And welcome to the inaugural episode of the Security Angle, our webcast focused on all things security. Today, I am so excited. I'm joined by a member of our theCUBE Collective family of analysts, Jo Peterson. Jo is an engineer, she's an analyst, and she is a brilliant mind. And I am relatively certain that anybody who knows her would agree. I'm so glad to be collaborating with you, Jo. Welcome. Thank you. I'm excited to be here, Shelley. Absolutely, absolutely. So in this series, you can expect interesting, insightful, opinionated, and timely conversations on all things security, including security news, security management strategies, cloud security, AI security, security technology, you name it. And also, we will provide coverage on what some of the major vendors in this space are doing on the cybersecurity solutions front. So each week we'll cover a handful of topics, we'll feature an occasional guest, and we're always interested, of course, in your coverage suggestions. So if you're watching or listening, welcome, and don't hesitate to reach out and send us your ideas on things that you'd like covered. So with that, we're gonna dive into our first topic, which is a pretty important one. It's about the challenges that are involved in protecting critical infrastructure. Jo, I know this is something that you spend a lot of time thinking about. I do as well. Let's talk a little bit about that cyber attack on the water authority near Pittsburgh. Yeah, that was kind of scary. And I didn't know until I dug into it, and I wanna read a stat here, because I think it's kind of important, that the private sector owns the vast majority of the nation's critical infrastructure and key resources, roughly 85%. And so when we think about key infrastructure, it's all the things that we use every day: our water, our electricity, things that keep the world going. Transportation systems, right? I mean, all these things. Right, and so processing food, right?
That's part of the infrastructure. And the government has tried. So back in 2010, the Government Accountability Office made 106 recommendations in this area, or since 2010, I should say. 57% of those recommendations had not been implemented as of December of 2022. That's cringe-worthy. Yeah, it is. And I get it's a balance, right? We're gonna talk about that. That's gonna be, I think, a theme as we talk today through some of the things that we talk about. Sort of that balance between government and the rights of a private entity and how much a government can step in and mandate, right? But the other side of it is, as good, diligent business owners with a fiduciary responsibility to the public that they serve, what are these organizations doing to make sure that this critical infrastructure is secure? Absolutely, absolutely. You know, when I was preparing for this and I was looking at this topic, I ran across a 2022 Waterfall Security report that indicated a 140% increase in cyber attacks against industrial operations that have resulted in more than 150 incidents. And by the way, I'm sure that, you know, that number is probably smaller than it is in reality, right? But what got my attention was that the researchers warned that at this growth rate, they expect cyber attacks to shut down 15,000 industrial sites by 2027. And even more alarming, to me anyway, is that 17% of the attacks that happened in 2022 had no identifiable motive. And I know, you know, many of these are just designed to disrupt critical infrastructure or services. And, you know, sometimes I think the general public doesn't really understand when we talk about infrastructure and how key this is. And I think this actually translates even at the boardroom level. But, you know, think about the attacks on airlines. Many major airlines have had cyber attacks in recent years.
In fact, when I was heading to Mobile World Congress a couple of years ago, I ran into, I was a victim of an, I don't think they talked about this a lot, but it was an attack on British Airways that really shut down transportation across the world. It was a mess. So we've had attacks on airlines. We've had attacks on power grids. We've had attacks on auto manufacturing plants. We've had the Colonial Pipeline attack. You mentioned food. I believe there was an attack on a meat processing plant. There was an attack on a wastewater facility in Florida. That was nothing more than an attempt to really poison people drinking or using the water system. And so anyway, when you think about infrastructure, it's a small word with massive implications, right? And it impacts our health, safety, security, lives, everything in a way that's really a pretty big deal. Yeah, and you brought up, you sort of made something perk for me, which was the average person and what they understand. And we talk about the term nation state attacks, right? Well, so first of all, a nation state attack could take us all down, right? Certainly. If an adversary, right? But I wanna peel back the onion a little bit there. For the folks that don't know, there are companies, countries in the world that have people on payroll. Rows and rows of people. Like in an office you'd see maybe in New York City or LA or Chicago of accountants. And they have one job. Right, and that job is to hack. And these people are paid a paycheck by that nation state. And they have benefits and they recruit people. I mean, it is not some kids wearing hoodies in a room trying to be rebels. It is grown men and women that this is their job that they clock in for. And they're mind blowing. Like if you think about that for a minute, these are people that spend their entire day trying to hurt the citizens of another country or another country in general. I mean, stand still with that for a minute.
So that makes me feel queasy. It just does. Well, and the other, I mean, when we talk about this, we're talking about China. We're talking about North Korea. We're talking about Russia. But yeah. You know, I mean, we're talking about, and the other thing is that these countries, I mean, I believe that those people who are sitting in a room whose job is to constantly scan for, detect vulnerabilities and to launch attacks and things like that. I mean, can you imagine how celebrated they are when they're able to, you know, really do some damage? I mean, that's like a very big deal. So it just seems so bizarre to me that that would be something that you would spend all day every day doing. But you know what? I mean, we, and Europe, we are attack vectors. And so understanding that and understanding the reality that there are people there all day, every day whose job is just to look for weaknesses, and the stress and the responsibilities I think that puts on, you know, companies the world over is really pretty significant. I think that I read in the Waterfall Security report that I referenced earlier, that reported a 140% increase in cyber attacks against industrial operations, that 60% of these attacks were led by state-affiliated actors. So that's a big number. It is, it is a really big number. And when you, so a couple of other things, you know, if we think about the SolarWinds attack, right? And we think about something, people may be familiar with this term and maybe not familiar with this term, it's called dwell time. And dwell time is the idea that somebody, a bad actor, sits inside a system for a really long period of time, just stays there. They're very patient. Yeah. Gathers information, right? And so it was determined that the SolarWinds attack was a nation state attack. And it took hundreds of engineers to reverse engineer that. And they found it by accident. Isn't it crazy? Right?
They, they found it by somebody tried to authenticate. I'm going to get the story a little wrong here, but they had already authenticated and someone caught the fact that they had already authenticated through. So it was found by accident. So they're not exactly sure how long that had been going on, and that brings me to something else that I think we're going to talk about. And if I'm early, stop me and we'll rewind. But it makes me think about sort of, okay, so if 60% was the number you cited of these attacks being nation state attacks, then, and this was something that came out in a talk this week at Black Hat in London, when does it become a Sarbanes-Oxley moment? Meaning, when does the government step in and go, enough, just enough? Like we've had too much and we've reached this sort of inflection point where we have to make some mandates that have to be enforced. Well, absolutely. And, you know, I think this is a great time to transition over to talk about Black Hat Europe, and I thought it was interesting that, so Black Hat Europe took place in London last week, Jeff Moss, Black Hat's founder, predicted that governments will be forced to impose greater levels of security regulation because the reality of it is, it's pretty clear that organizations aren't doing a good enough job to protect themselves. And, you know, his quote on this topic was, self-regulation is not working. And, you know, so that made me think about, you know, why isn't self-regulation working? And I started doing some research on that front, and I know you and I've talked about this a little bit, but it's a boardroom issue, right? And, you know, so as I was digging into this, I found some research. The Wall Street Journal reported on a study that was done by a VC firm, NightDragon, and the Diligent Institute, which is a research think tank arm of a software developer named Diligent.
And this was done in September, and they did an analysis of board composition in the S&P 500 companies. And this research found that 88% of these companies had no directors with cybersecurity expertise. I mean, this is a board-level problem. You know, further, they found that only seven of those S&P 500 companies had a current or former CISO on board, and out of those seven, two were the same person. So, you know, we're in a situation where we have boards that are comprised of people that have no knowledge or expertise at all as it relates to cybersecurity. And then we wonder, why is this problematic? Well, I think we have our answer. That's a really good point. The other thing I think about, and I know there's lots of CISOs that I'm aware of that do their absolute best to talk to the board and really present security in a way where it's a business problem and not a tech problem. They really try hard to get security seen as integral to business and not a cost, right? And they do all these good things on the daily. They do, but there's a couple of things that drift into my mind. And the first is, and these are just realities, cybersecurity is only a small percentage of an IT firm's or an IT budget. It's just a small percentage. Depending upon the vertical that you're looking at, the percentage is larger. So those verticals that are highly regulated, think finance, spend more on cybersecurity. But even then, it's 12 to 15% on average of the entire IT budget, okay? That's even with the regulations. And the finance folks, the hospital folks, the guys and gals that have the most regulations spend the most. That's the first thing. The second thing that I'm gonna say is kind of inflammatory, and mea culpa in advance. Ooh, it's inflammatory now. Well, yes, yes. Is how can you expect a CISO to do a good job if they report to a CFO that doesn't wanna spend any money, right? I'm just gonna ask the question, boys and girls.
And I'm just gonna ask because this person can only do so much, right? You know, I made my own prom dress. It wasn't pretty. I didn't have much to work with, okay? These guys and gals have these tiny little budgets to work with. And we wonder why the average tenure for a CISO is two years. Right. Well, they feel like they can't effect any change, and it's very stressful and very frustrating. Well, speaking of stress, I mean, you know, think about, you mentioned SolarWinds, the CISO of SolarWinds, you know, is in a situation where he's been charged because of the breach, right? I mean, like when you think about that for a minute, so think about culpability when you have a massive attack, a massive breach. Think about this, you know, if something happens and of course there's damage done and there's, you know, a stock drop and everything else, well, if we're gonna charge CISOs, are we also gonna charge board members for not paying attention? You know, I mean, this is a bigger issue and a bigger responsibility than just the one that sits on the CISO's shoulders. This is a corporate-wide responsibility. And I think that that's really, you know, kind of what Jeff was talking about a little bit when he was talking about, you know, this is a problem and self-regulation isn't working. It's a boardroom issue. And, you know, really that leads to the reality that you and I talk about all the time. Security is and should be a foundational thing across every organization of every size, and everything everybody does should be secured, in my opinion.
And I know that that maybe isn't echoed by everyone out there, but the risks to the business are so significant that you really can't not have a security-first mindset, and that, you know, means making cybersecurity not just a CISO responsibility, not just an IT responsibility, but a senior leadership responsibility, a board-level responsibility, and really across the organization, everybody involved really needs to understand the importance of data protection, the importance of, you know, having the right technology, of having the right practices, of regular and ongoing training. You know, there's so many pieces here and all of them are important. Yeah, I don't think it's as black and white as SOX, personally. No, it's not. SOX is financial and that's pretty black and white, but in this, there becomes all this area of gray in my mind. So let's go back to the CISO, and maybe this is a second point, but let's go back to the CISO that goes to the CFO, that reports to the CFO, and says, you know, man, we really need MFA, and the CFO says no. Should that CISO be held accountable? Because at the end of the day, they can't get budget for what they need. And I think it's, and I applaud the cyber insurance firms that are coming down heavier on their clients. Oh, absolutely. You know what? You need to have this and you need to have this and you need to have that in place. Yeah. I think there used to be a mindset, you know, say within the last five years or so. I think there was a mindset that was not a good mindset, but that we have cyber insurance, so we're good, right? But then, you know, when you think about some of the ramifications of some of these cyber attacks, you know, some of the biggest cyber attacks. And when you think of kind of the ramifications, the public pays the price, you know. I mean, the public always pays the price, the Equifax data breach, right? All of our information is out there. All of those things.
So I think that it is, I think you make some very good points that, you know, we have the perfect storm of lack of understanding, lack of budget allocation, lack of skilled technical help, right? You know, so I think that you have all of these things coming together, playing a role. And we've got to fix it. We absolutely have to fix it. And I think that that sets the stage for our next segue here. We're going to talk a little bit about the newly adopted SEC rule that goes into effect in December. And, you know, there's a lot of criticism about this rule. And one of the things that, you know, the writers of this rule have been criticized about is not including people from the trenches in conversations as they were making some of these decisions. But, you know, in short, in July of this year, the SEC adopted some rules on cyber risk management, security governance, and incident disclosure by public companies. And the rule requires the disclosure of cybersecurity incidents that organizations experience, and they have to disclose on an annual basis material information about their cyber risk management practices, their strategies, their governance, that sort of thing. Well, these newly adopted rules go into effect in December. And I think this is actually both good and terrible, because I understand sort of the thinking and maybe the heart is in the right place here. But I think that this is not unusual as it relates to what we do in the United States compared to some of the regulations that we see coming out of the EU. We tend to be a little bit more lackadaisical, I think, in some of the rules and regulations that we put into place. One of the criticisms here, though, is that these are pretty demanding disclosure rules from the SEC.
And one of the requirements is that publicly traded companies have to report cyber attacks through regulatory filings no later than four days after they determine the attack will have a material impact on their operations. Well, four days is not very much. You know, I know you have some thoughts on this, so let's hear it. I, you know, so you said a couple of critical things. This is the SEC weighing in. So this is publicly traded companies; it isn't applied to privately held organizations, or governments, or companies of any size doing business with government entities. Right, so the heart was in the right place when they put this in, right? And the way I understand the ruling, it is gonna affect two things. It's gonna affect that disclosure that you described, but they also have to describe their process. So it's not just the disclosure; then they have to go and make another statement on their form, what is it? There's a couple of different forms. Yeah, there's a couple of different forms involved, right? There's Item 1.05 of Form 8-K, which is the four business days that you alluded to. And then there's Regulation S-K Item 106 that says that they have to talk about their process. And there's another piece of the legislation that says the boards have to describe what they knew and were aware of, right? Which I found pretty interesting, right? So there's all kinds of places in here where the I's have to be dotted and the T's have to be crossed. Well, and interestingly to me, one of the changes from the original proposals was the removal of a requirement for companies to disclose the cybersecurity expertise on their boards of directors. I mean, we just talked about this, right? Yeah. So when you talk about, I can't remember the phrase you just used two seconds ago, but it's like, when you talk about, our heart was in, maybe this is what you said, our heart was in the right place, but come on.
I know, but as I read through this, and I didn't read the actual legislation itself, I read a summary of the legislation, but there's words that trigger me in there. Like it says, smaller reporting companies will have an additional 180 days. What defines large and what defines small? Right. Where's the line? So it seems like it needs some refinement. Yeah. It'll really be interesting. And I think that this is true. We're gonna talk about this in a next episode. We're gonna talk about AI security and the roadmap for trustworthy AI and really comparing some guidelines that are out there on this front. But the reality of it is, I think that it's easy to be a critic. I realize that. It's easy to look for and find all the holes, right? I think that this is probably a good step forward. I think requiring some official accounting and things like that. And I'll put some additional information in the show notes here about the specifics of the new SEC rules so that you'll be able to see what the requirements are. I suppose that a first step that isn't perfect is better than no steps. That's right. That's right. It's conversations like this that I think get people thinking. Yeah. Yeah. And that's what we wanna do. We wanna start a conversation. We wanna start a conversation. And by the way, if you happen to be a company, whether you're part of the S&P 500 or whether you're part of a smaller organization, sit back and ask yourself, what does our board look like? What are our conversations from the board level and senior executive level? How are we addressing and embracing and educating about the importance of cybersecurity and examining our own cybersec operations and our risk mitigation strategies? Because that is, I think, the holy grail, that's what we want. We want there to be increased understanding.
We want there to be increased awareness, and we want people to understand too that the reality is, and we work with these vendors all the time, whether it's AWS or Cisco or Microsoft or IBM or tons of other vendors, who have amazing security-related technology solutions that are out there. And I remember we did some research for Dell a couple of years ago. And one of the things that we asked respondents in that research study was, do you have visibility? Do you have a dashboard that shows you in real time what's happening across your security landscape? And many of the people that responded to that survey who were, you know, CISOs, IT pros, senior leaders said no. And another question that we asked was, you know, how many instances of cyber threats have you encountered in the last 12 to 18 months? And the interesting thing, and not surprising at all, was that of course the people who responded that they didn't have any kind of visibility, they weren't using, you know, technology like Splunk's or Dell's or anything else, they weren't using technology solutions to provide visibility. They thought that they weren't targets and that cyber attacks weren't happening. And the other survey respondents, again, no surprises here, who do have visibility knew that they were seeing and thwarting hundreds of attacks on a weekly basis. So it's happening. And just because you don't see it doesn't mean it's not happening. And I think that's really where we need awareness and the understanding that there are technology solutions out there that can provide the kind of assistance that people need. Yeah, lots of good ones, so good points. Absolutely. Well, with that, we're gonna wrap up this inaugural episode of the Security Angle. Thank you for hanging out with us and for watching or for listening. You'll find us here every week. Jo, it's always a pleasure to swap gray matter with you, and I look forward to more on that front. Me too. All right, bye everybody. Bye.