Okay, we're back with John Scimone, who is the CSO of Dell Technologies. The S there stands for security. John, welcome. Good to see you. Thanks for taking time.

Thanks for having me.

Yeah, you bet. You know, you've had what I'll call a richly textured career, both in the public and private sectors. You know, the audience, I want to share with them: you were with Sony for the now infamous cyber attack that was nearly a decade ago, which was kind of a combination of ransomware and what I would consider as sort of blackmail to take down a film that, you know, a hacker group didn't like. But from a cybersecurity landscape standpoint, what do you see as sort of the same and what has changed since then?

Yeah, I appreciate, first of all, I appreciate the characterization of richly textured. I may have to borrow that. That's the most polite way to speak to a breach victim I've ever heard. So that's nice. And yeah, it's, you know, it's close to ransomware as we know ransomware today. When we think about the Sony attack, which happened, you know, about a decade ago, it wasn't ransomware, really. Ransomware is more like, you know, a bully walking up to somebody and saying, give me your lunch money or I'm gonna punch you in the face. In the case of the Sony attack, it was just a pure destructive cyber attack. You know, no real ransom involved in how we think about it today. It's just somebody walking up and punching you in the face. And in this case, an entertainment company, which back then was really just quite unprecedented. So when we think about how the landscape has shifted since then over the last decade, back then, again, significantly unprecedented. If you're an entertainment company, you're not necessarily thinking daily about ransomware, and many other industries alike. Today, it doesn't matter what industry you're in. Ransomware is so prevalent. It's really plaguing all industries; it's the top risk concern for businesses of all breeds.
And so a lot's changed in the last decade. At the same time, a lot remains the same. If we think back a decade ago from a cybersecurity best practices perspective, a lot of the best practices then are still best practices today. And honestly, 10 years from now they will probably still be best practices. And businesses and organizations broadly still remain challenged in many cases to implement those best practices. Incidents a decade ago almost always took advantage of stealing people's passwords, identities, credentials, particularly privileged accounts that exist within the network, in order to get broadly into people's networks and do damage. The same remains today. If we look at most incidents that are taking place in 2023, identity still remains the epicenter of most incidents. And even as we think forward a decade from now, I imagine that probably won't be too different from what we're seeing today.

Well, no question. Gen AI and the momentum around Gen AI is new. AI is not new, but what's your point of view relative to the impact on increasing threats versus those defending against the threats? Who's got the advantage in your view?

I think it's too soon to tell. And I think it's a fair statement to say I'm tremendously excited about the potential of AI and what it might reach in terms of benefits for the security industry and cybersecurity practitioners like myself. Another true statement, though, is that it terrifies the heck out of me. And so the real question, the strategic question, which again, I don't think we can answer today, only time will tell, is net-net, what is the impact 10 years, 20 years from now on our ecosystem? Does it help more or does it hurt more? What I would say is I reflect on the current asymmetry that exists in the security landscape. There's a significant asymmetry between the offense and the defense. The defense is losing broadly if you look at the scoreboard. And that hasn't changed over the last decade.
And so just like in a sports game, when you're down a lot, you need to throw a Hail Mary. You need some type of disruptive event to potentially turn the tables. I get excited about the prospects of AI and what it could potentially do to right that asymmetry that exists. There's really tremendous potential for security teams broadly to leverage the power of the technology to become more efficient, to become more effective. In simple terms, when we think about the security space, a lot of what security is trying to do on a daily basis is punch through this massively complex, chaotic haystack to find the needle, and to find humans capable of doing that in an industry where we're short millions of qualified humans. So by the very nature of the problem that we're trying to solve, it's really ripe for the potential of where AI can provide tremendous benefit. So I'd like to look at the optimistic side of it and be really excited. At the same time, I think about the same excitement that criminals undoubtedly have right now as they look at the technology, licking their lips, thinking through the same things: How can we amplify the efficacy, the efficiency of our criminal operations? How can we become quicker and better? And so that's a real concern that organizations probably need to contend with and make sure their teams are considering.

Yeah, thank you for that. One of the things that, my sense anyway, has also changed is, when you think about the Sony hack, when you think about things like Stuxnet, there was what I'll call the dwell time, the time that the adversary was in, doing sort of traversing and exfiltrating. And now it seems like the in-and-out time, I don't know, there's probably a term for that, seems to be compressed quite dramatically. So speed is really important.
So as you look into 2024 and beyond, what do you think the major focus should be for organizations and practitioners that are trying to improve their security posture?

Yeah, it's a great call out. I mean, speed and dwell time is a really interesting element in the security game. It's one that matters. And first, again, looking at the scoreboard, the defense is doing better, measurably. There's plenty of studies out there that are measuring how quickly we on the defensive side can detect and contain intrusions year over year, and for the last half a decade at least that's been improving. How quickly we can patch and fix vulnerabilities, patch time and speed to remediate issues when we find them, even before an incident takes place, has been improving. At the same time, if we look at the speed of criminals and other threat actors, their speed has also been improving. And going back to the AI conversation, as we think about what the potential is for cybersecurity and cyber criminals in an AI world, one of the most terrifying prospects in my mind, honestly, is that speed could get down to milliseconds. Today, we count cybersecurity operations in days, weeks, sometimes months. But realistically, in the future, it's foreseeable that cyber attacks could literally just be code fighting code, that code running on its own at the speed of light, and entire incidents that historically took place over the course of weeks happening literally at the speed of light, and the defense having to contend with that, inherently always being on the reactionary side. And so again, it's a tremendously exciting time, I think, to be in this industry, to be in this space. It's gonna require even more creativity and even more focus if you're on the defensive side. But this new technology just definitely has some significant implications. That said, that's probably years out, that's not tomorrow. So when you start asking, like your question, what do we think about in '24?
I think one of the elements that we all need to be thinking about is that in 2024, I would bet that not a single organization, any of us we talked to, would say, I am perfectly happy with where I'm at and I've done all I can possibly do from a cybersecurity perspective. So inherently it's a discussion, a question, of prioritization. What should be done on day one in 2024? What should be done in quarter two? What's the next most urgent priority? And thinking through those priorities, not just necessarily taking a playbook of best practices off the shelf from a website or an advisory agency, but actually deeply understanding your business, your organization model, what the different right answer or priorities are for a technology provider versus a manufacturing organization versus potentially a school. That requires increasing focus and analysis, and not just security expertise but actually business expertise, and importantly a close connection between those two sides.

Yeah, so a couple of things that I would call attention to for our audience. Your earlier comments strike me as, obviously you've got to now worry about stopping the breach. At the same time, you've still got to worry about recovering when they get in, and likely they are going to get in. And we often talk about the adjacency of data protection to the broader sort of cybersecurity protocols and procedures. And there seems to be some debate in the community over the course of this series, where my perspective has been that data protection has often been a bolt-on or an afterthought. Others have said, oh no, it's got to be a fundamental component. I think everybody agrees that data protection, backup and recovery should be a fundamental component of a cybersecurity strategy. What's your perspective on how those two areas intersect?

First, I mean, data backups have always been a core part of the main security program.
We think about cybersecurity, we think about not just protecting the confidentiality of information systems, but also the availability of the networks and the data that organizations need to leverage. I think what has changed significantly over the years, with just this onslaught of ransomware and the behavior we're seeing from ransomware groups, is that the industry has really shifted from a traditional data backup mindset, culture, processes and technologies that were really oriented towards a single database going down, a single application, at worst maybe a single data center if a weather event comes in. In those strategies, now you have to contend with the reality that with a ransomware attack, you're likely to see your backup environment purposely targeted, actually having sophisticated actors coming in. And unlike a hurricane, which doesn't move and chase you when you move, they're actually adapting, studying and understanding you and trying to hit you at the worst time in the worst way. And today what that means is coming into your backup environment and doing as much damage as possible to all of your data, to all of your systems, including your backups. And so, as we think about 2023, certainly 2024, a modern resiliency strategy, not just a backup strategy but being resilient, first and foremost means making sure your backup environment accounts for that: that you have your data immutable, that you have your most critical data isolated, that you've got intelligence and security intelligence built into your backup environment from a monitoring and visibility perspective. But then the second part is actually being planful and recognizing that that type of day could happen to anyone, and if that day happens, it's not just about whether you have your data, it's actually the readiness to restore with speed. I mean, that's that speed conversation.
You know, the difference between survival and just a bad day for many businesses may be whether you can bring all that, bring an entire business worth of data, back online in the course of days versus weeks or months, depending on the level of preparedness. So data backups are more central than ever to the importance of a cybersecurity strategy. And as we look back and think where the priorities have been, again, as you set your priorities and bets within a cyber program, I would say, you know, five, 10 years ago, you would talk to more practitioners that may have had more of their investment portfolio focused on protection and detection. I would say the opposite is true today. Everybody's talking about response and recovery and being able to recover quickly, and they can show you how the technology has evolved and the processes needed to get back online if you find yourself in that day.

Yeah, and, you know, of course, we always talk about the complexity of cyber, the tools creep and how to deal with, you know, the latest and greatest, you know, practice and the different types of threats. But cyber used to be the domain, as you well know, of the deepest SecOps pros. And of course, then it became a board issue, and now it's, I call it middle out, meaning everyone in the organization is responsible for better security and increasingly, they're aware of those responsibilities. I wonder if you could comment. One of my favorite, you know, stories is from Lena Smart, who is the CSO at MongoDB. And she says her approach for culture is to put those deep SecOps pros in the same room as folks who know nothing about it, you know, the business line people or some of the back office people, and say, okay, talk about your worlds. As she says, you know, that kind of interaction creates empathy for, you know, each side and they learn from each other. How do you create a security culture?

Yeah, I think mutual understanding and communication is essential.
You know, the nature of security programs is, at the end of the day, you're kind of setting rules. You're going to have to tell people what the rules of the road are and ensure that you're enforcing them. But at the same time, you have to be really thoughtful in understanding who you're governing, who you're setting rules for. If you're a security leader within a company, you have to, again, deeply understand, what's the nature of your business? What are you trying to do? And then I think you have to have empathy. I would agree with that, to actually get inside the lives and the minds and the challenges of those who have to, you know, help be part of the broader security team, essentially by following the rules that you're setting or joining the extended security team and helping across the company do the right thing every day, regardless of the role, whether you're an engineer, whether you're an HR professional or what it may be. And so from my perspective, we're communicating constantly with our employees at Dell, on almost a weekly basis. We're sending employee-wide communications on the topic of security, and not just saying what to do, but why, you know, sharing awareness of what the issues and concerns are, and not doing security for security's sake. Almost everything we're communicating is through the lens of how we're protecting our company and how we're protecting our customers, which at the end of the day is the thing that we all collectively care about and can rally behind. And then at the same time, we're constantly looking for feedback on our initiatives and more creative ways to achieve our outcomes.
And so from that perspective, we're seeking to launch incentive programs, and we literally have awards programs where we will award employees, our non-security professionals, awards for finding creative ways to get at our security goals and help protect the company and our customers in ways that maybe the security team wouldn't have seen, because they sit in a different set of shoes and have a diverse set of perspectives.

So let's talk about Dell a little bit. I mean, huge company, you of course have a giant portfolio of offerings. You've got an ecosystem of partners that help better defend. But how do you think about managing the complexity and diversity of those piece parts so that the customer outcomes can actually be improved?

Yeah, well, I would say first and foremost, we've chosen to take a very different approach than probably many technology companies and security companies, where, you know, you hear those talking about security and trying to sell security to customers. We view ourselves, at the end of the day, as a technology company, and with that comes a responsibility, an obligation, but also an opportunity to be a secure technology company. And that's very different than being a security technology company. You know, we're not, at the end of the day, looking to solve the cybersecurity space by just creating more and more security technologies and selling what are essentially band-aids to patch on top of technology. Recognizing ourselves as a widely deployed technology provider that's supporting organizations of all shapes and sizes across the globe, we have a responsibility and opportunity to just make that technology increasingly more secure and resilient so that it needs fewer band-aids. And so that's our real play and opportunity, and the area we're most excited to help our customers with.
At the same time, I would say we also take a different approach from a partnership viewpoint. Most organizations, when they're talking about security, and you're seeing the marketing: we've got the solution, buy our solution and you will be secure, buy our solution and this is your trust, buy our solution and this is a silver bullet. We have a perspective that nobody holds all the keys to this kingdom. You know, nobody can solve it on their own. It's only through really a broader ecosystem of partnerships and teamwork that we can provide more meaningful outcomes for our customers. And so with that in mind, we're designing our technologies to be inherently more interoperable, to provide security outcomes for security practitioners that may be leveraging them, but also to be aware horizontally of the environments in which we're being deployed, and to recognize that there are gonna be other technologies in and around the Dell technologies that are out there, and that we need to do our part but it's not, you know, the whole part, and where possible to be good stewards and to bring leadership to the community. And one example of this is with Project Fort Zero, where we've actually marshaled the efforts of over 30 different companies to come together to provide a collective set of outcomes that meet the zero trust standards of the US Department of Defense. You know, it's through this type of teamwork that I think we'll really start getting at making a broader impact on this problem space.

Okay, last question. So let's say you have somebody that you're mentoring. You're pretty young, but let's say you got a young person that you're mentoring. And they just got anointed as the chief security officer of a fairly large firm. What would be the number one piece of advice you would give that fellow CSO about presenting to the board? How should that individual communicate to the board?
What should be her or his main messages when communicating to a board of directors of a public sector or commercial organization?

That's a great question. And it's one that often, honestly, is discussed with a lot of anxiety and fear by people who might be stepping into their first CSO role. So it is a conversation I've had. And I think the common misperception we see is that boards of directors are there to operationally engage in the details of whatever issues you may be managing in your space. And interestingly, we see board members potentially as confused about this. They know they need to be doing something about cybersecurity, it's the hot topic, it's the biggest risk they hear about, but what is it? You know, I counsel them to step back. I mean, the purpose of a board largely is to be there to provide a duty of oversight and to help ensure oversight of the management team's management of the company, not to manage the company themselves. And so the best way a CISO or CSO can engage in that environment really is to help translate, help contextualize management efforts, help contextualize the risks relative to the business that they're responsible for overseeing, and to build confidence that collectively the management team is doing or isn't doing the right things relative to managing those risks. And at the end of the day, ensuring there's a very tight alignment between the tolerance for risk-taking in this space, which is never going to be zero, every company has cybersecurity risk to some degree, but making sure there's a very tight alignment between what the reality of that risk is and what the management team and the board believe that risk should be. And so the stewardship of that connection, at the end of the day, is the role that a CSO should be playing as they engage with the board.
And they're best suited to do that as long as they, at the same time, are not just a security expert, but make sure they maintain a deep understanding of the business that they support.

Great framework, excellent advice on how you should think about that. I wanna thank you, John, for your time and participating in the program.

Yeah, great. Thank you again for having me.

You bet. Okay, you're watching Navigating the Road to Cyber Resilience, the summit made possible by Dell Technologies. We're live and on demand from our Palo Alto studios. Keep it right there. We're right back.