On this episode of The Six Five – On The Road, hosts Daniel Newman and Patrick Moorhead welcome Splunk’s Ryan Kovar, Distinguished Security Strategist/SURGe Founder and Kirsty Paine, Field CTO, EMEA, live from .conf23 in Las Vegas.
Their discussion covers:
- The top three security trends and issues that CISOs and security professionals are focusing on currently
- How CISOs can communicate more effectively with their board, as their roles have become increasingly important in their organizations
- What the hardest questions to answer are for security professionals
- What the biggest mistakes and the best wins they are seeing from CISOs
Disclaimer: The Six Five webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded, and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors, and we ask that you do not treat us as such.
Patrick Moorhead: Hi, this is Pat Moorhead and we are live here in Las Vegas at Splunk’s .conf conference. Dan, the excitement is here. It’s awesome to be here with The Six Five On the Road and we’re really having some incredible conversations that these aren’t just buzzwords, these are real challenges that companies and organizations are having. We’re talking about data, we’re talking about data resiliency, we’re talking about visibility, we’re talking about security and because nobody’s talking about it in the industry, we’re talking about AI.
Daniel Newman: Yeah, security’s become a real top of mind over the last few years. Now, for some people, and a lot of people we’ll talk to here, it’s been a top of mind for a long time.
Patrick Moorhead: Yes.
Daniel Newman: But we’ve seen this sort of continuum, and now even a growing momentum towards making larger and larger investments. It started off as what can we spend to just do what it takes to avoid the worst?
Patrick Moorhead: Yes.
Daniel Newman: And, I think what we’re starting to see is that avoiding the worst is no longer a strategy.
Patrick Moorhead: That’s right.
Daniel Newman: It’s all about getting out in front of it, and as data proliferates and it’s more and more exponential, it comes down to, how do we make sure we protect our customers, private data, our infrastructure? We had public sector conversations, keeping the world’s infrastructure running and of course, do so in a way that keeps enterprise values in check. Because it’s only one breach away from major, major problems for any company, big or small.
Patrick Moorhead: That’s right and security has become so complex. Sometimes we lose the forest in the trees. And looking at that, and to help us talk about and discuss some of the top security issues, we have Ryan and we have Kirsty, welcome to The Six Five.
Kirsty Paine: Thank you. Thanks for having us.
Ryan Kovar: Thank you very much.
Patrick Moorhead: Yeah, thanks for coming on the show, first time. And we love talking about security, so we are in the right place here.
Kirsty Paine: Oh, yeah. So do we. We love it.
Daniel Newman: Excellent. It’s great to have both of you here. Now, we had a chance to talk a little bit in the green room. We talked about some of the top trends that you’re really focused on for CISOs and in the security space. And we came up with… we had ransomware, we had AI, we had regulation. I’d love for you guys to break these down for us a little bit. Maybe Ryan, starting with you, talk about ransomware. Talk about a red-hot topic.
Ryan Kovar: Yeah, it does not end, it’s all I think about and all I do and full disclosure.
Patrick Moorhead: Job security.
Ryan Kovar: Absolutely.
Kirsty Paine: Always good.
Ryan Kovar: My background is nation state threat hunting, and so I’d always not been that interested in crimeware, I hadn’t been interested in those things. But the reality is, the number one threat I see to almost any business and most governments today, is actually ransomware. And when you look over the last, what, seven or eight years? I think, 2015 is really when it crescendoed in the public’s eye. There’s been some major changes. So technology has changed, the sophistication of the threat actors have changed. And now we have things like state sponsored or state sheltered ransomware actors that are outside the law-abiding citizens and our ability to prosecute.
So not only has the landscape changed that ransomware actors are operating in, along with the technologies, but just people’s awareness of this. We’ve seen conflicting reports that ransomware attacks have gone down, but overall payments have gone up. But we’ve also seen a change in the tactics of ransomware actors to be more specific, more surgical. They’re not encrypting everything in a business, sometimes they’re only encrypting a few things and only telling a few people. So, we’re not necessarily sure if we have the visibility that we had hoped we would.
Daniel Newman: Kirsty, you want to jump in and talk about ransomware before we hit regulation?
Kirsty Paine: Just that it’s something we see as well in Europe, that shift to a much more sophisticated extortion model, rather than a kind of ransomware all the things, make a big splash. Actually, you can save a lot of that reputational damage, and you can achieve a much better result as a ransomware actor by being a lot more subtle. And so that totally chimes with what we see in Europe as well.
Daniel Newman: So, you mentioned Europe and obviously everywhere in the world, regulation is a little bit different and regulation and security, there’s a very high amount of interdependence. We had a conversation here at this event with public sector talking about the public-private, but talk a little bit about regulation and its role right now in cyber.
Kirsty Paine: Yeah, I would love to. I’m sure everyone loves talking about regulation as much as I do. I think it’s- does.
Daniel Newman: I do. I love it.
Kirsty Paine: Yeah, I think it’s a great thing, actually.
Patrick Moorhead: We do so much about public policy, you’d be surprised, as industry analysts, what we get into.
Daniel Newman: It’s huge in tech.
Ryan Kovar: Yeah, it’s huge.
Kirsty Paine: I think it’s impossible to ignore now. I think that a lot of regulation that we see, especially in Europe, has been focused historically on data privacy. But we’re really seeing now a surge in security and resilience regulation. So we have DORA in the EU, which is all about operational resilience, mostly focused on financial services. We have similar legislation in the UK. We have the NIS2 Directives, so Network Information Security Directive, and that’s covering a range of sectors and their need to be resilient. And it’s covering a lot more than it used to before. The original NIS was very focused on a few critical sectors. And actually with the pandemic and all these disruptions, we saw how important things like our food supply chain were, and so they’re now in scope for the regulation. And it’s really recognizing the criticality of these sectors and the need to bolster security in them and overall improve that resilience.
Ryan Kovar: We’ve seen this in the US as well with the increasing regulation from President Biden, the National Cybersecurity Strategy coming out. Seeing things like passive DNS in a memo from the White House is something I never thought I’d see when I was in public sector. It’s been an incredible change and there’s definitely an awareness that these nation state threats as ransomware actors. We have to change how we’re looking at security fundamentally, both at a regulatory and compliance point of view. And I am oddly, and I can’t believe I’ll say this, excited to see some of it, because I think it’s a place we can actually make a change. There’s a lot of things we haven’t done in security that haven’t worked for 20 or 30 years, but what we haven’t done in the US at least, we’re lagging behind our EMEA colleagues perhaps, we haven’t made a big stretch towards regulatory requirements to actually effect change. So I’m hoping we do.
Kirsty Paine: Yeah. And I think that that incentivization piece is key. If we’re not seeing the changes that we need, that’s when regulation arrives. And so actually making sure that the ecosystem is set up to support and reward companies that are investing in their security, I think that’s a really positive step forward. So a really good thing.
Daniel Newman: And so trend line three, AI, we made it two before we got to it, but there probably hasn’t been a trend that is going to more significantly shift the landscape of every part of the tech stack. So Ryan, maybe what are your thoughts on AI as a trend line for CISOs and cyber?
Ryan Kovar: Sure. The biggest thing when I talk to CISOs, in the US especially, is they’re very worried about data loss. They’re worried that people are going to use it and have their data in a way that they don’t understand or it’s going to be sucked into a LLM, which is a completely reasonable concern. The reality though is, one CISO said, “I can’t stop water from going downhill and I can’t stop my SOC from using ChatGPT.” So I would really be looking at how are you thinking about this constructively? I think it’s an incredible staff augmentation tool when put in front of people who are making good judgment decisions. But you can’t just give it to someone and expect for them to answer questions effectively. It has to be used as a tool, and it could be quite strongly used within a SOC with appropriate guidelines.
Kirsty Paine: And that’s very much on the defensive side. On the attacker side, we just hear a lot of chat about how it’s going to improve phishing and it’s going to be so much more realistic, all of these different scam emails. But to be honest, my response to that is always, “Oh, was phishing really struggling before as an attack vector? I don’t think it was really having a tough time out there.”
Ryan Kovar: Did it slip from one to two for a week or, yeah?
Kirsty Paine: It was doing okay in my view. So it just really means that your defensive capabilities now, instead of focusing on employee training or over focusing on that, you need to augment the other layers of your defense.
Patrick Moorhead: No, I love that summary. One of the biggest challenges I think we have in security is its complexity. First off, we seem to have a different nomenclature we use, and maybe for the United States and what the Biden administration pulled down at least, maybe got us on a similar nomenclature to use. It’s also very hard to measure how much more investment should I put in and how much more secure am I going to get back? There are no benchmarks like performance on let’s say the compute side versus the security.
So net-net it really takes a village to not only share data, not only across people inside of the same company, but also across different companies out there in the security landscape. We seem to have been on this best-of-breed kick. And then everybody sees, “Oh my gosh, look at how much time and energy it takes to integrate all of this.” And, “Oh, I need data from everywhere to make the best decisions.”
The other aspect of this data sharing is also CISOs being able to share best practices and have a platform. And Kirsty, you actually have a podcast. How about this? Very meta.
Kirsty Paine: Yeah.
Patrick Moorhead: Doing a podcast on a video podcast here. It’s called The Security Detail, where they go through and they talk about their experiences. And if you wouldn’t mind maybe solidifying, I don’t know, your past additions you’ve had of the podcast, but net-net what are some of the key highlights, the key takeaways, some of the key themes that comprise these discussions of these CISOs?
Kirsty Paine: Yeah. Well, thank you. I appreciate the opportunity to plug The Security Detail. Fantastic podcast.
Patrick Moorhead: Plug away. Yes.
Ryan Kovar: 10 out of 10.
Kirsty Paine: So it’s co-hosted by us.
Daniel Newman: As long as it doesn’t compete with us.
Patrick Moorhead: Yeah. Because we’re always plugging our companies.
Daniel Newman: Yeah, we’ll promote it all day long.
Kirsty Paine: It’s complementary. Yeah, it’s complementary for sure. So it’s co-hosted by myself and Audra Streetman. It’s called The Security Detail and every episode we focus on a different vertical, and the sector and the security threats within that sector. So we’ve had some really interesting guests on there, we’ve had some ex-CISOs, some very important folks in public sector. And we have a section called, I’m a CISO, and I say so, which is my favorite feature of the whole podcast. What would you say so if you’re a CISO for a day for your entire sector?
Patrick Moorhead: Can you say that five times fast?
Kirsty Paine: Yeah. It’s CISO on the CISO on the seashore. Well, something like that.
Ryan Kovar: We only interview them on the seashore, which is really a key part of the whole process.
Patrick Moorhead: I’m out.
Daniel Newman: Only if you say so.
Kirsty Paine: It is actually part of the audition to be on the podcast. Yeah.
Patrick Moorhead: I see what you’re saying. I’d love to CISO.
Daniel Newman: About the CISO, yes.
Kirsty Paine: Yeah. Well, I’ve got it down anyway, so what would I say so if I was a CISO? I think the key highlights that I’ve seen have been from our telco expert, Ian Keller, who spoke and just had very simple advice, which was just listen. And I loved it in its simplicity. Just listen. You pay your security professionals quite a lot, just listen to them. If they’re telling you something you don’t want to hear, just listen. Just accept it and make the changes because they’re always working in your best interest. That’s been my personal favorite highlight. I think, Ryan, do you have a?
Ryan Kovar: Yeah, I had one from Dan in Australia.
Kirsty Paine: Dan Tripovich, yeah.
Ryan Kovar: Dan Tripovich, yeah. He’s incredible. And his ongoing theme, it’s not about technology for CISOs, a lot of times it’s about the people. And for him it was just be a good human, have empathy around you for both your customers, your employees, what they’re going through. And that really resonated for me. And I don’t see that enough I think, in those roles.
Kirsty Paine: Yeah. So we’ve had some really impressive guests. Many more to come, but thank you for the opportunity to plug it. Always appreciate it.
Patrick Moorhead: No, absolutely and it does take a village. And it’s more than data sharing, it’s best practice sharing, and here we go. I have to read this because I’m the CISO and I say so, because I’m on the seashore with Dan. You see what I’m saying?
Daniel Newman: I have no idea what you just said.
Patrick Moorhead: Okay, good. Just consider it brilliant.
Daniel Newman: I will tell you, something we can learn is themes help. For instance, if you did a podcast and you said, let’s do six topics for five minutes each, that would be a brilliant approach. It would probably be one of the worlds.
Patrick Moorhead: Gosh, that’s The Six Five.
Ryan Kovar: It’s in the name I guess. On the nose.
Patrick Moorhead: Gosh, that’s amazing.
Daniel Newman: Yeah. We should do that.
Patrick Moorhead: We should.
Daniel Newman: We should start that when we get back.
Patrick Moorhead: How about Friday?
Daniel Newman: Let’s not… No, not Friday.
Patrick Moorhead: Alright.
Daniel Newman: Okay. So Ryan, you heard me go down the banter about security’s rising profile, right? Used to be the CIO or CTO maybe was in the boardroom for digital transformation needs and security was sat maybe somewhere to the right or underneath and to the left. And the board didn’t want to hear about it until it became such a prevalent thing that all of a sudden it was our business is at risk. We’re one breach away from losing significant market value. I remember this going back to the target breaches, some of the early big ones. Now the CISO is part of the story, or at least more and more becoming part of that conversation. Talk about how that relationship has evolved a little bit and perhaps what do you recommend for CISOs to be able to communicate more with the less technically astute, that need to become more aware to loosen up the funding and support to get these initiatives done?
Ryan Kovar: Sure. I think one of the largest challenges that CISOs have is they’re CISO with a little C. It’s very rare that I find a CISO who’s reporting directly to the Chief Executive Officer of the company. So a lot of times they’re in a position where they can’t effect as much change as they would like to because they are beholden to the CTO or the CIO, and they obviously have competing business priorities. When I look at how the relationship has changed, it’s a very odd thing, but in the US there’s precedent set from a recent ruling in the dairy industry, around liability of board of directors around safety and security of products, which then establishes a precedent for security at an organization being derived to the board members themselves.
The outcome of this is now we have a lot more interest by board of directors for things like ransomware, where they’re setting up subcommittees from the board of directors to directly ask CISOs, are you prepared for ransomware? Because now suddenly I may be personally liable on the board of directors for your company’s security around this. So that’s completely changed the dynamic in my opinion. And it means that CISOs have to be able to effectively communicate in a different way than they have before. You’ve talked about the technical part. It is important for a CISO to have an understanding of a technical background, but I think it’s actually more important for them to understand the business that they’re in and that their customer, in this case, the board of directors, are concerned about their livelihood. And how do they deal with that, going back to Dan, with empathy?
Patrick Moorhead: So CISOs, even with the little C, have carried a lot more weight. When I started in this… I’ve been in the tech industry over 30 years, there was no CISO. And in fact, security was an after the fact. And there was this notion of perimeter defense, which, “Hey, we use security, nobody’s getting in.” And then we left ourselves exposed. Once they did get in, which was about a hundred percent of the time, we didn’t know how to get them out. And oh, by the way, the damage that they wielded, we see it in ransomware today, it’s how do we get our data back? How do we get the manufacturing line to start moving again? How do we get the trust back?
So this industry has evolved in an incredible way. And then we talked a little bit about CISOs and how they can communicate. They have to communicate up to the board, up to the big C, and then they have to communicate to everybody else that’s below them. And I’m curious, and Kirsty this question is for you, when it comes to communications, what are the hardest questions that security professionals have to answer these days? And that could be up, down, sideways, your choice.
Kirsty Paine: Yeah, leading on from the previous topic, I think at least now CISOs don’t have to constantly explain their remit and their role. I’m glad that we’ve moved past that because that was a painful period of time. So actually there’s a range of questions that I think just any security professional, any level, is getting asked at the moment. And there’s a big theme on resilience that we talk about all the time. And the biggest question for me is, are you resilient and how do you know? Whatever your answer is, if it’s yes, no, maybe, just how do you know? What are you measuring that by? How are you tracking your improvement and your benchmarking? And there’s always the question as old as time, are we getting better or worse? Are we doing better or are the attacks just getting more sophisticated? Have our investments borne fruit? Are we getting value for money?
Ryan Kovar: How do I compare to my peers?
Kirsty Paine: Yeah, how do I fit among my peers? And am I leading the pack or am I following? And it’s really hard. And when we talk about CISOs needing to communicate more with the board, these are the kind of questions they’re going to be asking you. Not tell me your patch percentage, they’re going to be asking the bigger business related questions.
Patrick Moorhead: And I love that. Well, partially because I do a lot of advisory to the C-suite, and when they’re asking me, their biggest frustration is one that you cited. Which was, “Okay, if I invest 50% more in this, how much more secure will I be?” And by the way, when it comes to compute, when it comes to storage, when it comes to all these other investments that the C-suite’s making, there are answers for that. But in security, there really isn’t a good answer for that. And it’s not binary where, “Hey, I’m secure yesterday, or I’m secure today. That might mean seven days from now, I’m not as secure as I used to be.” So yeah, I think as an industry, we need to figure this out to get as much budget for security as we can outside of these regulated industries, where quite frankly it’s a lot easier, because the downside of a security breach is a lot higher.
Kirsty Paine: Yeah. I think we do see the best practice actually being shared among CISOs. So I nickname this CISO therapy. You got a problem, go and talk to someone, have a cry if you need to. But you can share your things that work, you can just talk about your problems. By sharing it, you’re making it better. And we see this when people talk about board updates. If you get 20 minutes with the board every quarter, how are you making the most of that time? And a lot of what boards want to see is tracked improvement. Now we call this Mickey Mouse dollars. “Oh, if you spend this much, then you’ll be 3% more secure.” It doesn’t mean anything, right? But you have to show some tracked improvement and some reduction in risk, or some nice graphic that illustrates your improvement in your security posture.
Patrick Moorhead: That’s great.
Daniel Newman: So Kirsty, I think that’s a second podcast. CISO Therapy.
Patrick Moorhead: That’s exactly what I was thinking.
Kirsty Paine: It’s actually an initiative we run in Geneva.
Daniel Newman: Or it should be a segment of each show. So you got the CISO say so, and then you got CISO therapy.
Kirsty Paine: Yeah, we may have to cut it.
Daniel Newman: And you can get the CISO. I actually, I can’t promise you I can help you sell more Splunk today, but I can promise you I can get more downloads for your podcast here.
Ryan Kovar: There we go. Done.
Daniel Newman: If you just follow.
Ryan Kovar: That’s the same thing I think.
Daniel Newman: And by the way, long term, media matters. Media matters. So as analysts, that’s why we do this, is we get it. Someone has to listen or it doesn’t matter if you’ve got the best ideas in the world.
Ryan, love to have you both, but I’ll start with you. Take us home here. What’s some of the smartest things and the dumbest things right now that you’re seeing? I think it’s sad to say wins and mistakes, but I like smart… it’s all about gamifying.
Ryan Kovar: The smartest thing I ever saw a CISO do, was one of the most simple from a financial point of view. He was brought in as a CISO of a very large financial organization, hundreds of thousands of endpoints. And they were constantly getting compromised by very basic things, as most organizations do. And the common one was unpatched Windows systems. And he looked at this and said, “Why are they, do we need to order?” His team said, “Oh, well if we got this, if we got this.” He’s like, “Yeah, but why aren’t we patching today?” And well, it turned out the lowest paid employees in the IT center were the ones who were in charge of patching. They were really unmotivated, they were demoralized, their job was really boring. And so he flipped it around and just said, “Any one of you who has over 95% of your dedicated fleet patched, will get a 5% bonus every quarter.” And for him, that was something like $150,000. But he’s like, “I couldn’t even have gotten an asset management tool for under 5 million.”
And so he went from something like a pretty consistent 40% to 50% patching within three weeks, to over 95% to 99% within one quarter. And which meant his actual incidents over time trended drastically lower because they weren’t getting popped by things that were already out in the wild. And that to me was brilliant.
Daniel Newman: It was a net revenue gain. It was a net gain.
Ryan Kovar: Absolutely. It was incentivism, right? Kirsty talked about that earlier.
Daniel Newman: Give me the dumbest though. I’d like to have a little fun now.
Ryan Kovar: The dumbest thing that I’ve ever seen an organization do, which hurts because my background is threat intel, but they prioritized the threat intelligence team over a detection engineering team, which is very macro. But the cause of this was he thought that threat intelligence was really cool and his friends had one. So he prioritized the funding for a threat intel team, but then was surprised when no one could write detections to actually go into their security tools. And that was.
Daniel Newman: Oopsies.
Ryan Kovar: It sounded great, but the reality, by the time he set up this threat intel team, they didn’t have anyone to actually put that data into. So he flipped the pyramid upside down, and as always, the basics first are always the best and he missed the boat on that.
Kirsty Paine: Yeah.
Daniel Newman: No tires on the bike.
Ryan Kovar: Exactly. He’s got a Tour de France frame but didn’t bother putting wheels on it.
Daniel Newman: So Kirsty, you got a best and worst to take us home?
Kirsty Paine: Yeah. Well actually this common mistake, I think, is putting hype above anything else. If you’re just blindly following the trend, then you’re always going to end up with some problem. If you’re just doing what your friends are doing or what you think is cool, you’re pretty quickly going to run into trouble. And I guess the biggest win, it’s similar to yours, is that incentivization just really matters. So if you take the time to think about what motivates people, what incentivizes them to nail the basics, which is kind of boring. How can you make that actually attractive and improve your posture, get upstream of a lot of the incidents that you’re going to have? Those are the biggest wins that I see.
Daniel Newman: Oh, it’s like fitness. I know you did a big biking thing, right?
Ryan Kovar: Yeah, yeah.
Daniel Newman: It’s more work, eat less, and you tend to get good results, right?
Ryan Kovar: Yeah.
Daniel Newman: You do these all these things, eat less.
Kirsty Paine: There’s a reason we say.
Daniel Newman: You got to do it all and by the way, the things that work are super boring. It just really usually is. Ryan, Kirsty, I want to thank you guys so much for joining us here on The Six Five.
Kirsty Paine: Thank you.
Daniel Newman: It was a lot of fun.
Ryan Kovar: Of course. Absolutely.
Kirsty Paine: Yeah, really fun for us too. Thanks for having us.
Ryan Kovar: Yeah, have a great week.
Daniel Newman: Alright, there you have it everybody. We are here at Splunk .conf 2023 in Las Vegas. Lots of great conversations here with Patrick Moorhead and myself in The Six Five, so many great guests. We hope you hit that subscribe button, tune in to all of our shows here, and of course all of our other shows. It’s a lot of fun. But for this one, for this show, it’s time to say goodbye. We’ll see y’all later.