Episode #82 Outsourcing and Cyber Risk Management with Brendan Smith
We welcome Brendan back to share what has changed since we last spoke. We discuss his new role as CISO for Cube Networks; outsourcing and cyber risk management; and the 3 key things he has seen change in cyber in the last six months.
Brendan Smith had a vocational interest in security, across various internet technologies and cryptographic systems, prior to commencing his security career, and maintains his technical interest to this day. He has built high performing teams through authentic leadership, and continues to mentor and coach new entrants into the field. As the CISO for Cube Networks, he brings his experience from major enterprise to a new audience, enabling them to mature their security governance and defences in the face of increasing threats.
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales and today's guest is Brendan Smith. We first met Brendan in Episodes 58 and 59. It was an episode we split into two as I loved all the content, but we talked for much longer than my usual 20 minutes. And so Brendan, it's great to welcome you back on the podcast today.
BS: Hi, Claire, thanks. Thanks for having me back and it's good to see you again. And hello to everyone out there in The Security Collective world.
CP: So since we last talked to you a lot has changed both for you and the security industry. So let's start with you, Brendan, what are you up to now?
BS: Yeah, you're right, it's certainly been a time and some change for me, that's for sure. Since I left Tabcorp at the end of last year, I've now joined Cube Networks as their Chief Information Security Officer. And in that role, I've got a couple of very different and complementary mandates. So a completely different role to what I was doing when I was at Tabcorp. First, Cube for those who don't know them, is a network integrator and a service provider. And they've always done some security work that's related to the networks that they implement and support, you know, sort of firewall management, VPNs, and things like that. But last year, they decided, before I joined, to complete their ISO 27001 certification, which is a significant commitment by them to their internal security. And as their CISO I need to maintain and continue to build on that internal security posture, because as you know, and as any CISO knows, supply chain risk is a major risk for all organisations these days. And we may need to be able to give our clients the assurance that we're doing the right things internally, and that we're not going to be a conduit for any form of attack into their organisations. So we take our internal security very seriously. And we make sure that all of our clients understand what we're doing, we share with them what we're doing. And that's part of my role is to make sure that clients understand what Cube does. Secondly, I spend a lot of time just going out talking to our clients and others about what they can do to improve and mature their own security. And really just offering my experience and being the advocate, if you like, for their security internally. I don't really talk much about solutions and things, that's not really my role. But I'm there to make sure that they understand where their risks are, and the sorts of approaches that they might need to consider to mitigate them.
In that sense, I'm kind of there to close the gap and bring a top down view of cyber. So whereas historically, we've done a lot of work, you know, bottom up if you like looking at solutions, and how engineering can support security and cybersecurity. I'm there to bring in my experience that I've had at Tabcorp working with executives and boards to bring that risk and governance view into some of those organisations that might have been missing it. And on occasions that sort of stretches out into the sort of work that you do, where I look at doing the virtual CISO role, where I might help an organisation for a day or two a week, over an extended period of time to bridge that gap between the operation space and the executive space, which has been fascinating.
CP: I'm interested to know as well from you, you know, you came out of Tabcorp, which was a much bigger corporate. And now you're in a role that's serving small to medium businesses, what's been that major shift for you in your mindset or your thinking, from serving an internal customer, to serving an external customer?
BS: It really brings a few things into very sharp focus very quickly. I guess first, my impression so far is that security in some of those SMEs, we tend to be towards the M rather than the S, but it's still very point solution driven. I guess if you're an organisation you have a choice between spending your money on someone to come and do risk assessments, or alternatively spend the same money on a firewall or a mail filtering service from a vendor, then you choose the latter because that gives you that immediate protection and therefore, some of those governance and risk functions kind of go by the wayside a bit. Large organisations can scale and do both. They have the governance frameworks that will drive that, whereas small ones might have an IT management function and they have a security operations function, but they miss that middle bit, the security management and the CISO layer. Threat, risk and governance are not always well understood, documented, executed. And so I try and use my experience from, you know, working in that large organisation, to bridge that gap. One of the things I thought about when thinking about this topic was that we talked about SMEs, and we kind of lumped them together as being anyone who's not in Collins Street (Melbourne). But in fact, some of these SMEs just have very different financial operating models. So I'm currently working with one organisation, and we work with a lot of retail organisations, they operate on extremely tight margins, they have, you know, very strict cost control in the IT space and, obviously, therefore, in the security space. You know, even though they face the same threats that large organisations do, they perhaps don't have that full appreciation. But it's an organisation that turns over pretty much the same as Tabcorp did. It's just they have a different way of looking at it and managing that.
So I think that I've had to learn how those organisations think about their finances and therefore fund their IT operation, and use that as a way of also talking to them about the way that their risk modelling needs to work for cyber security.
CP: So what are they coming to you for what and what are you seeing as their pain points from a cyber perspective? And I guess, are they coming to you with problems that they're seeing, but when you're sort of reflecting back to them are they really their true issues? They've got a certain understanding of what their pain points are. But from a supplier perspective, are you recognising that maybe what you're helping them with is something bigger or different to what they're coming to you for initially?
BS: Yeah, I think that they do know, in some respects. I mean, their biggest challenge often is scale, you know how to cover all the bases that they need to cover with a minimum amount of staff given that their budgets are usually tight. That hasn't been helped by the pandemic, of course, you know, they're in the same marketplace for staff, as are the major enterprises who can afford to up the ante. And so finding and keeping staff is really a big challenge for them. They have the same sorts of threats and challenges as major organisations. Security awareness is one, that's a big one. And they all recognise that they have a challenge with Security Awareness and culture and training. You know, if you think about some of the larger organisations that we deal with they might have 16,000 staff in retail outlets, how do you do security awareness training, and what security awareness training is really relevant for them compared to head office staff, for example? Visibility and coordination, you know, finding out what's going on in their environments, the challenges around the threat profile. I spoke with the CFO of one organisation, and we just talked about the particular threats of ransomware, and how that would impact and play out on their organisation, given what I knew about their IT infrastructure. And whilst he had a conceptual view as to yes, ransomware is a "bad thing", you know, and we wouldn't want to get it. By the time you talk through well, this is the impact, this is what will happen, this is how many days it will take before you've actually wiped out your net profit for the year. And when you break it down and show them that actual threat and what the true impact of it is, and then compare that with, you know, the cost of remediation, it becomes very real for them. And I think that that's part of the problem, is that they have this conceptual view as to what attackers do, and the way cyber works and what their risks are. 
But at the same time, they have an imperative to keep operating their business and their outlets. And it is bridging that gap. And I think that’s the challenge, is making them truly aware of what the risks are that they're carrying. And that's where I tend to focus my time.
CP: You don't have to answer this question if it's commercially sensitive, but is there a particular risk framework that you use, or like or recommend, that helps these types of organisations to really understand what you were just describing around the financial impacts of something such as ransomware?
BS: I use a number of different tools in terms of doing any of my security work, you know. I rely on the common tools for assessing, you know, the sorts of your ASD Essential 8 or the, you know, top 37 or whatever it is. The NIST framework and that sort of thing. But in terms of actually analysing risk, I try and use the organisation's own risk framework as much as possible. But then input into that, you know, some true assessments of cyber risk. Sometimes the challenge is that organisations don't have a strong internal risk framework. And under those circumstances, what I tend to use as much as possible, is a quantitative model. So I've, you know, I use the FAIR framework, but also the work that was done by Douglas Hubbard in developing a quantitative risk assessment framework. So I use a format of that model in order to try and actually turn something from a colour, you know, your risk is red, into something that's a dollar figure. That you can then actually say to them, well, your potential losses are from this particular risk over the next 12 months. So as much as possible, I will use the internal framework, if that's not available, then I will turn to a quantitative framework, rather than just giving them a generic well, here's a risk assessment.
CP: Yeah. And I think that clear business risk understanding, that operational impact, the cost, you know, and having a conversation with an organisation about, you know, how many days can you operate on pen and paper, before you start to bleed money? I mean, that's a much more realistic conversation for them, then, as you said, you're currently red and you want to get to orange, or you want to get to green or whatever the combination is. Hard facts around the dollars that would start to bleed out of an organisation should a ransomware attack occur, and should you be offline for X number of days. How do you think that hits home with, say, the board, as opposed to maybe the conversation with the CISO or the CIO?
BS: The CISOs normally get it, but sometimes the CIOs don't, you know. I was fortunate enough to have that conversation with the CFO. And, you know, knowing that I was having the conversation, you know, it was a listed company, pulled up the Annual Report, I figured out what their daily turnover and daily revenue and therefore, daily EBITDA was. And then it's a pretty straightforward equation to say, well, you know, how many days before you know, you're really, really going to feel it. And all organisations to some degree are reliant on centralised IT now. If, you know, centralised IT becomes unavailable due to a ransomware attack. And we know that ransomware attacks, you know, are very targeted at taking out the centralised functions, not just all of the workstations. If your central IT function is out, then how long can you run your business on pen and paper? And in most cases, not very long. I think it was a bit of an eye opener, you know, the eyebrows went up a bit when we had the chat. And it's not a matter of, you know, saying, you know, trying to scare people and you know, I'm really not into the very negative messaging and the FUD and all of that sort of thing. And I think that the people I've worked with and reported to in the past will know that, you know, I tend to try and, you know, present things in a really realistic and objective way.
CP: Do you find that with SMEs who have a managed service for IT, or reach out to Cube for managed services, do you see them viewing that as an opportunity to also outsource their IT risk, as well as their IT operations? How can we turn that thinking around that an outsourced model is making someone else manage the risk as well?
BS: Yeah, I mean, to some extent, that implies they have at least defined their IT risks, which might not be true. Yeah, I think that there is a very real, I was going to say a very real risk, but that's probably using the word too much. I think that is a very real challenge. There is a tendency to think, well, I've handed that over, I don't need to think about that anymore. Whether it's to an outsource provider, to a managed service provider, you know, like a Cube or anyone else. Or whether it's even just to a small, you know, to a vendor or service vendor and saying, well, you know, we've put in place mail filtering with Proofpoint or something, so that's it. We don't need to think about mail filtering anymore. We've done that, that risk is gone, someone else is looking after that. I think that turning that around is very hard to do, because, you know, it comes back to getting them to understand and to own and to have that governance over risk, and to understand that security is about governance and risk, it's not just about operations. And I'm, you know, it's something that I've been talking about a little bit recently. I think part of the problem lies in the standards that we tend to promote. If you think about things like E8 or NIST, they're quite technical standards. They encourage control based security, and there's absolutely nothing wrong with that, everyone needs that. ISO 27001, which does have a section on risk, is often seen as complex and certainly something for big enterprises. So of course, we've proven that it's not. But even organisations that do have good security policies and a decent security architecture and you know, are building out their NIST maturity, they might not have a risk register, and they might not be thinking about it and driving their security through risk.
I think the only way that we're going to overcome this really, is to really continue that education, and to make sure that our relationships with our customers, we very much divide up and suggest, you know, and tell them, which bits they own and which bits we're taking on, and make sure that we plug in our service into a risk framework. So they don't have a risk framework there. You know, if we keep going along and saying, okay, we're going to run a VPN for you or something. And they say, that's great. You say, okay, well, where's the risk that that attaches to? How are we solving a problem for you? We might have to be the ones that guide them into drawing that up. And rather than just saying, oh, well, you haven't got it, so it doesn't matter, we'll just run the VPN, because that lets them off the hook. And so we might have to be the ones that say, okay, before we, you know, go down this path, let's make sure we're working as a partner, not just, you know, a pipes and plugs provider. Let's make sure we work as a partner in helping you to lift your governance maturity, to match what we're doing in terms of the technical security. That requires an investment by service providers, you know, it's an investment by Cube in having me perform that role and making sure that, you know, going out and talking to people and making sure that, you know, they understand that the governance is just as critical as what all of our engineers, and you know, solutions, and architects and people like that do on their side. It's just as important for us as a part of these companies to make sure that they have someone like me who they can talk to, and say, okay, let's get your governance and your risk stuff sorted out, because that's going to be the thing that gives you the comprehensive coverage of all of your security.
CP: Which is interesting, because I don't think all customers get that partnership service from their MSP. In fact, I know that's not happening. And I'm sure there's a lot of small to medium enterprises out there, and as you said, it's probably not the right label for some of these companies, but I'm sure there's a lot of them out there who have tech providers, not partners. So I think the work that you're doing is hopefully changing that situation for a number of organisations out there.
BS: Yeah, I think that's, you know, and that's one of the things that attracted me to this particular role is that I met the CEO a couple of times, Frank, and he made it really clear to me that my role was actually to go out and advocate and sort of be the face of cyber, if you like, on behalf of Cube. It wasn't to go out and do anything else really apart from that, you know, obviously, the internal stuff, but they, as an organisation, value their partnerships. And I think that Cube's not the only one by the way, there are other organisations that I know that do, do that. But there are also other organisations who operate as a technical service provider. And, you know, whilst that will provide and deliver something for the customers and it provides them with a level of security, I think that there's an opportunity for us to do better as an industry perhaps, and to make sure that we develop that true partnership and, you know, help the organisation to really lift because it's a tough world out there. And, you know, for SMEs, they're facing the same threats, you know, that some of the other organisations are. And in some cases, these threats can be existential. You know, you get a really bad attack, ransomware attack whatever else, then it could be something that, you know, is really threatening to the continuing existence of the business.
CP: I've been asking all my return guests this season, what they think has changed since they were first on the podcast. And you were with us earlier this year, but I still think in the six months since we last spoke to you, a lot has changed. For you what would be the three key things, what's changed in cyber since we spoke six months ago?
BS: So I think, in the people space, you know, we could all talk about how tough it is trying to get, you know, good cyber staff, or good network security people or whatever else. Anyone who has experienced senior roles, you know, a number of my colleagues who are CISOs or equivalent, you know, have changed jobs in the last six to 12 months. It's quite amazing how fluid that market is. But I think that the big story in people is probably the increase in board level interest in cyber. I was fortunate at Tabcorp to work for a board and an MD, who took a very active and proactive interest in cyber. And they got that it was their field, they wanted to know what was going on. And I think what I've seen more over the last six to nine months is organisations like the AICD, who are really driving that message to all boards, large and small, making sure that they know that they need to be engaged, educated, take some accountability. You know, there's discussions around whether or not there needs to be, you know, a cyber trained individual who is a member of the board, which, you know, for some tech startups might be easy, but for an organisation like Tabcorp it's a bit more challenging. So I think that that's part of what I've seen in the people space, is a lot more stuff getting driven through the boards and into the executive. In terms of process, I think there's probably a lot more talk about ASD Essential 8 now in the general population. I mean, it was originally very government focused, aimed at being a standard that was really targeted at Canberra. But it's now a standard that many, many more organisations are talking of. Its focus on controls that can have a real impact on ransomware is a message that really resonates with people. It's got clear prioritisation, it's very digestible. But I think though, there's a coalescence of thought around some of these key standards like the NIST CSF or the MITRE framework, for example.
And that's a good thing, because security professionals are all talking about it together. And then finally, I think, technically, shift to the cloud for security and its acceleration is probably pretty important. So recently, we've seen the adoption of the cloud by MI5 and MI6 in the UK with the blessing of GCHQ. But also, I think the pandemic driven move to remote working is starting to lead to organisations using the cloud as their key security control. And I know that people throw around terms like zero trust and it's SASE and it's this and that and whatever. But in practical terms, the solutions that we see now from Zscaler, or Zed-Scaler if you're Australian, Cisco with their, you know, their Umbrella products, Palo Alto with the Prisma solution, where all of your security essentially and your network security perimeter is now based in the cloud, your endpoints connect to that, it does your data centre data centre connection, because your data centre is now Azure or Google Cloud or whatever else. That technology and the maturation and the increased adoption of that by organisations I think is technically the biggest shift that I've seen. I'm still somewhat in awe of the capabilities and the agility and the resilience of some of the key cyber threat actors. They've shown that they can pivot quickly, you know, adding theft and extortion to their ransomware model or targeting supply chains, for example. And they collaborate in, you know, in ways where necessary that are difficult for defenders. They bounce back from having their servers taken down a lot like REvil did recently. It's a constant reminder to me that in cybersecurity, a fixed mindset is a real liability. And I think that all security leaders and all CISOs need to remember that. You can't have a fixed mindset. You need to have a growth mindset.
CP: I think that's really good advice for any leader in any profession, but certainly in an industry that has such pace, like cyber. You know, spending time making sure that you're up to date and you're collaborating with the community because, you know, cyber is not a competition between different companies. You know, it's us against the bad guys. And so, you know, having that agreement of sharing and confidential closed door, you know, Chatham House conversations with your peers in the industry is incredibly important. So that, you know, for those that aren't sharing, publicly, that they're under threat, or that they've had an incident, if at least the CISOs can get together behind closed doors and share some of the learnings because of the pace at which the industry is moving, I think that's incredibly important.
BS: Yeah. And, you know, that's, it's one of the things that I've had the privilege of doing in my new role is to actually start setting some of that stuff up. Setting up an open round table and a closed group to talk about security and in particular areas, and people are hungry for that, to share that information. It just needs someone to actually enable that conversation to take place. But as you say, it's absolutely critical that we do that. Because if we just, you know, rely on our own resources and whatever, we are always going to be on the back foot against an adversary who does collaborate, who does pivot, and you know, who will continue to find weaknesses in our defences.
CP: Brendan, it's great to have been able to have an opportunity to chat with you again. Thanks so much for your generous time and for the audience to hear from you about where you're up to now and some of the new challenges that you're facing in your evolution as a cyber leader. So I really appreciate your time. And thanks for coming back again.
BS: No problem. Thank you.