Nailing the First 100 Days as a CISO: Insights from Cybersecurity Expert, Ashwin Ram
In episode 28 of REDD’s Business and Technology Podcast, join our hosts, Jackson Barnes and Brad Ferris, in a thought-provoking conversation with the distinguished Ashwin Ram.
With a background deeply rooted in technology, Ashwin has evolved into a highly respected figure in the cybersecurity field, currently serving as a cybersecurity evangelist at Checkpoint Software Technologies. In addition, he is an accomplished author and a sought-after public speaker. Hear about his professional evolution from a help desk analyst to a recognised expert in cybersecurity, dedicated to raising awareness about digital threats since 2005.
In this episode, explore Ashwin’s approach to cybersecurity. He shares invaluable insights into the development of robust digital defence strategies and the use of advanced tools like network security and artificial intelligence. Ram underscores the importance of continuous learning and adaptation as fundamental elements for staying ahead in the constantly evolving field of cybersecurity.
Ashwin elaborates on the significance of acquiring comprehensive knowledge and developing a strategic understanding to achieve effective cybersecurity. He emphasises that, while technical understanding is crucial, a sound comprehension of business risks and strategic alignment is equally important.
As we move further into a digital-first world, Ashwin provides his perspectives on the role of AI in cybersecurity, emphasising the importance of being prepared for AI-enabled threats.
Lastly, uncover what drives Ashwin in his personal and professional life. It is his commitment to making the digital world a safer place and his dedication to staying ahead of emerging threats that serve as his motivation.
Join us for this episode and be inspired by Ashwin’s extraordinary journey in the realm of cybersecurity.
00:00 – Start
00:56 – Ashram career background
02:21 – Why did Ashram pivot to cybersecurity?
02:46 – Checkpoint of Software Technologies
03:41 – What kind of business does Checkpoint work with?
04:46 – Endpoint security
05:07 – Holistic cybersecurity capability
05:19 – How does threats keep involving in cybersecurity?
07:24 – Threat actors creating tutorials on how to use ChatGPT
09:17 – Chapter 10
11:33 – Importance of cizo in the business
12:30 – Ultimate goal of cybersecurity
13:00 – What size of business needs a CISO?
15:01 – Advice for an upcoming CISO
15:24 – The role of CISO
19:23 – Preparing for the role of the CISO
20:45 – Importance of networking
21:43 – Planning the first 100 days as a CISO
23:33 – Finding industry peers across the globe
24:51 – Understanding risks
26:36 – High-level risk analysis
27:36 – Data classification
27:54 – What is success for a CISO?
30:50 – Running cybersecurity and infrastructure side for smaller businesses
32:59 – Cyber is not an IT problem, it’s a business risk
35:51 – Communicate effectively to the business owners
37:34 – Be able to tell stories and make an impact
38:39 – Importance of catching up with the key stakeholders in the business
38:54 – What’s next for cybersecurity business in Australia?
41:50 – Spectrum
42:46 – The problem with MDR
43:27 – Preventing attacks is the key ethos of Checkpoint
44:01 – SOC as a service
45:18 – Outro
#REDDPodcast #AshwinRam #Cybersecurity #TechEvolution #DigitalDefense #AIinCybersecurity #BusinessAndTechnology #CybersecurityAwareness #CheckpointTechnologies #NetworkSecurity #CyberThreats #StrategicCybersecurity #ProfessionalJourney #CybersecurityExpert #CyberEvangelist
If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website, [email protected] or through any of the links below.
Show Transcript
(00:02):
Yeah.
(00:20):
Hello and welcome to REDD’s Business and Technology Podcast. I’m your host, Jackson Barnes, and I’m your co-host Brad Ferris. And today we’re sitting down with a cybersecurity expert, Ash Ram, who’s a cyber security evangelist from the office of the CTO at Checkpoint Software. Technologies today will be uncovering everything going on in cybersecurity. He’s actually up in Brisbane, which is on tomorrow as we record this one. The topic is nailing the first a hundred days as a czo or Chief Information Security Officer Ashram, thanks for coming in.
(00:46):
Thank you for having me.
(00:47):
No problems mate. Let’s start with your background. So what did you do way back like TE technical wise study evolving as you get to what you’re doing now?
(00:54):
Sure. I started off doing computer science at uni and then got my first gig as while actually was studying as a help desk analyst and then sort of worked my way up into becoming a senior analyst. And I think about 15 years ago I had my first crack at a working for a secure integrator here in Australia Loop Technologies. And that was my first experience delivering professional services. So designing and implementing security solutions and upgrades, migrations, cutovers, that sort of stuff. And then about 13 years ago I joined Checkpoint as a junior professional services consultant. Did that for about four years. Again, migration work upgrades, designing network security, security solutions. And then moved into pre-sales and looked after Telco healthcare and financial services for a few years. Started running the pre-sales business for Checkpoint for the northern region for a couple of years. And then about four years ago I got a tap on the shoulder saying, Hey, why don’t you come and join this brand new team that we’ve created called the Cybersecurity Evangelist Group And your role will be to go and evangelize cybersecurity at cybersecurity conferences, podcasts such as this, talk to media, write white papers.
(02:11):
And that’s been what I’ve been doing for the last four years.
(02:15):
All right, awesome. Looking forward to getting some insights to you. It’s definitely something you specialize in by the sounds of it. Why did you pivot into cyber security?
(02:22):
It was something that fascinated me. Initially I started, when I started understanding network security networking. I just found it really fascinating. And then the cybersecurity was just something that, it just happened. It was just an evolution. It wasn’t a like decision. I just happened to just evolve into it and I absolutely love it.
(02:42):
Tell us a bit about Checkpoint software technologies. What do they do?
(02:45):
Sure. So checkpoint’s a powerhouse in cybersecurity space. We started life about 30 years ago. Our founder actually wrote the software that enables stateful inspection within firewalls now that was 30 years ago. And as the threat landscapes evolved, so has Checkpoint to keep our customers safe. So we now not only provide full stack of network security, but also cloud security, endpoint security, no matter where the users are, user security as well as email security. Apart from all of those different types of controls, we also provide SOC as a service. We provide incident response capabilities. We help organizations carry out crisis management and crisis simulation through tabletop exercises. So we really provide security and security capabilities for quite a holistic approach,
(03:32):
Almost end to end security
(03:34):
Operators. It is indeed end to end.
(03:35):
And how many people in the business and what kind of businesses do you work with?
(03:41):
Sure. So we have about six and a 5,000 people I think now. And our r and d research and development is based out, and our headquarters is based in Tel Aviv, Israel. We also have a big office in a big number of employees in the states, but we also have organizers offices around the world, including here in Brisbane. We have an office in Sydney, Melbourne. We have an office in Perth as well, as well as Wellington Auckland, right. So that’s our region
(04:09):
Here. How big in Australia? How many people are? Probably
(04:11):
About 110.
(04:13):
Yeah. Okay.
(04:13):
Big operation. Big massive operation actually worldwide.
(04:16):
Cool. That’s huge. Must we don’t hear much about batch checkpoint, so I’m excited to hear a bit more about what you were seeing.
(04:21):
No, marketing’s not our strong point. Yeah.
(04:23):
So who’s your competitors maybe that would probably
(04:25):
Help. Our competitors would be Cisco or Palo Alto 40 Net, the big one, the hard
(04:31):
Work, the hard work
(04:32):
Hardware. All of those guys have
(04:34):
One. CrowdStrike,
(04:35):
Those two, all those guys. Okay. Yeah, absolutely. Zscaler they come to mind as well. So they’re all competitors, even the niche place. Cause again, we do endpoint security, we do a full stack of endpoint security as well. Complete EDR capabilities on the and the endpoint. So all those endpoint players are our competitors. We do incident response and so incident responders are competitors. SOC as a service. So
(04:58):
You’ve got a lot of competitors. Cause you guess touch a lot of, I guess, solutions in cyber
(05:03):
Screening. So at the end of the day, if an organization’s looking for holistic cybersecurity capability and if they’re actually looking to partner with one or two security vendors that become their partner rather than just a vendor, then Checkpoint should be one of those. No-brainers. Okay.
(05:16):
Ashman, tell us a bit about what you are seeing, how the threat landscape’s evolving and some interesting stuff that you’re seeing recently.
(05:22):
Well, of recent, I think the most pressing topic right now is the threat landscape of artificial intelligence. That is quite concerning. The misuse of artificial intelligence is very concerning. When Check G PT, for example, came out, one of the teams that get really excited whenever there’s hype in media is our security researchers because they know that cyber criminals are also going to be looking at this to try and figure out how they can weaponize it. And so we started asking the same question, is it possible to weaponize chat? And the initial question we thought of asking when we started our POC was, Hey, can you create a phishing email? We used the word phishing email and it did. We actually asked it to create a phishing email from a fictitious company created that even gave us a placeholder for the fake logging page. And then we thought, okay, well maybe that’s going to take us too long.
(06:21):
Let’s change the tactic. Why not just ask you to create a phishing email and ask the intended target to double click or open the a weaponized document. So it wrote that for us too. Then we’d like, all right, well let’s create that weaponized document. So we asked for it to create a script for reverse shell. It did that for us too. And then we’re like, okay, well if we’re going to go that far, what about can we create some tools for reconnaissance? So we’re like, can you please create a tool for ports, Kenny, he did that for us too. And then we’re like, well, let’s try and build some smarts into these tools. Can you write a script for us that would help bypass a sandbox? It did that for us too. Yeah, scary, right? So that’s basically what we are seeing at the moment.
(07:10):
And now that’s our poc. And we created hundreds of tools just as a POC just to see. But we also noticed that the threat actors are doing the same thing. Of course, they’re creating tools, they’re sharing ideas. One of the interesting things we found is threat actors are actually writing tutorials on how other threat actors could use chat G P T. We’ve seen threat actors share insights into how you could bypass open ai, which is the platform, that organization that owns chat. We’ve seen threat actors share on telegram and various different dark, dark web forums, how to bypass those geo geo locations using compromised phone numbers and SIM cards. So yeah, that’s the really interesting stuff that we’re seeing at the moment. Yeah,
(07:54):
It’s quite scary because it definitely was, I think five plus years ago through actors, you’d see if you see just a phish email come out, it was always broken English and unstructured properly. But now that’s going to be completely gone because tour actors can easily just get something to write an email for them and then it makes it look very, very slick. So that’s I guess a concern. Jackson,
(08:14):
You absolutely. What was really interesting, as I was reading that research, I thought I decided to do some research of my own, and I actually asked chat G P t some very specific questions. And one of those questions was, have you ever created a phishing email and denied it? So I thought what maybe it needs a little bit of the memory needs to be jogged. So I gave it specific fake, the fake account that it had used or the fake service provider that it had used in the Phish game, but it still denied that. And for me, that sort of takes us to a slightly topic of trustworthiness AI as well. How do we trust a platform that is not designed to tell us the whole truth?
(09:04):
That’s a funny one actually. I hadn’t really thought about that. That’s a scary one,
(09:07):
Isn’t it?
(09:08):
Yeah, that is scary. Another interesting story you mentioned off air, which I think is worth sharing on the episode, was a threat act of being in an environment for five years before being detected or checkpoint picked it up. Do you want to go through that in more detail?
(09:21):
Yeah, sure. That was in 2019. It was an interesting case where our incident response team got engaged by a government agency in Asia to assist with an attack. And while we were going through the logs and trying to understand what’s going on with this government agency, we noticed there was a completely separate attack happening from that environment. And so whilst we had our hands full here, we reached out to our Israeli, the researchers, the malware researchers, and asked them to take a look at this completely separate attack that was happening. And what we found was really interesting, actually, this threat actor had been in stealth mode for about five years. No one had no security researchers had talked about them
(10:04):
Five years, five
(10:05):
Years previous to that, the last time anyone had ever mentioned this was Kaspersky. And that was five years earlier. So five years stealth boat. And what we were able to do is not only identify who this threat actor was, we were able to then map out the entire infrastructure. So we’ve published all of this stuff and what we found is that they’d already compromised government agencies in various parts of Asia, including Philippines, Myanma Singapore, as well as Thailand Laos. And it was only when they were attacking an Australian state government here that we actually found them. And like I said, we mapped out the entire infrastructure. I’d actually been following them. Well, I followed them for a while anyway, and I noticed that they actually started focusing on India and Turkey, which is quite interesting as well. What other thing that we found quite interesting is they had compromised the A server within one of the government agencies in Asia and used it as a backup commander control server in their malware. So that was quite interesting.
(11:14):
Geez, bold. Yeah, they’re definitely getting bold. I wanted to get some of your insight, and I know you’re up in Brisbane and then I guess touring around Australia, speaking about nailing the first 100 days as a size O or chief of information security officer, let’s start with this question which and actually get some insights from this. What’s the importance of a competent size in a business?
(11:38):
Yeah, so have you seen the headlines lately?
(11:44):
No. Tell me
(11:44):
More. I mean, organizations are getting breached left round and center here. I mean, we’ve got our federal government talking about it. I think more than half of our population’s private information’s already been leaked out. So clearly there’s a need for organizations to mature the cybersecurity capability. And what a CSO does is the primary role is to actually bridge the gap between the technical and the business stakeholders, right? Because ultimately when we think about cybersecurity, we think about those technical guys who are actually implementing the policies and the rules, but really that needs to be driven from the business level. But ultimately the goal of cybersecurity is to reduce risks of the business, can do whatever it is that they’re trying to, the product or service that they’re trying to deliver. And to be able to do that, to be able to get the respect and the sponsorship from executives, you need to demonstrate the value that cybersecurity is going to bring to your organization or the risk that it’s going to reduce. And the best role for that is a CSO or a cso.
(12:54):
So what size business needs a cso? Because I feel like the common thing in Australia, maybe this is everywhere, is that businesses have a cfo, they may have an IT manager, and then maybe a risk officer or a risk manager, and then maybe a CIO depending on size. How does the business determine when you actually need to put a dedicated sizer in place?
(13:18):
I don’t think there’s a hard and fast rule here. I think there are a lot of organizers that don’t have a sizer, but they have somebody that’s doing the size of role that may be the head of IT network security. They inherit the responsibility of whoever’s responsible for cyber strategy. And so you don’t necessarily have to have the title to be able to deliver that on that. But to answer your question in terms of who should I think any organization that’s actually concerned about a breach, concerned about their brand name, concerned about their reputation should think about investing in a ciso and why would be, there are studies that have actually shown if you have a chief information security officer in your organization, the impact of a breach is far less on average than if you don’t.
(14:14):
That’s a good point. I mean, cyber risk is the likelihood of being attacked and the impact if you do get attacked is essentially cyber risk for businesses. One thing I wanted to go down, and you touched on it was stakeholder engagement or stakeholder management as a size being the most important thing, which is sounds simple, but it’s a really complex thing, right? Because you’ve got people who are non-technical like CFOs and CEOs who say, where are we at from Cyrus point of view? And you’ve got your probably IT managers and network engineers, system admins who go, we’ve got these things, we need more tools. And they’re the kind of conduit between that your IT team traditionally and then the actual people who have the risk associated to them and directors being liable for if they do get hit, that kind of stuff. What advice would you have for an upcoming sizer or sizes that are trying to get into that role around that stakeholder management?
(15:05):
So firstly, I don’t think there’s any clear path to becoming a sizer. You have some CISOs who come from a technical background and you have some CISOs who come from a risk compliance and governance background as well. So I think it’s important to understand that the role of ciso, there’s not one pre prerequisite for that right now in terms of the importance of stakeholder management. Ultimately the success of a CISO is dependent on how well they forge meaningful relationship with key stakeholders. Your brand name and your credibility is everything. If you’re to succeed in this role, it’s not a technical role. The most important thing that a cisso needs to do is be able to articulate the technical requirements to be able to enable business outcomes. Everything hinges on that. If you are able to demonstrate to an organization why they need to invest in cyber, what are the business outcomes? And the business outcomes doesn’t necessarily need to be risk reduction, it could actually be competitive outcome as well. So I’ll give you one example. Those organizations that invested in remote access technology that enabled the employees to be able to work from home, they generally did much better than those organizations who didn’t allow employees to work from home when covid hit. But it was a far easier move for employees to work remotely.
(16:31):
But where is I guess a business optimization there? Is that because they can work remotely, securely is why the sizer comes into play? Well,
(16:40):
What I’m saying is that your cyber strategy needs to enable business outcomes. In this particular case, what I’m saying is that there’s a competitive advantage if you are actually able to be agile because you can work remotely as opposed to those organizations that may not have invested in remote security, remote access controls, right? Securely. So if you’re not enabling employees to work remotely and if you expect everyone to come in and work from the office, when Covid 19 hit and we had that lockdown, a lot of organizations struggled with being able to move employees. Many of them didn’t even have and laptops for employees. We had a case where a lot of employees would be using personal devices to access corporate resource who’s securing those personal devices.
(17:25):
And there was a big phase five years ago around people going to thin clients and knucks and that kind of thing. Cause they’re like, oh, this is the way to go then COPE probably got stung, stung a little bit. I wanted to go on the path around that size of creating a hundred day plan. But Brad, do you have any questions before we get there? Yeah,
(17:38):
I was just going to say, we have had other people on the podcasts in the past talking about this and they have seen a competitive competitive advantage in employing cybersecurity controls, pitching for government work, government tenders. We’re more secure, therefore we are more likely to get the work. Do you see that much in your travels?
(18:01):
I do, yes. I mean that’s clearly another advantage that you have is if you can demonstrate that you are secure. I mean think about it, right? Third party breaches that we’re seeing nowadays where the threats are actually coming in from those trusted business partners. So if you’re not secure and you’re doing businesses that we can’t open up our systems and our networks to you. So being able to demonstrate that yes, we do have a certain level of maturity in our cyber definitely gives you that advantage.
(18:28):
That’s a good point. And supply chain management as well, we are seeing that as well, probably on two sides. From a carbon neutral kind of perspective and a securities perspective, the carbon neutral is not really relevant for this show. But definitely on a cyber perspe perspective, we’ve been asked as well by some of our potential clients what our posture is. But definitely I’ve heard from our clients that are now starting to ask their supply chain if they are also employing, upholding certain standards, certain frameworks essentially aid all that kind of stuff as
(18:58):
Well. Defense has been doing it for a while, but I think now, especially in Queensland, we’ve got mining companies will supply certain services to mines and then they’re now starting to get questions around, did you meet these kind of frameworks or did you have these fundamentals in place? And that’s something that’s going to get more and more important. I want to get down the path of essentially what you’re talking about tomorrow. How do you prepare before you start the role of a size O? So say you’re not upcoming size, you went from screw analyst to SAO to your position. How do you prepare? What do you do?
(19:27):
No silver bullets here. So first of all, you can’t over prepare, right? So I would say
(19:33):
First thing you need to do is research the company, understand the company. And that doesn’t mean that you just read the annual report. Go that one step further and look at the investor relationships in the investor publications that they have because that gives you some really good insights into potential upcoming mergers. For example, understand if the organization’s been in the news for the wrong reason. Now have they been breached? How many times have they been breached? Have they made money? I mean if they’re not financially doing well, then that’s going to have a huge impact on your security
(20:07):
Budget. They’re probably not going to invest in CI cybersecurity if they’re not making money, right? Absolutely.
(20:11):
And if they’re doing mergers and acquisition, now mergers and acquisition m and a, that has a massive impact on the landscape for your IT and subcu as well. So understanding that is important. So do your research. I think the other thing before you even take on that role is it’s important to have prior relationship with third party incident responders because there’s not guarantee that, you know, take a CISO role that within the first couple of months you don’t get breached.
(20:37):
Yeah, that’s a good advice actually. And would so would recommend networking with other people in the security industry?
(20:43):
Absolutely. Absolutely. You need to have those prior with external stakeholders and in third parties and responders is one of those. So those are some of the things I would recommend. Make sure you understand the organization you’re going to make sure during your interview process. In fact, I would position the fact that within the first a hundred days I want to carry out a tabletop exercise. And that kind of gives you the gauge of whether, how serious are these guys about actually cyber or not?
(21:12):
Well ask that question before you start. Yeah,
(21:14):
During the interview process. It’s
(21:16):
Good. Qualify how serious are about, I mean they’re hiring a size though. They’re probably pretty serious about cyber security, but
(21:22):
Well, you’d think so. You’d hope so. Yeah,
(21:23):
Hope that’s
(21:25):
The other thing you want to do is maybe speak to the previous sizer, understand why they left, what were their challenges?
(21:31):
Yeah, right. Good advice probably could be reasons I recommend all these tools and broke down communicate. I could imagine. Next what I have for you was how do you create a plan for your first a hundred days as a
(21:45):
Sizer? Well Jackson, the good thing is that we don’t have to create the plan. The plan’s already being done. Tell me
(21:51):
More. So
(21:53):
There’s an organization called Cyber Leadership Institute, and so I’m using their framework to talk atec tomorrow as well. Cool. And so Cyber Industry Institute provide a fantastic framework over a hundred days. So they provide a hundred day plan on the key initiatives and tasks that CSO, incoming CSO should invest in. And the reason they do that is because it’s very easy to be caught up in all the noise and before it hundred days is up and you haven’t actually done some of the really key, the important tasks, right? So let me just share with you some of the stuff that I can remember off the top of my head. One of them is as you’re starting, obviously you’re doing your onboarding so that you know, do your onboarding and make sure you have your regular catchups with your team leader and whoever you’re reporting to, penciling and those things. And then I think it’s also important to, in the initial phase, make sure you get access to all the critical systems that you have, such as risk registers that you may have. So you want to be able to make sure you’ve got access to all of the systems, subscribe to all the associations that you may need. For example, ASA and third party, it’s important to also have
(23:11):
A tribe, cybersecurity tribe, your tribe. So these are like-minded individuals who are trying to solve the same problem that you are. Now, cyber doesn’t exist in isolation. Cyber is not a local problem or a regional problem. It’s actually a global problem. So it’s important that you find peers, industry peers across the global try to fix and address the same challenges that you are, learn from them.
(23:36):
Where would you go to find a tribe around security?
(23:39):
Well also if in Australia, obviously you’ve got a says is a great example, my tribe is called the Cyber Leadership Institute for example. So there are various others, but C is the one that I I’m part of.
(23:52):
Okay, good advice. And what things should you look out for say when you first start in the role, you know get onboarded, what are you looking out for?
(24:02):
Next thing is to actually start understanding the environment. So it’s important that you figure out what the current state is, but don’t spend too much time understanding the current state. You want to also figure out where do you need to be? What’s the target set? Where do I need to get to? So get your hands on previous pen tests, any gap analysis that’s being done, any sort of assessment that’s being done, any audit reports and compliance reports that are being done. Get your hands in those, understand those things, understand how risk is communicated in the organization. Understand if you have any open risks currently. And schedule in regular time to catch up with teams that manage risk. Because the thing about risk is that it changes over time. So understanding risk, understanding how it’s been communicated in the organization, those are key things. Also, now is the time to build relationships with key stakeholders. So identify who those key stakeholders are. Understand the different lines of chain that they have, the reporting lines that they have. So you think of your general counsel, your legal team, your public relations team, your auditors, your SOC team, all of those different key stakeholders understand their challenges. What are the biggest two, three challenges from a cyber per perspective pencil in regular catchups with those guys because they will be fundamental they to your success of your cyber strategy.
(25:33):
It’s good advice. So you would book a meeting essentially with like the cfo F from a financial risk perspective, if there’s a risk manager or a compliance manager, go and speak to them about where they’re at, where they’re at now, what challenges they’re facing. Is that
(25:44):
What you Absolutely, yeah. Make sure you are speaking regularly to your chief risk officer if you’re lucky enough to have one. Yeah, right. Make sure you are, you’re speaking to all of the key stakeholders of the different lines of business that generate revenue for your organization. What are their challenges? And also it’s really important now that you’re building those relationships to also understand, okay, what are those crown jewels that we have? What are those really important assets that we have? Not just the customer databases, but the critical infrastructure that we may have. So I mean you may be a production house, you may be a water utility. So the different critical, those crown jewels are different for different organizations. Understand what they are, evaluate the security controls that you have around them. The reality is that in the first a hundred days, you’re probably not going to get approval for a full-blown risk assessment. So it’s important as an incoming system that you have, you carry out a high level risk analysis yourself to understand if the basics, the fundamentals are done. And generally what you want to do is understand if your controls are geared towards preventing attacks.
(26:54):
That’s good advice actually. I think definitely that’s good advice to know. Try and figure out where you’re at now and I guess from a risk perspective, financial, what makes them tick, what’s keeping up them up at night? And it’s finding something that we try and do as well. When we onboarding a customer, we might be, they’re looking after it for, we try and figure out what’s actually important from them keeping their business operational perspective. Is it a control system? Is it this bit of software? Do they actually have IP that needs to be protected more so than just standard data? So that’s really good advice. I mean that we would do separately to size are going in, but also good advice. Yeah.
(27:33):
One thing I would also understood, if you have data classification in place as a classification, that’ll help you understand if you are overinvesting in something that you don’t need to or if you’re under investing in something that you must invest more in because it’s critical to your business. So those things are really, really important as well.
(27:52):
So what does success look like as a first hundred days as a size, so you get to a hundred days complete, what is success?
(28:00):
Okay, so far what we’ve done is we’ve onboarded and we’ve sort of understand the current state and we want to understand obviously what the target state is. Now during that process, it’s really important first of all to figure out if each you have proper IT and cybersecurity governance in place. So do you actually even have a cybersecurity charter? Have you mapped out what is your security vision? What is your security mission? What is your security scope? Who’s responsible for cybersecurity? Who should be accountable for it? And who needs to be kept informed and who should be consulted? So before we just go into what a cybersecurity success looks like, these are foundational stuff that must be done. Okay. Once you’ve got your head around that stuff, then okay, now let’s figure out what are those quick wings that we can demonstrate to the business. Because ultimately, as I mentioned earlier, it’s all about stakeholder management. And when we talk about stakeholder management, you want to be able to deliver value quickly. You want to earn the trust and the respect of your executives and the board. And you want to do that by delivering success. So identify key, maybe those quick wins. One of those quick wins could be something like cybersecurity awareness training that could be easily outsourced to a third party these days. There’s plenty of cybersecurity wins. Checkpoint office one of those though by the way.
(29:28):
Nice. Well,
(29:29):
And so outsource that stuff and use the completion rate of, or the participation rate of your awareness training as a metric to demonstrate to the border. At least now you’re working on the culture of subcut in your organization. So something simple like that.
(29:48):
Goodbye you go, oh no, I was going to change topic. So not changed topic a little bit, but I guess we’re talking a lot. So obviously we provide services more to SME and it’s just interesting hearing you talk about frameworks, principles, charters, vision, strategy, that kind of thing. And I just wondered your opinion obviously with smaller businesses, and I think we touched on earlier, what size business should have a ciso and that’s a bit difficult, but I was wondering your opinion and there’s a few different school of thoughts, so just getting your opinion, but around that segregation of duties between effectively what is a risk management role to a CIO or whoever’s head of technology also being responsible for risk. So there’s an argument that you’re kind of assessing yourself if you are doing that role in a CIO or IT manager role, but these are the constraints that probably smaller businesses have that may not have the budget. Yeah, I guess what’s my question is ultimately what are your thoughts around for smaller businesses around someone kind of running the infrastructure side and running the security side I guess is a pretty broad question.
(31:01):
No simple answer
(31:03):
To that. The thing, right? Yeah, that’s very is an opinion million dollar
(31:05):
Question. It is. I think I wrote a paper on something similar. I think ultimately for small businesses they need to understand could they survive a one week downtime, could they survive two weeks downtime?
(31:20):
Yeah. And it doesn’t become as simple as that. We, we’ve seen this a few times recently
(31:25):
And then understanding what investments are going to be required to ensure that they don’t suffer those. I’ve got countless examples that I’ve seen as well of small businesses that just haven’t survived.
(31:39):
Yeah, it’s interesting and I really liked my background’s in big four. I worked for EY for a number of years and I quite like working with small to medium business because they, they’re not quite, have all the funding to have quite all the roles, but they’ve still got all the same issues that big businesses have and just have to tackle ’em a bit more creatively, sometimes more
(32:00):
Nimble.
(32:00):
Yes, exactly. So it is just an interesting one with security and where does that land? And we had a CFO on the show a little while ago and some of it belongs in risk, some the budget if you like, and the responsibility, some of it belongs on the risk side, some of it belongs on the IT side. So it’s just an interesting conversation of yes, in a perfect world it would be completely segregated. You’d probably, I would consider it more on the risk and compliance working with the auditors, working with those kinds of firms in a bigger business but in a smaller business. It’s just interesting that kind of crossover and where does that segregation of duties is kind of a kind of frame in this scenario. So yeah, I was just wondering if you’ve seen and where that crossover is from a small to medium to a large that can actually do it properly.
(32:52):
Yeah, look, I agree with you. I’m a firm believer that cyber is not an IT problem, it’s a business risk, but not everybody has the luxury of having a chief risk officer.
(33:05):
Exactly.
(33:06):
And so ultimately sometimes these things fall on the responsibilities of the business owner itself.
(33:14):
Well
(33:14):
And I think the big problem right now is if things go, say you’re small business, it’s 50 maybe a hundred employees and you’ve got an IT manager, cyber always gets lumped with that person when the risk really should be with the CFO or director of the business, but they don’t understand the technical side of it. So they’re lumped with the IT manager. How do you combat that problem?
(33:36):
So we feel IT managers feel really threatened because we feel like they’re cornered, right? They’re like, I only got this much money to spend, I’ve got all these objectives or things I need to achieve with that budget. Now you’re throwing this other thing in and like you said, it’s actually a business risk but it’s been lumped in with the IT manager and quite often we battle with this question, do we have a duty of care to go around that person If we see a substantial risk but we feel it’s being blocked, do we have a duty of care? I mean it’s really none of our business at the end of the day. We’re just trying to help. But it’s a very interesting dynamic that we find ourself in dealing with small business in where is the line? Because we do feel as tech providers, security providers, that we have a duty of care to really make sure that business understands the risk. And sometimes we don’t feel like depending on the person we interact with, we don’t feel that we’ve fully been able to articulate that risk properly to the people who need to understand it in that business and will get blocked. So
(34:38):
I think there’s outlines, but I think that the core problem is that if you look at drivers directors of businesses and CFOs and stuff who they’re actually liable for risk and profitability of the business. Exactly. But the decision making around what tools and people to partner with goes with an IT manager or cio and there’s outliers, some of those are really cyber savvy and across it. But generally what the drivers of the IT manager in a small business for example, or the one person that does it in smaller small businesses is around how do I keep the lights on and how do I get time to tools to save me time, right? Understandably. Because they are growing and have pains and they have people logging tickets with them and they want to get things operational so they look good and cyber’s a thing on the side. And when it comes the end of the day, if a business gets hit with ransomware and goes down, team managers probably got to work a bit, get paid a bit of overtime, the director’s liable for telling all the customers and so on. What’s your advice?
(35:41):
So I think for that problem, I think ultimately again it comes down to the same thing that I said before, right? Stakeholder management, how do you communicate effectively to the business owners about the risk to the business from a cyber perspective? And I think again, this is why the CISO’s role is so vital because they are able to take those technical risks and translate it into business risk. And I think that’s where for those IT managers, I think that’s what they need to do as well, is be able to translate those technical risks into business risks. And if they are unable to do that, that’s where you guys come in.
(36:16):
What advice would you have for an IT manager who’s struggling with that right now and say they identify those gaps in the business playing a bit of a size kind of role, bit of title as an IT manager, they’re responsible for a lot more things and maybe they got help desk team and yada yada yada. What advice would you have for them on how to effectively communicate to stakeholders that okay, we’ve got this gap, we haven’t said have no vulnerability management running, no cyber warrants training, whatever it is, but they’re like no more budget for it.
(36:43):
What I would say is the advice would be, first of all, make sure you understand your business. What business lines of business are generating revenue here and what would be the business impact from a financial standpoint. Cause ultimately that’s what stakeholders understand is finance the impact from a financial loss point of view, right? Yep. So understand what, okay, well if this line of business was impacted and it would take us two days or five days to get the business back up, this is the actual impact financially. Are we able to reset and then let the key stakeholders make that decision Now we need to invest more here. So I think that’s one thing. The other thing I think is really important for anybody that wants to be able to communicate effectively is to learn to tell stories, is to learn to effectively hook your audience and be able to make an impact with your story. So for example, if I’m talking to a healthcare like a small clinic, but I’ll talk about the patient, the impact on the patient and what does that mean. So when you make that connection, I think it’s a lot easier to sell your cyber strategy then because you’re not just asking for, because cyber’s ultimately looked at as a cost center
(38:04):
Until something happens.
(38:05):
Until something happens, even then it’s a cost set.
(38:09):
Well yeah, but looked at differently. Yeah, that’s really good advice actually to understand where money’s coming in and if it paint that, what if picture if identify a gap and you articulate it, but if something comes in because you don’t have this thing or this service in place or whatever it is, or we don’t align to a frame or whatever that is, this may happen which results in this.
(38:31):
And also I think it’s important for the IT manager or whoever’s trying to have that conversation to regularly catch up with the key stakeholders and let them know what’s happening in the industry, what’s happening with other businesses of the same size and the same industry
(38:47):
Through us. So check one software, what direction is that business going? Obviously security definitely in Australia has been a massive topic probably all around the world and over the last six to nine months and you see a lot of threats and you fairly intense operations where, where’s the business going? What’s next?
(39:03):
Wow. So like I said before, one of the things that we’ve been able to do is over the last 30 years is evolved to stay, try to stay one step ahead of the threat landscape. So as organizations moved from network to cloud, we evolved and provided cloud security as organizations started doing remote working and we’ve been doing remote security for remote security for quite some time. Endpoint security, mobile security. So I think from a checkpoint point of view, they will continue to evolve. They will continue to innovate. Checkpoint is a powerhouse when it comes to innovation. Well, we often joke that we’re a 25, 27 year old startup.
(39:47):
Glad you guys can still get away with that because we’ve been going about four or five years and we still feel like it’s startup.
(39:53):
But you have to have that mindset because a threat landscape just evolves so quickly. Yeah. Now I’ll give you an example. I think we have one of the largest threat intelligence platform globally. And within that threat intelligence platform we have I think just over 40 different engines which are AI driven. So forget the other ones that are doing thing. 40 years old now are AI driven. And over the last few years we’ve actually moved from machine learning to deep learning capabilities now and how tell funny, it’s interesting story about this we, there’s this one particular control that we have where we have two different AI engines that are competing against each other to outperform each other in being able to identify threat. And as they outperform each other, the one that outperforms becomes the master until the secondary one can outperform it. So we’re doing that kind of really, really cool innovation
(40:48):
That is cool,
(40:49):
Right? That’s just one example. One of the latest things that we’ve done is we’ve introduced capabilities around email security. We do something that I don’t think anybody else in the world does, which is we’re able to prevent threats, move laterally inside an organization’s email ecosystem. So most email security sits at the MX record level or just in front of your Azure, sorry, your Office 365 or G-suite, right? What we’ve been able to do through API integration is actually integrate our capability, our control so that we’re sitting behind everything and as an email is being sent from one inbox to another within their organization, we can still interrogate that and we can still look for threats. So that’s some really cool stuff that Checkpoint does. And we did this through an acquisition called ana, which is another Israeli company. One of the other really cool thing that we’ve done is an acquisition called Spectral where we really took this zero trust mindset to the cloud.
(41:54):
And really what I’m talking about here is providing DevOps with tools so that can move to DevSecOps. We’ve got the whole tool set to go from build time security to runtime security. That stuff with being able to integrate into C I C D pipeline, that stuff’s been doing that for quite a few years now. But the latest stuff we do is we can actually validate if a third party open source code that a developer is downloading if it’s safe or not, if it’s got vulnerabilities. So we’re able to do that interrogation of the actual source code before it’s being used in home broad applications or whatever applications organizations are writing. So I think that’s really cool stuff. And given the fact that we have an inter response team, one of the things we noticed is that there’s a lot of the managed services, managed service providers, the MDR manage detection and response capability is all around detection.
(42:50):
The problem with that is that when you’re focusing on detection, the damage is done right Now, I’ll give you one use case for this. Imagine a water supply. Now we’ve already seen a couple of attacks on water supply with threat actors tried to change the chemical level so that it would actually be hazardous to health. Geez, they were literally trying to poison the water. You can’t rely on manage detection and response capability here because by the time you may detect this stuff, people may be potentially get harmed in the future. So it’s really important that you prevent attack and that’s one of the key ethos that Checkpoint has mindset of that we’ve got to try and prevent attack. So we’ve actually released our own capability around managed detection and response and we call it managed prevention and response. So it’s essentially sock as a service, but our capabilities are there to prevent the attacks in the first place.
(43:43):
Obviously there’ll be something that may get through and then you automate the remediation capability. But the initial attempt is to make sure we prevent attacks. So that’s something really cool that we’ve released to the market. And part of that is our SOC as a service. We provide full XDR capability as well, or XPI as we call it, extended prevention and response. Right. Cool. Again, so because we secure cloud ecosystem, so we do the whole gamut of cloud ecosystem. We protect build time security, runtime security, network security from having virtual security gateways, workload protections, all of that kind of stuff with cloud security, posture management capabilities. So we’ve got all of that. We’ve got our full stack of network security, we’ve got full stack of endpoint security with EDR capability. We secure a mobile phone. So if anybody downloads a malware or any malicious app, we will be able to identify that. Cause we detonate that in cloud as well. And we make a call whether it’s malicious or not, all of that kind of stuff as well. And so if you think about it, that’s actually what an XD is.
(44:52):
Yeah, I think you’re right that cybersecurity is definitely evolving to a place where you need someone looking in your environment separate to the people that are doing the help desk or internally IT support or whatever because they get flooded with alerts from firewalls and antivirus tools and that kind of thing. You really need someone looking 24 7 for threats and detecting it, but also you’re right actually preventing it and responding and doing something within a certain time period. So Ash, and thanks for coming mate. Really appreciate you showing insights. So I hope the audience has got a lot of value out of that first a hundred days as a size. I think it’s pretty valuable. I appreciate your time. My
(45:26):
Pleasure. Thank
(45:27):
You very much.
If anything in this post interests you, or you'd like to have a chat with someone about your technology challenges, we would love to hear from you!