Welcome, everyone, to the Cyber Physics podcast, where we unravel the complex web of cyber security through the lens of its foundational principles. I'm your host, and today we embark on an intellectual journey that mirrors the intricacy of physics itself. Joining us are two remarkable experts, Ruman Vatran and Sue Bergo, as we delve into Cyber Physics in Essence.

Thank you for having me today; I really appreciate being here. Sue Bergo, longtime CIO, CISO. I had, and still have, a great career. I made the move into cyber about eight years ago, and, you know, while you never really give up the CIO portion of it, because you're always working with it, by nature I'm a nurturer, and so I have found the ultimate career: being able to take care of people, right, companies, employees, customers. I just really like to take care of people, and this has been a really fantastic journey for me. So I'm working independently in my own consulting firm now and enjoying the customers that I have worldwide, and I provide all kinds of either fractional or executive advisory services to a lot of startups in the cyber field. But mostly I'm having a great time working for folks that want to make a difference in the industry, and my goal is to just help secure a little portion of the world, and hopefully collectively we can all secure the whole thing. So that's sort of a tall order, but I'd like to at least get a little corner of it together. So that's my story.

Thank you for that. I'm Ran M. I head up three companies: Resilience, that focuses on AI; Pinnacle, that focuses on cyber security; and Curious, that focuses on edtech. So we are squarely in the hot seat with AI, cyber security and edtech. I love all three areas extremely, and I think they're all super linked. Pinnacle focuses exclusively on cyber security and leverages a lot of AI to deliver cyber security solutions. We're also a platform company, and we also bake in services, because you have to bring sort of an eclectic mix into the equation to support a customer end to end. So maybe on a follow-up call we can share what exactly we do, but this is a space that we absolutely love, and it's a journey that allows us to sort of grow taller than the problem, because the problem continues to grow bigger; the only way you can really solve it is to grow taller than the problem on a continuous basis. So that's really what keeps us going. We generally like to meet people in the industry, exchange ideas and thoughts, and hopefully it benefits the audience. So, from your work in the space, what are you seeing as some of the latest trends, and why do you think the audience should care?

Well, you know, that's an interesting question, because I spend a lot of time with smaller companies, startups, series A, and what I look for, and what I kind of have a good nose for, is smelling out the ones that are really innovative, and I mean truly doing something different. Those are the ones that I like to spend time with; they're a lot of fun. And because I work with so many different companies, I see the patterns of what's going on out there, and I see a couple of things. There are some new companies out there that have taken identity and access management to an all-new game. I won't mention any company names right now, that won't be fair, but there are some really cool technologies in IAM. IAM personally has been beaten to death. I mean, really, when a company calls me and says, "Oh, I'm in identity and access management," I'm like, "Stop right there. If you don't have anything that's different, I'm not even going to continue this conversation." But there are some really cool technologies coming out that are going after cyber criminals and literally poking them in the eye, and I'm just so excited about some of them. The other thing is I see a convergence of some higher-level, I'm going to call it SIEM, vulnerability, CASB solutions, and those companies that are out there taking SIEM to the next level are also very exciting, because, you know, I hate that phrase "single pane of glass." What it really is about is putting the analytics together so that we as CISOs understand what's coming at us. And again, I don't want to call it a single pane of glass, but the analytics have gotten so much better, and they've gotten so much better because we've moved from strictly ML to ML and AI, and the AI brings a whole different category and level of analysis and insights that just weren't there before. So I'm really excited about what I'm seeing in the industry, and it's an exciting time to be in cyber.

So maybe a little bit more on the IAM stuff, on where you think it's going. Like you said, you don't need to name companies, but maybe you can share where you see the technologies actually poking the eye of the attacker or providing better defenses. What do you think is going on there, and what are the game-changer technologies that are sort of at play that you feel so strongly about?

Yeah, you know, it's not enough, right? Like, you have to have your defenses, and I'll get out of IAM for a second. You have to have your endpoint security, you have to have MFA, you have to have VPN, right? Like, you have to do those things. It's just table stakes, it's just another layer of protection. But when it comes to identity and access management, it's not enough to just have those foundational items, and some of the technologies that are out there today, and again it's AI that's bringing this increased awareness in this space to all of us, is making it almost foolproof that if there is someone sitting at the end of a device, you know exactly who it is. I don't know if everyone heard about the deepfake CFO that supposedly called a financial analyst, and the company's out $25 million. I mean, that's really an unfortunate event, but it happens because the technology has gotten so good. AI, you know, isn't perfect, but of course the cyber criminals are using it as well. So, as I say to CISOs, don't be afraid of AI; use it to your advantage to find and defend against these cyber criminals. So it's really AI that I'm excited about in IAM, because it's helping us to identify and defend against these criminals.

But let's talk about a scenario when the same tools are available both to the attacker and the defender. So, for example, if you take FireEye, they got hacked by the same tools that they use to defend their customers. In that race, how do you see things play out?

I'm going to head down a whole different path with you, because this seems to be the theme over the last several weeks, and again, I'm a pattern watcher by trade, so I like to talk to anyone that I can about engineering practices, or I should say the lack of secure engineering practices. So, you know, we've all figured it out, right? The network, perfecting the perimeter, protecting the perimeter, we've all perfected that. We get it, right? Start with a network, make sure that it's surrounding your environment, you know, if it's your DMZ or your firewalls or whatever it is that you're using. We've got that down pat, and we've got the technologies to monitor the network. We're good. But when companies have issues, software companies, right, like FireEye, and I can name so many other ones that have had big breaches, it's not the network that they're getting into. Yes, credentials may be compromised on some engineer or lead engineer, but really what happens in most cases is that some cyber criminal comes in on a vulnerability in their own software, and that's exactly what happened with FireEye that led to the whole SolarWinds breach, which, you know, now we're all facing, you know, what's happening to Tim Brown, right, in this next wave of the SEC going after CISOs. So I am here to ask every engineer that's listening to this podcast that if you don't have a secure coding practice that you're working with, that you ask, or you find one, and you begin to bring in some champions to help you in your own organization. And I'll give you a huge tidbit: OWASP Top 10. Just start there. There's never been a pen test that I've seen that hasn't had an OWASP Top 10 vulnerability on it, so if you just code securely with that principle in mind, you probably get rid of a whole bunch of them, and then we go on and work to the other thing. And I'm going to take this one step further. I was laughing with someone yesterday who posed the question about security and compliance, and most people don't understand that they are two separate areas of responsibility for the CISO, but they complement one another. And everybody thinks, "Oh, I'll just bring in some monitoring tool and I'm secure." That's only one half of the battle. It's people, process and tech, and compliance is the process and the procedures that lead people to have more secure practices. So the reason that companies are going for things like SOC 2 or ISO 27001 or HIPAA or FedRAMP, you know, just pick one, is because they're there to implement security controls that help not just the engineers but the network admins and the HR people and the finance people and everyone across the board have better security awareness. So I'm a big proponent of people, process, tech. And just for a shameless plug, if you want to learn more about this, you can go read my new book, So You Want to Be a CISO. Find it on Amazon. I'll tell you exactly how to do it. It's not that hard.

No, thank you for that overview. And, you know, a shameless plug: my book just got released. It's called Brand; it's B, R, N, D, separated by P.

So congratulations on your book, and if you're interested in partnering in a future book or writings, I'm happy to do it in the security space as well, so just leaving that with you.

Yeah, let's talk about that. Yes, we should.

No, I like your answer. I mean, it makes a lot of sense to look at things through a multi-pronged approach, especially the compliance angle and the angle of how you look at risk. The question, however, which is an interesting one: I was recently speaking to one of my clients, and the customer was thinking he was paying us a lot of money, and I said, "No, you're not." I said the reason for that is that you're just basically playing to participate in security, but to win in security is a different ball game altogether, and it requires a different investment profile. Most companies today are just playing to participate; they check a few boxes and hope that it works. In this there's a lot of inherent challenges, right? The CISO gets blamed when there is a problem, there's a breach or an incident; the security vendors do get blamed because they need somebody to throw mud at. So the real challenge that I also see in advising companies, working with them as well as being their vendor, is that one of the things that we constantly worry about is how do you ensure that the customer does the right thing when the advice is provided. Case in point: Comcast, in the Xfinity division, essentially had one patch that didn't get done, and here you go, you had an incident. And then of course the same thing happened with Capital One; there was a misconfiguration on the firewall. Then you had Equifax, that's been through a very expensive breach. But all of these things require us not necessarily to be intelligent but less stupid, in other words. So one of the things that we really aim for is how do we be less stupid, because I think intelligence is available in fairly great abundance, but what seems to be in scarcity is being less stupid. Your thoughts?

How long do we have for this podcast? So we can always have a follow-up. I love that you said "how do we be less stupid," but I think I'll turn it around in a little bit more positive note, which is how do we educate people to take less risk and be more secure. So everyone believes, I'm going to make a general statement, that it's the CISO's problem, right? Just like the back-office applications were the CIO's problems, right? Well, security isn't just the CISO's problem; it's everyone's problem, because it takes a village to secure whatever it is that you're trying to secure. It takes a village. We need more eyes and hands, and I know that everybody has an opinion on how it should work, but we're there to make sure that we're plugging up the holes. The first thing that we do is we assess an environment and see where those gaps occur, and then we assign a maturity level to it so that people understand, and the maturity level is usually one through five, right, so one being low, five being high. I've never seen a five, but not to say that they're not out there. But then you put in a program that strives to continuously improve, and even if things change, like if a company is at a two and then they do a merger and acquisition, they could go back down to one again, but that's okay, right? You just keep continuously improving and working that program until it makes sense. But the problem is that people really don't want to talk about risk, right? It's somebody else's problem. And if a CISO understands the importance of risk management, they can bring it to the executive team, they can bring it to the board, and they can have meaningful conversation. But one of the things that I caution and counsel CISOs on is: please don't bore those individuals with the details of an attack. What I mean by that is you never, ever go to the CEO of a company and say, "Oh, we got hit a million times this month." That brings about a whole bunch of questions that you don't want to answer and don't need to, because more often than not no one's getting through, right? Most companies are getting attacked millions of times a month. It's the occasional one time that a cyber criminal comes through that you do want to talk about, and you talk about it not necessarily in the details, and I'm going to go back to that in a second, but you talk about it from a framework of how did it impact revenue, go-to-market activities and brand reputation. That's what the board and the ELT are looking for, not how many bits and bytes and kinds of attacks. Okay, if it's ransomware, it's ransomware; just call it what it is. You don't need to spell it out for them; their heads will explode. So this is what I try to explain to people: be smart about how you're trying to approach risk. The other thing is there's different levels of risk, right? At the board and executive level you're going to talk about company, economic and competitor risk. You're not going to talk about operational risk, but you should be having an operational risk board lower down in the organization, so you could find things that individuals like engineers or the IT team or whoever should be working on, but you would never bring those things to an executive level unless it impacts revenue or brand reputation. And so those are the things that I would counsel CISOs on.

A related question, however. I think we all know this: playing the defensive game is a lot harder than playing the offensive game, because in the offensive game you just need to be right one out of 100 times; on the defensive side of the fence, we just need to be wrong just one time out of 100 and then you're done. So the real question is, in projecting one's story, sometimes, like you said, there are people who are compelled to talk about all the incidents that got blocked, couldn't make it, so that in that one incident where you don't get it right you can at least pull a story that says, you know, one out of a trillion times we were wrong, but nearly a trillion times we were right. Because if that one story happens to be a bad one, all that effort that went in and the investments that went in to do the defensive work obviously do not get any sort of recognition in any shape or form, and then they're all fixated on putting the microscope on the one thing and not recognizing the other things that went right. Because many organizations are in a spectrum; they've made a lot of progress, but they still have a long way to go. So in that distance, do you measure how far you've come, or do you have to measure how far you go? Because how far you go is going to be a journey for most companies, because investments don't come all at once; they trickle in. Your thoughts?

Yeah, no, that's a great point, and I think it's a balancing act, right? So once you have that assessment and that maturity measure, at least in my program, then I lay it out, and I do it very simply, because again, you can't bring in too much detail to people that don't understand what you're talking about, and I mean that in the nicest of ways. It's our craft; don't just talk in technology. But I do a simple red-yellow-green diagram that shows very visually where we are and what we need to do, and then you talk to people about what are the most critical areas that you need, and sometimes the CISO has to make a choice. In my program I always solve for ISO 27001, because it's the hardest one to do; it's the most effective, in my view. Everything else falls underneath ISO. It doesn't mean that I need to certify, but I always go for the highest level of the framework. And so sometimes I just have to pick three or four control areas, especially if I'm starting from the ground floor up, or maybe I have a control that's halfway there but not quite; that would be an easy one to do, right? Let's go get it done, you're halfway there. And really involve people in the organization to help, right? Get those champions, because the more that you involve individuals across the organization, the more apt they're going to be to support your efforts. And be reasonable with what you're trying to do. Start slow if it's something new that no one understands; make sure you're educating, and that's really where the defense mechanism comes in. The more that you can train and educate your users to stop phishing attacks because they identify the threat, life goes on a lot easier for the CISO. There are always going to be things like gaps that are going to crop up and that we're going to identify; that's why we have continuous monitoring. But the more that you can get employees to understand the threats that are out there, the better you'll be. And something as simple, it happens all the time: I go into companies all the time to assess their security posture, right, and right from the beginning, as soon as I stand at the front door, somebody inevitably wants to be nice and they open the door. They have no idea who I am. "Hi, do you want to come in?" "Sure," I say. And right from there they have no idea who I could be, and that's X number one, right? So it's the simplest of things that get you, but it is the simplest of things.

Thank you for that. I'd love to have a follow-on as well, but to keep this within a certain time frame for the listeners, how would you like to sort of tie this up in terms of key messages that you believe businesses should take notice of, especially CISOs and maybe executives in companies that care about cyber security but perhaps do not know enough about it?

Yeah, thank you for that. I'll go back to... I have a chapter in my book; it's "Last Thoughts." It literally is the last chapter, and I say a couple of things in that chapter. One, if you don't know where to start, start somewhere, right? Pick a framework. I don't care which one you pick, right? CIS, CSF, NIST, ISO, just pick a framework and start there. If you don't know what to do, ask for help, right? Just ask. But understand that it's not just tech; it's people, process, tech, and they all go together, and the optimization of technologies through automation is going to get you a more efficient security environment. But honestly, putting in a security program isn't hard. What's hard is the constant identification of threats and the defending against threats when they attack and they get through. That's hard, but when you're well equipped and you have good skills... And the other thing I would say is make sure your staff is cross-trained, so in case somebody's out, somebody else knows what to do, and do tabletop exercises and make sure the staff is prepared well in advance of an attack, because, I should say, you don't want to train during the moment; you want to be well aware of what you're going to be doing and how to do it in advance. Those are my guidelines.

Thank you, and you may want to repeat the name of the book again for the audience, and hopefully where they can find it. I'm sure they'll be interested in reading it.

Yes, thank you. It's called So You Want to Be a CISO. I'm on Amazon, I'm on Barnes & Noble; you can find me. It's an easy read. And for anyone watching this podcast, if you'd like to link with me on LinkedIn, Sue Bergo, you'll find me; I think I'm the only one there. Just put a little note in your invitation saying that you saw this on this podcast and I'll let you in. But thank you for having me.

Thank you. We look forward to more in the future, but great having you. Thank you so much.

Thank you.

As we wrap up this enlightening episode of the Cyber Physics podcast, we want to express our deep appreciation to our insightful guests, Ran Vinat Traman and Sue Bergo, for sharing their wisdom with us today. Cyber Physics in Essence has indeed brought us closer to understanding the intricate forces that govern our digital world. We hope you've gained valuable insights and inspiration to navigate the ever-evolving landscape of cyber security. Stay connected, stay informed, and remember: the essence of cyber physics is ever present in our connected reality. Until next time, keep exploring and seeking the equilibrium between innovation and safeguarding. Thank you for joining us on this captivating journey.