The Progress Report

AWS weighs in: Why businesses should strive to be a minimal viable company

Episode Summary

No matter the industry, every company needs a comprehensive, strong cyber resiliency strategy. But where does one start? How do businesses remove the silos that exist between departments and align their leaders? Listen as experts discuss the history of cyber resilience and share their insight on how companies can best plan for the next ‘cybergeddon.’

Featured experts: Gary Meshell, Worldwide Leader, Global Partner Security Initiative, AWS; Flick March, Global Vice President, Security & Resilience, Kyndryl

Episode Notes

Recent IDC findings show only 1 in 4 organizations are ready to adequately prevent and respond to a disruptive event. Whether that’s a natural disaster destroying servers and infrastructure, a mouse chewing through the wires or a ransomware attack, companies need to be able to anticipate, protect, withstand and recover quickly.

No matter the industry, every company needs a comprehensive, strong cyber resiliency strategy. But where does one start? How do businesses remove the silos that exist between departments and align their leaders?

Tune in as our experts explore the history of cyber resilience and share their insight on how companies can best plan for the next ‘cybergeddon.’

Featured experts

Episode Transcription

Sarah B. Nelson 00:02

Welcome back to another episode of The Progress Report. I'm Sarah B. Nelson, Chief Design Officer for Kyndryl Vital. I'm really glad you're here to join our conversation. Today's episode is very timely, as the increasing uncertainty in our world puts cyber resiliency front and center in everything that we're doing. So joining me today are Gary Meshell, who is the Global Lead, Global Partner Security Initiative for AWS. He's a recognized thought leader in security and cloud within the financial services industry. And he's well known as a speaker globally in places like China, Russia and Brazil, which is interesting for this conversation. He's worked with lots of large insurance companies and international banks. Before AWS, he was actually at IBM, where he led the IBM Security business for financial services. So welcome, Gary.

Gary Meshell 00:55

Thank you. 

Sarah B. Nelson 00:56

And then we have Flick March, who's the Global Vice President of Security and Resilience here at Kyndryl. Like myself, Flick is a lifelong technologist. And she's really passionate about cyber resilience. She has spent her life designing and delivering IT services and has, over a 30-year period, held roles in security and resilience at IBM and Kyndryl. Welcome, Gary and Flick.

Flick March 01:18

Thank you. 

Sarah B. Nelson 01:19

So first, I want to share - I think kind of a scary statistic - recent IDC findings show only one in four organizations are ready to adequately prevent and respond to a disruptive event. So I personally find this a little terrifying. Especially because disruption comes in so many forms: natural disasters and a mouse chewing through the wires and ransomware attacks, and we were talking about insider threats and social engineering and storms and terrorist attacks - a huge list of disruptions. And my question here is, what are we going to do about how companies anticipate, protect, withstand and respond quickly? Because I see a difference between, like, complete catastrophic failure, often on really global levels. So what I wanted to start with is actually something simple. I'm curious from both of you: what does a perfectly - and I'm putting air quotes around it - a perfectly secure and resilient company look like?

Gary Meshell 02:20

So I'll take that first. One, there is no perfectly secure company. And unfortunately, that's a fallacy. And that's why we hear people talking about things like zero trust, because there is no real secure environment. And I think what is going on in the industry right now is, one, it's a mentality; it's not a matter of if you're going to get breached, it's a matter of when, and we're hopefully getting past what I call cyber denial. A lot of folks took the same stance of "I don't need life insurance, because it's never going to happen to me." Given the headlines that we see every day, I think organizations are past cyber denial. And they're now in a mode where, and I use a description, you're only as good as your plan until you get punched in the face. And once you get punched in the face, then it's really a matter of: can you respond? Can you recover? And I think most organizations now are still suffering greatly on the response and the recovery side. There's too much focus on the manage-and-detect side. And we've got to move the needle more towards recover and respond.

Flick March 03:30

Gary is absolutely right, there is no such perfection. But we are seeing that there's a lot more focus from the C-suite and the board in terms of making sure that a company or a cyber-enabled business is resilient. We have three aspects we have to take into consideration to understand what we do in cyber resilience. Number one: since the early 90s we've been towered; we've been institutionalized in towers for quite a few years, 31 years of being towered. When I say towered, we know: mainframe, server, end user, desktop, network, applications, database, cloud. It passes the great British pub test of "what do you do for a job?" The reason I'm saying we're institutionalized is when I actually say to lots and lots of techies, "if it all went down, what would you recover?" First, we will think in our towers of what needs to be supported or protected or what we need to respond to. But actually, what is missing is: where is the business process in all of this? So how do you make sure hospitals have access to patient records? How do you make sure that your retail website is up and running and functioning? The second aspect, of course, when we look at cyber resiliency, is we are looking at security incidents, but we also have to consider other incidents in play that will take down a company as fast as a cyber attack. We've had beavers chewing through cables, the FAA downing flights due to a data file corrupted by two contractors, and all the other wonderful ideas and things that we hear about why companies go down. And the reason is, cyber attacks or a beaver chewing through cable will give you the same impact: loss of revenue, loss of brand, and loss of core purpose. So, fundamentally, the third issue that Gary and I live with every single day is, if we look at the NIST framework of identify, protect, detect, respond and recover, there's always been an invisible line between respond and recover. And Gary is bang on right that there's been far more focus on protection.
But actually, when it gets to that point, look at NotPetya as a very good example: the virus that hit in 2017 was state sponsored, went into the Ukraine, hit 3000 companies, and the White House says it cost the globe $10 billion. And what happened was it wiped out the servers' firmware and then forced a reboot, which meant a lot of servers went down very, very quickly. In fact, one company lost 8000 servers in just under 12 minutes, as well as 65,000 laptops and PCs. And what happened when they turned around to the security team? They said, "Right, we've gone down, off you go, go do your worst, because you've got all the budgets," only for the cyber security team to say, "Well, there's nothing for me to work on. I need you to recover." And they say, "Off you go," and then, "Oh, no, we don't do recovery. That's sitting in another department elsewhere." So Gary and I are both extremely passionate about making sure there is a lifecycle of anticipate, protect, withstand and recover. And that is a lifecycle of continual learning and a continual approach.

Sarah B. Nelson 06:43

So when you first encounter, let's just say, a new customer who's interested, or you've identified resiliency as an issue, how do you approach that organization?

Flick March 06:54

There are many angles, because we're partly towered, and people are still seeing that it's infrastructure, then apps, then business processes. I think we have to converge everything down. And one of the questions that we always ask is, what's your minimum viable company? That's a very simple question. What are your critical processes to make sure you can maintain core purpose and integrity? So the conversation is easy. How long can you afford to be down for? And have you actually ever tried to properly restore, or do a proper business continuity plan? But it's not just technology. And I know Gary will interject, it's people and processes as well. So you have to look at the whole holistic bundle when you're looking at that.

Gary Meshell 07:38

One of the things that I find very intriguing about the narrative that Flick presents is this concept of minimum viable company or minimal viable service. And it's interesting, as I go out into the industry, most folks don't seem to grasp that concept. They grasp, "Well, maybe I need to bring up some storage, or I need to bring up some compute." What good is that storage and compute if your banking system is down? What good is that storage and compute if your core healthcare business is down? And when we go out and have these conversations, we have a couple of key themes. One is that all of this starts with the board and the CEO. And I think for too long resiliency and security have been the business of technologists. It's really the accountability of the board and the CEO. The other thing that we talk through over and over again is readiness and preparedness. If you don't test your plan, and you don't run that plan at least three to four times a year, you have no guarantee that you're ready for your worst day. The injects: are you prepared for a reporter calling you and saying, "Gary, I understand you've been breached"? What am I going to say? I don't know? Am I gonna say yes? If the FBI came in and demanded my logs, are you prepared to hand them over? And then I think the final thing we talk about is the cost of security from a professional point of view; it's just simply too high. There are 1.8 million jobs open in the United States. Where are you going to go find those people? Where are you going to retain those people? And I think where the needle is moving is towards managed services, and making this problem part of an organization that can scale and provide all the right data and all the right tools, but it's got to start at the board. And it's got to start with the CEO.

Flick March 09:28

Now, we and AWS have got massive services that we run for companies that are absolutely critical. So we're well versed in understanding what that business risk appetite is. The problem we see is, of course, this is IT on IT on IT on IT, and it's turned into this hodgepodge, this history of spaghetti. And I'll give you a perfect example. If we go to any customer and say, "How many patches have you still got to patch? Tell me how accurate your asset database is," most people will tell me 95%, but within three questions of "Oh, does that include your routers? Or does that include your SaaS solutions?" they whittle it down to 65% accuracy. They don't even know what they've got. I mean, let's face it, anyone listening to this: when was the last time you actually restored your personal data to make sure you can get it back again? We have to change the overall mentality to make sure that we have that full, holistic aspect around it.

Gary Meshell 10:28

We're also being forced to make business decisions that we've never had to make before. I was involved with a breach last year with a major healthcare provider in the United States, and ransomware had gotten into the system. And preservation of life sometimes is the most important decision that you have to make. And this particular organization was being ransomed for $5 million in crypto. And the bad guys had gotten into their core pacemaker system that controlled people's pacemakers. Now, you're a CEO, and someone's coming to you and saying, "I want $5 million or I'm going to turn off people's pacemakers." Think about the implications of not having a backup system to keep people's pacemakers going; think of the implications of not having a backup system if an insulin patient is on an automated drip and the bad guy says, "I'm going to turn that system down." So we've got to stop thinking just about backup, because in many cases the data we're preserving is backed up. Resiliency is about preserving human life and human health. And these are just new dynamics that, frankly, very few people have started to think about.

Sarah B. Nelson 11:42

There's something to really underscore here that I hear in both of what you said. So it's about business, but it's like baking in something concrete, relatable, and human. That's the why of what we're doing. So I'm thinking about organizations too: you're thinking about buttoning up your business processes and looking at your lifecycle, but also, how can you get your employees to viscerally understand the impact of the decisions they're making?

Gary Meshell 12:06

So I think you have to take a different paradigm, a different paradigm approach. It's not preservation of systems, apps and data; that's an end, it's an end to the means. It's preservation of human safety, it's preservation of your stock price, it's preservation of your brand. And frankly, it's preservation of the customers you serve. Until we get to a model where we're thinking business first and technology second, I think the industry is going to continue to just throw money at solving problems, instead of taking this top-down approach of making sure that - to Flick's point - we know which of the processes we have is at risk. We know what's core, we know what's not core, and a lot of times in a breach you see people running around: "Well, do we turn this one down, keep that one on?" That's not the time to make those decisions. The time to make those decisions is before the punch in the face occurs.

Flick March 13:03

Oh, without a doubt. And you know, I've seen, in one of the NotPetya attacks, one company alone lost 980 million wiped off their share price. So that reputational risk is right out there. And I have seen exactly the same as Gary in board simulations and real situations, where they have no idea what they can switch off and have no idea what servers are running which applications, and even worse when there's a data theft. So it's not damage, it's just a data theft. The first thing the runbook says in the security tower - and we are siloed, and we need to stop being siloed - will say, "Oh, my runbook says switch it all off until we find out why we're leaking to the dark web." Well, they successfully switched the hospital off for nine days while they did their very, oh so important work. And so why are we having conversations about modernizing your server, or improving your cloud usage, without understanding the interpretation of what that means for the business? So that's where the power of AWS and Kyndryl come together, to be able to really know where you are today and where you need to go in that journey, to build out that approach that puts business first, bringing business continuity, business impact analysis, disaster recovery, backup, cyber recovery, and everything around anticipate, protection and withstanding. So there's the full lifecycle approach to go back to that data being available, reliable, secure, and resilient. So it all becomes much, much smoother.

Gary Meshell 14:41

I think if you look forward, and gosh, I don't know if I'm going to be here in 50 years, but certainly our children and our grandchildren are going to be here. You listen to what we're talking about, and some people would say, let's go build a bunker, and let's go dig a hole and go hide in it. This is not all doom and gloom. But I think it's important that there are some silver bullets that are beginning to arise. And one is autonomy. There's a lot of good stuff beginning to happen to identify problems before they occur. There's a real lot of work going on around this concept of actionable data, and being able to use data to predict when the breach is going to occur. And I think one of the things that I'm intrigued about working with Kyndryl is, Kyndryl doesn't build walls between cyber and fraud, they don't build walls between threat intelligence and AML and know your customer. This concept of fusion, I think, is one that's going to begin to solve a lot of the problems that are out there, because you're not going to need seven different SIEMs. And you're not going to need five AML databases; you bring it all together in this concept of a security lake and use analytics powered by Kyndryl. Those are some of the silver bullets, I think, that are beginning to develop.

Sarah B. Nelson 16:02

So now I'm thinking about how we sort of land some of this for folks that are listening. So I kind of am thinking about two people right now. So one is a CISO, or a CIO, a person who's working in an organization and maybe starting to think, like, "Oh, we've got the towers, we have those tower runbooks, we're not thinking about autonomy." What advice would you give to them about where they should start?

Gary Meshell 16:27

I think all of it comes down to readiness and preparedness. And one of the things I talk to CEOs and boards about is, you've got to fight like you train, and you've got to train like you fight. Folks do not have a practicable plan, they don't have an implementable plan. The time to see if your plan works is not when the bad guys are in. The time to make sure your plan works is beforehand. And if you are not doing readiness and response exercises, not just at the technical level but at the business level, I think that's a real gating issue. And I think we've got to drive security from the top down; you cannot drive it from the CISO up. The CISO is viewed sometimes as somebody that sits in a dark room behind a screen wearing a hoodie. That's not where security starts. Security starts with the board and the CEO, and pinstripes and white shirts. Until we get that culture of accountability from the top down, these problems are just going to continue to hinder the industry.

Flick March 17:35

I've been in board simulations, Gary, where they had their three external PR agencies in with them. And they were all waiting for a simulation that we hadn't informed them about. Nobody knew except one person that built it with us. And we walked in, and we knew they were all waiting for someone to say "IT has gone down," so they could all fold their arms and wait for the CIO to fix it. So we didn't do that. We just told them 8 million records had been stolen. And they were now sitting on the dark web and you had to actually pay a ransom. They hadn't considered the impact to their customer call center, they hadn't understood the impact to their social media feed, and nobody in the room had understood whose responsibility it was. And in fact, the crisis coordinator was just there taking notes, because that's what they thought their role was. So it is essential that the board recognize this, because I have seen companies go bankrupt because of cyber attacks, and their brand so badly damaged that they cannot recover. And even worse, people lose their own personal jobs through this, typically the CIO. So we have to get out of this mental shift and go back into how do we ensure that we keep those businesses functioning.

Gary Meshell 18:53

The other cause for optimism here is we're getting to a point that there's enough data that's available to us, one, as human beings to utilize that data. But when you look at the promise of Gen AI - I was in a very senior meeting yesterday at AWS - and you look at Gen AI and its capabilities of automating those processes, taking the decision in the middle of a crisis, like, human beings are not trained to respond to crises, right? They panic, they have anxiety; machines don't panic. And where we're heading is a world where, I think in three or four years, if there's a bad guy that's attacked your core system, rather than people getting in a boardroom and having to make that decision, that decision is going to happen through AI. It's going to happen through the quality of the data. And that's why there's cause for optimism, and what the bad people don't realize: we're taking all that data, and instead of letting them use it to their advantage, we're starting to use that data for our advantage. And that's where the bad guys are going to be caught off guard. We've got to take these young college graduates that are coming out and realize the power of AI, that realize the power of ML, and we've got to train them. And we've got to bring them into the organizations early, because that people factor still has to take place. And I know for me, I am passionate about going into universities and even high schools and getting these kids that have a different mental model than I have as a technologist. We've got to bring that next generation of young people into the fold sooner than I think we've ever had to.

Sarah B. Nelson 20:38

Well, Gary and Flick, this has been really eye-opening - and actually - I think I really appreciate the optimism that you're bringing into it. And I just wanted to thank you so much for joining us and sharing your wisdom. My takeaway from this conversation: it's about stewardship. How can we set ourselves up for a positive future? One that we don't assume is going to be catastrophic? This conversation really points to the roll-up-our-sleeves optimism that we need right now. Thank you for joining us for this episode of The Progress Report. You can find this episode wherever you listen to podcasts, and remember to like, subscribe and share it with people you think might be interested. And we look forward to having you in our conversation next time.