Risk and Reels: A Cybersecurity Podcast

Forrest Gump, threat modeling, Animal Farm, application weaknesses, business impact analyses, resilience, accountability, and STRIDE. Tune into the latest episode to hear from Matt Stamper, the CEO of Executive Advisors Group.

Creators & Guests

Host
Jeffrey Wheatman
Cyber Risk Expert, Evangelist, Thought Leader, Storyteller, Executive Advisor, and former Gartner Analyst

What is Risk and Reels: A Cybersecurity Podcast?

A podcast for movies. A podcast for cyber talk. A podcast for smart people to say smart things to smart listeners. Hosted by Jeffrey Wheatman, former Gartner Analyst.

00;00;17;00 - 00;00;39;19
Speaker 1
Greetings and salutations, everyone. Welcome to another episode of Risk and Reels. I am your host, Jeffrey Wheatman, and I am proud and excited to have my guest, Matt Stamper, on today. Matt and I have known each other for, oh my God, six or seven years. We worked together at Gartner. Matt is currently the CEO of Executive Advisors Group.

00;00;40;00 - 00;00;56;05
Speaker 1
He is also one of the authors of the CISO Desk Reference Guides and the Data Privacy Program Guide, which are excellent, excellent books that talk about being a CISO and protecting our data. So welcome, Matt. Nice to see you, brother.

00;01;02;06 - 00;01;06;11
Speaker 1
I don't know if it's déjà vu. I mean, there's a glitch in the matrix, so we have to be good.

00;01;06;12 - 00;01;08;10
Speaker 2
Yes. In line for the.

00;01;08;10 - 00;01;09;26
Speaker 1
Black cat going up the stairs.

00;01;09;28 - 00;01;11;07
Speaker 2
Grab me on the show.

00;01;12;08 - 00;01;37;16
Speaker 1
Well, so just so everyone knows, I am in southern Florida and Matt is very, very, very far away. You may be able to tell by his shirt that he is in Hawaii on vacation. It's something we don't always get to do in security. All right. So let's jump in, my friend. As we always do on Risk and Reels, we always start out talking about movies.

00;01;37;17 - 00;01;58;11
Speaker 1
So I want to hear your thoughts on this. Let's talk about romantic comedies. What is your favorite rom-com of all time?

00;01;58;11 - 00;02;17;26
Speaker 2
It's going to sound a little bit off, but I just love Forrest Gump. I loved the true love that he had. I love the way this story kind of shows an individual life and how it pans out and all the other interesting historical montages that surface in Forrest Gump. I just think it's one of the classic films that are out there lately.

00;02;17;26 - 00;02;26;03
Speaker 2
I haven't seen a whole lot of movies because cybersecurity is so included. I mean, you're constantly, you know.

00;02;26;04 - 00;02;57;04
Speaker 1
Maybe romantic, but probably not much of a comedy. So I'm also a big Forrest Gump fan, I think, as a rom-com. It's gotten a little kind of cool to dislike Forrest Gump recently, and I believe that you have to sort of look at those things in the time they were made. At the time it was great, and some of the technology they used was incredible too, to be able to get, you know, Forrest in with Kennedy, Nixon and all those things.

00;02;57;04 - 00;03;20;18
Speaker 1
And, you know, now with deepfakes, and we can talk about that because I think that's an interesting topic, but I think people take that stuff for granted, right? So I'll share. My favorite rom-com is When Harry Met Sally, for a wide variety of reasons. But I think one of the best scenes is the scene that takes place in Katz's Deli.

00;03;21;26 - 00;03;43;21
Speaker 1
And if you ever go to Katz's Deli in New York City, which is an amazing place if you want to get pastrami, they actually have a sign hanging over the table where Harry and Sally met, and a little trivia that not everyone knows: the woman who says "I'll have what she's having" after Meg Ryan does her little fake thing is actually director Rob Reiner's mother.

00;03;44;15 - 00;04;16;25
Speaker 1
So a lot of people don't know that. So I think, you know, Forrest Gump actually gives us a really good transition. The joke that we always had when you and I worked together at Gartner, you and Sam and I, was that your answer to every problem was threat modeling. Right. And I think that's a great sort of transition, though, because think of all the risks that Forrest took in his life.

00;04;16;25 - 00;04;39;27
Speaker 1
Right. That all led to these amazing things. And, you know, his personality and his sort of approach to life. He never really thought about that. Right. He got lucky in a lot of cases, because a lot of the things he did could have ended terribly. Right. So he didn't really do a lot of risk assessment, didn't really do a lot of threat modeling.

00;04;39;27 - 00;04;56;06
Speaker 1
And as you and I have talked about, you know, many times within the area of third party risk management, which obviously is what we do at Black Kite, and you and I have talked about it many times, I think people sometimes maybe look too high up the stack at the risk and not enough really at the threat.

00;04;56;06 - 00;05;10;15
Speaker 1
So before we started recording, you kind of shared a little bit of how you got into threat modeling. So I think that might be interesting. Let's start there. What got you sort of on the threat modeling bandwagon to begin with?

00;05;20;13 - 00;05;55;00
Speaker 2
In the spirit of a shameless plug for someone else's book, Adam Shostack's book Threat Modeling: Designing for Security remains a classic. I think it's something that everybody should read. And what struck me was just the commonsensical nature of the methodology. When you do a STRIDE analysis, you're looking at how identities are spoofed, how information would be tampered with, how transactions would be repudiated, how you would have information disclosure, denial of service or elevation of privileges, all these negative attributes, if you will.

00;05;55;13 - 00;06;19;02
Speaker 2
It's a simple way to look at something effectively. You're always asking, what is it that I don't know that I should know about a service, about a vendor, about a component, about a supply chain, about an application, about whatever the case may be, a proposed business strategy? And you're asking some of those what-if questions and you're trying to evaluate the risk.

00;06;19;02 - 00;06;43;04
Speaker 2
I think, Jeffrey, I'm preaching to the choir. When we think about risk in our profession, there's a tendency to look at how we eliminate risk, and our job is never to eliminate risk. Our job is to look for good risks to effectively take. There's no reward without risk. You know, organizations can exist these days without supply chains, without good, high quality third party vendors.

00;06;43;14 - 00;07;04;00
Speaker 2
But we need to assess the risk. We need to understand their risk profile. And there are tools we can use that facilitate that: doing a simple threat model, doing dependency analyses, doing things as simple as a BIA. In my book, I talk a lot about how important business impact analyses are, but too many organizations don't really do those.

00;07;04;12 - 00;07;22;11
Speaker 2
And I think they don't do them in the same way that they don't do threat models or other types of risk assessments or analyses, because they're viewed as overly complicated, and they don't need to be. They can be a water cooler discussion. You and I just talking about a subject will help us think and frame risk differently.

00;07;22;26 - 00;07;24;03
Speaker 2
So weren't having those.

00;07;24;03 - 00;07;41;00
Speaker 1
There was a lot there to unpack, and I agree with a lot of it. And I think the BIA is one that I want to kind of pull out, because I don't know if you remember, but you had a deck you created when we worked together at Gartner about using a BIA to drive privacy and to drive security and to drive risk.

00;07;41;11 - 00;08;00;16
Speaker 1
And I think that is a huge benefit that I don't think people avail themselves of. Right? Most organizations have some kind of a continuity resiliency plan. And the only way for those to be useful is if you've done some kind of an analysis of interaction and, you know, how bad would it be if this system went away.

00;08;00;16 - 00;08;30;03
Speaker 1
Right. To just put it really, really simply. And I feel like you're right. I think it's underutilized, not just in continuity, but in being able to leverage that. And granted, it's focusing on availability, not as much on data and integrity and things like that. But I think it's really, really important. And that's the kind of conversation that's easier to get your business stakeholders engaged in. If you go and say, so tell me what your cybersecurity goals and objectives are for this system,

00;08;30;03 - 00;08;51;26
Speaker 1
they go, get out of here. But if you say, hey, how bad would it be if this system fell over, or in the construct of third party vendor risk, how bad would it be if this company went away? One of the questions we run into when we talk to people all the time, and we used to see this at Gartner, you know, is that not all of your partners are the same.

00;08;51;26 - 00;09;13;26
Speaker 1
They're not all equal, right? To badly misquote Animal Farm by George Orwell, all partners are equal, but some partners are more equal than others. And I think the ability to look at those, you know, how bad would it be if they went away, and we see this in ransomware, right? I always ask people, what would happen if your number one partner got hit with ransomware and they were down for a week?

00;09;14;03 - 00;09;54;06
Speaker 1
How long would you be down for? And it's just always longer than a week, right? So bringing that back to the whole threat modeling discussion, and looking at all of these things and thinking about the unknown unknowns. Right. So for someone who's listening who's never done a threat modeling exercise, what are sort of the steps that you would take them through, from kind of, you know, one to Z?

00;09;54;06 - 00;09;59;26
Speaker 1
Let me just, I mean, I know, but what is the STRIDE model?

00;10;00;06 - 00;10;32;19
Speaker 2
So you're looking at inherent weaknesses within the application, within the service, within the... So STRIDE effectively stands for all the negative things that could happen: spoofing of identities, tampering with transactions, or excuse me, tampering with data, repudiating transactions, having information disclosed, denial of service, or elevation of privileges. So STRIDE is a way to look at kind of these negative outcomes.

00;10;32;27 - 00;10;58;11
Speaker 2
And then you just ask good open-ended questions. Do we have appropriate mitigations? Do we have an appropriate level of control or understanding or governance to preclude identities being compromised, in the case of spoofing? Do I have good integrity controls, in the case of, you know, tampering with the data? Do I have the ability to do non-repudiation with transactions, and those sorts of things?

00;10;58;11 - 00;11;24;07
Speaker 2
So I think STRIDE, in addition to doing kind of the threat model and the complement with the BIA, is fundamentally about dependency analyses. Do I have any types of dependencies that I need to be aware of as I'm looking to this particular business outcome, this particular business service? And one of the reasons why I think these are so critical is the first letter of that acronym.

00;11;24;10 - 00;11;47;09
Speaker 2
It's business. It's not about cyber security. You know, it's not about the newest technology. It's fundamentally, what are the business impacts to our organization? Again, what is it that I don't know that I should know that could impact my organization's ability to deliver a service, to be resilient, to be able to address some of the challenges that we're frankly seeing?

00;11;47;09 - 00;12;19;04
Speaker 2
In fact, in your firm's 2023 analysis, one of the things on kind of vendor risk management, one of the things that really hit like a ton of bricks is this multiplier effect, the systemic risk that if you have a particular component or supplier, those impacts tend to be a lot more pervasive than we realize. So I think one of the things that we're seeing bluntly is when CISOs or risk officers or other individuals are looking at their supply chain and their vendor risk.

00;12;19;15 - 00;12;20;29
Speaker 1
Well, let me ask you a question.

00;12;21;03 - 00;12;21;07
Speaker 2
How.

00;12;21;21 - 00;12;23;17
Speaker 1
Do we know? Why don't we know?

00;12;23;18 - 00;12;25;16
Speaker 2
We don't understand you.

00;12;26;20 - 00;12;42;21
Speaker 1
Flow it, right? I do business with this company and they provide this service. And if that service goes away, I can't make money, save money or find someone to blame if something goes sideways. So why don't people know? It seems like you would have to.

00;12;48;00 - 00;12;48;13
Speaker 1
Yeah.

00;12;49;29 - 00;13;19;24
Speaker 2
It's. It's. I. You're preaching to the choir. It's. It is certainly no bull, but I think there is definitely one. There's a volumetric issue, and let's be very honest about that. A large organization is going to have a vendor master file that numbers in the thousands, potentially seven, eight, nine, 10,000 vendors. Determining which of those vendors are material to operations, that are material to any number of corporate directives or enterprise risk considerations.

00;13;19;24 - 00;13;42;02
Speaker 2
That's difficult, detailed governance work that needs to be done. Then we've got the problem with the tooling, frankly, on how we look at risk. Traditionally, we've had kind of the proverbial SOC 2 Type 2 audit as a system, so there's no way in hell I would ever allow that level of assurance to really guide how I look at things.

00;13;42;02 - 00;14;01;19
Speaker 2
But I don't have, in many cases up until recently, really good tools to make better decisions. So we end up relying on a SOC 2 Type 2 audit. How many of those, if you read them, have had a disclaimed opinion or deficiencies that are material? You know, they all kind of read, you know, reasonable assurance, etc., etc. So there's a challenge there.

00;14;02;10 - 00;14;24;09
Speaker 2
Then we also have the dynamics, and I just completed one of these last week, a 600-question SIG for a customer of mine that I'm helping out. And realistically the risk profile of the organization was inherently low, but the number of questions that were related to it, which took hours and hours and hours to complete, was asymmetric.

00;14;24;09 - 00;14;59;03
Speaker 2
So we've got really imprecise tools historically. And I think one of the things that we're seeing is this transformative moment around how we're looking at third party risk, how we're looking at vendor risk and supply chain risk. And there's recognition clearly, with some of the issues, Log4j, the SolarWinds issues, et al., a number of the MSPs that are being compromised that have high privilege access into our environments, we're seeing that historically the tools we had are insufficient to deal with the type of risk that we're confronting today.

00;14;59;13 - 00;15;02;00
Speaker 2
And so I think CISOs are shifting. So, okay.

00;15;02;12 - 00;15;23;05
Speaker 1
You said a couple of things there that I really like. So the first one is you sort of went supply chain risk, third party risk, vendor risk, not in that order. That's something that I've been talking about for a long time. I mean, you know, we worked together at Gartner, and one of the things Gartner does is they have to define everything, and please, my Gartner friends will get mad at me.

00;15;23;16 - 00;15;45;22
Speaker 1
But I always said, look, why are we defining things? Nobody else cares. They have problems you need to solve. And I've been talking about this concept called extended ecosystem risk or digital ecosystem risk. At the end of the day, third party, supply chain, vendor, whatever. You're absorbing risk because of someone you do business with, right? So I think that's an important one.

00;15;46;11 - 00;16;14;12
Speaker 1
And then the other thing that you really hit on there was the concept of exactly that sort of cascading issue. Right. Which is, we have partners, they have partners, they have partners. And I think that's an area where people really struggle, right? There was an incident back in December. So I always ask people, have you ever heard of a company called Seven Rooms?

00;16;15;09 - 00;16;44;08
Speaker 1
They will know. Well, they had a breach in December. They are one of the biggest CRMs in hospitality and restaurants. They lost, what was it, 400 gigabytes worth of data. But here's the interesting thing. They didn't actually lose the data. They partner with another company that does data transfer. So that company got breached, Seven Rooms absorbed that risk, and then they turned it onto all of the companies that they do business with.

00;16;44;18 - 00;17;03;00
Speaker 1
And when I stumbled across that, I actually wrote a blog on it. I couldn't even find the name of that third party data transfer company. So I go and I stay in a hotel, right? That hotel has my data. They put it up in Seven Rooms because that's how they run their business. And all of a sudden my data is out there.

00;17;03;05 - 00;17;19;01
Speaker 1
Why? Because a company I never heard of that I did not choose to do business with, didn't do what they were supposed to do. Right. And I think.

00;17;19;01 - 00;17;49;01
Speaker 2
Yep, exactly. You bring up a perfect dynamic. Back when I was an analyst at Gartner, I did a lot of tabletop exercises and kind of built workbooks to facilitate those. And one of the topics that I had was effectively, how do you handle a security incident where it's your data, but it's that third party who's been compromised and now your data is being exposed?

00;17;49;12 - 00;18;15;20
Speaker 2
And realistically that is becoming a much more common type of scenario. But most organizations, when they start thinking through their incident response programs, they're not modeling in or contemplating some of those dependencies that they have on these third parties and their third level and fourth level dependencies. So my provider's provider's provider, in this case that, you know, underlying transport company, you know.

00;18;16;18 - 00;18;18;12
Speaker 1
Yes indeed I.

00;18;18;23 - 00;18;19;26
Speaker 2
Sequence your data.

00;18;20;08 - 00;18;47;15
Speaker 1
Yeah, I think it's a huge issue, and I think it's actually going to get worse. You know, we talk to people all the time about, you know, what, Google's probably doing a better job in security than most companies, Microsoft, Rackspace, Amazon. Right. But for every vertical, there's a whole suite of tools of smaller companies that probably don't have soft tools because they can't afford it.

00;18;47;24 - 00;19;09;10
Speaker 1
They don't have, you know, certificates, they don't do a night, they don't do a great job, but they're running a business. They can't spend half their revenue on doing these assessments. And I mean, you remember years back when you'd go to your SaaS provider and say, so tell me what you do for security, and they'd give you a SOC 2 and you'd go, well, is this yours?

00;19;09;10 - 00;19;20;28
Speaker 1
Oh no, it's Amazon's. I didn't know anything about your application development process, or how you are doing credential management, or whether you have MFA deployed.

00;19;20;29 - 00;19;21;20
Speaker 2
Exactly.

00;19;21;25 - 00;19;49;27
Speaker 1
Yeah. Any thoughts on how we... I'm not going to ask you how to solve it, because I don't think there is a solution, but how do we move in that direction? How do we get people more visibility, other than buying Black Kite, of course? But how do we get people to move in that direction? How do we hold people accountable?

00;19;49;27 - 00;20;19;09
Speaker 2
So, yeah, I think there's a number of factors that in the ultimate are going to move the needle. So one is that we have the SEC, the Securities and Exchange Commission, has got proposed rules that are likely to come into force in March or April or sometime relatively early next year, where there's going to be a requirement for greater disclosure around cybersecurity risk, systemic risk, things of that nature.

00;20;19;18 - 00;20;44;25
Speaker 2
As part of that effort, there's a gentleman named Bob Zukis that runs the Digital Directors Network, and he's focused on getting qualified technology experts on boards of directors. So there's a visibility at the executive, C-suite and board level around this digital risk, those pervasive digital risks that you've discussed frequently, you know, both here and elsewhere, that I think is really critical.

00;20;45;13 - 00;21;11;25
Speaker 2
There's another thing that I think is going to change the dynamics of high visibility. One, I think we're having greater visibility thanks to tools like yours that are providing more insights into kind of the inherent risk within our vendor and supply chain. There's also a legal issue here. If you were to go through and read most software licensing agreements, there are limitations of liability and disclaimers of warranty.

00;21;12;07 - 00;21;31;01
Speaker 2
The problem is that we're starting to connect IP networks with operational technology, and we can start to change the physical world. You know, we can close a valve that should be open, we can open a valve that should be closed, and effectively you have issues now related to safety. So one of the things that I think we do really well in this country is we tend to sue people.

00;21;31;02 - 00;21;55;19
Speaker 2
You know, this is a very litigious society in the U.S. You start to see scenarios in health care and elsewhere where, you know, cybersecurity issues that should have been addressed weren't, and the consequence of which is that an individual is harmed, you know, or potentially up to and including somebody dying because of poor security configuration or code practices, things of that nature.

00;21;56;15 - 00;22;21;24
Speaker 2
I start to question how long that ability for the software industry to avoid being liable for some of the poor code that is out there will remain. So I think there are some of those large kind of glacial type movements, but they're happening, and they are going to change awareness. And then I think the other dynamic clearly, and this one's a little bit more frustrating, but it just is what it is, is the geopolitical side of these things.

00;22;21;25 - 00;22;57;28
Speaker 2
You know, we've been talking for a very long time about how nation states are actually going in, stealing intellectual property, weaponizing third party tools, going in and doing a number of different things that harm US critical infrastructure, that harm intellectual property, that undermine our nation's ability to compete and drive economic value. So I think there's a huge confluence of issues that are raising the issue of cybersecurity with the board, with the executive leadership team, and it's starting to couple with better tooling, better telemetry, to have more risk-informed decisions.

00;22;57;28 - 00;23;25;08
Speaker 2
So I'm actually optimistic despite all those negative things that, you know, one of the biggest issues is, you know, what is it that I don't see that I should see? Well, now, you know, we've got a lot better visibility on third party risk, on supply chain risk, on software bills of materials, on the code that we run. We've got really good standards that are out there, like the Open Web Application Security Project's Application Security Verification Standard.

00;23;25;08 - 00;23;41;01
Speaker 2
Okay. Yes, that's a straightforward, simple way to look at designing good, secure code. Use it. You know, the Cybersecurity Framework from NIST, use it. You know, these are things that I think in the aggregate start to move the needle. Yeah.

00;23;41;10 - 00;24;06;21
Speaker 1
So I agree. And you know, you brought up the SEC regulations. I don't know when this is going to air, so it may actually be out by then, but we'll start to hear a lot more about that. And I think you hit on an interesting thing, which is getting more security people on boards. The problem I've seen is that you can't just put technical people on the boards, because they need to understand the business piece.

00;24;06;21 - 00;24;36;19
Speaker 1
And unfortunately, there's not a huge amount of people who cross that over. And I think that's going to be a little bit of a challenge. I mean, I was at an event in New York right before COVID, and they had five board members on stage talking about cyber. And I asked them what I thought was a pretty simple question: if your CISO comes to you, or your CIO or your CFO, and they tell you things you don't understand or don't care about, are you providing that feedback to them? And all of them scratched their heads and said, no, but we should, right?

00;24;37;06 - 00;24;55;05
Speaker 1
So that's the problem. The security guys go in there, the security ladies go in there. They tell a story. Good story, bad story, we don't know. They think they're being heard. The board thinks they understand, and they go their separate ways. And in six months, that poor CISO comes back and says, hey, look at all the cool stuff we did.

00;24;55;12 - 00;25;16;18
Speaker 1
And the board says, well, why did you do that? Right? So that's something that we want to be mindful of. And then the other one that we've started hearing a lot more about is DORA out of the EU. And DORA has a specific section on third party risk, and we're actually looking for a DORA expert for a future episode.

00;25;17;02 - 00;25;37;07
Speaker 1
It's so new, we don't really see a lot of them out there. But you know, from that dependency perspective, and again, I don't know when this is going to air, but not too long ago there was a situation where there was a company that provides an options trading platform out of the UK. They got hit with ransomware and they were down for, I think eight days is what it ended up being.

00;25;37;21 - 00;26;02;00
Speaker 1
And ABN Amro had to shut down their options trading desk, and a very large bank in Spain also had to shut down. And I guarantee you no one on the board for those companies had any idea that that dependency was there. And yet, you know, millions of dollars, pounds, euros are traded in options every day. And they had to shut that thing down.

00;26;02;13 - 00;26;25;01
Speaker 1
So it's exactly. Yeah, just dumb. I'm not quite as optimistic as you are, to be frank. I think the level of complexity is growing faster than our ability to have that level of visibility, and visibility is something you said a few minutes ago. And I think that may be the biggest problem, is that lack of visibility.

00;26;25;01 - 00;26;48;06
Speaker 1
I mean, we have customers who are using our platform to manage 40, 50, 60, 70, 80,000 entities, as is our biggest client. And even if you can do that, what do you do with that information? Right. I was actually talking with a guy earlier today. You know, you and I have had this conversation, right, about the difference between data and information.

00;26;48;18 - 00;27;13;16
Speaker 1
We've now added sort of another layer on top of that. Right. Data is good, information is better, intelligence is the best, because intelligence drives decisions. And I think we're far away. I always feel like we're not moving as fast as we think we're moving. And I just feel like the bad guys are ahead of us.

00;27;13;16 - 00;27;39;29
Speaker 1
I mean, you talked about our third party risk report. And one of the data points that I thought was interesting is we saw fewer third party breaches, but they impacted more first parties. And the financial impact was twice what it was the year before. And I tell you, those guys are getting smarter.

00;27;39;29 - 00;27;44;11
Speaker 2
It was larger. Exactly. It speaks, Jeffrey, to your point.

00;27;46;13 - 00;27;46;23
Speaker 1
Yeah.

00;27;47;03 - 00;28;10;20
Speaker 2
And it speaks to the critical, critical role of dependency analysis and the systemic risk that we face. You know, we are facing, broad strokes, the difference, systemic risk. I had a discussion with Bill Bonney, one of the coauthors of the CISO Desk Reference Guide along with Gary Hayslip; he and I were talking yesterday about quote unquote black swan events, and they're common.

00;28;10;26 - 00;28;46;13
Speaker 2
It's almost as though we're witnessing the death of the black swan. It's just now a swan. You know, they're out there, they're happening frequently, and the, you know, kind of novel technique that we saw a couple of years ago is now the day-to-day. And I think one of the interesting dynamics, I know it's a lot of buzz right now, but ChatGPT and everything from OpenAI and all these other tools, but, you know, there are some interesting articles afoot right now where you can use these tools to create malware that bypasses endpoint detection and response type tools.

00;28;46;25 - 00;29;13;20
Speaker 2
So it is an arms race without a shadow of a doubt. I think the critical thing is, you're trying to reduce that aperture of risk, you know, where the organization can effectively be hit with that type of risk and still be relatively resilient. That has huge implications around the quality of your supply chain, the quality of the vendors, the quality of the due diligence you do around them, and then internally the quality of your enterprise architecture.

00;29;13;20 - 00;29;40;12
Speaker 2
Is it designed for failure? You know, do you have fault tolerance and redundancy built into it, whether it's at a component level or a business process level or a vendor or supplier level? And we're seeing just so much risk hitting organizations today that, again, going back to the optimistic side of it, what's good is that the issue of risk is so front and center with executive leadership teams.

00;29;40;12 - 00;30;07;24
Speaker 2
You know, they've dealt with supply chain crises, they've dealt with a global pandemic. They're dealing with some really significant geopolitical issues. Now, there's a lot there that is driving better decisions. Going back, Jeffrey, to one of the things that you mentioned: as the CISO in my organization, it's incumbent upon me to translate digital risk into business impact. You know, CISOs have to speak enterprise risk management.

00;30;08;03 - 00;30;37;26
Speaker 2
They have to know ERM. If they're not really well versed in the ERM methodology, if they're not understanding of what reputational risk and financial and operational and regulatory risks are, they're effectively not serving their organization or their security programs very well. And I think most CISOs now are really ramping up their skill base. They're able to communicate digital and complex kind of technical risk in terms of business impact, and where they don't, there are a number of mechanisms out there that allow them to.

00;30;37;29 - 00;30;48;25
Speaker 2
One of the things I do is I do a little bit of kind of sidebar discussions, almost akin to the inquiries we used to do at Gartner, but kind of mentorship and just, you know, discussions with others.

00;30;48;25 - 00;30;52;01
Speaker 1
Yes, I had a conversation with somebody a couple weeks ago about.

00;30;52;01 - 00;30;52;17
Speaker 2
Directors.

00;30;52;20 - 00;31;20;01
Speaker 1
Sort of ERM and what their role is, and they articulated it in an interesting way, which I think is actually true. The person that runs ERM needs to know a little bit about a lot, but they don't own any of it, right? So it's very, very hard to roll that stuff up to the board level. But to your point, one of the requirements out of the SEC regulation is the boards need to be able to articulate material risk because of cyber.

00;31;20;22 - 00;31;43;15
Speaker 1
And I've spoken with a lot of boards and I'm not sure most of them know how to express what those material risks are. You know, the simple example that, and it's dated but I use it all the time, right, Société Générale got hit with a very bad fraud. There was a trader, he lost billions of dollars for them.

00;31;43;18 - 00;32;13;03
Speaker 1
Yeah, that was largely attributed to the fact that they didn't deprovision him when he changed jobs and he was checking his own trades. Right. So you say, well, I trained six cyber, but three or four billion dollars, that's a big number because someone forgot to take his rights away. And that's the stuff that hurts me.

00;32;13;03 - 00;32;38;27
Speaker 2
You hit on something that I think is so critical, the governance model. You know, you think about a RACI matrix: who's responsible for the actual functional task, who's accountable, who owns that risk, who ultimately is consulted and informed. Unfortunately for vendor risks, supply chain risks, cyber risk, a number of technical risks, those governance models are frankly very immature.

00;32;38;27 - 00;33;01;19
Speaker 2
One of the things I talk about in my book is, quote, declaring war on ambiguity. There should be zero ambiguity within a corporate structure about who owns certain types of risk. But the reality is that it's an inordinately ambiguous environment right now. Is supply chain and vendor risk owned by the CFO because she controls the corporation's finances?

00;33;01;26 - 00;33;13;23
Speaker 2
Is it owned by the CIO? Is it owned by the line of business that owns it? What's the governance model related to that? So you've got kind of a telemetry issue. Do we even understand the risk factors and considerations

00;33;14;23 - 00;33;14;25
Speaker 1
In.

00;33;15;00 - 00;33;23;00
Speaker 2
in the vendor and supply chain environments that we operate in, and then flip it over on the governance side? Do I hold Jeffrey Wheatman, a consumer that would

00;33;23;00 - 00;33;26;07
Speaker 1
Never be happy to hear that? Oh, yeah.

00;33;26;19 - 00;33;31;18
Speaker 2
We're putting it on. So I'm not more accountable for all vendor risk, man.

00;33;31;19 - 00;33;52;20
Speaker 1
I love that term. Well, you know, it's interesting you talk about the ownership and that's something that we we've started to see more and more of. I did a webinar a few months ago with the GRC forum and they asked us for a polling question. So the polling question I asked was who in your organization is ultimately accountable for the cybersecurity aspect of your supply chain?

00;33;52;20 - 00;34;20;26
Speaker 1
And about 50% of the respondents said the CISO. Some people said Erin, some people said the CIO, a couple of people didn't know, which always scares the crap out of me. But then I asked a follow-up question. So for you CISOs out there that said you own it, do you get to say no? And none of them could. So you're telling me you own that and you don't get to stop it if it's no good, right?

00;34;20;26 - 00;34;26;10
Speaker 2
They can't. Yeah. Oh, you're doing that.

00;34;26;10 - 00;34;27;25
Speaker 1
This whole thing is we're seeing.

00;34;27;26 - 00;34;28;10
Speaker 2
Vendors.

00;34;28;10 - 00;34;43;18
Speaker 1
That is there without knowing that somebody is getting involved in you, the onboarding, they're getting involved in mergers and acquisitions. So that's definitely something that that we're seeing. Yeah, we're seeing some changes. All right, Matt.

00;34;44;12 - 00;35;16;12
Speaker 2
Yeah, I was just going to say, when you look at a small number of quintessential challenges that our profession faces, there's a handful: identity governance that remains difficult, like that joiners, movers, leavers scenario that you describe where an individual's permissions or entitlements were changed; vulnerability and patch management, that's never going to be fun.

00;35;16;12 - 00;35;42;14
Speaker 2
It's always going to be a challenge. Vendor and supply chain risk, that is always going to be an underbelly until we start resourcing that correctly, we start tooling it correctly and we start implementing appropriate governance models related to it, so that line of business, CIO and CISO are not conflicted around onboarding the vendor, but they're fully informed about the risk decisions that the organization is making.

00;35;42;24 - 00;36;01;19
Speaker 2
This is, I think, something that's really critical: the system overall, in my view, is all about a fact pattern. Here's the risk that we carry within our vendor and supply chain environment. This is the risk, kind of inherently, that we have. What do you as the business want to do with that risk? Is this risk that we accept?

00;36;01;20 - 00;36;07;27
Speaker 2
Are we going to mitigate it? Are we going to make modifications or changes to it? But I want to make sure that you have that right.

00;36;07;27 - 00;36;14;20
Speaker 1
And then and then providing the executives that actually own it with the information so they can make better decisions. You know, we talk about my.

00;36;14;28 - 00;36;16;10
Speaker 2
Fidelity risk management.

00;36;16;18 - 00;36;39;05
Speaker 1
So. All right. In that we are running low on time, you and I could talk for hours. I want to thank you for joining us on Risk and Reels. Let me just kind of recap. So, Matt, favorite romantic comedy is Peyton on, I'm sorry, Forrest Gump. Right. And I agree Katz's Delicatessen has the best pastrami, at least on the East coast.

00;36;39;13 - 00;36;58;03
Speaker 1
I can't speak for the West coast where you are. Threat modeling solves everybody's problems, right? Is that an overstatement? Maybe a little bit of an overstatement. STRIDE. STRIDE is an acronym that everyone should understand. And let's declare war on ambiguity. Any closing thoughts, Matt?

00;36;59;00 - 00;37;24;20
Speaker 2
Not at all. Absolutely. Just, you know, I want to thank you and I want to thank kind of the broader community for this work, because one thing that I think is, we are absolutely stronger together and we're dealing with really serious issues. And I appreciate venues like this to be able to kind of talk shop and everything.

00;37;24;20 - 00;37;31;14
Speaker 2
So just inordinately grateful for you, Jeffrey, and the Black Kite team for having an opportunity to give my proverbial

00;37;31;28 - 00;37;36;05
Speaker 1
Don't sell yourself short, Matt. It was worth at least $0.07. So I appreciate.

00;37;36;05 - 00;37;37;01
Speaker 2
It if we don't go.

00;37;37;03 - 00;37;50;25
Speaker 1
Again, thanks to our guest Matt Stamper. We're going to last. I am Jeffrey Wheatman, I've been your host for Risk and Reels. Want to thank you for joining us. It's been a great session, as usual. Stay safe, stay healthy, stay secure. We've been out.

00;37;58;04 - 00;38;20;12
Speaker 3
Thank you for listening to Risk and Reels, a cybersecurity podcast. Be sure to follow us on Apple Podcasts, Spotify, or wherever you listen to riveting 30-minute conversations about movies and cybersecurity. Jeffrey will be on the road this year at some of the industry's biggest events, but you can always find him on LinkedIn and Twitter at Jeffrey Wheatman.

00;38;21;10 - 00;38;30;05
Speaker 3
This podcast is powered by Black Kite, the only security rating service to deliver the highest quality intelligence to help organizations make better risk decisions.