1
00:00:07,630 --> 00:00:11,330
Welcome to Hard Problems, Smart
Solutions, the Newfire podcast, where

2
00:00:11,330 --> 00:00:14,700
we explore complex challenges and
innovative solutions with leaders in

3
00:00:14,700 --> 00:00:16,190
the healthcare industry and beyond.

4
00:00:16,830 --> 00:00:19,900
I'm Will Crawford, Head of Advisory
Services and Chief Technology

5
00:00:19,900 --> 00:00:21,290
Officer at Newfire Global.

6
00:00:21,840 --> 00:00:23,180
And your host for today's episode.

7
00:00:23,410 --> 00:00:27,140
In each episode, we engage with
top innovators and decision-makers,

8
00:00:27,159 --> 00:00:29,740
talking about some of the
toughest issues across industries.

9
00:00:30,030 --> 00:00:33,139
So whether you're here for fresh insights
or to learn from the best, you're in

10
00:00:33,150 --> 00:00:34,379
the right place, and let's dive in.

11
00:00:39,179 --> 00:00:42,869
So today, I'm thrilled to welcome
Laura Louthan, founder of Angel

12
00:00:42,869 --> 00:00:45,420
Cybersecurity and a seasoned virtual CISO.

13
00:00:45,940 --> 00:00:50,030
Laura specializes in risk assessment,
IT compliance, and innovative

14
00:00:50,030 --> 00:00:51,830
information security strategies.

15
00:00:52,140 --> 00:00:57,110
She has over 15 years of experience
and some really notable roles at major

16
00:00:57,110 --> 00:00:59,849
companies like Sephora and Equifax.

17
00:01:00,129 --> 00:01:04,110
Throughout her career, she has
successfully built secure, compliant

18
00:01:04,120 --> 00:01:08,350
infrastructures, managed third-party
risk, and crafted effective and

19
00:01:08,350 --> 00:01:10,310
budget-conscious security solutions.

20
00:01:10,780 --> 00:01:15,019
We've gotten to know Laura here at Newfire
over several years while collaborating

21
00:01:15,030 --> 00:01:16,770
with her and with some of her clients.

22
00:01:18,170 --> 00:01:21,450
So, I once had an entrepreneur tell
me that they wished they'd invested

23
00:01:21,450 --> 00:01:24,210
more in security and compliance
when they were just starting out.

24
00:01:25,025 --> 00:01:28,065
Uh, but he also said that all
the companies that did make that

25
00:01:28,065 --> 00:01:29,805
investment didn't actually make it.

26
00:01:30,795 --> 00:01:34,055
Uh, so when, like, when building
a company, every decision is

27
00:01:34,055 --> 00:01:35,845
about maximizing your resources.

28
00:01:36,415 --> 00:01:40,045
Uh, so today I wanted to talk with
Laura about how you can maximize the

29
00:01:40,054 --> 00:01:43,785
impact of your security program, uh,
without spending a fortune or at least

30
00:01:43,805 --> 00:01:45,055
without spending a fortune at first.

31
00:01:45,945 --> 00:01:49,995
So today, we're going to discuss
how businesses can approach security

32
00:01:50,035 --> 00:01:54,075
challenges creatively and effectively
even if the budget's a little restricted.

33
00:01:54,375 --> 00:01:56,125
Uh, Laura, welcome to the podcast.

34
00:01:56,255 --> 00:01:56,935
Thank you.

35
00:01:57,175 --> 00:01:58,405
I'm looking forward to it.

36
00:01:58,585 --> 00:02:02,684
So, data security in healthcare is
an increasingly complex challenge.

37
00:02:02,975 --> 00:02:07,565
Organizations are constantly trying to
balance protecting patient information,

38
00:02:07,895 --> 00:02:13,295
being regulatorily compliant, uh,
but also facing a very, uh, adaptive

39
00:02:13,295 --> 00:02:15,165
and complex, uh, risk landscape.

40
00:02:15,895 --> 00:02:18,865
Uh, but before we dive into all
of that, can you just tell us a

41
00:02:18,865 --> 00:02:20,125
little bit more about your work?

42
00:02:20,125 --> 00:02:24,005
And what's your mission, and what
drives you to help organizations tackle

43
00:02:24,005 --> 00:02:25,115
some of these security challenges?

44
00:02:26,144 --> 00:02:31,325
Sure, so I have been a vCISO now, so
virtual CISO or fractional CISO, however

45
00:02:31,355 --> 00:02:34,725
people want to call it, for, it'll be
eight years, uh, this coming April.

46
00:02:35,425 --> 00:02:39,305
And, so I started doing that
in 2017, and I was in, uh,

47
00:02:39,305 --> 00:02:41,635
full-time in security since 2011.

48
00:02:41,675 --> 00:02:46,909
And then, I was in IT before that for
really, uh, uh, very many, very many years

49
00:02:46,909 --> 00:02:49,670
going into the previous century, which
is just weird to say, but there it is.

50
00:02:50,200 --> 00:02:54,320
So I've been in the tech world for
a long time, um, and I really do

51
00:02:54,360 --> 00:02:59,670
like being in the virtual CISO world
because we probably all know people

52
00:02:59,670 --> 00:03:03,070
that work in big organizations, big
organizations that both need and can

53
00:03:03,070 --> 00:03:04,880
afford full-time security people.

54
00:03:05,329 --> 00:03:09,600
But there's just this huge, there's a
plethora of these small organizations

55
00:03:09,600 --> 00:03:13,679
that hopefully know they need security,
or at least if they don't, I will tell

56
00:03:13,679 --> 00:03:15,079
them they probably need some security.

57
00:03:15,519 --> 00:03:18,720
And, you know, there's a real
opportunity to right-size the amount

58
00:03:18,720 --> 00:03:21,950
of security you give to people, so
that it's not more than they can take.

59
00:03:22,350 --> 00:03:25,390
And I would say that's probably one
of my approaches is to make sure that,

60
00:03:25,450 --> 00:03:29,510
that you're only giving people as much
as they can stand, and that's both from

61
00:03:29,510 --> 00:03:34,910
a budget standpoint and also a kind
of culture standpoint and just being

62
00:03:34,910 --> 00:03:36,970
pragmatic about what's a possibility.

63
00:03:37,010 --> 00:03:41,000
Because there's absolutely no
point in trying to boil the ocean

64
00:03:41,010 --> 00:03:42,360
if you're a small organization.

65
00:03:42,930 --> 00:03:46,759
I've been doing, uh, so with the
vCISO thing, what I do is I'm

66
00:03:46,800 --> 00:03:50,050
typically there to build a security
program in some shape or form.

67
00:03:50,460 --> 00:03:54,179
So there's either no security
or little to no security.

68
00:03:54,179 --> 00:03:57,740
There's probably nobody in the security
team, no full-time security people.

69
00:03:58,329 --> 00:04:02,209
There's probably some poor soul who's
been given the job of being the primary

70
00:04:02,209 --> 00:04:05,799
security person and is probably on the
paperwork as the information security

71
00:04:05,799 --> 00:04:12,410
officer and is likely in charge of the
tech in one of the areas or is the best

72
00:04:12,410 --> 00:04:15,799
software engineer that knows the most
about security or whatever it might be.

73
00:04:16,260 --> 00:04:17,079
It could be anyone.

74
00:04:18,000 --> 00:04:21,889
And so what I will do is work
with everyone in the team.

75
00:04:21,889 --> 00:04:25,839
So work with the businesses, uh, the
business leaders and work with the

76
00:04:25,839 --> 00:04:29,669
leadership and work with the technical
teams, work with the HR teams if they

77
00:04:29,669 --> 00:04:32,799
have them, and again, a lot of my
clients are not big enough to have HR

78
00:04:32,800 --> 00:04:35,900
people either, and just help set them

79
00:04:36,180 --> 00:04:40,365
on a path to becoming more secure,
because no one is ever completely secure.

80
00:04:40,705 --> 00:04:43,005
A lot of people are probably
completely insecure.

81
00:04:43,375 --> 00:04:47,255
And so just getting from one
end to closer to the other end

82
00:04:47,255 --> 00:04:49,025
is, is where I head typically.

83
00:04:49,885 --> 00:04:53,925
So, what advice would you have
for, I mean, and I've been that

84
00:04:53,925 --> 00:04:58,255
person who became the security
officer, whether he liked it or not.

85
00:04:59,284 --> 00:05:02,055
What advice would you have for
people who are in that role?

86
00:05:03,195 --> 00:05:06,244
I mean, obviously I'm selfishly
going to say is that you shouldn't

87
00:05:06,294 --> 00:05:08,755
try and do it all on your own.

88
00:05:08,854 --> 00:05:12,155
A little bit like with, you know, Newfire
and obviously we've had, uh, mutual

89
00:05:12,155 --> 00:05:15,994
engagements where people have said we
don't have the right software engineers

90
00:05:15,995 --> 00:05:20,094
or the right DevOps people, we're going
to look to people that can provide us

91
00:05:20,134 --> 00:05:23,185
with that expertise that's not us, right?

92
00:05:23,204 --> 00:05:26,935
And so, if somebody knows it's
not them, that's actually a really

93
00:05:26,935 --> 00:05:28,305
great place to start, right?

94
00:05:28,305 --> 00:05:29,785
If you know it's not something you do.

95
00:05:29,855 --> 00:05:31,505
I do not fix my own car.

96
00:05:31,555 --> 00:05:35,415
I probably could tinker with it and
break it worse, but it's not practical.

97
00:05:35,845 --> 00:05:38,925
And so, you know, there are
a lot of vCISO organizations.

98
00:05:39,045 --> 00:05:43,075
Um, there are a lot of IT outsources
that do things like typically

99
00:05:43,075 --> 00:05:46,805
look after laptops and stuff that,
and a lot of software vendors

100
00:05:46,805 --> 00:05:48,895
that are selling vCISO services.

101
00:05:49,215 --> 00:05:53,614
I think I probably have mixed opinions
about those, but there's a lot of people

102
00:05:53,615 --> 00:05:58,805
out there that, that the thing that is
a vCISO is becoming much more common now

103
00:05:58,805 --> 00:06:00,415
because there's a great market for it.

104
00:06:00,835 --> 00:06:02,205
People need a little bit of us.

105
00:06:02,235 --> 00:06:03,565
They don't need a full-time us.

106
00:06:03,905 --> 00:06:08,505
And so they can reach out to a trusted
partner or a trusted colleague or somebody

107
00:06:08,515 --> 00:06:11,814
that says and say, have you ever reached
out to someone for a little bit of help?

108
00:06:11,815 --> 00:06:13,895
And then they can start
that process from there.

109
00:06:14,825 --> 00:06:18,215
So, within the healthcare space, I
mean, is there anything that you've

110
00:06:18,215 --> 00:06:21,015
worked with a lot of healthcare
companies, as do we here at Newfire.

111
00:06:21,489 --> 00:06:25,169
What sets those organizations apart,
and maybe the flip side of that

112
00:06:25,169 --> 00:06:26,090
is, what doesn't set them apart?

113
00:06:27,630 --> 00:06:29,969
Obviously, the first thing you think
of when you think of healthcare

114
00:06:29,969 --> 00:06:32,599
is you think of patient care.

115
00:06:33,169 --> 00:06:34,759
But it isn't always that, right?

116
00:06:34,759 --> 00:06:36,269
There's a lot of healthcare adjacent.

117
00:06:36,280 --> 00:06:41,730
So they may be providing tools to then
sell on to healthcare organizations, so

118
00:06:41,730 --> 00:06:43,260
they're not providing direct patient care.

119
00:06:43,260 --> 00:06:45,380
They may be providing direct patient care.

120
00:06:45,829 --> 00:06:50,770
But ultimately, what, what they're all
going to have in common, most likely, is

121
00:06:50,790 --> 00:06:54,800
that they're going to be having to deal
with protected health information or PHI.

122
00:06:56,515 --> 00:07:00,665
They're probably also, uh, particularly
in America, going to have in common

123
00:07:00,675 --> 00:07:04,885
these large payers as the covered
entities who are going to sign them

124
00:07:04,885 --> 00:07:09,385
up with a contract that says you are
taking appropriate care of the PHI to

125
00:07:09,385 --> 00:07:14,054
meet all of these regulatory frameworks
or best practices or whatever it is.

126
00:07:15,215 --> 00:07:19,985
So what they have in common with
each other is the PHI problem.

127
00:07:20,015 --> 00:07:24,445
What they have in common with all
smaller organizations is there's

128
00:07:24,455 --> 00:07:27,595
some data security that needs
to happen of some shape or form.

129
00:07:27,595 --> 00:07:29,954
And actually, when you look at
something like HIPAA frameworks,

130
00:07:29,955 --> 00:07:32,964
the HIPAA compliance framework
is not a particularly high bar.

131
00:07:33,205 --> 00:07:36,385
I mean, arguably, you have to take
better care of credit card data,

132
00:07:37,075 --> 00:07:41,140
which it sort of doesn't make a
lot of sense, not in all respects.

133
00:07:42,750 --> 00:07:47,480
They are going to be held to a high
standard by their ultimate customers.

134
00:07:47,529 --> 00:07:50,940
And for my clients, I'm typically
working with B2B clients.

135
00:07:51,689 --> 00:07:55,340
So they're going to be held to a
high standard by people who won't

136
00:07:55,369 --> 00:07:59,300
really accept much leeway in the,
listen, we're not doing it now, but

137
00:07:59,300 --> 00:08:01,500
we will be, we promise in six months.

138
00:08:02,130 --> 00:08:05,460
So for the small organizations that
are starting out, really the sooner you

139
00:08:05,460 --> 00:08:10,320
get your security staff in place, the
easier those conversations are going to

140
00:08:10,340 --> 00:08:13,640
be with those big potential customers.

141
00:08:14,050 --> 00:08:18,189
And maybe to go a little deeper on
that, so what's worked well for you

142
00:08:18,240 --> 00:08:22,310
supporting your customers in that
sales cycle with those B2B customers?

143
00:08:23,059 --> 00:08:28,132
I think one of the advantages that I
have over possibly internal experts they

144
00:08:28,132 --> 00:08:31,920
may have at the organization is that
I've been on both sides of the coin.

145
00:08:32,320 --> 00:08:36,950
I am for them asking their potential
vendors the security questions and

146
00:08:36,950 --> 00:08:41,169
doing the due diligence and just seeing
if the report passes the sniff test,

147
00:08:41,169 --> 00:08:43,960
and you know, there's just like with
everything else, there's a certain

148
00:08:43,960 --> 00:08:46,470
amount of due diligence you do if
you're a very small organization.

149
00:08:46,470 --> 00:08:49,790
And if you're a very large, very regulated
organization, you're probably going to

150
00:08:50,339 --> 00:08:55,440
take a little bit of a heavy hand with
it, but just someone really understanding

151
00:08:55,729 --> 00:08:59,910
why the question is being asked,
because I've also asked that question.

152
00:09:00,270 --> 00:09:04,470
And so understanding the intent behind
the question and then understanding

153
00:09:04,470 --> 00:09:07,469
what's the best way of getting my client

154
00:09:07,695 --> 00:09:11,344
to meet the intent, which is
ultimately being around being secure,

155
00:09:11,405 --> 00:09:12,785
but there's various levels of that.

156
00:09:13,245 --> 00:09:17,534
If I just pick a sort of very lame
example, there's a question, let's

157
00:09:17,534 --> 00:09:21,365
say, that says, all your hard drives
must be encrypted in your laptops.

158
00:09:21,805 --> 00:09:23,464
So everyone says, okay, yeah, Rob, fine.

159
00:09:23,465 --> 00:09:25,074
Well, we'll roll out a
tool and we'll do that.

160
00:09:25,075 --> 00:09:26,804
But why are they asking that, right?

161
00:09:26,825 --> 00:09:31,124
We all know they're asking that because
if your laptop gets lost, uh, you don't

162
00:09:31,164 --> 00:09:35,595
necessarily, and it, and you can prove
without a doubt that it's encrypted that

163
00:09:35,595 --> 00:09:39,864
just gets you off a whole lot of hooks
that you don't want to be on, right?

164
00:09:40,224 --> 00:09:43,545
So understanding why each control is
there and it helps also that I had

165
00:09:43,545 --> 00:09:48,155
probably about 20 years in IT that um, I
just get where they're going with that.

166
00:09:48,225 --> 00:09:53,194
And then it means that when you're on
a call with the let's say the large

167
00:09:53,194 --> 00:09:57,220
insurance company's security team, and
they ask the question, you understand

168
00:09:57,220 --> 00:09:59,750
why they're asking the question, you
understand what answer they want to hear.

169
00:09:59,750 --> 00:10:02,700
And I'm not telling anyone an answer
they want to hear if it's not true,

170
00:10:03,160 --> 00:10:07,005
but there are definite ways of getting
to the point in a way that gives

171
00:10:07,005 --> 00:10:08,715
people a better level of comfort.

172
00:10:08,915 --> 00:10:12,035
And also being very frank about
things that maybe aren't in place,

173
00:10:12,465 --> 00:10:16,605
with equally a way of saying, and
here is our plan, because if I know

174
00:10:16,605 --> 00:10:19,585
that they're going to have something
fundamental that's not in place, I'm

175
00:10:19,585 --> 00:10:21,344
going to make them come up with a plan.

176
00:10:21,384 --> 00:10:25,104
We want to get there, because it's
just, it's all about, ultimately,

177
00:10:25,104 --> 00:10:26,285
it's all about securing the data.

178
00:10:26,640 --> 00:10:30,310
But for the small organizations,
they've got to sell those contracts

179
00:10:30,320 --> 00:10:33,420
to buy, to get the money, to buy
the stuff, to secure the data.

180
00:10:33,440 --> 00:10:37,199
It's not like they've got 10 years
of capital funds that, that are

181
00:10:37,200 --> 00:10:38,190
going to come into play there.

182
00:10:39,179 --> 00:10:41,510
I had my list of questions here
and I'm going completely off

183
00:10:41,510 --> 00:10:44,459
script because everything you're
saying is triggering something.

184
00:10:44,660 --> 00:10:50,719
So I'd love to hear about the flip side
of that, which is actually educating

185
00:10:50,780 --> 00:10:57,155
the workforce at your clients about
the importance of security and why some

186
00:10:57,155 --> 00:11:00,005
of these things that might feel like
they're going, they're jumping through

187
00:11:00,005 --> 00:11:04,275
hoops, whether it's mobile device
management on developer laptops or

188
00:11:04,704 --> 00:11:10,865
having to re-login to Microsoft Teams
every 15 minutes is actually high value.

189
00:11:10,865 --> 00:11:14,624
So how do you educate employees on the
importance of good security practice?

190
00:11:15,285 --> 00:11:17,204
It's not always easy.

191
00:11:17,204 --> 00:11:20,265
I'm not going to say security
awareness training because there's all

192
00:11:20,265 --> 00:11:22,335
sorts of mixed feelings about that.

193
00:11:22,335 --> 00:11:23,815
And obviously it's good.

194
00:11:24,135 --> 00:11:26,775
And security awareness training
helps people become more aware

195
00:11:26,775 --> 00:11:30,105
of security in their personal
lives as well as their work lives.

196
00:11:30,105 --> 00:11:31,565
So it's never a bad thing.

197
00:11:32,085 --> 00:11:34,615
But it doesn't typically, it's
typically generic, and it doesn't

198
00:11:34,674 --> 00:11:38,904
typically say, okay, company
X, here's why we're doing this.

199
00:11:38,905 --> 00:11:42,735
We're not just doing it because our
potential client Y is going to ask

200
00:11:42,735 --> 00:11:47,655
us if we are, and we'd prefer to
say yes than no, but also because

201
00:11:47,885 --> 00:11:51,915
if we do this control, then this
backs up with control, and ultimately

202
00:11:51,915 --> 00:11:53,295
it boils down to risk mitigation.

203
00:11:53,865 --> 00:11:57,715
Part of the problem about being a
virtual CISO, though, is you're typically

204
00:11:57,725 --> 00:12:00,235
directly working with a much smaller team.

205
00:12:00,554 --> 00:12:04,805
When I was a full-time CISO, I'm
going around people's desks and

206
00:12:04,805 --> 00:12:08,505
leaving them literally little presents
going "don't forget about security."

207
00:12:08,535 --> 00:12:13,125
Um, and I'm involved with different
teams and helping literally buy

208
00:12:13,135 --> 00:12:16,535
software for different teams if
they, in exchange, would help some

209
00:12:16,535 --> 00:12:20,555
of the projects I was working with
to, to mature the security program.

210
00:12:20,954 --> 00:12:24,215
So, it was absolutely total
bribery, that's how it works.

211
00:12:24,215 --> 00:12:28,415
I had a budget and I needed their help so
we just made a little bit of bargaining.

212
00:12:28,814 --> 00:12:32,045
And that kind of relationship
building I don't get to do for most

213
00:12:32,045 --> 00:12:36,255
of my organizations because I'm
typically working with a core team.

214
00:12:36,675 --> 00:12:40,874
And they will say "reach out to
Laura, Laura's our, our vCISO if

215
00:12:40,874 --> 00:12:43,254
you have questions," and sometimes
it happens, sometimes it doesn't.

216
00:12:43,984 --> 00:12:47,515
But I think the main thing
is about the clients I have.

217
00:12:47,574 --> 00:12:49,924
If they've reached out to me, it's
because somewhere, somewhere along

218
00:12:49,924 --> 00:12:54,340
the line they've understood that
security is something they need.

219
00:12:54,550 --> 00:12:58,690
It may well be a third-party influence,
like it may well be their big client

220
00:12:58,700 --> 00:13:02,900
that said you have to have a SOC 2
or an ISO or whatever, or they may

221
00:13:02,900 --> 00:13:07,489
have had a breach of some sort or a
security event of some sort that's

222
00:13:07,499 --> 00:13:08,989
kind of put the frighteners on them.

223
00:13:09,550 --> 00:13:14,650
And so typically they're in a sort
of frame of mind where they're

224
00:13:14,650 --> 00:13:16,990
wanting to get better, right?

225
00:13:16,990 --> 00:13:18,010
Or to improve.

226
00:13:18,490 --> 00:13:22,800
Um, and hopefully that spills
out, um, to the rest of the teams.

227
00:13:22,800 --> 00:13:25,770
And we do, we will do, uh,
targeted awareness messaging.

228
00:13:25,770 --> 00:13:29,790
So I'll get someone, whoever's the most,
the most senior person in my leadership

229
00:13:29,790 --> 00:13:33,240
team that I work with directly, to send
out an email, which I have basically

230
00:13:33,240 --> 00:13:36,620
written that at the end says, reach out
to Laura, if anything, 'cause I want

231
00:13:36,620 --> 00:13:40,700
to try and get in there and wrinkle
my way in, wrinkle my way in somehow.

232
00:13:41,315 --> 00:13:42,195
So they know I'm there.

233
00:13:42,475 --> 00:13:46,135
So picking up on that theme, can
you think of any organizations that

234
00:13:46,135 --> 00:13:51,525
have done a really good job of tying
security into, into an overall mission?

235
00:13:51,975 --> 00:13:55,054
And I think in healthcare, of course,
there's lots of opportunities to do that

236
00:13:55,384 --> 00:13:58,904
because of the impact ultimately that
these companies have on patient care.

237
00:14:00,125 --> 00:14:04,295
Realistically, the most recent kind of
blatant issues that we've had coming

238
00:14:04,295 --> 00:14:08,185
out from a standpoint of security
issues have been from healthcare ones.

239
00:14:08,185 --> 00:14:14,735
Because if there was a major ransomware
issue in a pencil making shop, nobody

240
00:14:14,735 --> 00:14:18,034
would care because everyone's much more
concerned about what's going to happen

241
00:14:18,034 --> 00:14:23,255
to their data if somebody might know that
they've got some medical issue that should

242
00:14:23,255 --> 00:14:25,745
forever remain unpublic and now won't

243
00:14:26,415 --> 00:14:28,275
because that data has been compromised.

244
00:14:28,635 --> 00:14:31,975
Even Microsoft was saying that they're
all about security and then they had

245
00:14:31,975 --> 00:14:34,855
the issues with the logs that they had
recently and some other stuff with keys.

246
00:14:34,855 --> 00:14:40,705
And so everybody is struggling with
it because security is quite hard.

247
00:14:41,154 --> 00:14:44,664
And the main thing is that if I
think every organization should

248
00:14:44,665 --> 00:14:50,945
be proud of themselves, if they
really can genuinely feel that their

249
00:14:51,015 --> 00:14:56,015
stakeholders, which include employees
and everyone in a flow has at least some

250
00:14:56,415 --> 00:14:58,814
understanding that security matters.

251
00:14:58,894 --> 00:15:04,014
So whether it's through periodic messaging
or whether it's through encouragement,

252
00:15:04,314 --> 00:15:07,915
there's a lot of historical problems
with security being the kind of naysayer

253
00:15:07,915 --> 00:15:11,724
and the grumpy people in the room and
getting security out the punishment corner

254
00:15:11,734 --> 00:15:16,185
into they, listen, this is, a business
driver for us, or if nothing else, it

255
00:15:16,185 --> 00:15:17,854
might be a marketing advantage for us.

256
00:15:17,895 --> 00:15:22,745
And so, I think if they can help
make people not feel punished by

257
00:15:22,755 --> 00:15:27,344
security and supported by security,
that's going to be a win somewhere.

258
00:15:27,714 --> 00:15:31,254
And I don't know if I could
particularly name one, but I'm sure

259
00:15:31,254 --> 00:15:34,145
there are a lot out there who might
recognize themselves in that comment.

260
00:15:34,645 --> 00:15:35,064
I hope.

261
00:15:37,194 --> 00:15:42,265
I had someone suggest to me once
that their company run a marketing

262
00:15:42,265 --> 00:15:45,595
initiative around how secure they were.

263
00:15:46,875 --> 00:15:47,485
That sounds dangerous.

264
00:15:47,485 --> 00:15:49,194
Do you think that would be a good idea?

265
00:15:50,594 --> 00:15:54,675
Well, probably no, because the thing
is, the minute that you say, "oh

266
00:15:54,675 --> 00:15:59,055
my, aren't we so secure," something
bad's going to happen, either because

267
00:15:59,064 --> 00:16:03,164
someone's going to pick on you for
saying such a foolish thing, or because

268
00:16:03,164 --> 00:16:04,814
Sod's Law, as we would call it here.

269
00:16:05,244 --> 00:16:06,235
I don't think so.

270
00:16:06,265 --> 00:16:09,824
I think what you have to do is you have
to back up those kind of statements

271
00:16:09,845 --> 00:16:16,225
with, we have got a, independent audits,
uh, from a variety of auditors, we are

272
00:16:16,275 --> 00:16:20,074
constantly making improvements because
if anyone ever thinks that they can

273
00:16:20,074 --> 00:16:23,194
rest on their security laurels, they're
really going down the wrong path there.

274
00:16:23,644 --> 00:16:28,504
And from a standpoint of when I am talking
to potential vendors and going through

275
00:16:28,504 --> 00:16:31,394
the security grilling of when I'm doing
the grilling as opposed to the one being

276
00:16:31,394 --> 00:16:36,464
grilled, I just want to know, do they
have someone or a team there, depending

277
00:16:36,464 --> 00:16:39,925
on the, you know, the size, depending on
the appropriateness of the size of the

278
00:16:39,925 --> 00:16:44,819
company, that really understands what
they're trying to do, and they may not

279
00:16:44,910 --> 00:16:50,020
have done it yet, but if they say, "no,
listen, we are not doing infrastructure

280
00:16:50,020 --> 00:16:53,320
as code and running it through some
kind of security review, but we really

281
00:16:53,350 --> 00:16:56,669
plan to, we've got it on our list" and
it might be a complete fabrication, but

282
00:16:56,669 --> 00:16:59,019
at least they know what you're asking

283
00:16:59,379 --> 00:17:00,719
and they're trying to get there.

284
00:17:00,789 --> 00:17:04,649
And it's that kind of thing is nobody
is completely secure as I've mentioned.

285
00:17:05,190 --> 00:17:09,609
I have talked a lot in my days and
actually when I had my previous

286
00:17:09,899 --> 00:17:12,770
full-time job was about the
security maturity swoosh, right?

287
00:17:12,780 --> 00:17:14,510
So the little swoosh, the little hill.

288
00:17:14,810 --> 00:17:17,839
So little organizations are
typically going to be on the

289
00:17:17,839 --> 00:17:18,699
bottom end of the swoosh.

290
00:17:18,699 --> 00:17:22,839
And if you're a legacy, a
highly-regulated industry, you're going

291
00:17:22,839 --> 00:17:24,000
to be on the top end of the swoosh.

292
00:17:24,000 --> 00:17:27,949
And you still may have a whole barrel of
problems if you're there, but at least

293
00:17:27,949 --> 00:17:29,890
you're more likely to know about them.

294
00:17:30,560 --> 00:17:34,990
And so if you're talking to a vendor
that you know has only got four people

295
00:17:34,990 --> 00:17:36,940
working for them, and they may have

296
00:17:37,165 --> 00:17:38,165
got their SOC 2.

297
00:17:38,185 --> 00:17:42,295
And, and some, you may have some questions
about it because you, you wonder why

298
00:17:42,295 --> 00:17:46,505
their SOC 2 keeps on mentioning all these
massive teams that you know they don't

299
00:17:46,505 --> 00:17:49,085
have, but you're saying, where are you?

300
00:17:49,085 --> 00:17:52,105
And you, you get that thing where you
feel that they know what they're talking

301
00:17:52,105 --> 00:17:56,344
about, even if they are not there and
that they know where the gaps are.

302
00:17:56,345 --> 00:18:00,440
Knowing where your problems are is
really important, as much as then

303
00:18:00,440 --> 00:18:02,040
subsequently fixing those problems.

304
00:18:03,220 --> 00:18:06,260
Thank you for that, because I did in fact
tell them that I thought that that was

305
00:18:06,260 --> 00:18:10,650
a pretty terrible idea, and that they
probably shouldn't do it, um, but, uh.

306
00:18:10,730 --> 00:18:11,070
Yeah.

307
00:18:11,150 --> 00:18:12,069
No, it's a weird thing.

308
00:18:12,079 --> 00:18:12,910
It's tempting fate.

309
00:18:13,100 --> 00:18:15,169
And it, and security is relative.

310
00:18:15,249 --> 00:18:19,479
Are you more secure than everyone
else selling your product, or more

311
00:18:19,479 --> 00:18:21,569
secure than you were at the beginning?

312
00:18:21,579 --> 00:18:22,889
Or what are you putting
yourself up against?

313
00:18:23,735 --> 00:18:26,514
So for organizations that would like
to do some kind of thing like that,

314
00:18:26,525 --> 00:18:30,965
they're going to have to do a pretty
good benchmarking exercise to say, "I

315
00:18:30,965 --> 00:18:34,115
am super secure, we are super secure,"
which again, they should never say.

316
00:18:34,185 --> 00:18:39,255
But they should be really honest and have
someone come in and do an assessment.

317
00:18:39,655 --> 00:18:43,405
An independent person come in and do an
assessment and turn over a few rocks and

318
00:18:43,545 --> 00:18:48,475
go, you're pretty good, but you've also
got these major issues here or some minor

319
00:18:48,475 --> 00:18:50,074
issues and then you'd be even better.

320
00:18:50,834 --> 00:18:56,044
You touched on third-party assessments,
uh, and yeah, I think we've all, any, any

321
00:18:56,044 --> 00:19:00,355
of us who have had to work with those in
the past are aware that there's a range,

322
00:19:00,365 --> 00:19:05,465
and certainly with the SOC 2, a lot
depends on what your covered surface is.

323
00:19:06,165 --> 00:19:11,674
For smaller companies that are maybe
making decisions about when and how

324
00:19:11,674 --> 00:19:14,715
to pursue a third-party audit, what,
what advice do you have for them?

325
00:19:15,989 --> 00:19:20,379
I would say that they need to figure out
who their customers are or who they want

326
00:19:20,379 --> 00:19:25,370
their customers to be, because depending
on who those customers are, there's

327
00:19:25,370 --> 00:19:29,620
going to be either a 0 percent or 100
percent chance that they're going to be

328
00:19:29,620 --> 00:19:31,020
asked for an independent audit report.

329
00:19:32,179 --> 00:19:43,784
And, um, if it is becoming, for good or
bad, much cheaper to get a SOC 2 report.

330
00:19:43,845 --> 00:19:49,435
There is unfortunately new types
of auditors coming out that are

331
00:19:49,945 --> 00:19:51,675
asking fewer questions in the audit.

332
00:19:51,695 --> 00:19:56,125
I've worked with a large variety of
auditors from very big to very small

333
00:19:56,755 --> 00:20:00,615
and obviously if you're a very small
organization and you don't have a

334
00:20:00,615 --> 00:20:04,815
great deal of budget and you are trying
to get your report, you are going to

335
00:20:04,834 --> 00:20:08,850
probably deal with a cheaper vendor
who, because they're cheaper, is also

336
00:20:08,850 --> 00:20:10,180
not putting that much effort into it.

337
00:20:10,180 --> 00:20:13,880
And so the report that you get at the
end of it may be in an independent

338
00:20:13,890 --> 00:20:17,839
audit report, but you may secretly
know that it really, that they

339
00:20:17,839 --> 00:20:19,270
didn't hardly ask you anything.

340
00:20:19,290 --> 00:20:23,470
And it concerns me generally, and I know
there's a, there's some people on LinkedIn

341
00:20:23,470 --> 00:20:26,920
who talk about this a lot, it concerns
me that the value of a SOC 2 report

342
00:20:26,920 --> 00:20:28,470
is going to be diminished as a result.

343
00:20:29,020 --> 00:20:34,280
Because if people like me who are reading
SOC 2 reports feel that the reports

344
00:20:34,300 --> 00:20:39,550
are becoming less, I don't want to say
truthful, but maybe less detailed or

345
00:20:40,190 --> 00:20:43,930
they are, you suspect that the auditor,
because perhaps you've worked with

346
00:20:43,930 --> 00:20:47,549
them before, didn't really look under
the covers as they're supposed to,

347
00:20:47,960 --> 00:20:49,659
then how much faith can you put in it?

348
00:20:49,670 --> 00:20:52,640
So it puts us in a bit
of a sticky situation.

349
00:20:53,040 --> 00:20:57,270
Having said that, it is still a baseline
requirement, really, is a SOC 2.

350
00:20:57,270 --> 00:21:00,850
You can have a type 1, but you
better have a plan for your type 2.

351
00:21:01,210 --> 00:21:04,020
Because, obviously, people,
organizations, customers, want to

352
00:21:04,020 --> 00:21:06,470
know that you can maintain your
controls over a period of time.

353
00:21:06,849 --> 00:21:09,749
Longer than a quarter, which is what
everyone does, is they do their SOC

354
00:21:10,040 --> 00:21:12,669
2 type 1, and then they do three
months, and they get their type 2.

355
00:21:13,180 --> 00:21:14,560
And then you've got to maintain it.

356
00:21:14,570 --> 00:21:17,219
So you've got to have budget, you've
got to have planned ahead, you've

357
00:21:17,219 --> 00:21:18,610
got to have your controls in place.

358
00:21:18,679 --> 00:21:21,620
Most people will end up using
one of the GRC tools that

359
00:21:21,620 --> 00:21:22,610
makes that a little bit easier.

360
00:21:23,860 --> 00:21:26,830
If you know that you're going to have an
institutional customer, then you're going

361
00:21:26,830 --> 00:21:29,200
to have to get going on that very soon.

362
00:21:30,799 --> 00:21:34,820
So let's actually talk about
third-party vendor risk assessments.

363
00:21:34,990 --> 00:21:38,880
That I think is the, probably the
biggest surprise for people who are

364
00:21:38,880 --> 00:21:41,840
getting involved in implementing a
security program for the first time,

365
00:21:41,840 --> 00:21:45,660
especially if they are coming from
more of a technologist background.

366
00:21:47,420 --> 00:21:51,310
When you're launching a vendor
risk assessment program yourself,

367
00:21:52,130 --> 00:21:55,470
what are some important things
for smaller teams to keep in mind?

368
00:21:56,419 --> 00:21:59,439
I would imagine that everyone
would be hard pushed to come up

369
00:21:59,440 --> 00:22:00,790
with a list of their vendors.

370
00:22:00,860 --> 00:22:04,739
Even a really small organization,
that list stables very quickly.

371
00:22:05,160 --> 00:22:09,890
So for smaller organizations, they
should start making a list, even

372
00:22:09,890 --> 00:22:12,970
if it's just a list of names very
early on of who their vendors are,

373
00:22:13,200 --> 00:22:14,320
that are important in the flow.

374
00:22:14,630 --> 00:22:17,560
Like it doesn't matter who delivers
your water bottle if you have an office.

375
00:22:18,085 --> 00:22:19,275
or other things.

376
00:22:19,545 --> 00:22:20,655
So, bill.

377
00:22:20,835 --> 00:22:21,325
com, right?

378
00:22:21,365 --> 00:22:21,575
Bill.

379
00:22:21,725 --> 00:22:24,645
com is an important vendor for
most organizations because they

380
00:22:24,645 --> 00:22:28,784
want to pay, get paid, but they
typically aren't involved in the

381
00:22:28,785 --> 00:22:30,845
production data or application flow.

382
00:22:30,864 --> 00:22:33,415
So it does not need to be added
to the list of vendors you really

383
00:22:33,415 --> 00:22:35,694
want to take a good look at,
especially not in early phases.

384
00:22:36,864 --> 00:22:40,764
When I'm launching a third-party
risk management program, we start

385
00:22:40,764 --> 00:22:44,414
with the list, but in parallel,
we're starting to do the reviews

386
00:22:44,414 --> 00:22:45,774
of the vendors we know we have.

387
00:22:46,314 --> 00:22:49,885
And for the most of the small
organizations that I'm working

388
00:22:49,885 --> 00:22:51,915
with, they're using some
sort of cloud infrastructure.

389
00:22:52,315 --> 00:22:56,045
A lot of them are using outsourcers
like Newfire, for example, and

390
00:22:56,655 --> 00:22:58,105
they might be using IT outsourcers,

391
00:22:58,105 --> 00:23:01,664
they're going to be using a lot of the
common tools, the common bigger tools.

392
00:23:02,804 --> 00:23:06,894
But what becomes a little bit trickier
is if it's a slightly more niche type

393
00:23:06,894 --> 00:23:11,655
of vendor and then they're starting to
use slightly more niche type vendors

394
00:23:11,655 --> 00:23:16,575
themselves who may not have a SOC 2,
who may be involved in an environment

395
00:23:16,585 --> 00:23:21,210
where, um, nobody's asked for them to
come up with anything like that before.

396
00:23:21,210 --> 00:23:23,730
And then you have to go through a
little bit more of a manual process.

397
00:23:23,730 --> 00:23:27,250
But what I do with the clients as
well is, is let's track the vendors.

398
00:23:27,250 --> 00:23:28,830
Let's track what kind of data they get.

399
00:23:29,020 --> 00:23:32,989
Let's assign them a risk based on
usually what type of data they get, but

400
00:23:32,990 --> 00:23:36,239
also if they're providing a security
tooling or something that's a critical

401
00:23:36,544 --> 00:23:38,074
piece of something for the company.

402
00:23:38,074 --> 00:23:39,304
Let's give that a high rating.

403
00:23:39,725 --> 00:23:43,705
Let's figure out what we're going to do
with them as part of the review process.

404
00:23:43,735 --> 00:23:45,764
Let's figure out how often
we're going to do it.

405
00:23:46,344 --> 00:23:48,884
And even things like, let's
track what kind of authentication

406
00:23:48,884 --> 00:23:51,894
mechanism we're using, because
does it support single sign on?

407
00:23:51,895 --> 00:23:54,714
Because if it doesn't, every time
someone gets onboarded and offboarded,

408
00:23:54,714 --> 00:23:58,245
that's an extra step that we need to
remember about so that somebody doesn't

409
00:23:58,245 --> 00:23:59,715
have inappropriate access to data.

410
00:23:59,735 --> 00:24:03,695
So there's, there are a few important
columns in my vendor spreadsheet.

411
00:24:04,649 --> 00:24:08,649
So, for newer companies that have managed
to build their infrastructure almost

412
00:24:08,649 --> 00:24:14,509
entirely in the cloud, is there any way
for them to think about when they might

413
00:24:14,519 --> 00:24:19,030
have to sort of break the glass and
bring in self-hosted systems and all of

414
00:24:19,030 --> 00:24:20,550
the infrastructure that goes with that.

415
00:24:22,209 --> 00:24:28,590
There are very few situations that I have
come across where organizations that have

416
00:24:28,590 --> 00:24:35,889
already started their life off in the
cloud would need to do any self-hosting.

417
00:24:35,909 --> 00:24:37,909
And in some cases they don't even need to.

418
00:24:38,130 --> 00:24:40,660
They don't, they can run off
serverless infrastructure in the

419
00:24:40,660 --> 00:24:42,680
cloud, not all of them, to be fair.

420
00:24:42,730 --> 00:24:46,430
And so most of my clients will
have some sort of operating system

421
00:24:46,430 --> 00:24:47,990
they're dealing with in the cloud.

422
00:24:49,750 --> 00:24:57,309
There are so many negatives involved in
self-hosting anything, whether it's your

423
00:24:57,309 --> 00:25:03,410
own network or your own data center, or
even, dare I say it, an EC2 instance with

424
00:25:03,410 --> 00:25:06,950
an operating system running something that
you could also get as a SaaS solution.

425
00:25:07,409 --> 00:25:11,699
That I wouldn't ever particularly
encourage it unless there were no option.

426
00:25:11,699 --> 00:25:13,230
And typically there is an option.

427
00:25:13,720 --> 00:25:16,610
You need to have specialized tool sets.

428
00:25:16,620 --> 00:25:19,279
Sometimes you need to have
specialized skills in your staff.

429
00:25:19,279 --> 00:25:27,189
It just seems a waste of money if you
can find, and by money I think I more

430
00:25:27,189 --> 00:25:31,269
generically mean resources in general,
if you can find a hosted solution.

431
00:25:31,299 --> 00:25:33,999
It does mean you have to trust
the vendor, and of course that's

432
00:25:34,019 --> 00:25:35,019
part of the problem, isn't it?

433
00:25:35,029 --> 00:25:39,249
So if you're going to put your most
precious data on a third-party tool

434
00:25:39,250 --> 00:25:42,129
because you don't want to host it
in house or can't host it in house

435
00:25:42,129 --> 00:25:45,860
or whatever in-house is to you,
then you have to hope that you're

436
00:25:46,020 --> 00:25:47,380
placing it with the right vendor.

437
00:25:47,450 --> 00:25:50,820
And certainly we've seen that people
that we thought were the right vendor

438
00:25:50,970 --> 00:25:52,540
ended up having security issues.

439
00:25:52,560 --> 00:25:59,470
But my kind of standard, uh, expression
for that, which isn't, is not an answer,

440
00:25:59,470 --> 00:26:03,839
but it's a statement, is that if this
company goes down in flames, you will be

441
00:26:03,840 --> 00:26:06,755
going down in flames in very good company.

442
00:26:07,145 --> 00:26:10,325
If you know that there's going to be
very large organizations that have picked

443
00:26:10,325 --> 00:26:12,345
this vendor, why wouldn't you have?

444
00:26:13,725 --> 00:26:16,295
So stay out of US East 1,
but otherwise we're okay.

445
00:26:17,715 --> 00:26:22,874
Well, you know, is that stay out of
databases, RRFs, whatever, hosted by

446
00:26:22,954 --> 00:26:26,905
your mate that just spun up a data
center around the corner in his cow shed,

447
00:26:26,925 --> 00:26:28,785
there's just things you shouldn't do.

448
00:26:28,785 --> 00:26:32,385
And that's why part of the due diligence
piece is so important because there's

449
00:26:32,385 --> 00:26:34,785
a very easy ways to rule things out.

450
00:26:34,810 --> 00:26:38,190
And also that's, I think, helpful
when you're, when you've become

451
00:26:38,220 --> 00:26:42,230
part of the company's structure,
even as a virtual CISO, people know

452
00:26:42,240 --> 00:26:43,500
where you can ask you or something.

453
00:26:43,915 --> 00:26:47,495
I will say, if you're doing a beauty
contest between three different vendors

454
00:26:47,495 --> 00:26:50,915
that are going to provide warehouse
management systems, and you're kind of

455
00:26:50,915 --> 00:26:53,645
torn because they're all the same to
you, let's look at the security piece.

456
00:26:53,655 --> 00:26:57,415
That can feed into the matrix that
you're running in the bake-off.

457
00:26:57,705 --> 00:27:01,475
If one of them has a security score
of 1 and the other one is 10, I'm

458
00:27:01,475 --> 00:27:03,785
obviously going to prefer you're
going to pick the one that's 10.

459
00:27:04,235 --> 00:27:08,235
And if not, we know that we need
to go back to the one with 1 and

460
00:27:08,235 --> 00:27:09,355
give them some really stringent

461
00:27:09,630 --> 00:27:12,020
contract wording, which
they may not go for.

462
00:27:12,819 --> 00:27:17,729
That security review can feed
into the early on stage of picking

463
00:27:17,729 --> 00:27:20,759
vendors for my clients just as
much as it is on the flip side.

464
00:27:22,550 --> 00:27:26,159
So, of course, we can't have a
Newfire podcast without talking

465
00:27:26,160 --> 00:27:27,840
about AI at least a little bit.

466
00:27:28,729 --> 00:27:31,959
How are the companies that you're
working with thinking about the

467
00:27:31,959 --> 00:27:36,700
impact of AI on their security, on
their security programs overall.

468
00:27:36,959 --> 00:27:40,629
My newest client is actually
a client which is using AI

469
00:27:40,689 --> 00:27:42,000
as part of their product.

470
00:27:43,160 --> 00:27:45,589
So obviously they like that.

471
00:27:46,299 --> 00:27:53,580
For most of the rest of my clients, they
are probably not thinking about how AI is

472
00:27:53,580 --> 00:27:55,100
going to help them with their security.

473
00:27:55,300 --> 00:28:00,359
They're probably looking at tools that
happen to have AI to provide better

474
00:28:00,580 --> 00:28:04,339
something, whatever, better log reviews,
better vulnerability scanning, better

475
00:28:04,340 --> 00:28:07,700
something, but I think realistically
that's been the case for a long time.

476
00:28:07,700 --> 00:28:07,849
Right?

477
00:28:07,849 --> 00:28:11,080
So we've had machine learning and that's
been in a whole bunch of security tools

478
00:28:11,260 --> 00:28:16,120
for a long time, and now it's effectively
being rebranded and much improved.

479
00:28:18,070 --> 00:28:21,605
My client for smaller organizations,
they're just trying to figure out

480
00:28:21,784 --> 00:28:26,870
how to patch and how to do MFA and
how to do some basic functions.

481
00:28:27,370 --> 00:28:29,389
Don't they and their functions
don't really lend themselves

482
00:28:29,389 --> 00:28:30,700
particularly well to AI.

483
00:28:31,139 --> 00:28:34,280
And certainly there was a conversation
I was having with some of my peers on

484
00:28:34,280 --> 00:28:38,199
a vCISO Slack channel when people were
going, well, how has AI helped you?

485
00:28:38,769 --> 00:28:41,840
And for the most part, most people go,
it really hasn't because we're there

486
00:28:41,850 --> 00:28:47,100
having conversations with people about
why something, and for sure I will spin up

487
00:28:47,620 --> 00:28:51,009
ChatGPT and go make this
policy a bit less boring.

488
00:28:51,039 --> 00:28:52,559
And there's a lot to be said for that.

489
00:28:53,470 --> 00:28:56,899
But realistically, a lot of the
things I do is not assisted by AI.

490
00:28:56,970 --> 00:29:00,639
But I do accept that the tools that
we're looking at are in some shape

491
00:29:00,639 --> 00:29:02,559
or form going to be assisted by AI.

492
00:29:02,840 --> 00:29:06,139
It also really irritates me
that everyone has just jammed

493
00:29:06,169 --> 00:29:07,830
AI into their product name.

494
00:29:08,100 --> 00:29:11,219
Like it's going to miraculously
make that product better and more

495
00:29:11,230 --> 00:29:13,510
suitable for a given organization.

496
00:29:13,960 --> 00:29:18,055
And it's like the new FUD, when
you used to sell stuff to people

497
00:29:18,055 --> 00:29:20,945
because you said if you don't, you'll
immediately be hacked tomorrow.

498
00:29:21,365 --> 00:29:24,995
It's the, you must buy this because it's
got AI, so therefore it must be better.

499
00:29:25,035 --> 00:29:26,955
And it just doesn't apply in all cases.

500
00:29:27,825 --> 00:29:31,904
Generally speaking, I would say
that I think it's going to be

501
00:29:31,935 --> 00:29:36,737
very helpful because it does help
provide information to people in

502
00:29:36,737 --> 00:29:39,295
formats that can be more consumable.

503
00:29:40,345 --> 00:29:40,795
Related

504
00:29:40,795 --> 00:29:45,985
to AI data, small organizations again,
may be building their first data

505
00:29:45,985 --> 00:29:51,605
warehouses, building their first BI
and reporting platforms, and making the

506
00:29:51,605 --> 00:29:55,365
transition to having data that might
be available to very small parts of

507
00:29:55,375 --> 00:29:59,215
the organization now have to be made
more broadly available within a team.

508
00:29:59,920 --> 00:30:02,690
How do you think about, how do you and
some of the companies that you've worked

509
00:30:02,690 --> 00:30:08,800
with think about extending that security
and compliance envelope to broader use

510
00:30:08,850 --> 00:30:10,999
of information assets within the company?

511
00:30:12,300 --> 00:30:15,410
Well, I've had that very
specifically with one organization

512
00:30:15,559 --> 00:30:17,570
who were using Tableau, BigQuery.

513
00:30:17,570 --> 00:30:22,290
Yeah, there's, there's a lot of things
out there where you're providing some

514
00:30:22,300 --> 00:30:29,170
sort of dashboard or portal for people to
see things that they need to see because

515
00:30:29,430 --> 00:30:35,450
obviously the marketing department needs
to see if they have, let's say clients

516
00:30:35,450 --> 00:30:39,729
in area X, they don't necessarily need to
know their clients' names though, right?

517
00:30:39,729 --> 00:30:45,490
So, hopefully, there's an option
to provide some field-based access.

518
00:30:45,540 --> 00:30:48,530
So access is really important
for all of that stuff, right?

519
00:30:48,820 --> 00:30:50,690
So what's appropriate for people to see?

520
00:30:50,690 --> 00:30:52,780
What is appropriate for teams to see?

521
00:30:53,039 --> 00:30:58,270
And is there a way that you
can put some kind of filter and

522
00:30:58,270 --> 00:30:59,200
then nearly always is, right?

523
00:30:59,200 --> 00:31:03,290
So there's some sort of, some sort of
filter in front of reports or output.

524
00:31:03,299 --> 00:31:08,115
So in some cases it's, we only
let two people write the reports.

525
00:31:08,405 --> 00:31:12,505
So only two people know which fields the
people need, or not know which fields

526
00:31:12,505 --> 00:31:17,525
they need, but have the ability to create
a report that creates an output that

527
00:31:17,525 --> 00:31:19,034
may have sensitive information in it.

528
00:31:19,295 --> 00:31:23,105
And they know that that output has
to go in a different folder, or a

529
00:31:23,105 --> 00:31:27,585
different group access, or those
ways to make sure that that data

530
00:31:27,605 --> 00:31:32,375
stays in the business-justified
world that it needs to live in,

531
00:31:32,395 --> 00:31:32,735
right?

532
00:31:32,745 --> 00:31:37,635
So, uh, if you can't justify
your HR people having access to

533
00:31:37,645 --> 00:31:39,045
healthcare data, why would they?

534
00:31:39,265 --> 00:31:40,955
That is not employee healthcare data.

535
00:31:41,335 --> 00:31:43,575
Uh, then you make sure that they're
not in the group that has that.

536
00:31:43,575 --> 00:31:45,004
So access is super important.

537
00:31:45,004 --> 00:31:46,555
It'd be super important for AI as well.

538
00:31:46,605 --> 00:31:51,755
What, if you've got APIs, you, what are
those APIs able to access on the back end?

539
00:31:51,915 --> 00:31:55,165
Are you again saying they can
only see de-identified data?

540
00:31:55,355 --> 00:31:57,075
Are you saying that they
can't see anything at all?

541
00:31:57,115 --> 00:32:00,145
You have to think about that in the
beginning because you don't want

542
00:32:00,154 --> 00:32:03,685
to build it wrong and then realize
you have to turn off the tap after.

543
00:32:04,614 --> 00:32:09,014
So a common business model
for productivity focused SaaS

544
00:32:09,015 --> 00:32:13,790
applications is to come into a
company at the end user level.

545
00:32:13,790 --> 00:32:16,160
I know Tableau and team
really pioneered this.

546
00:32:16,950 --> 00:32:21,780
How do you think about shadow IT where
people bring in tools that they want

547
00:32:21,780 --> 00:32:26,049
to use that may not be blessed by the
company as a whole and certainly aren't

548
00:32:26,060 --> 00:32:28,859
part of the overall security program?

549
00:32:30,319 --> 00:32:33,420
There are a couple of aspects to that.

550
00:32:33,870 --> 00:32:37,715
So one is knowing that they're
using it at all, right?

551
00:32:37,755 --> 00:32:39,325
And that's really quite tricky.

552
00:32:39,635 --> 00:32:43,005
So there's a couple of new tools out
there that some of my clients are using

553
00:32:43,065 --> 00:32:50,165
that do things like read every email
to say: "Hey you, this is your new user

554
00:32:50,165 --> 00:32:53,725
account from shadowit.com product here.

555
00:32:54,015 --> 00:32:56,345
Um, here's your login and don't
forget to look at the report."

556
00:32:56,355 --> 00:33:00,555
So it can, it looks at all of those
emails says, okay, so just so you

557
00:33:00,555 --> 00:33:04,165
know, your shadow IT list has now
included this particular tool.

558
00:33:04,845 --> 00:33:08,214
And that's always been a problem
is to identify what is being used.

559
00:33:08,225 --> 00:33:09,584
Hence the shadow, I suppose.

560
00:33:10,074 --> 00:33:16,140
Um, because so many of them can
come in with a free trial that it no

561
00:33:16,140 --> 00:33:19,140
longer becomes a thing of is it on
your corporate card because probably

562
00:33:19,140 --> 00:33:20,440
not because it's a free trial.

563
00:33:20,860 --> 00:33:25,790
Hopefully people are at least using their
single sign-on for logging into it because

564
00:33:26,040 --> 00:33:31,579
that is another way to actually see what
tools people are using because it is not

565
00:33:31,579 --> 00:33:34,739
entirely straightforward but there are
again tools that make it a little easier.

566
00:33:34,999 --> 00:33:38,950
You can see who has been logging
in with your Angel Cybersecurity.

567
00:33:39,139 --> 00:33:40,470
com to which products.

568
00:33:42,070 --> 00:33:44,460
So then again, it's
about building the list.

569
00:33:44,470 --> 00:33:47,170
So first problem, do you
even know who they are?

570
00:33:47,780 --> 00:33:52,450
Second problem, it's not that it's a
bad idea that people are using these.

571
00:33:52,450 --> 00:33:54,150
They may have used them in a previous job.

572
00:33:54,160 --> 00:33:58,810
They may know that they do a great,
great job of what they need it to do.

573
00:33:59,270 --> 00:34:02,470
And they don't think they're
necessarily doing anything wrong by

574
00:34:02,480 --> 00:34:03,780
bringing it into the organization.

575
00:34:03,780 --> 00:34:07,479
So what you have to do is get out in
front of that with some education and

576
00:34:07,479 --> 00:34:09,119
say: "Hey, everybody, we love tools.

577
00:34:09,120 --> 00:34:10,199
We want to get things done.

578
00:34:10,469 --> 00:34:11,449
We want to do it right.

579
00:34:11,569 --> 00:34:16,735
However, we have contractual
obligations, regulatory requirements.

580
00:34:16,745 --> 00:34:21,165
We cannot share data with these
tools without it going through

581
00:34:21,165 --> 00:34:22,615
our vendor review process."

582
00:34:22,625 --> 00:34:24,485
So here are some guardrails.

583
00:34:24,495 --> 00:34:28,210
So actually we've got a document, I've got
a document that we use, it says "Yeah, if

584
00:34:28,220 --> 00:34:30,780
you want to try something out, you can try
it out, but you can't use any real data.

585
00:34:30,800 --> 00:34:34,250
Not our real data, not employee
real data, not any real data, right?

586
00:34:34,250 --> 00:34:37,700
So give it a whirl, and if you like it,
share it with your team if you like it.

587
00:34:37,920 --> 00:34:42,020
If you all like it, and it's budget for
it, if it costs anything, then we'll go

588
00:34:42,020 --> 00:34:46,750
through the vendor process because we want
to use tools that people want to use."

589
00:34:47,050 --> 00:34:50,690
Because it's just as bad if
security says, Oh no, thou shalt

590
00:34:50,700 --> 00:34:52,440
use this tool that everybody hates.

591
00:34:53,190 --> 00:34:57,925
So it's awareness and education around
making sure you give people the tools

592
00:34:57,925 --> 00:35:03,265
they need to do the right thing and
then it's also capturing the information

593
00:35:03,265 --> 00:35:07,004
about tools that, that half the time they
didn't even know was shadow IT, right?

594
00:35:07,015 --> 00:35:09,784
They think they're just using a little
app somewhere and they don't think of

595
00:35:09,784 --> 00:35:13,095
it as shadow IT and they don't think
of it as having access to company data.

596
00:35:13,424 --> 00:35:16,565
So you have to help them
understand that, that it is.

597
00:35:17,715 --> 00:35:20,755
So I've always been very interested
in, in how you set up a great

598
00:35:20,765 --> 00:35:22,925
incident response, um, program.

599
00:35:23,035 --> 00:35:25,795
And I know we've, I've had to spend
a lot of time in previous companies

600
00:35:26,215 --> 00:35:29,125
training that skill set into people
as well as putting in the right kind

601
00:35:29,125 --> 00:35:33,165
of an infrastructure so that when
there is, and frankly, it's usually

602
00:35:33,165 --> 00:35:37,085
a production incident rather than
a security incident, that we have

603
00:35:37,395 --> 00:35:39,985
the right people in the right place
to be able to respond to that.

604
00:35:40,515 --> 00:35:43,005
And it's always been a little
bit of a bespoke process.

605
00:35:43,005 --> 00:35:47,055
So, for companies that are building
their incident response program

606
00:35:47,055 --> 00:35:49,844
for the first time, what do you
recommend that they focus on first?

607
00:35:50,964 --> 00:35:54,055
So, the thing that I focus
on first is the contact list.

608
00:35:54,795 --> 00:35:57,504
Really, I mean, and it
sounds straightforward.

609
00:35:57,990 --> 00:36:01,140
If you're the CMO and you're
on a call with me once every

610
00:36:01,170 --> 00:36:02,480
six weeks, you know I exist.

611
00:36:02,480 --> 00:36:03,570
Do you know how to get hold of me?

612
00:36:03,820 --> 00:36:06,540
Do you know how to get hold
of your main software engineer

613
00:36:06,600 --> 00:36:07,879
who might be outsourced, right?

614
00:36:07,879 --> 00:36:11,959
So do you know how to get hold of the
people because something has gone wrong?

615
00:36:12,389 --> 00:36:15,850
And so the contact list is very important
and obviously it's quite easy to get

616
00:36:15,850 --> 00:36:19,585
to, but it also includes things like to
do you have cyber insurance, hopefully.

617
00:36:19,755 --> 00:36:22,155
If you have cyber insurance,
how do you get hold of them?

618
00:36:22,165 --> 00:36:24,865
Because chances are they're going
to be your forensics team because

619
00:36:24,865 --> 00:36:28,225
small organizations are typically
not going to have a retainer with a

620
00:36:28,235 --> 00:36:30,395
forensics organization from the get go.

621
00:36:31,185 --> 00:36:33,775
So you've got your contact list,
you've got law enforcement because you

622
00:36:33,775 --> 00:36:36,004
should be notifying law enforcement.

623
00:36:36,904 --> 00:36:39,450
The subsequent piece of the
contact list is do you have

624
00:36:39,660 --> 00:36:41,130
categories you need to notify?

625
00:36:41,160 --> 00:36:43,310
Because you should know
who they are and what their

626
00:36:43,310 --> 00:36:45,700
expectations are of notifications.

627
00:36:45,710 --> 00:36:49,839
So one person might have contractually
required you to notify them in 24 hours.

628
00:36:49,850 --> 00:36:51,170
Someone else might be 72 hours.

629
00:36:51,420 --> 00:36:53,300
Ultimately, you'll probably
do them all at the same time.

630
00:36:53,340 --> 00:36:56,985
But if you've gone a week, and you've
known for 24 hours, you know, that

631
00:36:56,995 --> 00:36:58,205
you're going to have an issue with.

632
00:36:58,735 --> 00:37:00,585
So the contact list is very important.

633
00:37:00,635 --> 00:37:04,615
And actually, even the process of
building the contact list gets those

634
00:37:04,725 --> 00:37:08,944
teams for the internal security and
response team, which we're going to decide

635
00:37:08,944 --> 00:37:11,155
who that is as part of that process.

636
00:37:12,555 --> 00:37:17,045
What is in the response document, I'm not
going to say it doesn't matter because

637
00:37:17,045 --> 00:37:23,115
it does matter, but what really happens
when an incident happens is that everybody

638
00:37:23,115 --> 00:37:25,665
gets on a call and just makes it work.

639
00:37:26,184 --> 00:37:31,255
And you have to know who to talk to,
and you also have to have very clear

640
00:37:31,305 --> 00:37:36,305
guidelines about who is allowed to talk
to who, because what you don't want is

641
00:37:36,510 --> 00:37:40,060
the junior customer services person
who only started last week to get

642
00:37:40,060 --> 00:37:42,520
on the call with someone saying, no,
I'm sorry, we've had a breach, right?

643
00:37:42,560 --> 00:37:47,170
You just, you've got to be very clear
about who does the communications, who

644
00:37:47,179 --> 00:37:52,110
approves the communications, whether it's
internal, external media, customers, law

645
00:37:52,110 --> 00:37:56,599
enforcement, all of those things have
to go through layers of approval so that

646
00:37:56,599 --> 00:38:00,600
down the line, it doesn't put you in
even hotter water than you might be in.

647
00:38:01,080 --> 00:38:05,775
So I have an incident response
document that links to the contact list,

648
00:38:05,805 --> 00:38:08,035
which should be in more than one form.

649
00:38:08,035 --> 00:38:11,235
So if somebody eats your, your
storage space, you've got, you

650
00:38:11,235 --> 00:38:12,415
still got those numbers somewhere.

651
00:38:13,135 --> 00:38:16,045
And also it says, these are the
things we need to think about.

652
00:38:16,095 --> 00:38:17,275
So if something's gone wrong.

653
00:38:17,574 --> 00:38:18,494
So here's the tracker.

654
00:38:18,505 --> 00:38:20,644
We're going to start recording
the timeline because the timeline

655
00:38:20,645 --> 00:38:21,664
might become quite important.

656
00:38:21,715 --> 00:38:22,644
It's typically important.

657
00:38:22,934 --> 00:38:23,845
We have to start tracking this.

658
00:38:23,845 --> 00:38:25,885
We might not even think
it's a security incident.

659
00:38:25,905 --> 00:38:27,065
We just don't know.

660
00:38:27,345 --> 00:38:30,605
So we're just going to start taking
notes and it could be in a Jira ticket.

661
00:38:30,625 --> 00:38:31,584
It could be anywhere.

662
00:38:32,345 --> 00:38:37,445
But recording that kind of being
described as typically a stated role

663
00:38:37,475 --> 00:38:38,835
in an incident response document.

664
00:38:39,375 --> 00:38:41,005
So who's going to call who?

665
00:38:41,024 --> 00:38:42,335
Who's going to write stuff down?

666
00:38:42,375 --> 00:38:43,895
Who's going to start bringing things back?

667
00:38:43,934 --> 00:38:47,524
Because to your point, in a production
incident, everybody knows who's going

668
00:38:47,524 --> 00:38:48,795
to bring your stuff back, right?

669
00:38:48,994 --> 00:38:51,835
Whoever's closest to the button to
push the button to make it come back.

670
00:38:51,835 --> 00:38:56,905
In a security response, um, there
are a lot of, uh, there's a, there's

671
00:38:56,905 --> 00:39:02,520
a lot of overlap, but there's also
a lot of, of specifics that you

672
00:39:02,560 --> 00:39:05,130
might not want to get wrong.

673
00:39:05,640 --> 00:39:07,490
Uh, and I'm sure there are
with production as well.

674
00:39:07,950 --> 00:39:11,529
But so for me, it's just important
that everyone who's on the team

675
00:39:11,529 --> 00:39:13,069
knows that they are part of the team.

676
00:39:13,069 --> 00:39:15,760
So we do the desktop walkthroughs,
which are always interesting.

677
00:39:16,220 --> 00:39:18,990
So you'll come up with a scenario
and I'll come up with scenario.

678
00:39:19,059 --> 00:39:20,180
We'll talk it through with the team.

679
00:39:20,180 --> 00:39:22,600
And there's always something that we
thought, oh, we haven't done that.

680
00:39:22,670 --> 00:39:26,310
And that is part of recognizing
where your gaps lie, right?

681
00:39:26,310 --> 00:39:27,420
So my job is not

682
00:39:27,625 --> 00:39:29,345
making people secure
because it's impossible.

683
00:39:29,645 --> 00:39:33,195
My job is risk mitigation and that
involves going through a tabletop

684
00:39:33,415 --> 00:39:37,225
walkthrough of an incident scenario
and saying, how do we not know that

685
00:39:37,225 --> 00:39:43,764
we don't know the number of the person
who is going to be able to approve X?

686
00:39:44,245 --> 00:39:44,545
Right.

687
00:39:44,585 --> 00:39:48,995
And so having that documented it might
be out of date in six weeks, but at

688
00:39:48,995 --> 00:39:52,485
least we've got it and we know that
there's a list and we, we know that

689
00:39:52,855 --> 00:39:54,285
there are things that we need to do.

690
00:39:55,075 --> 00:39:57,244
Um, so really that one's kind
of a knowledge based stuff.

691
00:39:57,245 --> 00:39:59,925
I mean, I've lived through some
incidents and they're never fun.

692
00:40:00,275 --> 00:40:03,864
And I'd love to say that everyone
immediately pulls up the incident

693
00:40:03,864 --> 00:40:05,404
response plan, but that isn't the case.

694
00:40:06,555 --> 00:40:11,185
So what I'm taking away from that
is print it out, get it laminated,

695
00:40:11,515 --> 00:40:13,345
stick a copy at your in-laws house.

696
00:40:14,165 --> 00:40:16,444
That's basically our
rebel when I was in, uh.

697
00:40:16,970 --> 00:40:18,150
Was it my last IT job?

698
00:40:18,150 --> 00:40:23,370
I think my last big IT job I had, which
is before I started working at Equifax,

699
00:40:23,400 --> 00:40:26,800
and we had the disaster recovery manuals,
which were done by an entire team.

700
00:40:26,800 --> 00:40:32,470
It was a very big, uh, regulated industry,
and there was an entire team doing

701
00:40:32,470 --> 00:40:37,345
the incident response, and we all had
a three-inch ring binder in our cars because

702
00:40:37,345 --> 00:40:38,755
that's where we were supposed to keep it.

703
00:40:38,775 --> 00:40:40,345
So that's one way of doing it.

704
00:40:40,755 --> 00:40:44,434
At the very least, if you think that
your contact list might get eaten

705
00:40:44,434 --> 00:40:48,175
by a piece of ransomware, do you
at least have those people, most of

706
00:40:48,175 --> 00:40:49,775
those people's numbers in your phone?

707
00:40:50,354 --> 00:40:55,015
And there's only so many things that
we can do, but luckily we now have, we

708
00:40:55,015 --> 00:40:58,075
have many more methods of communication
than we used to back in the day.

709
00:40:59,065 --> 00:41:02,074
So on that note, what's exciting
to you in the field right now?

710
00:41:02,915 --> 00:41:08,605
I like what I'm seeing with the GRC
tools I'm using, and GRC always, yeah,

711
00:41:08,635 --> 00:41:11,495
I feel like everyone just yawns when
they hear of governance, risk, and

712
00:41:11,495 --> 00:41:16,560
compliance, but what's new and different
with the tools that I've been using in

713
00:41:16,560 --> 00:41:21,010
the last couple of years is their ability
to hook into just about everything.

714
00:41:21,480 --> 00:41:24,060
And to start pulling out
low hanging fruit, right?

715
00:41:24,070 --> 00:41:26,740
So you can hook it into your
Google and go, why is it this

716
00:41:26,740 --> 00:41:28,299
person's been inactive for 30 days?

717
00:41:28,299 --> 00:41:32,859
And you know, you, because you don't
have a full team of people managing

718
00:41:32,899 --> 00:41:37,530
access and seeing who's been inactive
for 30 days, you can have a tool

719
00:41:37,830 --> 00:41:41,130
send you a message into Slack going,
someone's been inactive for 30 days.

720
00:41:41,160 --> 00:41:48,075
And it's just really, they are
very useful for avoiding stupid

721
00:41:48,075 --> 00:41:49,635
slippage and stuff, right?

722
00:41:49,635 --> 00:41:54,755
So somebody set up a new S3 bucket
and didn't something by default,

723
00:41:54,775 --> 00:41:56,985
right, there's a sort of umpteen
things that it could be checking for.

724
00:41:57,385 --> 00:41:59,845
And those tools will just tell
you, and it's just easy and it's

725
00:41:59,874 --> 00:42:00,945
part of what you're paying for.

726
00:42:00,975 --> 00:42:05,660
And obviously they do a lot of other
things that help you get to and

727
00:42:05,670 --> 00:42:08,810
maintain a decent compliance status.

728
00:42:09,110 --> 00:42:13,070
And I do try and emphasize security over
compliance, but the reality is, if there

729
00:42:13,070 --> 00:42:15,929
are a lot of things on the compliance list
that people wouldn't ordinarily choose

730
00:42:15,929 --> 00:42:20,229
to do first because they're boring, but
they do provide a big security uplift.

731
00:42:21,010 --> 00:42:22,740
So I like those tools.

732
00:42:22,740 --> 00:42:24,400
I'm sure they're using
a bunch of AI as well.

733
00:42:25,095 --> 00:42:26,735
And we'll continue to increase that.

734
00:42:26,735 --> 00:42:30,845
But I like the way that for less
than 10,000 dollars a year, a small

735
00:42:30,845 --> 00:42:34,555
organization can get a tool that
really does quite a lot of things,

736
00:42:35,105 --> 00:42:40,914
um, in their security maturity,
um, plan and, uh, compliance

737
00:42:41,125 --> 00:42:42,995
ability to reach their old plan.

738
00:42:43,554 --> 00:42:45,674
Um, so those are great.

739
00:42:46,064 --> 00:42:50,585
I wish everyone was doing serverless
because nobody needs to be patching EC2s.

740
00:42:50,675 --> 00:42:56,685
There's just, the cloud has come out with
so many opportunities for then everyone

741
00:42:56,685 --> 00:43:00,355
to build products in the cloud that
moving away from having to go and reboot

742
00:43:00,355 --> 00:43:04,195
a firewall in the middle of the night
is a possibility for just about everybody.

743
00:43:04,235 --> 00:43:06,695
And obviously that's, that's
been around for a long time.

744
00:43:07,245 --> 00:43:14,740
But for small organizations, integrations
between tools have made it just generally

745
00:43:14,890 --> 00:43:16,820
much easier to do the right thing.

746
00:43:18,460 --> 00:43:22,719
Laura, before we wrap up, is there,
especially in this post-Change

747
00:43:22,719 --> 00:43:26,519
healthcare world, is there one piece
of advice that you'd like to give

748
00:43:26,519 --> 00:43:29,760
to healthcare leaders or founders of
companies, specifically in healthcare

749
00:43:29,760 --> 00:43:34,219
technology, but even more broadly, around
their security programs and posture?

750
00:43:36,150 --> 00:43:40,730
I would say they shouldn't
consider security an expense.

751
00:43:41,080 --> 00:43:44,260
They should consider it a marketing
advantage because if they don't

752
00:43:44,270 --> 00:43:45,810
have it, no one's going to buy it.

753
00:43:46,130 --> 00:43:50,390
It's a slightly bold statement
because that's what I'm seeing.

754
00:43:51,390 --> 00:43:58,970
I think that I'm astonished still by the
clients that come to me that still aren't

755
00:43:58,970 --> 00:44:01,810
doing some of the incredibly basic things.

756
00:44:02,470 --> 00:44:07,830
It feels like we've gone beyond the point
where people don't have multi-factor in

757
00:44:07,850 --> 00:44:10,390
place, and yet I can say that we're not.

758
00:44:10,910 --> 00:44:15,630
And my job is effectively telling
people to do more or less the

759
00:44:15,630 --> 00:44:19,420
same five things, and I'm still
having to tell them to do it.

760
00:44:20,059 --> 00:44:25,249
And I think as technology gets
more advanced, and tools are super

761
00:44:25,250 --> 00:44:31,040
cool, and everyone's telling them
something fancy, it's not the fancy

762
00:44:31,040 --> 00:44:32,860
stuff that's catching people out.

763
00:44:33,740 --> 00:44:34,770
It's just not.

764
00:44:34,780 --> 00:44:36,110
It wasn't with Change.

765
00:44:36,660 --> 00:44:42,520
So, you need to make sure, and again,
be very honest and actually check

766
00:44:42,810 --> 00:44:47,120
that you're doing the boring things,
like scanning for vulnerabilities,

767
00:44:47,390 --> 00:44:51,260
patching the vulnerabilities, putting
multi-factor in place, making sure

768
00:44:51,529 --> 00:44:53,260
people aren't leaving with your data.

769
00:44:53,279 --> 00:44:57,120
Like, none of this has changed for
years, and yet it's still a problem.

770
00:44:57,600 --> 00:44:59,920
Get those things done so you don't have
to worry about them moving forward.

771
00:45:00,090 --> 00:45:02,310
Because, for the most part, most
of them are pretty quick and easy.

772
00:45:03,910 --> 00:45:09,060
And any advice for people who are looking
to build a career in the security field?

773
00:45:10,480 --> 00:45:13,930
Oh, it's really tricky because, you
know, we're all so well aware that,

774
00:45:14,060 --> 00:45:17,310
that we need more people in the
security field and we're also equally

775
00:45:17,310 --> 00:45:20,470
well aware that an entry-level job
in security apparently doesn't exist.

776
00:45:20,570 --> 00:45:23,220
I, like a lot of my peers,
got into security through IT.

777
00:45:23,220 --> 00:45:28,359
I would say for everyone, if
you're looking at security, join

778
00:45:28,359 --> 00:45:31,220
up with any of the available
groups that are in your area.

779
00:45:31,480 --> 00:45:33,660
Nearly everything is free, right?

780
00:45:33,660 --> 00:45:35,390
You don't have to go Black
Hat, but you might be able to

781
00:45:35,390 --> 00:45:36,640
get sponsored to go Black Hat.

782
00:45:37,290 --> 00:45:41,270
And also, find out what part of security
interests you, because if you want to

783
00:45:41,280 --> 00:45:45,350
be an ethical hacker, there's no point
learning a great deal about GRC, because

784
00:45:45,350 --> 00:45:46,749
it's just going to bore you mindless.

785
00:45:47,210 --> 00:45:49,479
And, you know, like, for me,
I'm not an ethical hacker.

786
00:45:49,479 --> 00:45:53,210
I've never claimed to be able to do
anything with coding, so I'm not spending

787
00:45:53,210 --> 00:45:54,740
a great deal of time delving into that.

788
00:45:55,565 --> 00:46:00,525
Understand what the different parts of
security are, the security world are.

789
00:46:01,235 --> 00:46:03,885
Think about which ones interest
you, because that's going to put

790
00:46:03,885 --> 00:46:05,355
you down a slightly different path.

791
00:46:05,694 --> 00:46:09,155
You might have to go and do a little
bit of, um, software development, go

792
00:46:09,155 --> 00:46:13,274
and work for Newfire, do some software
dev and then spit out Intersect DevOps.

793
00:46:13,274 --> 00:46:14,024
That's great.

794
00:46:14,325 --> 00:46:18,365
If you're not super technical, it doesn't
mean that you can't get into security.

795
00:46:18,375 --> 00:46:19,145
You can.

796
00:46:20,170 --> 00:46:23,540
Coming through auditing ways, although
it's always helpful if you're, if your

797
00:46:23,590 --> 00:46:26,020
technical action helps when you're
auditing with technical control.

798
00:46:26,020 --> 00:46:30,850
There are ways to get in there and you
just need to persevere and be aware

799
00:46:30,880 --> 00:46:34,810
that in the security field, we're just
rubbish at creating entry level jobs.

800
00:46:34,850 --> 00:46:38,250
And we take, we steal people
from the IT teams all the time.

801
00:46:39,039 --> 00:46:43,790
And that probably is going to continue.

802
00:46:43,810 --> 00:46:46,610
So try and get into security
through another team.

803
00:46:48,025 --> 00:46:50,545
Laura, thank you so much
for joining us today.

804
00:46:50,865 --> 00:46:53,635
Uh, you know, this has been
a fabulous conversation.

805
00:46:53,675 --> 00:46:54,505
I've learned a lot.

806
00:46:54,545 --> 00:46:57,025
I think our listeners are
going to learn a lot, too.

807
00:46:57,685 --> 00:47:02,114
Building a security program from ground
up is I think one of the things that

808
00:47:02,114 --> 00:47:06,214
founders don't recognize that they're
going to have to do when they start

809
00:47:06,215 --> 00:47:07,934
the journey of building a company.

810
00:47:08,324 --> 00:47:10,924
And it's something that leaders don't
necessarily realize they're going to

811
00:47:10,934 --> 00:47:16,164
be responsible for when they make that
switch from a functional role to something

812
00:47:16,165 --> 00:47:17,845
that's more focused on general management.

813
00:47:17,854 --> 00:47:22,530
So, being able to cover so many of these
different areas, I hope it's been very

814
00:47:22,530 --> 00:47:24,210
interesting to you, you who are listening.

815
00:47:24,875 --> 00:47:29,775
If you are facing similar challenges or
looking to improve your data security,

816
00:47:30,025 --> 00:47:31,995
obviously, we'd love to talk with you.

817
00:47:32,055 --> 00:47:33,445
Laura would love to talk to you.

818
00:47:33,654 --> 00:47:34,995
So feel free to reach out.

819
00:47:36,114 --> 00:47:39,264
So Laura, it's been an absolute
pleasure having you on Hard Problems,

820
00:47:39,265 --> 00:47:41,544
Smart Solutions, the Newfire podcast.

821
00:47:42,424 --> 00:47:46,355
Thank you again for sharing your knowledge
and inspiring us to think a little

822
00:47:46,355 --> 00:47:48,385
creatively about security and innovation.

823
00:47:48,615 --> 00:47:53,895
And to our listeners, thank you all for
tuning in and we will hear you next time.