Skip to main content

Webinar replay: ICBA - The future of the cyber fiduciary

February 15, 2023
clock 44 MIN READ

Modernization of technology means more ways cyberthreats can affect a company. Cyber risk should be viewed as financial risk; therefore, we can expect it to become regulated as such. Given that premise, community bank leaders could potentially be pulled further into a formal fiduciary role over cyber risk.

In this webinar, we will discuss what the fiduciary responsibility means in the financial industry and how fiduciary leaders can take charge for their organization.

Featured speaker: Dave Detweiler 

View transcript

Close transcript

Speaker 1 (00:06):

Hello everyone. I'm Janine Donnelly manager of Webinars for Independent Banker Magazine. And on behalf of the I C B A an Independent Banker Magazine I'd like to welcome you to our presentation the Future of the Cyber Fiduciary. We will be holding a q and a session at the end of the webinar but feel free to ask a question at any time during the event by entering it into the q and a panel. If you experience technical difficulties during the webinar please use the q and a panel to alert us and someone will assist you. You may download a PDF version of the slide deck by clicking on the drop down menu labeled event resources. You'll find that on the left side of your screen and know that you can download those right from the platform without being disconnected from the webinar. Today's webinar is sponsored by s e I Sphere. S e I Sphere provides cybersecurity and it managed services designed to optimize secure and support the complex and evolving technology operations needs of today's regulated and data-centric businesses. Our featured speaker today is Dave Detweiler. Dave is the managing director for FCI Sphere. In this role he leads a team that helps business and technology leaders of community banks bridge the gap of cyber protection to secure their growing business.

Dave's professional background includes more than 20 years with software as a service startup organization specializing in building expert teams that help define effective solutions for customers. And so without further ado Dave I'll turn the presentation over to you.

Speaker 2 (02:07):

Thank you Janine. And  hello everybody. Thanks for having me today and thanks for joining in.  Janine it's a great background and I appreciate the introduction  for everybody that is on the call joining us today.  please take Janine up on it. I know it's the day after Valentine's Day but I'm gonna be a little lonely here myself doing this presentation. So if you do have questions or even comments please feel free to submit those into the q and a at the bottom.  I'd love to see 'em. I'll incorporate 'em into the conversation as we go through this today. I know we have about an hour scheduled like Jan mentioned but I promise you I won't I won't bore you with an hour of slides and content. It'll be much more engaging if you have some questions and I'd love to field those as we go through it.

(02:49):

 But again thanks for joining us today and really a pretty simple agenda. We're here to talk about the concept of fiduciary right? Why it's relevant and kind of how it applies to banks and cybersecurity and really some suggestions on what we can do to get ready for it  for a little bit more background not just on myself and SEI sphere. SEI is a large financial organization itself highly regulated. We've been around for 50 plus years publicly traded for 40 of those years as well. So we understand a lot of the regulations and things that banks and yourselves on this call are going through.  And hopefully you'll see that's the lens that I'm kind of coming at this.  We have had to go through a lot of and many of these things ourselves as an organization to help grow and protect from the advancing threats that we've seen in the marketplace.

(03:39):

So just a brief agenda here today and we'll walk through this.  But really you know when we think about this term what the fiduciary is? I think that the term itself a lot of people probably hear on the airwaves today. There's a couple commercials out there where they use that term over and over again. But you know how am I talking about it today and what does it mean? Well really if you think about it especially from a banking standpoint this has been done fiduciary has been done for financial assets right? It's kind of the same criteria that motivates financial regulation applies to data and information security. It's the it's the same way to look at it right?  And really as we see this the executive leadership and board members are gonna start being held to if you will a fiduciary standard over cybersecurity by the regulators right?

(04:25):

The regulator's real focus that we're seeing right now is maintaining trust in the marketplace. And what they're kind of seeing within our organizations like yourself is the idea that there's already fiduciaries in this business. And if we can put some regulations specifically in place to their responsibility for cyber right?  We now have a connection that organizations are gonna have to start to answer to. And that's what we're seeing right? So the idea that we all really have become it's not just the financial element of the data that we're housing and controlling you know in this financial sector and vertical it's all that other data that we capture too the data that your organization is using for marketing.  just recently we put out a blog post about  some new stuff around SEO and SEO poisoning and how attackers are starting to target that information too.

(05:15):

So when I use the term fiduciary I don't want you to just think financial right? There is a financial motivation and we're gonna talk about that from the threat actors and things like that. But think about this as really all of the data the not just the data that you're housing but then also where that data goes where the data's stored what partners use what third parties. It really starts to create this dynamic you know footprint of our responsibility. And really the easiest example here is is you know a 401k. I think we're all familiar with a 401k right? There's a responsibility for selecting the investment fund and to which we as employees can invest. And those people need to understand the purpose of that fund the risks of that fund and the oversight of that fund right?  and why it was selected versus other options.

(06:02):

But at the same time they're not responsible for it underperforming in the market right? It it's process not outcomes. And I think that's really how we all have to start looking at cybersecurity  and really start associating as we talk about this today a little bit how we associate monetary value to that and funds to that but really how the process is gonna help us lead to success. And that's really what we've been focusing on. And and that's you know hopefully makes a little bit of sense when we start to use the term fiduciary and what that means in the you know in in the landscape. And then obviously there are plenty of you on the phone maybe some of you with these titles here right? But I think that everyone you know that's playing a role within our financial organizations has a role in this element right?

(06:50):

 I think that you know everybody kind of has a different slight for sure the financial folks are gonna you know try to understand well how much does it cost to comply? Or how much do I have at risk? Or whatever that might be. Whereas you know a risk officer or someone on the InfoSec team might be you know a little bit more worried about what's the type of data like we talked about. And I think those are some of the questions we're gonna hear come more regularly and more often. What types of data are you're capturing? How much of that data do you capture? Where is that data? How often do you use that data right? I think those are some of the types of questions we're gonna start to see. Again it's not just the idea that we house and transact on millions and some of you billions of dollars if some of those trillions of dollars right?

(07:31):

It's not just that financial element it's also the data element of the information that we're capturing in housing as an organization and our responsibility around that right?  so if we take this   a step further you know obviously there are leaders in business and honest. What we've seen and I'm sure what many of you have seen you know here joining us today is leadership. Most leadership teams are willing to support infotech it right?  especially when the purpose is clear. Like think about some of the big projects that might be being worked on within your organizations you know a core process or a crm a things where you've gotten support because there's a very clear purpose to it right? And I think the point and some of this conversation today and I'd love again to hear your feedback  about this but the idea that  you know really what it comes down to is understanding the management you know managing other business risks.

(08:30):

Why are we not managing the cyber risk like we manage other business risks right? There's trust between the business it's customers the regulators you know and in the market. But are we top or are we on top of the business right? And and I think really the evolution here  of course we all want system availability. And of course we all wanted to make sure that our intellectual property is secure. And and yes no doubt Dave just talked about compliance and you know what's gonna happen and you know what are the regulators gonna say? All those things are important. I think what what we're trying to maybe change a little bit here is is how do you think about cyber and how do you think about cyber risk? And and the idea that you know sometimes that's very difficult to articulate. I think we have great support from an executive leadership team and a bunch of people and and throughout our organization that say Hey I don't want to be hacked right?

(09:21):

I don't want something bad to happen to my organization but how do I understand like what that really costs? How much should I spend? How little should I spend right? And I think those are some of the questions that we're all dealing with. And honestly if you think about the risk side of this we have tons of data as organizations especially the ones that I can see on here today around driving and supporting nbers with precision right? Financial risk is our ballywick I'm sure plenty of yours sitting on this call and are like yep I know those words. And every time when we sit down I know I know what those charts should look like. I know what those graphs should look like. And by the way when I start to even hear the tone of people talking I know how we're doing because there's some type of risk you know expertise to this  in in many of the other things we do across our life right?

(10:12):

I mean it's not just financial risk. Think about insurance right? And and that's another topic we'll talk about a little bit here today too. You know well what about cyber insurance? And is that a topic that's intriguing today? Well how do you associate your cyber risk? What types of data do you capture? Cause I be you your business is a little different maybe than the other bank down the street. Maybe not maybe there are some similarities but I think that's what we all have to be aware of. And what we're all trying to really kind of maybe circle around a little bit is the idea of how do we start to process this? How do we start to think about cyber risk you know in more of a  traditional way if that's a term right? There isn't a clear answer necessarily right? The biggest problem that we see a lot of times when you when you're sitting there and you're saying okay well you're telling me the regulators are gonna maybe have some additional you know   requirements for me as an executive well damn then as an executive I should be able to have some type of a risk chart to this right?

(11:15):

A association a risk versus reward. What am I getting out of this? And really the problem with cyber is that it's quite asymmetrical right? On any given day  you know it could be nothing or it could be everything. And the idea is that's where I think and what the regulators and the regulation is trying to push right? If you look at this chart compared to that other financial risk chart this is what a a cyber risk chart might look like right? It's asymmetrical again it's not what risk feels like to everybody sitting on this call that's used to looking at financial risk for years right? And understanding what that is.  and I think that when you know if I go back a slide many of you know a lot of times when asked the question well how are we doing from a cybersecurity standpoint?

(12:04):

How are we doing from a security standpoint at the bank at the at the firm at the location right? Think a lot of you you go back right? Well we passed our audit. That's good right? Check. I haven't necessarily had a problem right? I I I don't think we've had a problem. And that's where this kind of lopsided risk comes into play. And the thought of Hey how can we start to affect that right? And and what does that mean?  and and you know how do we change maybe the the current state? But I think establishing a process that meets the standards right? It it facilitates the conversation of what investment needs to be made.  sometimes I think that conversation's tough because the information security people you know kind of falls within the business hierarchy. So maybe that's why it's not a traditional seat at the table.

(12:52):

You know if you're a person that's sitting there with your financial risk model and your calculator in hand your information security person probably isn't sitting there hand in hand. But you know I I think the question becomes at some point maybe does that person sit there at the table? They probably should have a seat at the table somewhere for sure. Cuz it is opening up a there there's a business risk right? I'm not here to here today. And and one of the big things at s e I that we don't do you know I'm not here to promote a bunch of fear or uncertainty or doubt but I think it's the truth in what we're seeing. The idea that information security and the idea of how we pro protect our business has to become a business risks conversation. It has to become a risk conversation that we're having in the organization just like we're having the other conversations throughout right?

(13:35):

So as we look at this and and now let's look at maybe how you know where this is coming from and and maybe the the plight itself. So I'm gonna break this down maybe a step lower. So you're talking hey the executive level and hey there's gonna be some responsibility because there's a fiduciary element of this and we have data that's being tracked and housed and captured that we're responsible for. Now well let's look back a little bit historically and I'm talking now specifically about cybersecurity but I bet you many of you can make a quick correlation to other IT elements in the life cycle of your business. So think through the course of time. I'm talking let's go back a decade or so right? Which by the way when we talk about this term cybersecurity not more than a decade ago could you even get a college degree in cybersecurity right?

(14:23):

Most of our great cybersecurity people are now yes. Now there's degrees. Now there's great programs but less than a decade ago maybe 15 years for sure weren't necessarily in college getting their  you know degree in cybersecurity. They might have been getting in networking they might have been getting in some information technology type stuff for sure. Cybersecurity has really kind of come on the the scene over the course of the last decade or so. And the idea is that what has happened and for many of you that have lived myself over the course of this decade in business think about what we've been told a business to protect ourselves right?  we've really been set up a little bit 10 years ago was Hey if you put in a you know a firewall you're gonna be set. Don't worry about it. Firewalls what you need.

(15:06):

That's where all the attackers are coming from. So we all went and put firewalls in on our businesses and we were protected check right? You may have even had an auditor come in a couple years later and been like Hey you got a firewall in? Yep sure do check right? Well then a couple years later people were like well you know  you should have antivirus right? And maybe antivirus was first before firewall I apologize but I think you're following the analogy right? So everybody got antivirus you had all these different antiviruses on the machines and then you know so you have firewalls now now you have antiviruses. By the way those were usually two different vendors you know at the time you weren't getting antivirus from one and a firewall from the same one. Now you you progressed forward and email becomes the main means of communication for business.

(15:46):

We're all emailing back and forth. You have people that are starting to social engineer emailing right? Threat actors that are you know social engineering your employees and things like that. And they're falsifying emails and you know we've all heard about those. So now you gotta have an email vendor right? Well how are you protecting your email? Oh holy crap I you know I need another vendor now now I got an antivirus vendor. I got a you know a a I got a <laugh> I got a firewall I got some email. Someone comes out and says you know where you're really at risk is you know that end point that laptop that your computer has you know or that server that's sitting in your environment. How do you protect those right? So I think many of you hopefully are nodding a little bit. You've heard these conversations but really it's kind of a history that set us up to get to this point which wasn't necessarily setting us up for success.

(16:30):

Because what ended up happening was there were multiple tools in our environments to protect us. And yes those tools on their own were very good at that one element. But the idea that they weren't designed to talk together they weren't designed to communicate together they weren't designed to solve the problem together right? And and I think that as we've seen this  you know evolution the idea that this is one of the reasons we feel that the information security teams has really struggled a little bit to give you that cyber risk chart right? To give you that graphic. Because there there are multiple tools protecting the organization in multiple ways. And and a lot of those you know oh well if I had one phishing email that's a big deal. Whereas you know I I stopped at the firewall a hundred things. Does that mean anything?

(17:18):

Who knows what that means right? Like and I think a bunch of us sat there and were like well I'm putting money into this. How am I getting my investment out of it? And I think historically you know if we were gonna take it one step further I one of the things that we've seen from a lot of the tools and vendors and again this is us too as we've lived through our you know 50 years and and five decades of time the idea is that a lot of times these tools or even the vendors that you work with all best intentions right? But they they kind of just told you what was wrong right? Hey you know you had a problem over here. Hey you got a problem on your firewall. Hey you got a problem on your you know this is a bad email.

(17:55):

You weren't necessarily getting a solution to fix it. So now again associating that risk saying oh well I get a bunch of these  notifications right? Alerts some of them are good some of them are bad some of I should pay attention to.  and I think that you know I I I took this example a little bit. Maybe some of you have seen a a commercial or two around LifeLock where they talk about this and the guy's sitting in the chair right? And he's sitting in the dentist chair and the dentist says well yep that sure is a cavity. You know and the guy's expecting him to fix the cavity but he doesn't. And I think that if we all looked at that and especially from our vendors in this segment I think that's very important for us not only to have transparency and trust that we're working with those vendors but I think help with those solutions to the problems. Like stop me from having all those alerts. How do you stop that from happening? How do we continue to progress this and become proactive in this area I think is all something that  you know we we're working towards. And I think that's a a good solution. But I do think that's part of the issue in trying to put a risk score to this trying to associate hard dollar to this right?

(19:01):

So what are what do we think's happening right? What's changing? So pulling this back up a little bit a little bit above the tool conversation and the idea of how we're protecting the organization. I think many of you may have seen this definitely s e as we have a a big play in the history and some pension funds. We saw this in the pensions in the early two thousands right? The the public wanted to know more about those liabilities after Enron blew up right? The liabilities of the pension fund were forced onto the company balance sheet. If everyone remembers right? All of a sudden it's a high priority for the cfo right? I we're definitely seeing a similar pattern right? How that pattern plays out completely. But we're seeing a similar pattern for this for cybersecurity. This is the direction it's heading for. The idea is how do we start to to you know get our hands around this?

(19:48):

I think you know a lot of you probably today are paying attention to the the former CISO from Uber who's going through the litigation process right now. Maybe one of the you know probably the most popular or maybe whatever you know I I don't wanna mean popular in a good way. I mean just kind of his name is known out there as one of the first executives that's going through this process. Now he I'm assing unlike anyone on this call was acting you know pretty poorly. He was hiding some of the stuff that he was doing and and stuff like that. But I think the concept of that person actually serving time right now is something that a lot of us are starting to pay attention to right? And and I think the you know the the good news and bad news however you feel  and this is definitely not and I will say this for sure not a political commercial  but both sides agree.

(20:42):

Democrats and Republicans I think both agree in this. And I think what it means is there's a a high likelihood  of something may actually happen with you know with some congressional approval right? And I think that again you know when you're when you're looking at this well what does that really mean? I I you know I think there's some things and we'll I I have a couple of these baked in here in a couple minutes that we can talk about just initial things that you can do. But I think there's an initial concept of this which is hey like how do how do we justify this? How do I justify my spend? Right? Like I love for some of you on here I see that there's a couple financial folks on here right? Like the idea of in your job like understanding how much you should spend for good protection.

(21:25):

I just saw an article the other day that came out. You know spending a ton of money doesn't ensure that you're fully protected. That doesn't you know go back to the silo conversation. I I we were talking about you could have a hundred tools. If they're not talking together it's not making you more secure. It may allow you to check a couple more boxes off on your audit but it may not actually be protecting the organization better and it may be a waste of money a waste of spend right? So  I'm gonna stop there and take a break. I'm gonna take a sip of water as I transition to the next slide. If there are any questions or any comments please feel free to to put those down below as I'm going through this.  but hopefully this is resonating with you as as we're we're kind of navigating through these slides.

(22:07):

Now I want to talk a little bit and just kind of transition a little bit about you know what are we  you know moving forward what's it look like and and what what should we do? And and kind of how does what does that look like right?  so as I as as I pull up this slide I'm hoping many of you you know had a smug smile on your face and said Dave of course this is what I'm doing. Cause that's what we see in the market. I think that there are some things that especially banks have have picked up on right? And and the understanding that we are in a highly saturated attack vertical right? In the financial as a financial institution. But I think these things  most people are picking up on doing. And this is the stuff that you want to be paying attention to right?

(22:50):

We you always hear right away you know whenever there's a a big event like think back to the it's still ongoing but the the geopolitical event around the Ukraine and Russia right? The idea what did everybody say right away? Like whoa there's gonna be a big cyber attack. What did everybody do? We should go patch right? Make sure you're patching. I think everybody has gotten to this point and if you haven't I'm sure you're looking at this from an organizational standpoint but the idea that patching is important  network operations and running your network effectively and efficiency and with resiliency and scalability is important to your security program. So any of you network folks on the call maybe you can gimme a high five but support your network guys right? They and gals they need to make sure that you're patched and you're efficient and you're in a good spot.

(23:34):

I everyone has heard and I've seen the trends in spending and I know that the majority of you probably on this call are doing it today. They're spending around employee training. Where's a weak link? The weak link is your employee's gonna have a bad day? The Super Bowl was on Sunday they came in Monday morning and they clicked on a link cuz they weren't fully thinking through their day right? So the idea of fishing testing it's a it's a big deal. We absolutely see that as an area  that you can help you know  lessen that risk I guess. And then I'm not gonna go through the last two I'm sure everyone's doing but you know penetration tests and scans are obviously very important  from an organizational standpoint. But what we really believe at S C I and and and what I'm talking about cuz you might have said yeah Dave I have those four bullets. <laugh>

(24:21):

That's great. Well tell me something new right? Well the idea is that really what you're trying to do is get to the center of this Venn diagram. That's what you're trying to figure out right? You're trying to figure out as an organization there's a whole ton of threats out in the threat averse right? Made up word right there. But the idea that really you're also looking for the relevant threats coming to your organization. Many of you especially a couple of the IT folks I see on here today dog fooding right? The idea that the threats coming at your information are probably or at your organization are probably the most important threats to your organization is something to pay attention to right? But the idea of then taking those protections you have in place and understanding the concept of am I protected right? And that's that center of that Venn diagram that you're seeing there.

(25:13):

And it can happen right? It takes a little bit of work for sure. But this is our belief right? When you start to when you start to think it think of this. And and one of the things that we we've always laughed about a little bit here is you know all the bad guys just gotta be good ones right? How many of you guys have heard that right?  The idea that you know oh they have to be and I'm gonna stop here for a second cause I appreciate the question that just came in. So Raul I appreciate the question and and yeah for infrastructure definitely including so the question is you know when we're talking about infrastructure and patching and things like that is or switches and routers included for sure switches routers servers  all that hardware that you have out there you have to be looking at to be current right?

(25:58):

And I think that  I so nber one roa I appreciate the question. Thanks for reaching out. If anybody else has any other questions please do.  but the idea here is I switch back to kind of the fiduciary responsibility. What happens what's that Venn diagram? What is really the secret sauce that I'm looking for and getting to that point of I want to do away? The idea is that a bad guy shouldn't have to only be good once they should have to be good five or six consecutive times to be successful. And that's what we all should be working on right? And there's all kinds of corny terms out you know out there layers defense and debt. There's all kinds of terms. What it means is hey the bad guy's gotta be good a bunch of times not just once right?  so the idea when we're thinking about this and as what we've kind of  arrived at and and what we're looking at it's not just Hey you know what's active in our industry And and we look at that amongst our peers.

(26:51):

I think one of the one of the big topics that we've been talking about a lot and and especially from a leadership standpoint that we all should understand on this call is that the bad guys are working together today flat out just that's a truth.  that is not Dave DeWaard from S c I Sphere saying anything the threat actors there are terms today like ransomware as a service. I was with an organization probably a month and a half ago. That organization had unfortunately a hack right? The organization figured out as they went through the process how that occurred. And what actually occurred was some bad guys who were very good at infiltrating infrastructure they networked in and they planted the hack then they went on the dark web sold that on the on the at an auction access to that hack. And then those people who bought it came back in.

(27:49):

They entered back in through the the door that was built by the bad guys and they got about you know a gig of data and I think the estimate was closed to one  1.2 million or something like that right? The idea here is they're working together right? They they figured out solutions they're good and bad. They have people who are retiring they have people who are  you know renaming their groups.  recently if any of you pay attention to like some of the cyber stuff going on there was recently a hack in the on the west coast of some children. And it was a horrible horrible scenario. That person got kicked out of the hacker community. So think there's rules within this community now we all have to start working together. And what I mean by that is I'm not saying Hey you have to go select FBI's fear as vendor.

(28:33):

I would love that for everybody on the call but the idea is we have to share amongst our peers bank to bank. There's great ways and fors that are out there. You should be interacting with them. And if it's not you on this call someone in your organization should be interacting with your peers. It's not a competitive advantage to be good at cyber. Not one of you is gonna go out and put on your website that you are the best bank at cyber and because of that you're gonna get more customers. So I I think at the baseline level and this is something very proud from our organization standpoint we're one of the largest shares of free threat intelligence into the financial services market. Cuz we believe in this and we believe in the idea that if we can take some of the ROI out of this for the attackers it's gonna help us all as an organization.

(29:17):

It's the whole corny saying you know a rising tide raises all ships right? So once we look at everything that's active in the industry it it's not gonna cover everything but it sure covers a lot right?  but then you have to look at kind of the the process. What's the daily exercise? What do you go through? And in our world it is it's truly daily as we're looking at this but what's the process for choosing these? How are you going deeper into it? And this is what your organization can look at. You know we're working with  you know a vendor or someone you might be wor you know you might be using in this area but to define the scope. And then also how do you prioritize that right? There are billions billions of alerts and notifications out there today right? I'm sure many of you're part of CISA or FSI Stack or whatever the group or organization is that you're part of the idea.

(30:04):

There's billions of 'em. So you have to figure out a way to prioritize 'em. I hear so many times when we're out talking to people they're like yeah I get a lot of alerts. I don't even know what they mean necessarily. And sometimes I'm too busy to focus on 'em. Right? And then the last piece of this kind of as you're thinking about this and and I shouldn't say the last piece. The the the important piece is regularly updating this forecast right? How important on networking those relationships making sure you understand what's going on in the industry  and and really kind of starting to share back and forth right? It's you almost gotta share relentlessly back and forth. And I'm assing some of you have communities I know that we're a partisan private communities and things like that where you have that. I would just suggest that whomever in your organization should be part of those.

(30:46):

Cause it just helps us kind of keep that head on a swivel. And then the last piece of this like I talked about in the Venn diagram  is the protections we have in place in comparison to those threats and those attacks that we have out there. So we map each attack that we've identified almost as what we would expect to see right? I think anybody that sits here and tells you Hey we're gonna be proactive. I think that's a great statement and a great something that everybody wants to do but it's very difficult. I think you have to understand that cybersecurity is a person sitting on the other side of the screen trying to get into your organization. It's not it's not some technology right? It's a person.  so the idea that we need to create the make sure that we have the coverage  by continuing to acquire that right?

(31:32):

Threat intelligence. And really the final piece of this is what the heck happens if we fail? One of the cool stats I saw the other day that came out was last year the ransomware payments went up but 55% less companies paid the ransom right? Pretty cool stat. Now why? Right? Well some people you know negative Nels out there would say well that's because companies aren't reporting <laugh> reporting the ransomware. That's probably part of it. But I think part of it is also there's a cyber insurance element. And I think also a lot of u I professionals on this call deserve credit for that. Because what you have figured out is hey if I have a backup if I have my stuff tight and they and they encrypt it right? The idea that very quickly I can spin over to that backup and and it doesn't affect how I'm operating how the firm is operating right?

(32:23):

So a lot of credit goes to that. And I do believe in the goodness of those things that are happening right now.  at the end of the day when you think about this and this is another analogy I like to use. I don't know how many of you have ever lived in a city or live in a city now but when I used to live in a city you know car thieves would walk down through the block and they would just check the car handle right? That's all they were checking for to see if you locked your car or not. As long as you locked your car they kept moving by. And I think that's a good concept to understand from a cybersecurity element. Like that's why patching's important. That's why it's good to understand what's out in this environment and also vital to understand the protections you have in place.

(32:59):

Cause you wanna make sure your doors are locked you just don't wanna make it easy. And then we can work on taking the ROI outta this program but baseline make sure you know make sure the doors are locked.  <laugh> as you're going through this  now the idea and and I'm gonna give you a picture here. This is a little bit further down the path but the idea this is actually how we look at it right? So when we look you'll see here on the screen this is just a sample of a a grid. On the left side you're seeing some threat actors right? So we track almost a hundred I think it's like 95 different specific threat actors to the financial industry. And what you're seeing go across the grid there are the different attack phases of the kill chain. Some of you may be familiar with this if you're not it really doesn't matter.

(33:39):

Look at the grid. And what we're saying is that hey if something were to happen on the left do I have protection at each one of those phases to make sure that it can't continue? Right?  making sure that we're seeing everything in the environment then we know the controls are tested. And this also absolutely ensures that a bad guy has to be good more than one time right? They can't just get lucky. They can't just walk by the car pull open the door and be like damn I got lucky today.  so this may be a little bit further along but just a little bit of a visual to start understanding hey how do we prioritize this? We're actually spending some time as as an organization seeing if we can start to do some scoring back to that risk scoring and see a graphic maybe or a chart that looks more like a financial risk chart.

(34:26):

But the idea here is these are the risks that are out there. And I think that what I'm circling back around to right?  we we we said it kind of the the beginning of this or I said you know as we were talking about this there's a investment. There's definitely a a great wave of cyber kind of investment or churn coming. As I mentioned you know you couldn't get a degree in this you know 10 15 years ago. The talent's coming it's beginning to come online right? So and cyber education's you know really blowing up. But I think the the best conversations for the business to be able to articulate a defensible process and determine if there's investment needed right? Budget needed to reach that standard. That's and I know that's a lot to say and I just you know I said it in one sentence that makes it simple.

(35:11):

But the idea is we gotta get to a a place where we can defend this and we can present back to our groups our executives our boards and say Hey like we've been working really hard on this and this is what's happening.  so you know I I think just to to smarize what I said and hopefully I haven't board everybody in the office  you know in the audience here today. But really what what we're seeing is there's a regulatory push for for a greater standard in the C-suite. And you're starting to see that play out just in the initiative of where we're seeing and and who's being held responsible or accountable for this. And again that's not me sitting here saying Hey I want to you know push fear on a couple of the executives I see here. What you you want to move from like I mentioned proactive may not be the right term but future proofing is you have to get to the point where you're thinking about what you expect to see.

(36:08):

We have to start to get to that avenue very similar to excuse me that concept of risk and and financial risk.  and then you know the last piece is I spent a bunch of time on this of mapping your active controls. You're gonna work with a vendor you're gonna work with your tool vendors. I'm sure many of you probably are putting some of this together yourselves. You're gonna work with your team and you're gonna start to pull this together. Say okay how do we actually protect these different areas? Right? It was the concept was pretty simple when everybody wanted to train your employees right? That was a pretty simple one to identify. You're like okay threat my employee Dave's the problem right? Let me train Dave and make him better. That may not be perfect right? But the idea there's other threats that are out there it's not just your employee right?

(36:52):

And we and and that's where I think that peer that community again I'm not promoting anyone's community here. I think just joining a couple communities obviously the baseline ones of like a CISA and things like that are important.  but at the end of the day and I spend a lot of time looking at different tools and and different things with organizations and you know working with organizations after things have happened for example I think the best thing that we can all have in place is that defensible process. Here's what we do all the time. This is why it works. This is what I know or I think is coming and here are the tools I have in place right? But that defensible process will help with some of those kind of budgetary discussions. Cuz again I don't want any of the IT folks here on the phone to be like well Dave's told me not to go ask for budget.

(37:42):

I think everyone should go ask for budget. But I think what we all have to be aware of is that spending more money doesn't necessarily solve our security problem right?  the idea is the tools have to work together. You have to have visibility you have to have a baseline infrastructure program that's in place. All those things have to take place for this to work.  and I think that many times in a budgetary conversation the security element isn't one line item. It's broken up of course  across different items and different vendors. And that's something that we're all just working on as an organization to help better protect ourselves right? So with that  I I I do have  just one slide here and and you guys can submit questions if you have any questions for what I said. But I do just have one slide promoting s e sphere here today.

(38:30):

Hopefully you'd like the conversation.  but the idea is s e sphere is in market today. We do provide a cybersecurity program  with outcomes like I was showing you there on the screen.  and we do  two other services too. Obviously today was very much focused on cybersecurity but we're big believers in  network is really the baseline for a good security program.  so we do provide a a network operations more of a traditional network operations program where you talk about you know initial triage and resiliency and scalability and stuff like that.  and the the last piece of the fund commercial from SCI sphere  our original CEO used to say this  we may have been one of the first public cloud operators ever. We created a cloud about 30 years ago.  that cloud now has houses over 200 plus applications.

(39:18):

Ten of the 20 largest banks here in the country actually utilize that private cloud. But we're a Microsoft Gold partner. We as a financial organization also have to figure out how to take advantage and secure and leverage that public cloud.  so we do help organizations in getting to the cloud or even more importantly securing the cloud making sure that it's appropriate  having conversations in what is appropriate and having up in the cloud or maybe still on premise.  all of these services work standalone. They  also work as you can imagine quite well  intertwined. But  each one of those can can stand alone  in the offerings. So with that hopefully I didn't bore everybody today. I greatly appreciate your time.  I'm looking here for some questions and I'm gonna hand it back  over to Janine to  go through a couple of questions that I see coming in here.

Speaker 1 (40:06):

Great. Thanks Dave. Yes we do have some questions.  before we kick off with our q and a I just want you  to let you know that that is a live link on this slide. So you can click on seic.com/sp sphere. It will open in a separate window and be available to you following the be in case you want more information.  and also don't forget you can download  PDF of the slide deck if you join late.  you just need to go over to event resources and click on that dropdown menu and download those before we  conclude. Okay Dave so here's the first question. Have you seen a successful way to present cyber risk to our bank executives or the board

Speaker 2 (40:55):

So it's a it's a great question. I think that that's what  you know that's what the conversation evolves around. I'll be honest we have a CISO here. I work with him closely.  he makes presentations to our board right? Not just the sci sphere component but think of our larger organization.  I won't say that we've cracked the the the proverbial you know not yet. But what I do think is that it is we are getting close.  I had a conversation the other day with a a fairly large carrier insurance carrier.  and his the comment that they had made was well you know everyone's calculation's gonna be different. It's just like everybody else's financial calculation right? There's some baseline similarities but everybody's gonna look at this a little different. I think the success that we're seeing is is around the idea of the visibility that we have and the protections in place.

(41:46):

Being able to articulate that back in a very succinct  smary. You know kind of two pager. And we we do have a couple examples of that that we push out that I have seen to be baseline successful. I won't say it's perfect yet.  I think that you know at an executive and board level a lot of times people like to see nbers and they're not  as familiar. Cuz again we don't have risk type scores. So they like to see oh your firewall blocked 5000 things. You know well that must be good. Like that's a high nber. So I I think we're trending a little bit less towards like oh look this stopped this this many times. Cuz I think those nbers are a little bit redundant now and and losing some maybe some luster in front of the board. And I do think there's kind of a succinct like Hey here's where we see vulnerabilities and here are the things we've done to solve those vulnerabilities. And I think that's where the value's coming back to the organization.

Speaker 1 (42:38):

Okay.  can you suggest any good fors or subscriptions for threat intelligence?

Speaker 2:

That's a good one. Like I said I think that ooh that's a real good one. There's a ton of them out there. I  I'm assing that I C P A has some some partners too that that  would be in play. I know that  we're big believers in the FSI SEC program too. And obviously like I mentioned earlier everybody should probably be part of cisa. I think that  you know those you know if you're living it day to day and you have you know kind of eyes on glass the whole time that I think that maybe some of those alerts are a little bit delayed for some people.  but I I I would push that. I bet that the people on here have a couple peers and you would say Hey who do you associate with? That's the most important piece is having that peer-to-peer relationship again kind of going down that path. This isn't competitive differentiation stuff. This is stuff just to protect your business <laugh>. And I say it as just but  those are a couple of the ones that come to mind you know top of top of mind right away.  but for sure  you know if anyone I don't know if you if you have any other thoughts about that or you want to ask me any other questions about it you can reach out to me directly and I can see if I can  couple together a better list too for everybody.

Speaker 1 (43:54):

Okay.  how about those? Have you seen any trends in cyber insurance?

Speaker 2:

Ooh this is a  that's a that's a real good one. Congratulations to everybody that's still on this call because I think that that's probably a topic that should be our next conversation. Janine. It's cyber insurance. It's an evolving world. It's an evolving world. I do we spend a lot of time with insurance applications. I've been working with a couple organizations about that are really trying to get on top of kind of  data integration which is really cool. Like Hey can you send the data that we have? Almost like an underwriting standpoint. So I think that's a really cool trend that we're starting to see. I I think initially you know I feel for the you know the underwriters in cyber insurance I I don't think that everyone knew what we were all getting into.  but the idea that  I think the trends that I'm seeing right now is that they're really cyber insurance companies trying to get their hands around a couple things basically right?

(44:56):

It's not just the "hey, do have policies and procedures in place anymore." I think that's a baseline. Everybody understands table scraps if you will. I think there's an idea of  I think there's an idea also around the cyber side of what data do you capture. Going back to my very first comment about a recent blog we did around SEO right? A lot of you guys are using SEO today from a marketing standpoint you don't even think about some of the data you might be capturing there or storing there today.  so I think the trend that I'm seeing mostly is one the most exciting one is around data automation or integration right? So hey let's send true data that you're that you are protecting the organization right? That you're protecting your own organization and that should give you some type of a premi credit or whatever it is right?  discount in some way. And then the the other trend I'm seeing just more of is is just the more inquisitive nature of kind of what data are you truly capturing and housing? How how do you have that? Where is it stored and stuff like that.  

Speaker 1 (45:57):

Okay here's one for you. Is it possible to show a return on investment in a cybersecurity program?

Speaker 2

This is  that's a that's a real good one. I think everybody you know I think the term ROI and return on investment is something that's always been highly utilized in IT purchases right? Like we gotta show an roi any purchase at the business right? You're gonna go buy a company car you should probably show an ROI on it. I think that it's difficult because many times executives turn around and be like well my ROI is that I'm not hacked. I have never been hacked right? Like why am I worried about it? I think it's very difficult then to talk to your organization and say yes but it is becoming more presptuous. Like we have to continue to stay ahead of the game. We have to continue to reinvent ourselves as we're going through this process because the bad guys are doing the same thing.

(46:46):

And I think that's what's very very difficult. Like I think at the end of the day telling you know someone who's a fiduciary of an organization that hey you haven't been hacked. I would love to believe that that would justify every cost in the world right? But I don't think that's quite good enough from an ROI standpoint. So I guess the without me clamoring on too long here Janine I think the idea is it's very difficult to extrapolate roi. Again back to what I pointed out spending more money doesn't mean better protection. So I think that  you know I think that we have to look at that and look at it to say okay well you know  there's a component for sure of spend that goes to this. But I think that if we can start to associate that a risk element then we we could see some type of an roi.

(47:32):

But this point I haven't I I've been involved in a lot a lot of conversations and I I haven't necessarily seen cyber protection be associated to an roi. I've seen vendor consolidation be associated to different you know thoughts and changes that organizations make. And I've seen you know  maybe a better I've seen people use some calculators say oh my risk posture you know my security posture has enhanced or increased. And that is a way that I've seen some people use some tools out in the market to to justify some of the spend. But it is really really tough to to  you know to put an r o ROI to cybersecurity that's for sure.

Speaker 1 (48:09):

Okay. All right. Seeing no more questions I wanna thank everyone for attending today's webinar. Also thank you for the  several co compliments we received. Great presentation Dave.  and I also wanna thank you Dave for sharing your expertise with us today. Later this week watch for a follow up email. It will contain a link to the recording of today's webinar. That concludes our webinar. Thanks again and enjoy the rest of your day.

More insights from SEI Sphere

Helping to identify the intersection of people, process, tools, and budget for optimal risk control.

Let's connect

Learn more about how we can help enhance your cybersecurity posture.