Cyber threats continue to increase and the tactics and tools available to threat actors grow more sophisticated, but the challenge for companies remains the same: how to quickly and effectively remediate security vulnerabilities without crippling the business.

In short, the volume of changes introduced by trying to address all possible threats is too great. In 2018 more than 16,500 vulnerabilities were identified and reported by vendors across the industry, but only a small percentage had an actual exploit available AND an even smaller percentage were weaponized.

So how do you know where to focus your efforts? Get best practices from a panel of experts in risk-based vulnerability prioritization and hear from an IT security professional at a major packaging materials company on how their organization structures their security strategy accordingly.

Enjoy the video presentation and accompanying transcript below, brought to you by presenters Steve Morton (CMO, Ivanti), Phil Richards (CISO, Ivanti), Ryan Layton (CEO of Secuvant), Pete Green (vCISO, Sirius Computer Systems), and Dan Anderson (CISO, Lifescan).

Cybersecurity Summit - CISO Session - Ivanti

TRANSCRIPT

Steve Morton: Hi folks, and welcome to the CISO panel. My name's Steve Morton. I'm the CMO here at Ivanti, and I will be adding the least amount of value of anyone at this table, which is normally my MO. Over here is Phil Richards. Phil is the CISO here at Ivanti. We also have Peter Green, the Virtual CISO, the small "v" CISO at Sirius Computer Systems.

Peter Green: Little "v," yeah.

Steve Morton: Yeah. We'll ask you about that in just a minute. Ryan Layton is here. He's the CEO at Secuvant. Did I say that right?

Ryan Layton: Perfect, nicely done.

Steve Morton: All right. See, I'm getting better every time I practice it. Also, Dan Anderson, who is the CISO at Lifescan. Welcome guys, thanks for joining us for this discussion.

Dan Anderson: Thank you.

Steve Morton: We're just going to bounce ... We're going to have a real conversational, just kind of talk about what it means to be a CISO. Maybe we'll start off a little bit about understanding how you got into the business. Maybe a little bit about the company. Dan, why don't we start with you.

Dan Anderson: Okay. Getting into the business, long-time security practitioner. I have my roots in the Air Force, where I got my interest in security. Then many years in healthcare, IT security. Local Utah native, grew up here. Most of my training has been done here, and then all over the world with different companies.

Steve Morton: Did you get assigned to security while you were in the military then? Is that how you got started? Started to pick it up?

Dan Anderson: Mm-hmm (affirmative), yeah. That's where I first got started.

Steve Morton: Yeah, and took it to the private sector. What does Lifescan do?

Dan Anderson: Lifescan is all about diabetes care. We manufacture blood glucose monitors, and so we help patients manage their diabetes.

Steve Morton: Yeah, yeah. What did you think ... I listened to a podcast recently about, was it [Thorzon 00:02:02]? What is the blood diagnostic company that really turned out to be a scam in Silicon Valley? Have you seen that?

Peter Green: Oh, yeah. Right, right. I don't remember what it ...

Steve Morton: You guys are legitimately bringing care and changing people's lives with the way that they manage diabetes.

Dan Anderson: Yeah, absolutely.

Steve Morton: What is the "v" in, I mentioned, Peter, that's "virtual," has a small "v." I've never heard of vCISO before.

Peter Green: A little "v," yeah. Maybe we'll get into a discussion about it but in the security market, especially in consulting, it's difficult nowadays to find the right mix of experience and deep skillset, more of like on an operational level. The "v" is I'm virtual.

Steve Morton: Yeah.

Peter Green: Yeah. It's-

Steve Morton: You literally will bring practices to multiple companies. You may not sit in their office every day but you're providing that?

Peter Green: I'm not sitting in their office every day, but occasionally come onsite. It's good to have those connections, the personal, face-to-face connections. Otherwise, I just make people turn on their cameras so I can see them-

Steve Morton: Oh, really?

Peter Green: ... and that they're actually paying attention, and that we've got eye contact, and so that's the "virtual."

Steve Morton: You don't consider that to be a security breach in and of itself by having video open?

Peter Green: We've got NDAs.

Steve Morton: Okay. That's right. Ryan, nice to have you here.

Ryan Layton: Good to be here.

Steve Morton: CEO, and yeah, tell me a little bit about your business, and also give me a little bit of background about how you got into this space.

Ryan Layton: Yeah, absolutely. Secuvant is a, we're a managed security service provider, so we work with mid-market companies, small enterprise companies. Mostly, those that are struggling with budget and they just don't have the capability, the budget, the resources to be able to hire the right resources, hire or acquire the right tools to be able to put a security program in place that has the maturity that it needs for an organization.

Ryan Layton: We're a great outsource option to be able to help customers really move their security forward. We do the monitoring, the technical side. We also do the risk management side, so we use people like Pete in the vCISO role. We have people that work with us, and have relationships that we can provide that type of service for the mid-market companies.

Steve Morton: Yeah. The mid-market, specifically.

Ryan Layton: Mid-market and small enterprise, yeah.

Steve Morton: I'm going to talk about that when we start to talk about the talent shortage, and where people can ... I mean, a lot of big companies can afford to go get those expensive guys, but mid-market is an underserved market, I think.

Ryan Layton: Yeah, it is. It really is.

Steve Morton: Phil, what do you do over here at Ivanti?

Phil Richards: I am the Chief Security Officer here for Ivanti, so that includes both physical security as well as IT security, which is great for-

Steve Morton: Is that new? How long have you been doing that?

Phil Richards: Since I got here, since I got here. Been doing the-

Steve Morton: I did not know that, Phil.

Phil Richards: Yeah. I do things like the evacuation plans and that kind of stuff. That's actually been really nice, since Ivanti, of course, is putting together a new building, and so we're making sure that the right infrastructure's in place for that as well as, obviously, the IT security components.

Steve Morton: Yeah. I'm going to ask a broad question to start. Now, you guys have, obviously, been in this space for a long time. Is it getting easier? Are we getting ahead of the game, or are we falling further behind in security as a practice and, realistically, what we need to do? What would you say? What would you guys guess?

Dan Anderson: [crosstalk 00:05:26] It seems like we're getting ahead in that there's more awareness, so people are more aware. You see breaches every day, all those things happen. It feels like we're getting ahead because there's more awareness, more emphasis on security. While on the other hand, it feels like we're always behind because we're always trying to keep up. We're always learning, we're always ... You can never really stop learning in this space.

Peter Green: Yeah, yeah.

Steve Morton: What would you say?

Peter Green: It feels like most days, one step forward, two steps back.

Steve Morton: Yeah?

Peter Green: Yeah. I mean, because it's a constant barrage of different things, a variety of things.

Steve Morton: Is that because the attacks themselves are morphing? Is it because they've got more money than us?

Peter Green: Persistence, money.

Phil Richards: I think it really is kind of a, somewhat of a leapfrog kind of an idea. Because just take, for example, ransomware. We kind of thought ransomware was dead and gone about a year and a half ago, two years ago. Now it looks like a lot of criminals are making focused, targeted attacks, from a ransomware perspective, to specific companies or organizations or industries. We've seen them attack service providers for like dental offices and things like that.

Steve Morton: Yeah. My doctor's office sent me a note just last week that said that they didn't feel any of my information was compromised, not that there would be anything interesting in there anyway, but that they had to respond to a ransomware. I'm pretty sure ... I'm going to ask my physician next time I see him if they paid the ransom, but I suspect that they did. Right?

Peter Green: They do. They have to, sometimes.

Steve Morton: It seems like these guys are, to your point, being much more targeted. They'll go after very specialty attacks, as opposed to the graffiti, "I was here," or even some of the broader attacks. They're going to those not well-documented, not well-protected environments. I got to think that's how maybe your company can make a difference here as well. They're not going to get that expertise, where the doctor is the most knowledgeable about the network.

Ryan Layton: Exactly.

Steve Morton: It may have to be a guy like you.

Ryan Layton: Exactly. I'd also add, I'll add to your previous question as well that I think when you look at the size of the negative unemployment that exists today on security practitioners, in my opinion, that's the indicator that we're behind. Right?

Steve Morton: Yeah. Interesting.

Ryan Layton: If we have that many open positions that need to be filled, we're behind. I think the other challenge that we have is that innovation's always going to outpace security, so we're always going to want to try to leverage new technologies, a lot of times, at the expense of security. Hopefully, what we're doing is we're getting, Dan, your point, the awareness that as we're innovating, that security's built into that practice. It's even worse, to your point, it's exacerbated with the mid-market because they just don't have the resources-

Steve Morton: Sure.

Ryan Layton: ... to be able to do it. Their whole focus ... They may not have risk management programs, generally, in place. Their whole focus is trying to get product to market.

Steve Morton: Sure.

Phil Richards: Trying to get operational.

Ryan Layton: Yeah. Get operational.

Phil Richards: Security does tend to fall by the wayside-

Ryan Layton: It slows it down.

Phil Richards: ... from an Operations perspective.

Steve Morton: That's an interesting question. How do you manage the desire of the growth of the company, and the innovation, and moving at a fast pace with balancing that risk management?

Steve Morton: How have enterprise risk management strategies kind of morphed over the past few years? Is it leaning, again, back towards solving business problems, or accelerating the business, or allowing the business to go? Or do you think the pendulum's in that, "Let's lock things down" kind of mode right now? What would you say?

Phil Richards: Well, I come from financial services background, and financial services used to be really focused on kind of what I would call the point items, the checklist sort of items from a security standpoint. They have recently switched over to being very enterprise risk-based.

Phil Richards: Rather than saying, "Here's the 150 things that you have to do," what they're saying is, "You need to have a risk management program that prioritizes for your organization what needs to be done and what the order needs to be." That's a big change for the financial services organizations, and I think the rest of the industries are kind of moving in that direction.

Steve Morton: Those big financial guys, you're going to get the talent there. You're going to have, the best and brightest are going to go to Fidelity in this market.

Phil Richards: Sure.

Steve Morton: Maybe present company excepted, of course. I mean, they certainly can afford to hire those guys. Right?

Peter Green: Sure.

Steve Morton: How does that come down to a company that's focused on diabetes care? Are you able to hire the people that you need, or how are you staying in front of that?

Dan Anderson: Slowly. Part of it is working with leadership, articulating the message, talk about risk. Then the way to get funding and resources is prioritizing and going after the most important things that can give you the best value for what you have to spend. It's always challenging when you have ...

Dan Anderson: I like to say this is, Lifescan's, it's like a well-funded startup. It's been running a long time. It's been around a long time, but we're kind of brand new to having our own company, so we're learning all those processes and helping the leaders figure that out.

Steve Morton: You got to have even a greater amount of pressure when you're talking about people's healthcare information. I mean, any electronic medical records, any of that type of stuff. I mean, that's high-risk stuff. Right?

Dan Anderson: Yeah. We have all those pressures, and we have Russia and China offices and places that we have to-

Steve Morton: Oh, interesting.

Dan Anderson: ... to worry about protecting information a little bit differently, because in those countries, they have to have their data stay within the country.

Steve Morton: Yeah, sure. Yeah, interesting. As a marketer, we're dealing with GDPR and all the issues around that. Has that made its way to the States do you feel? I have my opinion. Is part of your practice focus around GDPR?

Peter Green: Yeah, absolutely. I mean, it affects us because our customers do business globally, the ones that I work with. On any given week, I could be working with five to ten customers, virtually, and just trying to work on the program, programmatic aspects of, "How are you covering yourself in maybe 18 different domains, if we're talking ISO?" Ransomware, it's so interesting that a lot of these customers that I'm talking about, and GDPR covers privacy, and so they're very frightened to have-

Steve Morton: Sure, yeah.

Peter Green: ... any of their customer information out there, and so they're doing the cyber insurance thing, and then paying the ransomware, and they have to sometimes.

Steve Morton: Is that your recommendation?

Peter Green: I don't recommend that. I recommend that you have a good backup strategy, and that you can restore your data in a timely manner, and that it has integrity, it's the data that you stored originally, but that's difficult. It's not easy. It's easier said than done.

Phil Richards: It really is, it really is challenging. Ransomware, in particular, has this nasty attribute that it infects a machine so in order to get rid of it, oftentimes, you have to re-image a machine. If you're talking about doing that across thousands of machines, virtual and physical machines, you have to do those re-images before you can restore files-

Steve Morton: Interesting.

Phil Richards: ... So you're, oftentimes, several days out from being able to, to be up and running 100%. What Pete's talking about is you need to have a prioritized set of what systems have to be restored first, what systems get restored next, and that kind of thing, in order to maintain some sort of a disaster recovery kind of capability. It is really challenging. It's a lot harder than it sounds just to say, "You got to take a backup."

Peter Green: It's a lot harder. I mean, and companies are facing that difficulty because of their mix of storage. They're in the Clouds-

Steve Morton: Interesting. If they're in Cloud or in their private Cloud or in a big center- [crosstalk 00:13:22]

Peter Green: ... All of those places. In one of my business classes, my professor said, "Pricing is the most difficult thing that you'll ever do as a company."

Steve Morton: Sure.

Peter Green: Because you don't know really where that price point is until you test it. These ransomware gurus, whoever they are, are figuring out that price point.

Steve Morton: Interesting.

Peter Green: The companies are going to say, "You know what? That's too much."

Ryan Layton: "I'll do it, I'll pay it."

Peter Green: "I'm just going to pay it."

Steve Morton: Yeah, interesting. Again, there's a good argument for an MSP security strategy there for, especially for that mid-market, that you're just not going to grab those guys.

Steve Morton: I want to ask you about the connection or disconnection between security and operations. One of the things that surprises me, having been in this business a while, is how inaccurate people are in guessing the number of devices they have in their environment. It seems like that's a pretty basic thing to understand. Would you be able to have a pretty good guess of what your environment ...

Dan Anderson: Inventory's rough because we should know what equipment we have, we should know the people we have. On any given day, it's really challenging to know those things. We have contractors, we have vendors, we have employees, we have all those things happening.

Phil Richards: Virtual machines.

Dan Anderson: Virtual machines, and so while all of that is happening, it's very dynamic. To really have a good view in that is difficult.

Steve Morton: One of the first steps you do as you go into a company is figure out what they have?

Ryan Layton: We have to understand the baseline. Right?

Steve Morton: Yeah.

Ryan Layton: You have to understand what they have, and again, the challenge, to your point, is you think it's hard in the enterprise because of the quantity. In the mid-market, small enterprise, it's a problem because they just don't have the resources to be able to do it. Right?

Steve Morton: Right.

Ryan Layton: It's just not, it's not a priority and so-

Steve Morton: Is there a higher preponderance of personal devices in mid-market companies as well?

Ryan Layton: As far as personal ... Nah, I wouldn't-

Steve Morton: More iPads, more phones, all those types of pieces that are potential attack factors?

Ryan Layton: I wouldn't ... Not that I ... No, I wouldn't know a difference either way. I think the key though in both cases, it's just a really hard, hard challenge. It's the basic function of security is knowing what you have, where you can't secure it and it's, I think, where we're probably missing the most. [crosstalk 00:15:43]

Phil Richards: It's really interesting. NIST, who's the governing body, who comes out with a lot of these standards-

Steve Morton: Sure, yeah.

Phil Richards: ... in terms of what you're supposed to put in place, their configuration management baseline, which is called CM-2, says that a configuration baseline requires you to have a current and accurate snapshot of your hardware and software inventory, and that that needs to change and be reflected as being accurate at all times. The way they say it, it makes it sound like it's really easy but it's not easy.

Phil Richards: You have to have active discovery as well as passive discovery of devices. You have to have a process that captures new machines and devices when they show up on your network, and it is able to catalog and categorize those pieces. Having that at an enterprise scale can be very, very challenging for a lot of organizations.

Steve Morton: Sure. How about you, Pete? When you become a virtual CISO on some of these accounts, how far along are people in getting that basic understanding of what they have?

Peter Green: Honestly, I think they've blown past it, just because out of necessity. They're trying to look at their top three, top five, and so they're focused on some of the things that we were talking about before. Protecting the crown jewels, and trying to classify data so that they know what data they even have. It's a little alarming how underserved asset management is.

Steve Morton: All of you, do you work closely with the Operations team? Is your role as CISO really the thought leader and the policy maker, as opposed to the implementers and people that would find inventory? What's that connection like between the Operations side of the business and a CISO?

Ryan Layton: I can, I speak to the mid-market. The mid-market's interesting because in most cases, they don't have a CISO, and they have an IT Manager or IT Director that reports, probably, to a CFO or a COO. That person is functioning as the Director as well as the Security.

Steve Morton: They're doing both roles in that case.

Ryan Layton: They're doing both roles, and that's always a problem because you've got this conflict of interest. You've got, you're always sacrificing one. You're sacrificing operational efficiency, you're sacrificing operational performance or time to market, whatever, when you throw in the security layers, and so you're pulling budget away, you're pulling time away, you're pulling resources away, and you put these Directors in a really hard spot.

Ryan Layton: They have to make decisions, one versus the other, and that's never a good thing. We recommend, to solve that problem, that you have to form a governance committee that pulls executive people in, that pulls the IT folks in and, hopefully, if they have a Security. If we can do that, we've got a much greater opportunity to be successful in helping manage that Operational versus Security challenge.

Steve Morton: Are they the same person inside of Lifescan? Do you have separate and clear responsibilities between the Operations guys and your department?

Dan Anderson: I wouldn't use words like "separate" or "clear," because in kind of that feel of the startup mode, there's a lot of hats to be worn. I think for being the CISO at Lifescan, I have a lot of ability to set policy, direct, educate. Really, it's an education, and I'm more of an educator kind of a role-

Steve Morton: Really? Okay.

Dan Anderson: ... And consulting. I'm not doing a lot of hands-on to implement, but there's usually part of IT that would do that. Then selling that to the business, and getting their buy-in on why it's important for them to lead with security. Security is a really good product to sell as a product. If our products are the most secure products in the space, then-

Steve Morton: It's a differentiator for you as a business.

Dan Anderson: ... our customers want to buy them.

Steve Morton: How about you, Pete? Do you like the Operations guys that you work with?

Peter Green: Honestly, when I go in, I will talk to the Security folks at a higher level at some point, but usually, I'm working with the Architecture team, Operations. Because most organizations are really deficient in setting requirements. "What do we need to do to secure this environment?" I mean, policy isn't going to do it. You have to look at each individual solution, and so I'm working with the Architecture guys. They're stressed out of their minds.

Steve Morton: Yeah, sure.

Peter Green: They're trying to do everything that they can to implement these policy changes and requirements changes. I'm a therapist, most of the time.

Steve Morton: Interesting, yeah.

Peter Green: Honestly.

Steve Morton: Yeah, no, I can see that.

Peter Green: Because-

Ryan Layton: You have your certification.

Peter Green: ... They just feel so swamped.

Steve Morton: Yeah, sure.

Ryan Layton: You need your cert, right?

Peter Green: Yeah, I know. It's like a remote therapy. I need to do a little bit more education. My wife would love that. She's like, "Sure."

Steve Morton: There's more school, and all that stuff, yeah.

Peter Green: Yeah. I develop kind of a genuine connection to a lot of these people, because I'm feeling their pain. I'm on the outside, and I see so many customers during the year that have so many different problems that I might have a use case, I might be able to walk through some scenarios with them.

Steve Morton: I want to ask about that. One of the things that you and I have talked about before was that you guys have, you and Keith have your little play dates where you pretend that something went wrong-

Peter Green: I think they're called tabletops.

Phil Richards: I'm really confused on what my relationship with Keith is at this point.

Steve Morton: As is Keith. He just texted me. Where you guys will have an incident response plan, certainly, but you'll test those plans as well.

Phil Richards: Right, exactly.

Steve Morton: Tell us a little bit about that.

Phil Richards: What we do is we have ... First of all, we have a whole Security Council that includes leaders throughout the entire organization, so all of the departments are represented. We will walk through different scenarios. It's called a tabletop exercise. We'll walk through those scenarios with the team ... Sorry.

Steve Morton: Play dates is better, but go ahead.

Phil Richards: Play dates is better. Tabletop exercise. As we walk through that, we kind of figure out what everybody's role is. We kind of self-educate in terms of what our responsibilities are, how we're supposed to handle this kind of a scenario and situation.

Phil Richards: It is really kind of cool to see the organization really respond to the changes and the differences in the different plans that we put in front of people, and how they look at their responsibility and really take ownership for specific things. Obviously, we document it, write it up, and make sure that the rules are then kind of ...

Steve Morton: Have you ever totally blown one, where you had a scenario come up and you're like, "Yeah, that's not going to work," and that actually happens?

Phil Richards: Yeah. We actually had one recently. I don't know if "totally blown" is the right word. Because what happened is, everybody talked themselves into exactly what their responsibilities were. It wasn't until after the tabletop exercise that we realized we didn't decrease the risk of that particular scenario in any way. We just talked about what we would do to handle it. We didn't talk about how to make it better.

Steve Morton: Interesting.

Phil Richards: We felt like that was a failure, because we didn't figure out ... Our goal was not to just handle things, but to make things, make the world better, make our lives better as a result of that- [crosstalk 00:23:03]

Steve Morton: Do you do the same thing at Lifescan? Do you do tabletop exercises and that type of stuff?

Dan Anderson: We haven't yet. We're poised to. We've been really focused on building infrastructure out, carving out from Johnson & Johnson. We're just at the point now, where we've worked on our business continuity and disaster recovery, and we're going to start doing it. We're just right at that point, yeah, so we haven't done it yet.

Steve Morton: How about in the mid-market? Are you doing those type of exercises?

Ryan Layton: We are.

Steve Morton: Or does that all fall onto you as a consulting organization to handle that?

Ryan Layton: We are. It's interesting. What we've implemented is when we engage with a client that's a managed services client, we have to understand, obviously, the baseline in so many different ways. One of the key baselines we have to understand is the business baseline. What we've done is, it's similar to a tabletop, but we'll get the entire Executive team together in a room and we go through about an hour and a half working session with them.

Ryan Layton: You have Legal, you have Marketing, you have, I mean, every one of the executives, and we'll talk to them about prioritization. We introduce seven business risk areas. It's actually six plus one that's business enablement. We'll go through this, these talking points with them, and they all have different priorities, and they're competing priorities. Right?

Steve Morton: Sure.

Ryan Layton: We'll get to a point where the company will identify or the Executive team will identify their top three prioritizations that we then can govern and build a security program around for our customers. Whether it's business disruption, whether it's data protection, whether it's compliance and governance, whatever their priorities are. That working session proves to be the right thing, where it takes a disparate group who's never really had this conversation before-

Steve Morton: Interesting, yeah.

Ryan Layton: ... and pulls them together, and they walk away with a common understanding of what's important to the business.

Steve Morton: Yeah. It helps to prioritize when all that stuff hits the fan. How much of this is technology, and how much is people? Again, I work at a software company. I would say it's all technology, but I have a feeling that's not the case. How much of your work in your roles is really getting people aligned here, as opposed to introducing new tools into the product side? What would you say, Pete?

Peter Green: It's big, it's a huge part of it. When I hear these guys talk about trying to get those two things aligned, when you're doing the tabletops and you're trying to get these committees formed, and trying to build ambassadors and advocates for your security program, that's huge. You really can't do it without these people that are kind of going to bat for you, when you don't know that they are.

Ryan Layton: Too many roadblocks if you don't. Right?

Peter Green: Right, yeah, yeah. You need to have those right people, right positions, right timing. Then they can help enable security enforcement, and even tooling into these different, disparate groups within an organization. You don't really think about it that way, but there are little kind of fiefdoms that work differently-

Steve Morton: Sure.

Peter Green: ... than one another, and so you have to have people to help the enterprise.

Steve Morton: To your point as being a therapist, earlier, is that one of the first things you do coming into a company? Just establish who those people are and, as you mentioned, maybe set those priorities at the high level?

Peter Green: Yeah, absolutely. I mean, that's what you're on the lookout for. We're so understaffed and everyone's kind of saying that, the same thing, and so you have to have those people who wear two hats, but they're happy to, and there are a lot of them out there. A lot of people want to get into security-

Steve Morton: Sure.

Peter Green: ... and want to help us advocate.

Steve Morton: Sure.

Ryan Layton: I would add too, that the tools, you need, you, obviously, need the tools. Right?

Steve Morton: Sure.

Ryan Layton: I would say that if you can get the people and address the people side of it, the organizational side of it, the cultural side of it, you're going to get a much greater return on risk reduction on your tool investments than you would if you just go try to buy tools.

Steve Morton: That seems like a really difficult thing to do. Because it's one idiot that clicks on an attachment that can blow all your ... I have not been that idiot.

Phil Richards: No, I have no idea who you're talking about.

Steve Morton: Okay, thank you. I mean, but that seems like a game you're just not going to win.

Ryan Layton: As long as you have users, you're going to have problems, so it's education. It's education, it's getting the controls, it's getting the culture right. It has to start with the top, and you have to push it down or you're right, you're stuck.

Phil Richards: Yeah. I think the reason why you have to deal with the people and the people part of the process first is because it changes ... It's kind of a weird thing to say, but it changes the nature of the tool. If you don't get the people and process right first, then the tool becomes your process by default, and that's a problem.

Steve Morton: Oh, that's an interesting point.

Phil Richards: Whereas, if you get the people and the process right, the tool enables the people to do their job. It's a completely different mindset for everybody who's working with it, and that change of mindset is really what you're going for.

Steve Morton: Interesting, yeah.

Phil Richards: The people are now responsible for the activity. The tool is a labor-saving device.

Steve Morton: Interesting.

Phil Richards: That's the right way to look at it.

Steve Morton: You think, in each of your cases, do you have the tools that you need? Is there a killer app, a killer ... Maybe it's user elimination. I don't think that's probably a reasonable one, but I guess the point I'm getting to is that I go to a security trade show and there's a million companies that are trying to show things. They're trying to solve the same eight or ten problems, and there's a lot of overlap on those tools.

Steve Morton: When we talk to folks, we find that people are only using a fraction of those tools. How much is consolidation of those tools important? Just say, "Look, these are the five that we're going to use, as opposed to the 50." I guess, the bigger question I'm getting to, is there a move away from best of breed solutions, to ones that are more integrated and simplified and consumable than they were maybe five years ago? I don't know. Dan, what would you think about that?

Dan Anderson: I spend a fair amount of time with Fortune 100, Fortune 500 groups of CISOs, and this is one of the hottest topics. They've had money, they've spent money on tons of tools. They have more tools than they could ever use. They don't know how to use their tools well, and so they're learning how to cut that all down.

Dan Anderson: Now you're looking for more integration, so the tools that can talk to each other, and how can they get their people trained? Because the real vacuum or the thing that's still missing is having the right amount of people that can really operate the right tool set. That's a real big emphasis all across, seeing it all this year in numerous forms about, "How can we reduce the spend in IT?"

Steve Morton: Is it because of just trying to have a better cost, the economics of it? Or is it actually in usability and effectiveness of those tools?

Dan Anderson: It's both. Make the cost less, but really using what you have. That's what I really encourage our people to ... "Let's first know what we have, use what's in place." We have a different thing. We don't have 100 tools like some of these companies might have. We have a good set of about ten things and so, "Let's get the most out of those first."

Ryan Layton: I think too, I think I agree with that completely. I think, for so long, we've tried to address this as a technical problem, and so all the R&D, all the investment was going into just building these point solutions that just flooded the market. Customers are trying to solve a problem, so they buy this, they buy that. You find that you just can't address it that way.

Ryan Layton: The other thing is you only have so far you can take your risk reduction with the amount of money you have available to spend. Just, there has to be an increased level of prioritization and business alignment because you're not going to solve the problem entirely. You just can't.

Steve Morton: It is really a management of the scale of risk versus reward-

Ryan Layton: Cost.

Steve Morton: ... and cost, in many ... Have you ever had a C-level person say, "I don't care. Just do this because it's right for the business"?

Phil Richards: Well, I've had a number of C-levels and Board members provide mandates that sometimes are aligned with good security practices and, oftentimes, are not aligned with good security practices. The only way to be able to rectify that is to have it be a risk discussion. To talk about, "Here's the cost. Here's the risk that we're taking in by not doing this the right way," or whatever.

Phil Richards: Just to follow-on in terms of the killer app in the security space, I have frequently said that the most important tool that I have, from a security perspective, is our service management component. Because it allows me to document what the workflow is and what the process is-

Steve Morton: Interesting.

Phil Richards: ... for each one of these different security initiatives. All the security initiatives that we run are processes. I mean, there's a whole vulnerability management process, there's an onboarding new employee process. Being able to document what those processes are with the right audit points and the right checks, and everything like that. That's critical in all of our business.

Steve Morton: Do you guys consider yourselves process managers in many ways? Does that ring true, as Phil described it? That sounds pretty boring, by the way.

Peter Green: I don't like to tell people what I do for a living.

Steve Morton: Security's boring-

Peter Green: "I don't want to bore you."

Steve Morton: ... It sounds like, yeah, yeah.

Peter Green: It's a lot of process. I mean, it's a lot of process.

Phil Richards: There's a lot of process, and a lot of reading, and a lot of reviewing documents and writing documents.

Peter Green: Yeah. A lot of documentation. Service management, I love that idea because it is all process. Configuration management, I think, is an untapped market, because-

Steve Morton: To our point about asset earlier, if you don't understand what you have, how can you manage it?

Peter Green: Exactly. Asset, asset management, vulnerability management, patching, to actually take remote control, to do things like certificate delivery. It's all there in configuration management. When you have an incident, it's not, "Where's that coming from? Who's that talking to?" It's all in the config logs, and so I think it's really, really underserved.

Peter Green: I'm a little biased. I've been in that space for a long time, and I haven't recently, but I was at vendors that did that. I just don't see that consolidated config management agent that I could actually look at mobile devices, MDM and desktops and servers. I just, sometimes, I don't understand why that piece is not in place to make life easier.

Steve Morton: Yeah, yeah. I get it.

Peter Green: It's a smaller amount of tools. You know?

Steve Morton: Yeah, yeah. Interesting. What do you guys ... We'll wrap here in a couple of minutes. What's coming next? What do you think is the next ... We kind of saw ransomware starting to happen and we thought, okay, last year would be the last year of ransomware, and we talked about that. As you guys are kind of thinking about what you have to do next, is there anything that's scary out there, or you think there's attack service that's going to ...

Phil Richards: I think what we're seeing now with ransomware is kind of a precursor to what I guess I want to call designer malware.

Steve Morton: Super targeted.

Phil Richards: There's a lot of ... Yeah, well, there's a lot of locations where you can pick and choose, and design and configure your malware so that it is targeted at exactly the target that you want to hit. We saw that with the exploit that took place at the dental offices.

Phil Richards: It turns out the dentist offices weren't exploited, that was just a couple of months ago. It was a service provider that was, and that was targeted malware, ransomware. I do think that some of those designer qualities will make that malware much more effective for a very, very pinpoint, targeted population.

Steve Morton: Yeah, interesting. To the point earlier about dental offices and things, they're targeting low-sophistication users or that have, again, pretty important data. What do you guys think? What's next? What's keeping you up at night about the next attack?

Ryan Layton: I think from our customers' standpoint, what we're seeing is there's, obviously, this migration to Cloud and leveraging Cloud. It's not necessarily the security challenge, but it's the cost associated with it. So much of the business decision to go to the Cloud has been based on the savings of the compute and the storage.

Steve Morton: Don't have to set up a server, all that stuff.

Ryan Layton: All that kind of stuff, and then the agility that you have as a business user, to be able to leverage that. What we're finding is, the same ... If you look at on-prem deployments and all the monitoring and management resources you have to effectively secure those types of environments, those cost factors, generally, haven't been factored in-

Steve Morton: Interesting.

Ryan Layton: ... by those that are moving to the Cloud, so we're having to have these conversations with customers saying, "If you want to secure the Cloud or your Cloud infrastructure, your Cloud-computer environment, there's all these additional costs that need to be in place," that they really never even built their business case on.

Steve Morton: Do you think Cloud, 10 years from now, is seen as a cost savings, or neutral to on-prem solutions?

Ryan Layton: I think it'll be, I think it's going to continue to morph. What you're going to see, and where you're starting to see it, the big providers, the security controls have to just be factored in and built into the service. Right?

Steve Morton: Yeah.

Ryan Layton: You're seeing Microsoft, you're seeing Google, Amazon, come out with more and more features that are security controls within the Cloud. I think that will continue, but you still have to manage it. You still have to address it in that regard, so that's a challenge that we're seeing already.

Steve Morton: Dan, what's keeping you up at night over at Lifescan?

Dan Anderson: I like to look at patterns, and think about some of the recent tools that were grabbed from, not intentionally released from CIA.

Steve Morton: Yeah. Some crazy stuff.

Dan Anderson: Those tools are out there. Well, as they're out there for a while, some of the adversaries pick them up, they learn about them, they study how they worked. The thing that concerns me is, what are they going to do with them? It's not, "Can they use them?" Because most anyone can take those and figure out how to use them. It's what they learn from it, and then what they decide to build next.

Steve Morton: Interesting.

Dan Anderson: They say, "If this tool does this, couldn't we do something, cobble a couple of them together and do some really strange things with them?" I think that is kind of along the lines of what Phil was mentioning, is this designer malware. This is designer malware on steroids. It's, a lot of effort and money was spent on these tools, and now the adversaries can just take them and then do more with them, so that's the-

Steve Morton: They've learned, and they're going to take them to this next level, yeah. How about you, Pete?

Peter Green: I'm going to kind of bring the room down here.

Steve Morton: Okay, that's great. As if I haven't done that already.

Phil Richards: That's great, that's a good idea.

Peter Green: It's going to go from this level, to containers. I see that containerization is going to just take off like wildfire. The ability to totally virtualize a solution or environment, and just drag and drop it someplace else. We've had that with virtualization, but not the ability to break a workload into multiple components, where you have templates and configuration files, and you have compute, you have storage, and you just kind of cobble those things together.

Steve Morton: You make the argument that increased complexity is going to have more attack-

Peter Green: The complexity, I don't think we're ready for, because-

Steve Morton: There's also an argument on containers that you are compartmentalizing some of those threats, so they can't traverse multiple spots.

Peter Green: Right, yeah, so that's great. I mean, we're gaining a lot of security efficiencies, and things are going to get a lot, I don't want to say easier, but more automated through that process. The problem is, is that I hear from the developers that, "Oh, we're just going to upload a new environment, or just swap-out this container, or throw a new template on it," and that's just going to be rife-

Steve Morton: It's just a bigger band-aid.

Peter Green: ... Oh, it's just going to be rife for abuse.

Steve Morton: Well, you're right. You brought the whole room down, appreciate that. That was-

Peter Green: Yeah, I knew that would break us.

Steve Morton: All right. 30-second, maybe a 10-second answer just to close off this. Again, thank you guys for being here. It's a really interesting conversation, and I feel better knowing there's smart people working on some of these problems.

Steve Morton: What's the most egregious or craziest thing you've seen in your jobs and have just said, "Uh, some people are just never going to get it"? Maybe you can start.

Phil Richards: Well, we-

Steve Morton: It better not involve me, by the way.

Phil Richards: No, it doesn't involve you. I have had ... As you know though, we do a phishing campaign-

Steve Morton: Yes.

Phil Richards: ... of our employees, and one of our employees actually responded to and clicked on a phishing email. They put in their user credentials and everything. I mean, they bought it hook, line and sinker. Then they opened up an incident defect that said their password wasn't accepted on the website.

Steve Morton: Really?

Phil Richards: They went the extra mile, had tried to get us to fix it because their legitimate password wasn't accepted in the malware.

Steve Morton: By the way, just as an aside story, you know what we do with Phil, Phil sends these phishing emails out and then he'll send a note that'll say-

Peter Green: He's known for that.

Steve Morton: Yeah, he is known for that. It's almost a defect in some ways. He'll send a note to the executives and say, "Hey, these people have not responded," including you, usually, Morton. Then we'll send that email back to him, suspecting it's a phishing campaign, so we've- [crosstalk 00:40:45]

Phil Richards: That's actually the behavior I'm looking for.

Peter Green: That's good, that's good.

Phil Richards: I want people ... We get that, occasionally. We'll see emails that come from Marketing or from Sales or somebody else, and I will receive those and they'll say, "I don't know if this really came from Steve Morton, so I'm not sure. I'm not opening it."

Steve Morton: It's probably a good idea not to open any ones that come from me, to be perfectly honest, yeah. Ryan, how about you? What have you seen that's been interesting in those years of experience?

Ryan Layton: Not specifically, but more generally, the biggest culprits of like the phishing and just bad practices are, generally, the executives. It's just, they're so busy. Routine is a big piece of what they do, and so you get caught in your routine and you kind of get caught.

Steve Morton: I've only fallen for one, by the way. All right. Pete, how about you?

Peter Green: Man, I think the most-

Steve Morton: You don't have to disclose any particular people. I know, risk management-

Peter Green: No, I won't name names here. Actually, I'm going to kind of flip it again and say the most egregious thing, and I just can't get used to this, is how professional these ransomware companies are, some of them.

Steve Morton: Interesting.

Peter Green: With customer support, and they're polite on the phone, [crosstalk 00:41:53] and they've got really nice websites with all payment options. You know?

Steve Morton: Yeah.

Phil Richards: If you don't know how to pay in bitcoin, there's an 800 number that the bad guys have put up for you, so they can help you set up-

Peter Green: They've got a help line. That's the most egregious, to me. That's-

Ryan Layton: The best customer service on the planet.

Peter Green: Oh my gosh.

Steve Morton: You could send a Comcast- [crosstalk 00:42:14]

Peter Green: They're so good at it.

Ryan Layton: Exactly.

Steve Morton: What would you say, Dan?

Dan Anderson: I would say, and it's not limited to the current company, but also I've seen in the last five years, it's probably the use of really simplistic passwords across ... The same password across multiple sites. I mean, that thing should be well-understood at this point not to do, but it's still happening and it's still out there today. It's crazy.

Ryan Layton: It's still a yellow post-it note on their computer screen.

Dan Anderson: I've seen some of that, yeah. I've seen some of that.

Steve Morton: That seems like such an obvious one, just like knowing what you have in your environment. Doing patches, managing your passwords, encrypting your files. Those kind of basic care and feeding are still probably your best bets, and at least reducing the risk.

Ryan Layton: Yeah, it is.

Peter Green: They still are, they still are.

Phil Richards: Yeah, they really are. One of the interesting things about that is, for our organizations, we have to do, for patching or encryption, and that kind of thing, we have to get it right on every single one of our devices, because the one device we miss is the one that the bad guys are going to find and they're going to get into, so we have to get it right 100% of the time, and that's really the hard part.

Steve Morton: Yeah, yeah. Guys, fantastic. Thank you for the conversation. Dan Anderson, this is over at Lifescan. Peter Green, over at Sirius Computer Systems. Ryan Layton, Secuvant, and our own Phil Richards. Thanks, guys. That was a fantastic conversation, and keep on fighting the good fight.

Ryan Layton: You bet.

Peter Green: All right.

Dan Anderson: Thank you.

Peter Green: Thanks.