Security Masterminds

Understanding the role of a CISO to reduce the risk of an exposure for an organization with special guest Quentyn Taylor

November 12, 2022 Quentyn Taylor Season 1 Episode 12

After 20 years in the same role at Canon, Quentyn Taylor knows a thing or two about what it takes to be a successful CISO; in this episode, he shares his insights on the importance of technical skills, business skills, and storytelling to make the role of CSO one You will learn the role of the CISO in communicating with the Board of Directors.

"I strongly believe in educating users about the importance of comprehensive security programs and to try to improve security in a cost-effective way for organizations."

Quentyn Taylor is the Senior Director of Product, Information Security and Global Response at Canon Europe, Middle East and Africa. He has over 20 years of experience in both the IT and information security environments and is focused on building business relationships within his organization and the cybersecurity community. He strongly believes in educating users about the importance of comprehensive security programs and in trying to improve security in a cost-effective way for organizations.

In this episode, you will learn the following:

1. Why do tiny things matter in information security?

2. What is the secret to Quentyn Taylor's success as a CISO?

3. What is the best way for a CISO to communicate with the Board of Directors?


This show's sound is edited by ProPodcastSolutions - https://propodcastsolutions.com/

Quentyn Taylor:

When you look at a lot of the information security failures, it's very, very easy to go, "Oh, that was an advanced attacker." But if you start to boil all this lot down, it all comes down to really, really basic IT things. So if you are working in an information security team, realize that really tiny things matter. Hello everybody. I'm Quentyn Taylor. I'm Senior Director of Product Information Security and Global Response here at Canon Europe, Middle East and Africa.

Announcer:

Welcome to the Security Masterminds podcast. This podcast brings the very best in all things cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry.

Jelle Wieringa:

In today's society, we see chief information security officers only lasting within an organization on average for about three years. Quentyn Taylor, who has been with Canon for over 20 years, provides insights into how he manages his cybersecurity program, his tips for CISOs, communication with the board of directors, and best practices to implement and maintain a security culture with the business.

Erich Kron:

Quentyn Taylor has a wealth of experience in both the IT and information security environments, and is focused on building business relationships within his organization and the cybersecurity community. He strongly believes in educating users about the importance of comprehensive security programs and in trying to improve security in a cost-effective way for organizations.

Announcer:

This is episode 12. Understanding the role of a CISO to reduce the risk of an exposure for an organization with special guest Quentyn Taylor.

Jelle Wieringa:

Well, hello there and welcome to another episode of Security Masterminds. My name is Jelle Wieringa and I am joined by my awesome colleague, Erich Kron.

Erich Kron:

I'll tell you, I'm very excited about today's episode speaking with Quentyn Taylor. This was a fantastic talk and he's just such an interesting person. I can't wait to get into this one.

Jelle Wieringa:

Me too, 19 years' worth of experience. That's his treasure trove for all of us. So, let's kick this off. The first question we asked him was, how did he actually get into cybersecurity?

Quentyn Taylor:

So I was basically right place, wrong time. I was working for a dot-com. Up until that point, I'd always been a system administrator. My loves were Solaris; I had a bit of networking, a bit of MySQL, a bit of Linux, and then I got hired by a dot-com because I had Solaris skills. Then we never did Solaris, even when I started there. So I didn't really touch Solaris ever again apart from, uh, at home, in home labs and home networks. Anyway, so I was doing all these little bits and pieces, mainly system administration; I came from a network operating center. Uh, and then I started doing security. I read Mr. Anderson's book on, uh, security engineering and also Secrets and Lies and a few of the other ones. And I suddenly went, "Wow, that's really where I want to go." And so I had the leeway at the dot-com; we had to do information security, so there were only two technical people. So we both did system administration, but I focused then on security, and he focused on the applications. And then Canon bought the dot-com I was working for; it was called Fotango. Canon bought it and they didn't have an information security person at the time. This is like 2000, 2001. So they wanted to start an information security team, cause before that, a lot of companies just didn't have anyone doing information security outside of the military or outside of banking or regulated industries. And even in those industries, InfoSec teams were tiny. And so I kind of started over there. It was myself, and I managed to get permission to hire one other person. So we were a two-person team for a very long period of time, and now we've grown up to an entire division. And now product security is a totally separate division. And yeah, it's been a long 22 years really.

Jelle Wieringa:

So basically he stumbled into the profession, and that's the same for most of us. Same for years. Same for me, I think. But it's really cool that he stuck around at the same company for that long. That doesn't happen that much, but it's cool.

Erich Kron:

Yeah, that's 22 years now in one place almost. And that's pretty amazing. And like you said, Jelle, so many of us just kind of stumbled into this, because for those of us who've been in this field for so long, information security and cybersecurity wasn't a thing back then. We just kind of started doing those tasks. And a lot of us just eventually ended up rolling into this position because it's something that drew us in. But a lot of us come outta the IT field, even though many of the newer people I find don't.

Jelle Wieringa:

So what we asked him: we wanted a peek into those 20 years of experience that he has. How has security been viewed from the board perspective in the last 20 years? How has it changed?

Quentyn Taylor:

It was interesting, because we were so desperate to get cybersecurity onto the board agenda. That was the big thing that everyone wanted to do, and I've realized there's been a slight change now, with a lot of information security people desperate to not have cybersecurity on the board agenda, cause it means something very bad has happened. Whereas back then it was like, "Hey, listen to us. Look, look at us, listen to us. We're important." And now it's like, yeah, we know we're really, really important. Lots of people know we're important, and we don't have so much time or people to spend on everything, and we'd rather not be over there. So it's really weird how that pendulum has changed in 20 years. You kind of wanna have the chair that you can go and sit on when you wanna go and sit on it, but you're not dragged into it every single time.

Jelle Wieringa:

Well, I actually think we've come a long way, right? I truly agree. It was that we were shouting for attention. We thought cybersecurity was so important and it deserved a seat at the boardroom table. Now we have it, cause most organizations, I feel, do think that cybersecurity is important, and most board members understand the value of cybersecurity for the business.

Erich Kron:

It's not the most comfortable position for people to be in and, let's be honest, a lot of people in our technical roles and our security roles don't know how to communicate with boards as well as possibly we could. We just don't have the experience with it, we think in different ways, and so some people struggle with that. It's not their favorite thing to do. But I think as boards are being held accountable more and more often for organizations and breaches that happen within them, I think we're going to continue to be at that table. I don't think there's any escaping it now, if for no other reason than that they're being held accountable.

Jelle Wieringa:

So we were really impressed by Quentyn and the length of his career at Canon. We wanted to know what his secret is for staying a CISO for such a long time when all of his peers, actually, well, they don't make it that long.

Quentyn Taylor:

I think it's down to corporate culture. So Canon has a corporate culture which rewards people for loyalty, and also has a corporate culture where we do things right. And doing things right, it's not to say other companies don't do things right, but because we do things right, things can take a little bit longer to get done. What surprises me is when you talk to people who have been CISOs for like 18 months, and then they move to another role as a CISO for 18 months, and then they move on. I kind of wonder, like, how do you get the big strategic projects done? Because sometimes these big strategic projects can take you six months to get from "it's a good idea over a coffee" to "right, so we're actually gonna put that in the budget for next year, then we're gonna do this, then..." And so you sit there and think, well, if it takes you six months to do that bit, six months in 19 years isn't a huge amount of time at all. But six months in like an 18-month timeframe is a huge amount of your sort of total lifespan. So I almost flip the question around, which is, when people are only at the company a very short amount of time, how do they get things done, and how do they actually achieve, and how do they know strategic programs have... And it does give you a totally different attitude on risk, because you get to see projects come live, go through their entire cycle, and I'm talking ERPs, and then get to the end and then be decommissioned. And you get to see that entire picture end to end, which then means that when you have a new project coming through, you've got that mental attitude to say, "Hey, hang on a second. We can't do this wrong, cause if we do this wrong, probably I still won't be retired by the time that thing goes out of commission." I now realize that what we do right now won't echo for eternity, but it will echo for about 15 to 20 years. And I would like that not to be people turning around and saying, "So why, Quentyn? Why did you make that decision back then?"

Jelle Wieringa:

I think he's absolutely right. You have to switch it around. If you're not at a company for that long, how can you do strategic projects?

Erich Kron:

Yeah, that's a tough one. I mean, it's easy to be tactical, but the role of a CISO is more on the strategic side, and you're gonna have to be there to get things at least going when you're there. Now, that's... you gotta be changing it up. You gotta have goals, you gotta have aspirations, and that's part of it too. That can be your strategy at that CISO level. That's your goal, that's what you're driving for. And to keep it kind of fresh like that, I think can go a long way towards staying in one place a bit longer.

Jelle Wieringa:

Luckily there's a bunch of new people trying to break into this industry as CISOs, and that's a good thing, cause we need more competent CISOs. We wanted to know what Quentyn's advice is for all those aspiring CISOs.

Quentyn Taylor:

That's a really good question. If you enjoy playing around with things technically, if you don't enjoy budgeting, management, personnel management, program management, then you might not enjoy being a CISO. However, so what skills, and do they need to be technical or soft skills? Business skills? I would say it's a mixture of both, and it depends upon your company. Personally speaking, I think you should have a good solid grounding in technical skills, because then you're able to question, you're able to read the reports that your staff are generating for you and understand and ask difficult questions. So to give you a good example of this, a couple of weeks ago we were dealing with an incident, and the incident looked like it was a major attack. Now from my old system administration days, I was like, it sounds more like a routing loop here. And of course, if you've got a hammer, everything looks like a nail. So of course, if you escalate the same to a security team, they're gonna go, "That is a security issue," and you're going, "Well, it might not be. Could just be a network issue. It could be a routing loop." And yeah, okay, well, it may turn out to be a routing loop. And so I think having technical skills is really useful. Having broad technical skills is very useful. If you talk about the "I-shaped people" and the "T-shaped people", the CISO has to be the ultimate T-shaped person. They have to have a bit of skills in everything. But in terms of the business skills, if you don't have the business skills, you're not gonna get the budget. You're not gonna survive. You're not gonna have the ability to convince people to do what they need to do. Cause let's be honest here, as a CISO, you are the ring leader. You are the ring master. You're telling people what to do, but you're very rarely delivering stuff yourself, by yourself, with your own hands. You're having to do it via other people. And also, many times, you're not delivering things via your own staff members.
You are delivering programs or changes or changes of attitude and opinion via lots of other people who are not connected to you at all. So you've gotta be able to convince them, and you can't threaten. You've gotta be able to convince people to move along and bring the story alive for them. Because if you sit there and say, "Hey, this bad stuff is happening, and if you do this thing, it'll happen. If you click on a link, it'll be bad. You'll end up getting things happening." Well, you know what? They click on links all the time and bad things don't happen. So you're gonna lose credibility. So you've gotta be able to bring the story to life to affect the change that you want to change. So, a mixture. I think you should have solid technical skills. When you move to become a CISO, I don't think you will be using your technical skills, depending upon which company you're in. If you are, it's an unusual role. Your soft skills, your interpersonal skills, will probably be the ones you'll be leaning upon the most.

Jelle Wieringa:

I couldn't agree more. I'm one of those guys that looks at a CISO role and thinks 80% business, 20% technology. You need just enough technical skills to understand what the technology's all about. But it's changing that conversation, making that conversation. And I love what he said, like making that story alive. That's the important part as a CISO.

Erich Kron:

Yeah, I think that you definitely need those technical skills a little bit, if for no other reason, like he said, than to be able to read the reports and interpret them and put them maybe into the larger picture. That's kind of your role as a strategic person, is to put it in and see how it fits in the larger picture. But I also think that they need to be able to take that and then translate it to something that makes sense to the board, which is more traditional risk-type discussions. So in many ways, I see that role as kind of a translator. So you have to have that technical background.

Jelle Wieringa:

So when you look at that risk perspective, right, and combine that with making this story alive. We wanted to know from Quentyn, what impact does storytelling have for a CISO to explain that risk?

Quentyn Taylor:

I think the media has done an amazing job of briefing people as to how bad things can be, and sometimes you actually need to tell the story, not to show people how bad the risk could be, but to bring the risk into focus for them. So when we had the situation with the recent incursion into Ukraine, of course there was this whole thing of, "Oh, the cyber risk has gone up dramatically. What should we do?" And so storytelling in that case was to talk to senior stakeholders and say, "Actually, the risk has changed, but maybe not as much in the direction that the newspapers are saying." So it's about trying to say to them, I know I put newspaper stories in all the presentations to show you what the voice and opinion of the press is, but in this particular case, maybe they're blowing it a little bit out of proportion. And I think that's really, really important, but it's also important to be able to tell people, that bad thing that happened to that company over there, whilst it's unlikely to happen to us, if it does, what will we do? What will it feel like? What will it smell like? And that's why it's really important for me, if you're hiring people (and by the way, hiring the right people is probably one of the most important skills of a CISO: bringing the right people into the organization, growing your team with the correct people), I quite often look for if someone's got a tale there, or I see in their job description or their employment history that they've worked for a company that's had a major cybersecurity incident. I'll ask them about that in the interview, where they're able to answer about it, obviously, because I want them to be able to give that story firsthand, depending on what role they're doing, to other people, to say, "Right, I've lived through this. For me, this is not an abstract tale. This isn't a slide. This is something I remember: wearing the same shirt for three days in a row. I remember flying over to wherever.
I remember all of these things." And that's what's so important, so that you can really bring the picture to life to then say to people, "Right, well, we don't want that to happen here, so therefore we need to get budget, or we need to implement this change, or we need to do this thing."

Jelle Wieringa:

So that's actually really interesting. He's talking about hiring the right people that have experience in cyber incidents, when a cyber incident happened. That leads me into a hot topic when it comes to CISOs. Should a CISO be fired after a data breach? We asked Quentyn what he thought about that.

Quentyn Taylor:

So I would say maybe it's a difference of culture between America and Europe. But if you have a breach, the last thing you should do, and I say this obviously as a CISO, but the last thing you should do is fire your CISO, because unless your CISO was negligent, let's be clear here, the security posture of the company is influenced by the CISO, but not set by the CISO. We've seen major companies get breached and their entire email get leaked, and people do analysis through it, and you suddenly realize, well, yeah, but the CISO and their team have been crying out about all those machines over there not being patched, talking about that whole problem for months and months and months and months. So if you fire the CISO, all you're doing is bringing in someone who's less experienced than they are, and you've still got your problem. They have to build up the favor bank. Cause when you know where the bodies are buried, other people know that you know where the bodies are buried, and so therefore you have implicit favors there. But there's a great analogy, and I don't know whether this happened or didn't happen, but it's apparently from the US Navy, and someone was landing a plane and they overcooked the landing and dropped the plane into the water. And when the pilot was recovered from the water, he said to the, whatever it would be, captain of a ship or whoever the person who controls the things in the Navy is, "I'm fired, aren't I?" And the guy goes, "Well, are you gonna do it again?" And he goes, "Well, no." He goes, "Well, I just spent one and a half million dollars on a training lesson. I now have a pilot who knows exactly what it feels like to go over the edge." And that's the same thing. If the person was not negligent, or if they were slightly negligent, so long as the attitude of the person is, "Look, I wanna learn from this. I want to move on. I want to teach other people so that no one else makes this mistake," that's the person you want in your organization.
We've had it where some of the best advocates for information security are the users who clicked on the link, who shouldn't have clicked on the link, who actually got compromised, because they go round and tell everybody from personal experience: "Don't do this. It happened to me. This is what happened. The security team dealt with it. They're very professional, but this is what happened to me." And those people become your absolute super advocates for information security awareness.

Jelle Wieringa:

So it really sounds like Quentyn knows what he's talking about here. I think he's absolutely right. Firing a CISO after a breach, it's just silly. It's counterintuitive. It is finding a scapegoat for something where you go like, "Hang on, we have an issue. We now have somebody with experience." Let's, as an organization, make full use of that person having that experience. There's no training that you can get that really prepares you as well as a real security incident. So, nah, don't fire him, please don't.

Erich Kron:

Yeah, I mean, obviously if there's serious negligence on the part of the CISO that led to that, then they have to be held accountable for it. But the practice of firing the CISO just because they're the quote-unquote sacrificial lamb has gotta stop. And, you know, I think I'm feeling improvements in that, but he's right about the experience that you gain from having an incident like that, and he made the point of having that institutional knowledge, you know, knowing where the bodies are buried and having to build up that favor bank afterwards. Every time you hire a new person, if you think about the overall cost with that, while they learn the politics of the organization and who does what and all that, that's a very expensive thing to have happen. So we need to be a little bit more careful.

Jelle Wieringa:

One of the things that we see happening in the industry is that a lot of people are starting to really understand that security is not specifically something for the IT department or for the security department. So we asked Quentyn, does he believe that security is for everyone as well?

Quentyn Taylor:

Yeah. I think this is actually not just an InfoSec thing. I think this is an IT thing as well. I mean, let's be honest here. IT calls its, what do we call them, users. There's another group of criminals who call their customers users, and they're not; they're colleagues. They're people who work on the systems, and just like I can't do the month-end closing, we've got some very, very talented people in our finance team who do the month-end closing. They can't do some of the jobs, and we all need to recognize that it's not that one person's job is more valuable than another person's job. It's just that we all do different jobs. And we see this actually in InfoSec as well, where you get people in InfoSec who go, "I do the hardcore, this part of InfoSec. You do something else that's more flaring." It's like, well, no, actually these two jobs are really hard, because on the technical side you can do something and it's not relatively easy. It takes a lot of brain power, but over here they've gotta convince people to do things. And so it's just everything's about the same in all things. I think we need to recognize the fact that there is this superiority complex that's probably cause it's largely a very male-dominated industry, but I see it in IT and I see it's then transferred across into InfoSec. And you often see this as well between the red team and the blue team. You see, I'm gonna say, some very poor attitudes on some of the international red teaming people who have big Twitter personalities, where they're going, "Oh, I broke into this company today. Yeah, yeah. They spent all this much money and it was all for nothing, cause I managed to get in." And it's like, well, great. Actual fact, you've only done half your job, cause now your job is to show them how to fix the problems so that actually they can't get in. I was an early pioneer of purple teaming. We've been doing that for years and years and years.
Cause I said, well, if my security team is totally isolated away from IT, then it becomes this adversarial relationship. We try and break in, and we are always better than you because we are the red team. We are better. Hang on a second. That's not doing a good thing for the company I work for, because we are not getting any better. All we are doing is doing a report that they absolutely dread every single year, cause we are just gonna demonstrate to them yet again how we managed to bypass their defenses. And now with purple teaming, we're saying, actually, let's have this very much more collaborative relationship, and we are measuring the red team on how much they manage to improve the blue team. So you flip it around completely.

Jelle Wieringa:

I love that. I love the concept of purple teaming; that makes it something for all of us, right? At least it combines IT, it combines IT security, all into one, and you basically team up. Purple teaming is the way to collaborative security within organizations.

Erich Kron:

Well, I like what he mentioned about becoming adversarial as opposed to working together on things, and that has definitely been a challenge over the years. One of the things that's challenged us as IT and security professionals throughout many people's careers is that us-against-them mentality between the users and non-users, the technical people, but we've always gotta keep in mind, and I try to say it all the time, when it comes down to it, everybody has their own set of skills. I love his idea of pulling people together and being complementary with the red team and the blue team part, making the purple team, and learning from stuff.

Jelle Wieringa:

I agree. So basically we're talking about something where in an organization you want a culture of collaboration on security. You want to pull together and do it all as one big team. And so we asked Quentyn, if you look at that security culture, that thing that you want to get collaboration on, that you want to get those ideas on security that you wanna spread within your organization, what role does a CISO have within a security culture?

Quentyn Taylor:

I think it's about defining what the culture should be and what the steps would be to get there, and then also accepting the fact that the CISO might define what culture they want it to be, but unless they get the buy-in from all the senior stakeholders, or at least a significant portion of the senior stakeholders accepting it, you're not gonna be able to change that culture. And even if you do get the buy-in, you may not be able to change that culture. So you might have, "This is where I want to be. This is where I can probably get to in this organization." And remember that over time people change, and as people change, new opportunities open and opportunities disappear. So change in one way can be bad and change in another way can be very good, cause it means that you can achieve different things. And it's about understanding what culture do you want, what does good look like, and not "what does good look like?" but "what is the possibility of what good looks like with your current people, with your current position and what your company wants to do?" I mean, there's been a lot of concern over certain CISOs who have been in the press recently about the security culture that they presided over, and I'd say the direct security culture, how the teams go together, yes, you're completely accountable for that. But your company's security culture and how the belief is in your company, you can only influence that, as can all the other stakeholders. And I think a lot of the culture that you get to work with actually comes from the IT department and IT excellence. If your IT department is not focused on IT excellence, then you are really gonna struggle on the security culture as well. And what do I mean by IT excellence? I mean doing the job right. Have you got the asset inventory vaguely done? Do you have a culture of actually applying the patch and doing? We always talk about security culture as being when people do things when you're not watching.
Well, IT excellence culture is, if there isn't a task to apply that patch, do you still prep to do it? And do you generate the task yourself to apply the patch? Do you do it because someone's watching and there's a dashboard? Or do you do it because it should be done? Do you make sure these things are right? And that, I think, is the cultural aspect. And it goes throughout the whole organization. There was someone who actually said that when they go in for an interview or something, they surreptitiously will drop a screwed-up piece of paper on the floor and they leave it there. And if someone walks past, picks it up and puts it in the bin, that at least demonstrates that there is a culture of "Oh, there's some rubbish there. I didn't drop it, but I'll put it in the bin because it should be put in the bin." There's responsibility there, and I think if you sit there and you see staff members just wandering past it, you might not have the right culture.

Jelle Wieringa:

So basically what he is saying is that, and he's calling that IT excellence, which, I like that term. He's saying every individual should do what is right, and that's the same thing that we want in a security culture, right? Every person should understand how to behave in a secure manner that adds to the security posture of the organization.

Erich Kron:

I really like the part where he pulled it into the interview piece and where, you know, how often do we interview the company that we are applying for? But leaving a piece of trash on the floor and seeing if somebody picks it up, and how that can be indicative of who works in the organization, the other people there, and how they're driven to do that sort of thing. I actually thought that was pretty clever, and interesting thoughts in my head there.

Jelle Wieringa:

And it shows that it doesn't always have to be the big things. It can be the little things, picking up a piece of paper. It can be the little things too. So continuing on this, we asked him, how critical is that human element in an organization's security posture?

Quentyn Taylor:

I think it's insanely critical, because people are doing the right thing because they know what the right thing to do is, so they're educated, but they also want to do it because, well, it's the right thing. We don't do things that other way, that non-secure way; that's just the wrong way. That just jars in our minds, and everyone needs to be thinking the same thing. We need to have it where they've done a huge push on safety culture, and you need to have it. And so if you do something, I was talking to someone who works in oil and gas and he said, "Yeah." He said, "It's so drilled into us." He goes, "I hold the banister handrail at home, cause it feels alien to not hold the banister handrail." And I said, "You have to tell me more about this." He goes, "Because when you're on an oil and gas rig, you have to hold the banister when going down. Cause if the gas rig moves, you could fall quite a long way." He said, "So we have this culture that everyone in the entire company does this at headquarters. So you don't go, 'Oh, I'm not on an oil and gas rig. I don't have to do the safety thing.'" This little safety thing of holding the banister, they do group-wide. I dunno, if there's a set of stairs, even if they're like three steps down, they all hold the banister. And that's kind of the sort of culture that you wanna try and get in. That's a very easy example. We wanna try and get that security culture kind of in everywhere. That's the kind of feeling we wanna get, so that when people are at home, they don't share passwords. When they're at home, they do unique passwords. When they're at home, they look critically at an email. I don't wanna say, "Don't click links." That's like 1990s. Look critically at the email to say, "Am I expecting that? Is that right? Do I need to look more deeply into that?" Well, there's a fascinating one I heard, and this is a bit of a cultural thing, so it works in England.
We were always taught here when I was younger: never drink out of the hot tap. Because hot water in the UK, cold came off the mains, hot water was out of a tank in the loft. There might be anything in that tank in the loft: dead pigeon, dead mouse, various things. So to this day, if the hot's on and I can see the hot's on the mixer tap, I'll flip it onto cold and run it for a couple of seconds to make sure I've only got mains cold going through. Now that hasn't been the case for 20, 30 years in UK house building. Modern regulations are, you have to have isolation and you don't have these tanks in the loft. I was watching a YouTube video the other day where this guy explained it. Is that the reason why I've been doing this my entire life and I never knew why? So maybe if we drilled good security practice into our children, it'll last them a lifetime. That's what we need to be doing. Don't do security awareness here. Do security awareness at preschool. Yeah. Remember, we are the last generation going through who remembers a life pre-internet. I remember when URLs started popping up at the bottom of TV adverts, and going to my mum and going, "See, see, look, that's a URL there. That's gonna be really important." And now, could you imagine a life without ordering anything on the internet?

Jelle Wieringa:

Teaching security to young kids. I think that's really important. That's where culture starts in the end, right?

Erich Kron:

I think it's gonna make it easier in the future if we start younger. You know, it's funny how these things stick with you over life. I get what he's saying here. I think that as we teach younger people more about the implications of their information and it being lost, because they don't understand what it means to put their information in those devices, what it means to download certain apps and put information out there on the web, we need to start driving that a little bit younger. But for those that are already out there in the world too, we have to remember them as well. And we have to not only talk about it, but also demonstrate it to them especially for those of us that they may be looking up to.

Jelle Wieringa:

So in today's age, where technology has really evolved and has become a lot more accessible to people, we want to know from Quentyn if cyber criminals are also having an easier time nowadays.

Quentyn Taylor:

Well, we've seen the same in the ransomware side in the past, and I did this presentation about the evolution of ransomware. If you went back to the two thousands, if you wanted to commit online crime in the early two thousands, you had to have some skills. And we might laugh at them now and go, "Oh, well, what's his name, the TJX hacker, was using open wifi networks," but you had to know how to get onto open wifi networks, which was not exactly mainstream knowledge back then. You come to now, all you need now is criminal intent and money. And you can go onto a dark net market, you can buy your list, presorted, pre-filtered. You can buy your remote access services. You can buy all the other services that you need to be able to commit crime. And it's scary, but I suppose we must take the rough with the smooth. You've had the fact that if I wanted to set up an ERP in the past, I'd need to hire 50 people and do this, and do this, and do this. And now I can literally, with a credit card, have an ERP set up in a few hours. What we've also noticed as well is there was a gentleman who was arrested recently, and when they looked back through his history, it's alleged that when he was around 14, he was running a major criminal website, a doxing website. And I believe it had a hosting cost of like 300,000 dollars a month. Now when I was 14, and my moral compass may not have been entirely as well formed as it currently is, I was still getting pocket money. Whereas now you've got kids who are part of major criminal enterprises who have the ability, but they don't potentially have the knowledge of what's going to happen eventually, where this is gonna lead to. They think they can rule the world and run the world, and we all can remember back to when we were sort of that age. This is a potential problem, and I don't think this is a problem that the industry's created.
I think this is just a problem we need to accept exists.

Jelle Wieringa:

I agree. So with ransomware particularly, you can just rent it, right? All you need is a credit card. You don't need any technical skills nowadays to set up a ransomware attack on an organization. But it's not just that. It's with everything. It's that blockchain has become accessible nowadays. So getting access to the money that you get out of your ransomware attack is easy. It's the whole circle, the whole cycle, that has become easier for cyber criminals to use. So yeah, I'm looking at it from the perspective: technology, on the one hand, makes it easy on them. How can we prevent it?

Erich Kron:

I think that we've seen some major improvements and maturity in the cyber crime side of things over the last four or five years, and what I'm talking about here is when we get into those as-a-service sort of features, right? We have phishing as a service, ransomware as a service. The underground markets are selling all the tools you need to do credential stuffing for next to nothing. Right? Phishing kits are available for next to nothing or free. I see this and I absolutely think the world has become easier for cyber criminals to get in there, because they don't have to have those technical skills, like he mentioned. And unfortunately, with these as-a-service things, it makes them much more scalable too, which makes the threat even bigger.

Jelle Wieringa:

It definitely is. You mentioned threat there. We want to know from Quentyn, what does he see as the greatest threat in the next 10 years?

Quentyn Taylor:

So I think that we are gonna see an amalgamation of the value and volume businesses. We've got the value business from a ransomware perspective, and I think we're gonna lose the word, the "ware" bit. We are already seeing it starting to happen now, but on the value business, people are not gonna bother writing malware. Why bother writing it? Just go straight for cyber extortion; it's cheaper, it's easier. I can then, if you don't wanna pay the extortion money, someone else might buy the data from me. I might be able to use it to hack other people. You know what, I can do many different things. I can take a short position on the stock market against you. I can do lots of different bits and pieces. I can monetize that. And then of course you've got the volume business, which is typically dealing not with the corporates, or dealing with the smaller corporates, and also dealing with the individual. I think we'll see those two businesses starting to coalesce together. We're kind of already seeing it where people are looking in the home user stolen credentials for corporate credentials. We've just seen two or three hacks like that, and I really, really think we will start to see, not the criminal masterminds on the volume business, but the support structures on the volume business starting to say, "Hey, hang on a second. People look at AV everywhere. There's EDR everywhere. There's a SOC everywhere. But you know where there's not? On their personal accounts." And we'll start after that. So I think we'll start to see these two worlds not directly coalescing, because they don't want to coalesce, because these are very, very high risk. The value people are ridiculously high risk. So the value people will not want to be associated, but I think the backend support structures will start to coalesce and start to share an awful lot more data.
And I think that's not, for me, the next 10 years; I think that'll be the next two years. I think we're already starting to see it now, and I think that's gonna lead to a very interesting place where we get to in the world. And then if they hunt through those stuffed credentials, there might be some of those where the attackers go, "Oh, no, no, no. Don't do Facebook scams on that one. I think that credential might have more use and more value over here on this big corporate over here."

Jelle Wieringa:

You know what they say, right? The Chinese wish their enemies something like, May you live in interesting times.

Erich Kron:

I was thinking that same quote, Jelle. It is definitely interesting times.

Jelle Wieringa:

Yeah. And especially so, as he thinks it's gonna be sooner than 10 years. Actually, it is a pretty scary thought that it will mature that quickly.

Erich Kron:

Yeah, you know what, everything is accelerating though, and it's just mind-blowing. I don't even know what to expect in the next 10 years myself.

Jelle Wieringa:

If there's one thing I've learned from today's episode, it's that experience does. When you're a CISO, the more you've seen, the better it is, right? So it's a good thing to have all those years of tenure at one organization. And in Quentyn's case, he's got some really solid advice.

Erich Kron:

I love getting this kind of guidance, this kind of info about the things that could help if we ever want to go down that path, and frankly, we need good CISOs in the world. We need those people in the boardroom saying the right things. Being able to communicate the risk to the organization. That's what's gonna really help us make our own movements forward and be able to keep up with the evolution of cyber crime itself.

Jelle Wieringa:

So folks, there you have it. First of all, thank you all for listening to this episode. I hope you find it worthwhile, and we appreciate that you're here. We would really appreciate it if you leave a comment for us to see what you want different. If you think of new ideas that we could incorporate in this show, or just want to leave a review, please share it with us, and please don't forget to share this episode and a link to this podcast with all your friends. Thank you for joining us for another episode of Security Masterminds.

Erich Kron:

I really enjoyed this myself. I gotta say, for those listeners out there, if there's something you want to hear about, if there are some topics you want to hear about, let us know about that as well. That's kind of one of those things: we want to give you what you wanna hear. We know a lot of great security masterminds out there. We want to get you the info you want to hear. So having said that, how about we say goodbye, Jelle.

Jelle Wieringa:

Goodbye Jelle.

Announcer:

Coming up on our next episode of Security Masterminds,

Karen Worstell:

Since the beginning of IT, the focus has always been to deliver new capability, deliver new services to improve whatever, to build competitive advantage. That's where the focus, the investment, has been, and that has come without the necessary extra investment to maintain that or secure it over time.

Announcer:

We invite you to join us with our special guest, Karen Worstell, senior cybersecurity strategist and security advisor for VMware. You've been listening to the Security Masterminds podcast sponsored by KnowBe4. For more information, please visit KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik with music by Brian Sanyshyn. We invite you to share this podcast with your friends and colleagues, and of course, you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another security mastermind, sharing their expertise and knowledge with you from the world of cybersecurity.

Introduction
How did you get into cybersecurity?
Board perspective and cybersecurity for the past 20 years?
What was your secret for staying a CISO for such a long time?
What advice do you have for aspiring CISOs?
Storytelling, CISOs and Risk
Should a CISO be fired post breach?
Is security for everyone?
CISO's role with security culture
Human element's criticality for security posture?
Easy or hard for cybercriminals nowadays?
Greatest threat in the next 10 years?
Wrap-up