WEBVTT - Smart Talks With IBM: A Changing Cybersecurity Landscape 0:00:00.120 --> 0:00:02.880 In this episode, we're going to cover a topic that 0:00:03.080 --> 0:00:07.600 all too often only gets attention when something goes horribly wrong. 0:00:08.119 --> 0:00:12.240 That is cybersecurity. And before we get into the interview, 0:00:12.760 --> 0:00:16.200 let me hit you with some facts. In the United States, 0:00:16.480 --> 0:00:19.279 the cost a company incurs in the wake of a 0:00:19.360 --> 0:00:22.560 data breach has been on the rise. According to the 0:00:22.600 --> 0:00:27.920 Ponamon Institute, costs have increased by one hundred thirty percent 0:00:28.200 --> 0:00:30.800 since two thousand and six. So a data breach that 0:00:30.840 --> 0:00:33.159 would set a company back three point five to four 0:00:33.360 --> 0:00:36.520 million dollars in two thousand and six would cost eight 0:00:36.600 --> 0:00:41.000 point one nine million dollars in twenty nineteen. A single 0:00:41.159 --> 0:00:46.800 compromised record costs one hundred and fifty dollars on average, 0:00:46.840 --> 0:00:50.880 and that's just the average. For some companies, like those 0:00:50.920 --> 0:00:54.120 in healthcare, the cost can be much higher due to 0:00:54.160 --> 0:00:57.480 the nature of the data. The report found that more 0:00:57.520 --> 0:01:00.840 than half of data breaches come as the result of 0:01:00.880 --> 0:01:04.040 a malicious attack. And one important thing to keep in 0:01:04.080 --> 0:01:07.520 mind about this report is that it was for twenty nineteen. 0:01:08.200 --> 0:01:11.840 We are in a different environment today with more potential 0:01:11.880 --> 0:01:15.160 attack vectors, and while the tricks of the trade haven't 0:01:15.240 --> 0:01:18.440 changed much over the years, the number of opportunities for 0:01:18.520 --> 0:01:22.280 attack are on the rise now. With all that in mind, 0:01:22.600 --> 0:01:28.520 I sat down virtually speaking, we were all remotely isolated, 0:01:28.959 --> 0:01:33.480 with Wendy Whitmore, VP IBM Security X Force Threat Intelligence, 0:01:33.840 --> 0:01:37.760 and Alison Ritter, program leader at IBM Security Command Center. 0:01:38.080 --> 0:01:41.560 We talked about the challenges that companies face today as 0:01:41.560 --> 0:01:44.880 our concept of the workplace is changing, and how companies 0:01:44.920 --> 0:01:49.920 can best prepare themselves for the worst day. Ever, here's 0:01:49.960 --> 0:01:53.680 our conversation. I think we can get the obvious out 0:01:53.720 --> 0:01:56.760 of the way. We can state that a priority for 0:01:56.840 --> 0:01:59.240 any business in the twenty first century needs to be 0:01:59.800 --> 0:02:04.919 on cybersecurity. That is pretty obvious. But what has become 0:02:04.960 --> 0:02:08.600 more complicated, I would think, would be this shift we're 0:02:08.639 --> 0:02:12.440 seeing now that we're in an era of let's say, 0:02:12.480 --> 0:02:18.040 momentous events where we've seen a real move to decentralization. 0:02:18.160 --> 0:02:20.959 A lot of people are working from home and that's 0:02:21.040 --> 0:02:25.480 kind of changed the nature of business. Has that impacted 0:02:25.680 --> 0:02:28.600 sort of the focus of cyber threats as well? Are 0:02:28.600 --> 0:02:33.320 we seeing changes in that realm? Wendy, yes, I would 0:02:33.320 --> 0:02:35.919 say we absolutely are. You know. The good news, though, 0:02:36.040 --> 0:02:38.680 is it hasn't shifted in terms of such new and 0:02:38.760 --> 0:02:42.000 novel types of attack techniques. But I think what's really 0:02:42.040 --> 0:02:46.560 shifted is the volume of attacks as well as the frequency, 0:02:46.800 --> 0:02:50.160 and then the attack surface. So when I say attack surface, 0:02:50.280 --> 0:02:53.440 you know what I mean is there are millions of 0:02:53.520 --> 0:02:57.800 more computers that are now connecting from remote locations into 0:02:57.840 --> 0:03:02.079 devices and applications and systems that previously were within the 0:03:02.120 --> 0:03:05.520 same network. So that gives the attackers a bigger attack 0:03:05.680 --> 0:03:08.720 surface from the external side of that, right, all these 0:03:08.760 --> 0:03:11.639 new systems that were online that are no longer behind 0:03:11.680 --> 0:03:15.880 these firewalls. But then also it opens the corporate entities 0:03:15.919 --> 0:03:19.120 to potentially more of an attack surface because of the 0:03:19.160 --> 0:03:22.440 fact that they might have overnight, you know, enabled the 0:03:22.520 --> 0:03:25.400 ability for their workers to work remotely, and perhaps they 0:03:25.440 --> 0:03:28.960 don't have the right types of authentication or enough authentication 0:03:29.240 --> 0:03:33.200 on their systems where these attackers can take advantage of, 0:03:33.360 --> 0:03:36.640 but ultimately where their users need to connect to do 0:03:36.720 --> 0:03:38.800 business and to do their work on a daily basis. 0:03:39.160 --> 0:03:43.080 And we've definitely seen issues in the past where even 0:03:43.120 --> 0:03:49.600 within these well protected systems, we can see failures. Often 0:03:49.840 --> 0:03:53.840 I argue in tech stuff that the weakest link in 0:03:53.920 --> 0:04:00.280 a company's cybersecurity process often isn't necessarily the technology It 0:04:00.320 --> 0:04:03.320 can be the implementation of that technology, but it often 0:04:03.440 --> 0:04:08.160 falls to a weak link in the the use of 0:04:08.160 --> 0:04:11.640 that technology. So user error, you could argue, I think 0:04:12.000 --> 0:04:14.320 leads to a lot of those I imagine that that 0:04:14.960 --> 0:04:20.880 this decentralized approach has created enormous opportunities to exploit that 0:04:21.200 --> 0:04:26.920 because people are having to navigate a new workspace, they're 0:04:26.920 --> 0:04:30.760 having to access systems in ways that they haven't before. That, 0:04:30.960 --> 0:04:34.520 as you say, are are a little a step outside 0:04:34.560 --> 0:04:37.240 of the immediate control of a lot of these businesses. 0:04:38.120 --> 0:04:40.919 So can you talk a bit about sort of the 0:04:41.040 --> 0:04:45.240 nature of that, Like this attack surface, what are the 0:04:45.279 --> 0:04:49.320 sort of attacks that you typically see, what's kind of 0:04:49.320 --> 0:04:52.080 the nature of it? Well, okay, so let's take that 0:04:52.600 --> 0:04:55.120 question from a couple of different angles, right. So, one 0:04:55.200 --> 0:04:57.800 is just the ability to exploit human error, which we 0:04:57.839 --> 0:04:59.800 are all going to be prone to do. Right, So, 0:05:00.120 --> 0:05:02.840 if you're looking at it from the attacker perspective, they're 0:05:02.920 --> 0:05:05.440 kind of saying, hey, great, look at this. There's all 0:05:05.480 --> 0:05:08.200 this chaos going on in the world right now. There's 0:05:08.279 --> 0:05:11.279 new ways of working. But people who are now working 0:05:11.320 --> 0:05:14.520 remotely that maybe didn't before are also doing things like 0:05:14.640 --> 0:05:17.960 checking their email more regularly and they're checking social media 0:05:18.000 --> 0:05:20.839 sources and news sources because they want to know what 0:05:20.920 --> 0:05:24.440 are the local regulations where I live, what's the current 0:05:24.839 --> 0:05:27.560 counts in terms of how many people are being infected. 0:05:28.080 --> 0:05:31.360 And so since March we have seen a six thousand 0:05:31.440 --> 0:05:36.160 percent increase in spam related to COVID nineteen. So that's 0:05:36.200 --> 0:05:40.560 coming into users directly, so maybe your personal email accounts, 0:05:40.720 --> 0:05:44.520 but it's also coming into work email accounts unfortunately. And 0:05:44.839 --> 0:05:47.960 each one of those systems that I mentioned that previously 0:05:48.040 --> 0:05:49.920 used to be inside of a network and is now 0:05:50.040 --> 0:05:53.000 not may or may not have the same types of 0:05:53.040 --> 0:05:56.680 personal protections on it, right in forms of firewalls and 0:05:56.720 --> 0:05:59.960 antivirus and endpoint detection that it had when it was 0:06:00.120 --> 0:06:03.440 on the interior of their network. And so from that perspective, 0:06:03.680 --> 0:06:06.560 human error and humans are always going to be a 0:06:06.640 --> 0:06:09.160 huge part of the attack surface, right, So we've all 0:06:09.160 --> 0:06:11.640 got that, you know, as if we don't have enough 0:06:11.640 --> 0:06:13.400 things to be concerned about right now, we're going to 0:06:13.400 --> 0:06:17.400 add that to the list. And then as the pandemic 0:06:17.440 --> 0:06:20.360 has shifted and as it continues to go on, there 0:06:20.400 --> 0:06:26.280 is obviously a huge influence on testing, on vaccine research, 0:06:26.560 --> 0:06:31.159 on the development of a vaccine and processes and procedures 0:06:31.160 --> 0:06:32.919 that are all going to make all of us more secure, 0:06:33.360 --> 0:06:36.560 and so now you not only have those. When we 0:06:36.600 --> 0:06:39.960 talk about spam, we're often talking about cyber criminals, right 0:06:40.000 --> 0:06:43.719 who are financially motivated looking to steal information, maybe looking 0:06:43.720 --> 0:06:46.520 to conduct ransomware attacks. But when we shift over to 0:06:46.720 --> 0:06:50.080 the vaccine research and the testing, we're then really looking 0:06:50.120 --> 0:06:52.960 at nation state actors who are looking to capitalize on 0:06:53.000 --> 0:06:55.840 the theft of intellectual property and make sure that they 0:06:55.880 --> 0:07:00.520 can protect their citizens and potentially turn that research into 0:07:01.160 --> 0:07:05.719 financial gain as well. So it's a pretty tumultuous environment 0:07:05.800 --> 0:07:09.480 right now. I mentioned that the attacks themselves are not 0:07:09.520 --> 0:07:12.600 necessarily all that new and novel or exciting, but the 0:07:12.720 --> 0:07:15.320 volume of them, and combined with the increase of tax 0:07:15.360 --> 0:07:18.080 surface as well as just the general day to day chaos, 0:07:18.160 --> 0:07:22.360 has made it a pretty interesting environment to say the least. Yes, 0:07:22.440 --> 0:07:24.840 I think interesting is a great word for it. It's 0:07:24.880 --> 0:07:29.280 one of those nice catch alls in your work, Wendy, 0:07:29.360 --> 0:07:34.000 have you noticed any particular sectors or industries that are 0:07:35.160 --> 0:07:40.320 particularly being targeted by cyber attacks in this era? Right now, 0:07:40.400 --> 0:07:44.800 we're absolutely concerned about critical infrastructure, and when I say 0:07:44.800 --> 0:07:47.960 that though, that's kind of a big list, right of organizations. 0:07:47.960 --> 0:07:51.480 So that's everything from the obvious like hospitals who are 0:07:51.520 --> 0:07:56.040 providing healthcare to people who are sick. It's the medical insures, 0:07:56.080 --> 0:07:59.400 it's the whole infrastructure and ecosystem on the medical side. 0:07:59.520 --> 0:08:03.400 It's also financial services industry, and they're supporting infrastructure and 0:08:03.440 --> 0:08:07.360 supply chain as well as energy and oil and gas 0:08:07.600 --> 0:08:10.160 and really any of these organizations. It could also be 0:08:10.240 --> 0:08:13.240 food supply chain, right, All of those things that we 0:08:13.280 --> 0:08:16.880 need now to work perfectly more than ever are also 0:08:16.960 --> 0:08:19.240 potentially at risk. And so what we look at and 0:08:19.280 --> 0:08:22.760 what we're concerned about most our ransomware attacks to those 0:08:22.800 --> 0:08:26.400 type of organizations. We know the continual targeting and theft 0:08:26.400 --> 0:08:29.800 of intellectual property will go on as it always has. 0:08:29.880 --> 0:08:32.920 But if we can stop some of these major ransomware 0:08:32.920 --> 0:08:37.240 breaches from being effective and from stopping business for our clients, 0:08:37.600 --> 0:08:41.120 that's really what we're concerned about helping out with. I 0:08:41.120 --> 0:08:45.439 think one of the things we've learned we being sort 0:08:45.480 --> 0:08:48.480 of the layman I include myself in this in the 0:08:48.480 --> 0:08:53.560 wake of this pandemic, is how incredibly interconnected all these 0:08:53.559 --> 0:08:56.720 different pieces are, and if you do put yourself in 0:08:56.760 --> 0:09:00.160 the mind of someone who is attempting to exploit the 0:09:00.160 --> 0:09:04.720 the chaos. Then you can think, well, then you want 0:09:04.760 --> 0:09:09.400 to target whatever links appear to be the most vulnerable 0:09:09.440 --> 0:09:12.960 at any given time. And this kind of brings us 0:09:13.040 --> 0:09:17.200 over into something that I wanted to speak with Alison about. Alison, 0:09:17.280 --> 0:09:22.160 you have a pretty cool job in that you help 0:09:22.360 --> 0:09:26.560 architects scenarios for companies so that they can have a 0:09:26.640 --> 0:09:32.640 simulated cyber threat attack sort of a worse Day ever scenario. 0:09:32.960 --> 0:09:35.560 Can you talk a little bit about what that's all 0:09:35.600 --> 0:09:39.640 about and what goes into planning this sort of thing. Yeah, 0:09:39.679 --> 0:09:42.520 So having a well tested and really thought out plan 0:09:42.679 --> 0:09:46.240 is key to any incident response piece that you'd be 0:09:46.280 --> 0:09:49.240 working on with in a company. So where I work 0:09:49.320 --> 0:09:54.080 is really working on creating custom scenarios for organizations to 0:09:54.120 --> 0:09:56.720 go through and handle. Really a day in the life 0:09:56.720 --> 0:09:59.320 of a cybersecurity attack, something that would go on. It 0:09:59.400 --> 0:10:02.000 is really, like you said, your worst day that could 0:10:02.040 --> 0:10:06.760 possibly happen within an organization. A plan is really only 0:10:06.800 --> 0:10:09.640 part of the solution, So you also need to find 0:10:09.679 --> 0:10:12.800 out if your company is ready and able to execute 0:10:12.880 --> 0:10:16.280 and work through that plan. And that's where my team 0:10:16.320 --> 0:10:19.680 comes in. With helping to test out that plan within 0:10:19.720 --> 0:10:23.720 your organization. We run a fully immersive and gamified cyber 0:10:23.840 --> 0:10:27.320 range as part of IBM Security Command Centers. Within the 0:10:27.320 --> 0:10:29.880 command centers, we test and train companies in order to 0:10:29.960 --> 0:10:33.800 practice their response to a cybersecurity attack. Now, when I 0:10:33.800 --> 0:10:36.680 say test, it's not just reading through your plan and 0:10:36.720 --> 0:10:40.760 answering questions. We put your plan into action by throwing 0:10:40.800 --> 0:10:44.800 your entire response into a full on simulation of a 0:10:44.840 --> 0:10:48.920 cyber attack. The most effective response plans that we found 0:10:49.040 --> 0:10:52.760 are really tested and rehearsed multiple times through different types 0:10:52.800 --> 0:10:56.040 of attack scenarios. So, for example, you could be testing 0:10:56.840 --> 0:11:01.199 a ransomware response, DIDOS attack in threats. All of these 0:11:01.240 --> 0:11:04.600 areas are important to test and train when dealing and 0:11:04.640 --> 0:11:07.040 handling a cyber attack. And you know a lot of 0:11:07.040 --> 0:11:10.640 people think that these are technical responses, that this is 0:11:10.679 --> 0:11:15.199 something that you know, it's really for your security operation centers, 0:11:15.280 --> 0:11:18.520 your IT areas, but actually, as cyber response plans are 0:11:18.559 --> 0:11:21.720 best executed by the whole of business response, So dealing 0:11:21.760 --> 0:11:27.600 with individuals from human resources, communications, finance, legal, all of 0:11:27.640 --> 0:11:30.800 those individuals come into play when handling the cyber attack. 0:11:31.200 --> 0:11:33.480 So we work with all of those within the cyber range. 0:11:33.960 --> 0:11:38.920 That's absolutely fascinating. And as you point out, like I 0:11:38.920 --> 0:11:42.040 think a lot of us think of cyber attacks and 0:11:42.120 --> 0:11:45.800 the response to them in very Hollywood terms, just because 0:11:45.840 --> 0:11:49.240 the way the media tends to portray this sort of stuff, 0:11:49.280 --> 0:11:51.439 where you have the people just furiously typing, maybe two 0:11:51.480 --> 0:11:53.800 people typing on the same keyboard, which we all know 0:11:53.880 --> 0:11:58.160 works incredibly well, that clearly is not an accurate representation 0:11:58.400 --> 0:12:01.040 of what actually happens. And I'm sure there are a 0:12:01.040 --> 0:12:04.200 lot of people out there listening who are working in 0:12:04.240 --> 0:12:07.440 their IT departments, perhaps they are leaders in their IT departments, 0:12:07.840 --> 0:12:10.480 and maybe they're thinking about this for the first time. 0:12:10.920 --> 0:12:13.520 So do you have any thoughts about even just the 0:12:13.559 --> 0:12:17.000 process of getting started and building a response plan? How 0:12:17.000 --> 0:12:20.840 does someone go about doing that? Yeah, that's a great question. 0:12:20.920 --> 0:12:24.480 I think a lot of organizations have, and I think 0:12:24.600 --> 0:12:27.240 at times they can feel overwhelmed on where do I start? 0:12:27.360 --> 0:12:29.080 You know, I don't know how to get started. It's 0:12:29.120 --> 0:12:32.240 this huge thing, and you know, to be honest, what 0:12:32.280 --> 0:12:36.160 we see is there's still three quarters of organizations that 0:12:36.240 --> 0:12:38.679 don't actually have a plan in place, so no incident 0:12:38.679 --> 0:12:42.080 ave response plan, no playbooks on specifically, how do we 0:12:42.120 --> 0:12:45.000 respond to a certain kind of attack. So first and foremost, 0:12:45.200 --> 0:12:48.240 put it on paper, right, start somewhere, Start with names 0:12:48.360 --> 0:12:53.000 of your personnel, their contact information, their email addresses, and 0:12:53.040 --> 0:12:56.320 their roles, and literally start there, and then from there 0:12:56.400 --> 0:13:00.479 start looking to build out different components right of the organization, 0:13:00.679 --> 0:13:04.760 so cross functional departments, who they're, who those leaders are, 0:13:04.840 --> 0:13:08.719 what applications are responsible for, and really getting an understanding 0:13:08.880 --> 0:13:12.280 of what roles and responsibilities different team members are going 0:13:12.320 --> 0:13:14.920 to play. Then, as we look at organizations that are 0:13:14.960 --> 0:13:17.760 more advanced, what we would encourage them to do is 0:13:17.760 --> 0:13:21.840 certainly to have specific playbooks for certain activities, right, so 0:13:21.880 --> 0:13:28.200 a ransomware playbook, a thective intellectual property playbook, any type 0:13:28.200 --> 0:13:30.680 of things along those lines. And then once you have 0:13:30.800 --> 0:13:33.520 those in place, then we look at testing them. So 0:13:33.800 --> 0:13:36.680 increasing the frequency of testing them. If you can be 0:13:36.760 --> 0:13:40.680 testing quarterly at least one of those scenarios, your organization 0:13:40.800 --> 0:13:43.959 is going to then identify where the gaps are. And 0:13:44.160 --> 0:13:45.920 if you can do that in advance of an attack 0:13:46.000 --> 0:13:48.040 or doing it for you, you're going to be much 0:13:48.080 --> 0:13:52.280 better prepared to respond effectively to an attack. I imagine 0:13:52.280 --> 0:13:56.360 part of that also comes into how you communicate this 0:13:57.000 --> 0:14:00.840 Both internally and then externally. We've probably I'm sure we 0:14:00.880 --> 0:14:06.239 could all list off examples in the past of companies 0:14:06.320 --> 0:14:10.360 that have had a data breach, for example, and kept 0:14:10.400 --> 0:14:13.520 that quiet for maybe up to a year before news breaks. 0:14:13.559 --> 0:14:17.200 And honestly, I feel that the longer that goes, the 0:14:17.360 --> 0:14:21.800 deeper the sense of loss of trust tends to follow. 0:14:22.720 --> 0:14:26.320 There's almost a sense of betrayal among the various stakeholders, 0:14:26.360 --> 0:14:29.720 whether it's a customer or a client or whatever. So 0:14:30.320 --> 0:14:34.360 is communication a part of that playbook? Is that something 0:14:34.400 --> 0:14:38.200 that you help develop as well? So communication is absolutely, 0:14:38.240 --> 0:14:40.320 I would argue the most important part of the whole 0:14:40.320 --> 0:14:43.240 thing today, and I'll let Allison definitely talk more about 0:14:43.280 --> 0:14:45.800 how we train that in the range. But what we 0:14:45.880 --> 0:14:48.560 talk to our clients about in these situations is that 0:14:48.960 --> 0:14:51.520 there are components that you can do in advance. So 0:14:51.600 --> 0:14:54.440 things like having what we call a holding statement, which 0:14:54.480 --> 0:14:56.640 is some sort of a statement that if press breaks 0:14:57.080 --> 0:15:00.600 and you're not potentially ready to share information that you've 0:15:00.600 --> 0:15:03.200 got a canned statement prepared and ready to go. That 0:15:03.360 --> 0:15:06.000 is going to put you in position where it appears 0:15:06.000 --> 0:15:08.320 that the organization is on top of things that they're 0:15:08.320 --> 0:15:12.080 communicating with their clients and that they are investigating the situation. 0:15:12.640 --> 0:15:15.280 In so many of these cases today, it's not just 0:15:15.360 --> 0:15:19.040 about what the response was to the event, but it's 0:15:19.080 --> 0:15:21.920 the communication of it and the public's perception of that 0:15:21.960 --> 0:15:26.200 communication as well as your customers and clients' perception of 0:15:26.240 --> 0:15:30.160 that that can cause reputational damage. Or on the plus side, 0:15:30.600 --> 0:15:32.520 even in the wake of some of the worst breaches 0:15:32.520 --> 0:15:35.040 we've seen in history, we've seen leaders who have come 0:15:35.080 --> 0:15:38.040 out and done a fantastic job of communicating about it, 0:15:38.400 --> 0:15:41.160 and they've actually built even more goodwill and trust in 0:15:41.160 --> 0:15:43.960 their client base as a result of one of these breaches. 0:15:44.520 --> 0:15:47.440 That's something that Allison and her team share on a 0:15:47.560 --> 0:15:50.320 daily basis within the range. So Alison, I'd love to 0:15:50.320 --> 0:15:53.120 hear your perspective on it. I'd say a great deal 0:15:53.600 --> 0:15:57.120 about my area is working on how we get the 0:15:57.160 --> 0:16:00.880 attendees to engage within the scenarios, right breaking you away 0:16:01.280 --> 0:16:04.200 from your everyday life and now simulating something a cyber 0:16:04.240 --> 0:16:06.680 attack that could be possibly simulating your worst day in 0:16:06.680 --> 0:16:09.840 that organization. So something that you know we think about 0:16:09.840 --> 0:16:13.280 when creating these we're really testing you and training you 0:16:13.320 --> 0:16:16.440 to emulate these business and security issues that would be 0:16:16.480 --> 0:16:19.280 taking place and all of the stories that we work on, 0:16:19.320 --> 0:16:22.480 and these experiences are based upon real life incidents and 0:16:22.560 --> 0:16:25.640 stories that are from the field and kind of like 0:16:25.840 --> 0:16:28.560 top headlines that we're seeing. So in order to create 0:16:28.600 --> 0:16:32.080 these simulations, we use a method called really experienced design 0:16:32.200 --> 0:16:35.880 that creates real life situations that not only pull from 0:16:35.920 --> 0:16:39.600 real life stories, but also feelings such as like panic 0:16:39.640 --> 0:16:43.280 and uncertainty. And these areas are really kind of this 0:16:43.440 --> 0:16:46.560 experimental learning where in order to fully learn what you 0:16:46.560 --> 0:16:49.160 need to do, you have to experience it firsthand. So 0:16:49.200 --> 0:16:51.480 we want to drop you into a scenario and have 0:16:51.520 --> 0:16:54.360 you go through that so you know, for example, something 0:16:54.360 --> 0:16:56.560 that you might be dealing with, like Wendy said, is 0:16:56.920 --> 0:17:00.119 going through a holding statement, having to actually put that out, 0:17:00.240 --> 0:17:03.640 test you and put you firsthand into what we call 0:17:03.720 --> 0:17:06.399 the hot seat. It's a live broadcast studio where we 0:17:06.520 --> 0:17:09.360 drop you in full green screen lights and we turn 0:17:09.440 --> 0:17:12.199 that camera on and ask you questions from a real reporter. 0:17:12.320 --> 0:17:14.080 It's up to you to answer and how do you 0:17:14.119 --> 0:17:16.760 deal with that? You know, many people find out once 0:17:16.800 --> 0:17:19.080 they go through I need to go back and take 0:17:19.119 --> 0:17:20.800 some time to learn how do you answer some of 0:17:20.840 --> 0:17:23.000 these questions? How are ways that you would go through that, 0:17:23.240 --> 0:17:25.960 because again, the brand and reputation of your company is really, 0:17:26.160 --> 0:17:28.359 you know, a big piece of this, so keeping that 0:17:28.520 --> 0:17:30.760 up is something that we work on. And all of 0:17:30.800 --> 0:17:33.199 this comes through these kind of emulating and you know, 0:17:33.240 --> 0:17:37.399 simulating these scenario pieces. Allison, one of the things that 0:17:37.440 --> 0:17:41.080 you and I share is a background in theater and 0:17:42.000 --> 0:17:45.440 as someone who is in theater and who has participated 0:17:45.480 --> 0:17:50.000 in various theatrical events where you are simulating something. To me, 0:17:50.160 --> 0:17:53.280 one of the magic parts of theater is that people 0:17:53.359 --> 0:17:59.439 actually will experience those reactions even in a simulation. You know, 0:17:59.480 --> 0:18:02.160 you have removed yourself from any real danger, you are 0:18:02.200 --> 0:18:07.160 not in a legit dangerous situation, but your your body 0:18:07.200 --> 0:18:10.480 and your mind still goes through those reactions. Do you 0:18:10.840 --> 0:18:13.800 witness that in these simulations. Do you actually see people 0:18:14.200 --> 0:18:16.960 having those kind of emotional responses and that's a big 0:18:17.000 --> 0:18:20.679 part of learning how to respond appropriately when this happens 0:18:20.680 --> 0:18:24.280 in real life? Yes, exactly, You're spot on having that 0:18:24.400 --> 0:18:26.639 we you know, the whole piece is really creating that 0:18:26.720 --> 0:18:29.679 adrenaline rush, seeing your heart rate go up, you know, 0:18:29.720 --> 0:18:32.280 as soon as you see your headline, you know, splashed 0:18:32.280 --> 0:18:35.359 across you know, front page and in the news. That's 0:18:35.400 --> 0:18:38.760 creating something really for you internally, and so what we're 0:18:38.800 --> 0:18:40.960 doing is creating it in a safe space. Right, this 0:18:41.080 --> 0:18:42.840 is a space where you know, we want you to 0:18:42.880 --> 0:18:45.359 fail in here versus out in the real world. We 0:18:45.400 --> 0:18:47.200 want you to understand what you would need to do 0:18:47.600 --> 0:18:49.720 if you did have something that took place and now 0:18:49.720 --> 0:18:52.520 you need to respond to that. So in order to 0:18:52.520 --> 0:18:56.720 do that, we use lighting, sound design, interactive apps to 0:18:56.840 --> 0:19:00.000 create and evoke this emotion. You know, we have an 0:19:00.000 --> 0:19:02.000 individual come through and they said it almost created like 0:19:02.040 --> 0:19:05.640 a level of PTSD from a previous tyber attack. They 0:19:05.640 --> 0:19:07.639 came through and said like, wow, this is like really, 0:19:07.960 --> 0:19:10.200 I know that I'm in a simulation, but my heart 0:19:10.200 --> 0:19:12.280 and mind sort of take me to this other place 0:19:12.560 --> 0:19:14.760 where now I'm really feeling what it's like. And that's 0:19:14.800 --> 0:19:17.840 the whole thing of practicing and having this muscle memory 0:19:17.840 --> 0:19:20.960 of going through it. Right, you're just rehearsing and rehearsing 0:19:21.040 --> 0:19:24.600 and understanding, and like Wendy said, you know, doing these 0:19:24.680 --> 0:19:28.800 every quarter can really help for you to really understand 0:19:28.800 --> 0:19:30.200 what you would need to do in order to deal 0:19:30.240 --> 0:19:32.480 with that, and that pressure might then go down because 0:19:32.520 --> 0:19:34.919 now you know how you work with you know, the 0:19:34.960 --> 0:19:36.879 attack and the next steps of what you need to 0:19:36.880 --> 0:19:39.320 do to process it. Yes, I think it's much better 0:19:39.400 --> 0:19:42.600 to have that visceral reaction when you're in a practice 0:19:42.640 --> 0:19:46.000 stage than to have it when you're having to deal 0:19:46.040 --> 0:19:50.119 with a real world intrusion or a data breach or 0:19:50.160 --> 0:19:52.879 something along those lines. You definitely want to be able 0:19:52.920 --> 0:19:56.800 to look back on that training you've had and rely 0:19:56.960 --> 0:19:59.800 upon that muscle memory, as you say, rather than have 0:19:59.840 --> 0:20:03.720 to to soldier on and put that response plan to 0:20:03.800 --> 0:20:08.679 test without ever having actually done it. It's that's I 0:20:08.680 --> 0:20:11.000 would love to actually be a fly on the wall 0:20:11.040 --> 0:20:13.639 on one of these It sounds truly amazing to me, 0:20:14.240 --> 0:20:16.639 and and the sort of stuff that I've seen in 0:20:16.880 --> 0:20:20.120 in like hacker movies, but never thought that anyone actually 0:20:20.160 --> 0:20:25.280 did it, So that's phenomenal. Wendy, can you talk a 0:20:25.320 --> 0:20:28.840 little bit. Are there any common traits that you see 0:20:29.280 --> 0:20:34.120 among companies that are really good at recovering from these 0:20:34.160 --> 0:20:37.160 sort of of threats of these sort of attacks. Are 0:20:37.160 --> 0:20:40.360 there certain things that you can identify and say these 0:20:40.400 --> 0:20:43.720 are our markers sort of best practices that are common 0:20:43.760 --> 0:20:47.360 across different industries. Well, I think, first and foremost it's 0:20:47.400 --> 0:20:51.000 because they have access to an incident response team. Right, So, 0:20:51.200 --> 0:20:53.679 whether that's an internal team or whether they choose to 0:20:53.920 --> 0:20:56.720 use and leverage an external team. The reason that you 0:20:56.760 --> 0:20:59.199 want people there is actually right along the lines of 0:20:59.200 --> 0:21:01.720 what you two are talking about, which is you want 0:21:01.800 --> 0:21:04.119 people who have had a lot of practice in this, 0:21:04.280 --> 0:21:07.920 right who have responded to events. I will say, you know, 0:21:07.920 --> 0:21:10.720 I've been doing this almost twenty years, and I still 0:21:10.720 --> 0:21:12.480 when I get the first phone call from a client 0:21:12.600 --> 0:21:14.440 it's a new client that we know there's a situation 0:21:14.560 --> 0:21:16.880 going on, I get the adrenaline rush, you know, because 0:21:16.880 --> 0:21:18.840 I want to know, Okay, what are the details that 0:21:18.880 --> 0:21:20.960 are going to share with me? Who's the potential attacker? 0:21:21.040 --> 0:21:22.480 What do we need to do? In my mind is 0:21:22.560 --> 0:21:24.840 racing of all of these different things and actions we 0:21:24.920 --> 0:21:27.840 need to take. But because I've been through it so 0:21:27.880 --> 0:21:30.280 many times, I'm able to then really harness that and 0:21:30.400 --> 0:21:35.199 channel it into a productive, credible discussion. Right, here's what 0:21:35.240 --> 0:21:37.280 we need to do, Here's the actions we need to take. 0:21:37.320 --> 0:21:39.240 Here the things not to do right now, here's the 0:21:39.280 --> 0:21:42.960 evidence to preserve. So the more that organizations have access 0:21:43.000 --> 0:21:46.879 to personnel like that and those skills, the more successful 0:21:46.880 --> 0:21:49.480 they're going to be because they're going to reduce time 0:21:49.880 --> 0:21:53.040 that it takes to get answers. And when you talk about, 0:21:53.119 --> 0:21:57.280 you know the age old verbiage that time is money, 0:21:57.560 --> 0:22:01.000 that is extremely true in attacks because the more time 0:22:01.000 --> 0:22:03.639 that you can save, right, or the less time you 0:22:03.680 --> 0:22:06.639 take to get answers, the more money you're ultimately going 0:22:06.680 --> 0:22:09.840 to save because you're exposing your organization to less risk 0:22:10.119 --> 0:22:14.320 throughout that entire time. And so, first and foremost, if 0:22:14.320 --> 0:22:16.479 we want to look at who's successful, it's they have 0:22:16.560 --> 0:22:19.560 a team of people who can respond to the incident. 0:22:20.040 --> 0:22:23.240 That said, then those team of people also have things 0:22:23.320 --> 0:22:26.240 like technology in place that gives them the visibility to 0:22:26.280 --> 0:22:29.840 answer questions. Because if you can answer questions really quickly, again, 0:22:29.960 --> 0:22:32.600 then we can make decisions for the business. Whether that's 0:22:32.640 --> 0:22:35.800 taking a system offline, whether it's taking an entire part 0:22:35.800 --> 0:22:39.240 of the network offline because of the risk that is exposed. 0:22:39.600 --> 0:22:41.840 Those are all decisions we can make. So the quicker 0:22:41.880 --> 0:22:44.720 that we can do that based on visibility, the better 0:22:46.000 --> 0:22:48.520 I like that. That answer goes back to what you 0:22:48.560 --> 0:22:51.600 were saying earlier, Wendy, about that first step of building 0:22:51.640 --> 0:22:57.000