Assessing Cyber Risks in the Cloud and AI Era

Patrick Spencer (00:02.384)
Hey everyone, welcome back to another Kitecast show. We have a real treat today. Tim and I are speaking with Alexandre Blanc. He’s up north of the border in Montreal, Canada. Alexandre, thanks for joining us today. We’re looking forward to this conversation.

Alexandre Blanc (00:16.873)
Yeah, hi Patrick, Tim, really happy to be with you today. Thank you for the opportunity.

Patrick Spencer (00:22.94)
Thank you. So Alexander, let’s start with your background. You’ve been in cybersecurity for about 12, 15 years. You’re a strategic security advisor over at VARS. You have been there for I think about three years. You’ve done some really cool branding on LinkedIn. We’ll want to talk a bit about that, but you know, you’re one of the, the top 20 voices in cybersecurity. And like I said, there’s a whole bunch of acronyms and awards and everything else that you have to go behind your name. But.

But let’s start by introducing yourself to our audience. How’d you get into cybersecurity? And talk a little bit about your current role.

Alexandre Blanc (01:00.801)
Yeah, so basically, you know, I was an IT person back in the end of the 90s. And this is a time where IT people would have to protect the infrastructure as well. And the responsibility of this grew and basically cybersecurity did come as a whole new domain, new field by itself. And I was basically sticking to IT. And at some point I realized that I was doing more security and attacks, service management, all the end risk management than IT. And

The fun stuff is that I didn’t start on LinkedIn until I think 2018 or something. And yeah, and I, this is the fun part. Like people don’t know. It was a kind of a discussion with the marketing guy who was like really an ex IT person and we had a long discussion about that. And I didn’t want to kick in the field of the marketing of the communication side. And I just started to share on LinkedIn my, my take on things, you know, trying to get insight and that did open a crazy.

things, crazy exchange I didn’t see coming. I mean, I had so many contacts over there, so many workshops I got invited to that it opened many, many things that I didn’t see coming. So I’m really happy with that. The only thing is I say what I think is right. And I really read and like to read people’s take on things because I have, I mean, you know me a little bit. I am a, people know me because I complain a lot about the cloud, the leaks and stuff like that. And, but

Tim Freestone (02:28.174)
Thanks for watching.

Alexandre Blanc (02:29.321)
It’s a fair game. We need voice, I think, like that, that challenges that you go ask questions, so as we enhance things overall. So that’s kind of me. I don’t know. That’s about it.

Tim Freestone (02:34.41)
Thank you.

Patrick Spencer (02:41.undefined)
That’s really interesting how you really kind of late to the game on LinkedIn in many ways, but you dived head first and you have a bunch of followers. So maybe that’s a good starting point. You’re kind of late to the game. How do you build the number of followers that you have? I think you’re up to, is it 30,000 or something like that you have on LinkedIn now, I believe, or it’s, it’s certainly digits.

Alexandre Blanc (03:00.754)
It’s like 70,000 or 71,000 already. Yeah, yeah, yeah. And…

Patrick Spencer (03:05.216)
Oh wow, 70s now. So how do you do that over a relatively short period of time?

Alexandre Blanc (03:13.077)
I don’t know, people like what I share. I mean, the key, I mean, I’m consistent. I post on a regular basis. I maintain, you know, accurate information. I stick to the thing I like to my field, and I bring view, I try to bring value. The key in every post on my end is trying to make a difference, getting something to take out of it, or trigger a reflection. I’m, yeah, like, is, you know, there is all the time something

to think about if you are a CISO, risk manager, decision maker, or business manager. For every share that I do, there is something to think about that you may not have been thinking about, and that may help you enhance the resilience of your organization. So that’s the goal. And I think people like it.

Tim Freestone (04:03.438)
Hmm. So let me ask a quick question here, Patrick, the, before we go on too far, I noticed in your profile, you’re with VARS, V A R S right now, right? Can you tell a little bit more about that? I mean, I’ve been doing this a while. I know what Avar is, but what’s VARS, how did you get involved? A little more info on that would be great.

Alexandre Blanc (04:13.838)
Yeah.

Alexandre Blanc (04:19.182)
Oh yeah.

Alexandre Blanc (04:23.265)
All right, Varus is doing basically managed security services and consulting on cybersecurity.

Tim Freestone (04:28.542)
And it’s just you, is it a company or? Okay.

Alexandre Blanc (04:32.269)
It’s a company. I’m hired. And this is also on my profile of a bigger company called RCGT. And VAS is the cybersecurity division of that. So I’ve been doing that for three years. I mean, on my end, I kind of kick on calls about complex topics. If company organizations face challenges and I’m making the communication easy.

Tim Freestone (04:38.644)
Okay.

Got it.

Alexandre Blanc (05:01.349)
bring a good understanding between tech and managing people, and also bringing the risk understanding to the business side of things. And also I’m very, very technical, so I can really speak the language of the tech guys, the solution provider, and answer the interrogation, because what we see in the market, when organizations bring solutions, this is triggering a lot of questions.

from the customers because they have goals, they want to protect the organization, they want to achieve something. And obviously the sales pitch is always magical. You know, it does everything. It’s fantastic. So yeah, but we think, I mean, there is a lot of legitimate skepticism. People don’t believe everything in the sales pitch. So I’m trying to be true to technical side of things, what it does, what it doesn’t. So there is no like wrong expectation, like zero BS on my end.

And that’s how I try to drive the thing with people, because we need that on the market. Yeah.

Tim Freestone (06:00.679)
Yeah. Yeah, for sure. I totally get it. And it’s kind of a rare breed to be able to balance both the thought leadership and the technical, um, cause there’s a lot to consume and remember and pay attention to in both of those aspects. You like one more than the other at this point strategy versus tech, or you’re still enthused about both.

Alexandre Blanc (06:21.193)
It’s more now a strategy on my end than tech. I keep my own, you know, home lab stuff and I play with things. I kind of preview sometimes before going through a product, I would get it, try it and really go through it the way you would do a CTF kind of things, you know, the hacking part of it, because I don’t want to deceive people. So I try as much as I can to validate what’s out there or…

And if I do not have the time period or do not have access to the thing, I try to correlate the information and find multiple sources around so I can actually back what’s said or what’s claimed on the stuff.

Patrick Spencer (06:56.624)
What managed services are you focused on, Alexander? Are there specific cybersecurity areas that you hone in on or are you sort of a broader solution provider that focuses on a lot of different areas?

Tim Freestone (06:56.663)
Yeah.

Alexandre Blanc (07:09.705)
I’m, it’s a more broad, you know, the broad side of things. It’s, it’s about, you know, answering the needs and matching what organization need on my end. And that’s not mean like that’s what I want to bring to organization is an answer or a solution. If I don’t know, I will basically send them to people who knows, um, to get the best advice and if I know I can, I can recommend stuff, I will, uh, solution for them. This is just about being practical.

and also really understanding the context of these businesses. Because, I mean, from ICS to… I mean, it depends on the vertical in which the business is, and the reality is totally different. And we have also to consider the compliance side of things, the side of the threat landscape itself. So it’s each time it’s like, and that’s the part I like, is analyzing, understanding the reality, and trying what makes sense. Because, I mean, it’s different all the time.

Tim Freestone (08:06.254)
Are you hearing any sort of trend in the past year or two in terms of strategies that customers are asking you about that’s new? You know, obviously AI, so let’s push AI away for a moment. Anything else that you’re hearing more than you used to in the top of minds of customers?

Alexandre Blanc (08:28.389)
Well, there is a big change in the regulation side of things, especially in Quebec, where I’m located, there is the Law 25, which is basically the implementation of GDPR. So that’s one big thing because the deadlines did fall on that recently. And it comes on many requirements. One is the data governance, you know what you have, drive the data and stuff. So it requires policies. But there is also mandatory…

Tim Freestone (08:38.818)
Mm-hmm.

Alexandre Blanc (08:54.565)
protection that you need to bring to the data and the infrastructure not to be held accountable or responsible of a breach and For that they need to put the right security control in place. So that has been a big boost in the in the need for organization towards security because before that it was just Needing to protect yourself, but this is your own risk decision right now. There is a big push from the

the legislation back to companies. So they have no option but doing it. And sometimes it’s quite painful because the maturity on the markets in Canada, at least what they see in Quebec is very low. A lot of SMBs, they do not have security people. And a lot of them don’t even have IT people in house. So they rely on service provider outside. And it’s challenging because they’ll try to respond to the need.

But it’s quite a complex situation. So yeah, it’s, and when I speak, you know, I spoke earlier about translating the need and the requirement to the business side of things. This is what happened. And like why you need to do it, how you can do it, and who should help you do it. Sometimes it’s not even me or the company providing service, like when they have a service provider on IT side, that your IT provider should help you do that. So basically advisory side of things.

Tim Freestone (10:16.094)
Yeah, there, we, we did some work a little while. It does law 25, right? The bill, bill 64, formerly known as. Yeah. We did some work on understanding that and kind of providing some messaging around it for our Canadian customers. I don’t know, like five or six months ago, but I remember just having a perspective that there were some gaps there, which are gaps I see quite often. I wonder if they’ve been filled. It’s been a little bit while it’s been a little while. Um, but one of them, I remember being just, um,

the enforcement and fines being a little bit opaque. Has that solidified, you know, for non-compliance? What happens? Are those penalties being enforced, et cetera, et cetera?

Alexandre Blanc (11:00.433)
So what I see, and that’s my perspective on my hand, is basically the government do not have the resource to track each and every businesses. So when the issue is going to kick in, it’s like with cyber insurance, it’s when an incident happen then they’re going to be an investigation. And this is when that thing is going to kick in because they’re going to look, did you do it right?

And that’s the whole key of documenting and doing the formal process for your organization. That’s one of the recommendations because a lot of people think they do it, but they do not write, keep track or the documentation. So there is no proof. And when there is no proof, then from a legal standpoint, it doesn’t exist. So that’s the key thing that I see as incident will kick in. You will have an investigation either because your customer will go after you because their data has been stolen or your partners.

Because when we see incidents spreading around, all your customers may come after you, or even the legal investigation get goes through that. So you’d better be backed at this point. Also to assess the damage as well. Because proper governance allows you to know what was stolen, what’s out. If you do not do that, if you do it right, you have no way to know what’s been taken and what’s the impact. And even your legal counsel cannot properly advise you.

against the way they will address the situation. Sometimes they will decide to go fully transparent. Sometimes they decide to hide the thing because of the size of the impact is smaller. It’s just a business decision. This is not me. I mean, doing right is doing everything by the books. But the reality in the field is, the legal counsel will advise the board to decide what action to take. And these decisions are based on data and you must have that data. So that’s the big gap that we see. But…

Tim Freestone (12:44.097)
Mm-hmm.

Alexandre Blanc (12:49.385)
And that’s also why on the LinkedIn side I share a lot about the incident. Because there is always something to learn about these. Basically you could technically build a security program out of all the incidents out there. See what happened to them, can this happen to us? Every time you see something like that it should trigger a question. Even if you are the CEO of the company, you are not obviously the CEO of it, but you are the CEO.

Tim Freestone (13:06.444)
Mm-hmm.

Alexandre Blanc (13:14.689)
And you see that happen to this, and especially if this is in the same vertical as your business. And then you wonder, can that happen to me? And then ask your technical team, can this happen to us? Do we have the control? What do we do? And then that will naturally trigger a continuous enhancement. It’s not a formal way to do it. You don’t do the full scope, definition, the assessment, the evaluation and all. But you know, it’s better than nothing to start with.

Tim Freestone (13:38.913)
Yeah.

Patrick Spencer (13:39.796)
You brought up an interesting point in terms of demonstrating that you actually had governance in place when an issue does arise or showing the extent of what that looks like. You find in the marketplace, we believe that this is a problem, that you have all these different tools, you have disparate, siloed audit logs. It’s really, really difficult to put together that bigger picture at the end of the day until we move to a more unified

architecture when it comes to the way we manage content. You know, what, what’s your perception there? And, you know, do you see things improving or, you know, staying about the same when it comes to all those disparate silos that exist.

Alexandre Blanc (14:18.737)
Well, it was improving with the actual regulation coming in, but with the dynamic of the technology market and all the tools popping out in there and the shift in employment as well, like people start projects, start to implement tools and solutions, but then they leave, someone has come back and they come with their own tools. So we have a lot of shelfwares or shelf solution because sometimes like most of the time it’s SaaS now, sadly, but this is what it is. And

And this is hard to get a follow up. And one of the challenge too is like so many tools, so many external resources are involved and the way to address that, I mean, the TPR, the third party risk assessment needs to be done before anything, knowing what you signed for. And I’m not sure right now, because of the way solution are adopted in organization that every new contract, every new subscription go through the legal counsel. I mean, to be doing right.

before subscribing to anything, all the terms and conditions need to be put for review for the legal counsel to make sure that what’s offered and what’s falling on the organization is actually well understood, so you know what you have to do. And the second thing on that, even if they do it right, it’s not a static thing, because all the terms and conditions of all the third party we use has that clause that say, these terms and conditions change all the time, blah, you must come back yourself to check that there is something new.

And I’m not sure like many legal council of organizations have an actual on-change notification for the term of service they subscribe to. So that’s very dynamic too. And that’s one of the challenges that we see. We cannot address the dynamic thing with a static solution. So it’s really… Yeah.

Tim Freestone (16:01.414)
Yeah. That’s an interesting, you, I caught up, I caught something there. You said most tools are SAS and then you said, sadly, is that, is that why, is that why you said sadly there? Cause one of the things we, we often promote kite works or a virtual appliance and, and we have some messaging around not a SAS by design. We have our reasons for that, but I’d love to understand why, why you think the SAS, why there’s a SAS challenge.

Or is it just the legal aspect?

Alexandre Blanc (16:30.889)
Yeah, it’s about and it’s a very formal thing. You know, I play a lot against that. But from a risk management, you know, you got contract and you got your risk posture, you got the context of your organization that you’re supposed to own. But when you go through third party where you do not control, you didn’t have a word about the change management, about the way change is implemented. I mean, the change management of your provider is not aligned to the change of your business.

Sometimes they will do major change, but this is not aligned with your business posture. Sometimes you cannot take that at this time. So, and you do not have any, I mean, anyone who’s been using, I don’t know, like a customer relationship solution online, and there is a new release coming to tell you, in June, that’s gonna change, you have to change, blah, blah. But if you had any development, anything on your hand, you cannot postpone that thing because you do not have it, you do not control it. And that means that you will need, and you have to go through the assessment.

Tim Freestone (17:06.379)
Mm-hmm.

Alexandre Blanc (17:29.161)
of what’s new, the terms and conditions, the impact of the change on your organization, every connector, every third party that you use. And that can be daunting for business because if you have one, that’s fine. But if you start and now with a, we have like dozens of these. So if you do things right, you are going to spend more than you can do to just review the change of your third party and solution. So that’s why I, that’s one part why I don’t like to externalize everything. We need it, but you need to keep.

control of your things because when something wrong happened, it’s gonna fall back on you. So that’s something.

Tim Freestone (18:05.706)
No, that’s true. It’s a very, it’s a great, great perspective. I haven’t quite heard it coined that way. Um, but the whole, the control part is, is huge, right? The, the more you can control the decision-making of, of any of your infrastructure tools, whether security or not, um, the better off you are in everything you just said, the one caveat to that is then you got to control a bunch of stuff. You don’t get to rely on the automatic updates. And.

you know, some of the support layers you get from the fact that you just can’t. I’m playing devil’s advocate a little bit, but you just control everything. Right. So I think you said like a balance across both is the key here. Stuff you control, not the outsource.

Alexandre Blanc (18:41.561)
Yeah.

Alexandre Blanc (18:49.229)
Yeah, it’s an assessment. Right now, it’s sadly no marketing side only selling magical, but the responsibility is a shared responsibility model, such as in the cloud. So you still have to do things. We have to leverage solution because we cannot do everything yourself. I mean, today, it’s like most of organizations, it’s not their core business to do the technology side of things. So they have to rely on it. But.

Tim Freestone (19:08.073)
Mm-hmm.

Alexandre Blanc (19:16.997)
they still have to make the decision wisely. Because if you multiply the thing, you are sold tons of magical things, but you will pay a price for that you may not see at first. And between compliance, but also the risk of cyber attacks, cyber risk, and even the governance, the life cycle of account management of employee coming in, leaving, and we see that all the time. So many accounts are never closed because the organization is not even aware that there was an account.

So that’s the kind of thing that is tricky to manage today. And I understand the market, you know, it’s all time to market. It’s all about being the first in the place to do the thing, to make a difference, to be ahead. But at the same time, there is an issue with that because it’s bringing risk and then you don’t want to end in the news and being destroyed by an incident. So that’s the whole thing we try. I mean, that’s very high level speaking. You can put all kinds of KPI and metrics.

Because as we say in ISO 2701, everything has to be measured. I mean, you need miserable, not miserable, but something you can measure to make sure that you are actually enhancing the situation and not getting worse. You need to measure the performance of your poster, knowing if you’re doing things right. So that’s how it goes.

Patrick Spencer (20:37.34)
What are some of the biggest, good Tim. No, I was just curious, cause you’re working with all these clients, providing them with risk assessments. What are some of the biggest areas of concern or biggest gaps that you’re seeing just in general, when you do these assessments with customers, when it comes to how they secure and protect, govern their data?

Tim Freestone (20:37.526)
So, go ahead.

Alexandre Blanc (21:01.169)
So there are many things. First of all, again, it depends if this is a tech company or non-tech company, there’s a big gap there because the tech companies, you have kind of a better security posture role. They understand well the risks. What we see, you know, the typical flat network, everything connected, and they don’t understand that if a single mile we’re getting, they are just cut off and they don’t measure the impact properly. So sometimes I even go back to very, very down.

quantitative risk analysis with them. I tell them, and you don’t have to be in the basic users. Okay, you have that many employees, let’s say 50 employees and you have an incident, whatever it is, and you are cut for a week. So take just how much these people cost to your company. That’s going to give you an idea of the impact of the financial impact, just of the loss of production. And usually this is way, way above any investment they will do. This is the factor of 10 or 100 sometime.

compared to the solution or the change they need to apply in the little effort. Because you know, when you try it, you can say, okay, to change that, you will need to invest in that or make that change. And it’s, oh, it’s gonna cost us so many hours, like, you know, 50,000 bucks. And then say, yeah, but 50,000 bucks. If you get it tomorrow, this is like 10 times that. So then they realize, oh, we didn’t think about it. Because they think, you know, they have like business interruption insurance coverage.

But this is not covering cyber incident or digital impact. And also more and more what we see because the insurance was usually the key answer where we get. I’m insured if something happened, the insurance is covering us, you know, and we have a partner that can rebuild. But today, the insurance are dropping a lot of incidents. So you will not get paid and they do not assess that as well. So part of the risk assessment and the compensation measure that you have in place, is it still valid?

And they may not, because two things, either when the insurance contractor was subscribed, the reality of the environment was not the same, or the insurance terms and conditions changed and you may blindly sign because this is not the operation people, it’s not always connected to the chain management, they just renew an appendix of the contract stating blah blah, and they don’t realize that it no longer covering the key asset of the organization. So that’s the whole thing. And when I speak about it, it’s like…

Alexandre Blanc (23:27.761)
crazy, we have to think about everything. So you can go high level and still get your things together. There are some key things, like pretty basics, that will protect the organization. I mean, I like to think about immutable backup solution. Organization, to protect their data, they should have immutable backup solution. That’s just ruling out any data loss issue for the long run. And this is cheap. And that thing, when you do that,

Tim Freestone (23:52.43)
Sure.

Alexandre Blanc (23:56.549)
you’re going to check a lot of the resilience and the compliance need, assuming that you know what you have and you actually do not have a policy that store data for too long according to the compliance side of things. But then this is opening the discussion and the solution and that’s. And usually what we see is that the organization outsource the sensitive part of it. Like…

the payment side of things. We barely see organization doing the thing themselves. They use the bank solution or they use a third party payment solution. So all the compliance side of this is actually outstripped. And they just have to focus to the historical transaction from accounting perspective. And that means they need to protect the accounting. And so if they have immutable backup, the accounting side is protected. So that’s how you round up things and you get up all the complexity of we’re doing too deep into the details.

Tim Freestone (24:51.33)
Yeah. A lot of, uh, lots of unpacking what you said. I want to double click on the insurance piece. Um, I haven’t heard of this, but maybe you have, uh, one of the aspects of. Data breaches is loss of revenue just from brand impact over a significant period of time. So yeah, there’s, there’s fines. Okay. Insurance can cover that. There’s being sued, which goes on and on forever. There’s some level of insurance for that, but there’s revenue loss from

So to say as a company, oh, we have insurance, we’re taken care of. That seems like a really naive statement.

Alexandre Blanc (25:26.37)
Yeah.

Patrick Spencer (25:26.576)
doesn’t call it lawyer fees as well, right? Alexander on top of brand impact. Yeah. For years.

Tim Freestone (25:29.45)
Yeah, lower fees, you know, not just fines, the fees, the brand reputation. It’s, uh, it gets very expensive, very fast and insurance only goes so far.

Alexandre Blanc (25:35.073)
Yeah… Yeah!

Alexandre Blanc (25:40.505)
Yeah, and you know, human mind, we tend to remind things that went wrong. So if I, I mean, we can easily give the name of 10 different high level brands in IT in the last five years that got blasted. And if you have this name and another name that is kind of clean, you most likely have a bias to go to the clean one. Oh, well, some people say it’s good to go.

with an organization that had an incident and that did manage it very well. Like if they’ve been transparent, they did quantify the impact and controlled it. It’s kind of the experience paying off an organization that is fairly newer and never faced it. So it’s just like you could have and the fun part is like if you had an incident, it was like kind of small enough but you managed well. It can be good for the brand because you show expertise, you show control. Now if you had some big, big bad thing.

I don’t think you can recover from that. The market will continue because people are customer locked in situation. So it may take a decade to escape from a failing provider. But the price will be paid on that, I’m sure. I mean, we see that, I guess, when I speak about that, you think about big names I have in mind. And these big names will suffer from that from a decade long ahead.

They will try, you know, the strategy is split the company, rename, rebrand, blah, blah. But you have to do it right and very right to recover from that. At least when I speak to organizations, that’s where I would go because you don’t want to be the collateral of a main provider issue. And this is happening a lot today.

Tim Freestone (27:28.746)
Yeah. You know, it’s interesting. You, um, you bring up the sort of size of the breach and then the resilience and how the company deals with it as a marker of, um, quality as a marker of quality cybersecurity practices, um, to dredge up a little bit of our past. Um, uh, five, four or five years ago, um, we had a, uh, it was called FTA file transfer appliance that was.

end of life and the company was moving as many customers off of it. It’s in the news. This is all very public, but it was, it was relative and it ended up getting breached and it was a relatively small part of our customer base that were. We’re impacted, but because our CEO was so, uh, transparent on what was happening, works hand and foot with the, the FBI and any agencies that were involved, all of that.

ended up being sort of a feather in our cap in terms of showing what we have in place for cybersecurity, what we have in place for resilience, how we lessen the impact and then moving forward. It’s almost a little bit of a reminder sometimes for companies to over-rotate on your cybersecurity practices, especially at this day and age. And then to your point, you know, we see companies…

a betting on us because of that A experience B transparency and C our cybersecurity practices moving forward. What not to be a commercial here, but one of the things that, um, uh, CESA here in the, in the U S put out was a, a document and guidance called security by design and by default, which sort of, um, listed all of the best practices in terms of, uh, software development, uh, to create

have security first in how you develop and how you put the posture forward for default settings and things like that. Turns out our Chief Product Officer over the past five or six years has created a… without that document has actually created a process for securing our system for our customers that aligns right with it. So again, some of that was driven by just, you know, fool me once, shame on you.

Tim Freestone (29:51.023)
me twice shame on me kind of perspective. So

Alexandre Blanc (29:54.266)
Yeah, that makes sense. And it’s nice to see. And also, you know, when you get the CISA recommendation, there are tons of documents with best practices around, you can see CIS doing a lot, Center for Internet Security and all, depending on the different platforms you see. But as long as the culture of security is now deep in the organization and basically part in the change management, that’s the key. Because if you have a formal change management

process and you should because today you need to know the impact of every change given all the different interactions between systems. If you just take the action of adding a security check on each and every step and most of the time there is no impact security impact zero known it goes on but if you have it and you check just that thing that’s gonna be a huge difference for organization.

I like what you brought me, security by design and by default. That’s, I’m a big advocacy for that. Actually in my end, security and privacy by default and by design. So as the user wouldn’t have to, and that’s not related to you or security organizations, but more of the global big tech industry, but as individual, or as customer as business, we shouldn’t have to take an action to opt out of something invasive. We could be offered, you know,

for whatever reason to kick in, you know, at the product development, at giving feedback, but it should not be the default to be invasive and having to opt out. So it goes together. And, but I see on the market, there are a lot of organizations getting there because in the end, this is building trust and we need to rebuild trust. It’s something that I bring a lot in my shares. Like today, we cannot trust technology because it’s lying everywhere. It’s bad, but this is what it is. Because either,

the posture is not what it’s claimed to be, or the real impact or use of the data of what you give away is not clearly explained and there’s a lot of deception in it. So that’s what we need to clear. And I think organization that really look forward, transparency as you said, and clearly tell customer what’s in, what’s out and what they sign up for, is gonna make a big difference in the long run.

Alexandre Blanc (32:15.942)
At least that’s my hope.

Tim Freestone (32:17.631)
Do you have… Sorry.

Patrick Spencer (32:17.788)
Are you seeing the privacy component? You see more, Tim and I are about to ask the same question. You know, with the NIST privacy framework, are you seeing more focus on that in the marketplace? It’s been out, what, two or three years now? Or, you know, is there a shift from, you know, security by design to privacy by design? How do those two correlate?

Alexandre Blanc (32:39.589)
Well, they work together because security is about protecting the data. So, I mean, privacy is about giving the control of the data owner. That’s a big difference. The data owner control the access to the data. And basically security and privacy is quite the same. Just in the security side of things is the organization responsibility protect its assets on the privacy side. It’s just data owner focused. So, just an extra step.

And when we speak about PIMS, privacy information management solution, this is just bringing control to the owner of the information, like GDPR-like kind of things. And we see that popping, the regulation, aside of the NIST framework on privacy, the regulation in the US states is growing. We saw CCPA, it has been revised and updated. And we see a lot of great things being pushed, at least on my end,

on the IoT side of things. That’s also a big, big challenge because people plug this embedded system, not realizing that they are creating a big, big attack surface, not knowing what’s in there. No one can audit what’s in these boxes. The camera you plug in your network and stuff like that. So when I saw in the US, I think California came the first with that mandatory update and security toward IoT. That’s a great, great step.

Because if we try, you know, as an organization, to secure the whole infrastructure perimeter, micro perimeter, or whatever the hybrid environment that we have, but all around we have these uncontrolled assets that are tapped into our everything, then it’s worthless because it’s killing our efforts. So it has to be unified. It has to be, you know, overall aligned with the control that we have.

Patrick Spencer (34:33.703)
These devices proliferate to your point. Tim and I, before the podcast started, we’re talking about a new one that’s on the marketplace. It is a PIN. We’re capturing more and more personal data and who knows if it’s secure and who knows if you have full of it, right?

Alexandre Blanc (34:49.037)
I think I just saw that thing this morning on LinkedIn, someone shared about it. There was a presentation and they said there is a LED blinking when it records. And is it the one that has the laser projection kind of things when you can have all the things? Okay, so I was like hmm, to me it was a big no-no. Because, well, we have to be realistic, we cannot escape.

the surveillance things because everybody has a you know, your neighbor has a ring bell even if you don’t want it It’s it’s looking toward you. So so you are in there but I think awareness is one key knowing that’s there and And then knowing what? Because we don’t have to be playing individually and that so when you do things like be aware of the impact and These cameras someone said it’s like a new fancy body cam for everybody

I’m like yeah that’s true so I know pros and cons.

Tim Freestone (35:50.01)
I did that thing where I talk with my mute on, so I’m going to try it without the mute on. But the, the pin is, it’s called humane AI, but the, um, industry that’s evolving is, um, uh, wearable AI. And in the next one, two years, it’s just going to be ubiquitous. I think everybody’s going to have some form of wearable AI and the data collection, the data privacy, um, the amount of.

resources that are going to need to be put into regulations and regulators and auditing. And it’s just immense. And so it kind of leads me to another question for you. OK, AI is driving a lot of the problem. Have you seen anything yet on a cybersecurity or privacy standpoint that will help scale the protection and compliance from a technology standpoint yet? Or is it still early?

Alexandre Blanc (36:45.165)
Yeah, well AI is already in the sell pitch for a couple of years in many actors in all the detection and response Is based on no longer our signature or anything. This is about behavior analytics and this is Correlation of information which is also AI power at you know to sort out and do the triage what’s wrong What’s a false positive and stuff? Yeah, he’s a lot used to that because it’s faster than you man to get the solution. So that’s one thing now

It’s also used for data recognition. When you get to do your data inventory, AI is used to sort the data. What’s private information? What’s PII? What’s self-speech? What’s public information? So this is already used on that. Now, when it comes to the integration in our environment, and when you speak body cam wearable, we speak smart cities and all, cars, transportation, everything.

Well, we need frameworks. We need, I mean, the states came with these AI recommendation about, you know, what the good use of AI and some guidelines to get abused. It’s needed to protect people and to protect society. I understand. And the challenge is. The regulation should not kill innovation, because if we are too strong on regulation, another country is going to go ahead and come with something bigger.

Tim Freestone (38:00.235)
Yep.

Alexandre Blanc (38:07.661)
So that’s why I’m a private privacy advocate, but I’m also aware on the tech side. So, and again, back to the beginning of the discussion, why I share what I share is I want to bend the trajectory so as we do things the right way, we allow people to have a choice, yet we still evolve, but let’s not forget and let’s go evil side of things. Also in the tech side, we will have some backfire as well.

And we should be transparent as well. The same thing we spoke about organization, trust and transparency. The AI impact and negative impact, the negative stories should be shared and people should be aware so as they can make proper decision, informed decision. I saw a story about the autonomous vehicle driving lately. The company that were involved in that did hide the casualties and hide many, many bad things that did happen. And this is not the way you build trust.

Tim Freestone (39:00.803)
Mm. Right.

Patrick Spencer (39:04.157)
Yeah.

Alexandre Blanc (39:04.173)
So I understand the investment. We speak about billions a year spent on that research and development. But look at what’s happening. Finally, the story got out and everything got stopped. No more authorization to be on the street and stuff like that. So do it right. Just come on. We’re in it together. I understand there is innovation, but do it right. Show that just, I mean, if you need more time, I understand this is money. Right. But if you don’t do it right, it’s going to backfire. It’s going to cost you tons.

We saw in the automotive industry so many stories about saving a few bucks and killing many people and then backfiring with global recalls. So why are we doing that again and again? I mean, even from a business standpoint, it doesn’t make sense. So do it right, please people.

Alexandre Blanc (39:55.318)
It’s a bit idealistic, I know, but that’s, I mean, we should try to go toward that.

Tim Freestone (40:01.182)
Well, it’s part of the podcast here too, is just amplifying voices of, of reason. Um, it’s all, it’s really all you can do, uh, not just in IT security, but in a lot of domains that are facing a culture in a, a world of, um, uncertainty, don’t know what to trust, what to trust. So it’s like, you know, um, level headed voices go a long way and we’re, you know, we’re happy to, um, be part of, uh, advancing that.

Let me ask you kind of one final question unless Patrick has, and this is kind of a loaded question, but I’m interestingly starting to get into a little bit more conversations with customers and the government around data security in the quantum computing era. Are you hearing much about this? You know, what happens to encryption? You know, we’re five, 10 years out, et cetera, et cetera. Or is it still just.

Alexandre Blanc (40:50.371)
Yeah.

Alexandre Blanc (40:54.253)
Yeah, so what people don’t realize is we’re already late on that. I had a chance to participate in discussion. There was a Microsoft doing a presentation. I think they’ve been working a long time ago. I think I was in that meeting 2019 or so, where Microsoft did release a post-Countroom encryption prototype, which was a fork of OpenVPN back then. And they have been working on that a lot. Thing is, this is constantly evolving. So PQ…

Oh, it’s back. PQI, post-quantum encryption, is a dynamic field because the more we discover about the quantum capabilities, the more it’s invalidating the theoretical encryption stuff that we have today. But the key thing about the threat of that is that there is that main threat, which is, recall now, decrypt later. So if you tap into the network feed today, and this is happening everywhere, all the countries do is that. They tap, even if it’s encrypted. And…

when the capability is there against the cipher, it’s going to be decrypted. And that goes back to the question of the life cycle of the data. How long is the data valid for an enemy, for an attacker, for an industry, for spying? I mean, people think like what you say today doesn’t matter. But let’s say if I have access to all your emails from 10 years ago, or even 20 years ago, and then you think about which business, which vertical, has a life cycle

of products that goes up to 100 years. So let’s go. Energy, grid power, these things last 50 years, 100 years. Nuclear nukes, missiles, military strategy, networking stuff, critical infrastructure of the countries. And this has been sent and encrypted back then in ciphers that either you can already break today or that the quantum is going to break. So think that

everything you add to our now, what’s all everything top secret that has been transiting on the network will be decrypted. So even if we fix today, can’t do. We still have a big issue because you do not move a secret research center. You don’t you don’t reach change the security of physical facilities that are huge, that have been billions of investments and that’s the biggest challenge. I mean aside of the fancy

Alexandre Blanc (43:18.413)
We sell post-counterman encryption, blah blah, okay cute. But the biggest threat is not there. The biggest threat is what we did for the last 20 years. So…

Tim Freestone (43:29.438)
Hmm. That’s an interesting perspective. Yeah. Uh, how far do you go back and, uh, take inventory basically of the sensitive information that you have and did you have policy in place to get rid of it, et cetera, et cetera.

Alexandre Blanc (43:37.689)
Yeah.

Patrick Spencer (43:38.82)
Data cleansing, getting rid of the data that you no longer need, is that’s part of the risk assessment, I assume that you provide to your clients and recommend.

Alexandre Blanc (43:48.317)
Yeah, but there is governance and that, but the fact that you get rid of it, if it has been tapped on the network, it’s not disappearing. It’s copied somewhere. Yeah.

Patrick Spencer (43:57.736)
Yeah.

Tim Freestone (43:59.473)
I see. I see. So if it was tapped years ago, 20 years ago or something.

Alexandre Blanc (44:02.433)
Yeah, yeah, because you saw like a few years ago, it happens all the time, like BGP hijack, BGP protocol, the routing, the core routing of internet. We saw like many countries hijacking accidentally traffic. And I think two years ago was the whole traffic to Azure was hijacking Iran or something like that. And oh, it was a mistake with someone on the IS autonomous system on the network that did basically what people do.

they claim to own the IP address, the public IP of an infrastructure and all the client then reach that IP. So, and if you could during that timeframe, you collect the data, you’re gonna have a lot of information. And so that’s part of the scope. Yeah.

Tim Freestone (44:45.886)
I see. Yeah. I think we’ve heard, I think we’ve seen stories about that. Yeah. That the just aren’t, um, I don’t know, this is, I’m tapping into my own way back machine here, but aren’t there nation states that are actively tapped and collecting encrypted data they can’t do anything with today, just to be able to in the future, decrypt it essentially, right?

Patrick Spencer (44:48.176)
It’s only on the network now it’s in all the LLMs.

Alexandre Blanc (44:50.233)
Yeah.

Alexandre Blanc (45:09.573)
Yeah, yeah, that’s a reality. I mean, and that’s also all the threat that we see now. So the quantum question, it’s many things at once. It’s guessing the innovation and evolution of quantum computing in the next decade. It’s investing in post-quantum encryption capability that you don’t know how far and how long it’s gonna hold. So what’s the impact on your business?

See what I mean? And knowing that what transits online right now will be decrypted in the future, how far should we get the sensitive thing local? I mean, that’s part of my cloud complaint kind of. When you do cloud, you send data, encrypted, yes, for now, to a remote location. Okay, it’s good for a thing that you don’t care. Use your enterprise, SMB.

Tim Freestone (45:38.098)
Mm. Mm-hmm.

Tim Freestone (46:05.666)
Right.

Alexandre Blanc (46:07.229)
okay, fine, you know, what they do today is going to be gone tomorrow. We don’t care. But more sensitive, there is a gap where stuff becomes really sensitive. And this sensitive data should not go out and transit in the public stuff, even encrypted as today, even though what we know from tech. So that’s the quantum side of things. It’s unknown. What we know is that because people have been discussing, record now and decrypt later, this is a thing.

So it can happen. So we need two things. We need to assess what the hell did we transmit in the past decades? And that is still relevant today for foreign, for enemies, if you are a state or government, for enemies. If you are a private organization, do we have patent? Do we have secrets that’s been transmitted? What’s gonna be the impact? And how can we, you know, what can we do to lower the risk of that?

Patrick Spencer (47:00.172)
And who was it sent to, right? And what access to privileges did they have? So, well, we’re over time on this podcast. This has been a very interesting conversation. We covered about 10 different things, I think, during today’s call. Before we wrap things up, Alexander, how can folks get in touch with VARS if they’re interested in knowing more about your organizations or yourself?

Alexandre Blanc (47:05.253)
Correct. So.

Tim Freestone (47:10.894)
It’s a fun one. Yeah. We’re going to do it again.

Alexandre Blanc (47:24.845)
That’s gonna be LinkedIn. They should reach out and connect for LinkedIn. That’s gonna be simple. And yeah, and if they want to reach and follow me and you know, if they can go through and send through my complaint and rant against Cloud, I apologize for that, but I mean, someone has to do it, you know. Just shake a little bit the staticos. Are you sure this is right? Maybe not. Stuff like that.

Tim Freestone (47:37.922)
Hahaha

Patrick Spencer (47:50.184)
Well, we thank you for your time today. We appreciate our audience as always. If you’re interested in other Kitecast episodes, you can go to kiteworks.com slash kitecast. We’ll see you on our next show.

Alexandre Blanc (48:02.577)
Thank you.