
Cybernomics Radio
Welcome to Cybernomics, the podcast where we break down the latest enterprise innovations and challenges shaping the Information Security industry. Whether it’s AI, cloud computing, or digital transformation, we dive deep into the forces driving businesses forward.
Join host Josh Bruyning as he engages with industry experts and technology leaders to explore how businesses are leveraging technology for growth. From cutting-edge advancements to the economic impact of tech decisions, Cybernomics delivers insights that keep you ahead of the curve.
Tune in for expert analysis, compelling discussions, and a front-row seat to the future of Information Security.
#25 Cybersecurity Resilience with Matt Webster, CEO @Cyvergence
What happens when 75% of Chief Information Security Officers contemplate leaving their jobs? In this compelling episode of Security Market Watch, we engage with Matt Webster, CEO and CISO at Cyvergence, to tackle this critical issue head-on. With his extensive background as a former CISO, Matt sheds light on the alarming turnover rates in the industry and Cyvergence's mission to provide a 360-degree approach to cybersecurity. We discuss key elements such as risk management, disaster recovery, and the pressing need for aligning cybersecurity with business goals. Additionally, Matt offers his perspectives on the recent CrowdStrike incident and its broader implications for the industry, emphasizing the necessity of having sturdy people, processes, and technologies for long-term success.
We dive deep into cybersecurity resilience strategies and software evaluation, exploring the dilemma of relying on a single vendor versus diversifying providers. Matt emphasizes the importance of authentic conversations with IT teams about system deployment and stability, as well as assessing third-party risks. We also focus on the significance of thorough Business Impact Analyses (BIAs) and maintaining multiple layers of protection, particularly for vulnerable sectors like healthcare. By examining real-world examples and considering the costs and complexities associated with different security measures, this episode provides essential insights for organizations aiming to build a more resilient cybersecurity strategy. Tune in to discover how you can balance the intricate demands of cybersecurity and ensure your organization is prepared for any scenario.
This episode of Security Market Watch is brought to you by Horizon Summit. Connect, learn and lead with the brightest minds in technology.
Speaker 2: People may disagree with me. People might say you're an idiot. You should absolutely get rid of CrowdStrike. They're a garbage company. I'm sure there are people out there who feel that way. Obviously I don't. But you know, it's something I'm going to keep an eye on and my opinion may change. CISOs, 75% are looking at leaving their position, which is pretty high. You know, it's 50% about a year and a half before, from a Gartner report. They did screw up. It was a mistake on there. I'm not trying to say they didn't screw up, because they did. Okay, but I can tell you they're going to improve their processes as a result of this, because it is such a blemish against them.
Speaker 1: I'm here today with Matt Webster, CEO and CISO at Cyvergence, aka the 360-degree cyber resilience company. Matt, welcome to Security Market Watch. Thank you very much, Josh. We've had a chance to catch up a little bit at the end of the last Horizon Summit in New York City. That's where we met in person and we had an interesting conversation.
Speaker 1: I learned a little bit about your company, about the services that you provide, and really intrigued by what you're doing, because what you're trying to do really is to provide a 360-degree view, a very holistic view, of cybersecurity for companies, right? So you work with leadership. You really give them insight, from assessments to risk, to management, to training, providing a holistic view from the top down and the bottom up of cybersecurity for companies. So talking to you is a pleasure. It is my honor to host you on this show today and I'm really glad that you've been so gracious with your time to be able to talk to us today about some of the things that you're doing over at Cyvergence, and maybe we even get into a little bit of the whole CrowdStrike debacle.
Speaker 2: Sounds good.
Speaker 1: Okay, so, Matt, for those who are not familiar with Cyvergence, could you give us a little bit of a background on what Cyvergence is and what was your origin story? And, you know, what was your origin story? How did this even come about? What was the conception of Cyvergence?
Speaker 2: So there's a lot of things to go into there, because that's like a very deep subject. I mean, for a little bit of my background first, because I think that's going to be very helpful for people to understand: I am a former Chief Information Security Officer, three times over, before starting Cyvergence. One of those was a global Chief Information Security Officer. I do have a sales background and some other things as well, and a long history in IT. I've worked with more than 10 cybersecurity frameworks, have made mistakes myself and I have witnessed others making mistakes over the years, and so what Cyvergence is, is starting to build and grow from a lot of what I've seen out there, and a lot of this has to do with that business alignment, with cybersecurity and IT being part of that journey. So I will focus on some things like business impact analysis and disaster recovery plans and a whole bunch of other things, including incident response and some other things. So part of what I'm trying to do is get a holistic view of cybersecurity.
Speaker 2: Cybersecurity does not exist in a vacuum. You know, we have seen that CISOs are leaving in droves in jobs. I mean, from a report from IANS, CISOs, 75% are looking at leaving their position, which is pretty high. You know, it's 50% about a year and a half before, from a Gartner report. Those are very concerning numbers. The average lifespan of a CISO, it depends on the report, but I've seen in my time anywhere between 14 and 24 months is the average lifespan, but the average lifespan of the average C-level executive is 5.3 years. So this is pretty drastic. This is pretty concerning. So there's obviously a lot of things that are going on, but it has been my fortune to work in some good organizations that have really built up and they have done the right things, they have asked the right questions and they've gotten this right business alignment. And so part of what I'm doing with Cyvergence is starting to create that business alignment. Whether you're talking about enterprise risk management, whether you're talking with, hey, let's educate the board of directors and the CEO how to create a successful program, some of that is going to be on their shoulders, but some of that is going to be on the shoulders of the CISO.
Speaker 2: I think that there are things that need to change across the board, and there's a lot of understanding about where do the CISOs come from and some of these others, but it's trying to build those bridges across the board, really taking a look at a 360 view of cybersecurity.
Speaker 2: In essence, that's what I'm trying to build right now, is something that's going to create success for cybersecurity, because right now we look at the threat landscape, we were above 10 trillion in terms of the amount of cybercrime in 2023. Four years from now, it's going to be roughly double, from some of the estimates that I'm seeing. So if you're looking at double the number of risks, double the amount of cybercrime, it's going to be absolutely horrible out there, because it is growing and, unfortunately, crime does pay. Nobody likes to say that, but that's just the reality, and then companies are forced to defend themselves. Now there's a lot of new resources that are coming out, but you have to have the right people, processes and technologies in place, and that's part of what I'm focusing on, is making sure that you have the long-term success of a healthy cybersecurity organization.
Speaker 1: Very rarely, I mean. We do talk about third-party risk, but not at the scale as we've seen with the CrowdStrike disaster, right? I mean, let's call it what it is, a global disaster, right? So how do you think? Do you think that companies should reposition the way they think about threats, to include the large players, I mean, that are ironically supposed to be protecting the enterprise? Should they be categorized in the same class as any other threat, and is it a new threat? I guess that's the question I'm asking: is it a new threat, and do we recategorize it?
Speaker 2: So, interestingly enough, with CrowdStrike, the CEO actually had to deal with the same issue. I believe it was with McAfee, like 14 years ago, where the same issue was there. These sorts of systemic risks have existed for a long period of time. When you talk about SolarWinds, that was Russia getting into a system that's already connecting to all these different companies and then putting out ransomware and malware out to all these other organizations. We've seen the same thing with other sorts of major products on the market. Now the scale is what makes this so different. I mean, it shut down, when you were looking at the planes that are out there, it virtually shut down the whole United States airspace. That scale is where things are very concerning, and what's important, I think, for companies to really think about is how important are those backups, and to have those conversations. When you talk about an airline, for example, and the worst case I've ever seen of this, this I heard about, let's call it, a decade ago: they were working off of Windows 3.11. And that was a major system in the airport, and I think it was in France, and that system finally went down. It was like 15 years old and the system finally was shot. It just couldn't do anything. They did not have the appropriate infrastructure and the appropriate levels of protection. They hadn't talked about five nines. Maybe they had, but they hadn't actually started moving it. Five nines being how long is the system going to be up for. You want to have the maximum amount of uptime possible. Five nines is usually considered maximum, but that's something that, to me, is more important.
Speaker 2: So when you look at something like CrowdStrike, it could happen to you from any particular point of view. Netflix went down during the Mirai botnet. Those are huge systemic risks to organizations based on cloud. So when you're starting to look at things, whether they're individual systems or whether you've got others, having backup systems in place may be important. Now, what's interesting here? We're looking at a couple of different things. A, you've got the cybersecurity risk, but B, there's insider risk. So when you're talking about classifying this type of risk, you have to look at those, and so we constantly look at the insider risk. There could be people who don't know any better. There could be people who make mistakes. There could be people who are malicious. Now in this case, it looks like it's an innocent accident. It doesn't look like anything malicious from all the material that I have read that's out there, but mistakes do happen with all of these companies. This just happened to be a very tragic case. So when you're thinking about things like resilience, it's going to depend a little bit on the type of company. How important is that five nines, and how important are these systemic risks?
Speaker 2: Maybe you want to interlace different systems that are out there, maybe separate different systems or create more resilient processes. For example, a lot of this had to do with the auto update, so you rolled it out and then all of a sudden the systems went dead. 15 years ago, when I was in government, before we even put out an antivirus update, it needed to be validated on a few test systems. First you wait, and that's just the signatures, and then you go through and add another update, and then you make sure that things are good, and then you can roll out all of the antivirus signatures. Now, if you're talking about a patch, you do the same thing, and that's really what needs to be done: create the resilient processes to make sure that you're going to be okay today.
Speaker 2: And that, I think, is one of the challenges, because I don't think a lot of organizations have the resources to put things in place, or at least they're choosing not to, for whatever reason. Now, in some cases, because I work with a lot of different types of customers, they don't know any better. They don't have the resources. It's interesting, some of the customers that are out there for big-name companies, they don't even know the As, Bs and Cs of how to do IT properly and how to do security properly. So when you're dealing with that level, it's time for the team to get educated. It's time to get an outside perspective to say what really are the risks.
Speaker 2: And that's where I come back to things like a business impact analysis. Yeah, there's the cyber risk, and that comes in there. But when you talk about these sorts of systemic risks, you could call it a cyber risk. Most people don't, but a lot of it is getting into this higher-level conversation. So this is going to be like your enterprise risk management. You've got the cybersecurity risk management, but then you've got the higher level, the enterprise. We're talking about these types of things.
Speaker 2: Now the healthy companies are sitting down and having conversations about enterprise risk management. Hey, what are the risks to our organization? Are there some approaches we can take? Maybe we should interlace different types of antivirus to make sure that if one of these is affected by one, it doesn't affect our whole company. And so there are strategies to work with, because the reality is, you know, in some cases people are working from home, they're working abroad, and they have no means of getting home, and they don't have the people, they don't have the expertise. You know, because the fix is going into safe mode and, you know, changing a file, and, you know, for some people that are not used to doing IT work, that is very intimidating. And so you've got a lot of challenges there to work with. But I think that we're dealing with a confluence of things.
Speaker 2: I personally, I have a little bit of sympathy for CrowdStrike. I know that they're a very solid product on the market. Their MDR is great. I can go on saying good things about them, but this is going to sit in the minds of a lot of executives today to say, do we really want to work with them? So unfortunately, that's sort of the reality when you're talking to an executive, like, I don't trust them anymore because they got burned, and when you're talking about any of these types of products that connect into every system that's out there, these risks exist and you need to talk about them. You know, whether you want to go with a competitor, CrowdStrike or something else.
Speaker 2: There are other issues that you have to factor in, and all that boils down to what's the return on investment or, as in the security world we like to say, ROSI, return on security investment, for implementing these products. And that's where I like things like cyber risk quantification, because you can factor in: what are the costs? What does it mean to start to do things? Can you hire the appropriate staff? What is that going to take, and is it really worth the time to implement something like this?
Speaker 2: The reality is, even though the cybercrime is going up, a lot of the business leaders, that couldn't happen. They're not going to worry about it and they're worried about their financial responsibilities. And when you talk about the board, the board is oftentimes interested in the financial responsibility, so they want to cut corners and cut costs as much as possible. So you introduce a measure that's going to cost a little bit more, there's going to be a lot of concern out there in terms of implementing these systems, so I think that there's got to be larger conversations around this. But that's how I kind of look at these big-picture items, just playing around at the 10,000-foot perspective. But I want to give you a chance to delve further into each one of these, because there's a lot to say about every topic that I'm going into.
Speaker 1: Right, right. I mean, we're also talking about the business impact of cybersecurity really, which, you're having to argue both sides. You're having to look at this from the perspective of the business impact of not having cybersecurity. You have to make the case to the business for having cybersecurity, which I know, that's your bread and butter and that's what a CISO is tasked with doing, and that's one of the hardest parts of being a CISO, and it's one of the hardest tasks of the cybersecurity profession, is making the case for cybersecurity, because, like you said, the companies are more focused on financials. But with this CrowdStrike thing, now we're talking about not just the business impact of not having cybersecurity, we're talking about the business impact of having cybersecurity and, just in this case, having one main point of failure. So, on that note, do you think companies should in general?
Speaker 1: We're going to make a generalization here, and we're also going to delve into fantasy land a little bit, because I'm also going to throw in the caveat of we have unlimited funds, right? Let's say, in a perfect world where we have unlimited resources, should companies stick with CrowdStrike? I know I'm throwing you under the bus a little bit here and I'm going to draw some opinions that may not be super popular, but look, this is a developing thing and we can change our minds later. But just for the sake of argument and conversation, should companies stick with CrowdStrike, or should they switch to another vendor, so, Palo Alto Networks, switch over to a completely different big player, or should they diversify? What, from a resilience standpoint, what is the best option?
Speaker 2: So I'm about those, that cyber risk quantification, and some of that means you don't know, but you have to investigate it based on the company: how big of a financial impact is it to have all the airplanes down? The stocks are being affected. And that's a question up at the business level, to see how do they feel and are they aligned with it. You can't just go in there and say I'm all-knowing, I know everything, I'm going to push everything down. That doesn't work. And so having a genuine conversation saying I don't know, but here are some factors to take into account, you've got to work with the IT teams. They're going to be doing the deployment of these systems, and say, is this going to make a genuine difference to the stability of the organization or not? And having those conversations to say, get rid of CrowdStrike or not.
Speaker 2: There's lots of different arguments. So when you're doing third-party risk, if you want to go through and assess, say, the difference between Cybereason or SentinelOne or any of the other products on the market, there's roughly 50 different products that I'm aware of. There's probably more that are in this space, and so when you look at it, well, are you really looking, from a third-party risk perspective, at what their IT processes are and how carefully do they follow those IT processes? When you talk about third-party risk, there are external types of third-party risk, and an external third-party risk would analyze it for what's going on in the outside. But really what matters is the processes. When I look at third-party risk, I like to go back and take a look at the breach history. If I see a breach history of every two or three years there is a major breach there, it says that there is something fundamentally wrong with that organization. In my view, I want to take a look at that and know that ahead of time, prior to making a purchase. When you look at those things, you have to really evaluate it.
Speaker 2: Now, as I said, this could happen to any company. There are some special situations that make it a little bit unique that you could sit down and argue about, but to me this goes back to that cost-benefit analysis. Is it really worthwhile to invest in it for your organization? In some cases the answer is going to be yes. But on the other hand, when you go through and you send out a questionnaire for third-party risk and you ask those kinds of questions, they may know that these are hot-button items. What are your IT processes? Do you make sure that developers don't have access to production? How do you roll out those releases? You can get this fine-tuned analysis to try to figure out, well, how strong is their program, and it's going to be imperfect, and I have had some companies that are going to lie and tell you things that are not true, but, in general, I find that there is a lot of good feedback that I get from those and am able to make a good determination.
Speaker 2: What the reality is, though, and I've done this from an ERM perspective, and I've seen this in other organizations too, where you get, you know, what's the business value, what is the security value, what's the IT value, and sort of mix all this stuff together to say what really are the challenges here. How much are you going to save by using product X and product Y, and how much of an impact is that going to be? You know, we don't hear about it as much from a small vendor, because they don't cover as much surface, they're not touching as many systems that are out there, whether they're Windows systems, Linux systems or others, and that's really what it comes down to, is kind of doing some serious thinking and doing some serious math to figure out, because when you're talking about something as big as an airline, that's huge. There are so many systems that are involved. It is a massive conversation. It could be that it's not really worthwhile for your organization, but it could be, you know what? We just lost $20 billion in a day. We better get our act together and start getting the right systems in place, and so those are good questions I think that companies should be having the conversation about. Now, it's like business impact analysis typically, or BIAs, are typically pooh-poohed, but until the reality hits of what's going on, like we saw that with Change Healthcare.
Speaker 2: You know, that was another big hit to healthcare organizations. It had a system out there that didn't have multi-factor authentication. Threat actors got in there and then, all of a sudden, it was down for months. So companies were scrambling to get an alternate strategy in place, and so, to me, this is part of what cyber risk should be paying attention to, because that is a strategic risk to an organization, to have one payee system that's in there. You should always have a backup to make sure that, hey, you've got one thing working, one thing not working, let's at least use this alternate, and so using these strategies.
Speaker 2: So, for example, when I was in government, we had multiple types of firewalls. You had to have one external firewall of one type. Well then, after you had the web servers, then behind that you had a different type of firewall, and there become different types of risks, because now you need firewall engineers and experts who know the configurations of multiple types of firewalls. We had three different types of firewalls for one set of systems, and this was a requirement that we had to have.
Speaker 2: But in the end you end up really protecting the organization. Because what happens if you've got a really serious vulnerability for the external firewall? You want them to cut through that and get through the entire firewall and get through your entire network? Probably not. Most of us don't want that. So it's an expensive approach, what I'm talking about, but in some cases it's not worthwhile. In some cases it very much is worthwhile, and it's worth having those discussions. So what I'm about is having the conversation in your organization. I can't be dictatorial and say you must do this, you must do that, because that just simply isn't true. Does that help?
Speaker 1: So your answer is, it depends.
Speaker 2: It's a classic idea, yeah.
Speaker 1: And it's going to take a whole lot of money. Well, let me see if I could take a, it depends, I mean there are other approaches you can take.
Speaker 2: Let's say, if you use the top two. So if you had CrowdStrike and then number two in place, and you know that you're covering yourself pretty good, you might be okay. You might be on thin down service, but that might be, from a business standpoint, completely acceptable. And so you come up with what's reasonable for your organization.
Speaker 1: Let me see if I could take a, I'll take a stab at simplifying it in a way that I understand. Just sort of, I've been absorbing everything that you've been saying like a sponge. So let's say, let's see if I could regurgitate it in a simplified fashion. What you're saying is that really, when you do that BIA, it'll tell you, that sort of analysis, if you start there, that tells you one, what systems you have in place, and how those systems could be affected and what systems can affect that. So that would affect your vendor choice and your systems that you purchase and all that. And the other part of that is that CrowdStrike really, they didn't really screw up here, and it could have been any other company, right?
Speaker 2: Well, they did screw up. It was a mistake on there. I'm not trying to say they didn't screw up, because they did, but I can tell you they're going to improve their processes as a result of this, because it is such a blemish against them.
Speaker 1: So they did screw up this big and there's this huge catastrophe. The companies tend to fail up, because they can say, well, we've learned from our mistakes. And if they're the first one to learn from the mistakes, well, you for sure want to renew your contract with those guys, because the competition hasn't been hit yet. So in a way, this may end up helping CrowdStrike, and maybe their competition is going to be chomping at the bit to have their stab at failure. So it looks like, okay, going back to what you said, something like CrowdStrike, if you were to, let's say, you've done the business analysis, you say that you have the systems, you need something like CrowdStrike, you do have the resources to do it, it doesn't make sense to really pivot over to a different system, because the other system might suffer from the same vulnerability and you still have to do the same business impact analysis anyway. So if you've done it once with CrowdStrike, what I'm hearing is probably companies should just stick with CrowdStrike.
Speaker 2: Well, let me back up a little bit, because you don't want to have... Just because something could happen with two different vendors does not mean that it's going to happen at the same time. So CrowdStrike took a hit, but let's say, if you had SentinelOne in place, they didn't get hit, right, at the same time. So if you've got enough systems out there to really move and get things done, you might be perfectly okay at this point, and so that's one acceptable approach that you could take. I'm not saying that it's right for every organization. It creates additional levels of complexity. You've got different systems with different capabilities, and I've seen it in organizations that are in this transition phase with malware streaming through the environment. Part of it will be hit, part of it won't, because of the antivirus that they had in place, and I'm using antivirus as a general term for next-generation antivirus with endpoint detection and response and managed detection and response. You know, there's a lot to go into there and that's something we could explore just as part of it, but that's a tiny part of the processes. Also, business impact analysis, you can do them once, but really it's that third-party risk that you go and map against that business impact, and so the business impact only needs to be done once. You don't need to do it for each individual system. You just have to take a look at it and say, what's the larger context for that, and look at the third-party risk information to say, hey, what are the risks of this happening again? And if I were to see this, let's say every year CrowdStrike starts having the same issue, I'd start going, you know what? CrowdStrike is not doing a good job here. There's clearly some issues. Let's go on. Begrudgingly allow them to have one failure like this, from my perspective, but it is a concern. My concern is when situations like this...
Speaker 2: Let's say, a lot of companies decide they're going to move away from CrowdStrike, and so then they take a 50% hit to the number of people that are actually utilizing their product. Are they able to maintain the same standards they had before? And that's a question. I don't have the answer for that, but that would be a concern of mine. But then you can start looking at these other products as well. Maybe they've got a better process in place, maybe they don't.
Speaker 2: But that's why you really need to sit down and understand the third-party risk and make sure that you continually evaluate this. So I would put it into contracts. I'm really big on making sure the contracts are in place, but if you have a contract that says you can go back and analyze them at a later point in time from a third-party perspective, you can kind of start to understand where that systemic risk comes from. And so those are just a few of the strategies I would use, because you can't use a single strategy and think I'm going to solve everything, here's my silver bullet, because really it takes teamwork and multiple people looking at things from multiple sides to really come together to make sure the situation is going in a good direction.
Speaker 1: Matt, you are a well of knowledge, my friend. I really appreciate your time today. Again, I wish we had more time to talk about this stuff, but they tell me that if podcasts run for more than 30 minutes, I'll lose my audience, so we should wrap it up there. Is there anything that we didn't cover that we should have covered that you want people to know, and what is top of mind for you, and what is the message that you want to put out there?
Speaker 2: If you don't know if you're running into problems or challenges with your organization, bringing in an outside organization to start those conversations and to understand what those challenges are is incredibly important. As I said, I work with companies who sometimes do not have the expertise to even cover a lot of the basic IT foundations or the cybersecurity foundations, and they're at great risk, and so sometimes working with an outside vendor to get an outside perspective, who is very business-minded and is able to get that conversation going from multiple standpoints, can be a huge help for any organization.
Speaker 1: Excellent, and if people want to find you, what's the best way that they can contact you? So I'm on LinkedIn.
Speaker 2: Feel free to find me there. That's a very easy way to get hold of me. Also, the website is www.cyvergence.biz. That's cybersecurity and convergence matched into one, C-Y-vergence, B-I-Z. But feel free to reach out to me there, and I look forward to hearing from people.
Speaker 1: And everybody, Matt's number is 555-555-5555, and he loves to get phone calls at 4 am, so hit him up at 4 o'clock in the morning.
Speaker 1: All right. Well, that's it for our show today. I'll be in Dallas on August 29th for the Horizon Summit, so head over to CISOevents.com and register if you have not registered yet. And since we touched on patching and making sure that environments are safe before you roll out a patch, check out sidedeploy.com. SideDeploy, you know, my friend and CEO and founder of SideDeploy is Tina Williams-Karoma. Check out her website and you might find a solution over there that may be helpful, may be useful. All right, Matt, thank you so much.
Speaker 1: Thank you for watching this episode of Security Market Watch. We'll catch you on the next one. Bye. Sounds good, thank you, bye-bye. All right, and that's it. That's a wrap.