Cybernomics Radio

#36 The Hidden Costs of Vulnerability Management with Kyle Bhiro, CEO @Pensar

Bruyning Media Season 2 Episode 3

In this episode of Cybernomics, Josh Bruyning and Kyle Bhiro discuss the hidden costs associated with vulnerability management in cybersecurity. They explore the importance of understanding these costs, the role of AI in improving efficiency, and the necessity of human oversight in security operations. The conversation also touches on the concept of security debt, compliance, and the future of vulnerability management as organizations adapt to new technologies.

• Understanding what vulnerability management encompasses 
• Triage as a crucial yet costly part of vulnerability management 
• Leveraging AI to streamline the triage process and reduce costs 
• Risks associated with unaddressed vulnerabilities 
• The relationship between vulnerability management and compliance costs 
• Tailoring vulnerability management strategies to business size 
• The concept of security debt and its implications 
• Future outlook for security roles in a tech-heavy era


Speaker 1:

Welcome to another episode of Cybernomics where we talk about the hidden costs in cybersecurity, and today we are talking about the hidden costs of vulnerability management. And this is not emotional vulnerability, you know. That's another show, it's a totally different topic. We're talking about security vulnerability management, and how do we as business leaders, security leaders, get ahead of those hidden costs? Even if licensing costs are clear and upfront, organizations can face significant indirect expenses over the lifecycle of a vulnerability management program. So, actively accounting for these factors, from human resources and cultural aspects to compliance demands, can help CTOs and CISOs and other executives shape a more accurate budget and create more resilient security strategies. Here to help us get ahead of these costs is Kyle Bhiro, the co-founder and CEO at Pensar. Kyle, welcome to Cybernomics. Thank you for having me, Josh. I'm really excited for this. So I'm really interested in what you guys are doing over at Pensar. We're not going to talk about the product too much because we want to talk about this approach of getting ahead of the costs in vulnerability management. For those who are not completely security savvy or tech savvy, can you describe what vulnerability management is and how Pensar is thinking about the landscape? Vulnerability management can probably best be described as finding those little nodes of attack before they're exploited. You know, what can we do to manage this from day one is, well, first, building secure products. Why not teach our developers to write secure code, a buzzword in security. But this is really pushing our landscape of developers and security engineers, what have you, towards a future using tools to their advantage, and so I'm really excited about a future where we can maybe start talking less about the concerns around security because we're considering security from day one.
However, that future isn't here yet. Vulnerability management right now, and the way it exists, is identifying these attack nodes, finding them in the code base, triaging them, which is a huge part and I hope that we can get into, and then fixing and patching those.

Speaker 1:

Let's start with triage, since you mentioned that that's a really big cost to organizations. I mean, when you talk about manual processes, that's often where you find the greatest costs, right, because you've got often SOC analysts or others in the security organization who are going through logs, like just you know, one by one, and the SOC analyst is going cross-eyed. To quote my friend, Alan Alford. Shout out to Alan. It takes a lot of effort, a lot of brain power and just raw energy and time to triage, and whenever I hear vulnerability management, I usually think false positives. I think that things are going to get through the door that are not supposed to be there and we're going to miss the things that we should have caught, right? So it is obvious that organizations will incur costs in terms of not being able to find all of the vulnerabilities that are in their system and, of course, those vulnerabilities get exploited. There could be a breach and that incurs, you know, all the costs associated with breaches.

Speaker 1:

So, naturally, any kind of management solution or any approach to vulnerability management has to address manual triage and being able to find all of the vulnerabilities, if not most of them, and react to them in a way that is time sensitive and risk averse, or at least risk conscious. How are you thinking about manual triage? Is this something that we just have to deal with? Is this something that organizations just have to put up with, or is there a way to manage those vulnerabilities and to triage those logs and those vulnerabilities in a more effective way? Triaging is the most manual part of a security organization. You put it perfectly. It is like sifting through, if you've ever been inside of a record store, right, going through every single record until you find the one that needs to be plucked out. There's an intense amount of noise, and we start using this word in security, but it pours into the developer experience as well, which is alert fatigue, and so these tools that are currently being used by larger enterprises that can afford them, and I will get into how expensive these can become, these tools are not building triaging into their current workflow.

Speaker 1:

Now, I think triaging, being a highly manual part of the security organization, is probably one of the first areas where we can start to leverage machine learning and AI to create efficiencies, and so the cost immediately becomes a question of okay, what work can we start to sell to companies or tools, for example, these AI powered tools and solutions that'll take care of this very menial task for us, and triaging is probably the first to go. So, in my opinion, I think security engineers and developers would actually be quite more excited to do higher leverage tasks, and we are not in any way going to immediately replace the security engineer. I would much rather provide them with tools so that way they can go and do their jobs better. This means more effective hires, right, instead of spending hours, maybe we can quantify it to be 10, a dozen hours a week, finding vulnerabilities just to sift through them and flag the false positives and actually move the ones that need to be addressed into high criticality. It's a huge waste of time. Now, without going too deep into what we do at Pensar, but to eliminate that step, we've trained a language model to triage and sift through those vulnerabilities for you. Immediately, we're able to shift that cost associated for the decision maker to our tool.

Speaker 1:

Now, if you wanted to also look at the potential risk and slowdown that vulnerabilities in your code base cause an organization, this is much more difficult to quantify. What does a breach cost to a business? Now you can look at headlines. This could be millions of dollars. There are tremendous examples of highly regulated industries. Healthcare is a great example to take a look at here, where patient data or hospitals. The worst case scenario is you have a hospital be knocked offline and then one, your institution is no longer trustworthy. But also what happens to the actual day-to-day operations and managing the people and managing the patients. This is a terrifying reality. This part of vulnerability management and finding those attack nodes and vulnerabilities becomes really, really, really, really important in managing that future risk, something to also continue on for compliance reasons.

Speaker 1:

Vulnerability management is a huge part of getting your SOC compliance or any other regulated framework that you'd probably pursue as an enterprise organization. Since we're spending heaps, and I could speak to a small organization will probably spend $20,000, I'm talking early stage startups even, $20,000 just to get their SOC 2. A larger organization that's doing over a million dollars in ARR is probably spending north of $100,000 to get this process done. And part of the evidence that's collected in the SOC 2 procedure is, do you have sufficient vulnerability management? And so this part, if you for some reason fail your SOC 2 audit or it's a slowdown and you're not on the timeline to get your audit, prevents you from being able to unlock new business channels, prevents you from being able to increase revenue operations, and so now we're able to shift the narrative of security to becoming table stakes in doing deals. So let's say I go into a company and I'm going to implement an AI driven solution for vulnerability management. Right, it's going to help everybody do vulnerability management better, or at least help the SOC analysts.

Speaker 1:

Like you said, empower the SOC analysts and the other security analysts to be able to do more with less, right, so let's say this works too well. Now the SOC analysts, instead of 40 hours a week, they can do the same work in 20 hours. What does the organization do with those employees? Do they expand their role or are they laying off half of their employees? This is a great question. I want to break it into segments of organization.

Speaker 1:

So let's talk about small businesses first. A small business is not hiring a security engineer in their first 10, maybe even their first 20 employees. The reality is, small businesses right now are not concerned about security when they really should be. A lot of the attack nodes for high-profile exploitations. I was recently talking to a group of students about early January. CISA had reported that the US Treasury was breached and the attack node for this could be tracked all the way back to a company. I'll leave out their name. However, this is the path of attack and it's not the large organizations who need to be worried about this. It really is the small ones, and then your reputation is on the line. So, small organization. They need these resources, these vulnerability management tools, maybe a condensed security tool to put in their tech stack to start to address these problems immediately.

Speaker 1:

Now let's shift towards the medium-sized, maybe your small to medium enterprise. These are 200, 500 to 1,000 person organizations. You have a security group. You likely have a CISO, maybe you have a handful of security engineers. These people are very, very busy, especially right now. Budgets are quite lean, there's not a lot to work with and they are spending an immense amount of time on, like we were talking about, vulnerability management, a lot of tasks that can be highly, highly automated. Now we can move them onto higher leverage tasks and projects. What that might be, it could be preparing their organization for a new framework that they're going to explore. It could be some, probably high, critical vulnerability that a tool like Pensar finds and now they can address rather than, you know, spending half the day looking for that vulnerability. This is what they'll be doing.

Speaker 1:

I want to reiterate I don't foresee a future where security engineers are being laid off. I actually see a future where security engineers are more important to the business organization because they're taking care of these tasks, because they're enabling revenue to open up and protect their business. Let's take a look at the really large organization as well. I could point to an example of a scan we recently did on an organization that has a couple thousand developers. These industries, especially if they're highly regulated, they have pretty large budgets and pretty large security groups. The CISO is highly, highly concerned with a million things, and that doesn't consist of trying to pluck out vulnerabilities, especially if you don't even know that they're there. So what we're working on, and this is a future that is not here yet, is self-healing and auto-fixing, right. So allowing the security analyst, security engineer, the CISO, to be flagged when there's something important to take a look at, rather than spending time sifting through the vulnerabilities, triaging them manually, instead of just getting, you know, bing, bing, bing, bing, bing, lots of noise and lots of alerts. You're flagged when something actually needs to be taken care of.

Speaker 1:

I'll wrap up by saying these large organizations, and I group CISOs into two different buckets here. There's those who are excited and looking for these types of solutions and there's those who are not receptive to them yet. Do organizations still need people to double check the work of the AI platform? At this present moment, the answer is yes. However, we are going to bet big on a future where LLMs are going to be able to handle this very manual part of security for us. Let me give you a little bit of context. Whenever I use ChatGPT, it helps me a lot. I save a lot of time by using ChatGPT, but on certain tasks I always have to double check and it creates more work for me. So are we at the stage where, yes, AI has the potential to catch all these vulnerabilities and to take the work off of the SOC analysts or the security analysts, whoever is doing the work or managing the solution, duplicate their efforts in that they have to triage, but then they have to double check that the AI did a good job of triaging, which some CISOs or some CTOs may look at that and think, well, now you've not cut my workforce's work in half, you've kind of doubled their work. What would you say to that CTO or that CISO?

Speaker 1:

I think this example with ChatGPT is easy to understand for everyone. It's not just specific to security people. If you asked ChatGPT to show you what the score is on a basketball game and it spits something out, maybe it's not accurate, right, it's not pulling the right data, you definitely double check. At a certain point, there will be a trust element to using tools like this. Right, right, and that's ultimately what it comes down to. That's ultimately what I'm asking: how much should they trust it? This is a good time to say how long have we been using AI tools? Yeah, since the really exciting, maybe ChatGPT 3.5, came out. Five years maybe, if we were to look at the timeline for where this could be and how this changes businesses in the next hundred years. We're in the very beginning, and so right now I think it is exciting and I think companies that adopt these types of tools and these types of practices are going to get ahead.

Speaker 1:

So vulnerability scanners may miss a lot in an environment because you might have a server that's sitting in the basement that's collecting dust, that nobody's really unplugged but nobody really knows what it does, and so when you implement, at least traditionally, when you implement a vulnerability scanner or some sort of vulnerability management solution, one of the costs just associated with that is missing a lot, not being able to find all of the vulnerabilities that are affected, and I know that you guys have a very unique take on this and you've kind of built a robust philosophy around how you deal with security debt. So, in the time that we have left, how can companies curb the costs of just missing stuff in their environment? Great question. Security debt as a concept is similar to technical debt. These are, I like to call them, skeletons in the closet. The security organization for a long time knows that they have vulnerabilities and they let them collect cobwebs. This is a huge risk for their CISO, for their organization, and these need to be addressed. The costs associated with this immediately, by leveraging LLMs and triaging these vulnerabilities, are cut down massively. If you were to put one security engineer on a code base that has a decently large one, that has a million lines of code, it would be their full-time salary to go through and sift and find these vulnerabilities, and a huge waste of time and probably their skill set. If we were to use an LLM-powered vulnerability management solution and sift through these vulnerabilities, allowing it to do it, the time to accomplish and find the vulnerabilities, the ones that we know are there, identify how high criticality these are to solve, and then find the ones that we didn't know were there, to solve a huge problem, a huge point of attack before a breach occurs, but also building and securing your posture before going for potential compliance frameworks.
Yeah, so time to value is pretty high, or at least it should be, and I'm going to call this vulnerability management 2.0. Is there like an official name for the new way of doing vulnerability management, with AI involved? You know, I like Vulnerability Management 2.0. I've also been saying this for quite a bit of time. You know, we've been doing security one way for a long time. We're having a revolution. Yeah, the vulnerability management revolution has begun, and on the battlefront of that revolution is Pensar.

Speaker 1:

Kyle, thank you so much for joining me on Cybernomics. Thank you for being gracious with your time. If people want to find you and learn more about Pensar, how can they do that? Yes, they can go to wwwpensaraicom. I am on LinkedIn, Kyle Bhiro. I'm happy to chat with anyone who has questions. I love this space. I think it is probably the most important problem in the world. Feel free to reach out. All right, and I'll go deal with my vulnerability issues, the emotional ones, right after this call. So thank you so much. Thanks again. Great. Thanks, Josh. Thanks for having me. Thank you.