 We're here with Anthony Gian Domenico, who's a senior security strategist and researcher at Fortnett, Fort Agard Labs. Tony G. Hey, thanks for having me today, Peter. Good to see you again. But so Tony G, you spend a lot of time talking to a lot of users, a lot of other professionals. You're doing a lot of research on issues. Give us a quick snap. Give us the quick snap dot. What's the state of security today? Yeah, well, you know, I think, I mean, there's a lot of things that are happening right now. I think in the cyber world, you know, one that a lot of us already know is we have a huge skill shortage. We just don't have enough folks, you know, to be able to, you know, defend our cyber assets. You know, and I think the other thing is, you look at, you know, some of the mid-tier organizations, maybe 1,000 users or so, they don't have those skilled resources. And what happens is, they had, you know, relying on different types of technology to help fill that skills gap, and that's good. But what they need to also make sure is that they really have an overarching, good, solid security program that takes into consideration technology controls, right? So you're buying these, you know, specific products, but also what are the processes and what are the actual kind of people that are involved and are you actually combining all of those to encompass a solid, good, cybersecurity program? Yeah, a bad guy who launches a ransomware attack on a mid-sized company may be a little bit disappointed that they're not able to get $10 million, but they'll be pretty happy with a million or $500,000. That's a good day's work for these guys. It's a little hanging fruit, Peter, right? It's much easier, and I think that's the sweet spot for the bad guys, right? Because if you go too high, sometimes it's too much effort. You go too low, you're not really getting much. But in the middle, you know, you're getting a decent amount, and a lot of times, they don't have that strong cybersecurity program. Now, I always tell a lot of my customers in that sweet spot, forget about protecting and monitoring everything. That's not going to happen. You will fail 100% of the time. However, if you focus on what are the key assets? What are those five, six business critical processes? Understand the assets that those processes ride over. Focus on protecting those. Everything else is ancillary, because this is all that really matters to the business. The other thing I would say, Peter, and I think this is a mindset change. If I'm a security professional and I'm responsible for protecting my cyber assets, and if I'm being measured on whether there's a breach in my network or not, so if there is a breach, I fail, that has to go away, because you will fail every single time. That's not the way you should be measured. You should be measured on, hey, we quickly identified something in the network, we isolated it, we mitigated, we got everything back up and running, and we're back up and running as normal, minimize the actual damage. That's how I would be actually, or should be graded on. So just an important point, Tony G. So what we're saying is that the real metrics associated with this should be the degree to which you can mitigate problems, not whether or not you are 100% clear of everything, because the bad guys are going to find their way at some point in time. They've got enough time to do it, and you don't. So like if you can quickly identify when they are in the network, isolate it, minimize the damage, and get your business processes back up and running, that's a win. Well, it's one of the things you mentioned as you mentioned for your cybersecurity or your cyber assets, which by itself is not an easy thing necessarily to measure. It's hard to say that this cyber asset's worth that and that cyber asset's worth that, but we do have to take some effort, we have to make some effort to understand the risks associated with cyber, whether it's an opportunity cost or whether it's what the replacement cost is, whatever else it might be. But it also suggests, historically, we invest in assets to appreciate the value of those assets. Should security be regarded as an asset that's part of, or cybersecurity, should that be regarded as part of the asset base of the business? What do you think? Oh, absolutely. I mean, you definitely, you know, as a consumer or as someone who's interested in looking at an actual business, I think that's a key asset to make sure that your information is actually being protected. And honestly, I don't think it always is. You know, we have these regulations that are tied to kind of making sure, for example, if you're storing, you know, customer credit cards, you know, there's PCI and there's all these other now, you know, HIPAA regulations and all that type of stuff. But those regulations still don't seem to be enough. And yeah, they're due. I think the minute that you can turn... But you mean, it's not enough and it appears that enterprises generally continue to under-invest in their cybersecurity assets. Is that kind of what you mean? Yeah, I still think it's a checkbox. You know, you, okay, I am compliant. Okay, you know, that's enough, right? Because I bet you there are companies out there that will just invest, that they'll put a certain money aside knowing that they're going to get breached and use that money, you know, to be able to pay for their breach or, you know, whatever else they have to do to meet those regulations, instead of investing into the actual technology to fortify their environment a lot better. Well, at Wikibon, we are doing research on related types of things all the time. And we're just fascinated by the idea that if a business is going after greater flexibility and agility, a crucial element of that has to be, do you have a cybersecurity profile that allows you to take advantage of those opportunities, that allow you to connect with those partners, that allows you to set up more intimate relations with a big customer. And it just seems as though that's something that's probably, it has to become an explicit feature of the conversation about what are strategic assets. Yeah, I definitely, you know, I totally agree. And that kind of, you know, stirs up something in my head about cyber insurance. I think a lot of companies are also moving towards, okay, well, let me just kind of buy some cyber insurance. And in the beginning, they would go ahead and they would buy those things, but what they would quickly find out is they wouldn't be able to, you know, reap the money on an actual breach because they were out of compliance because they didn't have the good cybersecurity program they were supposed to have. Yeah, the insurance company always finds a way to not pay. But let's talk now about this notion of greater agility. We talked about the role that security or cybersecurity could play in businesses as they transform in the digital world. We've seen a lot of developers starting to enter into cloud native, cloud development, you know, new ways of integrating. That requires a mindset shift in the development world about what constitutes security. Now, everybody knows, we're not just talking about perimeter. We're talking about something different. But what is it we're talking about? We're talking about how the security is going to move with the data, how the security is going to be embedded in the API. What do developers have to do differently or how do they have to think differently to make sure that they are building stuff that makes the business more secure? Well, even before even start talking about the cloud or anything else, I think we still have an issue when we're building our applications that developers still, I don't think, are up to speed enough on practicing good, secure coding. I think we're still playing catch up to that. Now, what you just said, I mean, think about where we're at now, you know, we're not even sort of there. Now you're going to expand that out into the cloud. It's only going to amplify the actual problem. So there's definitely going to be a lot of challenges that, you know, we're going to have to actually face. And then you think, you know, we talked about this little offline before is, you know, where's your data going to be? It's going to be everywhere. You know, how are you going to be able to secure all that particular data? And I think that's going to be a lot of challenges that, you know, you know, face ahead of us. And, you know, we're going to figure out how to deal with it. And the last thing I want to talk about, Tony G, is the, a lot of the applications that folks are going to be building, a lot of the things that the developers are going to be building are things that increasingly provide or bring a degree of automation to bear. So think about it, if you got bad cybersecurity or bad crypto, bad cybersecurity, you may not know when you've been breached or when you've been hacked or when you've been compromised. You definitely don't want to find out because you got some automation thing that's going on that starts spinning out of control and doing everything wrong because of a security breach. What's the relationship between increasing automation and the need for a more focus and attention on cybersecurity? Yeah, well, usually when I talk about automation, I end up talking about how the bad guys are leveraging automation. You know, I'll give you a little bit of an example here. In our Fortegaard labs, I think last quarter we saw about, I think it was over a million exploits, or at least exploit attempts that we were thwarting in one minute. The volume of the attack are so large these days and it's really coming from the cyber crime ecosystem. So, the human cannot actually deal with handling all those different threats out there. So they need to figure out a way to be able to fight automation with automation. And that's really the key. And I had mentioned this earlier on before, is what happens is you have to make sure that your technology controls are talking to each other. So they can actually take some automated action because as far as you're concerned as a security operator working in a sock, no matter how good you are, the process for you to identify something, analyze it and take action on it, it's going to be a couple hours sometimes. Sometimes it's a little bit faster, but just a couple of hours. It's way too late by then because that threat could spread all over the place. You need those machines to make some of those actual decisions for you. And that's where you start to hear a lot about in all these buzzwords about artificial intelligence, machine learning, big data analytics, we're really diving into now and trying to figure out how can the machines help us make these automated decisions for us? But as you increase the amount of automation, you dramatically expand the threat surface for the number of things that could suddenly be compromised and taken over as a bad actor, they themselves are more connected. It just makes this whole problem. It just amplifies the whole problem, doesn't it? Yeah, it gets more complicated. So the more a system that's more complex is less secure. Yeah, the more vulnerable, sir. The more vulnerable, absolutely. All right, so once again, Tony, gee, thanks for being here. So we've been speaking on this cute conversation with Anthony Giamendico who's at Fortinet with the Fortinet Fortegaard Labs. He's a security analyst and researcher. Thank you very much for being here. Thanks. Thanks for having me.