Risk and Reels: A Cybersecurity Podcast

Crafty hackers, super-smart villains, speaking the business language, GRC tools, risk and regulatory correlations, reg ops, being compliant, meeting regulations, and why vendors can't solve all your problems. 

This episode features Larry Whiteside, the current CISO at RegScale and long-time friend of Jeffrey Wheatman.

Creators & Guests

Host
Jeffrey Wheatman
Cyber Risk Expert, Evangelist, Thought Leader, Storyteller, Executive Advisor, and former Gartner Analyst

What is Risk and Reels: A Cybersecurity Podcast?

A podcast for movies. A podcast for cyber talk. A podcast for smart people to say smart things to smart listeners. Hosted by Jeffrey Wheatman, former Gartner Analyst.

00;00;19;11 - 00;00;45;08
Jeffrey
Greetings and salutations, one and all. Welcome to today's episode of Risk and Reels. My name is Jeffrey Wheatman and I am your host for the next 40 or 45 minutes. I am pleased as punch to have my buddy Larry Whiteside on the podcast. Larry and I have known each other, man, for probably 15 years. I was actually telling someone this story.

00;00;45;08 - 00;01;07;12
Jeffrey
I don't know if you remember, but you, me, Proctor and our steak were at the bar at the L.A. at Def Con one year. This was this was after I stopped drinking into three you where you guys are light it up. And it was great. So, yeah, Larry and I have known each other a long time. Larry is a fixture in the security space.

00;01;07;21 - 00;01;23;29
Jeffrey
He is a man about town. He is the best-dressed security guy I know. I was going to put a tuxedo on, but I said, you know what? No matter what I put on, Larry is going to be better dressed than me. Larry's got a great background, but you can look him up on LinkedIn, so I'm just going to introduce him as my friend Larry.

00;01;24;00 - 00;01;25;20
Jeffrey
Larry, welcome and see you.

00;01;25;27 - 00;01;34;01
Larry
What's up, buddy? I'm so happy to be here. I'm so happy for you. You know, in this new role and all the fun stuff you're getting to do. So I've been excited watching you go.

00;01;34;19 - 00;01;50;11
Jeffrey
All right, cool. So. All right. So as everyone knows, we always start off with the movie question. So let's see, Larry. Who is your favorite movie heroine of all time? All the movies you've seen. Who's the favorite female character you got? Who stole the show?

00;01;51;27 - 00;02;17;11
Larry
You know, so it's funny. I can't say I have a favorite female heroine character. There's one actress, though. I don't care what she does. I don't care what she does. And sign me up. And that is Charlize Theron. Charlize Theron. I don't care what she does and what it's in. Yes, please. I will take every piece of all of that.

00;02;17;26 - 00;02;19;17
Larry
This is doing every role.

00;02;20;26 - 00;02;36;05
Jeffrey
I am with you. In addition to being an amazing actress, she's like a real person. She was on Howard Stern a couple of years ago and she's like a regular, regular person. Yes. She lives right. Small house kids. Yeah, I love that. I love that about her.

00;02;36;05 - 00;02;39;16
Larry
She does not let the stardom blow her head up. Yeah.

00;02;39;20 - 00;02;42;02
Jeffrey
So what's your favorite movie she's in?

00;02;44;22 - 00;03;15;11
Larry
So I don't remember the name of it. It's where she was like an ice queen. Like, if you think about most of her movies, she plays like that. Either a femme fatale where she's, you know, very active, you know, fighting type thing, or she is like the villain. And so for me, it's all of the ones where she plays a villain, where she is this alter ego, female, super smart, super crafty, villainous, right.

00;03;16;06 - 00;03;40;29
Larry
When she plays those roles, I'm like, because for me, it's a combination of beauty and intelligence and threat. We all know in this field that cyber criminals are not dumb, right. And so when you think about the criminal element, the criminal element in cyber, there's very few that we're dealing with that are dumb. And so she's never played the dumb, glitzy, footsie blond.

00;03;40;29 - 00;03;58;25
Larry
She always plays a woman who is a thinker. Right. And she's always big thinking, crafty and so forth. So it's I can't even say there's one particular role. It's every time she plays that super smart, villainous type role I'm in, I'm right there with popcorn.

00;03;59;15 - 00;04;20;05
Jeffrey
All right. You know what? I love that. That's a great assessment. She was in something fairly recently that I thought was pretty good. It might have been a Netflix only thing, and I don't remember the name of it, but she's part of this group of semi immortal characters. And she's the leader. Yes. And I see her and I go, I think Charlize Theron.

00;04;20;12 - 00;04;50;02
Jeffrey
And it's amazing because she's so good. She makes you forget who she is. And I think you are spot on. She is definitely, I think, underrated, number one. And number two, I like that kind of bad girl thing you pointed to there. So. All right. Awesome. I would have to tell you, I think my favorite heroine of all time just went right out of my head.

00;04;51;04 - 00;05;05;17
Jeffrey
I'll come back to it because I swear it was right in there. I even knew my answer before I ask you the question. And now I cannot remember. But I will come back. You know what I mean? There are so many, so many of them out there, but. Well, I'll think about it before we wrap up, I promise.

00;05;07;01 - 00;05;33;23
Jeffrey
So it's been a little while since we spoke. I think the last time we ran into each other might have been last year at RSA. And I think you were on a panel for the Cloud Security Alliance, which are good friends of ours. I actually was looking at the RSA page today. Looks like you are going to be speaking there.

00;05;33;23 - 00;05;50;27
Jeffrey
So I'm looking forward to seeing that. Our friend Patty Titus, who has been on the podcast, she's actually got a slot, so I'm actually excited. Yeah, I didn't believe it. Last year was the first year I ever went to RSA because as a Gartner analyst it was a vendor thing and there was never any crazy.

00;05;51;22 - 00;06;10;09
Larry
That is hard to believe for anybody that's been in a good role as long as you have at the level that you operate for this long to know that last year was your first year. Like most of us, CISOs have been going for 20 years at this point. Like literally have been going for so long at this point.

00;06;10;17 - 00;06;16;13
Larry
So to hear that that was your first, it's actually mind-boggling.

00;06;16;25 - 00;06;36;03
Jeffrey
Well, you remember when I was on the Gartner side, all the vendors wanted to talk to us. So anybody from Gartner that went out there, you didn't get to see anything. You were literally cramped with vendors. And you don't like the vendors. I mean, now we do like one. All right. So let me just kind of throw something out there.

00;06;36;03 - 00;06;58;04
Jeffrey
So one of the things that I picked up on last year was we've definitely seen some transition in the market that we call GRC, governance, risk management and compliance. My experience, and granted, we have Black Kite, we're sort of in a narrow element, but what we've seen is that whole GRC thing is moving upstream, right? It's moving.

00;06;58;13 - 00;07;17;18
Jeffrey
It's got more management visibility. We're talking to more enterprise risk managers. So why don't you wax poetic for a couple of minutes on what you've seen? I mean, you've been a CISO in a bunch of different places, you know, good or bad. Well, you've always been good, but the organization's not always great. So what have you seen as an evolution there, for good or bad?

00;07;18;14 - 00;07;39;28
Larry
Yeah. So. So here's a reality of the space. If you think about where the industry is saying that executives must go, right, We have to speak the business language, right? We have to speak in terms of what the business understands. We have to speak in a way that they can grasp what we're trying to accomplish. We have to speak in their terms.

00;07;40;06 - 00;08;07;10
Larry
Great. Some of us CISOs, we've been saying that for ten years and we've been operating in that mode. The only tool, if you really think about the ecosystem of tools that security teams run and operate and have in their bag, the only tool that speaks in a language that business understands is the GRC tools, right? Because it talks about risk, it talks about compliance and regulatory things, right?

00;08;07;11 - 00;08;34;29
Larry
It talks in things that they begin to understand because you can directly correlate the things that you're dealing with into their business. So with that, over the last, I'll say, seven years, GRC tools are just All right, everybody add to that the questionnaires and all right, so this, this whole proliferation of more governance, more regulation, more and more and more and more has pushed the space.

00;08;35;19 - 00;08;54;29
Larry
But now what's happened is we are in information overload. We still don't have enough staff. The GRC space, being the least technical space, is the one that grows the slowest, but they've got more work than ever. So now we're seeing this shift, what we call the shift left mentality, right? We've heard shift left being utilized across our industry.

00;08;55;05 - 00;09;15;23
Larry
It started in the development phase, right, where we were talking about shift development left, right, have DevOps and DevSecOps, right, CI/CD pipeline and all of this, and automate where you can. Then we push that into SecOps where we're like, hey, it's security operations. We're getting in so much data. We want analysts to spend time on the right things.

00;09;15;23 - 00;09;34;24
Larry
So let's automate where we can and let's narrow the focus down so that they're not doing menial tasks and they're focusing on the things that need to happen. Well, now that's where we're at in the GRC space, with the amount of data that's coming into an organization that they have to use to push this all the way back.

00;09;35;28 - 00;10;03;24
Larry
As far as GRC tools have grown, there have been more regulations pushed. All that's done is push more work on the cybersecurity team to have a GRC function, or on the audit teams, or on the risk managers' teams that are trying to do data gathering, because the data proliferation has caused it to be more data that has to be gathered to provide attestations that we're actually meeting the controls of this regulatory thing.

00;10;04;09 - 00;10;29;00
Larry
So now organizations are starting to say, let's automate, let's stop manually gathering data. Like, why in 2023 are we still doing the screen scrapes of pictures of tools, right? Showing, hey, look at this picture of this security tool that we have. That's how we meet that control. Are you, or you really shouldn't be like, pardon my French, but is that what we're doing in 2023?

00;10;29;01 - 00;10;30;29
Jeffrey
It's all right. We are. We all speak French here.

00;10;32;19 - 00;10;56;23
Larry
But so now it's this whole aspect of let's automate. I'm calling this the last frontier. We've coined this term RegOps, regulatory operations. Right? We've got DevOps, we've got SecOps. So let's build a RegOps function, right, to make sure that we are actually utilizing the tools that we have in front of us appropriately.

00;10;57;03 - 00;11;17;16
Larry
Every tool that we have now has API capabilities for you to be able to extract data points. Why are we not utilizing that to do that for these audits? Why are we not doing that for these attestations, for the regulatory things? Why? Because that has not been our focus. We've been focusing on protect and detect, right.

00;11;17;22 - 00;11;40;23
Larry
Make sure you can detect as quickly as possible. Right. So it's, you know, mean time to detection. Every CISO has got that on the frickin' board in their office and is asking their SecOps team every single day to look at that number, right, and mean time to remediation. Right. Because that's how we get measured from the standpoint of our operational teams functioning properly.

00;11;41;03 - 00;12;00;12
Larry
Well, guess what? The thing that is going to get you money, the thing that is going to get you the budget that you need to actually build the operations program that you want, is all those regulations and all the controls that all those regulations mandate you to do, showing that you have operationalized something to meet all of that on your journey to having a good cyber program.

00;12;01;01 - 00;12;22;12
Larry
The challenge has been and the problem has been we've had this adversarial relationship with compliance and with risk, right? Oh, well, if I meet this regulatory framework, that doesn't mean I'm secure. Well, no shit, Sherlock, right? Nobody's saying that. But. But what we've done is we've allowed that to be the narrative, right? What? We go back to Target, and everybody always uses Target, right?

00;12;22;12 - 00;12;48;25
Larry
Well, Target was PCI compliant, and it still got hit. Yes, being PCI compliant does not mean you're secure. We all know that being compliant with any regulation does not mean you're secure. But because we as CISOs have not done a good job holistically articulating to the board, to the audit committee, to our executive leadership team: hey, we have these regulations that I need to meet, right, in order for us as a business to operate.

00;12;49;13 - 00;13;07;15
Larry
Okay, great. These are how I'm going to meet those in my path towards being a better security team. But instead we let them push down on us. You need to meet this regulation, right? What I've always done is: great, I need to meet the regulation; here are the controls that align to that that I need to deal with.

00;13;07;24 - 00;13;29;11
Larry
And I advocate ones from a framework, because we're all dealing with some sort of framework, whether it's NIST CSF, 800-53, ISO, whatever, pick your framework, any framework. Right. And I use those controls as the basis for: hey, these are the things I need to do operationally to meet these controls, and these are the controls that are aligned to this.

00;13;29;17 - 00;13;39;01
Larry
So if you say you want me to meet this, give me the money, I will meet these controls that will help me meet this. And now everybody's happy. But that doesn't mean.

00;13;39;14 - 00;14;03;26
Jeffrey
I don't know their focal point. But I got. Let me ask you a question, Larry. So I agree with everything you're saying. Here's what I have seen, and remember, you know, I've been on the opposite side of the table, where the problem is GRC tools are essentially workflow management tools. You need to know who needs to be involved in being responsible, informed, accountable, etc.

00;14;04;14 - 00;14;34;07
Jeffrey
Most of the folks I've spoken with don't understand the process. They don't understand what their material risks are. They don't understand what their key assets are. They don't have the authority to make a decision, Hey, you know what this risk is outside of risk appetite. We can't do this. So the tools are fine. But I will tell you, when I was advising people at Gartner on GRC, 80% of the time I hang up the phone and go, You should not buy a tool because they're automating badness.

00;14;34;07 - 00;14;50;22
Jeffrey
Right? The metaphor I use, if you think of risk, is this little animal with sharp teeth and pointy claws. If you jam that little dude in a box, GRC, and in a year you open that box, you are not going to recognize that little monster. It's going to be a different monster. Or maybe it's going to be more than one monster.

00;14;51;01 - 00;15;06;13
Jeffrey
So how would you advise organizations that don't have the process, don't have the right level of accountability? Right. You know as well as anyone, if the CEO is accountable for risk, they're failing, right? Stop. Well.

00;15;06;29 - 00;15;17;11
Larry
That's the first point right there. The first point is, this tool is not a panacea. Like, anybody who's going into the GRC.

00;15;17;20 - 00;15;20;26
Jeffrey
Can you call the vendors and tell them that? Because they seem to think it is.

00;15;21;26 - 00;15;50;13
Larry
Yeah, but every vendor does it. Like, you'll be at RSA, right. I'll be at RSA, and we need to, this is something I think we should partner on, is literally a freaking word bingo. Right. Like, just because we know every single entity in there is going to have everything saying, we solve all your problems, buy us because we fix up.

00;15;50;16 - 00;15;58;24
Larry
We will stop you from ever having a breach. We will allow you to walk on water if you buy us. Jesus will, like, everything that you can possibly think of.

00;15;59;02 - 00;16;07;03
Jeffrey
They say it's fun to use that term the right, because I always tell people, if a vendor tells you they solve all your problems, you should run away really fast. Really fast.

00;16;07;03 - 00;16;30;18
Larry
But we don't. We don't, because they're in the biggest booths right in front and they say all these things. Right. So here's the reality. So number one, GRC tools are not a panacea. You have to understand your risk. But the thing is, I look at the tools as a mechanism to enable me to have a platform that I can bring others in for collaboration.

00;16;30;29 - 00;16;50;14
Larry
Right? Because here's the deal. Most of the time when I did not have a GRC tool, you know what I did? I had Excel spreadsheets and PowerPoint. And then the only time I got to bring the other leaders in, right, was when I was going to Brazil about it and tell them what I needed from them related to what I put together.

00;16;50;19 - 00;17;12;16
Larry
Right. And that was once a month or once every other week at the most. And then there were a bunch of back in meetings because they had no idea what the hell is going on. And they weren't again, they didn't understand. Right? So when I did get a GRC tool to from your standpoint, it was about implementing a process because it put me in a process would be a ticketing system.

00;17;12;16 - 00;17;33;02
Larry
Never worked. It just it just doesn't work. Hey, these here's, here's our risk register. It's in an Excel spreadsheet. These risks have been identified. They get brought up once a month at the CEO's field meeting. They get assigned to somebody in a ticketing system. They don't do anything with it. They don't follow up on it. They don't understand how it aligns to the business.

00;17;33;02 - 00;17;55;15
Larry
They don't understand how it negatively impacts the controls that are governed by the regulatory things that we have to do. And so then what happens is it goes on. It keeps being brought up as red because it's not being dealt with on a monthly basis, but nobody ties it all the way back, right. Okay, now it's audit season and the auditors are coming in and it gets shown and it's red.

00;17;55;21 - 00;18;25;14
Larry
And then everybody's like, well, why is that still red? Well, it's been red now for nine months, but nobody cares. The only reason somebody cares about it now is because the auditors are coming. So the goal is to have this to help bring a full picture, right, of what risk means. Right. Because if you can tie it down and say, hey, we had a risk assessment, or we've got these vulnerabilities, the risk associated with these things means this.

00;18;25;23 - 00;18;48;09
Larry
It ties back to our inability for this application to run. Right. Which is going to cost us X amount of money. It ties back to this regulatory thing that we are currently failing. This is going to cost X amount of money in fines, right? It's bringing that full picture. The purpose of a GRC is not to solve the problem of governance, risk and compliance.

00;18;48;16 - 00;19;18;20
Larry
It's to bring visibility to it and bring in the ties to all the things that matter from a business perspective. And that's where people get this failure. It's not just about getting reports written, it's not just about having a system of record, it's about all of those things. And having this tool is going to facilitate processes, tie into the other tools that you already have, and remove a lot of manual efforts that organizations are wasting today.

00;19;18;25 - 00;19;53;03
Larry
If you can't hire enough people, shouldn't your number one job be trying to find out how to make the people you have more efficient? Right. And in automating GRC, that's one of the big things. If I could make my team more efficient, if I've got a way to automate the ingestion of vulnerability data audit, automate the ingestion of security data, automate the ingestion of all these different data points that I can then through that tie that directly into my risk register and the controls that I have and see in real time every day where we stand.

00;19;53;09 - 00;20;16;11
Larry
Because here's the deal. If a tool reports something, right, something turned red in Tool Z, because we know we've got a myriad of tools out there today, right? If somebody sees it, they're going to focus on just that, but they're not going to know how to prioritize it. So if the tools are not important, then all of a sudden turn red over there.

00;20;16;11 - 00;20;36;18
Larry
We'll get to that because we've got other things. But if this tool reports it and that tool is seen as it ties to a control that then aligns to a business process that then allows to a regulatory framework and that stream turns red, that's a whole asset moment, like, Oh wait, who? I didn't know that that was going to impact all these things.

00;20;36;18 - 00;20;41;27
Larry
Somebody needs to go fix that. That's what the purpose of GRC tools should be.

00;20;43;05 - 00;21;10;29
Jeffrey
All right. So, a couple of questions. So you've been talking a lot about regulatory drivers. What about organizations or companies that don't have a lot of regulatory oversight? I mean, I think everyone's got something. But there are organizations that are not heavily regulated, right? Not everyone's a bank, not everyone's health care. So how would you suggest a peer, a colleague of yours in one of those environments, sort of motivates people to fix stuff, right, to address risk?

00;21;11;24 - 00;21;26;14
Larry
Yeah. So in those non-regulated entities, and they do exist, right? It's really about controls, right? Everybody is picking a framework. Nobody is building a cyber program just on a whim. That just doesn't happen. You know, I guess.

00;21;27;03 - 00;21;33;04
Jeffrey
I will tell you, my time at Gartner, that is not true. There were plenty of people really winging it, man.

00;21;34;05 - 00;21;53;04
Larry
Really? Are we kidding? Like, the easiest thing on the planet that you can do as a cyber practitioner or a cyber leader is when you say, okay, I need to build. And actually I did meet somebody that day who's both IT and cyber and he's at a small health care facility here in Florida. I said, so you have a team.

00;21;53;04 - 00;22;11;14
Larry
He's like, no, it's just me. I said, you have an IT team. He said, no, it's just me. I do have you. What tools do you have? And I won't even name a tool, but it was like it was 1995 all over. You know, the okay, I was like, do you have... So what?

00;22;12;18 - 00;22;29;08
Jeffrey
You know what? That's a find-a-new-job moment. But I'll tell you what, Larry, I'm telling you, I was taking at least two or three calls a month for the last couple of years at Gartner going, hey, we don't have a framework. What framework should we pick? And I used to tell people all the time, I don't really care which one; just pick one.

00;22;29;17 - 00;22;45;19
Jeffrey
And there's too many great number one, a bunch of really smart people made a bunch of bad mistakes and decided this is how not to make them. But more important, when you go to management, say, Hey, we need to do this. And they say, why? If your answer is why, got to thumbs and I say, so they're not giving you any money.

00;22;46;03 - 00;22;52;22
Jeffrey
Right? So you're assuming everyone is you, and that's not true.

00;22;53;05 - 00;23;11;00
Larry
Right? Right. Yeah. And so today on stage, I did ask the room of probably, you know, 200 people, hey, who's using a framework for the basis of this particular program? And about 50% of the room raised their hand. I assume the other 50% just didn't raise their hand because they're, you know.

00;23;12;08 - 00;23;16;01
Jeffrey
You remember the old saying: assume makes an ass out of you and me.

00;23;17;04 - 00;23;42;05
Larry
Either. So here's the deal. So for those non-regulated entities, my hope is that they're using a framework. And I'd say for any non-regulated entity that is using a framework, again, it is about tying things back to controls, because controls are the things that help you understand your true risk. You can say, oh, because I've got this vulnerability, there's a risk.

00;23;42;05 - 00;24;08;24
Larry
But if the vulnerability is to a system that is not connected to the Internet and it's isolated, is it really a risk? Right. But you may have 25 of those that have something that's unpatched, but is it really a risk? Right. But if you have that same system that's sitting in your DMZ that's tied to a business unit that generates $100 million of revenue, then that should be the highest risk possible.

00;24;08;24 - 00;24;43;29
Larry
And so I think aligning to a control framework of some sort gives you the ability to sort of prioritize what you do and don't work on. Right. And then having those controls that give you that prioritization, then having a GRC that ties the data you are generating inside your security ecosystem specifically to those controls, gives you that visibility you need of what controls are failing and why.

00;24;45;06 - 00;25;05;27
Jeffrey
Right. So you mentioned business process, and I think that's an important thing. Let's spend a couple of minutes. I have sort of realized fairly recently, considering I've been doing this for a long time, that your executives care about three things: money coming in, whether that's customers, revenue, whatever; money going out, they want less of it.

00;25;06;05 - 00;25;27;25
Jeffrey
And if something goes sideways, who's getting in trouble, right? So there's a piece, I think, between what you talked about and sort of ultimately what that is. I mean, just to give you an example, I work with our salespeople at Black Kite, and I tell them, you need to go to the website of the company you're trying to sell product to and look at what their values are.

00;25;27;25 - 00;25;53;23
Jeffrey
Look at their mission, their vision, look at their strategic objectives. And here's the interesting thing. I used to talk to a lot of CISOs who never did that for their organizations. So I don't know if you remember Ken McGee from Gartner years and years ago, but like my first out-of-the-country conference, Ken and I were sitting having cocktails in India and he had a couple and he said, look, I work with a lot of CEOs of very big companies.

00;25;53;23 - 00;26;01;05
Jeffrey
And he said, A lot of them can't tell me what the most valuable line item on their general ledger is. In other words, they don't know what their businesses do for a living.

00;26;03;04 - 00;26;03;29
Larry
That's insane.

00;26;05;07 - 00;26;09;12
Jeffrey
But it's a fact and it's pretty real stuff.

00;26;09;12 - 00;26;28;25
Larry
That's it. Because the CIO is supposed to be the tie between business and technology. They're supposed to be the ones that are developing a technology strategy to enable the business to accomplish its business goals through the use of technology. So any CIO that like that is, yeah.

00;26;29;16 - 00;26;50;29
Jeffrey
Man, in my opinion, I think there are a fair amount of CIOs out there that are actually really CTOs. They manage the technology. But the flip side, I think, is also a problem, which is, you know, if you look at publicly traded companies, right, they declare salary. So CEO makes 800K, CFO makes 600K, COO makes 600K, CIO makes 350.

00;26;52;22 - 00;26;53;08
Jeffrey
Right, Right.

00;26;53;08 - 00;26;55;29
Larry
Well, so that's well and then.

00;26;55;29 - 00;26;56;14
Jeffrey
They're not.

00;26;56;15 - 00;27;01;03
Larry
So if the CIO makes 350, then the CISO's making 175.

00;27;01;28 - 00;27;24;11
Jeffrey
Not anymore, though. But yeah, I mean, the point is that I think it's a bit of a cyclical problem, right? Because if they don't believe the CIO or the CISO is strategic, they won't involve them in strategic conversations. And then it becomes a self-fulfilling sort of prophecy where they're pulling everybody down. And then what happens?

00;27;24;11 - 00;27;42;17
Jeffrey
Something bad happens and the CISO is now the chief scapegoat officer. And, you know, so hopefully the new SEC regulations will have some impact there, because now the boards need to know what the material risks are of the business and they can't say, well, we didn't know that, anymore. So hopefully.

00;27;42;17 - 00;27;43;14
Larry
That will take.

00;27;43;14 - 00;27;44;02
Jeffrey
Some time. But.

00;27;44;26 - 00;28;03;09
Larry
You know, the credit unions have come out with a similar thing, right? So the credit unions have come out with a regulation that basically says 72 hours of identification of material breach. You must notify 72 hours. Right, for credit unions.

00;28;03;12 - 00;28;22;24
Jeffrey
So even here's the problem. You, Larry, when are they aware being building? Because because that's the thing. The federal government has similar strict things. And, you know, typically they just we didn't know about it or we were still researching and we didn't have anything to declare. So I like to hear.

00;28;22;24 - 00;28;23;18
Larry
That's the piece.

00;28;24;17 - 00;28;42;29
Jeffrey
And the other one I think that's going to start raising a lot of awareness too is DORA at the EU. And I'm actually looking for someone to come on and talk about it because I don't know enough about it. But, you know, I was talking with my former colleague Roberta Witty and she says their volume on DORA is like through the roof.

00;28;43;15 - 00;29;00;25
Jeffrey
And really the general consensus is that this is not going to be one of those regulations where they're going to let you off a whole bunch of times until they start enforcing. She thinks they're going to have a hard, you know, nose to the grindstone enforcement like they want, and it's coming. I think it's I think wow, this month.

00;29;01;12 - 00;29;01;24
Jeffrey
Yeah.

00;29;02;01 - 00;29;02;18
Larry
Wow.

00;29;02;18 - 00;29;17;07
Jeffrey
And I think there are huge issues there. And one of the things we've been talking about, and I actually have a blog that either just went up or is going up on, you know, DORA has a big piece on third party risk management in it because of all of the dependencies that are out there.

00;29;17;17 - 00;29;35;26
Jeffrey
And let's actually talk a little bit about third party risk, right, as a subset of forum, because we're seeing board level awareness now around supply chain risk. And for my money, supply chain risk, vendor risk, third party risk, they are all facets of the same coin.

00;29;36;12 - 00;29;37;03
Larry
100%.

00;29;38;08 - 00;30;03;17
Jeffrey
It's a risk you accrue because you do business with somebody else, right? So depending on who's looking to, but who owns it, right? Because we don't get a good answer. I did a webinar, PHI GRC forum, last summer, and we asked as a polling question, who owns the cybersecurity piece of your supply chain? Risk was their topic, and about 50% of the people said the CISO, and the other answers were all over the place.

00;30;03;24 - 00;30;12;12
Jeffrey
And then I asked kind of in a kind of on the fly question. So of the CISOs that own it, can you say, no, none of them could know.

00;30;13;16 - 00;30;15;02
Larry
So you can say, Well.

00;30;15;09 - 00;30;17;16
Jeffrey
Who owns third party risk? Who should own it?

00;30;18;19 - 00;30;45;24
Larry
It shouldn't be the CISO, it shouldn't be the CISO, right? I mean, unless you are focusing that third party risk specifically on the technology component, Right. If you want to say right, I think because third party risk goes beyond just the technology integration between jobs and the right. So I think the chief data officer is a person that should own it, right, Because ultimately the risk is about the data, right?

00;30;46;06 - 00;31;07;24
Larry
When you when you're working with a third party, Right. So then it's that data interchange and how they utilize it, how they store it and that type of stuff. But I can also see the CISO, it should be so in most organizations that I know, third party risk the CISO has a seat at the table. Right?

00;31;07;24 - 00;31;25;24
Larry
And then there's somebody in the business that owns third party risk, like my buddy is the head of third party risk at TD Ameritrade. Right? So so it's a it's its own entity outside the CISO and so I don't know I see it as its own thing. If you have a chief risk officer, maybe that's where it goes, right?

00;31;25;24 - 00;31;39;01
Larry
Because the risk and it's got this tie between business and data and technology that is just sort of very weird and tough to put it in the proper place. Yeah.

00;31;39;12 - 00;32;08;21
Jeffrey
Well, you know, there's two extremes, right? If everybody owns it, nobody owns it. And if nobody owns it, nobody owns it. And I feel like we are we're playing both ends against the middle. And I was actually talking to the guy a couple weeks ago about enterprise risk, and he said, look, the person that runs enterprise risk, whether it's a S.R.O. or something similar, they have an unenviable role because they need to understand all of the facets of risk but don't own any of them like that.

00;32;08;22 - 00;32;27;18
Jeffrey
The ERM person typically has a very, very small staff. You know, maybe they have a couple of policy people, maybe they have GRC people. But it just it seems to me like we're still far away from figuring this part out. Like, I mean, you know, in my role, I own I own the relationship with the analyst firms.

00;32;27;29 - 00;32;45;00
Jeffrey
And I talked to my former employer and the others and I talk to them on a regular basis and I'm constantly being shunted around. Well, okay, talk to the people. They talk to CISOs. I talked to the people in sourcing procurement and vendor management. I talked to the people that are focusing on ERP. I actually had someone suggest to me, which was really interesting.

00;32;45;21 - 00;33;09;26
Jeffrey
He said Supply chain risk actually should be owned by the Chief Revenue officer. And you go, Well, why? Well, here's why. If I sell product and my supply chain gets whacked and I can't deliver product, who's getting a screaming phone call? The sales guys, right? So it's all over the place and that's part of the deal.

00;33;09;26 - 00;33;34;05
Larry
But the Chief. Yeah, that's interesting. I've never thought about that. I would I wouldn't do that. And here's the reality with most of these, right? So, so Enterprise Risk management is always a group, right? But to the point that you made about the enterprise risk manager not owning anything and having to make calls about things that they don't own, isn't that what CISOs do today?

00;33;34;28 - 00;33;38;26
Larry
We don't own any of the risk. We don't own the technology that I have.

00;33;38;27 - 00;33;41;14
Jeffrey
But we you guys get in trouble for it all the time.

00;33;41;27 - 00;34;07;12
Larry
Right? I know. But like, so so when we think about the enterprise risk manager, right, where they don't own the risk, they don't own, they're just governing the risk. They're advisors who sort of track the risk across the business and what's going on, whether it's physical risk, operational risk or whatever technology risk they're sort of tracking and governing and trying to hold someone accountable, but they don't own it.

00;34;07;12 - 00;34;30;20
Larry
Well, that's what security does. We don't own this shit. We are blocking and tackling and then we're advising the technology arm of our business, Hey, we need to do these things. We're advising the business that that business strategy and the mechanism you're going down to try and implement technology to enable that business strategy is risky, that you probably should do this, but we don't own it.

00;34;30;26 - 00;34;45;13
Larry
Yes, we are starting to see CISOs take over infrastructure, but they're pulling it into them. And now I see Chief See to see what is it? Chief Infrastructure Security Officer Right. I know a couple of people that.

00;34;45;27 - 00;34;49;29
Jeffrey
I feel like we're going, but I feel like then we're going in the wrong direction.

00;34;50;07 - 00;35;20;02
Larry
I agree. 100%. 100%. Actually. My belief is this is that the CSO should not only operations meeting the CSO shouldn't own a soc. The CSO should know that should all be underneath the CIO and or the CTO. Okay, that's it. Put it underneath. The CIO and CTO. Have the CSO sit on the outside and be an advisor and an auditor and an own governance.

00;35;21;03 - 00;35;51;18
Larry
Right with their job is to hold the CTO and the CIO accountable. Right to the proper controls, accountable to implementing the proper technology, accountable to doing the things that they need to, and reporting on that up to the CEO, reporting that up to the board as as an advisor to these entities, understanding risk, understanding the risks of business, understanding the risk of technology implementation.

00;35;52;01 - 00;36;03;22
Larry
But we see CEOs in our industry have a problem with size and I'll expand on that. We like big teams, right?

00;36;03;29 - 00;36;07;17
Jeffrey
Well, right, because the more people you have, the more perceived power you have.

00;36;08;23 - 00;36;18;21
Larry
Me, me, me, me, me, me, me, me, me. Right, right. There's the Sir Mix-A-Lot song, Right? Big team that we will not allow you. It's right.

00;36;19;15 - 00;36;21;11
Jeffrey
Now. You're dating yourself, Larry.

00;36;22;00 - 00;36;43;28
Larry
I know a little bit, but. But that's what it is. We like size. We want to. We want our teams to be massive. We want our team to be right. Listen, I would I would prefer a small team if I could just sit here and be an advisor and say, hey, they're not operating this way the way they need to.

00;36;44;12 - 00;36;55;06
Larry
They're not implementing the way they need to. They're not these are the things we advise that they do here. The controls that need to work to aligning towards. Right? That would be my nirvana.

00;36;55;26 - 00;37;25;03
Jeffrey
Is here that that requires that requires good processes. It requires visibility because you can say that. But you need to know it's happening and you need to know before it becomes a problem. And that is I just I feel like we are I feel like we're going up. But there very, very slowly. And I don't know if you've been following any of the stuff that Proctor has been doing over at Gartner on ODMs and outcome driven security.

00;37;25;03 - 00;37;47;23
Jeffrey
And I think he's really on to something there and it's resonating. But I feel like it's still it's still applicable in much, much larger environments. And I think in smaller environments, I think I don't think we have the luxury of not having some of those teams. I mean, some of the best CISOs I've known in my career has had very small teams.

00;37;48;01 - 00;38;08;27
Jeffrey
You know, my friend Dennis Precocious, he was the CISO for McGraw-Hill, he like five people. They were a strategic advisory function company and he had a great program, but part of it was his personality, right. And his approach and I don't know when he left there if that was the case. Now, there was the whole spin off with S&P and there was a lot of stuff there.

00;38;08;27 - 00;38;30;04
Jeffrey
But yeah, so. All right, Larry, we are running up on the end of our time. I know you and I could talk forever. Yeah. Let's do a quick let's talk a quick little recap. So Larry does not have a famous heroine. However, he is a big Charlize Theron fan. I love that. Yeah, that's my I think if I.

00;38;30;13 - 00;38;53;03
Jeffrey
I could never come up with a heroine, but I'm a big fan of Galadriel from from Lord of the Rings. I thought she was okay. Very powerful. Subtle. Put push the man in the right direction, which is here. Go, go Do this. So I thought she was great. GRC is not a panacea, which we we all know, but it can definitely be an important part.

00;38;53;09 - 00;38;59;12
Jeffrey
We have too much data. And Larry, like Sir Mix-A-Lot, anything else? Larry, before we go.

00;39;02;04 - 00;39;04;08
Larry
That's a good summary. It's super.

00;39;06;20 - 00;39;10;29
Jeffrey
All right. Any final thoughts, Larry, for the audience before we go our separate ways?

00;39;11;15 - 00;39;38;17
Larry
No. You know, for me, I know. Yes. For me, I always like to leave. A final thought. Right. So and this sort of stuck with me. It is do something. And that do something is start with a framework like whatever you're doing. I don't care what you're doing. Start with a framework as your guide. Do not go out there like a cowboy, a cowgirl, and do this all willy nilly.

00;39;38;28 - 00;40;02;21
Larry
There is too much data. There's too much that we have found over the years. The threat actors are getting smarter at a faster clip than we are. Like use a framework. It will it will literally save you time. And literally, like the CIS Controls, they've actually made it English, meaning, you know, a lot of these frameworks are you know, if you're trying to read like what do they really mean?

00;40;02;29 - 00;40;05;28
Larry
Go to the CIS Controls, They've simplified it for you. Right?

00;40;06;25 - 00;40;21;00
Jeffrey
But you know what I will tell you, it made me nuts when they went from 20 to 18. For whatever reason, as a nice round number 18 is to diffusing. But you know, to your point, I love that. And there was a presentation I tried to do a couple of years ago. They let me do the deck but they wouldn't let me keep the title.

00;40;21;08 - 00;40;39;22
Jeffrey
My title was pick a framework stupid. Shockingly, Gartner would not let me put that on stage. But I know like, you know, rich artists got a cushy job and a couple other folks, they ran with that and I think it was really, really important. So. All right, my friend, a pleasure as always. It's been way, way too long.

00;40;39;22 - 00;40;59;23
Jeffrey
Let's keep in touch. We will see each other at RSA or maybe we will have seen each other at RSA because I don't know when you're going to go up, but either way, we'll have fun with that. Larry, I want to thank you again to the audience. Stay safe, stay healthy, stay secure. This has been another episode of Risk and Reels.

00;41;00;04 - 00;41;00;21
Jeffrey
We've been out.

00;41;00;21 - 00;41;29;21
Ender
Thank you for listening to Risk and Reels, a cybersecurity podcast. Be sure to follow us on Apple Podcasts, Spotify or wherever you listen to riveting minute conversation about movies and cybersecurity. Jeffrey will be on the road this year at some of the industry's biggest events, but you can always find him on LinkedIn and Twitter at Jeffrey Wheatman.

00;41;30;19 - 00;41;39;14
Ender
This podcast is powered by Blackout, the only security rating service to deliver the highest quality intelligence to help organizations make better risk decisions.