This is Think Tech Hawaii, Community Matters here. Aloha, and welcome back to the Think Tech Hawaii studio. This is Andrew, the security guard here on this episode of Security Matters Hawaii. We've got Pierre Borjex in the house from EFAC Convergence, and we're going to be talking about baseline risk assessment. We're going to talk about some of the problems with convergence of risk across different industries out there today, so we've got a really interesting episode. Pierre, I know you're traveling. We appreciate you joining us today in the studio remotely. I'm remote, you're remote, so it's a crazy day. Welcome aboard.

Thank you. I appreciate it. I appreciate you having me on the show.

Right. Thank you so much. I'd like to start off by asking my guest: I know you're a long-time industry practitioner yourself, and from a security perspective in this day and age, what's keeping you up at night?

You know, it's a good question. I think a lot of things have become more and more of an issue in the last 10 years, and one of them is critical infrastructure. I do a lot of work within that environment, from utilities to power, energy, et cetera. And I think one of the factors is that I find we're not secure at all. The grid, et cetera, has many vulnerabilities, and from the standpoint of controls, the PLCs, the SCADA systems, the things that control things, I feel are still not there. And with converged security coming along, where we have devices and products and we're going towards the smart buildings, smart cities environment, there are gaps in the way security is structured today. That's where I fear we're not taking as serious a look at this as we should. I think it's going in the right direction to a certain extent, but we're still far from a point where we can become secure, where we can avoid that liability.
And then the other thing, I guess the second part of that, is the aspect of how much converged security has reached the market: the technology from IoT devices and secure infrastructure, camera systems and access control, facial recognition, et cetera. The reality is, how are we managing alerts? How are we managing the infrastructure when we're receiving all of this information, this metadata? And then finally, the integrator. Who's going to install this? Who's going to integrate all of this? Those three right there are the big issues, and part of the things I've been working on are leading the way in terms of what we're trying to do to help the industry get to a position where we're more secure in regards to liability.

Yeah, your concerns are not lost. Many of our guests are expressing that. In Hawaii, we've got our wastewater treatment, we've got our electric, and people are aware of that. We're aware of the telecom and, when there's an outage, what that causes. But the mainland has other things that are really long-range, really open, and a lot of the folks in Hawaii don't really consider the scale of a service across 15 or 20 states, things that run from New York all the way down to the Gulf of Mexico. So I know you work with that. It's going to be interesting to see what we do as a country to secure that stuff. To that end, let's get back to it. I know the piece you contributed was really about this baselining of risk, and how do we get to establish that, because it doesn't seem to be done well across different industries and across functions, finance versus ops, things like that. Does that make sense?
So, you're going in and out, but I know exactly the line of questioning there. It's interesting. Risk has always been something to either be deferred, moved away or accepted. Unfortunately, for the most part, there's so much risk, and it comes from so many different arenas within the corporation, within a municipality or government agency, that they don't understand the complexity of it at this point. From a security standpoint, this is where the converged approach is really important. When we talk about convergence, people have always used it in the sense of IT and physical security, and it's really not. It's more than that. It's really a convergence of governance. It's taking the different segments of the organization, from business operations to IT to operational technology, or the operational environment, to physical security, and aligning how they operate and how they develop the proper process to define technology. And therefore, how do we do that with the frameworks we have today? Unfortunately, it boils down to this: we've lived in silos for so long, and I think we've been very comfortable in those silos. What I mean by silos is, IT lives in its space, operations lives in its space, HR, et cetera. For all intents and purposes, you've got different segments working in parallel but never working together. So I want you to picture an hourglass, right? The top of the hourglass is risk; the bottom of the hourglass is security. At the base of the security half is infrastructure. It's everything; just think about everything in the IT, physical security and IoT environment. And think about human beings as they enter that environment. It doesn't matter if you turn on your computer and get into your email, or you turn on a video management system, or you use an access control platform.
Whatever human being touches that, they create threats and vulnerabilities. In the last 10 or 15 years, we began to realize that if we tie threats and vulnerabilities to business and operational risk, which is the top of that hourglass, which incorporates HR, operations, finance, et cetera, then we may have a small picture. We may have a small chance to define that baseline risk. We might see some of that. But here's the problem: because everyone's living in their own silos, they don't communicate that. And therefore risk tends to stay within that environment. It doesn't really correlate to anything. At the end of the month, everybody talks about what happened, but they don't really talk about how it happened, and why did it happen? They may get a forensic approach to it and say, okay, somebody entered the door. Since we don't have a secured entry, we had a guard, and the guard let three people piggyback in. Well, that shouldn't have happened. Good, so what are we going to do? We're going to tell the person, you shouldn't do that again, because we have the forensic video. But at the end of the day, what have you really accomplished? Very little. Have you eliminated the compliance issue, the regulation? Have you mitigated the potential responsibility if it's in, say, a utility environment under NERC CIP? No. So one of the things I see missing is, how do we identify compliance and add that to the equation? You kind of have to add to the recipe, right? You've got to start adding the pieces. Because every industry has a symptomatic issue, and it's also symptomatic of the compliance they have to face. Now, if you're a small to mid-cap manufacturer, when you come to ISO, you have physical controls as much as cyber controls. All those play a role, and you have to take those into account.
Once you take those into account, you have to say, wait a minute. Now that I'm taking that into account, I'm saying that on the business risk side, the top part, I still have to deal with it on the physical side or the security side, which is the bottom of that hourglass. Now I'm aligning things. Now I'm beginning to work together. Now I layer governance over this: all these procedures, as well as communication and collaboration across IT, OT, physical security and IoT. I bring in IoT because the Internet of Things is all things, which brings in HR and everybody else involved in the operation. Automation is part of the OT side; operational technology, automation from Rockwell, Hitachi, whoever is out there. The point is, once you start aligning these areas, you start defining real threats, and you also define real risk. Because there's a big adage in the industry at this point where we ask, is risk dead? Some would argue maybe. Matthew, a good friend of mine at Intel, will say, Pierre, risk is alive and well. It's a problem. And I say, I get it. But how do you define risk? And how do you measure it? You have no metrics, because you're not aligning and correlating all this across the entire corporation, or the entire municipality or government agency. So if that's the case, how are you picking technology? Are you just overlaying technology based upon the wants and needs of a certain person in a certain environment? A friend tells you it's a good product, so you use it. Or you're trying to solve a problem that took place because, okay, somebody says, oh, I'm worried about active shooters, because the C-suite just told you that you should be worried about it. So you're buying defense, you're buying countermeasures.
Or you're doing it at a more proactive level to define the true risk, so that you're not having it pushed away, and you're really accepting that it becomes a liability if you don't bring this all together. And I think it comes down to this. NIST is in the process of working together with myself and a few others, and CIA and other consultants, to put together a converged standard. That brings together the four major points. The four major points are: you have to look at business operations; you have to look at compliance; you have to look at technology; and then you have to look at behavior. Behavior really comes down to two facets. Are you willing to look at convenience versus security in your organization? And if you do assessments within each area, IT, OT, physical security, are you doing anything about it? That's really where the rubber meets the road. It's based on 800-171, taking that cyber-physical methodology in terms of the standard or existing framework, the NIST framework, and then looking at CMMI and rate of maturity. Are you maturing these areas? Through questions and answers, the weighted answers give you a number. So who's pushing all this? We're talking about baseline risk. Well, think about it: the insurance industry is concerned. They're putting cyber liability out there and asking, how do I measure this risk? And you're telling me that you're okay. You've done a cyber assessment, an information security assessment. You've done a physical security assessment. Maybe you did an OT assessment, which is rare, taking a look at your operational systems. But have you talked? Have you correlated all this? Do you have correlated event mapping? Do you map all this on a pane of glass?
You know when something happens, and I think some of us in the cyber world know the kill chain, right, where it starts, how to mitigate it, and how it can be cordoned off and also remediated. Well, that's what we're doing in physical security too, believe it or not. We just haven't gotten mature enough to use it, and we're just starting that. So with all this, and I know this is a lot of information, the reality is this is happening. Now, I want to give you an example, which is actually a good example for you. You have an energy company, a utility within Hawaii. That utility has done everything right, believe it or not. They aren't even under NERC CIP, right? You're not part of the American grid. But believe it or not, you guys have done everything right. Why? Because you've had no choice. The funny part is, being an island, you pretty much have to sustain yourself. You have to figure out, well, wait a minute, if I don't sustain myself, who's going to come to the rescue? No one. So you'd better believe that they have to have that put in place. What's interesting is that they already see the converged methodology taking place. They are already communicating between IT, OT and physical security. They've already put a framework together to make sure they can progress in many ways beyond where we are today in terms of secured infrastructure. So this goes along those lines.

Hey Pierre, let's take a short break. When we come back I want to get into another way we can do some of this measurement. We're going to pay some bills. This is Think Tech Hawaii, raising public awareness.
Aloha. Welcome back to the Think Tech Hawaii studio. This is Security Matters Hawaii. We're kicking around baseline security risk and some of the problems with that across the enterprise, across government, across all sectors really, even functional sectors within an organization. So, Pierre, with this, you mentioned some of the difficulty about comparing. I sat in a risk panel yesterday, and I was thinking, when you were talking, about just measuring people. When I measure the risk of an HR person, for example, doing something, versus the risk of an operator on the plant floor in a production environment. Or, like you said, you gave a great example of a guard just not doing his job at the door. How can an organization properly weight and properly define the roles of just those people, not even mentioning technology and some of the other things you talked about? What can we do to standardize that? It seems like a massive problem. We've got to sort of cover for it. Like you said, insurance wants us to do it; we need to do it for ourselves as well. There are a lot of reasons driving this, and I think it's not been done.

No, that's a good point. And I think that is the behavior side of things, right? One of the issues with most organizations is they fail to really vet, right?
Not only their employees properly, in regards to what they do and how they do it, but how they correlate to the technology they use, as well as the future plans of that business. This is really interesting. Think about it. This is where the business process connects with security and safety. This is where the COOP plan, the continuity of operations plan, meets the disaster recovery plan. We oftentimes state those things, but do we ever look at them, and do we look at how they actually connect to people's jobs? Oftentimes they don't. I think what you find is, where you have guard services, maybe a third-party guard service being implemented, they review these things based upon what the guard service does in terms of security. But did we ever measure the use of guards, in regards to, why do we use a guard when we need an unmanned security door? Why do we put three guards at a door, a slide door, when we want authorized entry? These are very simple questions, but have we really asked why we do things? That's the question the converged standard will help us answer. But also, and this is a good point, this is where you wanted to go with this: we need to have a converged certificate. We need to have assessors who actually have a baseline understanding of not only our traditional CPP or PSP, but we have to incorporate them with cyber, really the CISSP, and we have to incorporate them with business process, and how we define, say, the governance between the different organizations within a large organization, or even a small organization. Obviously, this should be done by small companies, mid-cap companies and large. It doesn't matter how big or small you are.
By not evaluating these as a whole, you're really sacrificing your ability to defend yourself from liability. And at the end of the day, how do you measure liability? So I've got a simple equation, and you can take it or leave it. It's really the measurement of, one, rate of risk. Rate of risk is your environment, your people, your processes, your technology, all in one, and how they interact presently. What is the rate of risk you're accepting in your environment? Your industry has specific risks. If it's energy specifically, you have specific risks. If you're in retail, it could be loss prevention, asset protection. And if it's in a specific location where there's lots of crime, you're going to have a higher rate of risk at times. So if your people and resources aren't in the right place, because you aren't hiring the right people, because you're not in the right situation, well, guess what? Your rate of risk is going to be higher. So that, times your baseline liability: what is the baseline liability of the corporation right now? Do you know that? Most organizations have never done a baseline liability in regards to where they are at present. From the financial standpoint, most people do it, but they haven't done it from a security or safety standpoint. And I can tell you that these assessments are out there. Many of these companies have done these assessments, and have used security assessment people like ourselves to do those baselines, but they've never correlated them to the business and the direction it's going in. So they just assume it's okay when it's not. If I've done a cybersecurity assessment, have I correlated it with the business aspect? Have I correlated it with the physical security assessment? Most organizations that are connected, with governance in place, do. Most that are siloed do not. So then that's over acceptable level of risk. What is your acceptable level of risk as a company?
Have you defined that? Are you willing to accept maybe 20% risk, 30% risk? Because, honestly, I'm a cheese factory in the middle of Wisconsin. Nobody's going to attack me. I know I have some CFATS issues. I may have some safety management issues that I have to deal with. Other than that, I'm okay. So I'm accepting a lot more risk in that environment. And then that should equal, at the end of the day, your rate of acceptance of technology. Because here's the thing: if you really take all that into account, you begin to realize what your level of technology should be. And then you start asking the questions, rather than people asking you. You start asking questions. Well, here's my rate of risk: I have a manufacturing center in the middle of a bad part of a major city. I have a hard time hiring the right people. I've got a lot of loss, a lot of shrinkage. My baseline liability is, well, we were doing well, but economically we've had some issues. We had to shrink the size of the business, so that's not doing as well. And my acceptable level of risk, unfortunately, because they didn't have the money, they don't have the resources to put the right security in place. So therefore my ability to accept technology is reduced. Now, how do I help this company? If you go based upon the normal standard, I'm just going to say, well, you've got to buy this, you've got to do this, you've got to do this. Instead, let's talk about people. Let's talk about improving one part of this dynamic. Maybe I can use the right technology to help those people that you do have who are lacking, or maybe they can be helped through automation, the automation they're already using. Maybe you can use cameras for both production as well as for security.
Can we converge some of the approaches we're taking in regards to managing people, and maybe having them do different things in the business? Listen, there's no straightforward way. But if you talk this way, you start solving problems. And this is where, I mean, I could tell you that the big behemoths in the world like SAP and all that did this on a large scale. But believe it or not, shrinking this down to a basic element now really makes it easy. That's a kind of baseline ratio, I would say. And if you start applying that accordingly, you may have a chance to really know where you stand in regards to risk.

Do you think that, you know, DHS has the risk management framework for all of the niche sectors out there, and of course we've got the Cybersecurity Framework from NIST. Do you think we can cobble those ideas together to build this converged sort of risk, a converged risk infrastructure model? I'm thinking of, you went to CMMI, that continuity of maturity over time. I can understand how people can use that to judge where they're at. Are the tools there that could be brought forth to build something? I'm thinking of the Baldrige cybersecurity excellence sort of thing. I use that one to kind of get people started, because it's an easy format to answer and kind of see where you're at with things. But what you're talking about is much bigger, much more complex to do. Are the measures there that could be applied across these silos you're talking about?

A hundred percent. A hundred percent. If you take every industry, and every market you're in, there are already frameworks in place. If you're in the retail sector, you have PCI, the payment card industry. If you're in healthcare, you have HIPAA and HITECH. If you're in energy, you have NERC CIP.
If you're in food safety, you have food safety management and CFATS, or chemical safety, right? If you're in the petrochemical industry, you have CFATS. It goes down the line. If you're in logistics, you may have TAPA. These are all actual standards and ways to measure the risk. If you apply these to a NIST framework, if you take your NIST-based framework and you take a rate of maturity, CMMI, and you have questions and answers that are weighted, of which we've produced a lot, and we're going to go through a public forum next year, hopefully, everything will be good to the point where the government can actually send some of this stuff to you so that you can use it. It's going to be good. And I think the whole concept is this. It's a passion of mine, and a passion of all of those who want the industry to progress, because here's the thing: we're at the precipice. We're at the tipping point. Products and security technology are growing so quickly that if we don't have a way to create a standard that enables companies to really identify what they should be doing, or how they should be doing it, and really define the liability around that, it's going to be tough. So that's really the goal, and I think you're right on target with what you said. There are standards already in place. NIST 800-171: if you go there, you'll see the cyber-physical framework. You will also see, if you look at your industry specifically, whatever industry you're in, take a look at your compliance requirements and look at the physical controls and the cyber-physical controls. Please do that. Once you look at those, you'll see there are frameworks already built that you can begin to follow. Then you take your business process, everything that you do on a daily basis, and understand what your future goals are. What is your goal? What is your desired state? Know what your current state is.
Know where your desired state is. Don't just fix the tactical. Get a strategic plan, because the goal is to get you to a point where you don't dive back down to the beginning. I think that's been the five-year, seven-year age of technology. Every time we get to a point where we put a product in place, we don't future-proof ourselves. How do you future-proof it? You do this. What we've been talking about for the last few minutes: if you do this, and you correlate this, and you put governance on top of this, and you really communicate across your environment, you have a chance. You have a chance to not only buy the right product, but hire the right people and put the right processes in place to get you in a position to be successful in terms of liability.

Awesome. Yeah, I look forward to the time when we are showing up at the door because we are offsetting risk, not installing something that someone is buying just for the camera product or just for the access control product, but because we know, hey, we're mitigating risk. That's potential for you. So, really good stuff. I look forward to the work that you do with NIST, and I look forward to seeing this stuff. Maybe in the spring, you think, Pierre?

Yeah, I think it's going to be spring. I was hoping for it, but it's spring.

Awesome. Pierre, thank you so much again. Thank you all for tuning in today to this episode of Security Matters Hawaii. We'll be back next week with more, next Wednesday. I forget who my guest is, but I will be back in the studio and we'll bring you some more great information, because security matters. Thank you.