Our conversation with Risk Crew's seasoned cybersecurity expert, Richard Hollis, is likely to challenge everything you thought you knew about the industry. For over three decades, Richard has been at the forefront of cybersecurity, and today he's sharing his perspective on the industry's shortcomings, the efficacy of products and vendors, and the startling loss of 16 billion personal records over the past seven years. Richard's insights are a wakeup call for an industry-wide shift in approach towards cybersecurity.
Richard pulls no punches as he highlights the pitfalls of security products that merely treat symptoms rather than addressing root causes. He emphasizes the need for due diligence in verifying a vendor's security credentials before implementing their products. Our discussion illuminates the often glossed-over importance of user training and risk mitigation in cybersecurity. There's a deep dive into the disproportionate budget allocations in the industry, which often undermine the critical role of people and processes.
Finally, we tackle the topic of risk assessments - a crucial but frequently overlooked aspect of cybersecurity. Richard talks about the alarming lack of qualified professionals in the field, attributing it to inadequate investment in people skills over the years. We end on a contemplative note, discussing the complex landscape of cybersecurity threats, the need for offensive security strategies, and the role of AI and machine learning technologies. It's a conversation that brings to light the necessity of staying a step ahead of the threats for effective cybersecurity. Be sure to tune in for a conversation that will redefine your perspective on cybersecurity.
More about Richard:
Richard Hollis is the CEO of Risk Crew, a London-based cyber security and testing consulting firm specialising in providing cyber risk management and security testing services. He possesses over 30 years of “hands on” skills and experience in designing, implementing, managing, testing, and auditing enterprise level information security programs.
Richard is a celebrated public speaker and seasoned information security awareness trainer. Richard has presented to hundreds of audiences across the world on a wide variety of information risk management topics and techniques. As a recognised industry authority, he has published numerous articles and white papers and appeared on national and international broadcast news shows as well as being cited in a wide range of press including the BBC, MSNBC, Radio 4 and the Financial Times, Time magazine and various others. He is also a regular contributor to industry publications such as Wired, SC, InfoSec and Security Penetration Testing magazines.
Richard brings a fresh, simple and product-agnostic perspective on cyber security and the current threat landscape.
https://www.riskcrew.com
0:00:01 - Mehmet
Hello and welcome back to a new episode of the CTO Show with Mehmet. Today I'm very pleased to have joining me from London, Richard. Richard, thank you very much for being on the show today. I like my guests to introduce themselves, because I believe the best thing to do is to leave it to someone to introduce themselves. So, Richard, the stage is yours.
0:00:19 - Richard
That's kind, Mehmet. First of all, thanks for having me. I'm a big fan of the show. I think you guys are doing some and bringing interest to a lot of areas that both cybersecurity and technology should have been talking about years ago. Thank you.
Anyway, my name is Richard Hollis. I'm a director in a company called Risk Crew where, as you said, we're over in London. I'm an American, so that I don't know. I bring that up in terms of my perspective of the industry. But at the end of the day, Mehmet, I'm an old dog.
I've been doing this for over 30 years. I don't know if I'm on camera, but my white hair alone should tell you that I've had a lot of. I've been in the business a long time, so I've got over 30 years of experience of doing things that are all process, not product, but process-oriented, like risk assessments, policies, procedures, cybersecurity, compliance, risk management, all the way through the red teaming and business continuity, disaster recovery. So I'm one of these guys who believe that you know, cybersecurity is all about process, not product, and in fact, cybersecurity is an oxymoron. There's no such thing as a secure computer. Never was, never will be. The game is to identify, minimize and manage the threats to the computer. So it's very much a process, that well position that I take to my profession and I do this for clients.
We run a consultancy here in London. We're small but we've got a lot of very sophisticated clients who understand and apply cybersecurity. So we do everything, like I said, from pen testing to structuring compliance programs for them. I know I guess I think the only thing really worth bringing out is I've been doing it. I mean, I've not been talking about it, I've rolled up my sleeves and actually come up and design solutions for our clients. So it's not easy, I know that and I don't think that's openly acknowledged and discussed a lot in business today. So that's the viewpoint, that's my perspective, that's what I bring to the table in terms of where I'm coming from, from this and all the discussions I have.
0:02:27 - Mehmet
Great. Thank you again, Richard, for being here today, and I think we will try as much as we can together to dissect and discuss, and the reason I keep talking about cybersecurity and risks, by the way, which is, I know, like it's an area where you focus also on, because it's not only the responsibility of, like, one person or one company or one product, like it's something that we need to keep talking about. I know, like, people might feel bored of it and, you know, I will come to that, but let's start with something. You know, when I was preparing for the episode, I've seen something you mentioned, which is that, like, cybersecurity is a very important thing and that security is not actually doing what it is supposed to do. So why do you think this way, and what led you actually to reach this conclusion?
0:03:31 - Richard
Yeah, Okay, so I did say I've been doing this for 30 years. I'm probably tired, probably a little cynical, but, moreover, I'm coming to an age where I look back on my career and I'd like to think I was a part of something that made a difference, and being in cybersecurity and, from my mind, in technology, cybersecurity has been one of the sexiest places to be in the last 20 years. It just has Everything's there, that's, you know, that's where the attacks are, that's where the edge of the sword is, and so I've been on and I've been on the front lines that, like I said, designing cybersecurity. You know solutions and defense strategies for all kinds of clients and I'm not I guess what I'm saying is I'm not particularly proud of what my industry has done and I've been a part of that. I think we failed. Let me just say it simply I think the cybersecurity industry has failed. We failed to meet the challenges and the industry there's a lot of components to the industry, from vendors to, you know, to do enterprises that buy the solutions.
But at the end of the day I think I was talking to you before, before the session you know it's clear that year after year, the number of breaches just skyrocket and year after year. Everybody, every business I know of, is spending more and more and more on cybersecurity and yet, every year, the number of breaches. The last thing I heard you know that I think in the last seven years alone we've lost over 16 billion personal records. That's twice the number of people walking around on the face of the planet today. We've already lost twice as many records as there are people on the planet Earth. And I don't know that you could look at our industry and say we've done a good job. Not at all. It's just we haven't been fit for the task. And it's odd because other industries like safety, fire, life, safety for interest, you know where businesses had to adopt the framework to identify, minimize and manage risk. They've done it. They've done it very successfully, but we just can't seem to do it in cybersecurity, Anyway.
So I feel the industry has failed. It's failed to meet the challenges of the threat landscape, of the threat actors, of the threats out there today. And there's a lot of reasons, but I don't know. If I had to take them in order, I'd say the number one reason is our vendors, cybersecurity vendors. The products they sell us are not fit for purposes. They're not fit for what's out there on the threat landscape today. They sell us something you know we're always buying cybersecurity products that were, you know, maybe applicable to the threat landscape two or three years ago, but they're not applicable now, and that's understandable. They invest in, you know, an anti-malware or a firewall or an intrusion detection system, and they've got to get their money back. So they're going to bring it to market and leave it to market and sell it on the market as cutting edge for until they recoup their investment. I get it, they need to make a profit, but I think beyond, but I think that's a problem.
Let me say it this way: you know, there's a lot of people who look at the pharmaceutical industry and say that large pharmaceuticals make a lot of money selling us symptoms for our colds and our flus and our coughs and our sneezes and our sniffles. You know, there's a lot of money to be made treating the symptoms rather than looking for the cure. You know, I'm talking about just the daily stuff, and I think that's part of the problem, that our cybersecurity vendors are motivated by profit and they sell us things that are for symptoms, and if there was a cure, you'd have to ask yourself, you know, would they be very keen on bringing it to market? Here's a better way to say it: cybersecurity vendors profit from the insecurity of computing. That's a fact.
The more secure our computers are, the more money they make. And that oxymoron, that little conundrum, I don't think is recognized by buyers, by CTOs and CISOs out there who have a limited spend and have to have to buy something that's going to have a significant impact on reducing the threat to their business. And they're going out there and they're. I don't think they recognize that there's something in it for a cybersecurity vendor. The profit for a cybersecurity vendor is a part, is a part-time fix. He wants so recurring. He wants a client to come back to him next year and a year after that, a year after that, and not wait for five or 10 years to sell something else. So I think that's just just that. That transactional nature between us and our cybersecurity vendors is part of the problem. The next thing is, frankly, the products just don't work. They're not fit for purpose. It's like they sell us knives to take the gunfights. They're, they're, they're, they're, they're a step behind the threats. You know they're selling us this something for you know last year's threats or this summer's threats, when clearly their their responsibility to us should be to be a step ahead of the threats and be selling us something to keep us out of harm's way next year and year after that and year after that. So they're, they're, they're. They sell us things that historically were a problem for us two or three years ago and, frankly, they're ineffectual. They're, they're, they're, they're not. They don't work.
Let me give you a. I'm rambling now, but let me give you one one. One of my easiest examples is ransomware, ransomware. What is ransomware? Ransomware is malware, and if you're running an anti malware solution and you're still getting ransomware, maybe, just maybe, you're running anti malware. That's doesn't work, it's not fit for purpose and it's it's. It's strange to me that ransomware. Everybody's hair is on fire when they talk about ransomware.
But why aren't we talking about? Geez, I'm getting ransomware and yet we're buying two and three and four. I've got clients that have upwards of four and five anti malware solutions running on their systems and they're still getting ransomware. Why is it? Because ransomware was built on identifying, you know, malware signatures from last year, the year before that, the year before that. It's not up to date. It's never up to date, it's always in arrears.
And yet we were not talking about hey, we're getting ransomware and maybe, just maybe, our malware solutions aren't fit for purpose. We're not connecting the dots. We're not connecting dots. We're buying firewall that should deny that, should deny traffic through a certain port, and it doesn't, and we're not. We're not, we're not connecting the dots and the firewall is not fit for purpose.
We're buying intrusion detection systems that aren't identifying intrusions and we don't say hey, wait a minute, oh, why I'm buying an alarm system to tell me if somebody is breaking in my house and I've got burgers in my house and I, maybe my alarm systems is the problem. You can't blame the bad guys that they're getting better and better and better each year. No, our products are just stagnant. They're not, they're not, they don't work, they don't, they're not fit for purpose. In my mind and this is again why this sounds very cynical this is over the last 30 years. I'm waiting for us to get ahead of the game. I'm waiting us to be a step ahead of the threats rather than a step behind, and looks like I'll be waiting for the rest of my career.
0:10:48 - Mehmet
Oh, like this is very, I would say, thought provoking, Richard. I would call it because, for someone like me, it's not on purpose, because I want to please people, but I love to look at things in a logical way. Right, because what you mentioned is logical. Now I'm buying, to your point, products for hundreds of thousands, even sometimes millions of dollars or Euros or whatever it is, and still, despite this, I'm getting ransomware attacks, I'm getting data breaches. Now, before we go into these, because I'm very interested to discuss more about the vendor landscape with you. But you mentioned something about also having the processes in place. So now someone might say, but hey, look, there are plenty of frameworks. For example, there is the NIST framework, there is some even standardization, like ISO 27001 and all this. So why also, like, these processes, they didn't help us in getting into a better shape?
0:11:58 - Richard
Well, it's like you go to a gym to get in better shape and if you have a trainer, he gives you a list of things to do. You do some sit-ups, do some pull-ups, do some of these exercises. They're exercises and you can do exercises. I've done a lot of sit-ups and my stomach still doesn't look like that and it's the intensity, it's building that workout into a routine of your daily life and not just going to the gym once a weekend thinking that you're going to stay in shape. So a framework is a framework in my mind.
I love ISO 27001. I love NIST. I love these frameworks that say, hey, do you think of this to keep up the security health of your systems? I think it's a think list. I think it's a good way to look and understand holistically if I need to get this business secure. There are things I need to do, things I need to do with my people, things I need to do with my process and things I do with technology.
And I think one of the unsung things, in fact the joys of these frameworks for me, are to give you a more holistic view of where to put your resources. It's because everybody, everybody when cybersecurity came along, it's relegated to the CTO, it's relegated to an IT security manager. It's seen as an IT, it's seen as a technology problem and it's not a technology problem. There are three attack vectors people, process and technology and when you just put all your security spend into technology, you're neglecting two out of three attack vectors for threat actors. You're neglecting your people, you're neglecting your process and that's where we're doing. We're spending our money on one third of the problem in terms of our defense and these frameworks the ISO framework and this framework they remind us that you've got to take a more holistic view.
But you've got to actually do the sit-ups, you've got to do the exercise. It's a process. You never become secure. You get up every day and you do more sit-ups and you do more patch management and you've got to keep your business healthy and not a lot of people take out gym memberships, go a couple of times and never go back, as we all know, because it's work. It's actually work to stay fit and it's actually work to stay secure. It's a regime. It's something that's a repetitive process that you've got to integrate into your business processes and that's not an easy thing to do. So I think I'm a big fan of them, but I understand they're absolutely hard to apply. Yes, yeah.
0:14:31 - Mehmet
Yeah, now you may have seen something interesting also, Richard, like regarding how the technology vendors approach this. So, for example, one of the famous things we always hear whenever, for example, someone was able to bypass their technology, like, hey, to your point, these bad actors are getting more intelligent, they are getting more sneaky, they are having, like, zero-day attacks, like how can we be aware of a zero-day attack? Its name is zero days, so no one still knows about it, so it's in the wild, so nothing can be done. And I'm asking this not to challenge, but actually, and this is a part we will relate to later in another question, like, do you think this is, I would say, an excuse, a valid excuse for the technology to fail us?
0:15:33 - Richard
No, in fact, this is why I'm so disillusioned with security vendors. What's a zero day vulnerability? It's an unknown, unknown right. It's an error in a piece of code that allows unauthorized access, or an authorized privilege or something. It's an unknown vulnerability.
Okay, Mehmet, can you tell me how a manufacturer of a security product could have an unknown anything in something that they made themselves? How, you know? The problem is security vendors do not practice security by design. They don't implement OWASP when they're building the code for the firewall or the anti-malware solution. And the problem is you just put your finger on what the problem is. The problem is that because our cybersecurity vendors don't practice something as simple and fundamental as security by design and do secure coding of their products before they sell them to us, their products have now become threat vectors. SolarWinds taught us that. Look at any major. Do this right after this podcast, not before. Go to Google and type in any one of the 20 top security vendors in our industry and you know what you'll find. All top 20, all 20 of the leaders in our industry have had a breach of their own systems in the last 18 months.
How is that possible? How is that possible? How is that possible? RSA has a breach and loses their code?
I thought RSA is a security vendor. Are they not practicing what they preach? Are they not using their own product to secure their systems? You know we look to our security vendors to be leaders in our industry and they're not. They're suffering from the same problems we are. They can't protect their own systems. And you gotta ask yourself so these are not shepherds, they're sheep. They're as lost as we are. You know they're struggling to protect their own systems and yet they're selling us and making a lot of money doing so, selling us firewalls and anti malware and anti intrusion systems and their own systems, their own business systems, are constantly suffer breaches and have become now so back to your point because of their zero day vulnerabilities. They have become back doors because they're trusted products. We implement a firewall, we implement a anti malware solution. We trust it because it's got a big name of a cybersecurity vendor on it and we trust it, but we don't even understand or consider that it has a backdoor because it was insecurely coded. So I'm sorry, you know, I don't believe this zero day vulnerability. I think that when we use that term. It lets vendors off the hook for insecure manufacturing of their software.
If any security vendor out there isn't practicing, and I mean religiously practicing, OWASP and secure development for a tool that you and I will put onto our systems to protect our data, then shame on them. It's very hypocritical to me, but SolarWinds taught us all we can't trust vendors. You cannot trust a vendor product. You can't. And, honestly, before you go out and buy any product, go to Google and see if they've had a breach of their own systems and then ask them how did that happen? Because you're selling me a product to protect my system. How did your system suffer a breach? Was your product involved? Were you not using your product? What, you know? And, of course, the accountability, which is a completely different subject.
If we buy these products and we have breaches, like I said, we buy anti-malware and we get ransomware why aren't we picking up the phone and calling the anti-malware and say your anti-malware solution I bought from you doesn't work. I just got ransomware. I'd like my money back please. There's no accountability in the consumer transaction between us and our cybersecurity vendors. So they do get away with selling us insecure code of an application, a web application firewall because it wasn't built and suddenly it's a backdoor for a hacker. I don't think hackers are getting any more sophisticated. I just think our cybersecurity vendors aren't getting any more sophisticated. I don't think they're doing their job.
0:19:47 - Mehmet
Yeah, so, but maybe they would say, like, this is the nature of how all computer software works, so you always have to keep, you know, doing testing, you know, when you release new features, for example. Like, someone might say this, but I believe, Richard, to your point, now that's fine, you know, for me, at least I'm telling you my opinion. But what, and sorry if it's a strong word, what irritates me, you know, like what makes me really angry, is when any vendor, you know, claims that if you deploy their solution you're going to have 100% peace of mind, which, we know, it will not. So how, you know, the marketing factor, because you mentioned, yeah, of course every business has the right to make profit, like we know, one can argue on this, but I mean the transparency. Do you think that there's a play on the wording?
Sometimes, and I got to bring up one term which became very mainstream in the past 18-24 months: zero trust, for example, right? So, and secure by design, so like, do you think they are exaggerating, you know, these terms in a way that will make an end user, a business, you know, line of business or decision maker in the IT or the security department say, hey, look at these guys. They are saying this secure by design, zero trust. Okay, I can trust them. Do you think, like, there's an exaggeration in the terms that they are using?
0:21:28 - Richard
Yeah, absolutely. I, you know. I pointed out to all of us we weren't using that term zero trust, which has overtaken, which is just so popular in our industry now, prior to SolarWinds. SolarWinds made us all understand that products and cybersecurity products, the more trusted they are, the more of a target they become, and so we need to not trust these things. And so we started to question vendors and we started to use terms like zero trust.
Now but you're what you're saying is what I've said for 30 years if it's not in your service level agreement, the vendor is not going to be accountable for it. So go to your service level agreement for that product that you're buying, whether it's a managed cybersecurity product or a or a just a piece of hardware or software. Go to the service level agreement in terms of maintenance and management and look for any kind of liability in the event that it doesn't work, in the event that it doesn't stop a certain type of traffic from entering through the port of that firewall or it doesn't identify a malware signature of a certain application. You're not going to find it. There are no absolutes, there are no guarantees. There absolutely are no guarantees in any product service level agreement we find out there in our cybersecurity vendors. Now, those are the ones I'm worried about, not the rest of the industry. Yeah, of course I get it. You know we're developing applications that are not secure. I get it. There's money to be made. We got to bring it to market quickly. And there's money, you know, and quickly means cash. So the quicker we bring something in the market, the more money you can make. I get it. So we, what do we do? We overlook security. We always have, we always will. I get it. But that does not forgive our cybersecurity vendors. You see, these, these, this area of our industry, should be above and set the example. They should be the leaders, if anybody should be practicing security.
By design, it's a cybersecurity product vendor, hardware, software, managed service, I don't care what it is, if they're not following OWASP and doing secure development and penetration testing of the product. I've never, I've never met a product vendor that will allow me to do a pen test on their product and I think, well, then, give me your pen test report. Well, we can't do that. Well, do you do them? Well, that's why you can't do it, because they're not even pen testing their own product that they're going to sell me, that I'm going to attach to my systems to protect my data. So two things. One, we absolutely started.
You know the prevalence of the term zero trust comes from our vendors. We can't trust our vendors. They are attack vectors. They are attack vectors and clearly, whether that's in the supply chain or in the you know, hanging off our firewalls, our tech, our products and services that we depend on, have become attack vectors. And they've done that because the whole market as a whole rewards speed over security.
But that shouldn't apply to our cybersecurity vendors. They should be secure over speed. And because we're buying it for security, we're not buying it because it's quickly on the market, you know, and I pay more for that. I pay more for a cybersecurity product that actually didn't have zero day vulnerabilities and was was. You know the code was, was not open source and had all these back doors and holes in it. I would pay more for that development of the product Because I need to depend on that product, because it's got the word, because I'm using it as a, as a, as a measure, as a control that I'm putting on to minimize the risk to my, to the rest of the applications that are built in securely. So if we can't count on our vendors to do it right, who can we count on? And this whole topic is under a certain you know what's wrong with the market. The market is we're not providing the leadership in our own industry by setting the example for all vendors to practice secure by design.
0:25:18 - Mehmet
Yeah, and I think one of the things that they mention always, Richard, that I think even, you know, I've heard CISOs mentioning this, surprisingly, is okay, the weakest link is always the user, because you mentioned three pillars, right. So you mentioned technology, processes and, you know, the employees, right. So now there are tools, there are programs for training, you know, stuff on, you know, how to have cyber hygiene. Do you think, you know, we didn't also do the right job of training, you know, people on having a truly high, you know, cyber hygiene?
And this maybe brings us back to the point, like someone might argue, okay, I'm fine to be trained, but sometimes I have to click that link because, for example, it's like part of a bigger social engineering attack and, you know, like I have to click because it's coming, like, from the CEO or coming from, you know, a VIP in the company, and I've heard this. Okay, I did the mistake and I clicked a link, right, I did that. How are we supposed to have the technology to detect, you know, by email, if the link is malicious, right? So it's like a chicken and egg thing always, and, you know, what can you tell me about that, Richard?
0:26:43 - Richard
I can just tell you you're absolutely correct, but that's you know. We've been doing this for 30 years now. 30 years we've been in this industry. It's not young anymore and, as I said, we all recognize, if you're, if you understand cybersecurity, there's three attack vectors through people, through process, through technology. All right, do you know? Do you know any company that spends their security budget evenly between those three, three vectors?
No do they spend one third on technology, one third on process and one third on their people? No, they don't. They don't, and this is this is so I hear it. The user is the weakest link. Yes, okay, so let's do something about it. How about taking one third of your budget and allocating it to user training or processing, backup and business continuity and disaster recovery and resiliency training? But no, no, we spend it on kit. We spend it on hardware and software. It's a product to us. So it's this.
Until we open up our perspective and understand, the game is to look at all three attack vectors and treat them equally, and until we do, we will always have, you know, a weaker link, and we'd love to say the user is a weaker link. Well, here's, here's an idea. Let's spend some money on that problem. Then, okay, let's stop putting our money in the firewalls and the anti virus. That doesn't work, that anti malware that doesn't work, because we're still getting ransomware, and let's let's start spending on training our users. And we don't. I don't know of any large, small, medium sized business that looks at the user as one third of their security budget. They don't. They never did, and that's, to me, the problem that we don't understand. We, you know, we know, we know the three attack vectors, but we spend money on just looking at the one and trying to minimize the risk through our technology. And that, and until we take a more holistic view and apply our budgets across all three equally, I don't see how we're going to see any advances. And blaming the user is is a way out. For instance, you know, I, I I talk to CTOs and CISOs who are spending 100 million, whatever's in you know, of their budget on technology and you know five, five thousand, you know dollars, whatever on on a, on a computer based training, for you know their users and I think, well, you're spending 100 times your budget. You know 1% of your budget goes to your people and that's canned security awareness training.
And how do you expect, how do you expect these, you know us, to change behavior by just put in having somebody sit down and watch 30 minutes worth of, you know? Oh, change your password. Oh, you know, don't click on unknown links. Oh, thanks, that's, that's, that's new work, that's new information. Hadn't heard that in the last 30 years. But I tell you, if, if vendors were making money in selling information security awareness, really good. We'd get some really cool, very cutting edge, brand new approach to this, but there's no money in it. There's no money in any in security awareness training other than selling you know some canned computer based training. So we're part of.
The problem is what I'm saying. I mean, you know it's. You know vendors are going to sell us with how we're in areas that they make money. Maybe if we started paying more attention to our process or business processes and our people, we would we start to see new solutions that are more effective and can change the needle on on how many times users will click on a link. Until then, let's stop beating them up and take a little of the responsibility. Until we start paying for their training and educating them, really educating them and changing the culture of the company, then shame on us. We're blowing our money on technology and we always. That doesn't work, by the way. So it's.
We're ultimately caught in this circle, this self-defeating circle. We don't have a strategy to, to, to address all three attack vectors: people, process and technology. We spend it all on technology. The technology doesn't work. So what do we do? We go out and buy more technology.
I got a breach in a firewall. Well, okay, well, we'll get this next-gen firewall. And then we do that, we spend more money and that firewall doesn't work, and meanwhile our people keep clicking on links and our processes, our backups keep getting stolen, and, and, and we, because we neglect paying attention and putting effective controls into those, into those two other attack vectors, and we just keep, we go around the circle and we buy more product that doesn't work and we get breached again. And so what do we do? We run out, we freak out, oh, we got a breach, we'll go out and buy more, more product. So it, to me, this is where we've been for the last 10, 15 years, the first 10 years of any industry.
Sure, we're trying to figure out what's going on, but we get this. Now we understand how to, how to reduce the risk of a breach. We know that, and there are frameworks, from NIST to ISO, which we talked about, that will, will give us a holistic view of how to reduce the breach. But we still are thinking technology is our answer. Technology, and here's a security vendor who's going to sell me this new sexy product. Let me just buy this, check that box and move on. Meanwhile some user's, you know, clicking on a link and you get yet another piece of malware, and because your anti-malware doesn't work, you're right back where you started.
0:32:02 - Mehmet
Yeah. So let's, let's come to the second oldest, let's say, we discussed people, to the third one, which is the processes, and I'm a big fan of risk mitigation. I talked about mitigation a lot, you know, in my, when I was a consultant, and the issue there, to be fair, Richard, as well, I think, what, if I can claim, what, I don't want to use the word failed, but what we were not able to highlight enough to the board, the business decision makers, the importance of giving attention to risk mitigation. And I am someone who worked in the areas of disaster recovery, business continuity and all this stuff. And again, it was always seen, and I'm not sure if you would agree with me, it's again, it's because of the vendors, maybe, or maybe some of the way we used to do consultancies. It was seen as, you know, what, like this is a cost that it's not needed now. So let's think about it when it happens, right? So have we failed to educate the business about all these processes and why they are very much needed?
0:33:29 - Richard
I'm really beginning to sound very cynical. I think the failure lies with us as professionals, and I point the finger at myself a moment. I think, you know, when I was in school, I hated to do the long division, you know, to actually calculate. You know, so, and for me, when we talk about process in a business, we talk about all the fundamentals that you just mentioned, doing a risk assessment. Risk assessments are the fundamental building block of everything you do in your cybersecurity program, and a CISO is so far removed from doing, rolling up his or her sleeves and doing a hands-on risk assessment. Identify, you know, identifying what's the asset, what's the value, what's the criticality of that asset, what's the location, who's the owner, what are the risks to that, what's the impact probability, the likelihood, probability, what is the, you know, what is the inherent risk and, if I add this control, what's the residual risk. That long division on one line for one asset, in, you know, in one piece of technology, is rarely done to the degree that it must be done, much less for every new project, for every new web application or every new acquisition or sale. You know, risk assessments are the fundamental element, you know, of all of our cybersecurity, and yet I've, you can tell me if you've seen them done right and seen them done and used as a tool to actually identify, minimize and manage the risk to that business. And it's like we don't wanna actually do the long division and calculate everything, because that's a lot of, you know, how long it takes to do a good risk assessment for a business, for a multi, much less a multi-million dollar business located in, you know, a multinational, multi-million dollar business, much less just a florist, you know, momandpop.com selling flowers online, to do a risk assessment. So what are my assets, where are they located, what are the threats, what are the probabilities of those threats happening?
And so we neglect the process, the fundamental process that drives our business, and we neglect that in favor of going out to buy a product or a solution and just assuming that we understand the risk to that information asset.
So for me it's a question of we've got CISOs up there who are not putting their arms around, embracing and actually doing, you know, on a granular level, on a micro level, an information security risk assessment. You know, where it needs to be done, both on the whole enterprise and on new projects or supply chains, or, you know, new things as the business is evolving. It's a hard thing to do, to do it also, to do it right and then recommend the control that's actually gonna minimize or mitigate the risk. And so I think we're not. We've never sold that to the board.
To answer the second part of your question, we have to understand what the risk is to sell it to the board, to articulate it to the board, to articulate the benefits for reducing that risk or transferring that risk, articulate it to the board. We've never done that. I don't know of a CISO who's actually. He has somebody else doing the, and feeding him a risk treatment plan for review and approval, but they're not actually doing it themselves. It's like, until you build the house yourself, you don't understand every single brick that needs to go in it to make you feel secure enough to say this is the dwelling that we wanna live in and sell that idea to the board.
0:37:08 - Mehmet
Yeah.
0:37:10 - Richard
Yeah, it's just, for me, risk assessments are the key. Yeah, the key to everything. Because, as I said, for me, cybersecurity, oxymoron, cybersecurity is a process and the process is risk management, and if we're not doing our risk assessments, a fundamental part, and integrating that into our business processes, how can we ever bring the board up to date and win their hearts and minds about what the risks are to the business and why we need to do something about it?
0:37:43 - Mehmet
Yeah, now to this point, maybe because I've talked to some CISOs as well, and sometimes they say that the priority is to keep the lights on, as they say. So, for example, if they are in retail, we need to make sure that there's zero downtime for our POS systems and the e-commerce part. They understand that, but they say the priority always is given to anything that touches the core business. Now, some of them, they mentioned, look, I understand what you're saying, but I don't have the manpower to help me in this, and some others, especially, we start to hear about this issue recently, in cybersecurity we have a lack of skills as well. Now, with that mentioned, Richard, like, how do you think we can do a better job in order to, without compromising what we just mentioned? Like, okay, keep investing in technology. And you mentioned, like, you can divide the budget over three, but I mean there are some other factors, which is, like, the time to do this, because they have other initiatives, and the manpower to do that.
0:39:00 - Richard
I don't have a, really, there's not a silver bullet here, but I will tell you this: I find it odd that we do have a severe shortage of skilled people in the market. Right, why is that? That is because the market hasn't asked for skilled people up until now, and when we have asked, there's nobody there. Because in the last 30 years we have not made cybersecurity a marketable profession, meaning a business needs that element in their business to be successful. So we're all coming to grips with, now the business is kind of concerned with cybersecurity, let's go find a CISO or an information security and compliance manager out on the market. And you know what? There's not a lot of people out there with this kind of experience. You know why? Because we didn't ask for them 10 years ago, 20 years ago, 30 years ago. So part of this is we're all thirsty now and there's no water to quench our thirst. But sorry, this cybersecurity problem did not happen overnight, and it is a problem. It is a problem when you go out and look for a skilled plumber or electrician or carpenter and you don't find one. That's because the market wasn't asking for them up until now. All right, so to fix that problem 10 years, 15 years, 20 years from now, we need to start right now investing in understanding and taking on people with minimal talent and training them within.
To me, that's what I'm doing. I'm a cybersecurity consultancy and hiring good people was one of my hardest things, but I hire bright people and they pick it up very quickly, and for us too. So I have my own solution. Every company is trying to adopt a solution to deal with a marketing, a shortage of resources out there. Having said that, it's our fault. It's our fault. It's our fault. We weren't looking for these people and they weren't in school to help them make the decision five years ago. It's a temporary problem in my mind. That's good news, because now everybody in cybersecurity seems to be, in my mind, overpaid for what they're doing and what their qualifications are. People getting out of school with virtually no experience, hands-on skills and experience, are making incredible sums of money because they have a degree. That doesn't mean they're capable for the job. So, even the resources that we do, we can say, oh, there's a cybersecurity resource. That doesn't mean they're very good. That just means they just got a sort of ethical hacking certification. That doesn't mean they have any experience in breaking into sensitive systems. That just means they're at a place to start to learn.
It's a tough problem, it really is, but it's come through neglect, our own neglect. How can we blame the market? It's the businesses that haven't looked for this and required it from the market that are to blame. So in the meantime, we got to take care of ourselves. It's like, physician, heal myself, and I've always been an advocate of what they used to call, 30 years ago, the human firewall. Everybody's responsible for cyber in this company. All we need to do is get leadership to communicate everybody's responsibilities and everybody can equally take on this share. We don't need a cybersecurity department. We need employees that are cybersecurity aware. We need a board that puts money behind cybersecurity controls, and that's a leader, and that, of course, I do feel we are short of leaders who can articulate a way forward, and blame it on, oh, we don't have anybody in the IT department who knows firewalls.
0:42:50 - Mehmet
Really. Thank you very much. Yeah, that's what they say.
0:42:55 - Richard
Yeah, it is, it is, and we end up, funnily enough, we end up blaming the technology that we buy to protect the, you know, the IT systems. It's an odd thing, but I am part of, you know, big groups, and, you know, who are struggling with this. Yeah, there are under-qualified people out there, but in my mind that doesn't mean we don't do anything right now, right here and now. Every business I've ever worked with has some incredibly talented people, and if they were sat down and told, you know what you could do to help the cybersecurity of this program, X, Y, Z, and, and, and pay them more, you know, rather than hire, you know, hire a whole department.
But for me, let me just back up, the most important. If I, if I could, if I could fix this problem, I'd start with secure coders to start generating secure applications. That would reduce the level of our pain so significantly that the rest of us could take a breather, because that, in terms of, you know, I'm not looking for under-skilled, the problem isn't under-skilled CISOs or IT security managers. The problem, year after year after year, is we keep releasing code that's insecure with, as you mentioned, zero-day vulnerabilities. Shame on us. We just, we just, we're just raising the floodwaters around us.
0:44:10 - Mehmet
Yeah, now it's something everyone in cybersecurity also, they've jumped on it, I would say, and everyone is mentioning AI and how AI would be able to help. Do you think really AI can help in fixing, not the full problem, but partially maybe?
0:44:29 - Richard
I, I'm an old guy. How many times have I said this during this chat? I'm an old guy. AI, I've been looking at it for three, four, five years now, and forget all the science fiction I've written.
But I've also seen, I've also seen threat in our response to it, and what I've come to believe is, is AI will be, for me, a double-edged sword. Can it be used for attacks? Absolutely, I've seen it, I'm seeing it now, whether that's ChatGPT phishing or, you know, and how evolved and sophisticated AI attacks will be, and AI tech defense. So it's like that, you know, that yin and yang, there will be a huge rise in AI in the use by, you know, and its use by threat actors in very specific threat vectors. Absolutely. Now, can we rise to that challenge and manufacture AI products that can produce controls, can anticipate AI attacks and respond to those? Maybe, but there's, there. That doesn't mean this war is just between two AI actors fighting it out with each other. You know, for me, with every new threat there's a control that has a limited impact, and it just, the balance goes forward.
It's always been something in my lifetime. It has always been something. It has been technology first, security second. You know, Wi-Fi. Everybody adapted Wi-Fi and they went, oh wait, wait, 802. Wi-Fi is insecure. Okay, cloud, cloud comes around. Oh, wait a minute, like, cloud, so this is what, great technology? Wait a minute, it's insecure. It's always technology first, security second. So technology first. Here comes, here comes AI. It will, and it is currently being used as a very effective tool, attack tool, and it can be and will be, I'd like to think, used as a very effective defensive measure. But that fight for me doesn't mean things are going to change significantly in terms of, you know, threat and threat response. It'll change the conversation, it'll change what CSOs and CTOs are talking about for the next five years, but it's just another weapon and shield, you know, and what, they're made from the same technology, you know, with the same technology base, which will be interesting. But I don't see a resolution, I don't see one victor on one side or the other.
0:46:57 - Mehmet
Yet, yeah, I agree with you and, by the way, like, thank you for, for, you know, mentioning this to, Richard, me, to me, Richard, before we started the session, like you, you were hearing some of the old episodes where I used to be by myself, and, you know, one, one episode I did a rant, you know, and I said, if, if, if a vendor, whether cybersecurity or other vendor, is coming and telling me I have an AI-powered, machine learning-powered, you know, product, the first thing you should do, you know, is go and ask, okay, what kind of machine learning is it doing, like, what kind of AI is it? Because, honestly, I was a sales guy, you know, and people see me till now as a sales guy, but I hate to use gimmicks just for the sake of using the gimmicks inside our, gimmicks, let's say, inside my pitch. Of course, like, if I have a good product, I would pitch this product in the best way. But I love to give people a sense, you know, if I'm using a piece of technology. So if I'm using AI, really I would love to give them first what kind of AI I'm using, because AI, it's not just GPT, of course, it only, like, it has many things in the background.
You know what I'm trying to achieve with this, and to your point, and I think, you know, which is not surprising to me, and I think it's not surprising to you, that the bad actors are more, I would say, advanced in using AI, because they don't have to go and waste time in thinking how we're going to market this, because they already, themselves, right. So now one of my guests, like, I hope he's still listening to me, Karim Hijazi, once he mentioned to me, and I want to take your option, your opinion on this, he said it's not only about, like, we spend a lot of money on the technologies. He said we spent a lot of money actually on defensive technologies. Why shouldn't we have spent also on offensive technologies? Do you think also, like, this is something which is underrated?
0:49:03 - Richard
I do, I really do. I think you made a really good point. I don't understand. You know, for me, the internet is a, you know, I'm an American, it's like the Wild West. You know, the.
The law on the internet is anybody who's powerful, whether that's, you know, at a consumer size, or whether that's Google, or, or, you know, or, or Meta, or, or Jeff Bezos, or Amazon, you know, for me, might is right on the internet, and, and I am, I've always been shocked there is no, there is no police force, there's no intergovernmental, you know, there's, there's, there's, there's, there's law enforcement chasing down bad pedophiles and things. And, you know, okay, there's a, there's an element, and of course every government on the planet uses the internet for surveillance. But outside of that, there is absolutely no framework of right and wrong, of good and bad, of, of, of legal and illegal activity on the web. And then, and I cannot believe, I cannot believe that we haven't taken a more offensive strategy to our web. You want to, you want to, you know, launch a denial of service attack against my, my business, at a very crucial time, you know, business, that I turn around and take your IP address and load off the face of the planet, kind of. And I just don't understand how we haven't gotten more proactive in our security defenses. I don't, I don't get it, when there's literally nobody who would stop us doing that. I, I, I, I, that proactive defense, proactive security.
But I did see, interestingly enough, remember when we went from IDS, intrusion detection system, to an IPS, intrusion prevention. You know, that technology came from an area of the world who is very offensive and I thought, okay, this is great, we're changing, we're changing the way that, that we go. But I, other than that, I just don't see how, how every business, who, you know, we can see who's, who's, who's scanning our firewalls or reading our logs, or, you know, we can see that, it's, it's transparent on the web and whether it's by, I'm sure it might be by proxy, it might not be direct, but we could trace that down and we could, we could do the same thing and launch and be very proactive in intercepting that traffic and derailing that traffic and, and I'll say it, turning that traffic around and putting it right back at the target that sent it. I don't, I don't get it.
I'm all for that, by the way, because, you know, nobody else is looking after, you know, it's not like we've, we've got, you know, all our world governments come together and launched a treaty that we're going to extradite hackers from, you know, Russia or, or this nation state or that nation state. Nation states are one of the biggest offenders and threat actors, you know, on the, on the landscape today. So they're part of the problem, and given that, I don't understand how everybody's just, don't say, you connect to the web, there are no promises. You do what you have to do to protect your business.
0:51:59 - Mehmet
Right, right, you know, I, I, you said, like, you don't think we're going to see a solution in your, you know, career life, Richard, and I don't think, also, I will see it. It's like a mouse and cat game that we people have to play. Hopefully not, you know. You know, still, I like to be on the optimistic side.
How, I don't know, I have no answer how it will be, but I believe, you know, at some point, you know, people will become, and when I say people, like CISOs and CTOs and, you know, technology and cybersecurity professionals, they would say, you know what, enough is enough, like we've got enough of this and, you know, like we need to do something about it, because it's causing people fatigue, it's causing people stress, it's, it's, as you mentioned, to your point about the number of records which was, you know, lost, right. So, and then here we go, our lives became digital, everything we rely on systems, and we cannot, we cannot go, like, forever like this, and I agree with you. So let's hope that one day, very, in the very near future, we will see a solution for this, right? So, Richard, where, where, tell me, like, what kind of services you offer and where people can, can find more about you?
0:53:23 - Richard
The company is called Risk Crew, our website's riskcrew.com, and we do all these product-agnostic services that we've been talking about, which is why I have such a strong opinion, obviously, from risk assessments, policies, you know, compliance, GRC compliance programs, to ISO and, and NIST and these, these, these best practices, as well as things like SOC 2 and GDPR and whatnot, and then move through to penetration testing. You know, web app pen test. We do really interesting red team testing, which is, which is a lot of fun, all the way to business continuity, disaster recovery, best practices based on open source, based on, you know, cost-effective, what's right for the business, kind of thing we believe in. Like I said, process over product, and been in business for about 20 years, having a good time. It's still fun, although, you know, pardon the cynicism in my, in my views, I'd like to see a lot more change in our industry. Can I just say, yeah, because I'm interested in how you were bringing us to the, you know, we'll.
You know what I'd like to see, Mehmet, and professional objectives aside, I think we all need to start taking cybersecurity a lot more personally. You know, we've, we approached it as a data security, ones and zeros, ones and zeros, ones and zeros, and this is not about protecting ones and zeros. This is about protecting data about people's lives, about somebody's mother or father or children or brother or sister. These are people's lives. We're losing this data on people's lives and, you know, medical records, and I, you know, I don't care if it's, if it's what kind of shampoo you use for your hair, it's, this is personal data. This is data about people's lives, and I think fundamentally our problem is, my problem in my industry, in my cybersecurity industry, is I meet other cybersecurity professionals and they don't take it personally. They don't. It's not personal, it's just, it's a job, and for me, this is very much of, you know, a fundamental issue of personal privacy and your expectations, and that if you expect, if you give your data to a company, your natural expectation is they'll look after it as if they were looking after their own data.
And yet I don't see that. I don't see that in the CTOs and CISOs that I talk to, for one of the first questions is, is your personal data in this business system? And they look at me and say, what, are you kidding me? And I think, well, if, if, you know, because that's the way you should treat the protection of all systems, as if it had your most secret details on them and you would expect a level of privacy of that computer or that system. And I don't.
I don't think we do, and I, I, I see a lack of taking this personally. We take it professionally and we do it for nine, you know, from nine to five. Then we go home and we, we spend time with our kids. Then we come back, and, you know, our threat actors don't do that. They don't work a nine-to-five gig. They're 24/7, you know, seven days a week. This is a lifestyle for them, but they don't. What I'm saying is I don't, I don't think we make the personal connection between ones and zeros and actually we're losing data day after day about people's lives, and shame on us.
0:56:32 - Mehmet
Yeah, like, again, another thought-provoking sentence you just mentioned, Richard, we should take it more personally, which is true, and, you know, again, like, exactly, I think one year and three months, or one year and a half, let's say, back then I did a couple of, like, videos where I was just talking about this, and I was saying, look, imagine, you know, you have a relative, I don't want to make it very personal, but you have a relative in the hospital and all of a sudden, you know, the X-ray machines, you know, you cannot process the data out of, you know, what you call it, the
EHR system or the medical record system. You can, you can, you are, you know, sitting in a place and you get stuck because the systems are not working due to a malware, ransomware, whatever it is. So it's, like, about real, real use case scenarios, and it's not like. But again, to your point, Richard, yeah, I blame, I blame, not all of them for me, but I blame some of the vendors and I blame their messaging, because, you know, they cause this, so they cause this, and people start to think, even, you know, like, if you, if I tell you, it's got some of the conspiracy theories that came out because of this, hey, you know what? Yeah, these antivirus companies, they keep releasing the viruses, so we keep buying that from us, you know. So who's to blame there?
0:57:57 - Richard
But that's a good point. Who's to blame? You know, I sounded like I'm blaming the vendors, but let me back up and say, you know who I blame. I blame the buyers. I blame the buyers. You get what you pay for. And maybe, just maybe, if, if, if people who bought cybersecurity products started to expect more and then started to demand more, then we'd get a change in the industry.
Cybersecurity vendors sell us products that don't work. That's my opinion, because we buy them. If we stopped buying them, if we asked for accountability and said, I'll buy this, but if I have a breach you'll give me my money back, if we started to exercise basic consumer rights that we do in every other industry. I, I, every other industry that I know of, people buy a flat screen TV. They take it home. It doesn't work. They take it back to where they bought it. This does not work. If we did that in our own industry, we'd start to effect real change. So I just want to be very clear. I don't blame vendors for selling us products that don't work, don't like it, but I blame, I blame the people who keep buying them year after year after year. That's the source of change. For me, that's the way to change the needle, is to start to expect and demand more from our vendors.
0:59:13 - Mehmet
Yeah. So again, I would love to hear, you know, you know, feedback about this from the audience, because it's a very hot topic. I hope that, I have a lot of friends working on both sides, so, guys, like, you know, you can just tell me, like, this is an open space.
0:59:32 - Richard
I said you're coming to me, let me have the hook. Yeah.
0:59:35 - Mehmet
No, no, I'm fine, I'm fine. You know, I say my opinion also, and I'm still sticking to my opinion that some vendors are wrong, and they are, to your point, like, some decisions are taken wrong sometimes also as well. So nevertheless, Richard, like, you know that really time flew, like it was very, very intense, very fast, but yet very informative, you know, episode today with you. I really appreciate, you know, all the insights and all your experience that you brought today, and I would make sure that I would put, you know, all the links. You want to say something?
1:00:08 - Richard
No, just to thank you again. I mean, I enjoyed it, I appreciate the opportunity and I really appreciate the show. Thanks again, keep up the good work, but thank you for having me. My pleasure, and guys, like.
1:00:19 - Mehmet
Again, if you have any questions, I would be putting, you know, like, there is a, if you go to Spotify, you know, you can see, you know, a question and answer section there, and your feedback you can write it there also as well. Although the podcast is available on all podcasting platforms, you can reach out to me by email or LinkedIn, where I'm most active. I'll make sure, you know, the links that Richard mentioned, they are also in the show notes, so you can go there and check them. And again, thank you for tuning in and we'll meet again in the next episode. Thank you very much. Bye.
Transcribed by https://podium.page