In this compelling episode of Redefining Society, Marco Ciappelli and Igor Volovich explore the intricate relationship between societal norms, technology, and the concept of trust in the cybersecurity and compliance industry. They delve deep into issues like the role of compliance, the significance of whistleblowers, and the importance of considering the human element in our increasingly interconnected digital world.
Guest: Igor Volovich, Vice President, Compliance Strategy at Qmulos [@Qmulos]
On LinkedIn | https://linkedin.com/in/igorvo
On Twitter | https://twitter.com/CyberIgor
On YouTube | https://www.youtube.com/channel/UC_CQlzYjMnkyt7ilhm-8EPA
_____________________________
Host: Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
_____________________________
This Episode’s Sponsors
BlackCloak 👉 https://itspm.ag/itspbcweb
Bugcrowd 👉 https://itspm.ag/itspbgcweb
Devo 👉 https://itspm.ag/itspdvweb
Episode Introduction
In this episode of Redefining Society, Marco Ciappelli invites listeners on an enlightening journey into the sometimes shadowy realm of cybersecurity and compliance. Joined by Igor Volovich, Vice President of Compliance Strategy at Qmulos, the duo discusses a complex intersection between societal norms, technology, and the growing importance of trust in this digital age. An intriguing and expansive conversation unfolds, probing the deep undercurrents of our interconnected society and challenging us all to think critically about the shape of things to come.
In the rapidly-evolving realm of cybersecurity, there's an urgent need to recalibrate our perspective. In this revealing discussion, Marco and Igor lift the veil on an industry often misunderstood and even overlooked by those outside its borders. They tackle difficult questions, addressing why people resist engaging with cybersecurity and exploring the role society as a whole plays in this digital dance.
The duo also dives into a thought-provoking analysis of the role of compliance in cybersecurity. Is compliance truly the culprit behind our cybersecurity woes, or is it simply being misused? They dissect the complexities of this vital mechanism, underscoring the need for a shift in approach. According to Igor, the fault lies not in compliance itself, but in its application: the industry must move beyond capturing past state and strive towards real-time risk management.
The discussion becomes even more engaging when the conversation pivots towards whistleblowers. The role of whistleblowers in society, especially within cybersecurity, is a subject that provokes a gamut of reactions. And yet, as Marco and Igor discuss, these individuals could be considered the ultimate "canaries in the coal mine," heralding issues and risks that might otherwise go unnoticed. But is society ready to embrace this often-maligned group and give them the recognition they deserve?
As the conversation unfolds, Igor and Marco challenge listeners to reassess their understanding of cybersecurity, urging them to consider not just the technology but the human element of this intricate equation. They explore how the convergence of compliance, risk security, and operationalizing compliance can potentially transform the industry.
Intrigued? This episode of Redefining Society is one you won't want to miss. Join Marco and Igor for an enlightening exploration of a topic that touches us all. Listen in, ponder their insights, share the conversation with others, and don't forget to subscribe to the podcast. Cybersecurity is everyone's concern – let's start addressing it together.
_____________________________
Resources
SEC Issues $279 Million Whistleblower Award, Its Largest Ever: https://www.wsj.com/articles/sec-issues-279-million-whistleblower-award-its-largest-ever-517b9640
Cyber Whistleblowing a Critical Check on Corporate Malfeasance in IoT era: https://www.linkedin.com/pulse/cyber-whistleblowing-pivotal-ensuring-corporate-iot-igor/
How to Improve Cybersecurity Compliance With Real-Time Data and Automation: https://accelerationeconomy.com/cybersecurity/how-to-improve-cybersecurity-compliance-with-real-time-data-and-automation/
____________________________
To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast
Watch the webcast version on-demand on YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllTUoWMGGQHlGVZA575VtGr9
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/advertise-on-itspmagazine-podcast
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.
_________________________________________
voiceover 00:15
Welcome to the intersection of technology, cybersecurity, and society. Welcome to ITSPmagazine. Let's face it, the future is now we're living in a connected cyber society, and we need to stop ignoring it or pretending that it's not affecting us. Join us as we explore how humanity arrived at this current state of digital reality, and what it means to live amongst so much technology and data. Knowledge is power. Now, more than ever.
sponsor message 00:47
BlackCloak provides concierge cybersecurity protection to corporate executives and high net worth individuals to protect against hacking, reputational loss, financial loss, and the impact of a corporate data breach. Learn more at blackcloak.io. Bugcrowd's award-winning platform combines actionable contextual intelligence with the skill and experience of the world's most elite hackers to help leading organizations identify and fix vulnerabilities, protect customers and make the digitally connected world a safer place. Learn more at bugcrowd.com. Devo unlocks the full value of machine data for the world's most instrumented enterprises. The Devo data analytics platform addresses the explosion in volume of machine data and the crushing demands of algorithms and automation. Learn more at devo.com.
Marco Ciappelli 01:52
Right here we are redefining society. I was gonna say redefining cybersecurity, but that's actually Sean's show. But in a way, I think that leapt off the tongue here because we are going to talk more specifically about cybersecurity today, or at least more than what I normally talk about cybersecurity, except I want to touch society, I feel like I have to bring it into the show. And so it's become cybersecurity. Something that I don't know, people don't really want to talk about it, unless they're in the industry. But they're gonna have to, it's kind of like, you can't keep closing your eyes or put your head under the sand or pretend that I'm not seen. If you don't see, I don't see you, you don't see me. So truth is that we are dealing with that. And I think one of the proofs for that is the fact that more and more there are news related to cybersecurity. And it's not just about the good old breach, right? There are certain regulations, regulators, they want to know more about it. And I'm not just talking about Europe, but I'm talking about the US in this case, and I got this pitch for a conversation related to an article about some Western whistleblower award that's a little higher than what we thought it was going to be, the record already, which when I saw the number, it wasn't that low anyway. And I brought it here, Igor Volovich, with hope I didn't chop the last name, and I pronounced this correctly. But if I did, you can correct me, from Qmulos. And he has some thoughts about this article. And I think we're gonna go well above and beyond this article. So Igor, introduce yourself, and let's get started.
Igor Volovich 03:57
Igor Volovich, actually pronounced Igor, but it's a calendar. And of course, you've got a foreign name, too. So I'm sure you get a lot of that. So it will have a chat with Qmulos. I'm the Vice President compliance strategy, which well, what's compliance strategy? It's a kind of a nebulous concept. And while strategy is difficult to define to begin with, compliance strategy, it's really a way to think about the roadmap towards compliance. And what does compliance do for an organization? These are the kinds of things that I like to talk about. There is a kind of a perception of compliance as a lagging indicator, something that you look in the rearview mirror of, and you just kind of look at it and say, well, this is what happened three months ago, three weeks ago, three years ago. If you look in the federal space, it's common for compliance data to be very old, which means it's irrelevant for security purposes. Right. So these are the kinds of things I like to talk about: the convergence of compliance, risk, security, operationalizing compliance, bringing it into a real world, into real time and making it less of a paper exercise and really a tool of risk management. And so that's what my function is. I do a lot of analyzing, I talk within the industry and hopefully outside the industry also. As you mentioned, cybersecurity touches everything. So we know that, right? Then when people talk about cybersecurity, they typically think about technology, right? That's sort of almost synonymous. Think about cyber, you think about hackers, you think about The Matrix. And you know, bad guys somewhere sitting in Russia and Belarus and Romania, and many, many other places, right? 100 countries have hackers operating actively. So, but it's not really about that. Really a better synonym for that is trust. Cybersecurity is really about trust. And that's what I'd love to talk about, and talk about the context of this huge whistleblower one.
Marco Ciappelli 05:38
No doubt. And I think that when you see news like this, and you read it for what it is, but then like I said at the beginning, and we were talking before we started recording, it could be symptoms of many other things happening in the industry, and the way that regulators are coming to face and to deal with this reality, and the how, and I think this could be a good start of the conversation, how compliance is not enough, we have to kind of social engineer ourselves into thinking outside of the box. And I'm wondering if there's, you know, going for compensating more people that blow the whistle, it's, again, the way to go. It's a way to kind of face defeat at this particular time where we need to use this kind of strategy instead of the technology that should resolve technology. So I would like to know, what is your thought on this? Or if compliance is the reason maybe why we were getting here?
Igor Volovich 06:47
I'll make it very simple. And Marco, this is a great question. Right? You know, is compliance the culprit? And my contention is, right? In fact, right now? I'll make it very simple, right? Compliance is at fault. And here's why. Right? So when we think about compliance, what the function of compliance is, regulatory compliance, industry-specific compliance, mandates, executive orders, etc. All of it is meant to really control behavior, right? We're trying to mandate behavior, we're trying to verify that the behavior is actually occurring the way that we intended it to occur, and it's always about managing risk. Unfortunately, the way compliance has been structured in many industries, including the cybersecurity industry, it's typically a lagging indicator. What I mean by that is we're capturing past state, it's a historical reporting function. So a control fails or a control was not in place, where we say a control is left open, always deficient in some way. And when we talk about control, we mean anything, you know, it could be a policy, it could be an operational control, it can be some kind of a workflow that has to be in place, and it's not, or it's not being performed correctly. Or it could be a piece of technology. And when you talk about technical controls, that's what we refer to them as, typically a piece of technology, right? If that's not in place, it creates what we call a vulnerability. It's an opening, it's an opportunity for the bad guys to take advantage and exploit the environment and really dig in, go lateral, go vertical, and extract data, encrypt data, create ransomware scenarios, et cetera, et cetera. Right? So compliance is supposed to give us this consistent model, right? The frameworks, the standards, the regulations, the very prescriptive guidance on how to manage risk, except, you know, it's all great ideas, you know, do this, don't do that. Protect yourself this way, watch out for these kinds of threats.
And it captures the kinds of threat profile that different industries have. So all of these are great ideas, except all of them suffer from the same problem. The problem is, they're always capturing that past state, right? You're looking backwards. And that's where the failure point is. Right? So great ideas, terrible implementation, and it's nobody's fault. It's just the way it's been done. So
Marco Ciappelli 08:52
Based on what you just said, I definitely agree. I mean, on one side, you know, coming from sociology, I wish people used common sense, and we didn't need to tell them to, you know, I don't know, put the seatbelt on or don't burn yourself, don't put the house on fire, but they do. So we have to actually put it on labels. And then, you know, tell people what to do. So let's not go there. But we expect that people that are in cybersecurity, they are experts, they do it for a reason, right? Because they believe in what they do. And they know that there is an enemy out there, which is going to screw up things. So is there compliance? No. Is compliance not working because the standard, that baseline, is too low? In our opinion, or is it very much a concept that we shouldn't use as we're using it?
Igor Volovich 09:52
So the legacy kind of compliance, the traditional compliance that captures that past state, that's basically a paper exercise, you know, things happen. You do an audit or you do an assessment, and you figure out that a control has failed. At some point later down the line, that piece of information winds up on some dashboard or on some report that somebody may or may not read. Right. And there are regulatory requirements. Of course, the SEC requires disclosures. CISA, which is the Cybersecurity and Infrastructure Security Agency, which is a subset of the Department of Homeland Security, requires disclosure within actually hours of a breach. So there are things like that right there in place. The standards themselves are good. They're constantly being updated. They're very detailed, they're very advanced. There are literally scientists, computer scientists sitting at NIST, the National Institute of Standards and Technology over in Maryland, creating these standards, right? They have industry input. I mean, these are great ideas, right? Some of these are industry self-regulatory standards, like PCI DSS, that is meant to secure the credit card infrastructure. So these are fantastic ideas, if we only follow them in real time, and this is where the caveat comes in. Right? If we could do it in real time, a lot of this stuff wouldn't exist, we wouldn't see these breaches every day, you know, the news headlines. Every day, somebody's getting breached, there was a ransomware attack, you know, if we're tracking it in real time, we would probably get one a minute, right? It's happening all over the place, the malware ecosystem. I mean, I spent years and years working with law enforcement, chasing pancakes around the world, trying to disrupt criminal networks that are using malware to create things like ransomware attacks, and data extraction models, etc. Right.
So we have all the tools in place, we have a complete surplus of the kinds of technology, and there are over 4500 vendors working in the cybersecurity arena, right, there is no shortage of technology. And the idea that we have a shortage of people, we can have a conversation about that. There are some thoughts around that, whether it's a shortage of talent, or it's a deep, artificially depressed pay scale for the talent, right? It's basic economics, right? Supply and demand. We have plenty of demand on paper, but somehow we just can't turn out enough talent. There's a conversation to be had about that. Maybe it's not for the podcast, right. But in terms of tools, technologies, our understanding from an operational perspective of how to do this, right? We all know how to do this, right? And the standards inform us in doing it right. The thing that's missing is bringing it into real time. So is compliance broken? From that perspective? Absolutely. If only compliance can be automated in real time, we could have the kind of convergence that we had experienced before with things like DevSecOps. I mean, most of the audience probably haven't heard that term, but basically, development, security and operations: operationalizing the development of computer code, and making sure that it's secure at the same time, right, not bolting on security after the fact. So we talked about a similar transformation that took probably most of the last two decades for that concept to be embraced. And I certainly don't want to spend the next 20 years evangelizing this idea. But if I have to I will, right, I'll delay my retirement. And I'll keep pushing this idea because I think it's super critical, right? We have invested so much into compliance. And so much is spent on compliance. I mean, companies spend close to 40% of their security budget, sometimes, on compliance, and they extract no value out of it.
From a security perspective, it's strictly a paper exercise, right? We're capturing past state, we're reporting it, and then we rinse, repeat, wipe hands on pants, and we do it again next quarter, next year, etc. Right? No value universally derived from this function. Folks don't want it, right. CISOs don't want it, chief security officers, they hate having compliance in their portfolio. It's just a drain of resources and money and workflow and cycles. Right, and they get no value out of it. So the only thing, the only answer from my perspective is you got to bring compliance into real time.
Marco Ciappelli 13:51
I mean, when I look at it, so I have two thoughts. One, before I go into the nowadays technology, what could allow us to have this compliance in real time, and I'm curious to know what the answer is there. I want to think a little bit more about this article. And do you see these? I mean, what is it that struck you and you said, I'm going to pitch to talk about this article on the news, right? Because when I saw it, I was like, that's no good. Are we really going there? Because again, as I said at the beginning, we have no other way to do it. Or it's just something that is going to be so effective anyway, that it's kind of like a necessary evil in a way, because people don't have a good perception of whistleblowers, not lately, more than ever.
Igor Volovich 14:51
Yeah, I mean, look, literally this morning, we had hearings in Congress from whistleblowers who came out of the FBI, right, and we're not going to get into the politics of it but, you know, whistleblowers, yep, they get hurt. They suffer. I've personally worked in places where I had to protect whistleblowers and step in to protect their livelihood and protect their jobs and keep the company from actually hurting itself. Because they were about to act in a retaliatory fashion against a whistleblower, right, because these are protected acts. Right. So I've been very familiar with this function for a long time. I've worked with whistleblowers, I've protected them. And I feel that whistleblowers are really kind of that ultimate canary in the mine, right? You can try to operate in an atmosphere of malfeasance, you can try to conceal things. In fact, I wrote an article about whistleblowing in 2015. And I co-wrote it with actually a famous whistleblower attorney in DC, Debbie Katz, who you probably have seen on TV, right, in some congressional hearings. The idea back in those days for me in 2015, when I wrote it, what I said was, look, whistleblowers act as this ultimate safety valve, right? No matter how much a company tries to conceal, there are two things that can happen to really blow the covers off of something like this. One, it's a whistleblower, the other one is a breach, right? A breach happens and all of that concealment goes away, right? You can only play this plausible deniability game for so long. You can say, well, cybersecurity is too complex, compliance is too complex. We didn't know, we didn't understand. Right? And more and more, we're seeing agencies like the FTC and the SEC, and the federal government in general, right, and also the regulators within the industries themselves like FINRA, they're saying, look, you're on gapping up plausible deniability, it is your job to know. Whether you know or you don't, that's on you. Right.
So pretending, you know, kind of head in the sand, as you mentioned before, right, playing the ostrich game? Well, it's still, we didn't know, right? It was too hard. And I'm not equipped, I'm not qualified to know these things. That's not acceptable. Right. And so the problem with enforcement that we've seen from the SEC and the FTC in the past is it's sporadic, right? It's not consistent, because we can only act upon known past acts. Right. So again, we get into the same retroactive perspective, right? It's acts that already occurred. So it's meant to create this deterrent effect. But guess what, we've been doing deterrence since the days of Hammurabi. Right, the first compliance code that's known to us, right, the first written compliance code was the building codes within the laws of Hammurabi, the code of laws of Hammurabi, right. And what do they say? You know, if you're a builder, and you build a house, and it collapses on the family that lives in there, it's your responsibility, and we collapse the house onto you. Right? Very direct, right? And of course, from there, we evolved to the current fire codes and building codes of today. But the model is still the same. 3700 years later, here we are, it's determined, right? And with the complexity of cybersecurity, it's not as simple as a building collapsing, or somebody said, right, it's a control that failed, somebody forgot to do something, or they intentionally didn't do something, right. And it's easy to hide that. So ultimately, you've got these two safety valves. One, well, it's a breach, right, exposes everything, really. And then you get to realize, well, you weren't secure at all. And on the other hand, you've got whistleblowers who will expose it, and that's where the SEC comes in with their rewards.
And they should be there, right, that incentive should absolutely be there. We're seeing the DHS Secretary has a civilian cyber-specific whistleblower program that they're rolling out there and evangelizing very hard. They're trying to tell people, look, if you know something, say something, you will be rewarded. And in fact, your reward could be a percentage of the recovered sums. We had a recent case, a federal contractor, Aerojet Rocketdyne, a federal contractor that worked with NASA, launched rockets. And they were executing contracts for a number of years claiming to be cyber compliant. Well, a whistleblower came out, actually happened to be their director of security, and said, we've been lying for years, right? So about $1.2, $1.3 billion worth of contracts were executed, they got paid, the rockets flew. And yet, they pulled the covers off, turns out they've been lying about it. So I think the company settled for $9 million with the federal government. And the whistleblower got paid, I think, somewhere around two and a half million. So on the scale of things, you know, 1.3 billion, 9 million, today, what's the cost of doing business? To that whistleblower? Right? It's a life-changing event. And yet, folks keep coming out because they're so incentivized, not by the monetary reward. I mean, that's important, right? Because basically, what you're doing is you're setting them up for life, because they've lost their career. Right. So that's really the purpose of it. But more importantly, they're driven by ethics. And you depend on that, right. And to me, I mean, I applaud whistleblowers because they serve as that ultimate safety valve, right? That's why they're critical, you know?
Marco Ciappelli 19:43
Yeah, and there's so many thoughts in my head. One, being Italian and thinking, you know, the culture of the mafia, you know, not to advertise, but that's what it is, you know, everybody just shut up and nobody's seen anything, nobody's done anything, and otherwise there'll be consequences. And now this is the extreme where, you know, it's delinquent. But what you describe and all the other situations that made me think about it, it's not just a cybersecurity issue, it's more of a human issue. Right? So the point is, are we ever going to address that? Or is it just part of being human? So in a way, I'm like, if we want to take this covering up or having the fear of losing a job, losing a career, and all of that, and repercussions on actually being honest, and ethics and saving maybe people's lives, maybe saving a lot of money for a company, is there like a magic technology, an AI, that is going to come and be like, look, I got no feelings? I take care of that. I'll see what's wrong. And what are you going to do? You know, I don't need money to pay my rent. Right. So I don't know. I mean, it's a big question. Right.
Igor Volovich 21:11
You know, you mentioned America, right? And so there's a recent article that came out in April, that's the third of your organization actually admit to covering up cyber breaches, right? So if they don't go public, they just keep it under wraps, right. And 42% of IT and security professionals actually, were told to conceal breaches and conceal malfeasance and conceal non compliance. So
Marco Ciappelli 21:34
Legally, you're supposed to, of course.
Igor Volovich21:37
absolutely. And the SEC. I mean, because we ultimately what we're talking about is trying to correctly price the cybersecurity risk into well, decisions, but ultimately, the shareholder value, right, they the stock price. And so when you look at the SEC and their enforcement mandate, they look at it strictly from that, you know, there's a duty to disclose public information. And this is critical, right? You know, cybersecurity is no longer just an item on the balance sheet, or it's just, uh, you know, one line on the annual report, you know, or the quarterly report, right? So the 10 q 10k. The SEC is expanding its guidance. And in fact, it's saying, look, a you have to have cybersecurity expertise and your board B, you're gonna get to have this plausible deniability, because, you know, cybersecurity is just too difficult, right? We just didn't know we couldn't figure it out. It's your job to know it's your job to figure it out. And it's your ultimately you're accountable, your responsibility, accountability to report this credibly, right. So you can't you can't play this game anymore. And when you don't, you get these big judgments. And of course, on the one hand, you're incentivized to do the right thing. On the other hand, the whistleblowers are incentivized to disclose when you're not doing it, right. Of course, the ultimate disclosure is the breach, right? Because once it goes public, you know, you can't conceal it. And so then you wind up with congressional testimony like, you know, the CEO of Colonial Pipeline, if you remember a couple of years ago, sitting in Congress and saying, look, here's my compliance report, we were fine, right? We didn't have password 123 as a password. And yet, people were able to get in, right and exploit and it was very simple exploitation, right? It didn't, it didn't require very advanced hacking techniques. Because again, they left something off of their of their compliance report. 
They didn't know about it, it was maybe an honest mistake. But here's the thing, this idea of like, it's an honest mistake, because while things are just too complex, again, out the window, no, go. And if you're a public company, absolutely no, go right, you have to know. And let's say this, right, and I'm not to take to to go for a few lemons. But we have seen historically, at least for the last, you know, 15 years, we've been waiting for the for the time, we're either consumers, or shareholders will wise up and start making their investment or their buying decisions on the cyber security posture of either the the, the company that will invest in, or the company that want to buy from, and we haven't seen either, right? What we have seen is we've seen bad guys do insider trading based on their internal knowledge of nonpublic information that they would get through hacking, right, they would break into a company figure out their quarterly results, and then they would they would short the stock or they buy more of the stock, they do options, plays, etc. Based on that data. So the bad guys are not constrained by any sort of organizational boundaries or any sorts of, you know, ethics. That's kind of your pure economics at play. Right? You know, the bad guys always find a way. Right. And, you know, as Milton Friedman said, you know, regulation is government intrusion into efficiency of the market. Right? Well, that's pure efficiency of the market, right? The bad guys, they don't respect anything they break in. They're the ones who have been able to figure out how to price it and price cybersecurity into the price of stock. The community writ large has not been able to right and so to me, again, when the when the SEC does their enforcement action, and and also does their whistleblower awards. 
The again, these are symptomatic of the fact that we don't have an economic model, a sophisticated model for the investors To really price that process, and it's an afterthought, much like most of security is an afterthought. And compliance is most definitely an afterthought. Right? So is this as problematic, right? So we have to rely on things like whistleblower awards, and SEC enforcement action or FTC enforcement action, DHS says enforcement action, et cetera, et cetera. Because, again, it's sporadic, it's haphazard, it's not consistent. And this is not a way to assure trust in a digital ecosystem and a digital economy. Right? That's the thing that kind of keeps me up at night. So when folks kind of go, Well, what about this breach? What about that, but what about this standard? What about this framework? Which one should we pick? And how should we apply it? Pick the one that's relevant to the industry because that most likely represents the most relevant threat profile for that industry, right? PCI DSS cardholder environments, you know, FISMA, federal environments, etc, etc, right? There's many, many frameworks. But the one thing that I will say is, no matter the framework that you pick, or that's picked for you, by regulators, strive to bring it into real time, whatever you do, make it real time. And guess what security operations is already happening in real time. It's been happening forever, we would never dream of doing security operations running our socks, right? Secure operation centers on data from three months ago. It's impossible. It's inconceivable, but yet compliance makes up. So there's this one kind of stepchild, the redheaded stepchild, sitting off to the side, I like the little kids table, you know, the big boys are playing with the big toys, you know, they're playing with real time toys, they're pulling data into their Sims, they're into their data lakes, they making analytics happening in real time. 
And here's compliance off to the side, you know, with their pocket protectors and their, you know, taped glasses, doing nerd work of pulling these controls in by hand, making phone calls, doing data calls, shuffling a lot of paper. Really, I mean, not to denigrate anybody, but I call these human fax machine functions. Like, they're acting as human fax machines, they're sneakernetting this data around their environment. And by the time it gets there, there's a huge compliance lag built in, right. By the time you know of some failure, it's been months. And by the time you actually get some report, and somebody makes a decision about it, and they get to do something about it, mitigate that risk, fix that hole, fix that vulnerability, it can be months, if not years, and we've seen it time and again and again. Right? The mantra for the industry is "compliant, but not secure." Well, it doesn't have to be that way. We're struggling as an industry to really elevate compliance to that same timescale that we've had with risk and security operations.
Marco Ciappelli 27:29
Yeah, I mean, a lot of thinking about where technology is nowadays, and we always say regulation cannot move as fast as technology, it's too fast, we're always catching up. That can come with ChatGPT and copyright laws, for example, just to bring one out there, or how we're going to use the new technology that all of the time is out there. So talking about new technology, I'd like to wrap this conversation with you doing what I like to do the most, which is asking you to put a hat on, like your futurist hat. And which often is also the present, because I'm assuming, from the things that you say, I'm understanding that this real-time compliance is possible, it's not just a dream. And maybe, you know, look at what could be in an ideal, utopian cybersecurity business world, maybe 10, 15 years from now, just so that we have something to think about as we move forward.
Igor Volovich 28:35
Absolutely. I think, to me, the real answer is automation, and reducing our reliance on manual labor as much as possible, especially within the compliance sphere, right? Because that's where a lot of those manual cycles go. Right. And I hate to say it, but they go there to die, right? That, you know, we spend all this time sneakernetting this data, or, you know, manually deriving this data from our environments, trying to gain that visibility and dispel this kind of fog of war across our enterprise environments, trying to figure out what's going on, right? I mean, basically, let's just simplify it. Right? What is going on? And how do I know what's going on? Right? I mean, it becomes kind of a philosophical question, right? You know, here's what I think I know about my environment. How much can I trust it? How much can I believe it? And so you have to ask that kind of macro question. And the next-level question: well, here's the data. Can I trust this data? And so you have to know who's watching the watchers, so to speak, right? And so automation, to me, is not just a cool thing where we go, hey, we're automating, right, it's great. You know, we're going to buy some technology, and we're going to automate, and we're going to automate data flows, we're going to ensure that analytics are happening in real time, we're going to enable technologies like big data and data lakes and cloud and, you know, make all of this kind of come together in real time, give us real-time insights. It's not just for the sake of the technology evolution. Right. And I think a lot of these conversations unfortunately start there. They start with the tech. They start with what I call bottom-up, right, we start with the tech, we try to then figure out, well, what are the use cases? What's the value we're trying to derive out of it? I tend to work in reverse. I tend to envision that end state, as you said, put on my futurist hat, you know, what's the n plus two, n plus three?
What does the future look like? What is that nirvana state? And to me, the nirvana state is automating everything that can be automated. So automate the automatable. And figure out the absolute things that you've got to have human cycles on, right? Where is the human brain required? And where is it not, right? And if you have hands moving data, get away from that, right? That is the most basic automation you can do today. And it's not really a question of technology. It's a question of strategy. You know, if you are married to these legacy models, these legacy operational frameworks where you have silos, you know, you have different departments, right? There's a great quote from the director of CISA, Jen Easterly. She said our adversaries are unbounded by bureaucratic organizational boundaries, right? They don't worry about, is it in compliance? Is it risk? Is it security? Is it, you know, the business unit? They don't care. Data is data, right? And we need to adopt that same mentality, that same philosophy. It's just data, right? And once you start converging your mindset, then you start converging the data points, right. And once you realize, well, a lot of this data is the same data, and you don't have compliance data and security data and IT data, it's all just data. And we see some of the forward-thinking enterprises out there doing this already. You know, I'm aware of a couple who are in the healthcare space, who are actually converging a lot of that data, dumping it into a data lake, and letting AI and ML, machine learning, figure out these patterns that a human would not be able to figure out, right. And they're fusing their fraud cases in the healthcare space, they're fusing their financial cases, they're fusing their cybersecurity cases together. And they're figuring out how one feeds into another.
It's like we're standing at the precipice, especially with things like ChatGPT and generative AI, where the machine can really figure out how to kind of program itself, right? It's super exciting for me, because the biggest thing in cybersecurity is the sheer volume of data. But it's what we call the fog of more, right? The fog of war, but it's really the fog of more. And we have so much, right. So for me, automation, augmenting with machine learning, augmenting with AI, it carries a lot of promise. But again, we have to be very careful at how we apply it, right, because that's the question that's started to come up. Well, you know, I've got 400 analysts doing compliance in my environment. I mean, in large federal environments, large federal contractors, it's not uncommon to have several hundred analysts who are working on nothing but compliance. Well, what happens to them? Right, what do they do? Do we train them? Do we now get onto a conversation that we had a few years back, where, you know, miners in West Virginia are going to have to write code, like we're going to teach them, at 55 years old, how to write code? Like, that kind of stuff, it becomes really uncomfortable. And you hear folks like Elon Musk and others, you know, Sam Altman, they're talking about things like universal basic income, because then you start worrying about, well, what am I going to do with all these folks? They might be, you know, too far down their career path to really retrain, or unwilling to retrain. So you have to kind of apply, it's a multifaceted conversation, right? You have to be applying systems design thinking to the entire problem, right, and you have to understand the political parameters, the policy parameters, the strategy parameters. All of this has to come together, right? It cannot be just a conversation about technology, or about AI, or about compliance or regulation. All these things kind of have to be talked about at once.
And it's really hard to bring enough folks into one virtual forum where these conversations can happen, because, you know, we tend to kind of follow our own tribe, right? That's the big problem. So I have a lot of hope. I think, going out two to three years, I think we're looking at AI being kind of a copilot, and in fact, Microsoft calls their AI Copilot, right, within GitHub. So it's kind of a copilot. I don't think we're ever going to relinquish full control. It's kind of like, we're now going to have robots flying commercial airliners? It'll just never happen. Why? Because when you have skin in the game, right, you need the pilot up front, because his life and my life are in the same boat. Literally, right? You need that. So I think it's more of a copilot conversation, and I can see more and more augmentation start to happen. So that's what I'd like to see. And I think we're moving in that direction already. You know, big companies like Splunk, for instance, give them a shout-out, you know, a lot of respect for what they do, and they're onboarding those kinds of use cases. I mean, there's literally not a company today that's not thinking about AI. A lot of it is kind of buzz, right? They're trying to capture momentum, capture the trend, capture the buzz, you know, trend-jack, if you will. But in reality, if you're being conscious and conscientious, and really have a lot of integrity in that conversation, I think you can derive a lot of value out of AI, and especially generative AI and large language models. Look into compliance: pulling all that data together, interpreting that data, again, lots of data, it's very verbose, and interpreting it. Absolutely. I mean, a large language model is totally meant for that.
So I think we can increase our efficiencies without scaring a lot of people up front, and really demonstrate how we shrink that compliance latency, shrink that lag from the breach or the control failing, to us detecting it, and then doing something about it, really shortening that window of opportunity for the bad guys to exploit. That's really the ultimate objective here: close that window down to zero if we can. We know we can't, but get as much done as we can. So if we're doing that, I think that's kind of my litmus test. Ultimately, no matter what you bring me, technology, strategy, good ideas, good regulations, the question I always ask is, how will it shrink that window of opportunity for the bad guys, that vulnerability window? And if we're doing that, we're doing the right thing.
Marco Ciappelli 35:50
Yep. They sure don't care about regulation and compliance. That's the bad guys. They don't.
Igor Volovich 35:59
Hackers don't care about checkboxes. They've been saying that for the last few years.
Marco Ciappelli 36:02
Yeah, yeah, I've seen a few quotes along that line around the internet. And then coming back from RSA Conference, just from a couple of weeks ago, I can definitely say that AI, and everything AI-powered, was definitely one of the big buzzwords during the event, and rightfully so. Let's accept that. I mean, it is an incredible tool, and we need to use it. I love your copilot analogy there. And another thing that I want to say, closing this and thanking you, because you're a really, really great speaker, I was fascinated by how you deliver everything, Igor. And it also made me think about how what you said is obviously about cybersecurity, but I cannot stop from saying this is true for the medical field. And that's not just because you're wearing what you're wearing. And people listening to the audio, they should definitely check out the YouTube, I'm not going to give it up. But there is a field where there is so much knowledge, and why wouldn't you want to have an artificial intelligence reading through millions and millions of scans and figuring out why that is happening while it's happening? There's too much knowledge to manage. And so it goes for a lot of other things. So, on the Redefining Society Podcast, a lot of our audience is maybe not only involved in cybersecurity, but they're curious, they want to know, and I think the picture you painted is a really good picture of what the future could look like. So I want to thank you for that. And I hope you'll join me again for some more conversation later on. And for everybody listening, there'll be links to the article that started it all, even if we went way above and beyond that article, and to connect with you and to your company and anything you want to share in terms of resources with us. So thank you very much.
Igor Volovich 38:13
Thank you, Marco. I appreciate you having me on.
Sponsor message 38:18
Devo unlocks the full value of machine data for the world's most instrumented enterprises. The Devo data analytics platform addresses the explosion in volume of machine data and the crushing demands of algorithms and automation. Learn more at devo.com. Bugcrowd's award-winning platform combines actionable, contextual intelligence with the skill and experience of the world's most elite hackers to help leading organizations identify and fix vulnerabilities, protect customers, and make the digitally connected world a safer place. Learn more at bugcrowd.com. BlackCloak provides concierge cybersecurity protection to corporate executives and high-net-worth individuals to protect against hacking, reputational loss, financial loss, and the impact of a corporate data breach. Learn more at blackcloak.io.
Voiceover 39:21
We hope you enjoyed this episode. If you learned something new and this podcast made you think, then share itspmagazine.com with your friends, family, and colleagues. If you represent a company and wish to associate your brand with our conversations, sponsor one or more of our podcast channels. We hope you will come back for more stories and follow us on our journey. You can always find us at the intersection of technology, cybersecurity, and society.