of what we've seen over the last year, maybe 18 months, is that more of these ransomware groups are moving away from that pure.
Speaker 1:We're going to encrypt your data to now, of course, we're going to steal your data and we're going to use the threat of a legal or compliance failure to get you to pay up. So you come back to the five risk impacts. Again, legal or compliance failure is the one that has a lot of teeth when you think about unit of fines, whether it's GDPR, whether it's through the FTC or the SEC in the US. Looking at some of the evolving legislation in the EU IS-2, dora. What's interesting is, all of a sudden, these ransomware actors have become legal stallies and they understand the regulatory regimes that these enterprises are operating in. And they are, of course. There was this big story a week or two ago about how a ransomware group reported a victim to the SEC proactively, which is just sort of I mean you have to chuckle a little bit just the absurdity of it, but at the same time it's a real thing, right?
Speaker 3:Makes sense, let's shit them in.
Speaker 1:So I think what he's saying is ransomware, in terms of the primary objective, is changing right and they understand the regulatory regimes, especially around data privacy, are only going to be increasing and evolving across different geographies and once they understand what regulatory regime you operate in, they're absolutely going to go after you and I think, for a lot of our clients. In talking to them about this. I was actually talking to COO in the UK last week about this and we had a great conversation and we were talking about okay, here's the threat, what kind of risk does it actually represent to the organization Based on the controls they already have in place? And we were talking about the fact that all of their data is not encrypted right.
Speaker 1:And then you talk about what kind of encryption Right Application model and encryption is at disk encryption and then it becomes a broader scope project right, of course, around data classification, which is, do we actually understand all the data in our environment first, and then, once we've done that successfully, then we can sort of figure out what absolutely needs to be encrypted at rest on disk, whether it's PII, phi, whatever category label you want to put on it. But it takes. Those projects absolutely take on new urgency. In the way that RanchWord table top exercises were happening a year ago, it's now in data classification and encryption questions Interesting.
Speaker 3:Yeah, I think his point, and I apologize, rick, if you're listening to this. I didn't mean to misuse your words, but I think his point it was like encrypt, right, like I think he asked a question like, if you do, if your data gets stolen but it's encrypted, do you get a fine Like? I think the answer is no. I'm not really sure.
Speaker 1:But interesting question you could ask a RanchWord actor. I'm sure they have a courage and response for you.
Speaker 3:Right, exactly Since they're legal scholars. Do you have any closing thoughts, anything that you are going to use a little bit of your time on moving forward that you find interesting, especially interesting?
Speaker 1:That's a tough question. There's so much that's interesting. I mean, obviously we talked about AI. I think you know generally AI in LA. That is just fascinating. Right now I was actually speaking to a group of CISOs on this topic and I do think there's a lot of challenges with it in terms of, you know, do your defenders have the same capabilities? Right, are they able to access the same resources as adversaries start to use generated AI across text and images and voice and video and code? Are your defenders using the same capabilities? Are they able to access the same capabilities? Are they able to model offensive scenarios? So, watching the development there, I think you know it's a daily thing. Now, you know, when you think about how do you retrain users? Right, I mean, everyone does security training on phishing, for example. But how do you go back and redo training, right for your organization that you know the quality and velocity of social engineering you're phishing, you're smishing, is so much better, right, how do you help your organization and people in the organization to better understand what's possible? Right?
Speaker 1:And then, you know, do you sort of just assume breached, Do you just sort of assume that there will always be humans that are the weak point and you're going to invest more in detection and remediation? Right, you get a group of CISOs together. There's obviously startups in the space right that are trying to come up with solutions for you know, identifying deepfates and so forth. But it's a big problem, like it's a big, big, challenging problem and I think it will continue to be for a while. So that's a really interesting space. And then I think the other interesting space is just third and fourth party risk. When you talk about legal compliance failures. Again on third and fourth party risk, it's very difficult for organizations to get their hands around the complexity of it. That's another one. Like there's no silver bullets. They're very challenging problems. So that's kind of the space that I've been thinking about and been focused on. But there's plenty of fun, plenty of challenges, right. What about you? What are you working on?
Speaker 3:Uh, samo, trying to help clients convince their management and their boards that a security is worth investing in. At least that part of the equation has gotten easier. Right, I really like your five risk categories, pillars that's going to be something I tell everybody, along with your book, so that part of the job's gone easier, but it's uh. But how do you?
Speaker 1:So I'm curious about that. Like when you talk to them like where is the point of diminishing returns Right? Like where is the point at which they feel confident in the level of investment, because they don't, you know, and you can't take risk to zero of course? Like where how do you help instill profitids in them that you know they're investing correctly and timing their investments correctly to match, you know, their risk altitude?
Speaker 3:You know what I feel like this is very much, um, depending on the client, depending on the personality, the person you're talking to. Some of the like, the more senior ones, are just like hey, at the end of the day, this is not my risk. It's my responsibility to communicate the risk, but it's their responsibility to accept it and do something with it. But where's the younger ones? They're all like, just like, really stressed all the time and Because nobody knows if they're right or wrong, right, if you're talking to demonic and buying something, if we do our job, nothing happens, but nothing happening. I'm not sure if that's a good thing or if it's a bad thing for them. So it's like, uh, yeah, it depends on the personality, it depends on, like, the sort of standing they have internally.
Speaker 3:It's always interesting. It's just a bunch of politics. I feel like at the end of the day, it's literally internal politics. But it's really nice to have, uh, when your colleagues come to you and say, hey, was this a good investment? And you could actually say, well, it made sense at the time. Because this is what we're dealing with and, like I think you said at the beginning of this conversation, it's the um, it's the understanding of risk at the end of the day, and it's a conversation the stories that you're able to tell. If that story works and they can relate to it, then it works. Then you did your job for that part Right. And then, uh, quantifying risk. I don't think anybody I've never met one on this side of the world that actually went down the route like quantifying risk. Um, really difficult, sure, sure.
Speaker 1:It's interesting Because you know we I think you still talk to CISOs, you know, who run into sort of a brick wall when they're trying to create that coalition. Uh, you know where they need more resources and there's still a lot of that sediment of well, it hasn't happened to us yet. And then once it happens, then all of a sudden the flood gets open and it's, you know, like checkbook, but it's, you know, it's obviously this interesting paradigm that the security insurance has been dealing with for a while at the time and stuff can do, but it's still, you know, for a lot of companies it's still, you know, sort of at the executive board level, uh, there's a divorce for reality, right, until that, until that event happens, like you said, and the absence of an event is intangible. But you know, as soon as there's a ransomware attack that's successful, then you know the entire paradigm changes. But why couldn't it be a proactive solution?
Speaker 3:Yeah, and I also feel like just the way that people are compensated, like the board members and, you know, senior leadership, they're not going to be there for more than four or five years anyway. If they're younger, you know, if they're like really successful, if they're like a money hungry CEO, like they don't care, they're not incentivized to care about security. So there should be somebody else that actually does care and that's just simply not in place.
Speaker 1:Yeah, that's a great point actually, because obviously the incentives are on profit margins, like that's a great point right before that was in bond. It was interesting to your point that we were talking about CISOs at our conference predict Two weeks ago in London. We were talking about the SEC's action on individual solar winds, right, and how it sort of created ripple effects in the CISO community. And you know, I was talking to a friend of mine who used to be at a financial services company in Singapore, senior guy. He was saying Singapore, you're personally liable on the book, right, but if there's a breach and you're deemed to have been insufficient in solid capability or capacity, you're on the hook. To the point, you know you could go to jail for a couple years and you're not allowed to have personal liability change.
Speaker 1:And so it's interesting because, yeah, what you're saying in terms of you know the executives at the top, there's that dynamic in terms of their incentives. And then you have the CISO incentives and CISOs are typically their 10 years, like 18 months to 36 months, right, and their incentive lovers are also a little bit different. But when you throw in sort of the personal liability component to all this, like CISOs are vastly underpaid. Number one, you know. Number two the requirements to take the role for a senior enterprise in the future is probably going to change.
Speaker 3:But something's got to happen because it's. But then again, after I know I've been doing this for so many years the amount of companies that just get off the hook, for I'm not sure if it's lucky, or you know a lot of companies. They don't invest and nothing happens. So I guess they won, you know, and that's since. We're good for them. But then you have those that didn't and it doesn't. So it's a but, yeah, a lot of politics. That's what I'm, that's what I meet very often. So it's helping. Helping somebody make a good story that somebody else on the other side will nod their head to and be able to sign off on.
Speaker 3:I'm not sure if that's exactly it, Mr Gunder. Thank you for your time. I appreciate it. Sorry about the camera, but I don't think you care about that. You look great either way.
Speaker 1:This mug was made for Radio Robbie. I appreciate the time then.
Speaker 3:It was great catching up A radio face. I like the shoes in the background. Cool Hi from Ferri, and we wish you happy holidays.
Speaker 1:Likewise, likewise. Talk to you soon.
Speaker 3:Thank you Bye.