Kitecast

Andreas Wuchner: Cybersecurity Through the Lens of Risk Management

October 07, 2022 | Tim Freestone and Patrick Spencer | Season 1, Episode 1

Cybersecurity and Risk Management Investor and Advisor Andreas Wuchner discusses how cybersecurity is all about risk management and how security and compliance are now intertwined. Learn how the complexity of managing all the dimensions, such as migration to the cloud and digital exchange of private data with thousands of third parties, makes it increasingly difficult for organizations to manage risk, and what you can do about it.

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Patrick Spencer 0:24 

Welcome, everyone to a Kitecast. We’re excited to have you here. We are thrilled to have Andreas Wuchner, all the way from Switzerland with us. Joining us is Tim Freestone, my co-host.

Tim, how are you doing?

Tim Freestone 0:36 

Good. How are you doing, Patrick? Andreas?

Andreas Wuchner 0:40 

Hi, everyone.

Patrick Spencer 0:42 

Andreas, we appreciate your time today. This is going to be a really interesting conversation, because your resume won’t fit on about 10 of my big monitors.

Tim Freestone 0:55 

I think when I saw it, I was just scrolling through as well. It’s pretty impressive.

Andreas Wuchner 0:59 

Yeah, that means your monitors or your screens are too small, right?

Patrick Spencer 1:06 

So, you’ve been doing some cool consulting work for the last, I don’t know what, 9, 10 months or so, for those who haven’t been keeping track of me for the last 10 months. So, what have you been up to?

Andreas Wuchner 1:19 

You know, I decided after 26 years of doing security for so many enterprises that I want to use my knowledge and experience. And first of all, to give back to students and do some mentoring, coaching, and help especially startups and organizations in need, with some security practice know-how, always, you know, quick wins and all that stuff. Because you know, in the small and medium enterprise world security is far behind, not everywhere, but a lot of you are far behind. And it’s surprising. Also, in the FinTech world, how many companies suffer through some security breaches and all that stuff. And that’s my job now. I’m happy and looking forward to helping as many of them as possible.

Patrick Spencer 2:09 

Well, I think you got it in the past. And well, if you look at your LinkedIn profile, it’s cyber and risk expert. Are we going to start talking about risk rather than cybersecurity here pretty soon in the future?

Is that going to become the mantra for what folks like you do?

Andreas Wuchner 2:25 

Yeah, absolutely. You know, you see, there’s a huge shift in the qualification of CISOs. Right? You don’t find a lot of modern-day, super deep technical CISOs anymore. They have MBAs, they have risk backgrounds. And the reason is very simple, right? The top management, boards, they don’t understand tech talk, right? They want to talk about risks, they want to talk about relationships, they want to understand how something which is maybe deeply technical relates to business processes, you know, to income or, you know, missing incomes and things like that. And that, therefore, absolutely, you need to talk risks these days.

Tim Freestone 3:09 

Just on that point, Andreas, you know, I read a lot about, obviously, this cyber landscape, but they tend to put security and risk management separately. Isn’t security nested under risk management? Not a separate sort of track, if you will?

Andreas Wuchner 3:30

That depends on which angle you’re looking from, right? If you take the pure risk lens, and you do enterprise risk, then you do ops risk, and under ops risk you have IT risk, and within IT risk you have cyber risk, right? And that’s a very clear line. And that’s why often you see security budgets when security people are reporting to CIOs, right, because that’s the pure flow of information. And that’s the view of the flow of money. You know, however you call the thing at the end, you know, some organizations have a more technically oriented IT organization, and they talk normally about IT risk or information risk and information security and all that stuff. And organizations which have a bigger risk purpose and, you know, are really focusing on risk, they normally tend to talk about cyber risks or IT risks, you know, this kind of a little bit more on the risk structure side.

Tim Freestone 4:30 

Yeah, I see. And having been out in the field here, touring around both Europe and the US, do you see a difference in the maturity between the two geos? Is one ahead of the other in terms of strategic risk management planning, or are they at par?

Andreas Wuchner 4:53 

I guess what you can say for sure is that the verticals are very different, right? I think from the risk point of view, you can see that the financial service industry and also health care are further developed. Because, you know, in the life science world they were always afraid about people dying if something goes wrong, right? They come from a different angle. That’s not, you know, if you come with an IT risk, and you have on the other side people who are dying, it’s a little bit of a difficulty, but that’s the nature of the beast: people understand and are used to talking about risks.

When you look in the SME market again, then you see problems everywhere. I wouldn’t call it out saying, look, US is best, better, Europe is better. There are good players that are really, really good and well-equipped companies all over the world. I just came across a FinTech organization in Dubai, and I was totally blown away how much effort they have put on cybersecurity, but you have black sheep everywhere. So, I wouldn’t call it really on a geopolitical or geographical level, I would call it with a look at even far more from a vertical level, which verticals are more advanced than others.

Tim Freestone 6:07

You mentioned FinTech as sort of, you know, obviously a nested part of financial services. Within industries, even there’s probably a maturity curve and companies in the FinTech sector, by and large, probably sprinting to business value first and thinking about security second, with the exceptions of like what you just mentioned, in Dubai.

Andreas Wuchner 6:33 

At the end, every business is there to do business, right, and at the end they have to make money to feed the people or to pay bills and all that stuff. So, it’s all about doing business, right. But everyone has recognized and learned that whenever and wherever there is money, there are people who try to gain it for free or to get access to it, right. So, I think if today you are a CEO in a FinTech organization and you don’t care about security, I think you have a pretty short lifespan in your job, because hackers or whoever will find you, right? And often it’s not always the bad hackers from the outside. But there are people on the inside, if they notice, or the culture is like this, no one cares. Think about if you sit in the Philippines, and nothing against the Philippines or, you know, anywhere else in the world, and you make 1,000 US dollars per week and someone comes in, look, my friend, he has 20,000 US dollars per week, but I need this and this from you. Guess what happens? Right? So, this is, you know, we benefit from the different situations around the world, but at the same time, they are just creating a certain threat to the way we do business.

Patrick Spencer 7:49 

But that brings up an interesting question, when you’re talking about risk in cybersecurity. Have you seen a model that has figured out how to actually measure the risk as it’s associated with various elements of cybersecurity? For example, I just took a look at the Gartner trends for 2022. And it has things like tax/identity management, the supply chain, vendor consolidation, it has a list of different elements. There’s risk tied to each of those, I would assume. How in the world do you measure that risk and translate that to the board? Because you can talk about cybersecurity to the board, and okay, it goes in one ear and out the other until you start translating it into financial terms. So how do you do that translation and have it make sense to the board, to the C-suite folks?

Andreas Wuchner 8:37 

In two ways, right. The board, and going back to the standard risk and financial risk, ops risk topics, they are normally able to do quantitative risk assessments, and they know if this happens, the impact to the business is this high. We are not there yet. Right? There are a couple of companies which have done the exercise and, at least for their crown jewels, they mapped data elements to system elements to business-critical processes, right. And they can say, you know, if something happens here, that’s the impact. And that’s a language which the business, especially the board, understands super well. But it’s so easily said and it’s so hard to do, right? And there’s a reason why not many have done it or successfully done it. So, most of the organizations have a kind of a quantitative kind of risk approach. And they say, okay, look, we have certain thresholds. And if we aggregate these risks today, it’s green, it’s yellow, it’s red. And we do risk appetite discussions with the board based on these kinds of aggregated risk clusters. Because on that level, you can then easily say, look, I care about everything with, let’s just make it up, 30 million, right. If something is below 30 million, you know, you guys deal with it, everything above I want to know. And then you can say, okay, look, based on the critical elements which we have, based on the critical processes we have, we can make it up. It’s not science, it’s more kind of, look, narrowing, narrowing down the scope, and then you get there. But it’s definitely not 100% science yet. And there’s so much more to be done. Right? Give you an example about human cyber risk, risk to humans. How do you quantify a human, you know, and interaction with you? And what can a human do? If I’m making a mistake and accept or click on a link in a phishing mail? Versus I’m a network banker, and the guy over, the person opposite of me has hundreds of millions with us in the bank, and I do something wrong there.
Right, this is very difficult, it’s a very difficult thing to do.

Tim Freestone 10:48 

Yeah, the human risk factor is almost completely discouraging when I try to think about it, because you know that it just, we’re flawed. At some point, you hit a risk threshold that can’t be overcome, at least not with technology today. And as you probably know, you know, system intrusion, and through phishing and social engineering, remain, if not the top, then the top two or three of most breaches.

Andreas Wuchner 11:23 

The good thing is that everyone, the enterprises, and also the regulator, have noticed that, right. If you see, for example, NIST will publish soon a new standard, where they talk about human cyber risk, and how to quantify the behaviors, what they do and how they do things, right. There are public sources or public projects out there. One is called SEMP database, for example, which is a database where researchers work together, where they map certain behaviors to risk scenarios. And so that allows you sooner or later to really quantify the things. You see also the cyber insurance, the cyber insurance world is going in this direction, saying, look, guys, I just did a research on that, where they said traditional learning and education is wrong, doesn’t work for cyber. Just by knowing that you shouldn’t drink beer, or you should eat sweets, or shouldn’t smoke, you still smoke, even if you know it, right. Knowing is not necessarily changing your behavior. And if you want to have a security DNA in your employees, and also in your kids and everywhere, you need to address behaviors. When you leave your home in the morning, you never think about locking the door, and no one has ever told you you need to lock the door. It’s in your DNA because your parents did it. Everyone does it. So that’s a DNA. That’s where we need to get to with traditional human cyber risk as well.

Patrick Spencer 12:56 

I guess great point, Andreas. Yeah, we all have to go through the compensatory required cybersecurity training every year as an organization, right? Every employee sits on cybersecurity training for two or three hours in aggregate over the year. And that’s the same thing, right? It’s a cookie-cutter approach. Each company uses the same model. Is it broken? It seems to be, because it doesn’t really translate into the behavior you want at the end of the day, and

Andreas Wuchner 13:21 

You’re not seeing eye to eye, and it’s a complete waste of time. It’s a complete waste of time. It’s a compliance effort. And it fulfills a requirement. Yes, it’s done. Okay. But it does not help an organization really to change. Because, again, you know, I don’t know, but I was always bad. I always had students around me, I don’t know how many students have done my security training.

Tim Freestone 13:44 

First, you said it first.

Andreas Wuchner 13:48 

Be honest ratings. Yeah, definitely. You know, there are things which make sense. And, you know, I totally get why you do, why compliance requirements are like this. Nothing against, but the world has changed, the world has moved on. And this has to be changed. And as I said, NIST is the first. The Forrester report was a little bit of a wake-up call for many organizations, where they really say, look, guys, it’s broken, forget it, don’t raise further money. It’s not about doing more of the same. I think what’s also cool in this report is gamification, right, because everyone says gamification is the holy grail. But it is not the case. Because just because you laugh your ass off doesn’t make you change anything. It just entertains you, yes. But that’s it. Right. Nothing more happens. So that’s another thing which you just need to consider. And yeah, so we’re learning, we’re educating.

Patrick Spencer 14:44 

So, what’s going to drive that change? In your opinion, is it going to be like a combination? Will it be regulation? We have distance, some other things are trying to drive some behavioral changes, things that can actually be measured from a regulatory standpoint, but then you will have some companies that, you know, won’t simply roll out those videos that you have to watch for an hour, and then you get checked off, you completed cybersecurity training, but do something completely different when it comes to monitoring and influencing the behavior that you want in employees when it comes to risk management.

Andreas Wuchner 15:17 

I see several areas. One is the industry, the cyber education industry, which is now moving into this direction. But what is far more important for me is the boards are waking up as well. Because, you know, as I told you, I have the pleasure to sit together on my own on some boards, but also, I get often asked by a board member, hey, I don’t know what security is, but I need to blah, blah, can you help me? And the question which always comes up is, are we doing enough? We spend so much money, do we spend it the right way, or we have spent so much time but we still have a cyber incident. And you know, when you get the post mortem of the incidents, that someone clicked on something, or someone got attacked, or the third party, they added something which we have under control, right. So, and I believe whatever statistic, between 70 and 90%, it was a human who did something. So therefore, the people at the board and the hiring manager are not stupid, right? They said, look, we invest all in these toys and tools and stuff. But the problem is between the keyboard and the seat, right? So hey, let’s address this. That’s a trigger point. And now I just had a discussion with colleagues here from Deloitte in Switzerland. You know, whenever they do corporate audit, they start asking these questions as well: hey, guys, you board members? What are you doing about your humans? How do you address that? What is compliance versus what is really this kind of behavior aspect? And that’s a good sign. Will it be done tomorrow? No, but in the next one, two years, I guess we will see a major shift.

Tim Freestone 16:58 

Yeah, well, I think also the sophistication of the social engineers, on the bad guy’s side, is getting pretty incredible. You know, just as an example, and this was maybe five years ago, so it’s even more sophisticated now. But I’ve been working in cybersecurity and tech for 20 years. I’ve gone through those trainings, like I said, maybe my kids have taken a few. I know what to do, and not to do. But I started at this cybersecurity organization four or five years ago, and in the first two weeks, so in the marketing organization, you do a lot of shipping and sending, you get a lot of invoices, I got an email with a FedEx label, I get them all the time for different things. I clicked on it, ransomware shut my computer down, right. And I know what I’m feeling like, I should know better sort of a deal. And I worked in a cybersecurity company that has their own incredibly high or low threshold for risk. So, they had all of the technology, but it still got through. And basically, the point of the story is the social engineers, the hackers, are looking at departments: what are these people thinking? What are they most likely to click on? It’s just getting more and more difficult.

Andreas Wuchner 18:26 

Yeah, but that’s exactly this domain in behavior, right? Things like time pressure, annoyance, and, you know, culture in an organization. Just look, look out this week, Uber got hacked this week, right. And if you see the attack vector, it’s called 2FA DDoS. So, they use two-factor authentication, but the attacker, they just found out for whatever, however way, whatever way, you set the password, and they just started to use it and annoy everyone: get one request for second authentication again, and again and again. And after the 10 or 12 requests, people tend to accept just to get rid of this nonsense. And that’s how it works. And guess what, I have two of my companies which I’m working with which have this problem, just seeing it left of me in one of the Slack channels, where they said, okay, please do not accept any two-factor authentication requests. And this is just a new thing, right? But again, the noise, we all want to get rid of stuff, want to get things done, pressure, you know, this phishing thing, or I need this now, I’m the CEO, blah, blah, blah, dentist, that’s where people want to place their wants to. And sometimes it’s just we are under pressure, right? Because there’s so much stuff, most of it the domain which you have looked at and clicked, that was not perfect, but it just looks normal, right? And we all have a job to do and we all want to do the right things and want to get our job done. And we are not necessarily security experts who detect this, who’ll figure out every little thing. So, the future is in a combination of strong tech, with a lot of detection capabilities, and people who have the kind of cyber-aware DNA saying, does this make sense? Right? I think if you just apply sense and get away from the pressure, then a lot can be prevented.
But you know, if I just want to phish you, Tim, and I spend enough time and energy, I find out what your kids are doing, which golf club you’re going to and all that stuff, I will get you. There’s no way that you can prevent that.

Tim Freestone 20:41 

You’ll be able to do it. So, it seems insurmountable. Like we’ve been throughout this conversation, not you and I, but I’ve been in the conversation before: where do we go from here? With Uber, right, it’s just every day. And it’s getting more and more, and the Verizon data breach report looks uglier and uglier every year. But it shows

Andreas Wuchner 21:03 

It proves just one thing. Again, compliance doesn’t mean security, because, you know, we all have to report on click rates from the phishing simulations, the repeated clickers, and some call them clickers, some offenders, whatsoever we call them, but they’re completely worthless. Two sets of tape said really brutal, when it comes to your overall cybersecurity posture: you are compliant, you are below 4%, you have all that done. So, us, you cannot be fired for not having done your job, okay. But it doesn’t mean anything, your organization is not more secure just because it’s 3.9%, and things like that. And where it’s going, it goes into a direction where, if we all improve, right, we need to order, we will figure out whether we have more controls which are self-learning and really covering all the stuff. One of the biggest problems is the high dependencies, right. Yes, you know, we are highly meshed, and just said, the report before, I think it’s still on my table somewhere, 7% of enterprises are still believing that the cloud providers are responsible for bringing, monitoring their security posture. Ha ha. People haven’t, they don’t know either. They haven’t read the policies or the documents they signed, or they’re just in dreamland. And you see so many hacks which were successful through third parties. And you know, don’t get me wrong, I’m not saying that third parties are a bad thing, or cloud is a bad thing. Totally not. But you need to integrate. It doesn’t help you if the cloud service security provider has 99% safety and security, and you on your internal side have only 70%. Right, attackers will always find a weak link. I don’t think that it’s, you know, if you are the super-duper executive working for the big corporation, would I go off to Europe, banking computer, I could, no I wouldn’t, I would go after your kids, right, because of your kids.
I get into your network at home, or at network at home, I see what you’re doing, and so on and so forth. Just if I have time, I find an easy way. So, security becomes more and more one set of risk topics and really say, okay, what are the threat vectors where I am vulnerable. And then secondly, it’s an end-to-end game. And that’s what Patrick mentioned before about the risk management thing, right? If we only look at certain things, you know that you can do a NIST or ISO certification only for one process, right, and then call yourself easily certified, you can, right, but this is not helping. This is maybe separating and this sounds good, but it’s not helping your overall security posture. And we will see, I’m pretty certain that we’ll see more of these bigger picture approaches. Give you an example. Board discussions or tabletop exercises with boards are still more or less an exception. Not many organizations do that. And when there is a cyber incident, everyone runs around like a headless chicken, because who informs whom, what am I? What, who declares, all that stuff? Right? Simple things. Only because I’m a board member, I’m not Jesus, I’m not walking on water, right? It’s the things you need to go through once, and best before something happens. And then we all make it better security. I guess we all three are in this space, and most of all three of us, most people will retire in this space, because security will not be solved by the time we retire.

Tim Freestone 24:52 

So, Elon Musk finishes the singularity and we’re all connected.

Patrick Spencer 24:56 

And speaking of boards, Andreas, you bring up an interesting point. You know, there’s been discussion in the last few years about, you’ve got to get a CISO on your board, so you have a security view. Because you have financial experts, marketing experts, sales experts, merger and acquisition experts on many boards, but typically, historically anyway, you didn’t have a cybersecurity risk management expert. You actually are sitting on some boards and providing that today. So that paradigm seems to be changing. Where do you see that headed? And then many who are listening to today’s podcast may be CISOs. And they’re probably wondering, how do I become a member of a board? You know, how do I get that type of gig? What recommendation do you have for them?

Andreas Wuchner 25:44 

I disagree with that statement that every board needs a CISO, for the simple reason: I’ve done my entire life security stuff, right. And when I’m on the board which I’m sitting on here in Switzerland, that’s a security company, they live and breathe security. So, the topic on these board meetings has often something to do with security products, go to market and things like that. There, I feel super comfortable and whatsoever. On some other boards, where I’m doing advisory stuff, they talk about life science things, things which are far beyond my head. And sure, I’m learning something every single day. But I’m often sitting there, and I think my contribution to that overall board is rather small. And you know, there are so many tables you can sit on. And I think as a CISO, though, you should really make an effort to find the table where you can make an impact. You know, if you’re a CEO or something, someone, the CFO sits on the board, and he has the security hat on somehow besides, and you help the person to be the go-to person and help and all that stuff. I think you get far more value and far more return than just sitting there. Because everyone will look at you and say, oh, the guy/girl never says something. This way, if the time comes and he or she says something, it’s negative, it’s a problem. This is not really helping your reputation and not helping the situation. So therefore, there are good companies where one board member with security knowledge is really, really helpful. But overall, I think, be a good executive member in one way or the other and support the board with knowledge and with information they understand and then can articulate, is sometimes better than trying to be super, super shiny and a rock star, because it’s all about value.

Patrick Spencer 27:49 

It sounds like to be a really, really good CISO, you’ve got to know that industry backwards and forwards. Like you do for financial purposes.

Andreas Wuchner 27:58 

Sure, absolutely.

Tim Freestone 28:00 

Since you mentioned risk in third parties. We, Kiteworks, may or may not know something about risk and third parties. But I was surprised by the 2022 data breach report that Verizon put out. How many years have they been doing that, Patrick? Like 20 years, that report, more?

Patrick Spencer 28:19 

20 years. They did a look back to 2008, I think, in this past report.

Tim Freestone 28:25 

Yeah. I think it was the first time I had seen the partner ecosystem being the number one vector for breaches when it comes to system intrusions. And then, you know, to top that off, obviously that’s heavily influenced by supply chain, specifically software supply chain. But to top that off, the third-party risk management and all the vendors that are popping up to protect that. It just seems like the Risk board, to use an analogy to the game, at least we played growing up, is getting bigger. Because of this third-party risk vector, the ecosystem of third parties is just incredible. We have one small county in California, they have 800 business partners. A report Patrick did, I don’t know, six or seven months ago, said that the average business or enterprise has more than 2,500 business partners, and when you get into Fortune 500 it’s tens of thousands of business partners. The scale of where data goes is just incredible these days. Is that coming up in the conversations you’re having?

Patrick Spencer 29:54 

The past guys know it, right, Tim? To build on what you said, that listen, that’s going to lead into Andreas’ answer. I was looking at the Mandiant report published earlier this year: 17% of all attacks that were successful intrusions last year were connected to the supply chain. The year before, 1%. Seems that the crooks, the bad guys, are onto something.

Andreas Wuchner 30:17 

And think about, if you can attack an aggregator, you know, instead of attacking, success of this one company, if you get an aggregator, you’re successful with thousands of companies, right? So, it’s so much more attractive to get into one of these. There are a lot of elements to it. If you think about the last 20 years, the IT risks, per se, have not changed, right? So, you have identity and access management, you have vulnerability management, you have threat management, all this hasn’t changed. We have other technologies, other ways of doing things. The profits have shifted. But the fundamental risks are the things. Now we have wasted cloud and all that we have, we have outsourced the problems with the hope that it goes away or becomes better. Bad luck. Now it comes back to us, right. Okay. I once had a boss who said, you know, regarding third party, if you pay a third party peanuts, you get back monkeys, right. And that’s exactly what happens also to your quality of life, you know, whatever’s in the document is just reality. And that has been proven several times over the last 20 years. The third-party vendor risk is a funny one, for the simple reason: third party vendor is voice. But there is something which has been there for many, many years, but it was with the purchasing department, right? They have looked in the past for different control groups like HR, like legal, and things like that, environmental safety, health, safety and environment, all that stuff. And all of a sudden, a couple of years ago, there was cybersecurity. And now you see companies struggling with it, because cybersecurity is most of the time far more complex. And the control group is always late. It takes forever. And you know, if you want to do a proper assessment about a third party in a different country, taking near shore Portugal whatsoever, and then you have your questionnaire sent there, they send you something back which is not okay.
And then you go back, the other, you know, it’s a ping pong game, easily four to eight weeks, right? And that just slows down everything. And then in addition, you know, in third party vendor risk, you have two dimensions, right? One is the inside-out view, which is completely questionnaire-based, and you have to trust what they say and answer, or you don’t, and then you put someone, send someone there to really validate. And that’s where the Big Four, the big force, make a fortune out of it. And then you have the outside-in view, you know, what do you see, anything in the dark web? Did they have any, you know, credit card numbers floating around, have they been attacked, they say they patch on average critical vulnerabilities within 17 days, and the scans show they do it all in 30 days. So, the complexity is huge. And then you have all this data. And the funny thing is, you have two ways of getting this data, and maybe even three: you do it on your own, you ask a Big Four, or you join one of these exchanges which do it for you and you trust what they give you, right? But then you have an inherent risk of doing business with someone. So, then you do a risk assessment, and you get all the risks and all the stuff which is there. And you want to know at the end what your residual risk really is of doing business with them, so that you can either put the cyber insurance on the stuff or remediate what is there, right? So that’s proper risk management. But if I get a BitSight or SecurityScorecard score of 486, what does this mean? This is not actionable. I cannot do anything. Okay. Okay, now it goes up to 490. Or they become better. Great. Do I know anything more about my residual risk of doing business with that company? No, I don’t. So, there is a huge problem in this third-party vendor space: first, it is too slow for the business processes. And that’s why often a lot of risks get just accepted. And they say, look, we fix it later.
And you know exactly, when a contract is signed, nothing gets fixed anymore, because everyone says, yeah, we’re too busy doing business, right. And then the other thing is, it’s not a clear measurement, there is nothing, you know, which is really actionable, that you can really go there and say, look here, you can discuss with them this and these things. Okay, that gets remediated, this and these things do not really, I have to accept, I can insure and the rest I need to accept. And I have a kind of evaluation against my risk appetite. Not there yet. And that’s why it’s so fluffy and why it’s such a nice attack vector. I would always go third party if I could, if I want to attack someone.

Tim Freestone 35:23 

Yeah. And is this another form of almost sort of checkbox checking, going through the SecurityScorecard process so that you can get lower insurance when you're doing business with certain vendors? You know, to your point, I was talking to Gartner a couple of weeks ago about this very topic, and it just seems like it's a snapshot in time of this particular vendor's risk posture, and then they use that, to your point, for insurance and compliance. But that's it, right? It's just immaterial, so to speak, you know.

Patrick Spencer 36:06 

It's a framing issue, right. It's a checkbox activity. Yeah. But

Andreas Wuchner 36:11 

You know, for me, there is still, you know, I don't want to say anything negative about companies like SecurityScorecard or BitSight, right? Because the value is clearly there, if I use it the right way. But if I expect it to say, look, it will solve my problem, it's the Holy Grail, that's just wrong. Right? If you have, again, the situation that there is compliance, I need to do it, now I have done it, I'm good, right, that's what this is all about. And that's fine. If I take it more seriously, and I say, look here, I really want to know, because I'm really afraid of that attack vector, then I need to do more. And I need to do inside-out and outside-in, I need to find a smart way to do it which fits into my process, which does not hinder the business, because every assessment which takes two months, you know, we all know that this is not going to fly. So, we find a better way. That's another area of development, right? You see consolidation in this market, there is a lot going on already. But what we haven't mentioned yet, there is still a lot which can be done and which needs to be improved. You know, there's a quite interesting discussion currently in cybersecurity in general, this shift left, shift right question, all the time, right? In the third-party vendor risk space, you see both as well. Shift left in the sense that a lot of companies say, look, let's put security early on into the purchasing process, so that at the RFI stage already I look at every company, just a high-level look: what industry, where are they, a little bit of background check, but a solid, light touch check, even if it sounds strange, solid, light touch, so that you get: okay, out of these 10 companies, two already fall out. So that's a shift left. And then towards the shift right, where they say, look, we have 4,000 vendors, 400, I'm just making it up, 400 vendors have access to critical data or provide a critical service, and those I really want to monitor 24/7, you know, I want them to be scanned all the time, I want the assessment to be done or renewed at least every three months or six months and all that stuff.

So, both extremes are not helpful, right? Because the right shift is extremely expensive, and the shift left has the risk that you then say, okay, it's all good, and you don't do the rest anymore, right? So, the market needs to balance out, and the industry needs to find ways to integrate it into Ariba and SAP so it becomes a normal business process in purchasing. And I just had a discussion with a CISO here in Switzerland who calls himself a disrupter or challenger. So, who's the disrupter? That's obvious. Sounds pretty good. And then he talked about third-party vendor risk and using one of the services you just mentioned, and I said, okay, that's very interesting, but how is that disrupting? Before, we have done it manually. Okay. So that's the question of where you start, right? You can see this as disruptive, right. But I think that's maybe the broader,

Tim Freestone 39:40 

But at the same point, just to go back to the shift left and shift right. Let's say you find the balance, and for intents and purposes we're talking about the right side, and you're monitoring to the degree that it's feasible. At the end of the day, you're doing all of that because when your data is in their hands, you don't want them to lose it or to be a vector of entry. Right? So, at the end of the day, it's not about the vendor, it's not about the technology they have, it's about the data they're getting, and for how long they get it, how much access they have to it, where they can move it, right? It always comes back to the data angle. And so, you know, the real conversation that seems to always just get overshot is what are we doing at the data level? Again, I agree with you, you rack and stack all of your abilities to lower risk. But for some reason, it just seems like data is the last part of the conversation, not the first part of the conversation. Would you agree with that statement?

Andreas Wuchner 40:52 

I agree. I agree. I think the maturity is just not there, right? The infrastructure, the people understand; typically, coming from classification, they understand. But look at the cloud stuff, right? There you see it as well: most of the cloud security vendors were infrastructure oriented, compliance oriented. And now you see the first ones saying, that's all cool, but let's be data-centric, right? And data first is for sure part of the journey. One of my big concerns is that, in general, the security organization, any organization, will never be able to monitor everything, right? Because again, if you have 4,000 vendors, you cannot monitor them, because you would need an army of people internally to follow up. Otherwise, if something goes wrong, someone will say, oh, but you know, it was in your record, you just have not looked at it, and things like that. But think about it: wasn't there a very prominent cyber breach in the US, not too long ago, which happened through the provider of the air conditioning system? Yes, there was. So, what has the air conditioning system to do with data? In these kinds of scenarios, we often overlook the odd part of the thing, because data-centric, cool, infrastructure-centric based on critical business processes, cool. But if I can get, you know, at an elevator here next to me, it's Wi-Fi enabled and everything, it took me maybe three minutes to hack the system here from my desk and to have access to the controller. And guess what, because it's connected to my network, from there it took just another couple of minutes and I was in my own network. Right. So, it's just reality. I mean, third-party vendor risk is a journey, a longer journey to go, and that's one of the risks which I think most organizations still completely overlook or underestimate the impact it may have.

Tim Freestone 43:06 

Yeah, as you said, data-centric, infrastructure-centric. I like the one-two punch there. And then maybe, as we look to close the conversation, risk-centric as a third one is totally,

Andreas Wuchner 43:23 

Totally. It's a really good thing, because that's just the aggregation level on top. And you can say, or I can use whatever MITRE ATT&CK vectors and view, because as soon as I talk about risk, I know exactly which value added can go down and be vulnerable to weaknesses, vulnerabilities and attacks, and the threat scenarios to it. And for sure, if I do a proper simulation on a risk level, I would see something like the OT vector, think about something like the OT vector.

Patrick Spencer 43:55 

Scheduling a separate podcast conversation about how to structure OT Yeah.

Andreas Wuchner 44:02 

Happy to do so, because I got arrested once in the US for hacking the wireless LAN of a company's forklifts with these scan guns, you know, for barcode scans. But I was an auditor, so, you know, it was clarified quickly, but it was pretty funny. All of a sudden, two police cars came and they wanted to arrest me.

Patrick Spencer 44:28 

We’re going to talk about that during the next podcast for sure. Andreas, it’s always a pleasure to talk to you. This was a wide-ranging conversation that I’m sure our listeners are going to find informative. I found it very informative. I’m sure they will as well. We appreciate your time, and we look forward to doing this again with you in the near future. Thanks.

Andreas Wuchner 44:48 

Thanks so much, Tim and Patrick, was really nice to talk to you.

Patrick Spencer 44:51

Check out other Kitecasts by going to kiteworks.com/kitecast