The Good, Bad, and Ugly About AI in Cybersecurity

Patrick Spencer 0:23 

Welcome, everyone to another Kitecast episode I’m here with my cohost, Tim Freestone.

Tim, Hello, how are you doing?

Tim Freestone 0:31 

Good now with the copies in me.

Patrick Spencer 0:35 

We have a great episode ahead of us here. Richard Stiennon is joining us. He is the Chief Research Analyst at IT-Harvest a board member for various organizations such as Sāf.ai, Inc., Quick Heal, and Phosphorus Cybersecurity Inc., and a bunch of others. Hopefully I pronounced all those correctly, Richard, he has a master’s degree in War. That’s a whole War in the Modern Era. That’s a whole separate podcast, I maybe will touch one question on that topic. I’m just curious how in the world he got into that from King’s College in London, Bachelors of Science in aerospace engineering from the University of Michigan. He’s a regular speaker at numerous events, including RSA on the topic of cybersecurity and other technology related issues. We’re excited to have you join us, Richard, thanks for your time.

Richard Stiennon 1:23 

Great to be here. This is going to be fun.

Patrick Spencer 1:26 

So RSA is coming up. You’ve been at numerous RSA events, what do you think is going to be a couple of the hot topics of this coming event? Obviously, those who are watching this will be able to judge because this will be published right afterwards. Right. But what do you think is resonating the marketplace when it comes to cybersecurity?

Richard Stiennon 1:45 

You know, it’s interesting, because we haven’t had much time for the industry to react to the explosion of ChatGPT in the world. But that is going to be the hot topic.

Tim Freestone 1:57 

There. You had my favorite, you hit my favorite topic Richard.

Richard Stiennon 2:01 

Absolutely. Right. It’s most exciting thing has happened since the internet was brought about. And of course, Microsoft beat everybody to the punch, I had a couple of press releases, you know, that were under embargo from vendors about how they were integrating basically the large language model and have a conversational way to interact with your data. And Microsoft, beat them to the punch. Now they had a little extra time. But still, it’s unbelievably fast for Microsoft to do anything. Right. Right. But less than three months, they integrated chat GBT, essentially into there’s security data offering so pretty cool.

Patrick Spencer 2:45 

Yeah the other person gave too.

Tim Freestone 2:49 

The other thing I saw them do, Richard just recently was, is there. Because one of the things is like date data sovereignty and data privacy, and not just your, you as a person using GPT. But the data that you want GPT to that’s query for lack of a better term. But they they’ve created an Azure cloud environment, a cloud storage environment, where you can put your data to ensure that it I mean, as much as Microsoft can ensure this, it doesn’t get doesn’t leak and GPT doesn’t use it can’t store it can’t see it. And you can use that large language model to basically query just your data, right. And I think that’s a big leap for a lot of companies to be able to be much more effective and faster at how they leverage their security info, and security alerts and all those things in a secure manner. Whereas, you know, without that sort of ring fencing of your data that Microsoft is allowing for, you’d be stuck, pretty hard pressed to just trust open AI that your data is secure. Right?

Richard Stiennon 4:00 

Right. Absolutely. I actually had to face that because, you know, I’ve got a platform for researching the cybersecurity industry and everything relies on me, keeping at least, you know, the list of vendors of which are 3375, today, keeping that out of the hands of somebody who wants to just repost it as a spreadsheet somewhere or, or build a business based on it. Right, so, so all of my business’s income depends on keeping that data safe. So how do I incorporate chat GPT so you can query that data. So we just took a few extra steps. And as we pass the data to open AI, we have to keep the vendor name. So open days got open a can get all the data and all the vendors and how much they’re funded and how much they grew. But it doesn’t know who that data lines up with. So

Tim Freestone 4:57 

Things are pretty useless.

Richard Stiennon 4:58 

GPT five will be. We’ll figure it out in a second. So we have to iterate fast.

Patrick Spencer 5:05 

Or it gets harder. Well, I saw it to Tim’s point, there were certain large companies who had banned chat GPT, for the reasons you just specified, because they had employees who were dumping it into the public pool. And they didn’t want their private data floating around in the chat GPT cloud, if you may, in fact, there’s some that there’s like a module in AI PRM, which you’re both familiar with, where you can use that to block your data from actually being used by the chat GPT clouds. So it’s interesting to see all the permutations that are happening in virtual real time. dramas, right? So, Richie.

Richard Stiennon 5:44 

Good, we could go on forever about it. But people are embedding whitespace or, you know, text in white in their documents. So if they show up and somebody queries and it gives the answer, they’ll say, you know, this was created or generated by an AI or something like that.

Patrick Spencer 6:04 

So as you look at AI and cybersecurity, there’s good uses for AI. There’s, there’s no nefarious uses for AI. I assume, as you look at RSA, and you know, where the industry is headed, both are going to happen, right, we saw that, you know, we have guardrails in a chat GPT when it was first announced back in December, you know, no one can use this for cyber-attacks or anything that’s malicious. And within two weeks, people are already using it for that. Now, what do you where do you see that conversation headed?

Richard Stiennon 6:36 

Yeah, it certainly lowers the bar for so called script kiddies, right. And it makes, you know, people who develop exploits and attacks for living makes their job a lot easier. So it’s, it’s taking everybody’s abilities and multiplying them by 100. So now you, you can write your own exploits. You can deploy them and package them, do whatever you want with them with assistance from open AI. And that, to me is just, that’s just what comes with having that power. But it also means the defenders have to stay on top of their game and start using these capabilities. Somebody, somebody posted, oh, my gosh, this is great. I’m going to automate AI to actually send sales emails for me and they’ll be perfectly crafted take into account the recipient and all this stuff. And everybody’s all excited about that in the SDR world. And I pointed out as soon as that starts happening, we’re all going to have products that will answer those emails, and kind of cool, cool, you know, it’ll work out pretty cool, because now the sales bot reaches out to your email bot, and you two will negotiate whether or not you want to move to the next step. And then, you know, the recipient will only be joining meetings that really match what they want to see.

Tim Freestone 8:04 

Yeah, you know, to your point about the good guys have to kind of race the bad guys now with this is, I was at an event with I don’t know, there was probably 50 or 60 CISOs. There. This couple month ago, when I started when I asked a question I said, in light of this, are you looking at your own organization, and thinking about roles that are specifically tailored to leveraging AI models in combat for against the bad actors who are leveraging AI models for the threats, and it was crickets. It was almost as if nobody had thought about the idea that you need to start changing your org structure in light of this, and I can guarantee you there are pockets of nation states that have 50 ai prompt and you’re sitting there building threats to attack now what I what I can’t quite figure out yet is why nothing major has happened yet. Like I haven’t seen in the news or, you know, first malware built by AI GPT attacks Bank of America flattens the entire banking. Like I’m just waiting for this massive wave of problems to come and just still hasn’t yet, which is interesting. If you have any comments on that,

Richard Stiennon 9:28 

yeah, always keep an eye open for those things that you think because they’re doable, they should they should happen, right? When I think of the NSA in particular, who you rarely hear about their exploits, you know, or getting out right? We can name the few cases flame Stuxnet. But you have to assume and you should as a defender that the NSA actually is effectively attacking and exploiting and covering their tracks, and then maybe true for Chinese and possibly Gru and SRV attackers as well.

Patrick Spencer 10:10 

You see anyone in the cybersecurity space Richard, who is tapping into this AI trend, or, you know, like Tim reported, are they still just thinking about it or not even thinking about it, and we have a few early leaders in the cybersecurity space?

Richard Stiennon 10:27 

Yeah. Radware has a Division I can’t remember if I think it’s called Cyber Hawk. Yeah, cyber hawk. And they’ve incorporated GPT into their threat hunting capability. Radware, recorded future announced this already. And then it gets confused, you’ll understand why I think it’s hot cyber, as a standalone vendor, and they too have introduced AI, it’s going to, it’s going to take a while, right? People have to try it out. You know, once it’s introduced to them, they have to try it out, work it into their processes. And you know, it’s going to take several months before people start going, Wow, this is really helping our productivity of our SOC analysts, etc.

Patrick Spencer 11:24 

There’s a plethora of different use cases that will just begin, I suspect, we’ll hear about some of those be press releases and announcements that take place at RSA. But over the coming year, the number of use cases are just kind of burgeoned rapidly, we’ll be able to count them,

Richard Stiennon 11:40 

as somebody tweeted, after chat GPT, you know, hit, you know, after we got to 5 million users, which only took about a day and a half. So he said there are already more use cases for chat GPT and a day and a half. Then there were for all of block chain and you know, what is it 14 years?

Tim Freestone 12:04 

Well, and you listen to any of the pundits in this area, and it’s, you know, some of the people have been doing this since the 80s. They’re also shocked, they had no clue that this was going to happen so quickly. Right? Yeah. You know, six months ago, some Yeah, some of these leaders, I’ve listened to these podcasts, if they were asked, when you could have a conversation with a with an automated agent that hadn’t made any sense at all, let alone incredibly intelligent by the standards of humanity. There’s, I don’t know, 10, maybe 15 years, and it was, you know, six months later, right. So it’s just like, Yeah, I don’t know, everybody’s, everybody’s looking at what’s next. Right?

Richard Stiennon 12:45 

That’s right. I look for evidence that the open AI and Google DeepMind you know, engineers knew beforehand what this would be like, and they didn’t. Right. So. So they were excited about what they had and all this, but they had no idea would find so many use cases so quickly.

Patrick Spencer 13:05 

Or we’ve been talking about AI for a long, long period of time, and the Nirvana never had really been reached until this occurred. So I think everyone had that perception that, you know, we’re still talking about AI. Yeah, it’s not, it’s going to move the ball down the field a couple of yards, here or there, but it’s not going to move it down the field. 40 or 50 yards is what transpired check repeats? Yep.

Richard Stiennon 13:26 

Yep. It’s amazing times.

Patrick Spencer 13:29 

So you’ve been at IT-Harvest for what, five or six years. Now. You talk a bit about the organization. What you guys do you know, what, what your research and tells? What are you looking at?

Richard Stiennon 13:41 

Sure, yeah. So I created it. I have, as you know, with a template from my experience at Gartner, right? It’s It was basically a vehicle for me to do what I love doing, which is talking to people researching the cybersecurity industry, writing in writing books. And but then I did write a book security yearbook, this latest edition. And in the back of it, I posted a printed directory of all the vendors. I think they were 2200 in the first edition, and now we’re up to 3300. And only last year, I realized that, hey, this is something that changes so quickly, the book is a really poor point in time, because, you know, by the time I go to press, you know, there are 200 new vendors and 200 that are going to be acquired. So I need an app to make that data available as fast as it happens. So we built that last year, and it’s totally pivoted, what I guess I’m trying to do. So we are now a data driven analyst firm. So every analyst firm in the world is driven by expertise. We’ve got analysts on board and published research so the analysts spend some time that much but some might have their very busy schedules talking to customers. They spend some time creating this research that they published once a year, which isn’t done the answer to your questions, right? It’s always going to be a last year when Gartner sent out the questionnaire for the Magic Quadrant. This is where everybody’s stood in a point in time, but things change fast. So I realized, especially as we integrate AI tools, this is going to be kind of a new version of the industry analyst’s business model. Interest, so

Patrick Spencer 15:33 

you have chat GPT, or AI capability built into the app that you’re using today, right, based on

Richard Stiennon 15:39 

that are correct. Yeah, you can you can converse with the data, single vendor or all the vendors so you can ask it, you know, how is the application security market faring in the bay area or something like that?

Tim Freestone 15:53 

No one wants to, it’s on your website.

Richard Stiennon 15:57 

Yeah, if you’re on the website, just click on dashboard, and you’ll get to it. But big, you’re going to hit a paywall really fast.

Tim Freestone 16:04 

Yeah, okay. Got

Richard Stiennon 16:07 

monetized. Yep.

Patrick Spencer 16:09 

Yeah, you do an annual report. And then the data is in virtual real time that feeds into the actual app,

Richard Stiennon 16:16 

right? Yep. Yeah, we update the data, headcount and funding at least every month for all 3300 vendors.

Patrick Spencer 16:26 

And your win is the 2020 References early wins your 2020 3d report coming out.

Richard Stiennon 16:33 

So the security yearbook 2023, should come out in time for Black hat. Some July, and then July timeframe. And then I’m not ready to announce this because I haven’t signed the contract. But I’m going to turn over the fifth edition to a publisher. And they’re going to take it globally. So it’s going to be fun.

Patrick Spencer 16:55 

That’s great. So anything that you can talk about beyond ChatGPT that you’re seeing that is resonating in the marketplace? And maybe a preview of what we might find in the 2023? yearbook?

Richard Stiennon 17:10 

Yeah. First of all, the kind of the picture of how we did from an investment standpoint, last year, almost $17 billion invested in cybersecurity companies last year. But you compare that it was Yeah, interesting. Yeah, yeah. And I, you know, as I finished the chapter, of course, I pretty much posted to my substack. So you, you know, you won’t have to buy the book, if you just go to the sub site, other than the fact that I’ve got interviews with founders and pioneers in the industry, in the book. And this year, we’re adding Eva Chen, who is the, one of the founders, and now CEO of Trend, Micro. Marty Rash, you know, founded Sourcefire. So we’ve got all their stories in here, because I’m trying to capture the history of our industry while every other pioneers are still with us. Right, they can still talk about and are excited to talk about what they did.

Tim Freestone 18:11 

Yeah, with, with all that funding, the I mean, especially the past five or six years, I’ve been thinking about how hard it’s got to be to be a cybersecurity professional at any company, right now, from many different angles. One is just being bombarded by people like me and my team to get the attention. So it just becomes numb. And that causes you to miss things you need to see. Right. And so, how do you know do you have any insight there on, you know, in your circles, what cybersecurity professionals are doing to make good well informed decisions and not miss the trends in the market? And, you know, it’s just a tough question to answer. I know, but it’s yes, it’s, it’s getting worse and worse.

Richard Stiennon 19:03 

And I’ve thought about it. And I see this gap developing because, you know, for years and years, large companies especially you would just have a relationship with Gartner, Forrester, IDC. And the decision processes were slower, right. It’s like, should we use IBM or Amdocs? That’s, that’s what Gartner was founded was to answer that question. And so there are only a few major IT questions to ask. But now, you know, there are 3000 cybersecurity companies. There are 15,000 FinTech, cybersecurity, or FinTech companies. And, and I don’t even know how many you know, market automation. Companies are alright, it’s just unbelievable how much there is to discuss. When I see most CISOs think that they’re experts on the industry. Quite a few of them want to be industry analysts, so they even start their own industry analyst firms. They think because they’re talking to vendors every single day, that they’ve got a complete picture of the industry, they don’t. You can’t talk to as many vendors, as an industry analyst does, that’s their sole job is to understand what’s happening in the industry. But you can’t ask everybody to go spend $70,000 A year and a Gartner relationship. And even if he did, he couldn’t get the analyst time, because it takes three months to schedule a call. So I’m hopeful that the, you know, the gap will close thanks to AI. So you’re available, you know, so you can at least get rather than when you’re looking for new products, wait for Gartner Magic Quadrant to come out, which could lag three years behind the development of the technology. I want to know all the, you know, data security posture management vendors, and then I’ll, you know, my team will go talk to them and are, were picked the ones that aren’t in China or Vietnam, you know, that, that we know we’re not going to do business with and narrow down the list and look at the ones that are growing which indicates that they’re got they’ve got happy customers and get a proof of concept from the top three. That’s why it should.

Tim Freestone 21:30 

Yeah, I didn’t want that to lead into the answer being well, AI will solve it. But it sounds like

Richard Stiennon 21:35 

it won’t. It won’t quite solve it. Because there’s a there’s a place for curation and expertise. And that’ll still be there for two generations of AI. Who knows what comes next.

Tim Freestone 21:50 

But it is a good answer, though, to think. And I just hadn’t thought about it. But you know, the idea of being able to query at least a good section of the market, and then be able to have it, you know, give a consolidated view of customer reviews across multiple review sites, and then negative and positive sentiment analysis and you can kind of curate it down to like five, and then you have to do your due diligence. Right. But you really did. I guess skip past the Gartner process, I guess. Look at it.

Richard Stiennon 22:26 

You know, it’s difficult with unfortunately, you know, Gartner has got a review site, and there are four or five other ones for enterprise products. Unfortunately, as soon as those review sites become popular tools, then the vendors game them to just pump it up for us. Yeah,

Tim Freestone 22:45 

we’ve never done that. Patrick, have we of course.

Patrick Spencer 22:53 

Speaking of trends in the marketplace, we’ve seen this intersection, Tim spoken about this a couple different events. I’ve done some webinars on the topic. So if he this confluence between compliance, as well as cybersecurity, there’s an overlapping, you know, as we see all the cyber-attacks and breaches take place, there is a reaction in the marketplace, whether it’s at the government level, or it’s at the industry level, to implement different compliance standards and regulations to hopefully avert event, though, from happening in the future. You know, are you seeing, you know, a closer integration between those two? Are the security vendors talking about them? Are the security leaders like CISOs, CIO’s and so forth? Are they looking at compliance and cybersecurity as being in the same bucket? If you make

Richard Stiennon 23:44 

Certainly falls into the CISOs responsibility, right? And compliance is a little more annoying than pure cybersecurity. Because your, your, your site, here you go, here’s the list of things you have to do. And there’s a time schedule, then they have to be done by the time we audit. In point in time, you must be compliant after that you got 12 months or two years before you have to read comply, right? But that means there’s budget it there’s also board, you know, support for it. Hey, we you know, we’ve got 10 customers, you know, we’re kind of in in purgatory with them because they’re waiting for us to be ISO compliant. So okay, where’s our ISO program? Who’s going to lead that and let’s, let’s do that. As and now, you know, sometime this month, the SEC supposed to issue its guidance, recommendations and cybersecurity reporting for public companies. Don’t forget the SEC also regulates private equity and hedge funds. So they too are going to enter this this space. I’m actually getting people reaching out, who sit on boards, you know, CFOs of very large companies saying, Hey, I’m thinking I should get educated on cybersecurity, you know, which is a great sign, really, really good sign. So, you know, I am always happy that compliance drives investment and thinking about security. And lately, the, you know, the, even though the compliance is a long path from a problem arising, government reacting going, Oh, my God, this is a horrible, you know, a pipeline company suffered from ransomware, how do we solve that come up with some guidance and requirements for those parts of the world that they control in that eventually works its way into a regulation or a compliance regime, but it takes up to 10 years for that to happen. So it’s, you know, but, you know, the best compliance organizations that I know, look ahead, you know, okay. What is going to happen, you know, in this compliance regime, a year from now, what’s the current draft look like? Should we comment on that in trying to influence the direction of it? Or we’re moving into Singapore? Or the Philippines? What are their privacy requirements? Regulations? Oh, my gosh, we go to jail, you know, the CEO could go to jail if they violate some of these things. So there, you have to have that view around the world to those

Patrick Spencer 26:38 

countries with different data privacy regulations in place today. Number?

Tim Freestone 26:44 

Yeah, the, the I was going to say, oh, it’s interesting, because for me, cybersecurity, least in the last five years, has kind of been table stakes. But also, it’s been a potential business problem. But compliance is a definite business problem. Right? You know, what I mean? That’s why like, boards are starting to come out of the woodworks because if you don’t, for sure, there’s a stick with money behind it, that’s coming your way. Whereas, you know, security is, maybe you definitely need to do some security, but just the imminence of compliance and that stick of fines and penalties, and that’s a business problem, you can’t kind of dance around, right? So

Richard Stiennon 27:31 

it’s, it’s a lot easier to sell to, because you can say look at, you know, here’s your value proposition, you, at the end of spending all this money, you will be able to show that you’re in compliance, all the, you know, purely defensive, you know, proactive cybersecurity solutions, say look at, you might be attacked, and you might suffer a major breach, and you deploy all this stuff, and we’re going to reduce the possibility of that, we’re not going to eliminate it, you know, it’s always possible. But, but you can’t measure how much you’re going to reduce it, it’s really hard to do that return on investment calculation.

Tim Freestone 28:12 

Right, you say do try to do the return on investment calculation, but it’s generally try its

Richard Stiennon 28:18 

best. Yeah, I’ve been helping build some of those models. And, you know, you have to rely on look at a breach costs, according to Parliament costs three and a half million for your industry sector. And we’re only asking you to put up $100,000. And we’re going to reduce that breach possibility.

Patrick Spencer 28:37 

Cybersecurity insurance companies are still trying to figure out the that equation, right, or the insurance companies need to understand what that risk looks like in a, you know, they keep increasing their premiums, because I don’t think they’ve, they figured it out yet. And they just go back on the standards, we sort of see NIST as being one of the frameworks that is the most proactive that’s looking forward. In terms of, you know, if you do these things, then you really are going to mitigate your risk associated with these cyber-attacks that could actually target specific vulnerabilities within your environment. Is that the one that you you’re seeing take hold in the marketplace? Are there others? Do you have an opinion on that front?

Richard Stiennon 29:23 

Yeah, certainly here in the US. It’s completely taken hold. And I credit that with one, it’s, you know, it’s free and open, unlike a lot of standards that got to pay $75 Just to get this stupid PDF. And, and it’s flexible, right? It’s, it’s very generic, you know, just these are the things you got to do and, and they moved a little bit away from the risk management language. You know, as has, you know, this current administration has totally moved away from talking about risk management, right. They’re talking about real detail, how do we get to where you are using multi factor authentication and doing all these things?

Patrick Spencer 30:11 

When we look at what they’re targeting, we believe data, you know, they’re sensitive to an organization’s sensitive content and the communication specifically from point, are being target targeted by cyber criminals and all these rogue nation states. And you look at the data, like I just looked at the new in trends Mandiant report, it showed that data obviously is a key target there. I don’t have the data, like 22% of the initial infection vectors was related to the data. That and we’re going to have the Verizon data breach investigations report come out next week, I suspect it’s going to corroborate the same the same narrative. What’s your opinion in terms of what do you need to focus on as organization? Or what else do you need to focus on. And as an organization, once you get beyond the network, once you get beyond the applications, once you get beyond your workloads? Is content the next area that everyone needs to lock down and make sure that they have protected?

Richard Stiennon 31:14 

Yeah, and I don’t think that’s a future thing. I think that’s what it’s always been. Right? That was what are the oldest, as I started to write the history of the industry, I realized, hey, there’s plenty of history in the encryption world, in some, in many, many books on it, you know, no books on the history of the rest of the industry. So I, you know, cover the history of encryption, but that, you know, it’s, it’s amazing, we have the capability to completely lock down and control who has access to our data. It’s just really hard to work out. And it’s, you know, the play, they, you know, okay, we’re going to encrypt everything, alright, but you probably shouldn’t use the same keys to encrypt everything. And you have to rekey encrypted data on a fairly frequent basis. You know, once every two or three years, we’re facing that, you know, kind of looming occurrence of quantum computing that will force us to re encrypt everything really quickly. And so we’ve got the basis, we know how to do it, just like, you know, we used to know how to protect the network, right? You just close down all the ports, except for, you know, four or five of them, and then inspect all the traffic after that piece of cake. And yet, here we are, we still don’t do a good job of that. So that’s I do look a lot at anybody who’s in the key management space, how are they going to do that? And then anybody who, who can get down to the granular permissions, because you know, you create a document, if I posted this to substack, I want everybody to see it. And I’m not going to ask them to, you know, decrypt it first, right? I don’t need that step. But if it’s a private communication, then it should be encrypted. But how do I determine who gets to use it? And it’s less valuable in an organization if it can’t be shared internally? So how do you make it completely shareable by anybody in the organization? But if they download it, and send it out, you know, then it’s not readable? That’s a difficult, very difficult problem.

Patrick Spencer 33:20 

The problem? Yeah, Richard, I

Tim Freestone 33:21 

have a, I just, I have a, I have a solution for that problem. That’s called Kiteworks.

Richard Stiennon 33:29 

What a coincidence. Shameless plug. Yeah, yep. Exactly. That’s, you know, so it’s a great, great problem to tackle. Obviously, it’s a hard sell. It’s a hard sell. Because, you know, your prospects are going to say, wait a minute, why do I have to protect everything? Well, there’s only these few things, you know, the crown jewels really need to be protected? And the answer is because you don’t know what the crown jewels are. You cannot determine those by getting your team together and said, What’s the most valuable asset and how you know, what would happen if it was stolen? You can’t do that because the attacker is the one who determines what your crown jewels are. My favorite example is RSA who reading between the lines have apparently generated the secret seeds for the RSA secure ID token and stored them in a hope it’s a database but it could have been a spreadsheet because Yeah. And you know, they thought well, it’s important but man, if even if somebody has a secret seed, it will be almost impossible. They even told the SEC, it will highly unlikely that anybody could use these but that’s what China wanted and that they had a multiple teams working on that project. Get me all those secure ID secret seeds, and they did and use that to attack lackey who was actually the target RSA was the target. They just had the means to get there.

Tim Freestone 35:02 

Yeah. You bring up. That was a long time ago, I forgot about that.

Richard Stiennon 35:08 

That probably wonder 10 feels like yesterday. Yeah,

Tim Freestone 35:11 

yeah, RSA turned that entire event into a good roadshow basically talking about what happened, how they, how they were resilient, and how they bounce back lessons learned all those types of things. It was it was a good example of turning something really, really awful into lesson learned for the industry. Right?

Patrick Spencer 35:35 

Where do you see it? He talked about, it’s kind of hard to ascertain. What are your crown jewels? What is since the content? Where do you see this concept of data classification and being able to classify your data, maybe it’s an AI issue in an automated manner. So that, you know, you can’t share that to third parties who shouldn’t have access to it, you can’t share it to internal folks who shouldn’t have access to it based on how it’s classified, when you see certain organizations maturing in that space.

Richard Stiennon 36:07 

I haven’t seen much progress, because, you know, we, we had the capability with so called data leak prevention solutions to do something like that, right? The early ones would be to two parts to them, they’d have a network thing that back when there was a single perimeter. And they would monitor all the traffic both ways. And if they ever saw, you know, sensitive information or whatever, they would block it. And they could do it too. They’d go to all your data stores, and they would take hashes of all the little tiny segments, they have huge libraries of hashes. If anything ever matched, then you could block it. Nobody deployed that they may be deployed it in looking for things you could find with a regular expression, right social security numbers, identifiers health records, or they set it on alert, you know, without blocking so they could tell you after the fact that a breach happened. So it’s, you know, that it’s just because of that heavy lifting in the, in the dispersal of the problem to, you know, very, very large surface area, same and also all

Tim Freestone 37:19 

the things that they would throw up and block stuff that shouldn’t have been parked. It’s not an easy solve, obviously, an entire industry failed at it, basically.

Richard Stiennon 37:30

Yep. And you know, when you when you think about false positives, if you know, world security people and we like we’d rather have a false positive or a false negative. Yeah, we don’t mind that. Sometimes an administrator has to go in and fix a problem for a user. But it’s not the case with the user. They like, why the heck didn’t you let me send this file as part of my job.

Tim Freestone 37:58 

And it becomes really important when it’s the CEO stuff that gets blocked, that they say, a board or

Richard Stiennon 38:04 

whatever, or, you know, in the military if it’s a two-star, you know, they will not allow it just like somebody could get, I don’t know what the punishment is in the military, but not put up for promotion. If you were the one who, who blocked telnet on your network, which I still use inside the Pentagon.

Patrick Spencer 38:26 

You do a lot of board work, Richard, the dates back a number of years, we’ve had a lot of discussions around boards need to have a security expert on them need to have an advisory board, at least that looks at cybersecurity. What are you seeing transpire in that space? I suspect that’s why you’re on some of these boards in the first place. Some of them are entrepreneurial startups, based on your LinkedIn profile. Where are things headed there? What should organizations be paying attention to when they decide who’s on their board and who isn’t on their board?

Richard Stiennon 39:00 

First of all, I’m not on any boards because of my cybersecurity expertise. I couldn’t be I’m on board because of my industry expertise. So I can tell you all board meetings I’ve been at security has not come up once. Why really ever, ever, never comes up? So now mind you, these are security companies. So they’re, you know, they know what they’re doing already. But I suspect that’s the case across the board. The, you know, the ÇISO gets called in once a year, maybe once a quarter, to report on status and ask for more resources. And I think that you know, I would like to see that change. The SEC requirement apparently is going to be that the public companies must report the security expertise of any board member, which, you know, that sounds like a two edged George, do you want to say, hey, this board member spent some time as a CISO? Or something like that? Or is it better to say nothing, right, we don’t have any experts on board. So you’re not going to pin anything on any of the board members. That the one thing I’d like to see changes the way CISOs communicate with boards, because they, that’s part of their role. And I want them to stop using the business language, which is what everybody has told CISOs to do for 25 years I’ve been in this business, obviously, it’s not working, right. And the message is not getting through, if you step into a bar, and you start, you know, quantifying everything and risk models, the speaking the CFOs language, first of all, you have to learn their language, which is a secret language that they hold tightly. And once you’re communicating, and that they know exactly how to counter, right, they said, Okay, we’re going to buy insurance to cover that risk. But, you know, I know when I talk to security experts, people who are actually doing the research and countering exploits, they go way into the weeds, and I love it. And I think that that’s how you should talk to the boards go into the weeds, mystify them with your language, spread fear, uncertainty and doubt, because, you know, you’ve got to live with that, you should share your fear. Because boards, you know, are just people that, generally they are old white guys. And they, they don’t make these considered decisions based on all the facts and all that. So they’re just old white guys sitting in a boardroom relying on their personal experience from past things that they know. And spouting off opinions, and the person with the strongest personality wins. And so therefore, you have to, you know, get them in their emotions, get them to feel that their company has some critical stuff in this group sitting in this building in Beijing, once that critical stuff, and they will stop at nothing, even, you know, hiring your employees away, or hiring somebody into your organization to steal it. So they go, Oh, my God, what can we do to stop that from happening? We don’t need that.

Tim Freestone 42:30 

That’s probably the wisest, most candid response I’ve ever heard about how to manage a board. And it’s 100% accurate, because everybody’s been telling the CISOs to talk business models and in how you described every board member is 100%. Think they’re looking at the if then factors of the spreadsheet, and they got 40 years of experience. They trust their gut, hit the gut, right?

Richard Stiennon 43:04 

Yep. Hit the gut wise. That’s a good way to say it. Yep.

Patrick Spencer 43:08 

There’s actual organizations out there that have been set up to train CISOs on how to use business language, which is ironic, right? And it’s not working to your point.

Richard Stiennon 43:17 

Yeah, not working at all. I understand the FBI has a really cool program at Quantico. It’s three days, and they actually, you know, teach the CISOs about, you know, cyber-attacks and stuff like that sounds really cool. And the third day you go to a shooting range.

Patrick Spencer 43:42 

Well, we’re about out of time, Richard, this has been a fascinating conversation. We span the spectrum in terms of topics and our audience certainly is going to find this interesting. We need to do this again. I really, absolutely.

Richard Stiennon 43:54 

Yeah, we can talk about warfare.

Patrick Spencer 43:57 

Yeah, exactly the podcast element to your, to your point, once again, for our audience, for those who are looking for more information IT-Harvests and how they can access your app as well as the security yearbooks. Where can they go?

Richard Stiennon 44:12 

Oh, just head on over to find me on LinkedIn. Because I’m constantly posting what I’m doing there, find my substack Stiennon.substack.com And of course, you can go to IT-harvest.com.

Patrick Spencer 44:25 

That’s great. Well appreciate your time. For those in our audience who want more Kitecast, you can check us out at kiteworks.com/kitecast. We’ll look forward to having you on our next podcast. Have a great day. Thanks.