Cybersecurity is not the sum but the product of its parts. But how can you know whether the whole is protecting your business unless all of its components work together to detect and remediate threats? This session walks you through how to build an effective cyber strategy that focuses your business and its leaders on proactively mitigating cyber risk.
In this webinar you’ll learn:
- The emerging threat landscape
- Key components of a cybersecurity strategy
- Ways to communicate security risks to executives and boards
A PACT webinar sponsored by SEI.
Building an effective cybersecurity strategy
Megan Reilly: Good afternoon and welcome to PACT's Cyber Security Series. I'm Megan Reilly, director of member success at PACT. And we have a really interesting discussion plan for you today on cybersecurity, mixing cyber with business.
Megan Reilly: First, we want to thank and recognize SEI for sponsoring the series. We are tremendously grateful for their support and their expertise. Before we get started, I have a few notes. You are muted, please stay on mute for the duration of the program. If you have any questions or comments, feel free to put them in the chat, we'll be monitoring it throughout. And this program will go to four o'clock today. Now, I'd like to introduce our moderator, Steve Bomberger, head of SEI Sphere.
Steve Bomberger: Thanks Megan. Thank you PACT. Really excited to be here with you all today. Welcome to today's webinar, mixing cyber with business, how to build and communicate an effective cybersecurity strategy. As Megan mentioned, I'm Steve Bomberger, head of SEI Sphere, which is a division of SEI that offers cyber security solutions and other IT managed services to the market. I'm really, really pleased to be moderating today's discussion and thrilled to be joined by three great panelists today, Jack Allison, CIO of Republic Bank, Mike Kenney, director of services at Consortium Networks and Ryan Hicke, CIO at SEI. I probably won't do their backgrounds justice. So I've asked if they could all introduce themselves. Jack, we'll start with you please.
Jack Allison: Hey, good afternoon everyone. I will not bore you to tears on this, but I've been in financial services in healthcare, looking after technology for the better part of 30 years, been in the Delaware Valley most of that time. So a lot of the companies that you all represent, I'm probably pretty familiar with. So welcome to the presentation.
Steve Bomberger: Thank you, Jack. Mike, please.
Mike Kenney: Thanks Steven. Thanks Heidi and Megan. Mike Kenney here, I head up the services team at Consortium Networks, which is a small and quickly growing cybersecurity consultancy. We focus exclusively on cybersecurity products and services, and we've got about 700 customers up and down, mostly the east coast, but across the country as well. Before Consortium, I was the chief of staff at New York City Cyber Command, which is a New York City government agency that I helped set up about five years ago to centralize cybersecurity authority and accountability across the city of New York. And for scale, that's 350,000 employees, about 500,000 endpoints depending on the day. And before that, I worked in the Mayor's Office of Management and Budget in New York City. Thanks for having me.
Steve Bomberger: Thanks Mike. Last but not least, Ryan.
Ryan Hicke: Thanks, Steve. And thanks PACT for setting this up and hosting today. I'm Ryan Hicke, I am the CIO of SEI. I am 24 years into SEI. I am on our executive committee. I've spent half my career in the Philadelphia area and half in London building out our global businesses. And I am also a member of Steve's team on the SEI Sphere business.
Steve Bomberger: Awesome. Thank you, Ryan. Thank you gentlemen for that. And a big, thanks again to the attendees. Please feel free to send in questions, we hope we can spawn some conversation and some quality questions, but we'll try to keep this conversation maybe to 30 or 40 minutes and leave room for that at the end.
Steve Bomberger: So we're on the continuing hot topic today of cybersecurity, but we're going to do this as the webinar noted through the lens of business leaders. The importance of viewing security in a different light given today's environment has been discussed widely. We all hear, we see it in the news today, but turning that into an actionable plan, one that is clear and decisive is not always a clear path, not easy path. This group, hopefully today, is going to help break it down for us and provide some context to security risk, operational risk, business risk, and how and where some of those risks may converge.
Steve Bomberger: Just by setting the foundation a little bit from a statistic perspective. I thought I'd throw a couple of these out today. According to Gartner's 2022 Board of Directors survey, 88% of boards now regard cybersecurity as a business risk rather than just an IT problem. I think that's pretty telling about the importance of cybersecurity in today's world. Another piece by Gartner, and this is some of their planning projections and predictions that they do, they suggest that by 2026 at least 50% of C-level executives will have performance requirements related to cybersecurity built into their employment contracts. So I could ask Jack and Ryan how they feel about that right now. I won't put them on the spot this early, maybe they can comment on that later.
Steve Bomberger: But let's go ahead and just jump right in. And Mike, I think we're going to start with you given that you have the purview of those 700 plus clients that you talk about, and then we can go over to Jack and Ryan. But tell us, in general, as you talk to a lot of your clients, how do they view cybersecurity within the context of the overall business in today's climate?
Mike Kenney: Yeah, so it's changing is the first part of the answer and it's changing and shifting toward a perspective that's focused on operational resilience. I promise I won't go any deeper into technical jargon than this, but if we think about the NIST cybersecurity framework, it lays out five pillars that basically make up a holistic cybersecurity program, identify, protect, detect, respond, recover. And for a long time, cybersecurity has been focused on that protect component. I need to protect everything I have and I need to prevent any bad thing from happening, breach, DDoS attack, software vulnerability, whatever it is. And I think we're shifting now to a focus on resilience and operational resilience in particular, which changes the focus to detect, respond, recover. I'm not going to prevent every bad thing from happening, but how can I detect it quickly? How can I respond quickly? And if I need to, how do I recover quickly? So that I minimize the impact to my business. And that's the primary objective, keep the business up and running uninterrupted.
Mike Kenney: I think that's a challenging head space, both for business leaders and for IT or cybersecurity leaders. And it's precisely because we've drawn that distinction between the two that it's so difficult. Business leaders have hired cybersecurity professionals to try to prevent every breach or bad press or whatever it is and they've been incentivized to do so. And so they've lost connection with the business. And I think part of what we need to do going forward is rebuild that connection between cybersecurity and the business and make sure the cyber team knows what's important to the business. And likewise make sure that the team running the business is tightly integrated with the cyber team and understands their needs.
Steve Bomberger: Yeah. Thank you, Mike. Yeah, it's certainly become not just an IT problem, but an interdepartmental problem that all organizations within the broader company framework need to think about. Jack, from your perspective, obviously we talked a little about NIST framework there, and that's a wonderful methodology for kind of evaluating a program. But from a general perspective, cybersecurity at Republic Bank, how do you see it? How do you feel about it?
Jack Allison: Yeah, so it is absolutely a balanced equation as Mike had said. I think back earlier in my career and working with the CTO who used to really walk around stump speeching saying, security and convenience are inversely related, and he was kind of proud about that. Unlike what Mike is suggesting, that we need to work together to figure that out. And I think we are very much evolving on that. There is an incredible heightened sense of the possibilities of doom and gloom because of everything that's going on out in the world. But, as we work through this, I think the balance really comes to a point where instead of using... And I love the fact that, Mike, you said this a bit earlier, I'm not going to get really deep technically and I know most of the audience on this call could go really deep. But if you alienate those business leaders with that deep speak or the FUD, the fear, the uncertainty and the doubt, they kind of tune out. It gets harder to work on a combined, I hate to use this because we always want to use this risk based evaluation on everything. But honestly, what are the risk valuations?
Jack Allison: And when you start teasing that out to what it could mean profitability or cost wise to the business reputationally, it gets clearer, especially when you can benchmark that stuff to show them the results of it's done well, what that means for a company. There could be really positive things. I've seen a great financial institution technology provider that's actually doubled down on this and created value out of it. Or on the flip side of that, if you do it really poorly, what's going to happen to valuation and potential to attract or lose other customers. So I think it is a really important balancing match between what we're trying to do in tech and InfoSec space and the true business.
Steve Bomberger: Great. Thank you, Jack. Ryan, any commentary from your CIO seat?
Ryan Hicke: Yeah, instead of just repeating what Mike and Jack said, I think Steve, we're almost at a point where we've stopped talking about these situations with an "if they happen" lens and moved into more of a "when they happen" lens. To do that inside an organization and outside an organization, to Jack's point, it now requires different stakeholders at the table and actually creates an opportunity for different levels of engagement. So, to Mike's point about resiliency and recovery, instead of that being an IT perspective, we can look all the way out to the client, to our operations groups and say, okay, well, when this happens, what are we going to do? And how are we going to respond? I just think that whole posture has actually given us a better perspective even today of how we even service our clients. But it also changes the paradigm to really allow us to think about this as everybody's responsibility in an organization, not just inside the technology group.
Steve Bomberger: Yeah. That makes a lot of sense. So, the last couple of years we've seen the heightened security in the press, we've seen ransomware continue to evolve. We've seen all these other different attack vectors that come with work from home, everything that we've been seeing around this space. From your perspectives, and this is just an open question here to the group, have things changed in how you have to think about security? Has the current threat landscape that we're living in the last couple of years, that maybe we're even living in the last couple of weeks, given some of the heightened tensions that are going on, have things changed? Are boards more receptive to understanding some of that tech speak? Or is it still a discussion topic that needs to be addressed at the highest level? Jack, do you want to provide some context around that?
Jack Allison: Yeah, I would say this, I think the board in any conversations that I get the privilege of kind of talking with them, they're really looking to understand how to cut through all this. Really get to the issues that matter and that we can make a difference in. Whether it was the ransomware that I think woke a lot of folks up with, to what's going on right now kind of with the cyber attacks that are going on because of the war in the Ukraine. They're asking, how do we know we're prepared, how can you give me-
Jack Allison: ... How do we know we're prepared? How can you give me comfort in a really justified way, not just saying, "Hey, don't worry about this, we've got it covered. We're the big boys and girls in IT." But also, what do I need to be worried about? What can I help you with? I think earlier in my career, I had a CEO when we had a particular incident. So it was great, Ryan, what you just said. So I got to see this years before maybe the evolution happened.
Jack Allison: And he was really crystal clear. As this thing was unfurling he said, "Look, in the three years we turned this company around, we've created $100 million worth of market cap. This could be gone tomorrow. If there is a tool, a consultancy, a combination of those things that we need to invest in to make sure we come out of this correctly, we need to do that."
Jack Allison: And I think that really carries the message of what I was saying earlier. The board wants to know how they can help or where is the gaps or what are the priorities and why. And they don't want all that technical stuff to get them bogged down. They want to get to a real clear, measurable path forward.
Mike Kenney: Yeah. If I could just add to that, is the board more receptive to the deep speak or the technical speak? I don't know, I would venture not really. And I think the onus is on the IT team, the cybersecurity team, to speak in a language that the board understands. And for the board perspective, oftentimes that boils down to dollars. How can I quantify cyber risk in dollar terms? How can I measure it? Because what gets measured gets managed, or what gets measured gets done, or what gets measured gets lied about, is something that I used to say. Hopefully, that doesn't happen too much. But that's what we've got to do. We've got to speak in terms that the board understands so that they can help. As Jack said, they know it's a problem. They want to know that they can do something about it.
Ryan Hicke: Yeah. I think that's right. I also think when I look at that conversation at the boardroom, Steve, as you know, we have an extremely talented CISO, he's really well respected, he's got a great team. I think even in the last three years, I have observed the board asking him and his team, what do they think we should do? And what do they need from the board and the executive committee to put SEI in a better position?
Ryan Hicke: Because I think Jack hit the nail on the head. Before it wasn't just about what's the ramification if we had some sort of incident. It's we have $2 billion of revenue and thousands and thousands of clients and their underlying clients that we're responsible for and we're protecting. And I think that has changed the perspective. And I think Mike makes a really good point that's required both sides to ask questions differently and also answer questions differently, so that it becomes more empirical data, more definitive. Here's what we need. But I've seen it firsthand. It's been great to see the board ask Corey and the team, what do they need from the board and executive committee for SEI to be more successful.
Steve Bomberger: Yeah. I think you guys are hitting on an important topic around allocation of spend within IT and budgets. We look at the statistics, and we see IT services, and underneath that umbrella is cybersecurity and things like digital transformation. Allocations are growing to that. Mike, from your perspective of a lot of the different organizations, and Jack and Ryan, from your organization, do you see a more open dialogue around spend and cybersecurity? And almost to your conversation earlier, group, about this evolution and looking through a different mindset about how cybersecurity is not necessarily a cost center, but potentially a growth enabler now, are things at the board level and at the C-suite opening up in terms of more spend on cybersecurity?
Mike Kenney: I think they are, and I think they have been for some time, but I think the burden remains on the cyber team to articulate not just what they need, but why they need it. And to again, tie it to a business enabler. An investment in cyber security makes the entire organization more resilient to the next pandemic, to the next rapid shift to work from home, or to changing labor dynamics or to the next natural disaster. So the more you can tie an investment in cybersecurity to something that benefits the overall business, the more likely that spend is to open up. I think you've got to be able to articulate what you get for the investment. It's not just I get endpoint defense licenses or I get application security. You've got to tie it to the business, and then that message resonates.
Ryan Hicke: I still think, Steve, it's going to continue to open up more. I still think it's hard for people to truly, honestly self-assess their current position. I think they will always be, in many cases, a little bit over confident about maybe their current security posture and cyber posture. So a lot of times, it requires some negative event and an incident as a catalyst for them to look out. So I think that'll change over time, and regulation may accelerate that change, but I think people get it. But I think they still have a hard time connecting where are their weaknesses and where should they be thinking about investing differently, because they don't have an easy way to self-assess.
Jack Allison: I think that's spot on, Ryan. And one of the things that I always try to take, regardless of what line of business in IT that we're working with, is that you've got to bring benchmarks to this game, to be able to self-assess. And I'll be honest with you, as the proliferation of tools and strategies have hit InfoSec, it's really easy to spend more money. And if you've got a board that's willing to go along for the ride, that's great. But how do you actually work through the effectiveness of that spend, with some benchmarks and actually assessing, all right, you could buy the best in endpoint protection, but have you actually set it up in a way that lets you take advantage of that? And I think holding your team accountable to that and finding resources to do that.
Jack Allison: And I'll throw a plug out for Mike and his company here. We were able to do that with them, where we can actually really assess how we're doing with those investments and really take it on in a step by step process to build our program up with the capabilities and funds that we have today. And what are we leaving on the table for that next round of conversation, to say, "Here's how we'll improve."
Jack Allison: And I think, as you all have said so far, we have that accountability not to just go in and stamp our feet and say, "You guys don't understand. It's bad out there." They get it. They read the front page of every business journal as well. We have to bring that solution in there and prove to them that we're doing it, just like if we were fighting for new funding to build out the next digital initiative or reporting in data analytics and governance and whatnot. I think all these things matter.
Mike Kenney: Yeah. And just to add to that, the right next move is not always buy another product. And we've seen that time and again. The right next move may be focus on the maturity of the implementation of what I already have, or focus on expanding the coverage of what I already have to all of my most critical assets, or consolidate on certain products. I go back to my experience with the city of New York, and we owned at least one of every piece of technology that had been manufactured in the last 40 years. And we've got inefficiencies left and right. We've got teams that need to be trained on six different kinds of firewalls. And there's one argument to be made about avoiding single points of failure. But I think there's another more compelling argument to be made for the efficiency that comes with consolidating in certain scenarios and investing in training up on one piece of technology to serve one function and being the best that you absolutely can be on that.
Ryan Hicke: Mike, I actually think that is a really insightful point, and it's one that Steve and I talk a lot about because we draw an analogy, and I'm going on a quick tangent, but we draw an analogy to our financial advisor business. And financial advisors over the years have built up their business by buying single products. They'll buy a rebalancing engine, they'll buy a CRM, they'll buy a financial planning tool, they'll buy a portfolio management tool. And then as they grow, they look around, and they're like, "Wow, I have this enormous hodgepodge of all these individual products." There is no continuity around what their platforms look like, and then they have to figure out how to manage that, but they don't even know... Steve and I talked about there's a lot of analogies there that nobody's doing the wrong thing, but they're not thinking far enough out sometimes of saying, "Hey, if I doubled or..." Jack's living this. "If I double or triple my business, how am I going to manage this infrastructure? And is it even going to solve strategically we're trying to do?" I couldn't agree with you more on that, Mike.
Steve Bomberger: So, you guys are taking us down that path from the communication side, as we talked about in the topic of this webinar, to more of the build side, what goes into having an effective cybersecurity program. I think we've just established, it's not always getting that next best great tool. It's how that all works together.
Steve Bomberger: So Mike, maybe just back to you then, as we're going around the horn here. Thinking about security, you mentioned NIST at the beginning. You mentioned also the maturity of a program. What in your eyes defines good security? And I know that means different things to different organizations that are in different industries, but in general, what are your thoughts around good security and what components you have in place for that?
Mike Kenney: Yeah. I think there's some basic technical elements to that equation. Endpoint defense, multifactor authentication. I think there's a lot of benefit to be had from migrating to the cloud, benefit that oftentimes outweighs the cost that some people feel when you talk about physical access to your data center. I think those are all elements that can make a good program. I think communication is absolutely critical, and that's the topic of the webinar here, but you've got to have the buy-in from the whole organization. Because some of these leapfrog improvements in security will come with a change in the way that people conduct their business every day in front of their computer.
Mike Kenney: And once you get used to it... I shouldn't even say you get used to it. If it's communicated appropriately and people understand why they're doing it, it's oftentimes not as big of a lift as is represented before you go ahead and do it.
Mike Kenney: One of the great examples of this is a conversation when I was in the city that we had with the security team at Google, and they talked about the move to YubiKeys, so hardware tokens and multifactor authentication for access to all of their assets. And people groaned about it, and they grumbled about it. But what they were able to do at the same time was eliminate the need to change your password ever. There was no more monthly password reset, no more quarterly password refresh. You never had to change your password again. And by communicating in that way, not just what you have to do, but why you have to do it and what other benefits might come with doing it-
Mike Kenney: ... To do it and what other benefits might come with doing it. You know, they were able to do it and they're a big organization.
Steve Bomberger: Ryan, Jack, any thoughts on, we could take it a technical path or down a path like Mike around maturity and some other things. Any thoughts on components of good security, or how it should be viewed from your seat?
Ryan Hicke: Again, I mean, I think we're all in kind of violent agreement. I think communication's key. I mean, you look at something like COVID, Steve, when we had to shift to so many people working from home and things like always-on VPN, right? But nobody complained, right? Because the team did a great job of communicating and explaining not only why this was something we needed to do, but it just made sense. And if we engage people and explain why, you don't get pushback, because they felt that they were part of the conversation, but they also understood why we were doing what we were doing. And I think that's important kind of every step going forward.
Ryan Hicke: And I also think one of the things that Mike said earlier, and I know there was a question in the chat about cloud. You can't just move applications to the cloud and wash your hands of it and think that it's no longer your responsibility, right? It doesn't work that way. So as you know, we're living, we're going to be living in kind of a hybrid world where we have things on prem, and we have things in cloud and there'll be different ways we operate. But it doesn't mean just because it gets shifted to Azure it's no longer InfoSec or IT's issue anymore. It just means we have to kind of change some of our principles and governance and procedures. But I think there's a belief sometimes that once that goes to AWS or Azure, "Whoo," or "yeah, not our problem anymore."
Jack Allison: Yeah. And I would just add from being in a financial services world and healthcare before that, and back and forth between, and you had to deal with it as well, Ryan, right? That stuff is also something that we have to deal with from a compliance perspective, and our regulators are all over us on this stuff, right?
Jack Allison: And it goes back to our vendor management platforms, right? I mean, the regulators will come in and say exactly what you just said, Ryan. Like, "Just because you outsourced it, you still have the accountability." Right? And some people get confused by that. They kind of want to do this washing hands, whether it's the cloud or it's a great service provider and, "They're going to take care of this for us," whatever this is that accountability still comes back on us.
Jack Allison: And that benchmark I've talked about also, it's really making sure and like you started us off with this, right? Is that you have to measure everything right now. I've been in organizations where they'll have 58 KPIs around a topic, right? 58 is too much. You can probably figure out everything on about three key KPIs. You might have some supplementary stuff that tells a bit of a story and a trend that you want to watch, but you really, really need to work on that. And I think that those things are important and you can't forget about the compliance, right? And in our case, the regulators.
Jack Allison: Because in our case, if you're in financial service, you already know the story, right? I can't get a new store approved. I can't just go sign a lease and open a store like T-Mobile can. My regulator has to say yes every time. So they get an opportunity every time we want to grow to basically say yay or nay. So our shop has to be that good.
Ryan Hicke: And Jack, just to jump in briefly and Mike can weigh in here too. I think I'm sure what you've seen in the last two years from that regulatory front, it has definitely moved from say you are doing it to show you are doing it. I mean the need to evidence this now that acceleration of over the last couple of years has been amazing.
Mike Kenney: Yeah. I think I don't want to be too sympathetic to the regulators or to auditors, but I am somewhat sympathetic having dealt with them in different capacities.
Mike Kenney: I mean think about the challenges that we have in hiring the best cyber security professionals for our teams and the jobs that we do, there is a talent shortage out there. It's significant and there are training and university programs and bootcamp programs that are trying to help bridge that gap. But we have a difficult enough time hiring the right people for our teams. Certainly the regulators are having that same problem.
Mike Kenney: And so it all comes back to speaking the same language and trying to understand exactly what they're looking for and providing the type of evidence that's requested. And it's not always as easy as, you know, this document, check the box and I'm done. Sometimes you have to bridge. Again, bridge the gap a little bit between what's being requested and what you have, and the intent is really important there.
Steve Bomberger: That's a great point, everybody. Yeah, you guys are kind of really on the right spot of defining and putting metrics around, not just what you have to do from a compliance perspective, but how you have to do it. Then from a technical perspective, evaluate and show, Ryan, to your point, how you're doing what you say you're doing or what the regulation is asking.
Steve Bomberger: Jack, you mentioned the word KPIs. We're talking about metrics a little bit. I know this is a tough question because a lot of people say, "Hey, looking at ROI around cyber security is a really difficult subject." Any ideas or recommendations from the group around KPIs, maybe from either a technical perspective or metrics or KPIs that you've heard from other executives or other board members that are important to look at.
Jack Allison: I don't know, I think I want to turn the mic over to Mike because what we did with them, through the metrics that matter platform that they've built out, really let us figure out what the financial, as well as the maturity growth was for each strategic decision we've made, right? So you can already get this broken record speech from me, "I really like metrics." It's my fault. I'm an econ undergrad, right? So everything that you can do in economics, I feel like you can do kind of through all the business stuff. So Mike, I'm sorry to put you on the spot, but if you want to share a little bit of that, because I don't want to say something I'm not supposed to, well, "Where's my [crosstalk] coming?" But please jump in there. And I'll play backup harmony.
Mike Kenney: No, I really appreciate it, Jack. I mean, so one of the things that we've done in terms of metrics is we've developed a platform to help quantify cyber risk. And the way we've done that is we've looked at 10 years of publicly available cost of breach data. And I think just making the decision to start that process about two years ago was absolutely critical to how we got to where we are today.
Mike Kenney: Because the refrain for a long time has been, "There's not enough data. When there's a breach, we call the lawyers. We make sure that the absolute bare minimum gets out publicly." And we're reluctant as a company to share any information whatsoever on what happened, why it happened and what the impact was. So we decided we're going to start looking into what's out there, because there is a good amount of data out there and more and more every day, which helps us get a little bit more precise on what the cost of certain types of breaches looks like.
Mike Kenney: We also know what kinds of cyber security controls mitigate the impact of those breaches. And as we bring that information together, we can begin to quantify the cyber risk to an overall environment, given a certain set of controls and the corpus of data is growing every day.
Mike Kenney: We haven't really touched on it yet and maybe we'll go there, but cyber insurance is an industry that's picking up significantly. There's more and more good data that's coming out of the cyber insurance industry. It's not the end all be all, but it is good input to helping to quantify cyber risk within industries or within certain organizations.
Jack Allison: And I'll just jump right back in on that real quick, sorry, Ryan to do this.
Ryan Hicke: No.
Jack Allison: Based on that, now that Mike's giving you a little bit of a primer on what this means. We are able to take that information through our various levels of approval, right? So we have a very effective new product and services committee that needs to kind of look at all the things we want to do. And then there's obviously an executive steering committee and ultimately the board, got to see this.
Jack Allison: And we got to show quantitatively, the risks that we were taking off the table in dollars, something they really get and really want to maximize, right? They got. But in addition to that, without bogging them down with what NIST is, we were able to get them a little bit engaged with the NIST framework and say, "Here's how many more things we have coverage for and how many things we had coverage on, but improved." And we were able to get a score, right? That can be digested and tracked over time. So this is exactly the heart of the matter that I think don't take shortcuts on saying, "This is too hard."
Jack Allison: As Mike said, it is possible. And by doing that, you can keep your team focused and you can keep that dialogue with the business, that communication that we keep talking about here, you can really keep that going and evolving in a positive trend.
Ryan Hicke: I think it's simply a combination of getting that data, using that data in the right way, as Jack and Mike said, and then Steve changing the posture inside an organization to run true tabletop exercises. So when you use that data and you see the statistics of the probability of something happening and then saying, "Okay, well what if it really happened here? And what if we couldn't? What if Jack couldn't access this production environment for three days and couldn't trend?" Then the conversation is totally, totally changed. Totally changed because I think, and then if people engage in these real exercises of saying, "What would we do in this event?" You have a different lens.
Mike Kenney: Yeah. On that tabletop piece. And to connect it back to metrics here. I think one of the most important exercises you can undertake is to actually sit down and begin to define what the appropriate metrics are for your organization. Two that I think apply basically across the board, are recovery time objective and recovery point objective, critical to a disaster recovery and a backup plan. But if you can understand, and you don't need a technical background or discipline to have this conversation, if you can understand, "How long can I be down for before the operation to the business is significant or catastrophic?" And put that down on paper, that's a big step and recovery point objective. "How much data can I lose? How many days?" Yeah.
Ryan Hicke: That's such a great point, Mike, you should expand on that real briefly. I think sometimes for the audience, because I might be willing to be down a little bit longer if I'm not going to lose any data. And I don't think people make that connection a lot of time because my actual recovery to the clients and the business may actually be faster if I didn't lose any data. So if you don't mind doing maybe 30 seconds and explaining those, the differences, between those two things.
Mike Kenney: Yeah, absolutely. So RTO, recovery time objective, how long can my systems be down? Recovery point objective, if I look going backwards, how much of my past data can I-
PART 3 OF 4 ENDS [00:36:04]
Mike Kenney: ... going backwards, how much of my past data can I afford to lose? Can I lose the last 24 hours of work? Can I lose the last 48, the last week, the last month? At what point, again, is it a critical interruption? A catastrophic interruption? At what point, do I have to go buy new servers and just start from scratch? And what's the impact from a dollars and cents perspective of doing that? So that RPO/RTO conversation is a good starting point for building metrics for a cyber program that connect to the overall mission of the business.
Ryan Hicke: Thank you, Mike.
Steve Bomberger: So common theme here around resiliency, and how you view resiliency within this, is there anything from your perspective, gentlemen, around resiliency that we haven't covered today, or any general topics? I think we've hit on effective communication strategies. We've talked about metrics and potential KPIs, we've talked about, not only the conversions of the security risk with the business risk, but I think you have brought up good conversations around, there is compliance, and all the way on the front end, and the tail end, there's an insurance component that's becoming a bigger, bigger topic, and then there's that operational component in between both to those. And at some point, the challenge that we all will face is aggregating all of those three components into, "What is your security posture as an organization?" So I appreciate all the angles that you've taken from your lenses today. Anything that we're missing here that you want to share with the audience? We're at that 40 minute mark, so I want to be true to our word here. Any thoughts in general, folks?
Ryan Hicke: I'll start here, Steve. My last thought, I think it's important because it picks up on Mike and Jack's last point, I think if people take away from this to not confuse technical recovery and resiliency with business recovery and resiliency, it's just a great starting point of understanding that and what that actually means as an umbrella. And then I would advocate everybody that's participating to hire consortium for some work, open a bank account in Republic, and outsource to [SEI Sphere 00:38:17]. I mean, that'd be rude of me not to do that.
Steve Bomberger: You stole my close line, Ryan. You stole my close.
Jack Allison: Nice work there, Ryan.
Ryan Hicke: No, I didn't know that Mike was going down that path with RTO. That was one of my biggest learning experiences getting this job a few years ago was distinguishing between those two things, and the technical recovery and business recovery were often very, very different timelines.
Jack Allison: I think we can get an amen on that.
Steve Bomberger: Yeah. There is one question, [Heidi 00:38:47], I know you were probably aggregating. There seems to be a theme here that I'm seeing on the chat around poly cloud environments and security. And I know Ryan, you kind of talked about it a little bit in your section, which is, "Hey, just because you're putting it in cloud doesn't mean it's out there and it's not your responsibility anymore." Any thoughts, gentlemen, on digital transformation and moving to the cloud and poly cloud environments and the security that people should put around that or think about?
Jack Allison: Well, I mean, I think we've said it earlier, so I'm sorry it's a bit of a repeat, but just because you moved to the cloud doesn't mean that all the things that you've built, or even if you've got ideas of building them, you think you can walk away from that build process by moving to cloud. All that stuff has to come along. It can be a point that you actually freeze, because you don't know how to do that. Don't let that be the reason. I think, Mike, you're the one who pointed this out earlier in the conversation, there's actually some better things that are happening in the cloud for us all. It does take you to rethink, so I think teams can become frozen, because change is hard and, "What does this all mean?" But when you actually think about the things you can take advantage of by building that cloud environment out cleanly with those new advantages, you could do some amazing things.
Jack Allison: We could probably spend two hours talking about that, but when you talk about what you can do with high availability zones and recovering things and auto recovering things by just having really, really strong, yes, believe it or not, config management, the most boring part, probably of our jobs. But if you really rock through that and you get some great tools in there, you can do some things. Ryan, you called it out. Sometimes you got to start over. So by having that good foundation, you can start over really fast. And I'm not suggesting that we have to go to those extremes in every case, but you should give yourself permission to think through that in your design, and then go test it. Not in the nuclear way, do some tabletops, and make sure the little pieces that you're taking on really do deliver what you heard. But I do think that's really, really important.
Steve Bomberger: Great point, Jack. Sometimes take that pause to evaluate really where you are before you head for [crosstalk 00:41:00]
Mike Kenney: I think that's perfect. I think there's a real opportunity in doing that, in thoughtfully and deliberately planning your digital transformation, or planning your migration to the cloud. It gives you an opportunity to assess exactly what you have. Do you still need it? Is it still functioning the way you want it to function? How's it going to function when it's in the cloud? How do my responsibilities change when that application is running in the cloud? But I think the opportunity... I look at all of this as an opportunity. There's a chance to really accelerate whatever it is that you're doing online by moving to the cloud, to reach more customers, to process more transactions, to increase your uptime or your reliability to five or six nines. All of that is possible in a cloud setup in a way that it just is not possible in a one or multi data center approach that's geographically located within miles of each other.
Ryan Hicke: Yeah. And what I would say to the poly cloud question is a couple things. This is just from... So this is SEI experience, we're certainly not the total experts on this. So our experience has been a few things with the move to the cloud. I think Mike just made a really good point. We made a big investment in educating people that cloud was not just about where the application is hosted. Cloud is about how the software is designed and developed and deployed. It's a whole different paradigm. And I think that actually engaged more of the workforce.
Ryan Hicke: I think we also spent a decent amount of time building out what we called landing zones for Azure and then AWS. And they're not exactly the same. It's like a BMW and a Mercedes, they're different to drive. And we had our [InfoSec 00:42:58] team and compliance, we had a lot of people involved in the build of those landing zones, which I would argue actually has allowed us to go faster, because we made that investment in those landing zones.
Ryan Hicke: And then this is just our experience, Steve, as you know, is we made sure to not create a cultural divide between the people doing the things in the data center and people in the cloud, that it was one team and it was the future. And that was a win for us, because we learned we've done things at SEI the other way, that was a mistake, and we created a haves and have-nots. And I think our experience has been get everybody engaged in that journey to the cloud and not, "Oh, you guys will be in the data center. That's the legacy." That's not true, because there's a lot of cloud native things that are actually relevant to our data center. So that's my 60-second soapbox on the cloud, because I think everybody's dealing with it right now.
Steve Bomberger: Thank you, gentlemen. That's great. One other question here that popped up, I'm just going to read it verbatim here. "Are there metrics around loss of goodwill when customer data is compromised, or their operations disrupted due to a breach?"
Mike Kenney: Yeah. I want to... Let me jump in with that, because I think it's a great question, and it's one that we're studying right now at Consortium. I'm very inter... I don't know of any good metrics right now, and it's something we're looking very, very closely at. Because if we can reliably measure that impact to goodwill, that will factor into a company's overall cyber risk. I think there are plenty of examples that we can think about, Equifax and FedEx and Maersk and Colonial Pipeline. I mean, some of these don't have customers that can readily leave them in the first place, and I think that's a separate conversation. But it's a good point, and it leads to a question about whether or not individuals are starting to get desensitized to the concept of data breaches.
Mike Kenney: And, again, I don't know the answer, and the research that we're working on is not complete, but I think it'll be interesting. I think there is an increasing theme out there that focuses on data privacy, and there's legislation and compliance around data privacy. And I think the next step of that may be something along the lines of ownership of data. And I, as an individual, own the data that I create by using the social media platform, or that I provide to the credit card company. And then that changes the entire concept of what happens after a data breach. And let's not forget that these companies are the victims of crimes, and you don't necessarily want to blame the victim in these cases, if they can show that they've taken reasonable measures to safeguard your data. So anyway, it's a long answer to say, I don't know, but we're looking into it.
Steve Bomberger: Sounds like you just created the next topic for our webinar, if we can-
Mike Kenney: I look forward to being back here.
Steve Bomberger: We could probably spend an hour on that one. All right. Well, I don't see any other questions popping through here. I know we're coming here to the end of time, at least for our session today. So gentlemen, any other final thoughts for the group here, for the attendees? All right. Well, Jack, Mike, Ryan, thank you so much for your expert insights today. There are definitely some takeaway items that I've gotten from it. Thank you to the audience. Yeah, Ryan? Yeah.
Ryan Hicke: Yeah. The only thing I would say, Steve, on the [PACT 00:46:48] front, I know, obviously, one of the big missions of PACT is to kind of really try to enable the entrepreneurial community in the area, in the region. And if there are people that are looking at doing things in this space and they want to reach out personally, I know to me, and I'm sure Jack and Mike would be the same. They just want to just reach out and make some connections, not even on business side, but just to network and get educated and learn a little bit more, I'm always open and willing to do that. I think that's important.
Mike Kenney: Absolutely.
Steve Bomberger: Thank you, Ryan. Thank you, PACT. Thank you all the attendees of today. Have a great rest of the day.
Ryan Hicke: Thanks, Jack and Mike. Nice job, Steve.
PART 4 OF 4 ENDS [00:47:30]